AWS - VPC

Avishek Roy
Published in teckdevops
10 min read, May 19, 2019

A blog post explaining the basic concepts of AWS VPC (Virtual Private Cloud).

Overview

VPC is the networking service AWS provides to create, manage and isolate environments and services in the cloud. In layman's terms, it is a virtual data center in the cloud that gives you full power to set up your own subnets, IP ranges, route tables, network gateways and network firewalls (access rules via security groups and network ACLs).

Below is a sample, very basic AWS VPC architecture with both a public and a private subnet, an IGW (internet gateway) attached for the public subnet, and a NAT gateway that lets the private subnet reach the internet through the public subnet.

Our Mission

We will cover the basics of VPC by setting up a custom VPC, creating a public and a private subnet, customizing route tables, applying security groups, and attaching an internet gateway to the public subnet so that machines/applications can be exposed over the internet.

Prerequisite

  • AWS Console access, i.e. a valid account on the AWS portal.
  • A valid user with permission to create and delete VPCs and EC2 instances.

Implementation

Every AWS account comes with a default VPC that has a default subnet in each availability zone. The default VPC is really helpful for users with no prior knowledge of AWS or networking, as it comes pre-configured with subnets, an internet gateway, route tables, security groups, default ACLs etc.

But the default VPC has a few limitations, as it doesn't give you full power and control over your network setup; hence the need for a custom VPC, where one can customize network settings like subnets, IP ranges, route tables and firewalls, i.e. via custom security groups and ACLs.

We are going to set up a custom VPC via the VPC dashboard available in the AWS console; the steps are as follows.

1. Login

Log in to the AWS console and jump to the VPC dashboard. On the dashboard page we will be able to see all the available options and associations with the VPC.

Search VPC
VPC Dashboard

2. Create VPC

Go to VPC Dashboard → Your VPCs; a new page will open listing the default VPC and any custom VPCs.

Your VPCs

Click on the Create VPC button to create a new custom VPC. A new page will open asking for the VPC name, CIDR block and tenancy details. Fill in the details as below and click Create.

VPC
Custom VPC

On successful VPC creation, a VPC ID is generated and associated with our custom VPC. The dashboard will now contain 2 VPCs, i.e. DefaultVPC and CustomVPC (the one we just created).

For a custom VPC, a route table and a NACL get created by default, as shown below.

Route tables

NACL

3. Create Subnets

We created a VPC, and it has an auto-created route table and NACL, but we still have a few tasks in hand, i.e. creation of subnets, security groups, internet gateway etc.

Let's first create our subnets; we are going to create 2 subnets within our custom VPC as below.

  1. Public Subnet → for public-facing instances like web servers.
  2. Private Subnet → for private instances like DBs.

Go to VPC Dashboard → Subnets.

As you can see, currently we only have subnets associated with the DefaultVPC and no subnet for CustomVPC.

Subnets — Default VPC

Click on Create subnet.

First we will create a public subnet and then a private subnet, as in the snaps below.

Public Subnet

Private Subnet

The main page will now show the 2 new subnets that we just created.

Public & Private Subnet

But how are we differentiating between the public and the private subnet? Hmm, the difference will pop up in the next few steps.

4. Public Subnet & the Internet Gateway

In this section we are going to make our first subnet a public subnet.

First we have to modify the auto-assign IP settings and enable the "Auto Assign public IP address" option for the public subnet, as it is set to "No" by default for all custom subnets. This option auto-assigns a public IP to instances created in the public subnet of our CustomVPC.

Secondly, we have to create an internet gateway and attach it for the public subnet, so that the subnet is exposed to and accessible over the internet.

The IGW we created is in a detached state by default and ready to be attached to any VPC. So our next task is to attach it to our CustomVPC.

IGW — Detached Mode

Attach to VPC

Attached

With the completion of the above steps, our subnet can now really be called a public subnet. 😉

5. Route tables & Subnet Associations

The subnet we created in the last step is still dangling around and isn't yet associated with any route table. If you remember, currently we have only a single route table, created by default along with the CustomVPC.

So next we are going to create one more route table for our private subnet, to separate it from the public subnet and create two different network zones. After creation, we associate the public subnet with the public route table and the private subnet with the private one.

Public Route

Create a private route table and attach it to CustomVPC.

Routes

Now that we are done creating the 2 route tables, the next step is to associate the subnets with them. Select the public/private route table and check the lower half of the page, which shows tabs like Routes, Subnet Associations, Tags etc.

Select the Subnet Associations tab; it will show the 2 subnets we created in the last section as available for association. Edit subnet associations and map public to public and private to private.

Subnet associations

Public Subnet Association

Private Subnet Association

IGW association

One last step relating to our route tables is adding the internet gateway to our public subnet's routes. Select the public subnet's route table and go to the Routes tab, which shows the current routes.

Public Routes

Go ahead and edit the routes to add the IGW as one of the routes.

Associate IGW

Our updated routes look as below, i.e. forwarding all traffic (0.0.0.0/0) via the internet gateway.

IGW associations

6. Security Groups

Lastly, from the VPC perspective we need to add some rules (using security groups) to allow SSH/HTTP access to the public instances that we are going to spin up in the next step. Security groups basically act as a virtual firewall for instances in an AWS VPC.

Create SG

On the VPC dashboard, click on Security Groups and then Create security group. Remember to select CustomVPC while creating the SG.

SG — default

Create SG

Check SG

Add Rules

As of now we have just created a security group but haven't added any rules to it. To add rules select

Final look - Security Groups

SG — Final Configuration

Done!
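As an added example (not part of the original post), here is a small Python checker that applies the public/private distinction from steps 4 and 5 and the security-group rules from step 6 to configuration data shaped like the output of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-security-groups`; the sample data and all ids are constructed placeholders. A subnet counts as public only when its effective route table (explicit association, or the VPC's main table otherwise) sends 0.0.0.0/0 to an `igw-` gateway; that is cross-checked against the auto-assign public IP setting, and SG rules that open admin ports to the whole internet are flagged.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-subnets`, `describe-route-tables` and
# `describe-security-groups` output; every id is a placeholder, not from a real account.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [{"SubnetId": "subnet-public", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
           {"SubnetId": "subnet-private", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False}]
ROUTE_TABLES = [  # the public subnet has no explicit association, so it uses the main table
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}]
SECURITY_GROUPS = [{"GroupId": "sg-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]

def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    explicit = [rt for rt in route_tables if any(a.get("SubnetId") == subnet_id for a in rt["Associations"])]
    main = [rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"])]
    return (explicit or main)[0]

def classify_subnets(vpc_cidr, subnets, route_tables):
    """Label each subnet public/private by its effective default route; collect findings."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    kinds, findings = {}, []
    for sn in subnets:
        sid, net = sn["SubnetId"], ipaddress.ip_network(sn["CidrBlock"])
        if not net.subnet_of(vpc_net):
            findings.append(f"{sid}: {net} lies outside VPC CIDR {vpc_net}")
        routes = route_table_for(sid, route_tables)["Routes"]
        to_igw = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and r.get("GatewayId", "").startswith("igw-") for r in routes)
        kinds[sid] = "public" if to_igw else "private"
        if to_igw != sn["MapPublicIpOnLaunch"]:  # the two settings should agree
            findings.append(f"{sid}: auto-assign public IP={sn['MapPublicIpOnLaunch']}, IGW route={to_igw}")
    return kinds, findings

def world_open_admin_ports(security_groups, admin_ports=(22, 3389)):
    """Flag inbound rules exposing admin ports to 0.0.0.0/0; restrict those to known source CIDRs."""
    hits = []
    for sg in security_groups:
        for p in sg["IpPermissions"]:
            lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)  # no ports => all (protocol -1)
            if (p["IpProtocol"] in ("tcp", "-1") and any(lo <= n <= hi for n in admin_ports)
                    and any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))):
                hits.append(f"{sg['GroupId']}: ports {lo}-{hi} open to the internet")
    return hits
```

A route to a NAT gateway is reported under `NatGatewayId` rather than `GatewayId`, so a private subnet with outbound NAT access still classifies as private.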

7. ATTACH VPC

Finally, we are done with our custom VPC setup, and now it's time to spin up an EC2 instance in our VPC to test the setup; that is what we do next.

Go to the EC2 dashboard and create a new instance; choose an AMI and instance type as you like and stop at step #3, Configure Instance, as this step lets you select a custom network (VPC) and subnet. Refer to the screenshot below, where we select our custom VPC from the drop-down along with the respective subnet, i.e. the public subnet, keep the rest of the settings as they are and move on to the next step.

EC2 — Configure Instance

Add storage and tags, and configure/select the security group we created at step #6. Review & Launch.

SG

For more details on the EC2 launch steps please refer to the blog.

After a successful launch, check the instance settings for VPC, SG, subnet etc. If all is well, let's try to access our instance.

Instance Details

SSH

Pick the instance's public IP from the instance details and try to access it via your favourite command-line utility.

Bingo! Our public web server is accessible over SSH, i.e. on port 22. We can customize the SSH port and update the same in our SG to enhance system security by avoiding the use of default ports.

Next, quickly install Apache on our web server and bring it up for testing.

httpd install
httpd startup

All done, and now we can test our web server page over HTTP. Once again copy the instance's public IP and open it in a web browser; if our setup is right, it should show the Apache test page as below. 👍

Instance over http — apache

Cool, our setup is up and running using a custom VPC. Revisit the above steps in case of any issue or doubt; otherwise go ahead and clean up the setup we created to avoid unnecessary charges.

Time for cleanup!

First terminate the EC2 instance and then delete the VPC; this will automatically remove all its attached components.

Terminate Instance

Delete VPC
Delete all VPC components

Epilogue

So, well done for making it to the end. I hope the article was useful, as we learnt a lot: creating and setting up a custom VPC, creating subnets and SGs, updating routes, instance setup using a custom VPC etc.!

But wait, we were able to access our public subnet web server, but what about the private subnet nodes! 😏

To be continued …

Please follow the link to the article on how to access private instances via public instances.

— A blog by teckdevOps
