Building our first custom VPC.docx

This document outlines the steps to create a custom Virtual Private Cloud (VPC) on AWS, including setting up subnets, an internet gateway, and launching EC2 instances. It details the process of configuring public and private subnets, creating a NAT gateway for internet access from private instances, and accessing instances via SSH. Finally, it emphasizes the importance of cleaning up resources to avoid unexpected charges.

Uploaded by

Abdulhay Allooh

Building our first custom VPC

In this lab session, you create a basic virtual private cloud (VPC) and then extend it to
produce a customised result. You do all of this with the AWS Management Console.

The overall VPC is designed to incorporate these basic features:

● It spans two Availability Zones (AZs), so that later you can distribute applications
across both zones and architect for application durability and availability.

● Within each Availability Zone (AZ) there are two subnets: a “public” subnet whose route
table points at an internet gateway, so instances in it can be reached directly from the
Internet, and a “private” subnet that can communicate with any other subnet within the
VPC but accepts no inbound connections from the Internet. The steps below build one public
and one private subnet; to complete the design, repeat the subnet creation and the
route-table associations in the second AZ.

Step 1: Create a VPC with CIDR 10.0.0.0/16 with Default tenancy

1. Log in to the AWS Management Console and choose a region.

A VPC is a regional resource, so the region you pick here is where the custom VPC is
created. In this example, the Asia Pacific (Singapore) ap-southeast-1 region is selected for
this deployment. You can use any other region based on your preference and requirements.

2. In the search bar at the top of the console, search for VPC and open the VPC service.

3. This takes you to the VPC dashboard. Click Your VPCs to list the VPCs in this region.

4. You can already see the default VPC for the region. Click Create VPC in the top
right-hand corner.
5. Within VPC settings, select VPC only for Resources to create, assign a name to
this VPC, mention the IPv4 CIDR block as 10.0.0.0/16, choose No IPv6 CIDR block
in IPv6 CIDR block option, and choose Tenancy as Default.

6. Optionally, you can assign a tag to this very VPC. Click Create VPC.
Step 2: Add two subnets to the custom VPC

7. You are taken to the details page of the newly created VPC. Click Subnets in the
navigation menu on the left side of the page.

8. Create two subnets in your custom VPC: one Public Subnet and one Private Subnet. Click
Create subnet at the top right-hand corner.

9. Select the newly created custom VPC from the drop-down menu.
10. Assign a name to this subnet and choose the first Availability Zone, so that the subnet
is tied to a specific AZ.

11. Allocate the IPv4 CIDR block 10.0.1.0/24, accept the default tag value and click
Add new subnet to define the second (private) subnet.
12. This second subnet is the private subnet of the custom VPC. Assign a name and choose an
Availability Zone. To match the design described above (one public and one private subnet
per AZ), pick the same AZ as the public subnet: the NAT gateway you create later in this lab
lives in the public subnet, and a NAT gateway in one AZ serves instances in another AZ only
at the cost of cross-AZ traffic charges and of losing Internet access if its AZ fails.

13. Allocate the IPv4 CIDR block 10.0.2.0/24, accept the default tag value and click
Create subnet.
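As an added example (not part of the original lab, and not AWS code), the following Python script plans the full two-AZ layout that the introduction describes, starting at 10.0.1.0/24 as the lab does, and performs the two checks the console applies when you type a subnet CIDR by hand: the block must lie inside the VPC and must not overlap an existing subnet. The AZ names are illustrative; any region's names work the same way.

```python
"""Plan the CIDR layout for the two-AZ VPC that the introduction describes.

This is an added example for this lab, not code from the lab itself or from
AWS. It uses only the Python standard library and runs offline; the AZ names
are illustrative and any region's AZ names work the same way.
"""
import ipaddress
from itertools import combinations, islice

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, tiers=("public", "private"), new_prefix=24, skip=1):
    """Carve one /new_prefix subnet per (AZ, tier) out of vpc_cidr.

    `skip` leaves the first `skip` blocks unused, matching the lab, which
    starts at 10.0.1.0/24 and leaves 10.0.0.0/24 free.
    Returns {az: {tier: cidr}} and raises ValueError if the VPC is too small.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    needed = skip + len(azs) * len(tiers)
    blocks = list(islice(vpc.subnets(new_prefix=new_prefix), needed))
    if len(blocks) < needed:
        raise ValueError(f"{vpc_cidr} cannot hold {needed} /{new_prefix} subnets")
    it = iter(blocks[skip:])
    return {az: {tier: str(next(it)) for tier in tiers} for az in azs}


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign to instances in a subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def overlapping_pairs(subnet_cidrs):
    """Pairs of subnets that overlap; the console rejects such a subnet."""
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def outside_vpc(vpc_cidr, subnet_cidrs):
    """Subnets that are not contained in the VPC block (also rejected)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in subnet_cidrs if not ipaddress.ip_network(c).subnet_of(vpc)]


if __name__ == "__main__":
    layout = plan_subnets("10.0.0.0/16", ["ap-southeast-1a", "ap-southeast-1b"])
    for az, tiers in layout.items():
        for tier, cidr in tiers.items():
            print(f"{az:16} {tier:8} {cidr:16} usable hosts: {usable_hosts(cidr)}")
    # A /25 inside an existing /24 is rejected, as is a block outside 10.0.0.0/16.
    print(overlapping_pairs(["10.0.1.0/24", "10.0.1.128/25"]))
    print(outside_vpc("10.0.0.0/16", ["10.0.2.0/24", "10.1.0.0/24"]))
```

The 251 usable hosts per /24 (256 minus the 5 addresses AWS reserves) is worth remembering when sizing subnets for auto-scaling groups.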
Step 3: Create an internet gateway and attach it to VPC
14. Both subnets (public and private) are now created. Next, create an internet gateway.
Click Internet Gateways in the navigation menu on the left side of the dashboard.

15. You can already see the internet gateway attached to the region's default VPC. Click
Create internet gateway to create a new one.

16. Assign a name to this internet gateway, accept the default tag value and click Create
internet gateway. The new gateway is shown as Detached; click Attach to VPC to attach it
to your newly created custom VPC.

17. Select the custom VPC and click Attach internet gateway.

18. The internet gateway is now attached to the custom VPC, but nothing routes traffic to it
yet. Click Route Tables in the navigation menu on the left side of the VPC dashboard.
19. Create a route table with a default route (0.0.0.0/0) to the internet gateway, then
associate it with the public subnet; a subnet is "public" only once its route table has
such a route. Click Create route table at the top right-hand corner.

20. Assign a name to the route table, choose your custom VPC and click Create route table.

21. Once created, click Edit routes to add a route to this new route table.
22. Click Add route on the Edit routes page.

23. Enter 0.0.0.0/0 as the Destination and select Internet Gateway from the Target list.

24. Select the internet gateway that is attached to your custom VPC and click
Save changes.
25. The route table now has a default route to the Internet. Associate it with the public
subnet: click Subnet associations.

26. Click Edit subnet associations.

27. Choose the public subnet of your custom VPC and click Save associations. Leave the
private subnet alone: it stays on the VPC's main route table, which only has the local
10.0.0.0/16 route and therefore no path to the Internet.
Step 4: Launching EC2 instances
28. Navigate to the EC2 dashboard by typing EC2 in the search bar at the top and opening
the service.

29. Launch one EC2 instance in each subnet (public and private) of your custom VPC. Click
Launch instance.

30. As this instance will be launched in the public subnet of our custom VPC, name it
accordingly (it will serve as the bastion host).
31. Choose the default Amazon Linux 2 AMI. Its default login user is ec2-user, which you
will need when you connect.

32. Accept the default and free tier eligible instance type, i.e. t2.micro or t3.micro
(depending on the region).

33. For Key pair name, choose an existing key pair, or choose Create new key pair to
create a new one.
● For Name, enter a descriptive name for the key pair. Amazon EC2 associates the
public key with the name that you specify as the key name. A key name can include
up to 255 ASCII characters and cannot include leading or trailing spaces.
● For Key pair type, choose either RSA or ED25519.
● For Private key file format, choose the format in which to save the private key. To
save the private key in a format that can be used with OpenSSH, choose pem. To
save the private key in a format that can be used with PuTTY, choose ppk.
● Choose Create key pair.

● The private key file is automatically downloaded by your browser. The base file name
is the name that you specified for the key pair, and the extension is determined by
the file format that you chose. Save the private key file in a safe place: AWS keeps
only the public key, so the file cannot be downloaded again, and anyone who holds it
can log in to every instance launched with this key pair.
34. Scroll down and click Edit next to the Network Settings.

35. For VPC, select your custom VPC from the list, and for Subnet choose the public subnet
from the drop-down menu.

36. For Auto-assign public IP, select Enable from the drop-down menu.
37. For Firewall (security groups), choose Create security group, and assign a name and
a description.

38. The default rule allows SSH (TCP 22) from anywhere (0.0.0.0/0). That is tolerable for a
short-lived lab, but an SSH port open to the Internet is the first thing scanners find, so
change Source to My IP so that only your current address can reach port 22. Then click
Add security group rule.

39. For this rule, choose HTTP from Anywhere, and click Add security group rule.
40. For this rule, choose HTTPS from Anywhere. Nothing in this lab serves web traffic, so
these two rules only matter if you later install a web server on the instance.

41. Accept the default parameters within Configure storage and Advanced details and
click Launch instance.

42. After the instance is launched, click the instance ID to view the instance you have
just launched.

43. This takes you to the instances dashboard. Click Launch instances to launch another
EC2 instance, this time into the private subnet of your VPC.
44. As this instance will be launched in the private subnet of your custom VPC, give it a
name that lets you tell the two instances apart.

45. Choose the default Amazon Linux 2 AMI.

46. Accept the default and free tier eligible instance type, i.e. t2.micro or t3.micro
(depending on the region).
47. Select the same key pair which you’ve created at the time of launching the previous
instance in the public subnet of your custom VPC.

48. Click Edit next to Network settings.

49. For VPC, select your custom VPC from the list.

50. For Subnet, choose the private subnet from the drop-down menu.
51. For Firewall (security groups), select the security group you created when launching
the instance in the public subnet. Be aware that this group allows SSH from anywhere; the
private instance is unreachable from the Internet only because it has no public IP and its
subnet has no route to the internet gateway. The tighter choice is a second security group
whose only inbound rule allows SSH from the public instance's security group, so that the
private instance accepts logins from the bastion alone.

52. Accept the default parameters within Configure storage and Advanced details and
click Launch instance.

53. Click View all instances to see the list of your two newly launched EC2 instances.
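The security-group choices in steps 37 to 40 and 51 can be checked mechanically. The following Python script is an added example (not code from the lab or from AWS): it writes the lab's inbound rules in the IpPermissions shape that `aws ec2 describe-security-groups` returns, flags any admin port exposed to the whole Internet, and builds the two tighter rule sets suggested above. The group ID and administrator address are made up.

```python
"""Audit security-group rules for Internet-exposed admin ports and build the
tighter rules this lab could use instead.

Added example, not code from the lab or from AWS. Rules are written in the
IpPermissions shape that `aws ec2 describe-security-groups` returns, so the
audit runs unchanged on real output; the group ID and admin address are made up.
"""
ANYWHERE_V4 = "0.0.0.0/0"
ANYWHERE_V6 = "::/0"
ADMIN_PORTS = {22, 3389}  # SSH and RDP: the ports Internet scanners try first


def tcp_rule(port, cidr=None, source_sg=None):
    """One inbound TCP rule; the source is either a CIDR or another security group."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": source_sg}] if source_sg else [],
    }


# Constructed to match the lab's group: SSH, HTTP and HTTPS from anywhere.
LAB_SG_INBOUND = [tcp_rule(22, ANYWHERE_V4), tcp_rule(80, ANYWHERE_V4),
                  tcp_rule(443, ANYWHERE_V4)]


def _port_range(perm):
    # Protocol "-1" means all traffic; the API reports it without port fields.
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def _open_to_world(perm):
    return (any(r.get("CidrIp") == ANYWHERE_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANYWHERE_V6 for r in perm.get("Ipv6Ranges", [])))


def world_reachable_admin_ports(permissions):
    """Admin ports that any rule exposes to the whole Internet (sorted list)."""
    hits = set()
    for perm in permissions:
        if perm["IpProtocol"] not in ("tcp", "-1") or not _open_to_world(perm):
            continue
        lo, hi = _port_range(perm)
        hits.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return sorted(hits)


def bastion_inbound(admin_cidr):
    """Public instance: SSH only from the administrator's address (console: Source = My IP)."""
    return [tcp_rule(22, cidr=admin_cidr)]


def private_inbound(bastion_sg_id):
    """Private instance: SSH only from members of the bastion's security group."""
    return [tcp_rule(22, source_sg=bastion_sg_id)]


if __name__ == "__main__":
    print("lab group exposes:", world_reachable_admin_ports(LAB_SG_INBOUND))
    print("bastion group exposes:",
          world_reachable_admin_ports(bastion_inbound("198.51.100.7/32")))
    print("private group exposes:",
          world_reachable_admin_ports(private_inbound("sg-0123456789abcdef0")))
```

Referencing a security group as the source (UserIdGroupPairs) rather than the bastion's IP is what keeps the rule correct when the bastion is replaced and gets a new address.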
54. Now access the instances via SSH. Because you will hop from the public instance (the
bastion) to the private instance within the same session, the private key is loaded into
an SSH agent and forwarded; the setup differs between macOS and Windows.

For macOS:

A. Open Terminal and change to the directory where you stored your private key.

B. If you are using the private key for the first time, restrict its permissions, or ssh
will refuse to use it: chmod 400 <name_of_the_key>.pem

C. Add the private key to the agent and to the macOS keychain with
ssh-add --apple-use-keychain <name_of_the_key>.pem (on macOS versions before Monterey
the equivalent option is ssh-add -K). The agent prompts for your passphrase, if there is
one, stores the private key in memory and the passphrase in your keychain.

D. After the key is added, connect to the bastion instance with the -A option:
ssh -A ec2-user@<public_ipv4_address>. This enables SSH agent forwarding and lets the
local SSH agent answer the public-key challenge when you use SSH from the bastion to a
target instance in your VPC, without ever copying the private key onto the bastion. Note
that while forwarding is active, anyone with root on the bastion can use your agent to
authenticate as you; outside a lab, prefer ssh's -J (ProxyJump) option, which tunnels
through the bastion without exposing the agent to it.
Note: In your case, the bastion host is the instance that you launched in the public subnet of
your custom VPC.

To get the public IPv4 address of the instance launched in the public subnet, select it on
the instances dashboard, go to Details, and copy the Public IPv4 address into the command.

For Windows:

A. Download Pageant (the PuTTY authentication agent) from
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

B. Once downloaded, double-click the Pageant icon to start it.
C. In the notification area (the system tray at the bottom right corner of the Windows
taskbar), locate the Pageant icon.

D. Right-click the icon and click Add Key.
E. Select the private (.ppk) key and click Open. After the key is added, Pageant keeps
running in the background.

F. Now connect to the instance in the public subnet with PuTTY. Open PuTTY, choose
Session in the Category pane and complete the following fields:

● In the Host Name box, enter either the Public IPv4 address or the Public IPv4 DNS name
of the Linux instance.

● To get the public IPv4 address of the instance in the public subnet, select it on the
instances dashboard, go to Details, and copy it from there.
● Ensure that the Port value is 22.
● Under Connection type, select SSH.

In the Category pane, expand Connection, expand SSH, and then choose Auth. Complete
the following:

● Check the Allow agent forwarding box and leave the Private key file for
authentication field empty (Pageant supplies the key).
● Click Open to open the SSH session.
With agent forwarding enabled in the PuTTY configuration, you can connect from the public
instance to any other instance in the VPC without having the SSH private key on the bastion.
To connect to other instances, run the following from the bastion:

ssh ec2-user@<instance-IP-address or DNS-entry>

● If a PuTTY Security Alert appears (the bastion's host key is not yet in your cache),
click Accept to proceed. The same caveat as on macOS applies: while forwarding is enabled,
root on the bastion can use your agent.

G. Once connected, enter the default username for the AMI (ec2-user for Amazon Linux;
ubuntu if you chose an Ubuntu AMI) and press Enter. You are now on the EC2 instance
running in the public subnet of your custom VPC.
55. Now that you are on the instance in the public subnet, download updates to verify that
it has full access to the Internet. Run sudo yum update -y (Amazon Linux) or
sudo apt-get update (Ubuntu). The command runs on the instance, so it is the same whether
you connected from a macOS terminal or from PuTTY on Windows.

56. After the updates install, connect to the instance in the private subnet. First fetch
its private IP address: on the instances dashboard select the instance, go to Details and
copy the Private IPv4 address.

57. From the shell on the public instance, run: ssh ec2-user@<private_ipv4_address>

This hop succeeds because both subnets share the VPC's local route (10.0.0.0/16), the
security group allows SSH, and your forwarded agent answers the key challenge. You are now
on the instance in the private subnet, reached through the instance in the public subnet.

58. Now try installing updates on this instance.

The command hangs and eventually times out: the private subnet is associated with the VPC's
main route table, which has only the local 10.0.0.0/16 route, and the instance has no public
IP address, so packets destined for the Internet have nowhere to go.

Hence, you will now launch a NAT gateway and route the private subnet's Internet-bound
traffic through it.

A NAT gateway lets instances in the private subnet initiate connections to the Internet (to
fetch patches and updates) while translating their source address to the gateway's Elastic
IP. The instances' private addresses are never exposed, and hosts on the Internet still
cannot initiate connections to them.

59. Go back to the VPC dashboard and click NAT Gateways in the navigation pane on the left
side of the dashboard.
60. Click Create NAT gateway at the top right of the page.

61. In NAT gateway settings, assign a name, select the public subnet from the list and
choose Public as the Connectivity type. The gateway must sit in the public subnet: it
reaches the Internet through that subnet's route to the internet gateway, so placing it in
the private subnet would leave it, and everything behind it, without Internet access.

62. Scroll down, click Allocate Elastic IP to allocate an Elastic IP for the NAT gateway,
and finally click Create NAT gateway.
63. To send the private subnet's traffic through this NAT gateway, create a new route table
with a default route to it and associate that table with the private subnet.

Click Route Tables on the navigation pane (located at the left side of the VPC dashboard).

64. Click Create route table at the top right hand corner of the web page.
65. Assign a name to the route table, choose your custom VPC underneath, accept the
default tag value and click Create route table.

66. Once created, click Edit routes.

67. Click Add route.


68. Enter 0.0.0.0/0 as the Destination and choose NAT Gateway as the Target.

69. The list shows the NAT gateway you deployed a moment ago.

70. Select that NAT gateway and click Save changes.
71. Lastly, this route table with its new route needs to be associated with the private
subnet of your custom VPC.

Select Subnet associations and click Edit subnet associations.

72. Select private subnet and click Save associations.

73. Now try installing updates on the instance in the private subnet again from your
terminal or shell.
As you can see, the instance in the private subnet of your custom VPC can now install
updates, which was not possible before. Its outbound traffic leaves the VPC with the NAT
gateway's Elastic IP as the source address, while it remains unreachable from the Internet.
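The three outcomes observed in this lab (the bastion reaching the Internet, the private instance timing out in step 58, and the private instance succeeding in step 73) all follow from a few routing rules. The following Python model is an added example, not code from the lab or from AWS: it encodes those rules (longest-prefix match, an internet gateway only forwarding for instances with a public address, a NAT gateway needing an internet-gateway route of its own) and replays the lab's topology on made-up resource IDs, including the misconfiguration of creating the NAT gateway in the private subnet. The bastion's public address is assumed.

```python
"""Model of the routing decisions behind this lab: why the private instance
times out before the NAT gateway exists, why it works afterwards, and why the
NAT gateway must live in the public subnet.

Added example, not code from the lab or from AWS. Resource IDs and the
bastion's public address are made up, so it runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

INTERNET_HOST = "203.0.113.10"  # documentation address standing in for "the Internet"


@dataclass
class RouteTable:
    routes: Dict[str, str]  # destination CIDR -> target: "local", "igw-..." or "nat-..."


@dataclass
class Subnet:
    cidr: str
    route_table: RouteTable


@dataclass
class Instance:
    subnet: Subnet
    public_ip: Optional[str] = None


def lookup_route(table, dest_ip):
    """Longest-prefix match, as the VPC router does; None if no route matches."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in table.routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public(subnet):
    """A subnet is public when its default route points at an internet gateway."""
    target = lookup_route(subnet.route_table, INTERNET_HOST)
    return target is not None and target.startswith("igw-")


def internet_egress(instance, nat_subnets):
    """How the instance reaches the Internet: 'igw', 'nat' or 'none'.

    nat_subnets maps each NAT gateway ID to the subnet it was created in.
    """
    target = lookup_route(instance.subnet.route_table, INTERNET_HOST)
    if target is None or target == "local":
        return "none"
    if target.startswith("igw-"):
        # The IGW translates 1:1 between public and private address; with no
        # public IP there is nothing to translate to and the packet is dropped.
        return "igw" if instance.public_ip else "none"
    if target.startswith("nat-"):
        # The NAT gateway forwards through its own subnet's route table,
        # so it only works when that subnet is public.
        return "nat" if is_public(nat_subnets[target]) else "none"
    return "none"


def internet_ingress(instance):
    """Can a host on the Internet initiate a connection to this instance at all?
    (Security groups are a further filter on top of this.)"""
    return bool(instance.public_ip) and is_public(instance.subnet)


# --- The lab's topology, with made-up IDs ---------------------------------
LOCAL = {"10.0.0.0/16": "local"}
public_rt = RouteTable({**LOCAL, "0.0.0.0/0": "igw-0a1b2c3d4e5f60718"})
main_rt = RouteTable(dict(LOCAL))  # what the private subnet uses at first
public_subnet = Subnet("10.0.1.0/24", public_rt)


def lab_scenarios():
    """Egress/ingress results for each stage of the lab."""
    private_before = Subnet("10.0.2.0/24", main_rt)
    bastion = Instance(public_subnet, public_ip="18.139.0.10")  # assumed address
    nat_id = "nat-0fedcba9876543210"
    private_after = Subnet("10.0.2.0/24", RouteTable({**LOCAL, "0.0.0.0/0": nat_id}))
    return {
        "bastion_egress": internet_egress(bastion, {}),
        "bastion_ingress": internet_ingress(bastion),
        # step 58: yum times out
        "private_before_nat": internet_egress(Instance(private_before), {}),
        # step 73: updates work once the NAT gateway sits in the public subnet
        "private_after_nat": internet_egress(Instance(private_after), {nat_id: public_subnet}),
        # misconfiguration: NAT gateway created in the private subnet itself
        "nat_in_private_subnet": internet_egress(Instance(private_after), {nat_id: private_after}),
        # even with "SSH from anywhere" in the security group, the Internet cannot reach it
        "private_ingress": internet_ingress(Instance(private_after)),
    }


if __name__ == "__main__":
    for name, result in lab_scenarios().items():
        print(f"{name:24} {result}")
```

The model deliberately stops at the routing layer: a security group can only narrow what the route tables and public address already permit, which is why the private instance stays unreachable even with the lab's permissive group.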

Clean up
● Terminate both instances, delete the NAT gateway, release its Elastic IP (an allocated
Elastic IP that is no longer attached to anything is itself billed), and then delete your
custom VPC; deleting the VPC also removes its subnets, route tables and internet gateway.
This ensures that your account does not incur unexpected charges.

● Note that a NAT gateway is not a free resource: it is billed for every hour it exists and
for every GB it processes, so a small charge will appear on your next monthly statement.
