Creating a VPC with Private and Public Subnets
This project demonstrates how to set up infrastructure in AWS with a few configurations and a couple of mouse clicks. Being able to build infrastructure this quickly is only one of the many advantages of using the cloud with AWS. I have created a diagram to help visualize the setup. In the diagram below, the VPC (purple) has two subnets, one public and one private, each with its own security group (blue). Security groups act as a stateful firewall at the instance level: we choose exactly which traffic may reach our instances, and the return traffic for an allowed connection is permitted automatically. The VPC also has a network access control list (NACL), a stateless filter applied at the subnet boundary, which gives us a second place to control the traffic allowed in and out of the VPC. In this project we will connect to the instance in the public subnet, which I will set up as a bastion host, and from there connect on to the instance in the private subnet. With this design only the bastion accepts SSH from outside the VPC, and only from the address we choose, so the private instance is never exposed to the internet directly.
Prerequisites:
The only thing you need to follow along and complete this lab is an AWS account. Everything in this lab stays within the AWS Free Tier, provided you choose a Free Tier eligible instance type when launching the instances and terminate them when you are done. Now, let us get started with this project to see the advantage of using AWS for our infrastructure.
Once you log in to the AWS console, as shown above, navigate to the VPC dashboard. Simply type "vpc" in the search field and select the VPC service. You should be directed to a screen like this:
Click on "Your VPCs" in the panel on the left and select Create VPC in the upper-right corner. Create your VPC by giving it a name and entering an IPv4 CIDR block; a private range such as 10.0.0.0/16 leaves plenty of room for subnets. Finish by selecting Create VPC.
Next, set up your subnets. I will create the private subnet first and then the public subnet. Click Subnets in the panel on the left and then Create subnet in the upper-right corner. Select the VPC you just created and give the subnet a name. Next, give the subnet an IPv4 CIDR block: it must lie inside the VPC's block and must not overlap any other subnet (with a 10.0.0.0/16 VPC, for example, 10.0.1.0/24 for the private subnet and 10.0.0.0/24 for the public one; AWS reserves the first four and the last address of every subnet for its own use). Click add subnet and repeat these steps for the public subnet. Be sure to name your subnets so you can tell them apart later. Note that at this point both subnets are still private: a subnet only becomes public once its route table sends internet-bound traffic to an internet gateway, which we set up further down.
Now it is time to set up the instances inside our subnets. Navigate to EC2 by typing EC2 in the search bar, then click Instances under the EC2 dashboard.
Click Launch Instance and select an instance type based on your needs (a Free Tier eligible type if you want to stay within the free tier). Choose or create a key pair; you will need its private key to SSH in. Click Configure Instance Details, and you should see a screen similar to the one shown below:
Be sure to select your VPC instead of the default VPC, and for the bastion host choose the public subnet with Auto-assign Public IP enabled so that it gets an address reachable from the internet. Repeat these steps for the other instance and specify the private subnet; that instance does not need a public IP.
Now I will set up the Internet Gateway so that the VPC can reach the internet. In the VPC console, navigate to Internet Gateways in the panel on the left (as shown above), then click Create internet gateway in the upper-right corner. Specify a name for the gateway and click Create. Once you have created it, you should be presented with a screen like this:
Make sure your internet gateway is selected, click Actions in the upper-right corner, select Attach to VPC, specify your VPC when prompted and click Attach. Attaching the gateway by itself does not expose anything: traffic only flows through it once a route table points at it.
Next, I will set up the Network Access Control List by clicking Network ACLs under Security in the VPC panel on the left and then clicking Create network ACL in the upper-right corner.
Once it is created, select the ACL, go to the Actions menu and choose Edit subnet associations to associate your subnets with the network ACL. Next, set your inbound and outbound rules. A newly created NACL denies all traffic until you add rules (unlike the default NACL, which allows everything). I will be allowing all traffic in and out of my environment, so that filtering is done by the security groups; set yours as needed. Keep in mind that NACLs are stateless: if you do restrict them, you must also allow the return traffic, for example inbound TCP on the ephemeral ports 1024-65535 for connections your instances open outbound.
First I set the inbound rules by selecting my NACL and clicking Edit inbound rules under the Actions menu. Then click Add new rule in the bottom-left corner and specify the rules you wish to set. Repeat this step for the outbound rules as well. We will now set up the security groups. Navigate to Security Groups under Security in the panel on the left in the VPC console, which looks something like this:
Click Create security group in the upper-right corner and you should be directed to a page like the one shown:
This is where you provide the security group name and description as well as the inbound and outbound rules. Be sure to specify the VPC you are building your environment in. To add a rule for inbound or outbound traffic, select Add rule in the corresponding section. We need two groups: one for the bastion host and one for the private instance.
For the bastion's group, one of my inbound rules allows SSH (TCP port 22) only from my personal laptop, entered as my public IP address with a /32 mask. I have concealed my IP address for security reasons, but an example is shown to the left. Never use 0.0.0.0/0 as the source here; that would expose SSH to the whole internet, which is exactly what the bastion is meant to avoid. For the private instance's group, allow SSH with the bastion's security group as the source rather than a CIDR: the private instance then accepts SSH only from the bastion, and the rule keeps working even if the bastion's IP address changes. Create tags if needed and select Create security group. Now we set up the route table by navigating to Route Tables in the panel on the left in the VPC console and selecting Create route table in the upper-left corner. Here you can set a name and choose which VPC to associate with the route table; when finished, select Create in the bottom-right corner. Then, with the new route table selected, open the Routes tab, choose Edit routes, and add a route with destination 0.0.0.0/0 and your internet gateway as the target. This route is what makes a subnet public, so it belongs only in the route table used by the public subnet. Now we just need to associate our subnets with the route tables.
To do this, select the route table you created while in the Route Tables section. Once the route table you wish to use is checked, click Actions and select Edit subnet associations. You should be presented with a screen like the one below:
Select the public subnet to associate with this route table and click Save in the bottom-right corner. Leave the private subnet on the VPC's main route table, which carries only the local route for the VPC's own CIDR, so it has no path to or from the internet. Now we just need to test the connection: SSH to the bastion's public IP from your laptop, then from the bastion SSH to the private instance's private IP. Rather than copying your private key onto the bastion, use SSH agent forwarding or OpenSSH's ProxyJump option (ssh -J) so that the key never leaves your machine. Here is a link to help with connecting to our private instance: https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/.
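As an added example (not part of the original post, and not AWS tooling), here is a small Python script that checks a VPC design like the one built above for the mistakes that most often break or weaken a bastion setup. It models the VPC, subnets, route tables and security groups as dictionaries shaped after the AWS CLI describe-* output; every ID and address in it is constructed for the example. It flags subnets that lie outside the VPC block or overlap each other, a public subnet without a 0.0.0.0/0 route to an internet gateway (or a private subnet that has one), a bastion that accepts SSH from anything wider than a single /32, and a private instance whose SSH rule names anything other than the bastion's security group as its source.

```python
"""Offline design check for a public/private subnet VPC with a bastion host.

Added example: not code from the original post or from AWS. Resources are
modelled as dicts shaped after the AWS CLI describe-* output; every ID
and address below is constructed for this example.
"""
from ipaddress import ip_network

# ---- constructed sample design (IDs and addresses are made up) ----
VPC = {"VpcId": "vpc-0example", "CidrBlock": "10.0.0.0/16"}

# "public" records what we intend; check_routes verifies the route tables agree.
SUBNETS = {
    "subnet-0public": {"CidrBlock": "10.0.0.0/24", "public": True},
    "subnet-0private": {"CidrBlock": "10.0.1.0/24", "public": False},
}

ROUTE_TABLES = [
    {"Associations": ["subnet-0public"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": ["subnet-0private"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

SECURITY_GROUPS = {
    # bastion: SSH only from the operator's laptop, as a single host (/32)
    "bastion": {"GroupId": "sg-0bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    # private instance: SSH only from members of the bastion's security group
    "private": {"GroupId": "sg-0private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]}]},
}


def check_cidrs(vpc, subnets):
    """Subnets must be /16 to /28, sit inside the VPC block and not overlap."""
    findings = []
    vpc_net = ip_network(vpc["CidrBlock"])
    nets = {sid: ip_network(s["CidrBlock"]) for sid, s in subnets.items()}
    for sid, net in nets.items():
        if not net.subnet_of(vpc_net):
            findings.append(f"{sid}: {net} lies outside the VPC block {vpc_net}")
        if not 16 <= net.prefixlen <= 28:
            findings.append(f"{sid}: {net} is not between /16 and /28")
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    return findings


def check_routes(subnets, route_tables):
    """A subnet is public exactly when its table sends 0.0.0.0/0 to an igw."""
    findings = []
    for table in route_tables:
        has_igw_default = any(
            r["DestinationCidrBlock"] == "0.0.0.0/0" and r["GatewayId"].startswith("igw-")
            for r in table["Routes"])
        for sid in table["Associations"]:
            if subnets[sid]["public"] and not has_igw_default:
                findings.append(f"{sid}: meant to be public but has no 0.0.0.0/0 -> igw route")
            if not subnets[sid]["public"] and has_igw_default:
                findings.append(f"{sid}: meant to be private but its table has a default route to an igw")
    return findings


def ssh_sources(group):
    """Return (cidr_sources, sg_sources) allowed to reach TCP/22 on this group."""
    cidrs, sgs = [], []
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "tcp" and not perm["FromPort"] <= 22 <= perm["ToPort"]:
            continue
        if proto not in ("tcp", "-1"):  # "-1" means all traffic and carries no ports
            continue
        cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sgs += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return cidrs, sgs


def check_security_groups(groups):
    """Bastion: SSH from single hosts only. Private: SSH from the bastion SG only."""
    findings = []
    bastion, private = groups["bastion"], groups["private"]
    for cidr in ssh_sources(bastion)[0]:
        if ip_network(cidr).prefixlen < 32:  # wider than one host
            findings.append(f"{bastion['GroupId']}: SSH open to {cidr}; use your own address as a /32")
    cidrs, sgs = ssh_sources(private)
    if cidrs:
        findings.append(f"{private['GroupId']}: SSH allowed from CIDRs {cidrs}; source should be the bastion SG")
    if set(sgs) != {bastion["GroupId"]}:
        findings.append(f"{private['GroupId']}: SSH SG sources {sgs} are not exactly the bastion {bastion['GroupId']}")
    return findings


def audit(vpc=VPC, subnets=SUBNETS, route_tables=ROUTE_TABLES, groups=SECURITY_GROUPS):
    """Run every check; an empty list means the design matches the bastion pattern."""
    return (check_cidrs(vpc, subnets) + check_routes(subnets, route_tables)
            + check_security_groups(groups))


if __name__ == "__main__":
    problems = audit()
    print("\n".join(problems) if problems else "design is consistent with the bastion pattern")
```

To check a real account instead of the constructed data, feed `audit()` the output of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-security-groups` after mapping it into the same shape; the checks themselves need no AWS access. The private-instance check deliberately treats any CIDR source as a finding, even one inside the VPC, because a CIDR rule would also admit any future instance launched into that range, while a security-group source admits only the bastion.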