[Diagram: region Oregon (us-west-2). MyVPC 10.0.0.0/16 with MyIGW attached. Subnet 10.0.1.0/24 (us-west-2a, the DMZ) holds MyWebServer1; subnet 10.0.2.0/24 (us-west-2b) holds MyDBServer. MyInternetRouteTable: 0.0.0.0/0 -> IGW. MySecurityGroup inbound: SSH 22 from 0.0.0.0/0, HTTP 80 from 0.0.0.0/0.]
[Second diagram, after the NAT step: adds MyNATVM (ami-69ae8259, HVM, GP2) in 10.0.1.0/24 with MyNATSG (inbound HTTP 80 and HTTPS 443 from 10.0.2.0/24), and the Main route table now has 0.0.0.0/0 -> NAT.]
AWS VPC Lab

Create a VPC
  Name MyVPC, CIDR block 10.0.0.0/16, Tenancy Default.
  Look at route tables: a route table (the main route table, local route only) is created automatically when the VPC is created.

Create 3 subnets (Create Subnet). A subnet is always mapped to exactly one AZ.
  VPC MyVPC, CIDR block 10.0.1.0/24, Name 10.0.1.0, AZ us-west-2a
  VPC MyVPC, CIDR block 10.0.2.0/24, Name 10.0.2.0, AZ us-west-2b
  VPC MyVPC, CIDR block 10.0.3.0/24, Name 10.0.3.0, AZ us-west-2c
  Select one subnet and see that it already has a route table (the main one).

Add an Internet Gateway
  Create Internet Gateway, Name MyIGW, then Attach to VPC (MyVPC).
  A VPC can only have one internet gateway attached. (An exam question may say "your internet is not working, should you attach another Internet Gateway to the VPC?" That cannot be the right answer.)

Add a new route table so the IGW can reach our EC2 instances
  Create Route Table, Name MyInternetRouteTable, VPC MyVPC.
  Routes tab (MyInternetRouteTable): add another route with destination 0.0.0.0/0 and target our IGW, so all non-local traffic goes out through it. Save.
  [Confirm the routes of the 10.0.1.0/24 subnet before the next step.]
  Subnet Associations tab (MyInternetRouteTable): associate 10.0.1.0/24 with MyInternetRouteTable. This becomes the internet-facing DMZ. The other subnets keep using the main route table, which has no IGW route, so they stay private.

Deploy EC2 instances into 10.0.1.0/24 and 10.0.2.0/24
  DMZ instance: Network MyVPC (10.0.0.0/16), Subnet 10.0.1.0/24, Auto-assign Public IP: Enable, Tag Name MyWebServer1. Create a new security group allowing SSH and HTTP (the lab opens both to 0.0.0.0/0; outside a lab, restrict SSH to your own source IP). Create a new key pair MyNewKeyPair, download it, and cut and paste its contents into the clipboard.
  Application or DB server: Network MyVPC (10.0.0.0/16), Subnet 10.0.2.0/24, Auto-assign Public IP: Use subnet setting (Disable), Tag Name MyDBServer. Put it into the same security group.
  Remember: a security group can stretch across subnets and AZs. A subnet cannot span AZs.
Use the existing key pair (MyNewKeyPair).
SSH into the DMZ host (MyWebServer1) and run yum update.
SSH from the DMZ host into the app server using its private IP address: put the .pem file on the DMZ host, chmod 0600 the .pem file, then ssh ec2-user@<app server private IP>.
  (Copying the private key onto the DMZ host is what the lab does, but it leaves a copy of the key on an internet-facing machine. SSH agent forwarding, ssh -A ec2-user@<DMZ public IP>, or a ProxyJump, ssh -J ec2-user@<DMZ public IP> ec2-user@<app server private IP>, makes the same hop with the key staying on your laptop.)
yum update on the app server will fail because its subnet's route table has no route to the IGW (private subnets are not internet accessible). We will solve this with a NAT host.
Add a NAT so that the DB server can perform a yum update.
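The routing logic behind the failed yum update, as an added Python model that is not part of the course notes: it reconstructs the lab's route tables, subnets and instances and decides, with longest-prefix matching like the VPC router, whether an instance has a path out to the internet and whether the internet has a path in to it. It runs ahead of the text to also cover the NAT instance the next section adds, because the same conditions decide whether that fix works: a 0.0.0.0/0 route, a public IP on whichever instance actually hits the IGW, and source/destination check disabled on the NAT. The names, the build_lab flags, and the 8.8.8.8 stand-in for "the internet" are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RouteTable:
    name: str
    routes: dict  # destination CIDR -> target: "local", "igw" or "nat"


@dataclass
class Subnet:
    name: str
    cidr: str
    route_table: RouteTable  # the main table unless explicitly associated with another


@dataclass
class Instance:
    name: str
    subnet: Subnet
    public_ip: bool = False       # auto-assigned public IPv4 or an Elastic IP
    src_dst_check: bool = True    # EC2 default; must be turned off on a NAT instance


INTERNET_HOST = "8.8.8.8"  # constructed: any address outside 10.0.0.0/16 stands in for "the internet"


def lookup_route(table, dst):
    """Longest-prefix match over the table, the way the VPC router picks a route.
    Returns the target, or None when no route covers dst (the packet is dropped)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in table.routes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def egress_path(inst, nat=None, dst=INTERNET_HOST):
    """Hop that carries inst's traffic to dst: "local", "igw", "nat", or None if it cannot get out.
    An IGW route only helps an instance that has a public IPv4 (the IGW does that 1:1 NAT);
    a route to a NAT instance only helps if the NAT forwards (source/dest check off) and can
    itself reach the IGW."""
    target = lookup_route(inst.subnet.route_table, dst)
    if target == "igw":
        return "igw" if inst.public_ip else None
    if target == "nat":
        if nat is None or nat.src_dst_check:
            return None
        return "nat" if egress_path(nat, dst=dst) == "igw" else None
    return target


def internet_reachable(inst):
    """Inbound from the internet needs both an IGW route on the subnet and a public IP on the instance."""
    return lookup_route(inst.subnet.route_table, INTERNET_HOST) == "igw" and inst.public_ip


def build_lab(nat_route=False, nat_has_eip=False, nat_check_disabled=False):
    """Reconstruct the lab: the main table (local route only) still serves 10.0.2.0/24,
    MyInternetRouteTable (local + 0.0.0.0/0 -> IGW) serves the 10.0.1.0/24 DMZ."""
    main = RouteTable("main", {"10.0.0.0/16": "local"})
    public_rt = RouteTable("MyInternetRouteTable", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"})
    dmz = Subnet("10.0.1.0", "10.0.1.0/24", public_rt)
    private = Subnet("10.0.2.0", "10.0.2.0/24", main)
    if nat_route:  # the later NAT step: 0.0.0.0/0 -> MyNATVM added to the main table
        main.routes["0.0.0.0/0"] = "nat"
    return {
        "MyWebServer1": Instance("MyWebServer1", dmz, public_ip=True),
        "MyDBServer": Instance("MyDBServer", private),
        "MyNATVM": Instance("MyNATVM", dmz, public_ip=nat_has_eip,
                            src_dst_check=not nat_check_disabled),
    }


def db_can_yum_update(nat_route=False, nat_has_eip=False, nat_check_disabled=False):
    """True when MyDBServer has a working path to the internet in the given lab state."""
    lab = build_lab(nat_route, nat_has_eip, nat_check_disabled)
    return egress_path(lab["MyDBServer"], nat=lab["MyNATVM"]) == "nat"


if __name__ == "__main__":
    lab = build_lab()
    for name, inst in lab.items():
        print(f"{name:12} egress={egress_path(inst, nat=lab['MyNATVM'])} "
              f"reachable_from_internet={internet_reachable(inst)}")
    print("DB yum update with NAT route only:", db_can_yum_update(nat_route=True))
    print("DB yum update with route + EIP + check off:",
          db_can_yum_update(nat_route=True, nat_has_eip=True, nat_check_disabled=True))
```

Run it as is and MyDBServer shows no egress and no inbound reachability, which is exactly why yum update fails there while MyWebServer1 (IGW route plus public IP) succeeds; flipping the three NAT flags one at a time shows that the route alone, or route plus Elastic IP alone, is not enough.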
Create security group MyNatSG in MyVPC.
  Inbound rules: HTTP from custom IP 10.0.2.0/24 (the DB server subnet), HTTPS from custom IP 10.0.2.0/24. Save.
  (Optional) add outbound rules for HTTP and HTTPS.

Create the NAT instance
  Launch EC2 instance; search the Community AMIs for the Amazon NAT instance (HVM), t2.micro.
  (Possible exam question: if the network path to the internet is bottlenecked, increase the NAT instance type, e.g. t2.micro -> m3.large.)
  Network MyVPC, Subnet 10.0.1.0 (the public subnet created earlier).
  Auto-assign Public IP: Disable. This is done to reinforce that just because an instance is in a public subnet does not mean it is reachable from the internet; the public address is added manually in a later step.
  Tag Name MyNATVM.
  Put it into the existing security group MyNatSG (HTTP and HTTPS). You will get a warning that this host has no port 22 (SSH) access; that is expected.
  Use MyNewKeyPair (probably not necessary, since we have no SSH access to it at the moment). Launch.

Next step: go to Elastic IPs and Associate Address to the newly created NAT instance. (Exam question.)
Select the NAT instance, Actions > Networking > Change Source/Dest. Check, and disable it. The NAT instance is neither the origin nor the destination of the traffic it forwards, it only proxies it, so with the check on EC2 would drop those packets.

Create a route for servers in the private subnet to reach the NAT
  VPC > Route Tables; select the unnamed 10.0.0.0/16 route table (Main = Yes, explicitly associated with 0 subnets; every subnet without an explicit association, i.e. 10.0.2.0/24 and 10.0.3.0/24, uses it implicitly).
  Add route: destination 0.0.0.0/0, target MyNATVM. Save.
  Go back to the MyDBServer SSH prompt; yum update should now work.
  (A single NAT instance in one AZ is a single point of failure for every private subnet routed through it; the managed NAT Gateway listed under the limits below is the non-lab alternative.)

VPC ACLs
  ACLs let you apply access rules to an entire subnet, not just to a security group. Traffic has to be allowed by both: the NACL is evaluated at the subnet boundary before the security group, so a NACL deny wins over a security group allow. E.g., if port 80 is open in a security group and the NACL disallows 80, no instance in that subnet will accept port 80 traffic.
  A NACL is a numbered list of rules, evaluated in order starting with the lowest numbered rule; the first matching rule decides, and the final "*" rule denies anything no numbered rule matched.
  Each subnet must be associated with an ACL; otherwise it is associated with the VPC's default network ACL (which allows all traffic in and out).
  NACLs are stateless: unlike security groups, they do not track connections, so return traffic has to be allowed explicitly in the opposite direction (e.g. outbound on the ephemeral port range 1024-65535 for replies to inbound connections).
  Evaluate rule 100 first, then evaluate rule 200.
  Create a new ACL, MyTestNACL. By default a custom NACL denies everything inbound and outbound.
  Edit subnet associations: associate the 10.0.2.0 and 10.0.3.0 subnets with MyTestNACL.
  You cannot have multiple NACLs associated with a subnet; associating a new NACL with a subnet removes the existing association. A NACL can have multiple subnets associated with it, but a subnet can be associated with only one NACL.
  Remove the associations and the subnets return to the default NACL.
  Delete MyTestNACL.

Summary
  Build a VPC from memory.
  Deploy an EC2 instance into a public subnet and one into a private subnet.
  Create a NAT to provide internet access to the private subnet.

VPC Limits (the default limits taught in the course; most can be raised on request)
  5 Elastic IP addresses per region
  5 VPCs per region (can be increased upon request)
  1 IGW per VPC
  5 Internet Gateways per region
  5 NAT Gateways per AZ
  200 subnets per VPC
  50 VPN connections per region
  50 Customer Gateways per region
  200 route tables per VPC
  50 routes per route table
  500 security groups per VPC
  50 inbound and 50 outbound rules per security group (100 total)
  5 security groups per network interface
  200 NACLs per VPC
  20 rules per NACL
  10 VPN connections per VPC

ACL Summary
  A NACL can be associated with multiple subnets.
  A subnet can have only 1 NACL.
  A NACL applies to every instance, whatever its security group, in the subnets associated with it.
  Rule numbers: lowest is evaluated first.

VPC Creation Summary
  Created a VPC and defined our IP address range (10.0.0.0/16). By default this created a network ACL and a (main) route table.
  Created a custom route table.
  Created 3 subnets.
  Created an Internet Gateway, attached it to the VPC, and pointed the custom route table's 0.0.0.0/0 route at it.
  Adjusted our public subnet to use the new route table.
  Provisioned an EC2 instance with a public IP address (auto-assigned) in the public subnet.
  Provisioned an EC2 instance in the private subnet.
  Just because an EC2 instance is in a public subnet does not make it reachable: it also needs a public IP address (auto-assigned or an Elastic IP), or an Elastic Load Balancer in front of it.

NAT Summary
  Created a security group (MyNatSG).
  Allowed inbound connections on HTTP and HTTPS from the private subnet that uses the NAT (10.0.2.0/24 in this lab; add 10.0.3.0/24 as well if that subnet needs egress).
  Allowed outbound connections on HTTP and HTTPS to all destinations.
  Provisioned our NAT instance inside our public subnet and associated an Elastic IP with it.
  Disabled Source/Dest. Check on the NAT instance.
  Set up a 0.0.0.0/0 route on our private subnets' route table pointing at the NAT instance.
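The evaluation rules from the VPC ACLs section and the ACL Summary above, as an added Python example that is not part of the course notes: it evaluates NACL rules lowest number first with an implicit final deny, treats the security group as an allow-only stateful filter, and walks one TCP connection through both so that the three behaviours the notes describe are visible in code: a NACL deny beating a security-group allow, rule order deciding which of two overlapping rules fires, and a stateless NACL dropping the reply to the client's ephemeral port unless an outbound rule covers it. The sample NACLs, the client address 203.0.113.5 and its source port 40000 are constructed for the example; MY_SG mirrors the lab's MySecurityGroup.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    number: int            # NACL rules: lowest number evaluated first, first match wins
    protocol: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # "allow" or "deny"; security group rules are allow-only


@dataclass
class Nacl:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def rule_matches(rule, protocol, port, addr):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))


def nacl_permits(rules, protocol, port, addr):
    """Walk the numbered rules in ascending order; the first match decides.
    Anything no rule matches hits the implicit '*' rule and is denied,
    which is why a freshly created custom NACL blocks everything."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, port, addr):
            return rule.action == "allow"
    return False


def sg_permits(rules, protocol, port, addr):
    """Security groups are allow-only: order does not matter, any matching rule admits the packet."""
    return any(rule_matches(r, protocol, port, addr) for r in rules)


def tcp_connect(client_ip, client_port, server_port, nacl, sg_inbound):
    """Simulate one TCP connection from the internet into an instance in a subnet guarded by nacl.
    The NACL is stateless: the request is checked against the inbound rules and the reply
    (sent to the client's ephemeral port) against the outbound rules. The security group is
    stateful: once it admits the request, the reply leaves without needing an outbound rule."""
    if not nacl_permits(nacl.inbound, "tcp", server_port, client_ip):
        return False, "NACL inbound denied the request"
    if not sg_permits(sg_inbound, "tcp", server_port, client_ip):
        return False, "security group denied the request"
    if not nacl_permits(nacl.outbound, "tcp", client_port, client_ip):
        return False, "NACL outbound denied the reply to the ephemeral port"
    return True, "allowed"


ANY = "0.0.0.0/0"

# Constructed data mirroring the lab: MySecurityGroup opens SSH and HTTP to the world.
MY_SG = [Rule(0, "tcp", 22, 22, ANY), Rule(0, "tcp", 80, 80, ANY)]

# The VPC's default NACL: rule 100 allows everything in each direction.
DEFAULT_NACL = Nacl("default",
                    inbound=[Rule(100, "all", 0, 65535, ANY)],
                    outbound=[Rule(100, "all", 0, 65535, ANY)])

# MyTestNACL as created: no rules at all, so only the implicit '*' deny applies.
MY_TEST_NACL = Nacl("MyTestNACL")

# Denies port 80 before a catch-all allow; the security group's port-80 allow cannot override it.
DENY_80_NACL = Nacl("deny80",
                    inbound=[Rule(100, "tcp", 80, 80, ANY, "deny"), Rule(200, "all", 0, 65535, ANY)],
                    outbound=[Rule(100, "all", 0, 65535, ANY)])

# Same two rules with the numbers swapped: the allow is evaluated first and the deny never fires.
DENY_80_TOO_LATE = Nacl("deny80late",
                        inbound=[Rule(100, "all", 0, 65535, ANY), Rule(200, "tcp", 80, 80, ANY, "deny")],
                        outbound=[Rule(100, "all", 0, 65535, ANY)])

# The classic stateless mistake: inbound 80 is allowed, but outbound only allows 80 and 443,
# so the server's replies to the client's ephemeral port are dropped.
WEB_NACL_BROKEN = Nacl("web-broken",
                       inbound=[Rule(100, "tcp", 80, 80, ANY)],
                       outbound=[Rule(100, "tcp", 80, 80, ANY), Rule(110, "tcp", 443, 443, ANY)])

# Fixed by an outbound rule covering the ephemeral port range.
WEB_NACL_FIXED = Nacl("web-fixed",
                      inbound=WEB_NACL_BROKEN.inbound,
                      outbound=WEB_NACL_BROKEN.outbound + [Rule(120, "tcp", 1024, 65535, ANY)])

CLIENT = ("203.0.113.5", 40000)  # constructed client address and ephemeral source port


if __name__ == "__main__":
    for nacl in (DEFAULT_NACL, MY_TEST_NACL, DENY_80_NACL, DENY_80_TOO_LATE,
                 WEB_NACL_BROKEN, WEB_NACL_FIXED):
        print(f"{nacl.name:12} port 80 -> {tcp_connect(*CLIENT, 80, nacl, MY_SG)}")
```

Running it prints one line per NACL; the deny80 and deny80late pair is the exam point about rule numbers, and web-broken versus web-fixed is the mistake to look for first when a subnet with a custom NACL accepts connections that then hang.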
AWS VPC Alternate Lab
  Create a VPC.
  Create subnet 1 and subnet 2.
  Create an IGW and attach it to the VPC.
  Create route table "public route": add a 0.0.0.0/0 route to the IGW and associate it with subnet 1.
  Create route table "private route" and associate it with subnet 2.
  Create a NAT; add a 0.0.0.0/0 route to the NAT in "private route".
  Launch EC2 into subnet 1: create a new security group (SSH & HTTP), create a new key pair and download it.
  Launch EC2 into subnet 2: add it to the security group just created; use the key pair just created and downloaded.