Creating Custom VPC
An AWS VPC is a virtual private cloud. Whenever you create an AWS account in the AWS Management Console, a default VPC is created automatically in the region you select to work in.
Please complete the following tasks to create the custom VPC:
- Create the VPC, name it DCLESSONS-VPC and give it the CIDR range 10.0.0.0/16.
- Create a subnet named DCLESSONS-SUBNET1 in AZ us-east-2a with the CIDR 10.0.0.0/24, selecting your VPC named DCLESSONS-VPC.
- Create the ACL named DCLESSONS-ACL-1, select your VPC, and edit the ACL to allow all traffic in both the inbound and outbound rules.
- Create the SG named DCLESSONS-SG-1, allow SSH and HTTP for inbound traffic and allow all traffic for outbound traffic.
- Create the IGW DCLESSONS-IGW-1 and attach it to the VPC you created.
- Create the NAT gateway DCLESSONS-VPN-1: allocate an Elastic IP address and attach the gateway to your private subnet 10.0.0.0/24.
- Edit the main route table: add a route with destination 0.0.0.0/0 whose target is the IGW you created, then add another 0.0.0.0/0 route whose target is the NAT gateway you created.
- Associate the subnet we created (10.0.0.0/24) with the route table that has the NAT and IGW routes.
- Create another route table (DCLESSONS-ROUTE-1) and associate the other private subnet, 10.0.1.0/24, with it.
- Create a Linux instance: select the VPC we created earlier, select the public subnet that has the IGW attached, enable Auto-assign Public IP, provide a Name tag, select the security group created earlier, then launch and connect to the instance via the CLI (the procedure for connecting to a Linux AMI was covered in an earlier section).
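Before clicking through the console, it is worth checking that the addressing plan in the task list is internally consistent: every subnet must sit inside the VPC block, subnets must not overlap, and AWS reserves five addresses in each subnet (the first four and the last), so a /24 gives 251 usable hosts rather than 254. The validator below is an added example written for this page, not code from the tutorial or from AWS. The VPC and subnet CIDRs and names are the tutorial's; the AZ of the second subnet is an assumption, and the /16 to /28 VPC limit and /28 minimum subnet size are AWS's published limits.

```python
import ipaddress

# Constructed plan mirroring the task list above; the names and CIDRs are the
# tutorial's, the AZ for the second subnet is an assumption.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "DCLESSONS-SUBNET1": {"cidr": "10.0.0.0/24", "az": "us-east-2a"},
    "DCLESSONS-SUBNET-2": {"cidr": "10.0.1.0/24", "az": "us-east-2a"},
}
# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Number of addresses EC2 instances can actually use in a subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, subnets):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC block {vpc} must be between /16 and /28")
    seen = {}
    for name, spec in subnets.items():
        try:
            # strict=True rejects host bits (e.g. 10.0.0.1/24), which the console also refuses
            net = ipaddress.ip_network(spec["cidr"], strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {spec['cidr']} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} lies outside the VPC block {vpc}")
        if net.prefixlen > 28:
            problems.append(f"{name}: {net} is smaller than the /28 minimum subnet size")
        for other_name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen[name] = net
    return problems


if __name__ == "__main__":
    for issue in validate_plan(VPC_CIDR, SUBNET_PLAN) or ["plan is consistent"]:
        print(issue)
    for name, spec in SUBNET_PLAN.items():
        print(f"{name}: {usable_hosts(spec['cidr'])} usable addresses")
```

Running the script on the tutorial's plan reports it as consistent; feeding it a subnet outside 10.0.0.0/16, a /29, or two overlapping /25 and /24 blocks produces one problem line each, which is the same set of mistakes the console rejects one click at a time.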
- To create the custom VPC, log in to the AWS Management Console and open the VPC dashboard. Click Your VPCs in the left menu and you will see the Create VPC option. Click Create VPC, enter the VPC Name tag and CIDR range, leave the other options unchanged and click Yes, Create:
- A VPC is created with the given details. Take note of the VPC ID, vpc-0c1092057be66f316. As we can see, a Route Table and a Network ACL have also been created and associated with the VPC; note the Route Table ID rtb-03652fd7cdc35269e and the Network ACL ID acl-03cbebd9d965a9092.
Each AZ can host multiple subnets, but a subnet cannot span multiple AZs in a region. There are two types of subnet: a public subnet, which can be reached from outside and has an internet gateway / VPN gateway attached to it, and a private subnet, which cannot be reached from outside.
- Click on Subnets in the VPC Dashboard. Click on the Create Subnet link. Enter the Name tag, select the VPC, and set the CIDR range and Availability Zone. Click on Yes, Create:
- A subnet DCLESSONS-SUBNET1 is created with the Route Table rtb-03652fd7cdc35269e and the Network ACL acl-03cbebd9d965a9092. We can select a subnet and, from the Subnet Actions menu, delete it or modify other settings:
- Click on the Route Table tab. You can see a single entry, for local VPC communication. The table has no route to an IGW, which means this subnet cannot communicate with outside networks and therefore acts as a private subnet.
An AWS Network Access Control List (NACL) works as a firewall at the VPC level that controls incoming and outgoing traffic for one or more subnets associated with that VPC. It is used in conjunction with Security Groups (SGs). Whenever a VPC is created, a default NACL is created that allows everything. We can create a custom NACL and associate it with a subnet, replacing the default NACL for that subnet.
- Click on Create Network ACL to create a new NACL. Provide the Name tag DCLESSONS-ACL-1 and select the VPC DCLESSONS-VPC for which you want to create the NACL. Click on Yes, Create:
- Note the NACL ID: acl-03261465f690e9567 | DCLESSONS-ACL-1. Click on the Edit button in the Inbound Rules tab, then click on Add another rule; you can add multiple rules. Allow all traffic so that everything can be tested. Click on the Save button:
- Click on the Edit button in the Outbound Rules tab. Click on Add another rule and allow all traffic so that everything can be tested. Click on the Save button:
- Click on Subnet Associations. Select the subnet that we created earlier. Click on the Save button:
A Security Group (SG) works as a virtual firewall that controls incoming traffic to protect resources hosted in AWS. SGs can span different subnets within a VPC. SGs are stateful firewalls in which you define rules for a valid source, protocol, and port for incoming and outgoing traffic.
- Click on Create Security Group. Fill in the required details such as the Name tag DCLESSONS-SG-1 and Group name DCLESSONS-SG-1, and select the VPC with which you want to associate the SG. Click on Yes, Create:
- Click on your SG and notice that there are no inbound rules, which means no incoming traffic is allowed from outside. Click on Inbound Rules, edit them and allow SSH and HTTP from any source.
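The NACL and SG sections above describe the two filtering layers but not how they differ in evaluation: a NACL is stateless and walks its numbered rules in order until one matches (falling through to the implicit deny), so the reply to an allowed inbound SSH session needs its own outbound rule on the client's ephemeral port; an SG is stateful and only has allow rules, so the reply is admitted automatically. The evaluator below is an added example written for this page, not code from the tutorial or an AWS API. The "allow all" NACL and the SG with SSH and HTTP open to any source are modelled on DCLESSONS-ACL-1 and DCLESSONS-SG-1; the tighter NACL, the client address 203.0.113.5 and the ephemeral port 51234 are constructed to show the failure mode. It also goes slightly beyond the lab by flagging inbound SG rules that expose an administrative port to the whole internet, which is the first thing a reviewer would look for in this lab's SG.

```python
import ipaddress

# Constructed rule sets modelled on the tutorial's DCLESSONS-ACL-1 and DCLESSONS-SG-1.
# A NACL rule is (rule_number, action, protocol, (port_from, port_to), cidr);
# protocol "-1" means all protocols and the port range is then ignored.
ALLOW_ALL_NACL = {
    "inbound":  [(100, "allow", "-1", (0, 65535), "0.0.0.0/0")],
    "outbound": [(100, "allow", "-1", (0, 65535), "0.0.0.0/0")],
}
# A tighter NACL (constructed) that forgets the outbound ephemeral-port rule replies need.
TIGHT_NACL = {
    "inbound":  [(100, "allow", "tcp", (22, 22), "0.0.0.0/0"),
                 (110, "allow", "tcp", (80, 80), "0.0.0.0/0")],
    "outbound": [(100, "allow", "tcp", (80, 80), "0.0.0.0/0")],
}
# Security group rules are allow-only: (protocol, (port_from, port_to), cidr).
LAB_SG = {
    "inbound":  [("tcp", (22, 22), "0.0.0.0/0"), ("tcp", (80, 80), "0.0.0.0/0")],
    "outbound": [("-1", (0, 65535), "0.0.0.0/0")],
}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _matches(proto, ports, cidr, pkt_proto, pkt_port, pkt_ip):
    """Does one rule cover this packet?"""
    if proto != "-1" and proto != pkt_proto:
        return False
    if proto != "-1" and not ports[0] <= pkt_port <= ports[1]:
        return False
    return ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(cidr)


def nacl_permits(nacl, direction, proto, port, peer_ip):
    """Stateless: the lowest-numbered matching rule decides; no match means deny (the '*' rule)."""
    for _num, action, r_proto, r_ports, r_cidr in sorted(nacl[direction], key=lambda r: r[0]):
        if _matches(r_proto, r_ports, r_cidr, proto, port, peer_ip):
            return action == "allow"
    return False


def sg_permits(sg, direction, proto, port, peer_ip):
    """Allow-only rules; any match permits, otherwise the traffic is dropped."""
    return any(_matches(p, ports, cidr, proto, port, peer_ip) for p, ports, cidr in sg[direction])


def inbound_connection_ok(nacl, sg, proto, dport, client_ip, client_port):
    """Trace a client -> instance connection and its reply through both layers."""
    trace = {
        "nacl_in": nacl_permits(nacl, "inbound", proto, dport, client_ip),
        "sg_in": sg_permits(sg, "inbound", proto, dport, client_ip),
        # The reply goes back to the client's ephemeral port. The NACL is stateless and
        # needs an explicit outbound rule for it; the stateful SG tracks the connection
        # and admits the reply without consulting its outbound rules.
        "nacl_out_reply": nacl_permits(nacl, "outbound", proto, client_port, client_ip),
        "sg_out_reply": True,
    }
    trace["ok"] = all(trace.values())
    return trace


def open_admin_ports(sg):
    """Inbound SG rules that expose an administrative port to the whole internet."""
    exposed = set()
    for proto, ports, cidr in sg["inbound"]:
        if cidr != "0.0.0.0/0" or proto not in ("tcp", "-1"):
            continue
        for port, name in ADMIN_PORTS.items():
            if proto == "-1" or ports[0] <= port <= ports[1]:
                exposed.add((port, name))
    return sorted(exposed)


if __name__ == "__main__":
    client, eph = "203.0.113.5", 51234  # constructed client address and ephemeral port
    print("allow-all NACL:", inbound_connection_ok(ALLOW_ALL_NACL, LAB_SG, "tcp", 22, client, eph))
    print("tight NACL:   ", inbound_connection_ok(TIGHT_NACL, LAB_SG, "tcp", 22, client, eph))
    print("admin ports open to the internet:", open_admin_ports(LAB_SG))
```

With the lab's allow-all NACL the SSH connection trace is fully permitted; with the tight NACL the inbound SYN passes both layers but the reply is dropped at the NACL, which is the classic symptom of forgetting that NACLs are stateless. The last line flags port 22 open to 0.0.0.0/0, which the lab accepts for testing but which is what a reviewer would ask to be narrowed to a known source range.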
An Internet Gateway is an AWS component that enables communication between resources hosted in the VPC and the internet.
- Click on Internet Gateways in the left menu bar under the Virtual Private Cloud menu. Click on Create Internet Gateway and the following window will open. Provide the Name tag DCLESSONS-IGW-1 and click on Yes, Create:
- You can see the IGW has been created. However, it is in the detached state, which means it is not attached to any VPC. Also note the IGW ID: igw-0bfda8f99d4b7330d.
- Click on the Attach to VPC button. The following window will open. Select the VPC that we created and click on Yes, Attach:
By default, resources hosted in a private subnet have no way to access the internet. With a NAT gateway, hosts in the private subnet can reach the internet, but no resource outside the VPC can reach the resources in the private subnet. We can use either a NAT instance or a NAT Gateway to achieve this.
- Click on Elastic IP under the Virtual Private Cloud menu. Click on Allocate New Address. The following window will open. Click on Allocate:
- Click on NAT Gateways under the Virtual Private Cloud menu:
- Click on Create NAT Gateway. Select the subnet where you want it to be hosted from the Subnet search menu and the Elastic IP that we created, then click on Create a NAT Gateway:
- Note the NAT gateway ID: nat-09211594323e22ba8. Its status will show Pending but after some time it will change to Available.
Click on Route Tables under the Virtual Private Cloud menu. We can see the Main Route Table created and associated with the VPC that we created. Click on Routes; there is only one route, with the Target local. Click on Edit, then click on Add another route. Add the destination 0.0.0.0/0 with the Internet Gateway that we created earlier as the target. Also add the NAT Gateway as another route. Click on the Save button:
- Create another subnet, DCLESSONS-SUBNET-2, in the same VPC DCLESSONS-VPC.
- Click on Create Route Table. Put the Name tag DCLESSONS-ROUTE-2 and select the VPC that we created. Click on Yes, Create:
- Go to Subnet Associations. Click on the Edit button. Choose the other subnet that we created. Click on the Save button:
Now we have turned one subnet into a public subnet: it is associated with the route table that has the Internet Gateway and NAT Gateway routes. The other subnets, associated with a route table that has only the local route, are private subnets.
A VPC comes with a main route table when it is created. Any subnet in the VPC that is not explicitly associated with a route table is automatically associated with the main table. You can make any route table the main table by clicking the Set as Main Table button in the console.
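The routing paragraphs above state the two rules that decide whether a subnet is public or private: the VPC router picks the most specific matching route (so 10.0.0.0/16 local wins over 0.0.0.0/0 for in-VPC traffic), and a subnet with no explicit association falls back to the main table. The model below is an added example written for this page, not code from the tutorial or an AWS API. The main table ID and the IGW and NAT IDs are the ones noted in the text; "rtb-EXAMPLE-ROUTE-2" and "rtb-EXAMPLE-LOCAL-ONLY" are placeholders because the text gives no IDs for the other tables, the second table is given a NAT default route as an assumption so that all three subnet classes can be shown, and 10.0.2.0/24 is a constructed subnet used only to show the local-only case.

```python
import ipaddress

# Constructed model of the route tables in this lab. The main table ID and the IGW and
# NAT IDs are the ones noted in the text; the other table IDs are placeholders.
MAIN_TABLE_ID = "rtb-03652fd7cdc35269e"
ROUTE_TABLES = {
    MAIN_TABLE_ID: [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0bfda8f99d4b7330d")],
    # Assumption: this table gets the NAT default route, so private hosts have egress only.
    "rtb-EXAMPLE-ROUTE-2": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-09211594323e22ba8")],
    # A table with only the local route: hosts can talk inside the VPC and nowhere else.
    "rtb-EXAMPLE-LOCAL-ONLY": [("10.0.0.0/16", "local")],
}
# Explicit subnet associations; a subnet missing here falls back to the main table.
ASSOCIATIONS = {
    "10.0.1.0/24": "rtb-EXAMPLE-ROUTE-2",
    "10.0.2.0/24": "rtb-EXAMPLE-LOCAL-ONLY",  # constructed subnet for the isolated case
}


def lookup(table, dst_ip):
    """Longest-prefix match over the routes, as the VPC router does.
    Returns the target, or None when no route covers the destination (traffic is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def effective_table_id(subnet_cidr, associations=ASSOCIATIONS, main_id=MAIN_TABLE_ID):
    """Unassociated subnets implicitly use the main route table."""
    return associations.get(subnet_cidr, main_id)


def classify(subnet_cidr, route_tables=ROUTE_TABLES, associations=ASSOCIATIONS,
             main_id=MAIN_TABLE_ID):
    """public: default route to an internet gateway; private: default route to a NAT
    gateway (outbound only); isolated: no route out of the VPC at all."""
    table = route_tables[effective_table_id(subnet_cidr, associations, main_id)]
    # Any address outside the VPC block exercises the default route; TEST-NET-2 is used here.
    target = lookup(table, "198.51.100.1")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"  # e.g. a virtual private gateway or peering connection


if __name__ == "__main__":
    for subnet in ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"):
        print(subnet, "->", effective_table_id(subnet), "->", classify(subnet))
```

The first subnet has no explicit association, so it inherits the main table and its IGW default route and is classified public, which matches what the tutorial achieves by hand; the other two show the private and isolated outcomes that a local-only or NAT-only table produces.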
Open the EC2 Dashboard and click on Launch Instance. Then:
- Choose any prebuilt virtual image (Amazon Machine Image, AMI) you like from the Linux AMIs and click Next: Configure Instance Details.
- Set Number of instances to 1. Under Network, choose the VPC that we created earlier; under Subnet, choose the public subnet that we created earlier; under Auto-assign Public IP, choose Enable. Leave the other options as they are and click Next: Add Storage.
- Leave the storage details as they are and click Next: Add Tags. Add a tag for identifying the EC2 instance in the EC2 dashboard, then click Next: Configure Security Group.
- Select the security group that we created earlier, then review and launch.