Virtual Private Cloud - Lab
Hands-On Lab: AWS Virtual Private Cloud (VPC)

Overview

In this lab we will create and prepare a Virtual Private Cloud (VPC) so that we can launch multiple EC2 web servers in a highly available configuration. In this lab we will complete the following steps:

1. Create a VPC with a single subnet
2. Verify the VPC's components
3. Create a second subnet in another availability zone
4. Create a Security Group for your EC2 web servers

What we are building: one VPC (10.0.0.0/16) in a single AWS Region, with an Internet Gateway and a route table, and one subnet in each of two Availability Zones: 10.0.0.0/24 in AZ A and 10.0.1.0/24 in AZ B.
Create a VPC

1. Log in to the AWS Management Console: https://console.aws.amazon.com
2. Select VPC from the Services dropdown menu.
3. Select the US West (Oregon) region in the Regions dropdown.
4. Click the Start VPC Wizard or the Get started creating a VPC button to start the VPC creation process.
5. Select the first option, VPC with a Single Public Subnet Only, and then click Continue.
6. The confirmation page shows the CIDR ranges that we'll use for your VPC and subnet (10.0.0.0/16 and 10.0.0.0/24, respectively). We will leave the rest as the defaults. Click Create VPC to create your VPC, Internet gateway, subnet, and route table.
7. A status window shows the work in progress. When the work completes, the status window confirms that your VPC has been successfully created. Click Close to close the status window and return to the VPC dashboard.
Verify the VPC's Components

In this step we will spend some time verifying the components of the VPC we just created.

Note: AWS recently implemented a new concept we call Default VPC. Depending on when your account was created and what region you are in, you may have an additional VPC already present in your VPC console in addition to the VPC we just created. The presence (or lack) of a Default VPC in your account will not impact this lab. If you would like to learn more about Default VPCs, please see the link below:
http://aws.typepad.com/aws/2013/03/amazon-ec2-update-virtual-private-clouds-for-everyone.html

1. Select the Your VPCs menu on the left-hand navigation bar in the VPC console. Note your newly created 10.0.0.0/16 VPC. If your account has a Default VPC already created, you will see an additional VPC on this screen with a CIDR of 172.31.0.0/16.
2. Select the Subnets menu on the left-hand navigation bar in the VPC console to navigate your VPC subnets.
3. Take note of the availability zone in which your subnet has been created. We will need this information later when we create another subnet.
4. Select the Internet Gateways menu on the left-hand navigation bar in the VPC console to navigate your Internet Gateways. Internet Gateways (IGWs) enable instances within a VPC to communicate with the internet. For instances to route or communicate with the internet, a route table entry must be present that routes internet-bound traffic from the subnet to the IGW. We will explore this further in the next step.
5. Select the Route Tables menu on the left-hand navigation bar in the VPC console to navigate your VPC's Route Tables and note the route tables. The VPC came with a main route table by default, and the VPC Wizard created a custom route table in addition. Your subnet is associated with the custom route table, which means that the routes in that table determine how traffic for the subnet flows. If you add a new subnet to your VPC, it uses the main route table by default. If you select the main route table, you will notice that there is no entry for the 0.0.0.0/0 destination with the IGW as the target. If we were to use this route table, our instances would not be able to communicate with the internet.
Create a second subnet in another availability zone (AZ)

In the previous steps we created a VPC with a single subnet. That subnet resides within a single availability zone. It is an AWS best practice that applications should be architected for high availability through the use of multiple availability zones. In this section we are going to create an additional subnet in another availability zone so we can launch EC2 instances in a highly available architecture.

1. Select the Subnets menu in the VPC navigation bar. Remember the AZ of the subnet you currently have in your VPC.
2. Click the Create Subnet button at the top of the page.
3. Select the VPC you just created.
4. Select an Availability Zone that is different from the subnet you already have in your VPC. In this case we selected us-east-1a, but yours may be different.
5. Enter a subnet CIDR block of 10.0.1.0/24 and then click Yes, Create.

The subnet we just created has not been associated with a specific route table, so by default it will use the main route table, which only has a route for the local network (10.0.0.0/16). We want instances in this subnet to communicate with the internet, so we will need to associate this subnet with a route table that has a route to the IGW attached to our VPC. In the next step we will perform this association.

6. Navigate to the Route Tables section in the VPC menu.
7. Select the route table that is NOT the main route table. Under Routes you should see an entry 0.0.0.0/0 that targets an igw. If you have a Default VPC in your account, you will see additional route tables; if this is the case, make sure you select the route table that is part of the 10.0.0.0/16 VPC we created in this lab.
8. With the route table selected, find the Associations tab and associate the subnet you just created with the route table. Click Yes, associate when prompted. You have now associated the custom route table with the subnet you just created. Because the subnet has a route to an IGW, instances launched within the subnet will be able to communicate with the internet.
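The route-table behaviour this section relies on (a subnet with no explicit association falls back to the main route table, which has no path to the IGW, so its instances cannot reach the internet until step 8 is done) can be checked offline. The following Python script is an added example, not part of the original lab or of any AWS tooling; the subnets and route tables are constructed to mirror the shape of `aws ec2 describe-subnets` and `describe-route-tables` output, with placeholder resource IDs. It also validates the subnet plan from the steps above: both subnets inside 10.0.0.0/16, non-overlapping, and in different Availability Zones.

```python
"""Offline sanity check of a VPC layout like the one built in this lab.

Added example (not the lab's own code). Data below is constructed to mirror
describe-subnets / describe-route-tables output; IDs are placeholders.
"""
import copy
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Constructed sample data: the two subnets the lab creates, one per AZ.
SUBNETS = [
    {"SubnetId": "subnet-aaaa1111", "CidrBlock": "10.0.0.0/24", "AvailabilityZone": "us-west-2a"},
    {"SubnetId": "subnet-bbbb2222", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-west-2b"},
]

# Constructed sample data: the state right after step 5, before the association in step 8.
ROUTE_TABLES = [
    {   # main route table: only the local route, no path to the internet
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # custom table created by the wizard: default route to the IGW
        "RouteTableId": "rtb-cust1111",
        "Associations": [{"Main": False, "SubnetId": "subnet-aaaa1111"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123abcd"},
        ],
    },
]


def check_subnet_layout(vpc_cidr, subnets):
    """Return a list of problems with the subnet plan (empty list means OK)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, seen = [], []
    for s in subnets:
        net = ipaddress.ip_network(s["CidrBlock"])
        if not net.subnet_of(vpc):
            problems.append(f"{s['SubnetId']} {net} is outside VPC {vpc}")
        for other_id, other in seen:
            if net.overlaps(other):
                problems.append(f"{s['SubnetId']} {net} overlaps {other_id} {other}")
        seen.append((s["SubnetId"], net))
    if len({s["AvailabilityZone"] for s in subnets}) < 2:
        problems.append("subnets span only one Availability Zone; no AZ-level redundancy")
    return problems


def effective_route_table(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_public(route_table):
    """True if the table sends internet-bound traffic (0.0.0.0/0) to an internet gateway."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
        for r in route_table["Routes"]
    )


def classify_subnets(subnets, route_tables):
    """Map each subnet ID to 'public' or 'private' based on its effective route table."""
    result = {}
    for s in subnets:
        rt = effective_route_table(s["SubnetId"], route_tables)
        result[s["SubnetId"]] = "public" if rt and is_public(rt) else "private"
    return result


def associate_subnet(route_tables, route_table_id, subnet_id):
    """Return a copy of route_tables with subnet_id associated to route_table_id (step 8)."""
    updated = copy.deepcopy(route_tables)
    for rt in updated:
        if rt["RouteTableId"] == route_table_id:
            rt["Associations"].append({"Main": False, "SubnetId": subnet_id})
            return updated
    raise KeyError(f"no route table {route_table_id}")


if __name__ == "__main__":
    for p in check_subnet_layout(VPC_CIDR, SUBNETS):
        print("PROBLEM:", p)
    print("before step 8:", classify_subnets(SUBNETS, ROUTE_TABLES))
    after = associate_subnet(ROUTE_TABLES, "rtb-cust1111", "subnet-bbbb2222")
    print("after step 8: ", classify_subnets(SUBNETS, after))
```

Run against the constructed data, the second subnet is reported as private until it is associated with the custom route table, matching what the console shows before and after step 8. Pointing the same functions at real `describe-*` JSON (for example, loaded from the output of the AWS CLI) is a quick way to confirm which subnets in an account are actually internet-routable.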
Create a Security Group for your EC2 web servers

In this step we will create a security group called WebServers that will allow ingress traffic on port 80. This will allow the EC2 instances to receive HTTP traffic. We will also create an Admin security group that will allow ingress traffic on port 22 or 3389. This security group will allow us to SSH/RDP to the EC2 instances in order to configure our web application.

1. Select the Security Groups menu in the VPC navigation bar.
2. Select Create Security Group.
3. Name the Security Group WebServers and give it a description of Port 80. Make sure you select your VPC and then click Yes, Create. Make sure you create the security group in the VPC you created (10.0.0.0/16) and not the Default VPC.
4. Repeat the process, but this time name the Security Group Admin and give it a description of Port 22 (Linux) or Port 3389 (Windows).

We have created the security groups WebServers and Admin; however, they do not have any rules associated with them, so they are effectively in a deny-all state right now. In the next step we will add ingress rules to allow traffic.

5. Select your WebServers Security Group and navigate to the Inbound tab.
6. Select the Create a new rule dropdown, find the HTTP rule and add it to the security group. Leave the source as 0.0.0.0/0.
7. Make sure you click Apply Rule Changes, or else your modifications will not take effect.
8. Repeat the steps with the Admin security group, but this time select the SSH option from the Create a new rule dropdown. Leave the source as 0.0.0.0/0. If you are planning on launching Windows instances, select the RDP option instead of SSH.

Note: it is not recommended to allow SSH or RDP access from 0.0.0.0/0 (the entire internet). We recommend that you find the public IP address of your network and put that as the source. We are allowing 0.0.0.0/0 only for the purpose of this lab.
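The note above is the kind of check worth automating: a review of security-group ingress rules that accepts world-open HTTP on the web tier but flags SSH (22) or RDP (3389) reachable from 0.0.0.0/0 or ::/0, and a helper that rewrites such a rule to a single /32 source as the note recommends. The script below is an added example, not part of the original lab or of any AWS tooling; the groups are constructed to mirror the shape of `aws ec2 describe-security-groups` output, with placeholder group IDs and a documentation-range IP (203.0.113.7) standing in for "the public IP address of your network".

```python
"""Audit security-group ingress rules for admin ports open to the world.

Added example (not the lab's own code). SECURITY_GROUPS is constructed to
mirror describe-security-groups output; IDs and addresses are placeholders.
"""
import copy
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample data: the two groups as the lab leaves them after step 8.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-web00001", "GroupName": "WebServers", "Description": "Port 80",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-adm00001", "GroupName": "Admin", "Description": "Port 22 (Linux)",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def _sources(perm):
    """All CIDR sources of one permission entry, IPv4 and IPv6."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _covers_port(perm, port):
    """True if the rule's port range includes `port` (protocol -1 means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit_security_groups(groups):
    """Return findings as (GroupName, port, source) for admin ports open to the world."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            for port in ADMIN_PORTS:
                if not _covers_port(perm, port):
                    continue
                for src in _sources(perm):
                    if src in ANYWHERE:
                        findings.append((g["GroupName"], port, src))
    return findings


def restrict_admin_source(group, my_ipv4):
    """Return a copy of `group` whose world-open admin rules use my_ipv4/32 instead.

    IPv6 any-source entries on those rules are dropped rather than narrowed,
    since the single address supplied is IPv4.
    """
    ipaddress.IPv4Address(my_ipv4)  # raises ValueError on anything but a bare IPv4 address
    new = copy.deepcopy(group)
    for perm in new["IpPermissions"]:
        if not any(_covers_port(perm, p) for p in ADMIN_PORTS):
            continue
        perm["IpRanges"] = [
            {"CidrIp": f"{my_ipv4}/32"} if r["CidrIp"] == "0.0.0.0/0" else r
            for r in perm.get("IpRanges", [])
        ]
        perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] != "::/0"]
    return new


if __name__ == "__main__":
    for name, port, src in audit_security_groups(SECURITY_GROUPS):
        print(f"FINDING: {name} allows {ADMIN_PORTS[port]} ({port}) from {src}")
    fixed = restrict_admin_source(SECURITY_GROUPS[1], "203.0.113.7")
    print("after restriction:", fixed["IpPermissions"][0]["IpRanges"])
```

On the constructed data the audit reports the Admin group only; the WebServers group's port-80 rule from 0.0.0.0/0 is exactly what the lab intends and is not flagged. A rule with protocol -1 (all traffic) counts as covering the admin ports, because that is how the console's "ALL Traffic" rule behaves.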
Allocate an Elastic IP Address

The last step in configuring our VPC to communicate with the internet is to allocate an Elastic IP address that we can attach to an EC2 instance. This is how we will connect to the EC2 instance in order to configure our web server.

1. Select the Elastic IPs menu in the VPC navigation bar.
2. Select Allocate New Address.
3. Make sure you select the VPC option and then click Yes, Allocate. You may not have the option to select VPC; in that case, simply continue by clicking Yes, Allocate.

Congratulations! You have finished the Virtual Private Cloud lab. You are now ready to configure and launch web server EC2 instances.