AWS — VPC(Virtual Private Cloud) Basics & How to Deploy Public and Private Subnets on AWS VPC
Hello All!!!
In the past few months, I have seen there is a tremendous increase in the Cloud Computing Domain, A lot of big companies are migrating their infrastructure on multiple Clouds like AWS, Azure, GCP, Alibaba, etc. Nowadays it is a must to have basic knowledge of these technologies as an engineer.
I have written multiple blogs before as I have to describe all the tasks I did and submit them to my institute. But from now on I will try to make these blogs more readable and try to share as much as I have learned in the past few months.
I would like to start with one of the services of AWS(Amazon Web Services) which is VPC(Virtual Private Cloud), What is a VPC, What kind of Use Cases we can solve using these Services, and much more.
WHAT IS A VPC???
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. It can be termed as Network as a Service (NaaS). This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
We can think of a VPC as an office in which we can create multiple subnets or labs according to our desires and according to the availability zones we have.
Just like in a computer lab we have our own Switches, Routers, LAN wires, Firewall Rules, etc. We can also create these features in our Amazon VPCs.
I will explain all these things with the help of a used case But before that, I will explain all the basic Terms we have in the VPC
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Instance: It is a virtual server in the AWS cloud. With Amazon EC2, you can set up and configure the operating system and applications that run on your instance.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Subnetwork or subnet: is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting.AWS provides two types of subnetting one is Public which allows the internet to access the machine and another is private which is hidden from the internet. As per our choice, we can create this subnet in different data centers or availability zones in a region. For ex- In the Mumbai region(ap-south-1), we have 3 different data centers ap-south-1a, ap-south-1b, ap-south-1c, We can create our public/private subnet in out of these 3 data centers.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Route Tables: A routing table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Internet gateway: is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. Route tables contain a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a routing table, the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Nat gateway: We can use this feature only in the public subnets as it will be used by the bastion hosts. Using this we can send the data packets from our OS to other OS or I can say to the internet but at the same time, the network packets from the Internet cannot access our OS.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Security Groups: A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups. If you don’t specify a security group, Amazon EC2 uses the default security group
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Switches: A switch is a device in a computer network that connects other devices together when all the devices are configured within the same network
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Routers: A router is a device in a computer network that connects other devices together when all the devices are configured within a different network
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Now let's move to the practical part,
Here We will first create a customize VPC and add all the components manually first with the AWS WebUI and then with AWS CLI.
Description:-
Create a VPC.
Create multiple subnets in it
Configure these subnets to launch Public and private instances
Launch the instances in these subnets.
Step 1: Go to aws.amazon.com > Services > VPC to reach the VPC dashboard.
Click on Create VPC. Give the VPC name and IPv4 address range as they are further used within the subnets. Ex- 192.168.0.0/24
Click on Create
Step 2: After creating the VPC, Go to the Subnets(on the left window) and click on create subnet
Choose the VPC you have created and give the subnet name and IPv4 CIDR range, Ex- 192.168.1.0/24
Click on Create.
Similarly with a different range of IPv4 (192.168.3.0/24) create the private subnet in a different region.
Step 3: Now Go to the Internet Gateways (IGw), click on create and give your gateway a new name.
Then click on Actions and attach it with the new VPC.
Note: Whenever we create a new subnet in the VPC, it is automatically attached with the routing table connecting it with all the other subnets.
Now for the Public subnet, we need to create the routeing table in which we need to create the route to connect our instances to the IGw. but if you see in the above screenshots both the Subnets are using the same(default) route tables, So we need to create a new route table and attaching it with the public subnet only.
Step 4: Goto Route Tables > Create Route Tables > Give Name > Attach the VPC > Create Rules to connect Any IP to the IGw >Attach Subnet
Click on Save.
With this we have created the Public and Private subnets, We now have to launch the instances in these subnets.
For launching the instance Go to EC2 dashboard > Click on Launch Instances > Select your preferred AMI image> Choose Instance type >Configure Instance Details Select your VPC and Subnet here > Add the storage > Give Tagname > Configure the Security Groups > Attach the key and launch.
(Note: For the EC2 services I will soon publish another article where I will discuss more in detail)
Here as highlighted choose the VPC you have created and select the public subnet(where you have attached the routing table for internet gateway). You can see that we did get the public IP of this instance.
Similarly, we can launch the instance in the private subnet but we wont get any public IP attached to it.
Now using the private key we can do the ssh into the public instance.
ssh -i keyname -l ec2-user Public IP
But for the private subnet instance, we can’t directly connect to it as we don't have the Public Ip, But we can use our public instance as they are in the same vpc and shares the same route table config.
In order to do that we need to first transfer the private key into our Public instance, there we need to change the file permissions using
chmod 400 keyname.pem
and then do the ssh directly to the private instance.
As you can see from the public instance I have connected to the private subnet’s instance.
Now if we need to update any software inside the private instance we won’t be able to do that as there is no connectivity from the internet directly, Therefore we need to use the NAT gateway inside the Public Subnet(NAT gateways is not a free service).
To launch the NAT gateway Goto VPC >NAT gateways > Create NAT gateway > Give NAT gateway Name > Attach the customized VPC >Allocate Elastic IP to the NAT gateway > Create
Now create another Route table for the Private Subnet there in Destination use 0.0.0.0/0 (anywhere) and for Target nat-xxxxxxxx(NatGateway id). and attach this routing table to the private subnets.
This is how you create a vpc containing public and private subnets.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
For doing the above task with the AWS CLI, you can use aws help command to check different commands works for different services.
(Note: For running the aws command you need to first install the aws SDK in your OS)
To create VPC:
aws ec2 create-vpc — — cidr-block 172.32.0.0/16
To give any resource in aws a name you can use create-tags and give the resource id to it
To give VPC name:
aws ec2 create-tags — resources vpc-0f8f89dced48e4a46 — tags Key=Name,Value=Demo_cli
WebConsole OP:
To create Subnets:
aws ec2 create-subnet — vpc-id vpc-0f8f89dced48e4a46 — availability-zone ap-south-1c — cidr-block 172.32.3.0/24
To give the tag name:
aws ec2 create-tags — resources subnet-050a1dc8e9f14aded — tags Key=Name,Value=Public_sub
Similarly, for the private subnet:
aws ec2 create-subnet — vpc-id vpc-0f8f89dced48e4a46 — availability-zone ap-south-1a — cidr-block 172.32.5.0/24
To give it the tag-name:
aws ec2 create-tags — resources subnet-0ea9e53a89cff6493 — tags Key=Name,Value=Private_sub
WebConsole OP:
To create the Internet Gateway:
aws ec2 create-internet-gateway
aws ec2 create-tags — resources igw-0934c71e2889b65fa — tags Key=Name,Value=IGw1
WebConsole OP:
Attaching IGw to the VPC:
aws ec2 attach-internet-gateway — vpc-id vpc-0f8f89dced48e4a46 — internet-gateway-id igw-0934c71e2889b65fa — region ap-south-1
Create route table:
aws ec2 create-route-table — vpc-id vpc-0f8f89dced48e4a46
aws ec2 create-tags — resources rtb-05d6ad36fa12a9d53 — tags Key=Name,Value=RouteTableforIgwconnect
Create Routes for this table:
aws ec2 create-route — route-table-id rtb-05d6ad36fa12a9d53 — destination-cidr-block 0.0.0.0/0 — gateway-id igw-0934c71e2889b65fa
WebConsoleOP:
Associate the routing table to the public subnet:
aws ec2 associate-route-table — route-table-id rtb-05d6ad36fa12a9d53 — subnet-id subnet-050a1dc8e9f14aded
As explained earlier create the NAT gateway using the aws ec2 help command. And attach that routing table to the private subnet.
Now, we will launch the ec2 instances in public and private subnets using the CLI:
aws ec2 run-instances — image-id ami-068d43a544160b7ef — instance-type t2.nano — subnet-id subnet-050a1dc8e9f14aded — associate-public-ip-address — key-name keyname
aws ec2 create-tags — resources instance1ID — tags Key=Name,Value=PublicInstance
For the private Subnet:
aws ec2 run-instances — image-id ami-068d43a544160b7ef — instance-type t2.nano — subnet-id subnet-050a1dc8e9f14aded — no-associate-public-ip-address — key-name keyname
aws ec2 create-tags — resources instance1ID — tags Key=Name,Value=PrivateInstance
WebConsole OP:
Complete commands:
create vpc
aws ec2 create-vpc — cidr-block 172.32.0.0/16
create tag
aws ec2 create-tags — resources vpc-0f8f89dced48e4a46 — tags Key=Name,Value=Demo_clipub subnet1
aws ec2 create-subnet — vpc-id vpc-0f8f89dced48e4a46 — availability-zone ap-south-1c — cidr-block 172.32.3.0/24
tag
aws ec2 create-tags — resources subnet-050a1dc8e9f14aded — tags Key=Name,Value=Public_subprivate subnet2
aws ec2 create-subnet — vpc-id vpc-0f8f89dced48e4a46 — availability-zone ap-south-1a — cidr-block 172.32.5.0/24tag
aws ec2 create-tags — resources subnet-0ea9e53a89cff6493 — tags Key=Name,Value=Private_subcreate igw
aws ec2 create-internet-gatewaytaging
aws ec2 create-tags — resources igw-0934c71e2889b65fa — tags Key=Name,Value=IGw1attaching igw to vpc
aws ec2 attach-internet-gateway — vpc-id vpc-0f8f89dced48e4a46 — internet-gateway-id igw-0934c71e2889b65fa — region ap-south-1create routing table in vpc\
aws ec2 create-route-table — vpc-id vpc-0f8f89dced48e4a46taging routing table
aws ec2 create-tags — resources rtb-05d6ad36fa12a9d53 — tags Key=Name,Value=RouteTableforIgwconnectcreating routes
aws ec2 create-route — route-table-id rtb-05d6ad36fa12a9d53 — destination-cidr-block 0.0.0.0/0 — gateway-id igw-0934c71e2889b65faassosciate routes
aws ec2 associate-route-table — route-table-id rtb-05d6ad36fa12a9d53 — subnet-id subnet-050a1dc8e9f14adedlaunch instance
aws ec2 run-instances — image-id ami-068d43a544160b7ef — instance-type t2.nano — subnet-id subnet-050a1dc8e9f14aded — associate-public-ip-address — key-name awscsadevkeycreate tags
aws ec2 create-tags — resources instance1ID — tags Key=Name,Value=PublicInstance
Replace the Ids as shown in your console.
This is how we can use the AWS WebUI and CLI for solving this use case, Another great tool is terraform using which we can create a complete .tf file and use a variable in place of the IDs. Also, this tool gives a lot better features. If you want to know about this I would definitely like to help and share the blogs with you all. And also there are a lot more services I am working on right now including Route53, S3, Cloudfront, IAM, ELB, RDS, etc. I will soon publish other blogs related to these services and their Used Cases, If you want to know more you can connect with me on LinkedIN.
https://www.linkedin.com/in/akshat-soni-011b461a6t
That’s All from my side, I hope this will help