AWS - VPC
A VPC is regional; by default you can create at most 5 VPCs per Region.
A range of IP addresses is defined for each VPC.
CIDR range: the range of IP addresses in a network.
Example
CIDR:- 192.168.0.0/16
Because we are using /16, the first two octets (192.168) stay constant while the other two octets can vary from 0-255, which gives 256×256 = 65536 IP addresses.
Valid IP addresses in this range
192.168.10.20, 192.168.200.10,192.168.2.0/24, 192.168.3.10/21
Invalid IP addresses in the above CIDR
192.168.10.278, 192.169.0.0/24
Reserved IP addresses in a network
These reserved IP addresses cannot be used for EC2 instances.
1. Network IP
2. Broadcast IP
3. Future use IP
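The membership and address-count checks above can be done with Python's standard ipaddress module. The following is an added example written for these notes, not code from the notes themselves; it uses the 192.168.0.0/16 range and the candidate addresses listed above, and its usable_hosts function applies the AWS rule that five addresses per subnet are reserved (network address, VPC router, DNS resolver, future use, broadcast), which is a superset of the three categories listed above.

```python
import ipaddress

# Constructed example value taken from the notes above: the /16 VPC range.
VPC_CIDR = "192.168.0.0/16"


def address_count(cidr):
    """Number of addresses in a CIDR block (a /16 holds 256*256 = 65536)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def in_range(candidate, cidr):
    """True if candidate (a host address or a sub-CIDR) lies inside cidr.

    Malformed input such as an octet above 255 is reported as invalid
    rather than raised, so this doubles as a plain validity check.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    try:
        if "/" in candidate:
            # strict=False lets "192.168.3.10/21" stand for the /21 block
            # that contains it, which is how the notes use that notation.
            return ipaddress.ip_network(candidate, strict=False).subnet_of(net)
        return ipaddress.ip_address(candidate) in net
    except ValueError:
        return False


def usable_hosts(subnet_cidr):
    """Addresses an EC2 instance may actually receive in a subnet.

    AWS reserves five addresses per subnet: the network address, the VPC
    router (.1), the DNS resolver (.2), one for future use (.3) and the
    broadcast address (last). A /24 therefore yields 251 usable addresses.
    """
    addrs = list(ipaddress.ip_network(subnet_cidr, strict=True))
    reserved = set(addrs[:4]) | {addrs[-1]}
    return [str(a) for a in addrs if a not in reserved]


def subnets_fit(vpc_cidr, subnet_cidrs):
    """Check that every subnet sits inside the VPC range and none overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    if not all(n.subnet_of(vpc) for n in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    print(address_count(VPC_CIDR), "addresses in", VPC_CIDR)
    for c in ["192.168.10.20", "192.168.2.0/24", "192.168.10.278", "192.169.0.0/24"]:
        print(c, "valid" if in_range(c, VPC_CIDR) else "invalid")
    print(len(usable_hosts("10.10.1.0/24")), "usable addresses in 10.10.1.0/24")
    print("lab subnets fit:", subnets_fit("10.10.0.0/16", ["10.10.1.0/24", "10.10.2.0/24"]))
```

subnets_fit is the check to run before the subnet-creation steps below: the console rejects a subnet CIDR outside the VPC range or overlapping an existing subnet, and catching that locally saves a round of failed attempts.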
Lab
Create a VPC
1. Search for VPC service
2. Click on Your VPC Link
3. Click Create VPC button
4. On this page define the properties of the VPC
- Select the VPC only option
- Name: myvpc-1
- IPv4 CIDR: 10.10.0.0/16
- Tenancy: Default
Click on the Create VPC button
Create Subnets (by default no subnet is created in the VPC)
1. Click on Subnets link
2. Click on Create subnet
3. Set the following properties for the public subnet
- VPC ID: myvpc-1
- Subnet Name: Public Subnet 1-a
- Availability Zone: 1-a
- CIDR: 10.10.1.0/24
Click on Create Subnet
4. Click on Create subnet
5. Set the following properties for the private subnet
- VPC ID: myvpc-1
- Subnet Name: Private Subnet 1-b
- Availability Zone: 1-b
- CIDR: 10.10.2.0/24
Click on Create Subnet
Create an Internet Gateway to provide Internet connectivity to the public subnet
1. Click on Internet Gateways
2. Name: IGW1
Click on Create Internet Gateway
3. Select Internet Gateway IGW1 and choose Actions -> Attach to VPC, then select myvpc-1
Now Internet connectivity is available to the myvpc-1 VPC.
Create Route Tables (a default route table is created for the VPC)
1. Click on Route Tables link
2. Click on Create Route table button
3. Set the properties
- Name: Public Route
- VPC: myvpc-1
and Click on Create Route Table
4. Click on Create Route table button
5. Set the properties
- Name: Private Route
- VPC: myvpc-1
and Click on Create Route Table
6. Attach subnets to the route tables
Select Public Route
- Select Subnet Associations
- Click on Edit subnet associations and select Public Subnet 1-a
- Click on Routes -> Edit Routes -> Add Route
  Destination: 0.0.0.0/0
  Target: IGW1
  and click on the Save Changes button.
Select Private Route
- Select Subnet Associations
- Click on Edit subnet associations and select Private Subnet 1-b
Create EC2 instance in myvpc-1
1. Create a public EC2 instance with the Amazon Linux image
2. Select VPC as myvpc-1
3. Select subnet as Public Subnet 1-a
4. Auto assign Public IP: Enable
5. Create a new security group for SSH; let's call it sshSG.
1. Create a private EC2 instance with the Amazon Linux image
2. Select VPC as myvpc-1
3. Select subnet as Private Subnet 1-b
4. Auto assign Public IP: Disable
5. Select sshSG security group
Experiment
1. Check whether the private IP addresses fall within the defined subnet ranges.
2. Check that both instances can ping each other using their private IP addresses.
3. Connect to the private VM through the public VM.
4. Check whether internet connectivity is available for the private VM (ping 8.8.8.8).
NAT Gateway
To provide an internet connection to the private VM we need to create a NAT Gateway in the current VPC
1. Click on NAT (Network Address Translation) Gateways
2. Select Public Subnet 1-a
3. Connectivity type: Public
4. Click on Allocate Elastic IP button
5. Click on Create NAT Gateway
6. It takes some time to create; once it is created, select it and go to Actions -> Attach to VPC -> myvpc-1
7. Click on Route Table and Select the private Route table
8. Select Routes -> Edit Routes
9. Click on Add Route, set Destination 0.0.0.0/0 and Target NAT Gateway, and click on Save changes
10. Now the private VM should have internet connectivity.
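The route-table steps above (Public Route with 0.0.0.0/0 -> IGW1, Private Route with only the local route, then the NAT route added in step 9) can be modelled to see why the private VM's ping to 8.8.8.8 fails before the NAT Gateway and succeeds after it. This is an added example written for these notes, not AWS code or the notes' own material; it assumes the target labels igw-IGW1 and nat-NATGW1 as stand-ins for the real gateway ids, uses the lab's 10.10.0.0/16 VPC and subnet names, and implements the longest-prefix-match lookup that a VPC route table performs.

```python
import ipaddress

LOCAL = "local"            # implicit route AWS adds for the VPC's own CIDR
VPC_CIDR = "10.10.0.0/16"  # the lab VPC from the notes


class RouteTable:
    """A VPC route table: the implicit local route plus the routes you add."""

    def __init__(self, vpc_cidr):
        self.routes = [(ipaddress.ip_network(vpc_cidr), LOCAL)]

    def add_route(self, destination, target):
        self.routes.append((ipaddress.ip_network(destination), target))

    def lookup(self, dst_ip):
        """Longest-prefix match; None means no route, so the packet is dropped."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, tgt) for net, tgt in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_lab_tables():
    """Route tables as the lab leaves them before the NAT Gateway section."""
    public_rt = RouteTable(VPC_CIDR)
    public_rt.add_route("0.0.0.0/0", "igw-IGW1")   # Public Route -> IGW1 (assumed id)
    private_rt = RouteTable(VPC_CIDR)              # Private Route: local only
    return {"Public Subnet 1-a": public_rt, "Private Subnet 1-b": private_rt}


def add_nat_route(tables):
    """Step 9 of the NAT section: default route of the private table -> NAT."""
    tables["Private Subnet 1-b"].add_route("0.0.0.0/0", "nat-NATGW1")


def internet_path(tables, subnet, dst_ip, nat_subnet):
    """Follow next hops from a subnet until delivery or a drop.

    nat_subnet maps a NAT target to the subnet it was created in. A NAT
    gateway forwards using that subnet's route table, which is why step 2
    creates it in Public Subnet 1-a, whose table routes 0.0.0.0/0 to the IGW.
    """
    path, seen = [], set()
    while subnet not in seen:
        seen.add(subnet)
        hop = tables[subnet].lookup(dst_ip)
        if hop is None:
            break                        # no matching route: dropped
        path.append(hop)
        if not hop.startswith("nat-"):
            break                        # local or IGW: delivered
        subnet = nat_subnet[hop]
    return path


def reaches_internet(path):
    return bool(path) and path[-1].startswith("igw-")


if __name__ == "__main__":
    tables = build_lab_tables()
    nat_in = {"nat-NATGW1": "Public Subnet 1-a"}   # step 2: NAT in the public subnet
    print("public  -> 8.8.8.8   :", internet_path(tables, "Public Subnet 1-a", "8.8.8.8", nat_in))
    print("private -> 8.8.8.8   :", internet_path(tables, "Private Subnet 1-b", "8.8.8.8", nat_in))
    print("private -> 10.10.1.25:", internet_path(tables, "Private Subnet 1-b", "10.10.1.25", nat_in))
    add_nat_route(tables)
    print("private -> 8.8.8.8 after NAT route:",
          internet_path(tables, "Private Subnet 1-b", "8.8.8.8", nat_in))
```

The empty path for the private subnet before the NAT route is the drop behind experiment 4 in the previous section; the same model with the NAT placed in the private subnet shows the packet looping back to the NAT and never reaching the IGW, which is the misconfiguration to look for when a NAT Gateway exists but the private VM still has no connectivity.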
Experiments
1. Delete the NAT Gateway and check whether the EIP also gets deleted.
2. Find the EIP address allocated to NAT Gateway.
3. How to delete a VPC.
Network ACL
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Note:
One subnet can be associated with one and only one NACL.
One NACL can have multiple subnets associated with it.
1. Select Security -> Network ACLs
2. You can see there is already a NACL defined for your subnets (Public and Private).
3. Click on the Create Network ACL button
4. Provide the following settings
NACL Name: mynacl
VPC: myvpc-1
Click on Create Network ACL
5. Select mynacl, click on the Subnet Associations tab and select the public subnet.
6. Click on Inbound Rules, then Edit Inbound Rules, and allow access to port number 22.
7. Create an EC2 instance in myvpc-1 in the public subnet and try to connect on port number 22. You will not be able to connect, because at the NACL level we have opened port 22 at the inbound level but not at the outbound level, so let's open port number 22 at the outbound level as well. I am opening ALL Traffic because we are not sure whether the outbound port is 22 or some other port number.
8. Select mynacl, click on the Outbound Rules tab and edit the outbound rules to allow All Traffic.
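The failure in step 7 comes from the NACL being stateless: the inbound SYN to port 22 is allowed, but the reply leaves the subnet towards the client's ephemeral port, and with no outbound rule the trailing '*' rule denies it. The following added example, written for these notes rather than taken from them or from AWS, models the numbered-rule evaluation a NACL performs and runs an SSH exchange through the rule sets the lab passes through; the client address 203.0.113.5 and port 50123 are constructed values, and the 1024-65535 rule set is the tighter alternative to "All Traffic" that AWS documents as the ephemeral port range.

```python
import ipaddress
from dataclasses import dataclass

DENY, ALLOW = "DENY", "ALLOW"
ANY = (0, 65535)          # "All Traffic" port range in the console


@dataclass
class Rule:
    number: int           # NACL rules are evaluated in ascending number order
    protocol: str         # "tcp", "udp" or "all"
    ports: tuple          # (low, high) destination port range
    cidr: str             # remote source (inbound) or destination (outbound)
    action: str

    def matches(self, protocol, port, remote_ip):
        proto_ok = self.protocol == "all" or self.protocol == protocol
        port_ok = self.ports[0] <= port <= self.ports[1]
        net_ok = ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
        return proto_ok and port_ok and net_ok


def evaluate(rules, protocol, port, remote_ip):
    """First matching rule wins; the trailing '*' rule denies everything else."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, remote_ip):
            return rule.action
    return DENY


def ssh_session_allowed(inbound, outbound, client_ip="203.0.113.5", client_port=50123):
    """A NACL is stateless: the request and the reply are each checked alone.

    The inbound packet targets port 22; the reply goes back to whatever
    ephemeral port the client chose, so the outbound rules must allow that
    destination port, which is why an outbound rule for port 22 is not enough.
    """
    request = evaluate(inbound, "tcp", 22, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == ALLOW and reply == ALLOW


# Rule sets for the states the lab passes through (constructed values).
INBOUND_SSH = [Rule(100, "tcp", (22, 22), "0.0.0.0/0", ALLOW)]            # step 6
OUTBOUND_NONE = []                                                        # step 7: only '*'
OUTBOUND_22 = [Rule(100, "tcp", (22, 22), "0.0.0.0/0", ALLOW)]            # the first idea in step 7
OUTBOUND_ALL = [Rule(100, "all", ANY, "0.0.0.0/0", ALLOW)]                # step 8: All Traffic
OUTBOUND_EPHEMERAL = [Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", ALLOW)]  # tighter alternative

if __name__ == "__main__":
    for label, rules in [("none", OUTBOUND_NONE), ("port 22", OUTBOUND_22),
                         ("all traffic", OUTBOUND_ALL), ("ephemeral", OUTBOUND_EPHEMERAL)]:
        print(f"outbound {label:12}: SSH works = {ssh_session_allowed(INBOUND_SSH, rules)}")
```

The ephemeral-range rule lets the SSH (and, for experiment 1 below, the port 80) replies out while still denying connections the instance itself would open to low ports; this is the usual way to get step 8's result without an allow-all outbound rule.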
Experiments
1. Host a website on the EC2 instance on port number 80, remove the outbound rule and check whether you can still access it externally.
2. Try to access google.com from your EC2 instance.