[Lab] Amazon VPC – Public and Private Subnets

We will create a VPC with a public subnet and a private subnet and test which of them can be reached from the internet. The VPC is built by hand rather than with the VPC Wizard, so that each piece (subnets, internet gateway, route tables, security groups) is visible.


Steps:

  1. Log in to the AWS console and go to VPC dashboard.

  2. Go to ‘Your VPCs’ and click on ‘Create VPC’

    1. Provide a name (e.g. BuddyVPC), CIDR (e.g. 10.0.0.0/16) and select ‘Default’ Tenancy.

      1. Note: Default tenancy runs instances on shared hardware; ‘Dedicated’ runs them on single-tenant hardware at extra cost.

    2. Click ‘Yes, Create’

  3. Verify following:

    1. No new subnets are created (the subnets you see belong to the default VPC).

    2. There is a new main route table for the new VPC, containing only the local route (10.0.0.0/16 → local).

    3. No new internet gateway is created.

    4. A default security group was created for the new VPC.

    5. A default Network ACL was created for the new VPC.

  4. Click on subnets tab and click on ‘Create Subnet’

    1. Provide a name (e.g. 10.0.1.0-ap-southeast-1a), select our VPC, select the availability zone (e.g. ap-southeast-1a) and enter the CIDR block (e.g. 10.0.1.0/24).

      1. Note: Putting the CIDR range and AZ in the name is handy later.

    2. Click ‘Yes, Create’

  5. Click on subnets tab and click on ‘Create Subnet’

    1. Provide a name (e.g. 10.0.2.0-ap-southeast-1b), select our VPC, select the availability zone (e.g. ap-southeast-1b) and enter the CIDR block (e.g. 10.0.2.0/24).

    2. Click ‘Yes, Create’

  6. Click on Internet Gateways and click ‘Create Internet Gateway’.

    1. Provide a name (e.g. BuddyIGW).

    2. Click ‘Yes, Create’

      1. Note: An IGW is what gives a subnet a path to the internet. A subnet is public only when its route table sends 0.0.0.0/0 to an IGW attached to the VPC.

  7. Select our IGW, click on ‘Attach to VPC’ and attach to our VPC.

  8. Add a route out for the public subnet

    1. Go to ‘Route Tables’ tab.

    2. Select the VPC’s main (default) route table and check its Routes tab: it has only the local route (10.0.0.0/16 → local).

      1. Note: Good practice is to leave the main route table alone. Any subnet without an explicit route table association uses it, so adding an internet route there would make every future subnet public by default.

    3. Click on ‘Create Route Table’

      1. Provide a name (e.g. BuddyPublicRoute) and select our VPC.

      2. Click ‘Yes, Create’

    4. Select our Route table, go to Routes tab, click edit.

      1. Provide a route out entry: Destination as 0.0.0.0/0, Target as our IGW.

      2. Click save

  9. Click on Subnet Associations tab and click Edit

    1. Select the first subnet (e.g. one in ap-southeast-1a)

      1. Make sure that our new route table (not the main one) is the one selected at the top.

    2. Click Save

  10. Go to ‘Subnets’ tab, select the first subnet, click on ‘Subnet Actions’, click on ‘Auto Assign Public IP’ and tick the checkbox, so that instances launched there get a public IP automatically.

  11. Launch an EC2 instance selecting our VPC and into subnet 1

    1. Create a bootup (user data) script during instance creation to install updates, install httpd, start it and enable it on reboot, and create an index.html file with some text in /var/www/html (see previous notes).

    2. Create or reuse an EC2 security group that allows HTTP (port 80) from anywhere and SSH (port 22) from your own IP address only.

    3. Once launched and running, open the public IP in a browser and check that the index.html page loads.

    4. Also try to SSH into the EC2 instance.

  12. Launch an EC2 instance selecting our VPC and into subnet 2

    1. Create or reuse an EC2 security group with:

      1. SSH, MySQL, All ICMP.

      2. For all three rules, set the source to Custom with the IP range 10.0.1.0/24 (the public subnet), so only hosts in the public subnet can reach this instance.

      3. ICMP is needed because we will ping this instance from the public EC2 instance.

    2. Verify that it has only a private IP and no public IP (subnet 2 has auto-assign public IP off).

  13. SSH into the public EC2 instance and elevate privileges (e.g. sudo su)

  14. Try pinging private EC2 instance using the private IP.

    1. Ping should be successful

  15. For the lab, copy your .pem private key to the public EC2 instance and chmod 400 it.

    1. Or create a new .pem file there and paste in the key contents.

    2. Caveat: outside a lab, do not leave private keys on a bastion; anyone who compromises the public instance then holds the key to the private one. Use SSH agent forwarding (ssh -A) or a jump host (ssh -J) from your workstation instead, so the key never leaves it.

  16. Run: ssh ec2-user@<private-ip> -i mykeypair.pem

    1. Should successfully SSH into the private instance, because the security group on it allows port 22 from 10.0.1.0/24.

  17. Try running: yum update -y

    1. It should fail (time out): the private subnet falls back to the main route table, which has only the local route and no 0.0.0.0/0 to the IGW, and the instance has no public IP. Giving it outbound-only internet access takes a NAT gateway in the public subnet and a separate private route table sending 0.0.0.0/0 to that NAT gateway.
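The “Verify” steps above are easy to get wrong by hand (a subnet with no explicit association silently inherits the main route table, for example). Below is an added example, not code from the original lab or from AWS, that performs the same checks offline against the dict shapes returned by boto3’s describe_subnets, describe_route_tables and describe_internet_gateways. All records are constructed inline with made-up IDs (vpc-0buddy…, rtb-0main, rtb-0public, subnet-0pub1a, subnet-0priv1b), so it runs with no credentials; to use it on a real account, replace the SAMPLE_* lists with the “Subnets”, “RouteTables” and “InternetGateways” lists from those three calls. The MISCONFIGURED_ROUTE_TABLES variant shows what the note in step 8 warns about: the route out added to the main table instead of a dedicated public one.

```python
"""Offline audit of which subnets in a VPC are public, and why.

Added example (not the lab's or AWS's code). Uses the dict shapes that boto3's
describe_* calls return; every record below is constructed with made-up IDs.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SubnetReport:
    subnet_id: str
    cidr: str
    route_table_id: str
    uses_main_table: bool                # no explicit association: main table applies
    default_route_target: Optional[str]  # target of 0.0.0.0/0, None if no route out
    auto_assign_public_ip: bool
    public: bool                         # 0.0.0.0/0 -> an IGW that is attached to the VPC
    warnings: List[str] = field(default_factory=list)


def igw_attached(igws, vpc_id):
    """Lab step 7: is an internet gateway attached to this VPC?"""
    return any(att.get("VpcId") == vpc_id and att.get("State") in ("available", "attached")
               for igw in igws for att in igw.get("Attachments", []))


def default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route, or None when there is no route out."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId") or r.get("InstanceId")
    return None


def effective_route_table(route_tables, vpc_id, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt, False
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no main route table found for {vpc_id}")
    return main, True


def audit_vpc(vpc_id, subnets, route_tables, igws):
    """Classify every subnet in vpc_id and flag the mistakes the lab warns about."""
    has_igw = igw_attached(igws, vpc_id)
    reports = []
    for s in subnets:
        if s.get("VpcId") != vpc_id:
            continue
        rt, is_main = effective_route_table(route_tables, vpc_id, s["SubnetId"])
        target = default_route_target(rt)
        routes_to_igw = bool(target and target.startswith("igw-"))
        public = has_igw and routes_to_igw
        auto_ip = bool(s.get("MapPublicIpOnLaunch", False))
        warnings = []
        if routes_to_igw and not has_igw:
            warnings.append("0.0.0.0/0 points at an IGW that is not attached to the VPC")
        if public and is_main:
            warnings.append("public through the MAIN route table: every subnet without "
                            "an explicit association silently inherits the route out")
        if public and not auto_ip:
            warnings.append("public subnet but auto-assign public IP is off")
        if not public and auto_ip:
            warnings.append("auto-assign public IP is on but there is no route to an IGW")
        reports.append(SubnetReport(s["SubnetId"], s["CidrBlock"], rt["RouteTableId"],
                                    is_main, target, auto_ip, public, warnings))
    return reports


# ---- constructed sample data (made-up IDs) mirroring the lab's end state ----
VPC_ID, IGW_ID = "vpc-0buddy00000000001", "igw-0buddy00000000001"
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_OUT = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"}
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0pub1a", "VpcId": VPC_ID, "CidrBlock": "10.0.1.0/24",
     "AvailabilityZone": "ap-southeast-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0priv1b", "VpcId": VPC_ID, "CidrBlock": "10.0.2.0/24",
     "AvailabilityZone": "ap-southeast-1b", "MapPublicIpOnLaunch": False},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main", "VpcId": VPC_ID, "Routes": [LOCAL],
     "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}]},
    {"RouteTableId": "rtb-0public", "VpcId": VPC_ID, "Routes": [LOCAL, ROUTE_OUT],
     "Associations": [{"Main": False, "SubnetId": "subnet-0pub1a", "RouteTableId": "rtb-0public"}]},
]
SAMPLE_IGWS = [{"InternetGatewayId": IGW_ID, "Attachments": [{"VpcId": VPC_ID, "State": "available"}]}]

# Counter-example: the route out added to the MAIN table instead (what step 8 says not to do).
MISCONFIGURED_ROUTE_TABLES = [{**SAMPLE_ROUTE_TABLES[0], "Routes": [LOCAL, ROUTE_OUT]}]

if __name__ == "__main__":
    for r in audit_vpc(VPC_ID, SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, SAMPLE_IGWS):
        print(r)
    print("--- with the route out on the main table ---")
    for r in audit_vpc(VPC_ID, SAMPLE_SUBNETS, MISCONFIGURED_ROUTE_TABLES, SAMPLE_IGWS):
        print(r)
```

With the lab’s layout the first subnet is reported public via rtb-0public and the second private via the main table with no route out, which is exactly why step 17 fails. With the route out on the main table, both subnets come back public and the private one is flagged twice: it inherits the internet route and has auto-assign off, so instances there would be exposed to anything that later gives them an address.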
