AWS

Designing and Building a Custom VPC from Scratch

By Thai Diep (thaimct.diep@gmail.com)

Introduction

This hands-on lab provides you with some experience building and connecting the following services inside AWS: VPC, subnets, internet gateway, NAT gateways, Bastion host, route tables, security groups, and network access control lists (NACLs). These services are the foundation of networking architecture inside of AWS and cover concepts such as infrastructure, design, routing, and security.


Step Detail
Part 1 – Create VPC and Subnet Architecture
1. Create a VPC

  • Navigate to VPC > Your VPCs.
  • Click Create VPC, and set the following values:
    • Name tag: TechnetVN-LabVPC
    • IPv4 CIDR block: 10.0.0.0/16
    • IPv6 CIDR block: Amazon provided IPv6 CIDR block
  • Leave the Tenancy field as its default value.
  • Click Create.


2. Create Subnets

PublicA Subnet

  • Click Subnets in the left-hand menu.
  • Click Create subnet, and set the following values:
    • Name tag: publicA
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1a
    • IPv4 CIDR block: 10.0.0.0/24
  • Click Create, and close out of the success message.


Repeat the same steps for each of the subnets below:

PublicB Subnet

  • Click Create subnet, and set the following values:
    • Name tag: publicB
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1b
    • IPv4 CIDR block: 10.0.1.0/24
  • Click Create, and close out of the success message.

PublicC Subnet

  • Click Create subnet, and set the following values:
    • Name tag: publicC
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1c
    • IPv4 CIDR block: 10.0.2.0/24
  • Click Create, and close out of the success message.

PrivateA Subnet

  • Click Create subnet, and set the following values:
    • Name tag: privateA
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1a
    • IPv4 CIDR block: 10.0.4.0/24
  • Click Create, and close out of the success message.

PrivateB Subnet

  • Click Create subnet, and set the following values:
    • Name tag: privateB
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1b
    • IPv4 CIDR block: 10.0.5.0/24
  • Click Create, and close out of the success message.

PrivateC Subnet

  • Click Create subnet, and set the following values:
    • Name tag: privateC
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1c
    • IPv4 CIDR block: 10.0.6.0/24
  • Click Create, and close out of the success message.

dbA Subnet

  • Click Create subnet, and set the following values:
    • Name tag: dbA
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1a
    • IPv4 CIDR block: 10.0.8.0/24
  • Click Create, and close out of the success message.

dbB Subnet

  • Click Create subnet, and set the following values:
    • Name tag: dbB
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1b
    • IPv4 CIDR block: 10.0.9.0/24
  • Click Create, and close out of the success message.

dbC Subnet

  • Click Create subnet, and set the following values:
    • Name tag: dbC
    • VPC: TechnetVN-LabVPC
    • Availability Zone: us-east-1c
    • IPv4 CIDR block: 10.0.10.0/24
  • Click Create, and close out of the success message.

3. Create Internet Gateway, Public Routing, and Bastion Host

  1. Select publicA, and click Actions > Modify auto-assign IP settings.
  2. Check the box to Enable auto-assign public IPv4 address.
  3. Click Save, and then un-select publicA.

Repeat the same steps for publicB and publicC:

  4. Select publicB, and click Actions > Modify auto-assign IP settings.
  5. Check the box to Enable auto-assign public IPv4 address.
  6. Click Save, and then un-select publicB.
  7. Select publicC, and click Actions > Modify auto-assign IP settings.
  8. Check the box to Enable auto-assign public IPv4 address.
  9. Click Save.

4. Configure Internet Gateway

  1. Click Internet Gateways in the left-hand menu.
  2. Click Create internet gateway.
  3. Set the name tag as “TechnetVN-LabVPCIGW”, and click Create.
  4. Select the newly created IGW, and click Actions > Attach to VPC.
  5. Select TechnetVN-LabVPC, and click Attach.



5. Configure Routing

  • Click Route Tables in the left-hand menu.
  • Click Create route table, and set the following values:
    • Name tag: publicRT
    • VPC: TechnetVN-LabVPC
  • Click Create.

6. Add Default Public Route

  • Select publicRT, and click the Routes tab.
  • Click Edit routes > Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: Internet Gateway, and select TechnetVN-LabVPCIGW
  • Click Add route again, and set the following values:
    • Destination: ::/0
    • Target: Internet Gateway, and select TechnetVN-LabVPCIGW
  • Click Save routes.
  • Click Close.


7. Associate with Subnets

  1. Select publicRT, and click the Subnet Associations tab.
  2. Click Edit subnet associations.
  3. Select publicA, publicB, and publicC.
  4. Click Save.

8. Create a Bastion Host

Since these subnets are public, in theory anything we deploy into them should be reachable from the internet. Now we’ll create a bastion host, which is a way to access a secure VPC from outside: we connect to the bastion host via SSH and use it as a jump point to connect into the rest of the VPC.

  • Navigate to EC2 > Instances.
  • Click Launch Instance.
  • On the AMI page, select the Amazon Linux 2 AMI with 64-bit (x86) architecture.
  • Choose the t3.micro instance type, and click Next: Configure Instance Details.
  • On the Configure Instance Details page, set the following values:
    • Network: TechnetVN-LabVPC
    • Subnet: publicB
    • Auto-assign Public IP: Use subnet setting (Enable)
  • Click Next: Add Storage, and then click Next: Add Tags.
  • On the Add Tags page, add the following tag:
    • Key: Name
    • Value: BastionHost
  • Click Next: Configure Security Group.
  • Select Create a new security group, and set the following values:
    • Security group name: bastionSG
    • Description: bastionSG
  • Click Review and Launch, and then Launch.
  • In the key pair dialog, select Create a new key pair.
  • Give it a Key pair name of “Technet_VPCLAB”.
  • Click Download Key Pair, and then Launch Instances.
  • Click View Instances, and give it a few minutes to enter the running state.

9. Verify Bastion Host Is Working

  1. When the bastion host has 2/2 status checks, select the instance, click Connect, and copy the ssh connection command.
  2. Open a terminal window.

    Note: Windows users can connect to the instance using this as a guide.

  3. Change to your downloads folder, where the key pair file is saved:

    cd Downloads

  4. Change permissions on the key pair file:

    chmod 400 Technet_VPCLAB.pem

  5. Run the ssh connection command you copied from the AWS console to connect to your bastion host.
  6. Enter yes at the prompt.



Part 2 – Configure Private Internet Connectivity Using NAT Gateway
1. Create the NAT Gateways

  1. In the AWS console, navigate to VPC > NAT Gateways.
  2. Click Create NAT Gateway.
  3. Set the subnet to publicA.
  4. Click Allocate Elastic IP address and then Create a NAT Gateway.
  5. Click Close.

Repeat the same steps for publicB and publicC:

  6. Click Create NAT Gateway.
  7. Set the subnet to publicB.
  8. Click Allocate Elastic IP address and then Create a NAT Gateway.
  9. Click Close.
  10. Click Create NAT Gateway.
  11. Set the subnet to publicC.
  12. Click Allocate Elastic IP address and then Create a NAT Gateway.
  13. Click Close.
  14. Select each NAT gateway, and copy each one’s NAT Gateway ID as well as the public subnet it’s in (this information can be found in the Details tab). Paste these values into a text file, as we will need them later.

2. Create Three Private Route Tables

  • Click Route Tables.
  • Click Create route table, and set the following values:
    • Name tag: privateA-RT
    • VPC: TechnetVN-LabVPC
  • Click Create and then Close.
  • Click Create route table, and set the following values:
    • Name tag: privateB-RT
    • VPC: TechnetVN-LabVPC
  • Click Create and then Close.
  • Click Create route table, and set the following values:
    • Name tag: privateC-RT
    • VPC: TechnetVN-LabVPC
  • Click Create and then Close.


3. Route Table Associations

privateA-RT

  • With privateA-RT selected, click the Subnet Associations tab.
  • Click Edit subnet associations.
  • Select dbA and privateA.
  • Click Save.
  • On the same route table, click the Routes tab.
  • Click Edit routes > Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: NAT Gateway, and paste the NAT Gateway ID for the one in publicA from the list you made earlier
  • Click Save routes and Close.


privateB-RT

  • Select privateB-RT, and click the Subnet Associations tab.
  • Click Edit subnet associations.
  • Select dbB and privateB.
  • Click Save.
  • On the same route table, click the Routes tab.
  • Click Edit routes > Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: NAT Gateway, and paste the NAT Gateway ID for the one in publicB from the list you made earlier
  • Click Save routes and Close.

privateC-RT

  • Select privateC-RT, and click the Subnet Associations tab.
  • Click Edit subnet associations.
  • Select dbC and privateC.
  • Click Save.
  • On the same route table, click the Routes tab.
  • Click Edit routes > Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: NAT Gateway, and paste the NAT Gateway ID for the one in publicC from the list you made earlier
  • Click Save routes and Close.
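Added here as an illustration (not part of the original lab): a small Python check of the routing design built so far. It models the nine subnets, the NAT gateway per AZ and the four route tables, and flags the mistakes this step is prone to: a private or db subnet whose 0.0.0.0/0 route points at a NAT gateway in a different AZ (it works, but an AZ failure then takes egress down in two AZs), a private subnet routed straight to the internet gateway, or a subnet left on the VPC's main route table. Subnet names, CIDRs and AZs are the lab's; the NAT gateway IDs and igw-lab are placeholders.

```python
import ipaddress
# Constructed model of the lab: VPC 10.0.0.0/16, nine /24s in three tiers x three AZs.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {  # name: (availability zone, CIDR, tier)
    "publicA": ("us-east-1a", "10.0.0.0/24", "public"),
    "publicB": ("us-east-1b", "10.0.1.0/24", "public"),
    "publicC": ("us-east-1c", "10.0.2.0/24", "public"),
    "privateA": ("us-east-1a", "10.0.4.0/24", "private"),
    "privateB": ("us-east-1b", "10.0.5.0/24", "private"),
    "privateC": ("us-east-1c", "10.0.6.0/24", "private"),
    "dbA": ("us-east-1a", "10.0.8.0/24", "db"),
    "dbB": ("us-east-1b", "10.0.9.0/24", "db"),
    "dbC": ("us-east-1c", "10.0.10.0/24", "db"),
}
# Placeholder NAT gateway IDs (not real AWS IDs) mapped to the public subnet hosting them.
NAT_GATEWAYS = {"nat-aaa": "publicA", "nat-bbb": "publicB", "nat-ccc": "publicC"}
ROUTE_TABLES = {  # name: (associated subnets, target of the 0.0.0.0/0 route)
    "publicRT": (["publicA", "publicB", "publicC"], "igw-lab"),
    "privateA-RT": (["privateA", "dbA"], "nat-aaa"),
    "privateB-RT": (["privateB", "dbB"], "nat-bbb"),
    "privateC-RT": (["privateC", "dbC"], "nat-ccc"),
}
def check_topology(subnets, nat_gateways, route_tables):
    """Return a list of findings; an empty list means the design matches the lab's intent."""
    findings = []
    nets = {n: ipaddress.ip_network(v[1]) for n, v in subnets.items()}
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(VPC_CIDR):
            findings.append(f"{a} lies outside the VPC CIDR")
        findings += [f"{a} overlaps {b}" for b in names[i + 1:] if nets[a].overlaps(nets[b])]
    seen = {}
    for rt, (members, target) in route_tables.items():
        for s in members:
            if s in seen:  # a subnet can be associated with only one route table
                findings.append(f"{s} associated with both {seen[s]} and {rt}")
            seen[s] = rt
            az, _, tier = subnets[s]
            if tier == "public" and not target.startswith("igw-"):
                findings.append(f"{s} is public but does not default-route to an IGW")
            elif tier != "public" and target.startswith("igw-"):
                findings.append(f"{s} ({tier}) default-routes to the internet gateway")
            elif tier != "public":
                host = nat_gateways.get(target)  # NAT must sit in the same AZ as the subnet
                if host is None or subnets[host][0] != az:
                    findings.append(f"{s} uses NAT gateway {target} that is not in {az}")
    # Subnets with no explicit association silently fall back to the VPC's main route table.
    findings += [f"{s} has no explicit route table" for s in subnets if s not in seen]
    return findings
```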

4. Configure and Test VPC Security

  • Navigate to EC2.
  • Click Launch instance.
  • On the AMI page, select the Amazon Linux 2 AMI with 64-bit (x86) architecture.
  • Choose the t3.micro instance type, and click Next: Configure Instance Details.
  • On the Configure Instance Details page, set the following values:
    • Network: TechnetVN-LabVPC
    • Subnet: privateA
    • Auto-assign Public IP: Use subnet setting (Disable)
  • Click Next: Add Storage, and then click Next: Add Tags.
  • On the Add Tags page, add the following tag:
    • Key: Name
    • Value: appserver
  • Click Next: Configure Security Group.
  • Select Create a new security group, and set the following values:
    • Security group name: appSG
    • Description: appSG
  • Change the rule Source to bastionSG.
  • Click Review and Launch, and then Launch.
  • In the key pair dialog, select Choose an existing key pair.
  • Choose the Technet_VPCLAB key pair.
  • Click Launch Instances.
  • Click View Instances, and give it a few minutes to enter the running state.

5. Use SSH Key Forwarding

Now we’re going to use a feature of SSH called agent forwarding. We’ll connect to the bastion host over SSH with forwarding enabled, which lets us SSH from the bastion host on to the app server without having to place the private key on the bastion host. This is more efficient, more secure than copying the key around, and saves us a step.

Note: Windows users need additional configuration to use SSH agent forwarding (this includes PuTTY).

  1. In the terminal session, exit out of the current SSH session:

    exit

  2. Change to your downloads folder:

    cd Downloads

  3. We need to add the key to the SSH agent, so that it is held in memory and used as part of the pass-through architecture that lets us hop via the bastion host into the appserver instance. To do so, run the following (the -K option is macOS-specific; on Linux run ssh-add Technet_VPCLAB.pem without it):

    ssh-add -K Technet_VPCLAB.pem

  4. In the AWS console, right-click the BastionHost instance, and click Connect.
  5. Copy the ec2-user@IP_ADDRESS portion of the connection command.
  6. In the terminal session, run the following (replacing <ec2-user@BASTIONHOST_IP_ADDRESS> with what you just copied):

    ssh -A <ec2-user@BASTIONHOST_IP_ADDRESS>

    The -A flag tells SSH to forward the authentication agent connection.

  7. Confirm you have a public internet connection:

    ping 1.1.1.1

    We should see we’re connected. Hit Ctrl+C to stop the ping.

  8. In the AWS console, right-click the appserver instance, and click Connect.
  9. Copy the ec2-user@IP_ADDRESS portion of the connection command.
  10. In the terminal session, run the following (replacing <ec2-user@IP_ADDRESS> with what you just copied):

    ssh <ec2-user@IP_ADDRESS>

  11. Enter yes at the prompt.
  12. Confirm you have a public internet connection:

    ping 1.1.1.1

    We should see we’re connected, which means our NAT gateway in publicA is working. Hit Ctrl+C to stop the ping.

  13. Enter the following twice to exit out of both the BastionHost and app server:

    exit

Note: if you are using Windows, you need to copy the Technet_VPCLAB.pem file to your bastion host, and then use ssh -i "Technet_VPCLAB.pem" ec2-user@APP-Server-IP to connect to your AppServer host.

6. Modify NACL

  • In the AWS console, navigate to VPC > Network ACLs.
  • With the default NACL selected, click the Inbound Rules tab.
  • Click Edit inbound rules.
  • Click Add Rule, and set the following values:
    • Rule #: 50
    • Type: ALL Traffic
    • Source: your IP address (which you can get by googling “what is my IP” in a new browser tab), with /32 appended at the end
    • Allow / Deny: DENY
  • Click Save.


  • In the terminal session, try to log in to the bastion host:

    ssh -A <ec2-user@BASTIONHOST_IP_ADDRESS>

    You won’t be able to since your IP address is matched against the explicit DENY rule. Exit out of the command by hitting Ctrl+C.

  • In the AWS console, remove rule #50 to remove the explicit DENY.
  • In the terminal, try connecting to the bastion host again, which should work this time.
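Added illustration (not part of the original lab) of why rule #50 wins: AWS evaluates NACL rules in ascending rule-number order and applies the first match, so the DENY at 50 is hit before the default ALLOW at rule 100, regardless of what the bastion’s security group permits. The rule tuple layout and the address 203.0.113.7 standing in for “your IP” are constructed.

```python
import ipaddress

# A NACL rule is (rule number, protocol, (from_port, to_port) or None for all
# ports, source CIDR, action). Constructed for the lab, not the AWS API format.
def evaluate_nacl(rules, src_ip, protocol, port):
    """Evaluate inbound rules the way AWS does: ascending rule number, first
    match wins, and the implicit final rule ('*') denies anything unmatched.
    Returns (action, number of the rule that decided)."""
    ip = ipaddress.ip_address(src_ip)
    for number, proto, ports, cidr, action in sorted(rules, key=lambda r: r[0]):
        if ip not in ipaddress.ip_network(cidr):
            continue
        if proto != "all" and proto != protocol:
            continue
        if ports is not None and not ports[0] <= port <= ports[1]:
            continue
        return action, number
    return "DENY", "*"

# Inbound rules of the default NACL as AWS creates it: rule 100 allows all traffic.
DEFAULT_INBOUND = [(100, "all", None, "0.0.0.0/0", "ALLOW")]

# The lab's change: rule #50, ALL Traffic, source <your IP>/32, DENY.
# 203.0.113.7 is a constructed sample address standing in for "your IP".
MY_IP = "203.0.113.7"
LAB_INBOUND = [(50, "all", None, f"{MY_IP}/32", "DENY")] + DEFAULT_INBOUND

def ssh_from(rules, src_ip):
    """Outcome of an inbound SSH attempt (TCP/22) from src_ip under these rules."""
    return evaluate_nacl(rules, src_ip, "tcp", 22)[0]

def remove_rule(rules, number):
    """Equivalent of deleting rule #number in the console."""
    return [r for r in rules if r[0] != number]

if __name__ == "__main__":
    print(ssh_from(LAB_INBOUND, MY_IP))                   # DENY: rule 50 matches first
    print(ssh_from(LAB_INBOUND, "198.51.100.9"))          # ALLOW: falls through to rule 100
    print(ssh_from(remove_rule(LAB_INBOUND, 50), MY_IP))  # ALLOW: explicit deny removed
```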

Conclusion

Congratulations on completing this hands-on lab!
