Designing and Building a Custom VPC from Scratch

By Thai Diep (thaimct.diep@gmail.com)

Introduction

This hands-on lab provides you with some experience building and connecting the following services inside AWS: VPC, subnets, internet gateway, NAT gateways, Bastion host, route tables, security groups, and network access control lists (NACLs). These services are the foundation of networking architecture inside of AWS and cover concepts such as infrastructure, design, routing, and security.

Step	Detail
Part 1 – Create VPC and Subnet Architecture
1	Create a VPC
	Navigate to VPC > Your VPCs. Click Create VPC, and set the following values: Name tag: TechnetVN-LabVPC IPv4 CIDR block: 10.0.0.0/16 IPv6 CIDR block: Amazon provided IPv6 CIDR block Leave the Tenancy field as its default value. Click Create.
2	Create Subnets
	PublicA Subnet Click Subnets in the left-hand menu. Click Create subnet. Name tag: publicA VPC: TechnetVN-LabVPC Availability Zone: us-east-1a IPv4 CIDR block: 10.0.0.0/24 Click Create, and close out of the success message. Do same steps for the below Subnet PublicB Subnet Click Create subnet. Name tag: publicB VPC: TechnetVN-LabVPC Availability Zone: us-east-1b IPv4 CIDR block: 10.0.1.0/24 Click Create, and close out of the success message. PublicC Subnet Click Create subnet. Name tag: publicC VPC: TechnetVN-LabVPC Availability Zone: us-east-1c IPv4 CIDR block: 10.0.2.0/24 Click Create, and close out of the success message. PrivateA Subnet Click Create subnet. Name tag: privateA VPC: TechnetVN-LabVPC Availability Zone: us-east-1a IPv4 CIDR block: 10.0.4.0/24 Click Create, and close out of the success message. PrivateB Subnet Click Create subnet. Name tag: privateB VPC: TechnetVN-LabVPC Availability Zone: us-east-1b IPv4 CIDR block: 10.0.5.0/24 Click Create, and close out of the success message. PrivateC Subnet Click Create subnet. Name tag: privateC VPC: TechnetVN-LabVPC Availability Zone: us-east-1c IPv4 CIDR block: 10.0.6.0/24 Click Create, and close out of the success message. dbA Subnet Click Create subnet. Name tag: dbA VPC: TechnetVN-LabVPC Availability Zone: us-east-1a IPv4 CIDR block: 10.0.8.0/24 Click Create, and close out of the success message. dbB Subnet Click Create subnet. Name tag: dbB VPC: TechnetVN-LabVPC Availability Zone: us-east-1b IPv4 CIDR block: 10.0.9.0/24 Click Create, and close out of the success message. dbC Subnet Click Create subnet. Name tag: dbC VPC: TechnetVN-LabVPC Availability Zone: us-east-1c IPv4 CIDR block: 10.0.10.0/24 Click Create, and close out of the success message.
3	Create Internet Gateway, Public Routing, and Bastion Host
	Select publicA, and click Actions > Modify auto-assign IP settings. Check the box to Enable auto-assign public IPv4 address. Click Save, and then un-select publicA. Do same steps for publicB, publicC Select publicB, and click Actions > Modify auto-assign IP settings. Check the box to Enable auto-assign public IPv4 address. Click Save, and then un-select publicB. Select publicC, and click Actions > Modify auto-assign IP settings. Check the box to Enable auto-assign public IPv4 address. Click Save.
4	Configure Internet Gateway
	Click Internet Gateways in the left-hand menu. Click Create internet gateway. Set the name tag as “ TechnetVN-LabVPCIGW”, and click Create. Select the newly created IGW, and click Actions > Attach to VPC. Select TechnetVN-LabVPC, and click Attach.
5	Configure Routing
	Click Route Tables in the left-hand menu. Click Create route table, and set the following values: Name tag: publicRT VPC: TechnetVN-LabVPC Click Create
6	Add Default Public Route
	Select publicRT, and click the Edit routes tab. Click Edit routes, Add route, and set the following values: Destination: 0.0.0.0/0Target: Internet Gateway, and select TechnetVN-LabVPCIGW Click Add route again, set the following values: Destination: ::/0 Target: Internet Gateway, and select TechnetVN-LabVPCIGW Click Save routes. Click Close.
7	Associate with Subnets
	Select publicRT, and click the Subnet Associations tab. Click Edit subnet associations. Select publicA, publicB, and publicC. Click Save.
8	Create a Bastion Host Since these subnets are public, then, in theory, anything we deploy into them should be publicly accessible. Now, we’ll create a bastion host, which is a way you can access a secure VPC from outside — meaning, we can connect to the bastion host via SSH and use it to connect into the VPC.
	Navigate to EC2 > Instances. Click Launch Instance. On the AMI page, select the Amazon Linux 2 AMI with 64-bit (x86) architecture. Choose the t3.micro instance type, and click Next: Configure Instance Details. On the Configure Instance Details page, set the following values: Network: TechnetVN-LabVPC Subnet: publicB Auto-assign Public IP: Use subnet setting (Enable) Click Next: Add Storage, and then click Next: Add Tags. On the Add Tags page, add the following tag: Key: Name Value: BastionHost Click Next: Configure Security Group. Select Create a new security group, and set the following values: Security group name: bastionSG Description: bastionSG Click Review and Launch, and then Launch. In the key pair dialog, select Create a new key pair. Give it a Key pair name of “ Technet_VPCLAB”. Click Download Key Pair, and then Launch Instances. Click View Instances, and give it a few minutes to enter the running state.
9	Verify Bastion Host Is Working
	When the bastion host has 2/2 status checks, select the instance, click Connect, and copy the ssh connection command. Open a terminal window. Note: Windows users can connect to the instance using this as a guide. Change to your downloads folder, where the key pair file is saved: cd Downloads Change permissions on the key pair file: chmod 400 Technet_VPCLAB.pem Run the ssh connection command you copied from the AWS console to connect to your bastion host. Enter yes at the prompt.
Part 2 – Configure Private Internet Connectivity Using NAT Gateway
1	Create the NAT Gateways
	In the AWS console, navigate to VPC > NAT Gateways. Click Create NAT Gateway. Set the subnet to publicA. Click Allocate Elastic IP address and then Create a NAT Gateway. Click Close. Do same steps for PublicB and PublicC. Click Create NAT Gateway. Set the subnet to publicB. Click Allocate Elastic IP address and then Create a NAT Gateway. Click Close. Click Create NAT Gateway. Set the subnet to publicC. Click Allocate Elastic IP address and then Create a NAT Gateway. Click Close. Select each NAT gateway, and copy each one’s NAT Gateway ID as well as the public subnet it’s in (this information can be found in the Details tab). Paste these values into a text file, as we will need them later
2	Create Three Private Route Tables
	Click Route Tables. Click Create route table, and set the following values: Name tag: privateA-RT VPC: TechnetVN-LabVPC Click Create and then Close. Click Create route table, and set the following values: Name tag: privateB-RT VPC: TechnetVN-LabVPC Click Create and then Close. Click Create route table, and set the following values: Name tag: privateC-RT VPC: TechnetVN-LabVPC Click Create and then Close.
3	Route Table Associations
	privateA-RT With privateA-RT selected, click the Subnet Associations tab. Click Edit subnet associations. Select dbA and privateA Click Save. On the same route table, click the Routes tab Click Edit routes, Add route, and set the following values: Destination: 0.0.0.0/0 Target: NAT Gateway, and paste the NAT Gateway ID for the one in publicA in the list you made earlier Click Save routes and Close. privateB-RT Select privateB-RT, and click the Subnet Associations tab. Click Edit subnet associations. Select dbB and privateB Click Save. On the same route table, click the Routes tab. Click Edit routes, Add route, and set the following values: Destination: 0.0.0.0/0 Target: NAT Gateway, and paste the NAT Gateway ID for the one in publicB in the list you made earlier Click Save routes and Close. privateC-RT Select privateC-RT, and click the Subnet Associations tab. Click Edit subnet associations. Select dbC and privateC Click Save. On the same route table, click the Routes tab. Click Edit routes, Add route, and set the following values: Destination: 0.0.0.0/0 Target: NAT Gateway, and paste the NAT Gateway ID for the one in publicC in the list you made earlier Click Save routes and Close.
4	Configure and Test VPC Security
	Navigate to EC2. Click Launch instance. On the AMI page, select the Amazon Linux 2 AMI with 64-bit (x86) architecture. Choose the t3.micro instance type, and click Next: Configure Instance Details. On the Configure Instance Details page, set the following values: Network: TechnetVN-LabVPC Subnet: privateA Auto-assign Public IP: Use subnet setting (Disable) Click Next: Add Storage, and then click Next: Add Tags. On the Add Tags page, add the following tag: Key: Name Value: appserver Click Next: Configure Security Group. Select Create a new security group, and set the following values: Security group name: appSG Description: appSG Change the rule Source to bastionSG. Click Review and Launch, and then Launch. In the key pair dialog, select Choose an existing key pair. Choose the Technet_VPCLAB key pair. Click Launch Instances. Click View Instances, and give it a few minutes to enter the running state.
5	Use SSH Key Forwarding
	Now, we’re going to use a special feature of SSH that allows us to forward keys. We’re going to connect to the bastion host using SSH and use this forwarding feature to allow us to SSH from the bastion host to the app server without having to have the SSH key also on the bastion host. This is more efficient, secure, and saves us a step. Note: Windows users, when using SSH Key Forwarding, you will need specific configuration (includes PuTTY). In the terminal session, exit out of the current SSH session: exit Change to your downloads folder: cd Downloads We need to add the key to the SSH agent, enabling the key to be stored in memory and be used as part of the pass-through architecture so we can hop via the bastion host into the appserver instance. To do so, run the following: ssh-add -K Technet_VPCLAB.pem In the AWS console, right-click the BastionHost instance, and click Connect. Copy the ec2-user@IP_ADDRESS portion of the connection command. In the terminal session, run the following (replacing <ec2-user@IP_ADDRESS> with what you just copied): ssh -A <ec2-user@BASTIONHOST_IP_ADDRESS> The -A tells SSH to use forwarding. Confirm you have public internet connection: ping 1.1.1.1 We should see we’re connected. Hit Ctrl+C to stop the ping. In the AWS console, right-click the appserver instance, and click Connect. Copy the ec2-user@IP_ADDRESS portion of the connection command. In the terminal session, run the following (replacing <ec2-user@IP_ADDRESS> with what you just copied): ssh <ec2-user@IP_ADDRESS> Enter yes at the prompt. Confirm you have public internet connection: ping 1.1.1.1 We should see we’re connected, which means our NAT gateway in publicA is working. Hit Ctrl+C to stop the ping. Enter the following twice to exit out of both the BastionHost and app server: exit `Note: if you are using Windows, you need to copy Technet_VPCLAB.pem file to your AWS Linux, and then use ssh -i "Technet_VPCLAB.pem" ec2-user@APP-Server-IP to connect to your AppServer host.`
6	Modify NACL
	In the AWS console, navigate to VPC > Network ACLs. With the default NACL selected, click the Inbound Rules tab. Click Edit inbound rules. Click Add Rule, and set the following values: Rule #: 50 Type: ALL Traffic Source: Your IP address (which you can get by googling “what is my IP” in a new browser tab), and append /32 at the end Allow / Deny: DENY Click Save. In the terminal session, try to log in to the bastion host: ssh -A <ec2-user@BASTIONHOST_IP_ADDRESS> You won’t be able to since your IP address is matched against the explicit DENY rule. Exit out of the command by hitting Ctrl+C. In the AWS console, remove rule #50 to remove the explicit DENY. In the terminal, try connecting to the bastion host again, which should work this time.