One of the critical things to remember when working with an AWS VPC is how to create and use it. I had a hard time remembering how to do it, so I wrote down a cheat sheet for myself.
If anyone wants to follow along, just navigate to the VPC page on the AWS Console and start with 'Create VPC' button. Please note that this may cost some dollars if you are not on the free tier. If you are on the free tier and make mistakes, it may cost some dollars.
In the steps below, we will be creating the following on a new VPC:
- An internet gateway
- One public subnet with routes for accessibility from the internet
- One private subnet without any routes
- One EC2 web server in the public subnet, with Apache installed and serving a sample HTML page.
- One EC2 server in the private subnet, with a security group that allows access only from resources running in the public subnet.
Create VPC
- Name tag: myVPC
- CIDR Block: 10.0.0.0/16
- Tenancy: default (Must have default. Otherwise, it will get very expensive quite fast.)
Create subnet for public
- Name tag: 10.0.1.0 - us-west-1a
- VPC: myVPC
- Availability zone: us-west-1a
- CIDR Block: 10.0.1.0/24
- Select the public subnet from the VPC console
- Subnet Actions drop down - Modify Auto Assign IP - Enable auto-assign public IPv4 address.
The last step ensures that your public web server will be accessible on the internet with an automatically assigned public IP address.
Create another subnet for private
- Name tag: 10.0.2.0 - us-west-1b
- VPC: myVPC
- Availability zone: us-west-1b
- CIDR Block: 10.0.2.0/24
Create Internet Gateway
- Name tag: myIGW
- Then attach to VPC: myVPC
Create Route Tables for public
- Name tag: myPublicRoute
- VPC: myVPC
- Routes tab: Edit
- Destination: 0.0.0.0/0
- Target: myIGW (it may look different than the keyword myIGW, but it is the only one that will be selectable.)
- Subnet associations: Edit
- Checkbox: us-west-1a subnet
Create EC2 instance for public route
- Network: myVPC
- Subnet: 10.0.1.0 - us-west-1a
- Advanced details - User data (the first line must be #!/bin/bash so the script runs as root on first boot):
- Install httpd, update, start httpd and configure httpd to start on server start.
- yum install httpd -y && yum update -y && service httpd start && chkconfig httpd on
- Create a simple index.html (use straight double quotes; curly quotes are not shell quoting and the redirection would break):
- echo "<html><h1></h1></html>" > /var/www/html/index.html
- Tag instance: MyWebServer
- New security group: myWebSG
- ssh 0.0.0.0/0 (where possible, restrict this to your own IP address rather than the whole internet)
- http 0.0.0.0/0
- Launch
- Get public IP address and open in browser
Create EC2 instance for private route
- Network: myVPC
- Subnet: 10.0.2.0 - us-west-1b
- Tag instance: MyWebServer
- New security group (give it a name distinct from myWebSG; security group names must be unique within a VPC)
- ssh 10.0.1.0/24
- http 10.0.1.0/24
- All ICMP 10.0.1.0/24
- Launch - no public IP address is assigned
- Make a note of the private ip address
Verify
- SSH to the public EC2 instance using your pem key.
- Copy the contents of your pem key and save it on the public EC2 instance (copying a private key onto the public host is a risk if that host is compromised; SSH agent forwarding, ssh -A, reaches the private instance without placing the key there).
- From the public EC2 instance, SSH to the private EC2 instance using the copied pem key and the private IP address.
The private EC2 instance is accessible only from the public web server. It is not directly accessible from the internet: you cannot SSH to it from outside the VPC because it has no public IP address, its subnet has no route to the internet gateway, and its security group only admits traffic from the public subnet.
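To make the reachability argument above concrete, here is an added example (not from the original post, and not AWS API calls) that models the two subnets' route tables and security groups as built on this page and answers "can A reach B on this port?" the way the VPC would. The private security group is named myPrivateSG here by assumption, since the post reuses myWebSG and group names must be unique within a VPC; the instance and internet IPs are constructed sample values.

```python
import ipaddress

# Constructed model of the VPC this page builds (plain Python data, not AWS API calls).
SUBNETS = {
    "public":  {"cidr": "10.0.1.0/24", "auto_public_ip": True,
                "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "myIGW")]},
    "private": {"cidr": "10.0.2.0/24", "auto_public_ip": False,
                "routes": [("10.0.0.0/16", "local")]},   # no internet route at all
}
# Ingress rules as (protocol, port or None for any, source CIDR); egress is AWS's allow-all default.
# "myPrivateSG" is an assumed name: the page reuses "myWebSG", but names must be unique per VPC.
SECURITY_GROUPS = {
    "myWebSG":     [("tcp", 22, "0.0.0.0/0"), ("tcp", 80, "0.0.0.0/0")],
    "myPrivateSG": [("tcp", 22, "10.0.1.0/24"), ("tcp", 80, "10.0.1.0/24"), ("icmp", None, "10.0.1.0/24")],
}
INSTANCES = {   # private IPs are constructed sample values inside each subnet
    "web":     {"subnet": "public",  "sg": "myWebSG",     "private_ip": "10.0.1.10"},
    "private": {"subnet": "private", "sg": "myPrivateSG", "private_ip": "10.0.2.10"},
}
INTERNET_IP = "203.0.113.7"   # RFC 5737 documentation address standing in for an internet client

def route_target(subnet, dst_ip):
    """Longest-prefix match over the subnet's route table; None when nothing matches."""
    dst, best = ipaddress.ip_address(dst_ip), None
    for cidr, target in SUBNETS[subnet]["routes"]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def sg_allows(sg, proto, port, src_ip):
    """True if any ingress rule of the group matches protocol, port and source address."""
    src = ipaddress.ip_address(src_ip)
    return any(p == proto and (pt is None or pt == port) and src in ipaddress.ip_network(cidr)
               for p, pt, cidr in SECURITY_GROUPS[sg])

def can_reach(src, dst, proto="tcp", port=22):
    """src is an instance name or 'internet'. Returns (allowed, reason)."""
    inst = INSTANCES[dst]
    if src == "internet":
        if not SUBNETS[inst["subnet"]]["auto_public_ip"]:
            return False, "no public IP, so the internet has no address to reach the instance at"
        if route_target(inst["subnet"], INTERNET_IP) != "myIGW":
            return False, "subnet route table has no internet gateway route, so replies are dropped"
        src_ip = INTERNET_IP
    else:
        src_ip = INSTANCES[src]["private_ip"]
        if route_target(INSTANCES[src]["subnet"], inst["private_ip"]) != "local":
            return False, "no route from the source subnet to the destination"
    if not sg_allows(inst["sg"], proto, port, src_ip):
        return False, f"{inst['sg']} has no ingress rule for {proto}/{port} from {src_ip}"
    return True, "allowed"
```

Running can_reach("internet", "private") reports the missing public IP, while can_reach("web", "private") is allowed, which is exactly the hop-through-the-public-host behaviour the Verify section describes.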