1.Find VPC under Networking and Content Delivery.
2.Click Create VPC to create a new custom VPC.
3.Fill in the Name tag and IPv4 CIDR block (the largest block allowed is /16, e.g. 10.0.0.0/16). Tenancy defaults to multi-tenant hardware, with the option of dedicated hardware. Create VPC.
4.The new VPC automatically creates a new Route Table (RT), Security Group and NACL. It does not create a subnet or an Internet Gateway (IGW).
5.Create a new subnet. Fill in the Name tag, under VPC select the custom VPC just created, select an AZ and fill in the IPv4 CIDR block (e.g. 10.0.1.0/24). Create subnet.
- AZ names on AWS are randomised per account: us-east-1a in one AWS account may be a different physical AZ from us-east-1a in another account.
6.Create another subnet, using a different Name tag, AZ and IPv4 CIDR block (e.g. 10.0.2.0/24). Create the second subnet.
- A subnet cannot span AZs; each subnet exists in exactly one AZ.
- Auto-assign public IP is not enabled by default.
- Only 251 addresses are available. A /24 block nominally contains 256 addresses (refer to CIDR.xyz). The allowed block size is between /16 (65,536 addresses) and /28 (16 addresses). The 5 missing IP addresses are reserved by Amazon: the network address, the VPC router, the DNS server, one reserved for future use, and the network broadcast address.
7.Set 1 of the subnets to be publicly accessible (an EC2 instance launched into it needs a public IP address). Under Actions > Modify auto-assign IP settings, enable auto-assign public IPv4 address so that an EC2 instance launched into this subnet automatically gets a public IPv4 address.
8.Add an IGW to provide a route into the VPC. Fill in the Name tag. The new IGW is not attached to any VPC and will therefore appear as ‘detached’. To attach the IGW to the VPC, go to Actions > Attach to VPC.
- A VPC can have only 1 IGW attached. The IGW is designed to be HA.
9.Configure the RT to provide a route out to the internet. A default RT (the Main RT) is created together with the custom VPC. The default RT contains 2 routes (Destinations) that allow the subnets within the VPC to communicate with each other over IPv4 and IPv6. Every subnet created in this VPC is associated with the default RT automatically, so if the default RT were given a route out to the internet, every subnet created would become public.
- Keep default RT private and create a separate public RT.
10.Create a secondary (public) RT. Fill in the Name tag and associate it with the VPC. The VPC now has 2 RTs; the new one is shown as the secondary RT (under Main it is marked as No).
11.Create a route out to the internet for the secondary RT. Under Routes > Edit routes, add a route to 0.0.0.0/0 that traverses the IGW (select Internet Gateway as the Target). A route out for IPv6 can also be added using ::/0. The RT now has a route out to the internet via IPv4 and IPv6.
12.Associate public subnet to the public RT. Under Subnet Associations > Edit subnet associations and add the public subnet to the RT.
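Steps 1 to 12 as a Terraform fragment. This is an added example, not part of the original notes; the resource names, tags and AZ names are assumptions, and later fragments on this page refer back to the resources declared here.

```hcl
resource "aws_vpc" "custom" {                  # step 3
  cidr_block                       = "10.0.0.0/16"   # largest block allowed
  instance_tenancy                 = "default"       # multi-tenant hardware
  assign_generated_ipv6_cidr_block = true            # needed for the ::/0 route in step 11
  tags                             = { Name = "custom-vpc" }
}

# steps 5/6: one subnet per AZ; AZ names are assumptions (they are randomised per account)
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.custom.id
  cidr_block              = "10.0.1.0/24"            # 251 usable addresses
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true                     # step 7: auto-assign public IPv4
  tags                    = { Name = "public-1a" }
}

resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.custom.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1b"
  tags              = { Name = "private-1b" }        # auto-assign public IP stays off (default)
}

resource "aws_internet_gateway" "igw" {        # step 8: setting vpc_id attaches it; one IGW per VPC
  vpc_id = aws_vpc.custom.id
  tags   = { Name = "custom-igw" }
}

# steps 10/11: a second, public RT. The main RT is left untouched so new subnets stay private.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.custom.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.igw.id
  }
  tags = { Name = "public-rt" }
}

resource "aws_route_table_association" "public" {   # step 12: only the public subnet uses it
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
```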
13.Provision EC2 for public subnet.
- Select custom VPC under Network and public subnet under Subnet. Since it is a public subnet, Auto-assign Public IP will be Enabled. Public subnet will therefore have a public IPv4 address.
- Configure Security Group for instance. Use either the default security group (created together with the custom VPC) or set up a new security group (SG1).
- Security Groups do not span VPC.
- Allow SSH and HTTP so the instance can be reached from the internet.
14.Provision an EC2 instance for the private subnet. Since it is launched into the private subnet, Auto-assign Public IP is disabled (Note: in step 13 it was enabled because the instance was launched into the public subnet). The private subnet will therefore not have a public IPv4 address. Select the default security group.
- An EC2 instance in the private subnet has no public IP (it cannot communicate with the public internet) but does have an associated private IP. Since the 2 subnets are under different security groups, the 2 instances cannot communicate with each other. The private subnet is currently under the default security group; to allow communication between the 2 subnets, the security group settings have to be configured.
15.Create and configure a new security group (SG2) for the private subnet. Fill in the Security group name and Description and select the custom VPC. Set inbound rules to allow traffic from the public subnet (source 10.0.1.0/24) on HTTP and SSH. Change the security group of the private instance to SG2 to allow communication between the 2 subnets.
- The private subnet can now communicate with the public subnet, but it is still unable to access the internet. It needs a route out to the internet via the IGW while remaining a private subnet. This can be achieved with either a Network Address Translation (NAT) instance or a NAT gateway.
- A NAT instance is a single EC2 instance and is not HA. It is placed behind a security group in the public subnet and can become a bottleneck when a high volume of traffic traverses it. HA can be achieved with autoscaling groups, multiple subnets in different AZs, or a script that automates failover. Source/destination checks (turned on by default for every EC2 instance) must be disabled, because the NAT instance is neither the source nor the destination of the traffic; it merely forwards it, acting as a gateway/bridge to the IGW.
- A NAT gateway is preferred as it is HA. No patching is required, it is not associated with any security group, it is automatically assigned a public IP address, and source/destination checks do not need to be disabled. Only the steps to set up a NAT gateway are discussed here.
16.Create NAT gateway. Select subnet as public subnet and create a new Elastic IP (EIP) that will be attached to NAT gateway. After creating the NAT gateway, add it to the default RT for a route out to the internet via NAT gateway.
17.Add NAT gateway to default RT. The private subnet can now connect to the internet via NAT gateway.
- A NAT gateway is created in, and serves from, a single AZ. If all AZs share 1 NAT gateway, a failure in that single AZ would cause the other AZs to lose internet connectivity. It is therefore advisable to create an AZ-independent architecture with a NAT gateway in each AZ.
18.Create a custom NACL and associate it with the custom VPC. Fill in the Name tag and select the custom VPC. The existing default NACL allows all inbound and outbound traffic over IPv4 and IPv6; the new custom NACL denies all traffic when created.
- A NACL can be associated with multiple subnets, but a subnet can be associated with only 1 NACL at a time.
- All subnets are associated with the default NACL when created, or whenever they are not explicitly associated with another NACL.
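Steps 15 to 17 as a Terraform fragment, added here and not part of the original notes. It refers to the VPC, subnets and IGW declared in the earlier fragment; the names are assumptions. For the per-AZ layout recommended above, the EIP, NAT gateway and route would be repeated once per AZ, each private subnet using its own RT.

```hcl
# step 15: SG2 for the private subnet; stateful, so replies need no separate rule
resource "aws_security_group" "sg2" {
  name        = "private-subnet-sg"
  description = "SSH and HTTP from the public subnet only"
  vpc_id      = aws_vpc.custom.id                # security groups do not span VPCs
  dynamic "ingress" {
    for_each = [22, 80]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["10.0.1.0/24"]              # source is the public subnet, not 0.0.0.0/0
    }
  }
  egress {                                       # lets the instance reach the NAT gateway
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# step 16: the NAT gateway lives in the PUBLIC subnet with its own Elastic IP
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]     # only works once the IGW is attached
  tags          = { Name = "nat-1a" }
}

# step 17: the main RT (used by the private subnet) routes 0.0.0.0/0 through the NAT gateway
resource "aws_route" "private_to_nat" {
  route_table_id         = aws_vpc.custom.main_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}
```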
19.Associate the public subnet with the custom NACL under Subnet associations > Edit inbound rules. Since the custom NACL denies all traffic, it now prevents the public subnet from accessing the internet.
20.To allow access to the internet, edit the inbound/outbound rules of the custom NACL. Rules should be numbered in increments of 100 and are evaluated in ascending order. A DENY rule should always come before (have a smaller number than) the ALLOW rule. A source of 0.0.0.0/0 allows connections to and from the internet.
- The NACL is evaluated before the security group, and traffic denied by the NACL never reaches the security group.
- Port 80 HTTP
- Port 443 HTTPS
- Port 22 SSH
Since NACLs are stateless, add the same rules for outbound traffic.
- Port 1024–65535: ephemeral (short-lived) ports, used by the NAT gateway
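Steps 18 to 20 and the ephemeral-port rule as a Terraform fragment, added here and not part of the original notes. It attaches to the VPC and public subnet declared earlier; the rule numbers follow the 100-step convention above and the map keys are an assumption of this example.

```hcl
# Rule numbers in steps of 100, evaluated lowest first; anything unmatched hits the
# implicit final DENY. The map keys are the rule numbers.
locals {
  nacl_tcp_rules = {
    "100" = [80, 80]          # HTTP
    "200" = [443, 443]        # HTTPS
    "300" = [22, 22]          # SSH
    "400" = [1024, 65535]     # ephemeral ports: replies to connections the subnet opened
  }
}

# steps 18/19: custom NACL attached to the public subnet (one NACL per subnet at a time)
resource "aws_network_acl" "custom" {
  vpc_id     = aws_vpc.custom.id
  subnet_ids = [aws_subnet.public.id]
  tags       = { Name = "custom-nacl" }

  dynamic "ingress" {
    for_each = local.nacl_tcp_rules
    content {
      rule_no    = tonumber(ingress.key)
      protocol   = "tcp"
      action     = "allow"
      cidr_block = "0.0.0.0/0"
      from_port  = ingress.value[0]
      to_port    = ingress.value[1]
    }
  }

  # NACLs are stateless: without the mirrored egress rules (ephemeral range included),
  # the instance's replies to inbound HTTP/SSH are dropped on the way out
  dynamic "egress" {
    for_each = local.nacl_tcp_rules
    content {
      rule_no    = tonumber(egress.key)
      protocol   = "tcp"
      action     = "allow"
      cidr_block = "0.0.0.0/0"
      from_port  = egress.value[0]
      to_port    = egress.value[1]
    }
  }
}
```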
- Additional: Gateway endpoints allow connections from the VPC to supported AWS services (S3/DynamoDB) without leaving the Amazon network or using the IGW, VPN, Direct Connect or NAT devices.
21.To allow communication between the VPC (more specifically the EC2 instance in the private subnet) and S3 via the gateway endpoint, ensure that a role is created to facilitate communication with S3 (Policy name: AmazonS3FullAccess). Attach the IAM role to the EC2 instance.
22.Create Endpoint > select the option containing S3 under Service Name > select the custom VPC and the default RT (no internet access), which provides the route via the main RT. (* To check that the gateway endpoint works, remove the route to the NAT gateway on the default RT and test.)
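Steps 21 and 22 as a Terraform fragment, together with the private instance from steps 14/15, added here and not part of the original notes. It refers to the VPC, private subnet and SG2 declared earlier; the role and profile names, the region in the service name and the AMI placeholder are assumptions.

```hcl
# step 21: role with the policy the notes name; scope it down to the bucket outside a lab
resource "aws_iam_role" "s3_access" {
  name = "private-ec2-s3-access"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "s3_full" {
  role       = aws_iam_role.s3_access.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

resource "aws_iam_instance_profile" "s3_access" {
  name = "private-ec2-s3-access"
  role = aws_iam_role.s3_access.name
}

# step 22: S3 gateway endpoint on the main (private) RT; traffic never touches the IGW or NAT
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.custom.id
  service_name      = "com.amazonaws.us-east-1.s3"       # region is an assumption
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_vpc.custom.main_route_table_id]
}

# steps 14/15/21: the private instance with SG2 and the instance profile attached
resource "aws_instance" "private" {
  ami                    = "ami-PLACEHOLDER"            # placeholder: choose a current AMI
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.private.id        # no public IP is assigned here
  vpc_security_group_ids = [aws_security_group.sg2.id]
  iam_instance_profile   = aws_iam_instance_profile.s3_access.name
}
```

To run the check from step 22, comment out the aws_route.private_to_nat resource from the earlier fragment, apply, and confirm that S3 access from the instance still works while other internet access fails.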