PRACTICAL

1. Create VPC

For creating a VPC there are 4 configurations:

  1. VPC with a Single Public Subnet: The configuration for this scenario includes a virtual private cloud (VPC) with a single public subnet, and an Internet gateway to enable communication over the Internet.

  2. VPC with Public and Private Subnets: The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. (note: A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet.)

  3. VPC with Public and Private Subnets and Hardware VPN Access: The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet, and a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel. (note: This scenario enables you to run a multi-tiered application with a scalable web front end in a public subnet, and to house your data in a private subnet that is connected to your network by an IPsec VPN connection).

(note: IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level.)

  4. VPC with a Private Subnet Only and Hardware VPN Access: The configuration for this scenario includes a virtual private cloud (VPC) with a single private subnet, and a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel.

(note: we are going to create the subnets from the very basics)

Select your VPC -> create VPC -> give any name ->
CIDR block (Classless Inter-Domain Routing is a set of
Internet Protocol (IP) standards used to create
unique identifiers for networks and individual devices)
(in a normal /24 network there are 254 hosts, but in AWS
it is 251, because 0 = unicast, 1 = gateway, 2 = DNS,
3 = unknown and 255 = broadcast are reserved) -> 10.0.0.0/16
-> default tenancy -> create
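To see where the 251 comes from, here is an added example (not part of the original notes) that works out the AWS-reserved addresses of the lab's 10.0.1.0/24 subnet with Python's ipaddress module, and checks that the two lab subnets sit inside 10.0.0.0/16 without overlapping. The subnet names and CIDRs are the ones used in these notes; everything else is constructed for the example.

```python
import ipaddress

# Lab values from the notes: VPC 10.0.0.0/16, subnets 10.0.1.0/24 (1a-public)
# and 10.0.2.0/24 (1b-private).
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"1a-public": "10.0.1.0/24", "1b-private": "10.0.2.0/24"}

# The five addresses AWS reserves in every subnet, by offset from the network address.
RESERVED = {
    0: "network address",
    1: "VPC router (default gateway)",
    2: "Amazon-provided DNS resolver",
    3: "reserved by AWS for future use",
    -1: "network broadcast address (broadcast is not supported in a VPC)",
}

def reserved_addresses(cidr):
    """Return {address: purpose} for the addresses AWS takes out of a subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {str(net[offset]): purpose for offset, purpose in RESERVED.items()}

def usable_hosts(cidr):
    """Instance addresses left in an AWS subnet: classic subnetting loses only the
    network and broadcast addresses (254 in a /24); AWS also takes .1-.3 (251)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - len(RESERVED)

def validate_subnets(vpc_cidr, subnets):
    """Report subnets outside the VPC range, outside /16-/28, or overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is not inside VPC {vpc}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name} ({net}) must be between /16 and /28")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    print(usable_hosts("10.0.1.0/24"), "usable hosts in 10.0.1.0/24")
    for addr, why in reserved_addresses("10.0.1.0/24").items():
        print(f"  {addr:<12} {why}")
    print(validate_subnets(VPC_CIDR, SUBNETS) or "subnet layout OK")
```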

2. Create subnet

Go to the subnet section -> create subnet -> add tag (1a-public)
-> select the custom VPC -> AZ (1a) -> IPv4 CIDR
(10.0.1.0/24) -> create subnet -> add tag (1b-private) ->
select the custom VPC -> AZ (1b) -> IPv4 CIDR (10.0.2.0/24)

3. Spin up an EC2 instance

(note: the subnet we have just created is a private subnet, so we won’t be able to access the internet from it)

Create an instance -> attach the created VPC -> select subnet
(1b) -> auto-assign public IP (even if you assign one, we won’t
be able to access it) -> default -> add storage -> add tag ->
add SG (SSH) -> launch.

4. Creating a route table

(note: when we create a VPC a route table is created automatically; an instance that uses only that existing route table won’t be able to access the internet)

Select the existing route table -> name it
private -> go to subnet -> select (1b-private) -> go to the route
table option -> edit -> change to the custom route
table (private) -> save
Create route table -> name tag (public) -> VPC
(select the custom VPC) -> go to subnet -> select the custom
subnet (1a-public) -> go to the route table option -> edit ->
change to the custom route table (public) -> save

(note: with route tables we can manage internal traffic)

5. Internet Gateway

(note: even after we create an internet gateway it does not by itself give access to the internet; you also need either an elastic load balancer or an elastic IP)

Create internet gateway -> name tag (nirmal) -> attach
to VPC -> select the VPC -> go to route table (public) ->
select routes -> edit -> destination 0.0.0.0/0 -> target:
select the gateway -> save

6. Elastic IP

Create an elastic IP.

7. Spin a new instance

Create a new instance -> select the custom VPC -> select
the availability zone (1a) -> launch

8. Associate the elastic IP

Go to elastic IP -> associate -> select the instance in the
public subnet (1a).

9. Connect to the instance

Log in to the instance.

(note: when we check the IP address here, it shows the private IP of the instance)

10. Log in to the private instance

Using WinSCP copy the .pem key file to the public instance ->
from the public instance run:
#chmod 600 <pem file>
#ssh ec2-user@<private ip> -i <pem file>

(note: -i -> identity file)

11. Try to install a package

Try to install a package on the instance to verify whether it
installs or not.

(note: here the package won’t be installed. Next we are going to use NAT: with NAT it is possible to access the network from the private instance, but it is not possible to access the instance publicly.)

12. Create a NAT gateway

Create NAT gateway -> select the public subnet (1a-public) ->
create new elastic IP -> create NAT gateway -> go to
subnet -> select the private subnet -> go to route table (private) ->
edit -> destination 0.0.0.0/0 -> target: give the NAT id

13. Log in to the instance

Now log in to the instance in the private subnet -> try to install
any package or try to ping google

(Note: it should work)

(Note: public subnet -> public route table -> IGW; private subnet -> private route table -> NAT. We create the NAT gateway in the public subnet and attach it to the private subnet’s route table.)

14. VPC Peering

Go to peering connections -> create peering connection ->
peering connection name (Checking) -> VPC requester
(custom VPC) -> VPC accepter (default VPC) -> create peering
connection -> go to the peering connection menu -> accept
the new request -> go to the route table of the custom VPC (public)
-> add the IPv4 CIDR of the default VPC and the target (172.31.0.0/16,
pcx3e6a9757 connection name) -> go to the route
table of the default VPC -> add the IPv4 CIDR of the custom VPC and
the target (10.0.0.0/16, connection name) -> save

Now launch an instance in the default VPC and try to connect
to the webserver instance in the custom VPC (in this example) using
its private IP: it will be possible. Then try to connect to the DB
instance (in this example): it won’t be possible, because we
have added the entry only in the public route table, not in the
private route table.
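The asymmetric result above (webserver reachable, DB not) follows from how each side resolves its route. This added example (not part of the original notes) models the three route tables as they stand at this point with longest-prefix matching and shows that the reply from the private subnet to 172.31.x goes to the NAT gateway instead of back over the peering connection. The pcx id is the one shown in these notes; the instance addresses and target labels are constructed.

```python
import ipaddress

# Route tables at the end of the lab, reconstructed from the notes. Targets are
# labels; pcx3e6a9757 is the peering connection id shown in the notes.
ROUTE_TABLES = {
    "public": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "igw"),
        ("172.31.0.0/16", "pcx3e6a9757"),  # added in the peering step
    ],
    "private": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "nat"),  # no peering route here
    ],
    "default-vpc": [
        ("172.31.0.0/16", "local"),
        ("0.0.0.0/0", "igw-default"),
        ("10.0.0.0/16", "pcx3e6a9757"),
    ],
}
SUBNET_TABLE = {"1a-public": "public", "1b-private": "private", "default-1a": "default-vpc"}

def lookup(table, dst_ip):
    """Longest-prefix match, as the VPC router does; None means no route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def path(src_subnet, src_ip, dst_subnet, dst_ip):
    """Target for the request and for the reply, each resolved in the sender's table."""
    return (lookup(SUBNET_TABLE[src_subnet], dst_ip),
            lookup(SUBNET_TABLE[dst_subnet], src_ip))

def peering_reachable(src_subnet, src_ip, dst_subnet, dst_ip):
    """Peered traffic only works when both directions resolve to the peering connection."""
    fwd, back = path(src_subnet, src_ip, dst_subnet, dst_ip)
    return fwd == back == "pcx3e6a9757"

if __name__ == "__main__":
    # Constructed addresses: 172.31.5.10 in the default VPC, 10.0.1.20 webserver in
    # 1a-public, 10.0.2.30 DB in 1b-private.
    for name, subnet, ip in [("webserver", "1a-public", "10.0.1.20"),
                             ("DB", "1b-private", "10.0.2.30")]:
        ok = peering_reachable("default-1a", "172.31.5.10", subnet, ip)
        print(name, path("default-1a", "172.31.5.10", subnet, ip), "reachable" if ok else "NOT reachable")
```

Adding the 172.31.0.0/16 -> pcx route to the private table as well makes the DB case resolve to the peering connection in both directions.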

15. Network ACLs

(note: a Network ACL is the primary form of security at the subnet level. It does the same kind of filtering as an SG, but it applies to the whole subnet, so multiple SGs can sit under one ACL.)

Select the custom ACL -> check the subnets which
are associated (here there are 2; by default any change
we make affects both) -> inbound rules ->
edit -> add another rule -> rule number 95 -> type SSH -> source
(give the IP you want to allow) -> allow -> save

(note: Deny will override allow)
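The rule added above only covers the inbound half of an SSH session. This added example (not part of the original notes) evaluates constructed NACL rules the way AWS does, lowest rule number first with the `*` rule last, and shows why a stateless NACL also needs an outbound rule for the client's ephemeral reply ports before the SSH connection from the allowed IP actually works. The admin address 203.0.113.7 and the rule sets are constructed for the example.

```python
import ipaddress

# Constructed rule sets for the lab's custom NACL. A custom NACL starts with only
# the '*' deny-everything rule; the lab adds inbound rule 95 allowing SSH from one
# address (203.0.113.7 is a constructed admin address). Rule format:
# (rule number, protocol, (port from, port to), CIDR, action).
DENY_ALL = ("*", "all", (0, 65535), "0.0.0.0/0", "deny")
INBOUND = [(95, "tcp", (22, 22), "203.0.113.7/32", "allow"), DENY_ALL]
OUTBOUND_DEFAULT = [DENY_ALL]
# Companion outbound rule: SSH replies go back to the client's ephemeral port.
OUTBOUND = [(95, "tcp", (1024, 65535), "203.0.113.7/32", "allow"), DENY_ALL]

def evaluate(rules, proto, port, peer_ip):
    """NACL semantics: rules are tried in ascending rule-number order and the first
    match decides; '*' always comes last. Returns (rule number, action)."""
    order = lambda rule: float("inf") if rule[0] == "*" else rule[0]
    ip = ipaddress.ip_address(peer_ip)
    for num, rproto, (lo, hi), cidr, action in sorted(rules, key=order):
        if rproto in ("all", proto) and lo <= port <= hi and ip in ipaddress.ip_network(cidr):
            return num, action
    return "*", "deny"

def ssh_session_allowed(inbound, outbound, client_ip, client_port=51234):
    """A NACL is stateless: the SYN to port 22 and the reply to the client's
    ephemeral port are filtered independently, so both must be allowed."""
    _, in_action = evaluate(inbound, "tcp", 22, client_ip)
    _, out_action = evaluate(outbound, "tcp", client_port, client_ip)
    return in_action == "allow" and out_action == "allow"

if __name__ == "__main__":
    print("admin, default outbound:", ssh_session_allowed(INBOUND, OUTBOUND_DEFAULT, "203.0.113.7"))
    print("admin, with reply rule: ", ssh_session_allowed(INBOUND, OUTBOUND, "203.0.113.7"))
    print("other host:             ", ssh_session_allowed(INBOUND, OUTBOUND, "198.51.100.9"))
```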

16. Endpoint

a. Create an IAM user with S3 full access.
b. Launch an Amazon instance in the custom VPC, in the private
subnet.
c. Log in and integrate the user by performing
#aws configure (specify the region as ap-south-1)
d. #aws s3 ls (now we will be able to see the S3 bucket)
e. Go to the private route table and remove the NAT route.
f. Check #aws s3 ls (we won’t be able to access it)
g. Click on Endpoints, create an endpoint for S3 and associate it to the private route table.
h. Go back to the instance and perform #aws s3 ls (now we
will be able to see the S3 bucket again)
