In this lab, we will use Amazon Virtual Private Cloud (VPC) to create our own VPC and add components to it to produce a customized network. We will also create a security group. Finally, we will create an EC2 instance and log in to it over SSH.
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you have defined. This virtual network closely resembles a traditional network that you would operate in your own data center, with the benefits of using the scalable infrastructure of AWS. You can create a VPC that spans multiple Availability Zones.
After completing this lab, you should be able to do the following:
Create a VPC.
Create subnets.
Configure a security group.
Launch an EC2 instance into a VPC.
In this lab, you build the following infrastructure:
Let's dive right into it.
Task 1: Create your VPC.
In the services section, search for VPC and select it.
Configure the following options.
Select VPC and more and provide a name for your VPC.
Number of AZs: 1. For the first AZ, we've chosen us-east-1a.
Number of public subnets: 1. Number of private subnets: 1.
Expand Customize subnets CIDR blocks.
Public subnet CIDR block: 10.0.0.0/24
Private subnet CIDR block: 10.0.1.0/24
NAT gateways: In 1 AZ
VPC Endpoints: None
Leave others as default.
Click on Create VPC. (The NAT Gateway takes some time to become available.)
The diagram below summarizes the VPC resources you have just created and how they are configured.
An Internet gateway is a VPC resource that allows communication between EC2 instances in your VPC and the Internet.
The lab-subnet-public1 public subnet has a CIDR of 10.0.0.0/24, which means that it contains all IP addresses starting with 10.0.0.x.
A NAT Gateway is a VPC resource used to provide internet connectivity to EC2 instances running in private subnets of the VPC, without those instances needing a direct connection to the internet gateway.
The lab-subnet-private1 private subnet has a CIDR of 10.0.1.0/24, which means that it contains all IP addresses starting with 10.0.1.x.
Here, the first route table is for the public subnet while the second one is for the private subnet.
In a route table, the terms Destination and Target can be understood as follows: to reach the destination (the place the traffic is going), the traffic is sent through the target (the medium). The same applies to traffic coming back the other way.
Let's explore the public route table as an example.
The 10.0.0.0/16 range is our VPC's own network, so its target is "local": traffic to those addresses stays inside the virtual private cloud.
To reach the rest of the internet (0.0.0.0/0), traffic is sent through the internet gateway. Likewise, traffic from the internet reaches the subnet through the internet gateway.
Private subnets, by contrast, route internet-bound traffic through the NAT gateway that sits in the public subnet, which lets their resources reach the internet without being directly reachable from it.
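To make the Destination/Target rule concrete, here is an added example (not part of the lab) that models the two route tables created above and resolves where a packet is sent. It applies the longest-prefix-match rule VPC route tables use, so the /16 "local" route wins over the /0 default route for addresses inside the VPC; the gateway IDs are placeholders.

```python
import ipaddress

# Constructed model of the two route tables this lab creates.
# The gateway IDs are placeholders, not real resource IDs.
PUBLIC_ROUTE_TABLE = {
    "10.0.0.0/16": "local",            # the VPC itself
    "0.0.0.0/0": "igw-PLACEHOLDER",    # everything else via the Internet Gateway
}
PRIVATE_ROUTE_TABLE = {
    "10.0.0.0/16": "local",
    "0.0.0.0/0": "nat-PLACEHOLDER",    # everything else via the NAT Gateway
}


def lookup(route_table, dst_ip):
    """Return the target a route table sends traffic for dst_ip to.

    VPC route tables use longest-prefix matching: the most specific
    destination CIDR containing dst_ip wins, which is why the /16 local
    route beats the /0 default route for addresses inside the VPC.
    """
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    if best_net is None:
        raise ValueError(f"no route for {dst_ip}")
    return best_target


def trace(subnet_is_public, dst_ip):
    """Name the next hop for traffic leaving a public or private subnet of this VPC."""
    table = PUBLIC_ROUTE_TABLE if subnet_is_public else PRIVATE_ROUTE_TABLE
    return lookup(table, dst_ip)


if __name__ == "__main__":
    # 93.184.216.34 is a constructed example of an address outside the VPC.
    for public, dst in [(True, "10.0.1.25"), (True, "93.184.216.34"),
                        (False, "93.184.216.34")]:
        kind = "public" if public else "private"
        print(f"{kind} subnet -> {dst}: via {trace(public, dst)}")
```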
Task 2: Create Additional Subnets
In this task, we will create two additional subnets for the VPC in a second Availability Zone. Having subnets in multiple Availability Zones within a VPC is useful for deploying solutions that provide High Availability.
After creating a VPC as you have already done, you can still configure it further, for example, by adding more subnets. Each subnet you create resides entirely within one Availability Zone.
In the left panel, choose Subnets, then click on Create subnet.
Choose your VPC.
Configure as follows. We've chosen a different AZ here (us-east-1b).
This subnet will have all IP addresses starting with 10.0.2.x.
Click on Add new subnet and configure as follows.
This subnet will have all IP addresses starting with 10.0.3.x.
Click on Create subnet.
We will now configure this new private subnet to route internet-bound traffic to the NAT Gateway so that resources in the second private subnet are able to connect to the Internet, while still keeping the resources private. This is done by configuring a Route Table.
A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table; the route table controls routing for the subnet.
In the left panel, choose Route tables.
Select the route table that was created for the private subnet when the VPC was created.
Observe the destination and target in the Routes section.
Now click on Subnet associations. This field specifies which subnets are associated with this route table.
Click on Edit subnet associations.
Select the private subnet you created recently to associate it with this route table, then click Save associations.
Similarly, associate the recently created public subnet with the other route table, whose default route targets the Internet Gateway.
Your VPC now has public and private subnets configured in two Availability Zones. The route tables you created in Task 1 have also been updated to route network traffic for the two new subnets.
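As an added example (not part of the lab), this Python checks the subnet plan the lab has reached at this point: the four /24 subnets must sit inside the 10.0.0.0/16 VPC, must not overlap, must give every Availability Zone one public and one private subnet, and must each be associated with a route table whose default route matches their role. The "2" subnet names and the gateway IDs are assumed placeholders; the CIDRs and AZs are the lab's own.

```python
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5

# Constructed: the four subnets the lab has after Task 2. The "2" names and the
# gateway IDs are assumed placeholders; the CIDRs and AZs are the lab's own.
SUBNETS = [
    {"name": "lab-subnet-public1",  "cidr": "10.0.0.0/24", "az": "us-east-1a", "public": True},
    {"name": "lab-subnet-private1", "cidr": "10.0.1.0/24", "az": "us-east-1a", "public": False},
    {"name": "lab-subnet-public2",  "cidr": "10.0.2.0/24", "az": "us-east-1b", "public": True},
    {"name": "lab-subnet-private2", "cidr": "10.0.3.0/24", "az": "us-east-1b", "public": False},
]
# Constructed: target of each subnet's 0.0.0.0/0 route once the associations are saved.
DEFAULT_ROUTE_TARGET = {
    "lab-subnet-public1": "igw-PLACEHOLDER", "lab-subnet-public2": "igw-PLACEHOLDER",
    "lab-subnet-private1": "nat-PLACEHOLDER", "lab-subnet-private2": "nat-PLACEHOLDER",
}


def validate_plan(vpc_cidr, subnets, default_targets):
    """Return a list of problems with the subnet plan; an empty list means it is consistent."""
    problems, seen = [], []
    for s in subnets:
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc_cidr):
            problems.append(f'{s["name"]} {s["cidr"]} lies outside the VPC {vpc_cidr}')
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f'{s["name"]} overlaps {other_name}')
        seen.append((s["name"], net))
        # Public subnets must default-route to an IGW, private ones to a NAT gateway.
        want = "igw-" if s["public"] else "nat-"
        target = default_targets.get(s["name"], "")
        if not target.startswith(want):
            problems.append(f'{s["name"]} default route targets {target or "nothing"}, expected {want}*')
    # High availability needs a public and a private subnet in every AZ used.
    for az in sorted({s["az"] for s in subnets}):
        kinds = {s["public"] for s in subnets if s["az"] == az}
        if kinds != {True, False}:
            problems.append(f"{az} lacks a public or a private subnet")
    return problems


def usable_hosts(cidr):
    """Addresses you can actually assign to instances in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET
```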
Task 3: Create a VPC Security Group
In this task, you will create a VPC security group, which acts as a virtual firewall. When you launch an instance, you associate one or more security groups with the instance. You can add rules to each security group that allow traffic to or from its associated instances.
On the left panel, choose Security groups.
Follow these steps:
Click on Create security group.
Provide a name for your SG.
Description: Enable HTTP access
Choose your VPC.
Click on Add rule in Inbound rules and configure the following:
Type: SSH
Source: Anywhere-IPv4
Description: SSH login to EC2
Scroll to the bottom of the page and choose Create security group.
You will use this security group in the next task when launching an Amazon EC2 instance.
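As an added example (not part of the lab), this Python audits a security group's inbound rules in the shape the lab configures: it reports which administrative ports the Anywhere-IPv4 source exposes to every address, and produces the same rule scoped to an admin address range. The admin CIDR is an assumed placeholder (TEST-NET-3) that a practitioner would replace with the range they actually connect from.

```python
import ipaddress

# Constructed representation of the inbound rule this lab adds:
# Type SSH, Source Anywhere-IPv4, Description "SSH login to EC2".
LAB_INBOUND_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22,
     "cidr": "0.0.0.0/0", "description": "SSH login to EC2"},
]

# Assumed placeholder for the address range you administer from (TEST-NET-3).
ADMIN_CIDR = "203.0.113.0/24"

ADMIN_PORTS = (22, 3389)  # SSH and RDP


def _covers(rule, port):
    """True if the rule admits TCP traffic to `port` (protocol "-1" means all traffic)."""
    if rule["protocol"] == "-1":
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def world_open_admin_ports(rules, ports=ADMIN_PORTS):
    """Return the admin ports that any IPv4 or IPv6 address may reach under these rules."""
    open_ports = set()
    for rule in rules:
        # A /0 prefix (0.0.0.0/0 or ::/0) is what the console calls "Anywhere".
        if ipaddress.ip_network(rule["cidr"]).prefixlen != 0:
            continue
        open_ports.update(p for p in ports if _covers(rule, p))
    return sorted(open_ports)


def tighten(rules, admin_cidr, ports=ADMIN_PORTS):
    """Return a copy of rules with world-open admin-port rules scoped to admin_cidr."""
    fixed = []
    for rule in rules:
        world_open = ipaddress.ip_network(rule["cidr"]).prefixlen == 0
        if world_open and any(_covers(rule, p) for p in ports):
            rule = {**rule, "cidr": admin_cidr}   # copy; the input list is left untouched
        fixed.append(rule)
    return fixed


if __name__ == "__main__":
    print("world-open admin ports as configured:", world_open_admin_ports(LAB_INBOUND_RULES))
    print("after scoping to admin CIDR:", world_open_admin_ports(tighten(LAB_INBOUND_RULES, ADMIN_CIDR)))
```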
Task 4: Launch a Web Server Instance
In the Services section, search for EC2 and select it.
Click on Launch Instance and follow these steps:
Provide a name for your EC2 instance.
On Quick Start, choose Ubuntu.
Instance type: t2.micro.
Create a key pair.
Configure the network settings:
Choose your VPC.
Choose the public subnet in AZ us-east-1b.
Set Auto-assign public IP to Enable.
Choose the security group you created.
Click on Launch Instance.
Select your instance and click on Connect.
Copy the command shown under SSH client.
Now I'm on my desktop, opening Git Bash to use it as a terminal.
Paste the copied command into the terminal.
Press Enter and proceed with yes.
Now we have logged in to our EC2 instance using SSH.
The complete architecture you deployed is:
This concludes the lab.
Thank you.