VPC with servers in private subnets and NAT
About the Project
This example demonstrates how to create a VPC that you can use for servers in a production environment.
To improve resiliency, you deploy the servers in two AZs by using an Auto Scaling group and an Application Load Balancer.
For additional security, you deploy the servers in private subnets, so they have no public IP addresses and cannot be reached directly from the internet. The servers receive requests through the load balancer and reach the internet through a NAT gateway. To improve resiliency, you deploy a NAT gateway in each AZ, so that an outage in one AZ does not cut off outbound access for the servers in the other.
The VPC has public subnets and private subnets in two Availability Zones.
Each public subnet contains a NAT gateway and a load balancer node.
The servers run in the private subnets, are launched and terminated by using an Auto Scaling group, and receive traffic from the load balancer.
The servers can connect to the internet by using the NAT gateway.
Required Resources:
AWS account
Git installed on your local machine
PS: I am still learning AWS concepts. So, I might not be correct in some cases.
Let's get started.
Creating a VPC (Virtual Private Cloud)
A VPC allows you to create a private network within the cloud environment, isolating your resources from the public internet and providing control over network configuration, security, and routing. It's commonly used to host and manage cloud-based resources in a secure and customized network environment.
In the Services search box, search for VPC and open the VPC console.
Now, select the Create VPC button.
Choose the VPC and more option and give your VPC a name.
Keep the defaults for all other options, except: set NAT gateways to 1 per AZ and VPC endpoints to None.
A NAT gateway lets resources in private subnets initiate connections to the internet (the gateway's Elastic IP is the source address seen outside) while refusing connections initiated from the internet, so the servers can reach the internet without being reachable from it.
A VPC endpoint is a networking interface that enables instances in your VPC to communicate with AWS services and other VPCs without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect. VPC endpoints leverage AWS PrivateLink.
Now, select Create VPC. It takes a few minutes for the NAT gateways to become available.
View your newly created VPC.
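The layout the wizard just built (one public and one private subnet per AZ, a NAT gateway in each public subnet) can be reasoned about offline. The script below is an added example, not part of the original post or of the AWS console wizard: it carves a VPC CIDR into the four subnets, checks that none overlap, and derives each subnet's default route, with every private subnet pointing at the NAT gateway in its own AZ. The VPC CIDR, AZ names and /20 prefix are assumptions; the wizard chooses its own values.

```python
"""Subnet and route plan for the two-AZ layout built above.

Added example, not from the original post or the AWS wizard. The VPC CIDR,
AZ names and /20 prefix are assumptions chosen for illustration.
"""
import ipaddress


def plan_subnets(vpc_cidr="10.0.0.0/16",
                 azs=("us-east-1a", "us-east-1b"),
                 new_prefix=20):
    """Carve one public and one private subnet per AZ out of vpc_cidr.

    Returns a list of {"name", "az", "tier", "cidr"} dicts, public first.
    """
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    plan = []
    for tier in ("public", "private"):
        for az in azs:
            plan.append({"name": f"{tier}-{az}", "az": az,
                         "tier": tier, "cidr": str(next(blocks))})
    return plan


def overlaps(plan):
    """True if any two subnets overlap; AWS rejects such a layout."""
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    return any(a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


def route_tables(plan, vpc_cidr="10.0.0.0/16"):
    """Routes for each subnet's route table.

    Public subnets send 0.0.0.0/0 to the internet gateway. Each private
    subnet sends 0.0.0.0/0 to the NAT gateway in the public subnet of its
    *own* AZ, which is what "1 NAT gateway per AZ" buys you: an AZ outage
    does not strand the other AZ's outbound traffic. Target names such as
    "igw" and "nat-<az>" are placeholders, not AWS resource IDs.
    """
    nat_by_az = {s["az"]: f"nat-{s['az']}"
                 for s in plan if s["tier"] == "public"}
    tables = {}
    for s in plan:
        target = "igw" if s["tier"] == "public" else nat_by_az[s["az"]]
        tables[s["name"]] = {vpc_cidr: "local", "0.0.0.0/0": target}
    return tables


if __name__ == "__main__":
    plan = plan_subnets()
    assert not overlaps(plan)
    routes = route_tables(plan)
    for s in plan:
        print(f"{s['name']:22} {s['cidr']:16} -> {routes[s['name']]['0.0.0.0/0']}")
```

The per-AZ NAT mapping is the part worth checking in a real VPC: if both private route tables point at the same NAT gateway, you have paid for two gateways but still have a single point of failure.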
Now, search for EC2 in Services and open the EC2 console.
Now, on the left panel, you'll see Launch Templates.
Select it and click Create launch template.
A launch template simplifies the process of launching instances by allowing you to specify instance configuration details in a template, which can then be used to create multiple instances with those settings.
Provide the name and the description for your template.
For AMI (Amazon Machine Image), select Ubuntu.
An AMI is a template that contains a software configuration (an operating system, application server, and database) that is used to create an Amazon Elastic Compute Cloud (Amazon EC2) instance.
For Instance type, select the free-tier-eligible one.
For Key pair, create a new key pair.
A key pair, often called an SSH key pair, consists of a public key and a private key. EC2 places the public key in the instance's authorized_keys file; you log in by proving possession of the matching private key, and the same key protects file transfers (scp) between your local machine and the instance.
Provide the key name, keep the remaining options as shown in the console, and create the key pair.
Save the downloaded private key file. AWS does not keep a copy, and anyone holding the file can log in as ubuntu on every instance launched with it, so store it where only you can read it.
Now, in Network settings, keep the other options default and choose Create security group.
Security Group acts as a virtual firewall for controlling inbound and outbound traffic to and from AWS resources such as Amazon Elastic Compute Cloud (EC2) instances, Amazon RDS databases, and more.
Provide a name and a description (Allow SSH access).
For VPC, select the one we created earlier.
Click Add security group rule.
Inbound rules control traffic arriving at the resource; outbound rules control traffic it sends out. Security groups are stateful, so replies to allowed traffic are permitted automatically.
First inbound rule:
This rule allows SSH so we can log in to our EC2 instances.
Select SSH as Type and Anywhere as Source type.
This admits SSH from any address on the internet. Because the instances sit in private subnets without public IPs, only the bastion host we create later can actually reach them; the tighter setting is to make the source the bastion's security group rather than Anywhere.
Second inbound rule:
Custom TCP as Type, 8000 as Port range and Anywhere as Source type.
This rule is for the application we will deploy on the EC2 instances, which answers on port 8000. Here too, the only legitimate client is the load balancer, so the source can be narrowed to the load balancer's security group once that exists.
Now, keeping everything else default, click Create launch template.
Now, on the EC2 dashboard, you'll see Auto Scaling Groups at the bottom of the left panel.
Select it and click Create Auto Scaling group.
Provide a name for your Auto Scaling group, select the launch template you created, and click Next.
In the Network section, choose the VPC you created.
Under Availability Zones and subnets, choose the two private subnets. These are the subnets the instances will be launched in.
Click Next.
For step 3, keep the defaults and click Next.
In step 4, set the group size.
Desired capacity: the number of instances the Auto Scaling group tries to keep running at any given time; 2 gives one instance per AZ for this lab.
Minimum capacity: the number of instances it never scales below, regardless of load.
Maximum capacity: the number of instances it never scales above, whatever the scaling policies request.
Keep all other options default and click Next.
Click Next until you see the Create Auto Scaling group button, then create it.
After the creation, click on your created Auto Scaling group.
On the Activity tab, scroll down to see the Activity history.
You can see the successful launching of two EC2 instances.
You can head over to the EC2 section to check the created instances.
Also, notice that they are created in different availability zones.
You can explore further by clicking on each instance.
Now it's time to deploy an application on our instances.
To connect to an instance, we look for its Public IPv4 address. There is none. So how can we log in?
That's where the role of the bastion host comes into the picture.
A bastion host, also known as a jump server or jump box, is a specialized computer that is designed to be a secure access point to a private network.
We will create the bastion host in one of the public subnets.
The bastion host will act as a mediator between the public and the private subnet.
Now, go to the EC2 console and click Launch instances.
Provide a name for your instance: Bastion Host.
Select Ubuntu as the AMI, the free-tier instance type, and for the key pair the key you created earlier.
In the network setting, select your created VPC.
In the subnet section, choose one of the public subnets.
Select Enable for Auto-assign public IP.
In Security groups, make sure the Inbound Security Group Rules section allows SSH; the console's default rule does this.
This allows SSH access to the Bastion Host. The default source is Anywhere (0.0.0.0/0); since the bastion is the one machine in this lab that the internet can reach over SSH, choose My IP as the source instead, so that only your address can connect.
Now click Launch instance.
Now, we will transfer the key pair from our local machine to the Bastion Host,
because the Bastion Host needs that key to log in to the private instances. Be aware that this puts the private key for every instance on an internet-facing machine: whoever compromises the bastion gets it. SSH can reach the private instances through the bastion without the key ever leaving your machine (ssh -J, or ProxyJump in ~/.ssh/config), which is the better choice outside a lab.
Now, I'm on my desktop and I open Git Bash.
Now, the command to copy the key file to the Bastion Host is:
scp -i <your key file> <your key file location> ubuntu@<Bastion public IPv4 address>:/home/ubuntu
This tells scp to use the myKey.pem private key for authentication, take the file at ~/Desktop/myKey.pem on your local machine, and copy it into the /home/ubuntu directory on the remote host with IP address 3.95.196.81.
- scp securely copies files between hosts over SSH.
Copy the Bastion Host's public IPv4 address and build the command as above.
Now that we've copied the key file, it's time to log in to the Bastion Host.
For that, go to the EC2 console, select the Bastion Host and click Connect.
Copy the SSH client command shown and paste it into your local terminal.
After you log in, type ls to list the files and folders. You can see the key file copied from your local machine.
Now, we will log in to the private instance from the Bastion Host.
ssh -i <key file> ubuntu@<private IPv4 address>
For the private IPv4 address, you can copy the Private IP address of one of the private instances.
Answer yes to the host key prompt.
Now, you're in the private instance.
If you get a permission denied or "permissions are too open" error, run:
chmod 400 <your key file>
chmod = change mode
400 = owner: read only (4); group: no access (0); others: no access (0).
ssh refuses to use a private key that other users on the machine can read. Try the ssh login again and it should work.
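The steps above copy the private key onto the bastion. The script below is an added example, not part of the original post: it generates an OpenSSH client config that reaches each private instance through the bastion with ProxyJump, so your laptop opens one SSH session to the bastion and tunnels a second one through it and the key never leaves your machine (the bastion only relays bytes and never authenticates to the servers). It also checks the key file's permissions, which is what the chmod 400 step fixes. The IP addresses, host aliases and paths are constructed placeholders.

```python
"""ProxyJump config for the bastion, plus a key-permission check.

Added example, not from the original post. All IPs, aliases and paths are
constructed placeholders; substitute the values from your EC2 console.
"""
import os
import stat


def ssh_config(bastion_ip, private_ips, key_path, user="ubuntu"):
    """Return ssh_config text: one jump host plus one entry per server.

    IdentitiesOnly stops ssh from offering every key in the agent; ProxyJump
    makes ssh open the connection to each private host via "bastion".
    """
    block = [
        "Host bastion",
        f"    HostName {bastion_ip}",
        f"    User {user}",
        f"    IdentityFile {key_path}",
        "    IdentitiesOnly yes",
        "",
    ]
    for n, ip in enumerate(private_ips, start=1):
        block += [
            f"Host private-{n}",
            f"    HostName {ip}",
            f"    User {user}",
            f"    IdentityFile {key_path}",
            "    IdentitiesOnly yes",
            "    ProxyJump bastion",
            "",
        ]
    return "\n".join(block)


def key_mode_ok(path):
    """True if only the owner can read the key file.

    ssh rejects a private key that group or others can read ("permissions
    are too open"), which shows up as the permission denied error above.
    Windows only partly emulates these mode bits, so the check is meaningful
    on Linux and macOS.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode in (0o400, 0o600)


def lock_down_key(path):
    """chmod 400 the key (owner read-only) and report the resulting state."""
    os.chmod(path, 0o400)
    return key_mode_ok(path)


def write_config(directory, bastion_ip, private_ips, key_path):
    """Write the config to <directory>/config, readable by the owner only."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, "config")
    with open(path, "w") as fh:
        fh.write(ssh_config(bastion_ip, private_ips, key_path))
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    # Constructed sample values: bastion public IP, two private instance IPs.
    print(ssh_config("203.0.113.10", ["10.0.128.5", "10.0.144.9"],
                     "~/.ssh/myKey.pem"))
    # With this in ~/.ssh/config:  ssh private-1
    # Equivalent one-liner:        ssh -J ubuntu@203.0.113.10 ubuntu@10.0.128.5
```

Because the key stays local, the scp step becomes unnecessary and the bastion holds nothing worth stealing; if you later rotate the key, only your laptop needs updating.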
Now, we're going to create a simple HTML page and start a Python web server.
For that, follow these steps:
Open a new HTML file in vi.
Press i to enter insert mode.
Copy and paste the following HTML code.
<!DOCTYPE html>
<html>
<body>
<h1>My First Project</h1>
<p>Hello Everyone.</p>
</body>
</html>
Press Esc.
Type :wq! to save and exit.
Now start the Python server on port 8000:
python3 -m http.server 8000
Copy the command and paste it into your terminal. Leave it running; it serves the directory you started it in.
So far we have:
created an Auto Scaling group,
created a Bastion Host,
logged in to one of the private instances from the Bastion Host.
We've logged in to only one of the instances.
The Application Load Balancer will distribute traffic across both instances. One instance will respond while the other won't, as we have not set anything up on the other instance yet.
Now, we'll create a target group that the load balancer sends traffic to.
On the EC2 dashboard, scroll a bit and you'll see Target Groups in the Load Balancing section.
Click Create target group.
Keep the default target type, Instances.
Provide a target group name, enter 8000 as the port and choose your VPC.
Here we're directing requests to port 8000 on the instances. The health check uses the same port, which is why an instance with nothing listening on 8000 shows up as unhealthy.
Select the two private instances.
Click Include as pending below, then Create target group.
Next we'll create a load balancer and attach this target group to it.
Now, we'll create an Application Load Balancer.
On the EC2 dashboard, scroll a bit and you'll see Load Balancers.
Click Create load balancer and select Application Load Balancer.
Provide a name for your Application Load Balancer.
In Network mapping, choose your VPC and tick both AZs.
Choose the public subnet in each AZ.
We're going to have an Application Load Balancer across two public subnets.
Click Next.
In Security groups, add your security group; under Listeners and routing, select your target group; then click Create load balancer.
It'll take some time to provision.
Now, if you go to your target group, you'll see something like this:
Total targets: 2, one healthy and one unhealthy.
This is because one instance has the Python server listening on port 8000 while the other has nothing there yet, so its health check fails.
Now, we have to add a new inbound rule to the security group.
The load balancer listens on port 80, so its security group must admit HTTP from clients; the instances already admit port 8000 from the load balancer (in this lab, from anywhere).
In your Application Load Balancer, find the Security section.
Click your security group.
Click Edit inbound rules.
Click Add rule:
Type: HTTP
Source: Anywhere-IPv4
Save rules.
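The two rules added to the launch template's security group earlier (SSH and port 8000 from Anywhere) and the HTTP rule just added to the load balancer's group are the kind of thing worth auditing after the fact. The script below is an added example, not part of the original post: it reads security groups in the shape that `aws ec2 describe-security-groups` returns (the SecurityGroups list), flags any non-load-balancer group that exposes SSH or the application port to the whole internet, and builds the tighter rule set for the servers in which the sources are security groups rather than CIDRs. The group IDs, the "My IP" address and the sample JSON are constructed for illustration.

```python
"""Audit security-group ingress for servers in private subnets.

Added example, not from the original post. Input is the "SecurityGroups"
list as returned by `aws ec2 describe-security-groups`; the group IDs and
the JSON below are constructed, not real describe output.
"""
import json

INTERNET = {"0.0.0.0/0", "::/0"}


def covers_port(perm, port):
    """True if one IpPermission entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "All traffic"
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_to_internet(perm):
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in INTERNET for c in cidrs)


def audit(groups, app_port=8000, alb_sg="sg-alb"):
    """Return (group_id, finding) pairs for every group other than the
    load balancer's that exposes SSH or the app port to the internet."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        if gid == alb_sg:
            continue            # the ALB is the one thing meant to be public
        for perm in g.get("IpPermissions", []):
            if not open_to_internet(perm):
                continue
            for port, label in ((22, "SSH"), (app_port, f"port {app_port}")):
                if covers_port(perm, port):
                    findings.append((gid, f"{label} open to the internet"))
    return findings


def hardened_server_rules(app_port=8000, alb_sg="sg-alb",
                          bastion_sg="sg-bastion"):
    """IpPermissions for the servers' group. Sources are security groups
    (UserIdGroupPairs), so only the bastion can SSH in and only the load
    balancer can reach the application port."""
    return [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": bastion_sg}]},
        {"IpProtocol": "tcp", "FromPort": app_port, "ToPort": app_port,
         "UserIdGroupPairs": [{"GroupId": alb_sg}]},
    ]


# Constructed sample mirroring the rules the post creates.
WEAK_GROUPS = json.loads("""
[
  {"GroupId": "sg-app", "GroupName": "launch-template-sg",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-alb", "GroupName": "alb-sg",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]
""")

# The same VPC with the servers and bastion tightened; the ALB stays public.
HARDENED_GROUPS = [
    {"GroupId": "sg-app", "IpPermissions": hardened_server_rules()},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}]}]},  # "My IP", constructed
    WEAK_GROUPS[1],
]

if __name__ == "__main__":
    for gid, finding in audit(WEAK_GROUPS):
        print(f"{gid}: {finding}")
    print("hardened findings:", audit(HARDENED_GROUPS))
```

Run the audit against `aws ec2 describe-security-groups --output json` after finishing the lab and it should report the two Anywhere rules; with the hardened rule set applied to the servers' group, the only public rule left is port 80 on the load balancer.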
Now head to your Application Load Balancer and copy the DNS name.
Paste it into your browser and press Enter. You should see the first page.
Now, we'll set up some different content in another instance.
NOTE: Do not terminate any of the activities for now.
Now I'm on my desktop and I open a new Git Bash window.
Log in to the Bastion Host as we practiced earlier.
Now log in to the other private instance as we did earlier.
Here we also set up a Python server on port 8000 serving a simple HTML page.
[ Set up the Python server as we did earlier ]
<!DOCTYPE html>
<html>
<body>
<h1>My Second Project</h1>
<h1>Congrats!! Well Done</h1>
</body>
</html>
Go to the target group to see the health status of the instances.
Both instances are now healthy.
Now, copy the DNS name of your Application Load Balancer as before and open it in a private browser window, reloading a few times. A regular tab can keep showing the same instance's page because the browser may serve it from its cache; a private window (or curl run several times) makes the load balancer's alternation between the two targets easier to see.
The two instances serve different HTML content, so you can tell which one answered each request.
Congrats! You've completed the lab.
Now, it's time to delete the resources we created, so that nothing keeps billing (NAT gateways and Elastic IPs are charged by the hour even when idle).
Follow this order:
Auto Scaling group (this terminates its own instances)
EC2 instances (the Bastion Host)
Load balancer
Target group
On the VPC console, delete your VPC.
The VPC cannot be deleted until its dependencies are gone; the delete dialog lists what remains (NAT gateways and their Elastic IPs, network interfaces and so on).
Delete them one by one.
Delete the VPC.
And that finally concludes our lab.
Thank you.