In this article, we will share with you an overview of one of the fundamental services that AWS provides for you to build your infrastructure in the Cloud.
AWS VPC allows you to provision an isolated section of AWS in which you launch other AWS resources inside a virtual network that you define. The service gives you full control over your network environment, including IP ranges, subnets, and the configuration of route tables and network gateways. It is also possible to create your own VPN that connects your datacenter to your VPC, making AWS an extension of your datacenter.
In this article, we are going to show you how to create a custom VPC with two subnets: one public, for web servers that face the internet, and one private, for backend servers such as databases.
By default, AWS delivers a fully configured default VPC in each region, with a subnet in each availability zone.
To create a new VPC, navigate to VPCs, click “Create a VPC” and the configuration starts.
One crucial point is that when you create a VPC, the following components are created with it by default: a route table, a network ACL and a security group.
The next step is to create the public and private subnet. To do this task, you need to navigate to the subnet menu in the VPC dashboard.
Another fundamental consideration is that subnets can’t span multiple availability zones: each subnet lives in exactly one availability zone, although you can have multiple subnets in the same availability zone.
Additionally, AWS reserves five addresses in every subnet:
- 10.X.X.0: Network address.
- 10.X.X.1: Reserved by AWS for the VPC router.
- 10.X.X.2: Reserved by AWS.
- 10.X.X.3: Reserved by AWS for future use.
- 10.X.X.255: Network broadcast address.
This is the reason why you see 251 available IP addresses in a /24 subnet rather than 256.
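To make the reserved-address rule concrete, here is an added example (not code from the original article) that uses Python’s standard `ipaddress` module to list the five reserved addresses of a subnet, count the usable addresses for any prefix length AWS permits (/16 to /28, so the rule generalizes beyond the /24 case in the list above), and sanity-check a public/private subnet plan against the VPC range. The VPC and subnet CIDRs in it are constructed sample values, not values from the article.

```python
import ipaddress

# Constructed sample values for the example; not values from the article.
EXAMPLE_VPC = "10.0.0.0/16"
EXAMPLE_SUBNETS = {"public": "10.0.1.0/24", "private": "10.0.2.0/24"}

AWS_RESERVED_PER_SUBNET = 5   # first four addresses plus the last one
MIN_PREFIX, MAX_PREFIX = 16, 28  # AWS accepts subnet sizes from /16 down to /28


def reserved_addresses(cidr: str) -> dict:
    """Map the five AWS-reserved addresses of a subnet to the roles listed in the article."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net[0]),      # 10.X.X.0 in the /24 case
        "vpc_router": str(net[1]),   # 10.X.X.1
        "reserved": str(net[2]),     # 10.X.X.2
        "future_use": str(net[3]),   # 10.X.X.3
        "broadcast": str(net[-1]),   # 10.X.X.255 for a /24; last address in general
    }


def usable_hosts(cidr: str) -> int:
    """Number of addresses you can actually assign to instances in the subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def check_subnet_plan(vpc_cidr: str, subnets: dict) -> list:
    """Return a list of problems with a subnet plan; an empty list means it is valid.

    Checks that every subnet is a well-formed network, lies inside the VPC range,
    has an allowed size, and does not overlap any other subnet in the plan.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    accepted = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC range {vpc_cidr}")
        try:
            usable_hosts(cidr)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
        for other_name, other_net in accepted.items():
            if net.overlaps(other_net):
                problems.append(f"{name} ({cidr}) overlaps {other_name} ({other_net})")
        accepted[name] = net
    return problems


if __name__ == "__main__":
    for name, cidr in EXAMPLE_SUBNETS.items():
        print(name, cidr, reserved_addresses(cidr), "usable:", usable_hosts(cidr))
    print("plan problems:", check_subnet_plan(EXAMPLE_VPC, EXAMPLE_SUBNETS))
```

Running it with the sample values prints 251 usable addresses for each /24 and no plan problems; feeding it a /28 shows that even the smallest allowed subnet loses the same five addresses, leaving 11.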
To enable public addresses in one of the subnets, select the subnet that is going to be public, go to Actions and then “Modify auto-assign IP settings”. In that configuration, activate the flag that auto-assigns public IPv4 addresses.
The next step is to create an Internet Gateway (IG) so that our public subnet has a way to reach the internet. To create one, navigate to the “Internet Gateways” menu in the VPC left menu; it only asks you for a name.
Once it is created, we need to attach it to our VPC. Select the IG, go to Actions and choose “Attach to VPC”.
One additional note: a VPC can have only one IG attached at a time.
Now let’s move on to routing. Navigate to the Route Tables menu and select the route table assigned to our custom VPC. We need a route table that lets the public subnet reach the internet through the IG. If we add a route to the IG in the main route table, every subnet in the VPC gets internet access, and we want one subnet to stay private, so we create a separate route table instead.
To create one, click the “Create route table” option. After creation, add the route to the IG and then associate the public subnet with this new route table.
We can now launch two EC2 instances so we can test the private and public subnets.
Navigate to EC2 menu and then click on Launch Instance. I’m going to skip all the steps and only show the config of each EC2 instance and how they were deployed.
The first EC2 instance is the WebServer and is deployed in the subnet that has the route with access to IG.
To connect to the Web Server instance, we just need to SSH to it with the key pair.
However, we can’t SSH directly to the back-end instance: it has no public IP and its subnet has no route to the IG.
There are several ways to reach it over SSH. The simplest, although not recommended, is to copy the SSH private key onto the web server and SSH from there using that key. The best approach is to use a bastion host.
The last step is to give the back-end server outbound access to the internet, so it can download patches and upgrades, by creating a NAT Gateway.
To do that, go to the VPC dashboard and then to the NAT Gateways menu. Click “Create NAT Gateway”, select the public subnet as its location and click save.
After the NAT Gateway is created, the last step is to edit the route tables: in the route table used by the private subnet, add a route to the internet through the NAT Gateway.
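The two routing steps above (a separate route table with an IG route for the public subnet, and a NAT Gateway route for the private subnet) are easy to get wrong in the console, and the result is not visible until an instance can or cannot reach the internet. The following added example, which is not code from the original article, classifies each subnet from route-table data shaped like the JSON that `aws ec2 describe-route-tables`, `describe-subnets` and `describe-nat-gateways` return, and flags the two mistakes the text warns about: an IG default route in the main route table (which silently makes every implicitly associated subnet public) and a NAT Gateway placed in a subnet that is not public. All resource IDs and CIDRs in the sample data are constructed, and the field subset is an assumption of this example, not a full copy of the AWS API response.

```python
# Constructed sample data, shaped like a subset of the AWS describe-* API responses.
# Every ID below is made up for the example.
ROUTE_TABLES = [
    {   # main route table: used by any subnet without an explicit association
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000aaaa"},
        ],
    },
    {   # custom route table created for the public subnet
        "RouteTableId": "rtb-public00",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub00001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000aaaa"},
        ],
    },
]
SUBNETS = [
    {"SubnetId": "subnet-pub00001", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv0001", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0000aaaa", "SubnetId": "subnet-pub00001"}]

DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Return the target of the 0.0.0.0/0 route, or None if the table has no default route."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def classify(subnet_id, route_tables):
    """'public' = default route to an IG, 'private' = via NAT, 'isolated' = no default route."""
    rt = route_table_for(subnet_id, route_tables)
    target = default_route_target(rt) if rt else None
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def audit(route_tables, subnets, nat_gateways):
    """Return human-readable findings for the misconfigurations discussed in the article."""
    findings = []
    classes = {s["SubnetId"]: classify(s["SubnetId"], route_tables) for s in subnets}
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            target = default_route_target(rt)
            if target and target.startswith("igw-"):
                findings.append(f"{rt['RouteTableId']}: main route table has a default route to "
                                f"{target}; every subnet without an explicit association is public")
    for s in subnets:
        if s["MapPublicIpOnLaunch"] and classes[s["SubnetId"]] != "public":
            findings.append(f"{s['SubnetId']}: auto-assigns public IPs but has no route to an IG")
    for nat in nat_gateways:
        if classes.get(nat["SubnetId"]) != "public":
            findings.append(f"{nat['NatGatewayId']}: sits in {nat['SubnetId']}, which is not a "
                            f"public subnet, so it cannot forward traffic to the internet")
    return findings


if __name__ == "__main__":
    for s in SUBNETS:
        print(s["SubnetId"], s["CidrBlock"], "->", classify(s["SubnetId"], ROUTE_TABLES))
    print("findings:", audit(ROUTE_TABLES, SUBNETS, NAT_GATEWAYS) or "none")
```

With the sample data the public subnet is classified as public, the private subnet as private (its egress goes through the NAT Gateway in the public subnet) and there are no findings. Swapping the main table’s NAT route for an IG route reproduces the situation the text warns about: the private subnet is suddenly classified as public and the audit reports it. In a real account you would feed the functions the parsed JSON from the describe calls instead of the constructed lists.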
Let’s try it out. SSH to the Web Server, then from inside that instance SSH again to the back-end instance. Finally, run “yum update”: the instance in the private subnet now reaches the internet through the NAT Gateway.
To summarize, we have created a custom VPC in our AWS environment, which lets us build our own infrastructure very quickly. This service gives you an idea of how flexible and powerful the AWS cloud can be.