AWS VPC

In this article, I am sharing a project on setting up VPC infrastructure.
This is the architecture I am building. If you look at the diagram, everything sits in one VPC.

So, as the name suggests, VPC stands for Virtual Private Cloud.
VPC
Definition - A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center. After you create a VPC, you can add subnets.
Use - Companies use VPCs to create private networks, enhancing the security of their infrastructure.
Step 1 - I created a VPC
I created one VPC and added an IPv4 CIDR block.

I added 4 subnets to the VPC.
Subnet - A subnet is a range of IP addresses in your VPC. A subnet must reside in a single Availability Zone. After you add subnets, you can deploy AWS resources in your VPC.
Use - Subnets are used to divide a VPC into smaller, more manageable sections. This allows for better organization and isolation of resources within a VPC. By using subnets, you can control the flow of traffic between different parts of your network, enhance security by isolating sensitive resources, and optimize network performance by placing resources close to each other within the same Availability Zone. Subnets also enable you to implement different security and routing policies for different parts of your network.
I created 4 subnets in 2 different AZs (2 subnets in each AZ), naming them public and private. Then I created one IG (internet gateway).
IG - A gateway connects your VPC to another network. For example, use an internet gateway to connect your VPC to the internet. Use a VPC endpoint to connect to AWS services privately, without the use of an internet gateway or NAT device.

Then I connected the public subnet to the IG using a route table.
Route table - Determines where network traffic from your subnet or gateway is directed.
Use - Route tables are used to determine where network traffic from your subnet or gateway is directed. They contain a set of rules, called routes, that specify how packets should be forwarded within a VPC. By configuring route tables, you can control the flow of traffic between subnets, to and from the internet, and between your VPC and other networks. This allows for efficient traffic management and helps ensure that data reaches its intended destination.
I associated the public subnet with the route table and added a route, 0.0.0.0/0, pointing to the IG, so all the instances in this public subnet have direct internet access.

Now, to make the network private, services/instances are created under the private subnet. If we don't connect the subnet to the IG, it remains a private subnet.
So the question arises: how does an organization connect to a private subnet instance? This can be done by using a bastion host or a jump server.
Bastion host / jump server - A bastion host is a server used to manage access to an internal or private network from an external network - sometimes called a jump box or jump server. Because bastion hosts often sit on the Internet, they typically run a minimum amount of services in order to reduce their attack surface. They are also commonly used to proxy and log communications, such as SSH sessions.
I created one EC2 machine in the public subnet and one in the private subnet, and moved the PEM keys (the keys used to SSH to the instances).
Step 1 - SSH to the public instance (bastion host)
Step 2 - Move the PEM key for the private instance to the publicly accessible instance
Step 3 - Make an SSH connection from your publicly accessible machine to the private instance using the PEM key
Step 4 - Gain access to the private machine
NOTE - The security group of the private instance will only allow access from the security group of the bastion host instance.
Now you are in the private instance/server...
If you are in the private instance/server and need to install some packages from the internet, you can't do it because the private subnet doesn't have internet access.
This is where a NAT gateway comes in, helping the private subnet access the internet by hiding the private instance's IP with a static IP (meaning if the server wants any package, it makes a request to the NAT gateway, and the NAT gateway makes the request for you).
NAT gateway - A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, but external services can't initiate a connection with those instances.
NOTE: AWS charges for the NAT gateway because it uses an Elastic IP.
Step 1 - create an Elastic IP

Step 2 - create the NAT gateway and attach the Elastic IP

NOTE: The NAT gateway is always created in a public subnet.
Step 3 - create a route table for the private subnet
Add a route sending all other traffic (0.0.0.0/0) from the private subnet to the NAT gateway.
This keeps your private subnet private: its default route goes to the NAT gateway instead of the IG, so it gets outbound internet access only.
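As an added example that is not part of the original post, here is a small Python check that applies the rule from the route-table and NAT steps above: a subnet is public or private depending on where its 0.0.0.0/0 route points, and the NAT gateway must sit in a public subnet. All IDs and CIDRs are constructed sample values, shaped like the fields returned by the AWS CLI describe commands.

```python
# Added example (not from the original post): classify each subnet of the
# VPC from its route table, which is what actually makes a subnet "public"
# or "private", and check that the NAT gateway sits in a public subnet.
# IDs and CIDRs are constructed sample data shaped like the fields of
# `aws ec2 describe-route-tables` / `describe-nat-gateways` output.

ROUTE_TABLES = [
    {"id": "rtb-public",
     "subnets": ["subnet-pub-a", "subnet-pub-b"],
     "routes": [{"dst": "10.0.0.0/16", "target": "local"},
                {"dst": "0.0.0.0/0", "target": "igw-0123"}]},
    {"id": "rtb-private",
     "subnets": ["subnet-priv-a", "subnet-priv-b"],
     "routes": [{"dst": "10.0.0.0/16", "target": "local"},
                {"dst": "0.0.0.0/0", "target": "nat-0456"}]},
]
# Constructed: the NAT gateway from step 2 of the post, placed in a public subnet.
NAT_GATEWAYS = [{"id": "nat-0456", "subnet": "subnet-pub-a"}]


def classify_subnets(route_tables):
    """Return {subnet_id: 'public' | 'private' | 'isolated'}.

    public   - default route (0.0.0.0/0) points at an internet gateway
    private  - default route points at a NAT gateway (outbound only)
    isolated - no default route, so no internet access in either direction
    """
    kinds = {}
    for rtb in route_tables:
        default = next((r["target"] for r in rtb["routes"]
                        if r["dst"] == "0.0.0.0/0"), "")
        if default.startswith("igw-"):
            kind = "public"
        elif default.startswith("nat-"):
            kind = "private"
        else:
            kind = "isolated"
        for subnet in rtb["subnets"]:
            kinds[subnet] = kind
    return kinds


def misplaced_nat_gateways(nat_gateways, kinds):
    """A NAT gateway only reaches the internet from a public subnet (the NOTE
    under step 2); return the IDs of any that are not in one."""
    return [n["id"] for n in nat_gateways
            if kinds.get(n["subnet"]) != "public"]
```

Feeding real describe output into the same functions (after mapping the field names) turns the post's naming convention into a check that catches a NAT gateway accidentally launched in a private subnet.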
If you did these steps, you can now install packages and access the internet from your private instance/server. Now you can create any application on that server and enable the port in the SG of the private instance/server.
When you try to access your application publicly from the internet, you can't access it because it is in a private subnet.
NOTE - A NAT gateway is for a private instance/server to access the internet.
So, to access an application hosted in a private instance, we use a Load Balancer.
Load Balancer - Distributes incoming network traffic across multiple servers (targets) to improve availability, scalability, and reliability of an application.
Target Group - A logical group of targets (EC2, IP, or Lambda) where the Load Balancer forwards traffic and performs health checks.
Why the LB requires a Target Group - A Load Balancer never sends traffic directly to EC2. It always sends traffic through a Target Group (TG).
How a Target Group works with a Load Balancer
Step-by-step:
Client sends a request to the Load Balancer
Load Balancer checks the listener rule (port 80/443)
LB forwards the request to the associated Target Group
Target Group selects a healthy target
Request is sent to that EC2 instance
Response goes back through the LB to the client
Step 1 - create a Target Group (TG)

Step 2 - create an SG for the LB
Add inbound rules so the LB is accessible from anywhere on the internet, for IPv4 and IPv6.
Step 3 - create the LB and attach the TG and SG

NOTE - Create the LB in a public subnet
NOTE - The SG of your private instance should allow the SG of the LB
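The two NOTEs about security groups (SSH only from the bastion's SG, the application port only from the LB's SG) are easy to get wrong by pasting a CIDR instead of an SG reference. As an added example that is not part of the original post, this Python check audits a constructed set of security groups for exactly those rules; the group IDs, the application port 8080 and the admin CIDR are all constructed sample values.

```python
# Added example (not from the original post): check that the private
# instance's security group follows the two NOTEs in the post: SSH only from
# the bastion host's SG, the application port only from the load balancer's
# SG, never from an IP range. Group IDs, ports and the admin CIDR are
# constructed sample data, simplified from `aws ec2 describe-security-groups`.

# Constructed sample: each ingress rule is (port, source); a source is either
# a CIDR ("x.x.x.x/n") or another security group ID ("sg-...").
SECURITY_GROUPS = {
    "sg-bastion": [(22, "203.0.113.0/24")],      # admin range, constructed
    "sg-lb":      [(80, "0.0.0.0/0"), (443, "0.0.0.0/0")],
    "sg-private": [(22, "sg-bastion"), (8080, "sg-lb")],
}


def private_sg_findings(rules, bastion_sg, lb_sg, app_port):
    """Return a list of problems with the private instance's ingress rules.

    An empty list means: SSH reachable only via the bastion SG, the app port
    only via the LB SG, and nothing else is open.
    """
    findings = []
    for port, source in rules:
        if "/" in source:                       # CIDR, not an SG reference
            findings.append(f"port {port} open to IP range {source}")
        elif port == 22 and source != bastion_sg:
            findings.append(f"SSH allowed from {source}, not the bastion SG")
        elif port == app_port and source != lb_sg:
            findings.append(f"app port {port} allowed from {source}, not the LB SG")
        elif port not in (22, app_port):
            findings.append(f"unexpected port {port} open to {source}")
    return findings


def audit(groups, app_port=8080):
    """Run the check on the constructed VPC and also confirm the LB SG is the
    only group open to the whole internet (step 2 of the LB section)."""
    findings = private_sg_findings(groups["sg-private"], "sg-bastion",
                                   "sg-lb", app_port)
    for name, rules in groups.items():
        if name != "sg-lb" and any(src == "0.0.0.0/0" for _, src in rules):
            findings.append(f"{name} is open to 0.0.0.0/0")
    return findings
```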
Finally, all the steps are done. Now you can access the application through the DNS name of the LB.


