AWS - VPC

Theory

VPC (Virtual Private Cloud)

VPC stands for Virtual Private Cloud, which provides a logically isolated space on AWS to help you run resources.

Types of VPC

In AWS, there are Default VPCs and Custom VPCs for each Region. Default VPCs are created by default, one per Region, and Custom VPCs can be created up to 5 per Region.

Subnet

A network divided into smaller network areas. In the cloud environment's VPC, you can also divide and separate networks through subnets.

Reserved IP Addresses in Subnets

If the IP range assigned to a subnet is 10.0.0.0/24, then from 10.0.0.0 ~ 10.0.0.255:

Also, AWS Subnets have Public Subnets and Private Subnets. Public Subnets are networks that can communicate directly with the external internet, Private Subnets are closed networks that cannot communicate directly with the external internet. *However, Private Subnets can communicate with the outside if there is a NAT Gateway.

Security Group and ACL

The security technology at the instance level is Security Group. There is also a security technology used at the subnet level called Access Control List (ACL).

Lab - Public Subnet VPC Configuration

Lab Steps

Create VPC

1. Access VPC Console -> VPC
2. Name: CloudPeter-VPC IPv4 CIDR block: 10.0.0.0/16
3. Verify creation *Later, you can distinguish between default VPC and custom VPC by checking the presence of the Name Tag

Create Public Subnet

1. Access VPC Console -> Subnets
2. VPC ID: Select created VPC (CloudPeter-VPC) Name tag: CloudPeter-Public-SN Availability Zone: ap-northeast-2a IPv4 CIDR block: 10.0.0.0/24
3. Verify creation

Create Internet Gateway and Attach to VPC

Create an IGW and attach it to the VPC for communication with the external internet

1. Access VPC Console -> Internet Gateways
2. Name tag: CloudPeter-IGW
3. Attach IGW to VPC Available VPCs: Select created VPC (CloudPeter-VPC)
4. Verify attachment

If you've proceeded this far, the IGW for communicating with the internet is attached to the VPC, and the subnet is also created. However, external internet access is still not possible because there is no routing path to the external internet in the VPC's virtual routing table.

Create Public Routing Table and Associate Subnet

1. Access VPC Console -> Route Tables
2. Name tag: CloudPeter-Public-RT VPC: Select created VPC (CloudPeter-VPC)
3. Verify creation and associate subnet Click Subnet associations Click Edit subnet associations Select the previously created subnet

Add Route to Public Routing Table

1. VPC Console -> Route Tables
2. Select CloudPeter-Public-RT
3. Go to Routes tab
4. Destination: 0.0.0.0/0 Target: Internet Gateway -> Select igw-xxxxx
5. Verify application

Now all configurations are complete. Let's verify if actual communication is possible.

Create EC2 Instance

Create an EC2 instance to verify communication

1. Access EC2 Console -> Instances

2. Click Launch instances

3. Name: Public-EC2 OS Image: Amazon Machine Image(AMI), 64bit Instance type: T2.micro Key pair: The one you always use

4. Network settings -> Edit

5. VPC: Select created VPC (CloudPeter-VPC) Subnet: Select created Subnet (CloudPeter-Public-SN) Auto-assign public IP: Enable

6. Security group: default

7. Verify creation

Access EC2 Instance and Verify Communication

Access via SSH using the public IP, then run ping google.com If the ping works, success!

Lab - Private Subnet VPC Configuration

Lab Steps

Create Private Subnet

1. Access VPC Console -> Subnets

2. Create subnet VPC ID: Select created VPC (CloudPeter-VPC) Name tag: CloudPeter-Private-SN Availability Zone: ap-northeast-2c IPv4 CIDR block: 10.0.1.0/24

3. Verify creation

Create NAT Gateway

1. Access VPC Console -> NAT Gateways

2. Name: CloudPeter-NAT Subnet: Select public subnet (CloudPeter-Public-SN) Click Allocate Elastic IP!

3. Verify creation

Create Private Routing Table and Associate Subnet

1. Access VPC Console -> Route Tables

2. Name tag: CloudPeter-Private-RT VPC: Select created VPC (CloudPeter-VPC)

3. Select private routing table

4. Click Edit routes

5. Select private subnet (CloudPeter-Private-SN)

Add Route to Private Routing Table

1. Access VPC Console -> Route Tables

2. Select private routing table

3. Click Edit routes Edit as follows (Select NAT Gateway)

Create EC2 Instance

1. Access EC2 Console -> Instances

2. Name: Private-EC2 Network: Select created VPC (CloudPeter-VPC) Subnet: Select created private subnet (CloudPeter-Private-SN)

3. Network settings

4. Advanced details

#!/bin/bash
(
echo "qwe123"
echo "qwe123"
) | passwd --stdin root
sed -i "s/^PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
sed -i "s/^#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config
service sshd restart

The user data above is a configuration that allows SSH access via password. It is read and applied when the EC2 instance boots.

5. Verify creation

If you check the network of Private-EC2, you can see that no public IP has been assigned.

Access EC2 Instance and Verify Communication

1. SSH into Public-EC2's IP

2. From the SSH session, SSH into Private-EC2's private IPv4 address

3. Verify that ping google.com works through NAT

*With NAT, going from inside to outside is possible, but accessing the Private Subnet from outside is not possible

Delete Resources

1. Terminate EC2 instances (EC2 -> Instances -> Select instance -> Actions -> Instance state -> Terminate)
2. Delete NAT gateway (VPC -> NAT Gateways -> Actions -> Delete NAT gateway) Warning: Wait until the NAT gateway is deleted
3. Delete Elastic IP (VPC -> Elastic IPs -> Actions -> Release Elastic IP addresses)
4. Delete VPC (VPC -> Your VPCs -> Actions -> Delete VPC)