Amazon AWS Certified Developer Associate – Virtual Private Cloud (VPC) Part 3

3. Build A Custom VPC – Part 2

Okay, so here I am in the EC two instance, part of the AWS console and I’m going to go ahead and launch a new instance and I’m going to use an Amazon Linux AMI, going to go ahead and hit Next. Going to change my VPC over to my VPC and then I’m going to put this in My basically into my private subnet. Again, we’re using autoassign public IP addresses use the subnet setting and it actually tells us in here that it’s disabled, so we won’t get a public IP address in this subnet. And then I’m just going to leave everything else as is. Go ahead and hit next.

We’re not going to do a bootstrap script for this because it won’t work anyway. Well, it would work, but if we’re trying to apply a Yum update, it’s not going to have an Internet connection out because it is in a private subnet. Go ahead and hit next. And I’m going to call this, let’s call it my DB or my SQL Server. So MySQL server. So this would be, I’ll pretend, let’s say my SQL Server. Go ahead and hit next. I’m going to create a new security group just for this and we’re going to call it like my RDS Security Group or SG might be easier.

And then I’m going to go ahead and paste in that as the description. And then so in terms of the rules, we’re going to want SSH into this through this security group. We’re also going to want MySQL. So we’ll put in here, and then in here we’re going to specify outsider address range. So it was 100 10 and then it was 24. So anything in that block range will be allowed to use the MySQL ports. We’ll also do that for SSH. So we’ll lock SSH down just to EC two instances within this block range.

And then I’m just going to add another rule. I’m going to allow ICMP traffic. So I’m going to basically ICMP traffic will allow me to ping this EC Two instance from our public subnet. So I’m going to go in here and do all ICMP and again I’m going to specify that it’s allowed through our public subnet. Now if you remember from the very first introductory lecture, security groups are stateful, which means that when we basically allow these rules outbound, traffic is also allowed by default.

So if we allow inbound traffic for SSH or for MySQL or for ICMP outbound traffic will automatically be allowed out as well. Okay? So I’m happy with all the rules in this security group. I’m going to go ahead and hit Review and launch. And now I’m going to go ahead and launch my EC Two instance, going to use my private key, which is my German key, and that is now launching. We can go ahead and view our instances in here and we can see it’s called my SQL Server. Now there’s not a lot that we’re going to be able to do with this server from the console simply because it’s not going to have a public IP address. I’m just going to pause the video here and wait for it to launch.

Okay, so if that has now launched, so we’ve got my SQL Server here. You can see it doesn’t have a public IP address. We do have a private IP address down here though, so it’s 100 2156. So you’re going to need to make a note of your private IP address. So what I’m going to do now is I’m going to SSH into my web server. So I just need to make a note of the public IP address. I’m going to copy that over. So here I am in my SSH directory. We can see my private key here, which is my German key. If it’s a brand new one that you guys have just created, remember chmod 600 to my German key.

That will make sure the permissions are correct on it. And then what you might want to do is you might just want to open it up. So nano my and whatever your key name is, and then just copy and paste this key into your clipboard because you’re going to need it later on. So going to copy that in and then just exit. And then I’m going to SSH and then EC two Hyphen user and then at then I’m going to type in my public IP address, which is 54, 93, 120, and then 28, and then I’m going to do minus I and then my German key pair. And so there we go. It’s asking me if I want to connect hit yes. And so now I’ve SSH into my EC two instance which is sitting inside my public subnet.

So what I’m going to do is just elevate my privileges to root. I’m going to clear the screen. And now what I want to do first of all is I want to see if I can ping my server that’s sitting inside my private subnet. So to do that I just type in ping and then the private IP address. So for me it was ten 02156 and hit enter. And there you go, you can see the ping happening automatically. Now if I wanted to stop this ping, I just alt tab back over to my browser. I could go into let’s go back over here, go into my VPCs and then go into my security group and we could grab the RDS security group and go to the inbound rules and we could just delete all ICMP and hit save. And then straight away that should break the ping. And then interestingly, it doesn’t actually break the ping because the connection has already been established. But if I hit cancel and then hit up and try and ping it again, you’ll see that I’m no longer able to ping.

So it did take effect immediately, but because the ping connection was already established. Basically, I have to break that connection, then try to reping it to get it through the security group. So let’s go back and just quickly add in. I’ll just cancel this out. I’m just going to quickly add ICMP traffic back to my RDS security group. So just go in here, go edit, add another rule, ICMP traffic and then my address range. I’ll just copy and paste this in and paste it in there and hit save. And if I go back to my EC two instance again, I should just be able to go up and start pinging. And there we go, it’s pinging it again. So what I’m going to do now is I’m just going to clear the screen and I’m going to create a new document. And this is going to be our private key, which we’re going to use to get into our database server. So I’m going to call it Nano, and I’m going to call it my German key pair PEM.

And then all I want to do is paste in the contents of my private key, which I had saved locally, paste that in there, hit Control X, hit Enter, and yes, and then we’re going to save it. And then I’m just going to ch mod it. So zero, 600, my lowercase, my German key pair. So there we go. So now I should, in theory, be able to SSH EC two Hyphen user and then at. And then we need to use the public sorry, the private IP address. So dot o, dot, two, dot. And for me it was one, five, six. Yours will obviously be different. And then we want to do minus I, and then mygermankeypair PEM. And there we go. It’s saying, do we want to connect? Hit yes. And now we are inside our EC two instance, which is in our private subnet. So I’m going to clear the screen, I’m going to elevate my privileges to root.

Let’s do a yum updates. Let’s just try and do a Yum update. Minus yes. So we want to apply all our security patches to this EC two instance in our private subnet. And you can see nothing is happening. And the reason for that is because it does not have a route out to the Internet. This EC two instance can basically only talk to other EC two instances within my public subnet, and it can only talk over the ports that I’ve allowed it. So through Iccmp, through port 80, and through port 22, which is the SSH port. So right now, this EC two instance is pretty useless to me because I can’t even install my SQL on it.

So how do we solve that? And the way we solve that is by using Nat instances or Nat gateways. And they’re called network Address translation. That’s what Nat. Stands for. So in the next lecture, we’re going to look at how we can deploy a Nat gateway into our custom VPC. And then we’re going to look at how we can apply our security patches and install MySQL on this EC two instance. So if you’ve got the time, join me in the next lecture. Thank you.

4. Network Address Translation (NAT)

Okay, so here I am in the AWS console. I’m going to go over to EC Two and we’re going to go and launch an instance. And this is going to be our Nat instance. Now the easiest way to get a Nat instance is to go over to the community Amis. And in here just type in Nat. And you can choose any Nat here, but I always choose the top one. So this is an Amazon AMI. It’s a VPC Nat. It’s using HVM virtualization. This is the date in which it was provisioned. And basically this is the one that I’m going to use for this lecture. So go ahead and hit select. I’m going to put that on a T two micro. Going to go ahead and hit Next. Now I’m going to deploy this into my VPC and I’m going to put it into my public subnet. So it’s going to be 100 10. Going to hit that one and then I’m going to leave everything else as default. I’m going to go ahead and hit Next and I’m just going to call it my Nat. Go ahead and hit next. Now notice that I have to put it behind a security group. I’m going to do it under an existing security group. So it’s going to be my Web DMZ. With Nat gateways you don’t need to select a security group at all.

Amazon handle all that for you. But with Nat instances they must be behind a security group. So I’m going to go ahead and hit Review and Launch. And then I’m just going to hit yes Next for this one and make sure I boot from SSD storage. I’m going to go ahead and hit Launch. Then I’m going to use my German key pair and launch my instance and that is it. So now it’s going to take a couple of minutes for my Nat instance to boot up. The next thing I’m going to need to do is I’m going to basically need to create a route out to the Internet via my Nat gateway. But before I do that, I’m just going to pause the video here and wait for this Nat instance to boot up. Okay, so my Nat instance is now live. I’m going to go ahead and go over to Actions and go to Networking. And here you can see change source. Destination check. And basically what this means is that any EC Two instance by default must either be the source or the destination of any traffic it either sends or receives.

Now we don’t want this to happen. As for our Net, basically we want to route traffic through our Net instance out to the Internet. And then any traffic coming back, we want to allow that traffic. So I’m basically going to go ahead and disable our source destination check. And there we go. That’s all I need to do. Now. One last thing I do want to do though is I just want to go over to my security groups for my web DMZ security group. We don’t actually have Https enabled, we’ve only got Http. So I’m just going to go in and add that. Amazon always recommend that you allow Http and Https for your Nat instances or for the security groups that are behind your net instances. So I’m just going to go ahead and hit save. And the very last thing we need to do now is we need to create a route from our private subnets out through our Nat instance to the Internet. So of course what we would do is we would go back over here, go up into VPC, and then we’re going to go and have a look at our root tables. So we go into our root table and in here we’ve got our public route. Now we don’t need to make any changes to our public route because of course it has a route out to the Internet gateway automatically. What we need to make a change to is our main root table, our default route table, and we need to tell it in here. We’re going to add another route. We’re going to say o. And the target, if we click in here, will now see our Nat instance, my Nat. And we can just click on that and go ahead and hit save. So now in theory, our private subnet, any EC two instances launched into our private subnet should be able to access the Internet. So let’s go head over to our terminal and test this.

Okay, so I’m in my terminal window and you can see that I’m SSH into my private EC two instance. So the way I did that was obviously I SSH into my public EC two instance. I then SSHed over into my private EC two instance. So this is ten 02156. So now if I just run a yum, let’s actually do Yum install and we’ll just do MySQL and then we’ll do Minus. Yes, there we go. It has Internet access and it has gone out and installed MySQL. It’s as simple as that. So what I’m going to do now is quickly delete the Nat instance and we’ll try and just uninstall MySQL and try and reinstall it. So here I am in the EC two console, go over to my instances, grab my Nat and we’ll kill him off. Poor little guy. Go ahead and terminate the instance. And there we go. So now in theory, what’s going to happen is my EC two instance in my private subnet will no longer have a route out to the Internet. So let’s go back over to my terminal window. I’m just going to do Yum remove and then MySQL minus. Yes. So we’ll uninstall MySQL and now what we’re going to try and do is reinstall it. So yum install MySQL minus. Yes, and you can see it’s trying to download the packages, but it can’t. And that’s because we just killed off the Nat instance. So I’m just going to cancel this. So now I’m back in the console.

I’m going to go back over to our VPC. And now we’re going to go ahead and create a Nat gateway. So we go into Nat gateways, and in here you can see an old Nat gateway that I created. I’m going to create a new Nat gateway. We have to specify what subnet it’s going to be deployed into. So we always deploy our Nat gateways into our public subnet. So I’m going to select 100. Then it’s going to ask us for an Elastic IP. I don’t have one right now, so I’m just going to hit Create. And it’s going to allocate an Elastic IP to our Nat gateway automatically. You’re going to go ahead and hit Create Nat gateway. There we go. Straight away it says, in order to use your Nat gateway, ensure that you edit your root tables to include a route with the target of Nat, and then et cetera. So what we need to do is just go into our root table. We’re going to go over to our main default route table, which is this one. So that’s our main root table for our VPC. We’ll go in here and have a look at our roots.

You can see it’s not happy with one of these roots because we’ve deleted our portal or net instance. It’s actually saying that the status is a black hole. That’s because that elastic network interface that was assigned to our net instance no longer is there. So I’m going to go ahead and remove that. Now. I’m going to add another route. We’re going to add zero zero. And the target, of course, is going to be our net gateway. So click on that, go ahead and hit save. And there we go. So with our Nat gateway, the cool thing about Nat gateways is we didn’t need to disable our source destination check. We don’t need to put it behind a security group. If you go in and have a look at your Nat gateway here, you’ll see we actually click on it. You’ll see that it doesn’t have any kind of a security group here. Amazon are going to handle it all automatically. Now, this does take a couple of minutes to actually prepare the Nat gateway. It’s not as instant as your Nat instance. But the cool thing about Nat gateways is that you don’t have to maintain them yourselves, amazon maintain them all for you. So I’m just going to pause the video and wait for this Nat gateway to come back up. OK, so this Nat gateway is now available if I go back into my terminal window. So I’m back in my terminal window in my private subnet.

And now if I just type in Yum, install MySQL minus yes and hit Enter, we can see that it is able to download and install it via the Nat gateway automatically. Okay, so just to summarize what we’ve just done, first of all, we created a Nat instance that sat behind a security group. We then updated our route table to route traffic from our main route table through that Nat instance out to the Internet. And then we also, and this is really important to remember for the exams, is we disabled our source destination check on our net instance. Now, the problem with this design is that the Nat instance is a single point of failure. If that EC Two instance goes down, or maybe we lost that Availability Zone, it’s not we’re going to lose internet access to everything in our private subnet.

You can do clever things like putting that Nat instance behind an auto scaling group and using the Nat instance AMI in an auto scaling group and setting the minimum number to one, so that if you do lose that Nat instance, it will be provisioned back in that public subnet. Then of course you’d probably want to have more than one public subnet and use multiple net instances across your public subnets. There’s a couple of ways you can do it, but really people are starting to use net gateways now because you don’t have to worry about managing the Nat instance yourself. So in scenario two, we have our Nat gateway that’s not sitting behind a security group anymore. Obviously our RDS instances are still behind their own RDS security group, but when we’re communicating out to the Internet, it goes directly to the Nat gateway and then out to the Internet gateway.

And so what you have to remember is once you’ve provisioned a Nat gateway, you always put it in the public subnet first of all, and then you always update your root tables to point your instances to that Nat gateway and then out to the Internet. The great thing about Nat gateways is you don’t need to apply security patches to them. And if you go into the Amazon documentation, if you go up to Docs, Amazon, AWS Amazon. com, amazonbpc the latest basically user guide, and you just go down under networking. Net, you can see a comparison of net instances and net gateways. So net gateway is highly available. Net gateways in each Availability Zone are implemented with redundancy, so you don’t have to worry about auto scaling groups or anything like that. But with the Nat instance, you’re going to have to use a script to manage failover between your instances.

Nat gateways support bursts of up to ten gigabits per second, whereas Nat instances, it really depends on the bandwidth of the instance type. So when we were doing like the T two micros, for example, that’s probably not a really good idea in production if we’re using a Nat instance, because they’re going to fall over as soon as you get any kind of surge in traffic. That can be a common scenario in the exam, which is where your net instance is no longer being able to cope. What do you do? Well basically you scale it up, you increase the instance size or you change the instance family and so that then you can support larger network volume coming out through your net instance. The great thing about net gateways is it’s already automatically built in the maintenance. Obviously Amazon will always do the security patches for your Nat gateways with the Nat instance it’s managed by you performance software is optimized for handling the net traffic on a Nat gateway whereas a Nat instance is basically a generic Amazon Linux AMI that’s configured to perform Nat. Nat gateways can be slightly more expensive. It really depends how you’re using them. In some ways they can actually be cheaper. It really depends on your use, duration of usage and the amount of data that you’re sending through. If we scroll down and we just have a quick look at security groups you cannot associate a Nat gateway with a security group whereas you can with a Nat instance and then network ACLs.

You can use network ACLs to control the traffic for both Nat gateways and Nat instances because network ACLs operate at a subnet layer and don’t you worry, we’re going to go into that in the next lecture and then basically that’s the main difference. So Nat gateways people will always use them in production. Typically companies now will use them more than that instances just because they’re a lot easier to use. You don’t have to worry about single points of failure and then automating that failover if your Nat instance goes down. Okay, so you’ve done really well. Let’s just have a look at our exam tips. So Nat instances have been around almost as long as EC two itself so they feature very heavily in the exam even though they’re not as relevant now since we’ve got Nat gateways. But you have to remember certain points going into any of the associate exams.

The first and most important is when creating a Nat instance remember to disable your source destination checks on the instance. Remember that Nat instances must be in a public subnet. And always remember of course that one subnet equals one availability zone. So if you’re going to have redundancy you’re going to need multiple public subnets in multiple availability zones. There must be a route out of the private subnet to the Nat instance in order for this to work. So it’s not enough just deploying a Nat instance into a public subnet, you’ve always got to add a route out to the internet. Another thing to remember is that when you deploy a Nat it must have a public IP address as well in order for it to work. So you must allocate it a public IP address and then the amount of traffic that Nat instances supports depends on the instance size.

So if you’re bottlenecking, the only way to stop that bottleneck is to increase the size of the nat instance. And then finally you can create high availability using auto scaling groups, multiple subnets in different availability zones, and a script to automate failover from one net instance to another. It’s really painful, but you can definitely do it. But Amazon listened to their customers. Customers always used to complain about this, and that’s why Nat gateways were created. The last thing to remember is that net instances are always behind a security group. Now, Nat gateways are pretty much the way forward. They’re very new, so they might not be in the exams just yet, but they’re preferred by the Enterprise. They scale automatically up to ten gigabits per second.

There’s no need to patch them, you don’t have to worry about running your Yum updates on them all the time, and there’s no need to associate with them. With security groups, they’re automatically assigned a public IP address. And just remember that once you have created your Nat gateway, you have to update your root table to point it to that Nat gateway. And then that will give you a route out to the Internet. And there’s no need to disable your source destination checks on a net gateway. Okay, so that’s it guys. You’ve come a really long way so far. The next lecture, what we’re going to do is we’re going to look at security groups versus network ACLs, and we’re going to look at how we can block specific IP addresses, but also what the difference is between a security group and a network ACL I’ve mentioned a couple of times. One is stateful, one is stateless. See if you can remember which one is which. But by all means, go and have a break now. And when you’re ready, let’s move on to VPC Security.

• Category: Uncategorized