Setup EC2 and VPC - AWS

The document discusses how to connect to private EC2 instances without a public IP using EC2 Instance Connect or a bastion host. It covers creating an Instance Connect endpoint, connecting via the endpoint without a VPN, and connecting through a bastion host by transferring keys.

Uploaded by hsy20205050
This document covers:

1. How to connect to the private IP address of an AWS EC2 instance
2. The methods available to connect to such an instance
3. Complete setup of a VPC: subnets, route tables, IGW, NAT

Launch EC2 VM :
Step 1: Log in to the AWS Console with your user credentials.

Step 2: After logging in, go to the home page of the AWS Console.
Step 3: Search for EC2 and open the EC2 home page.

Step 4: Launch instance

Give the instance a name as per requirement.

Choose the AMI image from the drop-down menu as per requirement.

Choose the instance type as per requirement.

A key pair is required to connect to the instance securely. If a key pair already exists, choose it from the drop-down menu; otherwise create a new one. The private key is downloaded exactly once, as a .pem (OpenSSH) or .ppk (PuTTY) file, into the local machine's Downloads folder. AWS keeps no copy, so store it safely and, on Linux/macOS, restrict it with chmod 600.

Choose the VPC and security group.

If the firewall is an existing security group, choose it (or the default one); otherwise create a new security group that allows or blocks ports and source IPs as per requirement.
Set the size of the root volume.
For anything else, open Advanced details in the instance creation setup.
Under User data, insert the bash (or other) script that installs the required packages while the instance launches. Do not put credentials in user data: it is readable from the instance metadata service by any process on the instance, and by anyone allowed to call ec2:DescribeInstanceAttribute.

Summary
Step 5: The instance is running.

Step 6: Add the security group inbound and outbound rules

In the EC2 dashboard go to Network & Security and choose Security groups.

Under inbound rules add a rule for TCP port 22, because port 22 is the default SSH port. Set its source to the bastion's security group or to a specific CIDR (an office or VPN range), not 0.0.0.0/0: SSH open to 0.0.0.0/0 is reachable from every host on the Internet and is the usual target for brute-force logins.

Inbound rules: TCP 22 from the allowed source only
Outbound rules: all traffic
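The console steps 4 to 6 above as AWS CLI calls, added here as an example; this script is not part of the original document. The AMI and VPC ids, the key and group names, the admin CIDR and the bootstrap file are assumed placeholders, and the commands are only printed unless APPLY=1 is set, so the plan can be reviewed first. The part worth keeping is the ingress helper: it refuses the world-open port 22 rule that the console produces by default.

```shell
#!/bin/sh
# Added example (not from the original document): steps 4-6 above as AWS CLI
# calls, with the security-relevant checks built in. Region, AMI id, VPC id,
# names, the admin CIDR and the user-data file are assumed placeholders.
# By default the commands are only printed so the plan can be reviewed;
# set APPLY=1 to execute them.

: "${AMI_ID:=ami-0123456789abcdef0}"   # assumed placeholder
: "${VPC_ID:=vpc-0123456789abcdef0}"   # assumed placeholder
: "${USER_DATA:=./bootstrap.sh}"       # assumed; never put secrets in here

# run CMD...: print the command (to stderr) and execute it only when APPLY=1.
run() {
    echo "aws $*" >&2
    if [ "${APPLY:-0}" = "1" ]; then aws "$@"; fi
}

# ssh_ingress_json SOURCE: build the --ip-permissions JSON for TCP/22.
# Accepts a CIDR (203.0.113.10/32) or a security-group id (sg-...), so SSH is
# reachable only from a known range or from the bastion; refuses a world-open
# rule, which is what "custom TCP 22 from anywhere" in the console produces.
ssh_ingress_json() {
    case "$1" in
        0.0.0.0/0|::/0|"")
            echo "refusing to open SSH to the world ('$1')" >&2; return 1 ;;
        sg-*)
            printf '[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"UserIdGroupPairs":[{"GroupId":"%s"}]}]' "$1" ;;
        */*)
            printf '[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"%s","Description":"admin ssh"}]}]' "$1" ;;
        *)
            echo "expected a CIDR (a.b.c.d/nn) or an sg- id, got '$1'" >&2; return 1 ;;
    esac
}

# create_key_pair NAME FILE: AWS hands out the private key exactly once and
# keeps no copy. umask 077 creates the file as mode 600 from the start, so
# there is no window in which the key is world-readable.
create_key_pair() {
    if [ "${APPLY:-0}" = "1" ]; then
        (umask 077; aws ec2 create-key-pair --key-name "$1" --key-type ed25519 \
            --query KeyMaterial --output text > "$2")
    else
        echo "aws ec2 create-key-pair --key-name $1 --key-type ed25519 ... > $2 (mode 600)" >&2
    fi
}

# launch SUBNET_ID SG_NAME KEY_NAME SSH_SOURCE: security group with only TCP/22
# inbound from SSH_SOURCE (outbound stays at the default allow-all), then the
# instance itself with the bootstrap script as user data.
launch() {
    perms=$(ssh_ingress_json "$4") || return 1
    sg_id=$(run ec2 create-security-group --group-name "$2" \
        --description "ssh from $4 only" --vpc-id "$VPC_ID" \
        --query GroupId --output text)
    [ -n "$sg_id" ] || sg_id="sg-dryrun"
    run ec2 authorize-security-group-ingress --group-id "$sg_id" --ip-permissions "$perms"
    run ec2 run-instances --image-id "$AMI_ID" --instance-type t3.micro \
        --key-name "$3" --subnet-id "$1" --security-group-ids "$sg_id" \
        --user-data "file://$USER_DATA" \
        --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=Pvt-Inst}]"
}

# Usage: sh launch.sh subnet-xxxx pvt-ssh pvt-key 203.0.113.10/32   (print plan)
#        APPLY=1 sh launch.sh subnet-xxxx pvt-ssh pvt-key 203.0.113.10/32   (execute)
if [ $# -eq 4 ]; then
    create_key_pair "$3" "./$3.pem"
    launch "$@"
fi
```

Passing the bastion's security group id as the SSH source (sg-...) is the cleanest option for a private instance: the rule then follows the bastion even when its IP changes, and nothing outside the VPC matches it.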

Step 7: Any changes to the EC2 instance are made through Actions.

Step 8:
Connecting to the AWS instance by its private IP address fails with an error.

To connect to private IP addresses in AWS we have two methods:

1- Bastion host or jump server

2- EIC (EC2 Instance Connect) endpoint.

1- Bastion Host or Jump Server:

Pvt-Inst has no public IP, only a private IP address.

So Pvt-Inst has to be reached through a bastion server.

First copy the bastion server's public IP and SSH into it from any client.
On the bastion, check connectivity to the private IP.

Now connect to Pvt-Inst from inside the bastion server.

This fails with the following error, because the bastion server has no .pem or .ppk key file for Pvt-Inst; the approach taken here is to copy that key onto the bastion.

There are two ways to copy the .pem file:

1. Upload the file directly through the client, e.g. MobaXterm.
2. Use the scp command to copy the local .pem file to the bastion machine.

A caveat before doing that: a private key copied to the bastion is readable by anyone who later compromises the bastion or has root on it, and it then unlocks every instance that shares the key pair. The usual alternative is to keep the key on the workstation and hop through the bastion with OpenSSH's ProxyJump option (ssh -J), which relays only the TCP connection and needs no key on the bastion at all.

Loading the copied key then failed with the following error.
PuTTY:
The error "Load key 'prometheus.ppk': error in libcrypto" means the SSH client could not parse the private key file. With OpenSSH the usual cause is that the file is a PuTTY .ppk key, which OpenSSH does not understand; it needs the key in OpenSSH (PEM) format. Steps to address it:
Use an OpenSSH private key:
● Convert the PuTTY private key (prometheus.ppk) to OpenSSH format using the puttygen tool. Run the following command in your local terminal:

puttygen prometheus.ppk -O private-openssh -o prometheus.pem

● Use the converted key (prometheus.pem) in your SSH command:

ssh -i prometheus.pem <user>@<private-ip>

Check key permissions:
● Ensure that the permissions for the private key file (prometheus.pem) are set correctly; OpenSSH refuses a key that is readable by other users:

chmod 600 prometheus.pem

Verify key format:
● Double-check that the private key file is in OpenSSH format after the conversion: it should start with "-----BEGIN OPENSSH PRIVATE KEY-----" or "-----BEGIN RSA PRIVATE KEY-----", not "PuTTY-User-Key-File-".
Update SSH client:
● Ensure that you are using an up-to-date version of the OpenSSH client on your local machine. You can update it using your package manager:
For Ubuntu/Debian:

sudo apt-get update
sudo apt-get install openssh-client

For CentOS/RHEL:

sudo yum update
sudo yum install openssh-clients

Check SSH agent:
● If you have an SSH agent running, try restarting it or clearing loaded keys:

eval "$(ssh-agent -s)"
ssh-add -D   # clears all identities from the agent
ssh-add prometheus.pem

Check crypto libraries:
● Ensure that the cryptographic libraries on your system are up to date. Perform a system update and upgrade:
For Ubuntu/Debian:

sudo apt-get update
sudo apt-get upgrade

For CentOS/RHEL:

sudo yum update

Check key passphrase:
● If the private key has a passphrase, make sure you are entering it correctly when prompted.
Generate a new key pair (optional):
● If the issue persists, consider generating a new key pair and updating the public key on the remote server.
MobaXterm:

The same error "Load key 'prometheus.ppk': error in libcrypto" in MobaXterm means the key file is not in a format the SSH client being used can read. MobaXterm's own session manager accepts PuTTY .ppk keys, but the ssh command in its local terminal is an OpenSSH client and needs an OpenSSH-format key, so the key format has to match the way you connect.
Here are steps you can take to resolve the issue:
Check key format:
● Ensure that the private key file (prometheus.ppk) is in the correct format for the client: .ppk for MobaXterm sessions, OpenSSH format for the ssh command in the terminal.
Convert key to OpenSSH format:
● Use MobaXterm itself to convert the key to OpenSSH format:
● Open MobaXterm.
● Go to the "Tools" menu.
● Select "MobaKeyGen".
● Load your private key (prometheus.ppk).
● In the "Conversions" menu, choose "Export OpenSSH key" and save the key with a .pem extension.

chmod 600 prometheus.pem

Use the converted key:
● After converting the key, use the new OpenSSH key (prometheus.pem) in your SSH command:

ssh -i prometheus.pem <user>@<private-ip>

Successfully connected to the private IP address from the bastion host; if in doubt, check the IP addresses (172.31.30.34 and 172.31.14.220 in the screenshots).

Ensure the key is loaded in MobaXterm:
● Open MobaXterm.
● In the terminal, check if the private key is loaded using the following command:

ssh-add -l

● If the key is not listed, add it using:

ssh-add /path/to/prometheus.pem

Verify permissions:
● Ensure that the permissions for the private key file are set correctly:

chmod 600 prometheus.pem

Check MobaXterm settings:
● In MobaXterm, go to "Settings" > "Configuration".
● Under the "SSH" tab, make sure that the "Use internal SSH agent" option is selected.
Restart MobaXterm:
● Sometimes, restarting MobaXterm can resolve certain issues. Close and reopen the application.
Check MobaXterm logs:
● MobaXterm may log information about key loading and authentication attempts. Check the logs for any relevant error messages.
Update MobaXterm:
● Ensure that you are using the latest version of MobaXterm. If not, consider updating to the latest release.

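An added example (not from the original document) that covers the two problems in the bastion section at once: it detects a .ppk key before OpenSSH fails on it with "error in libcrypto", checks the mode-600 requirement, and writes an ssh_config stanza that reaches Pvt-Inst through the bastion with ProxyJump, so the private key stays on the workstation instead of being copied to the bastion. The host aliases, IPs, user name and key path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original document. It addresses two things the
# bastion section runs into: (1) "Load key 'x.ppk': error in libcrypto" comes
# from handing a PuTTY .ppk file to OpenSSH, which only reads OpenSSH/PEM keys;
# (2) copying the private key onto the bastion is unnecessary. With ProxyJump
# the key stays on the workstation and the bastion only relays the TCP stream.
# Host aliases, IPs, user names and the key path below are assumed placeholders.

# key_format FILE: classify a private key by its header line, so the right
# client (or a puttygen conversion) is chosen before ssh is even run.
key_format() {
    read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        "PuTTY-User-Key-File-"*)               echo ppk ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----")
                                               echo pem ;;
        *)                                     echo unknown; return 1 ;;
    esac
}

# key_perms_ok FILE: true when group/other have no bits set (mode 600 or 400).
# OpenSSH refuses a key that others can read, which is the second common
# "Load key" failure after the wrong format.
key_perms_ok() {
    mode=$(ls -l "$1" | cut -c5-10)   # columns 5-10 of -rw------- are group/other
    [ "$mode" = "------" ]
}

# jump_config BASTION_IP PRIVATE_IP USER KEY: emit an ssh_config stanza. The
# private instance is reached via ProxyJump; the workstation offers the key to
# both hops, so nothing is uploaded. ForwardAgent stays off: a compromised
# bastion then cannot borrow the agent to reach other hosts either.
jump_config() {
    cat <<EOF
Host bastion
    HostName $1
    User $3
    IdentityFile $4
    IdentitiesOnly yes
    ForwardAgent no

Host pvt-inst
    HostName $2
    User $3
    IdentityFile $4
    IdentitiesOnly yes
    ProxyJump bastion
    ForwardAgent no
EOF
}

# preflight KEY: run both checks; print the conversion command when a .ppk
# was handed in, so the libcrypto error never appears in the first place.
preflight() {
    fmt=$(key_format "$1") || { echo "cannot use $1: unknown key format" >&2; return 1; }
    if [ "$fmt" = ppk ]; then
        echo "$1 is a PuTTY key; convert it first:" >&2
        echo "  puttygen $1 -O private-openssh -o ${1%.ppk}.pem" >&2
        return 1
    fi
    key_perms_ok "$1" || { echo "fix permissions: chmod 600 $1" >&2; return 1; }
    echo "ok: $fmt key, mode 600"
}

# Usage: sh jump.sh <bastion-public-ip> <private-ip> <user> <key.pem> >> ~/.ssh/config
#   then: ssh pvt-inst
#   one-liner equivalent: ssh -i <key.pem> -J <user>@<bastion-public-ip> <user>@<private-ip>
if [ $# -eq 4 ]; then
    preflight "$4" >&2 && jump_config "$1" "$2" "$3" "$4"
fi
```

With this stanza in place the bastion sees only an encrypted TCP stream to Pvt-Inst; it never holds the key and cannot read the inner session.
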
2- EIC (EC2 Instance Connect):

On June 13th, 2023 AWS launched a new feature, the EC2 Instance Connect Endpoint (EIC Endpoint), which allows secure SSH and RDP connectivity to private EC2 instances without public IP addresses, a VPN or a bastion instance. The tunnel (a websocket over TLS) terminates at the endpoint inside your VPC, so the instance needs no inbound path from the Internet; every OpenTunnel call is authorised by IAM and recorded in CloudTrail.
This section describes how the EIC Endpoint works and demonstrates how to create and use it to SSH/RDP to an instance from the Internet.

EC2 Instance Connect Endpoint to any VPC resource:

✴️ Use "EC2 Instance Connect" to connect to RDS and other VPC resources: no VPN required, no EC2 bastion instance needed.

1️⃣ Upgrade the AWS CLI to version 2.12 or later.

2️⃣ Create (if you haven't already) an EC2 Instance Connect Endpoint:

• aws ec2 create-instance-connect-endpoint --region us-east-1 --subnet-id subnet-0123456789abcdef

⚠️ Change "region" and "subnet-id" to your values. The endpoint gets the VPC's default security group unless you pass --security-group-ids; the target instance's security group must allow inbound traffic on the tunnelled port from the endpoint's security group (or its private IP).

After creation, note the "InstanceConnectEndpointId" from the output; it is needed for every tunnel.

3️⃣ Connecting through the EC2 Instance Connect Endpoint
The EC2 User Guide so far only lists connecting to an EC2 instance by "instance-id". However, the AWS CLI v2 lists other options for "ec2-instance-connect open-tunnel", in particular "private-ip-address" and "remote-port", which means the tunnel can target any private IP in the VPC, not only an EC2 instance.
So we use this command:

• aws ec2-instance-connect open-tunnel --private-ip-address <your-private-IP-here> --instance-connect-endpoint-id eice-0123456789abcdef12 --remote-port 5432 --local-port 5432

⚠️ Change "private-ip-address", "instance-connect-endpoint-id" (obtained during creation), "remote-port" and "local-port" to your values.
The result will be a tunnel:
• Listening for connections on port 5432.
• [1] Accepted new tcp connection, opening websocket tunnel.

4️⃣ Connect to the local port (localhost:5432 from the example above) and that's it! 👍
It definitely works for IPs from other VPCs connected via VPC Peering. I haven't tried it for other setups; let me know if it doesn't work.
Creation of the endpoint under the VPC dashboard:

EIC Endpoint:
An IAM inline policy is created under the specific user.
This is the eice-policy inline policy created under the user. The Describe actions stay on Resource "*" because EC2 Describe calls do not support resource-level permissions; OpenTunnel is pinned to the one endpoint and SendSSHPublicKey to the one instance:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllEC2Actions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSpecificActionsForUserARN",
      "Effect": "Allow",
      "Action": [
        "ec2-instance-connect:OpenTunnel",
        "ec2-instance-connect:SendSSHPublicKey"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-2:AccountNumber:instance-connect-endpoint/eice-0cdcda4db3e069304",
        "arn:aws:ec2:us-east-2:AccountNumber:instance/i-0a8b962883bd3c729"
      ]
    }
  ]
}
Connect Private IP Address Testing :

Using the endpoint, the connection to the private IP address succeeds:
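The EIC Endpoint steps above as AWS CLI calls, together with a tighter version of the inline policy, added here as an example; none of it is from the original document or from AWS. The policy limits OpenTunnel to one endpoint, one destination IP and port 22 with a capped tunnel lifetime, using the condition keys AWS documents for that action (remotePort, privateIpAddress, maxTunnelDuration), and pins SendSSHPublicKey to one OS user. The region, account number, subnet and security-group ids and the private IP are assumed placeholders; the endpoint and instance ids are the ones shown in the policy above. Commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original document or from AWS: the EIC Endpoint
# steps above as AWS CLI calls, plus a tighter version of the inline policy.
# OpenTunnel is limited to one endpoint, one destination IP and port 22 with a
# capped tunnel lifetime, using the condition keys AWS documents for that
# action. Region, account number, subnet/security-group ids and IPs are
# assumed placeholders; the endpoint and instance ids are the ones shown on
# this page. Commands are printed only; set APPLY=1 to execute them.

run() {
    echo "aws $*" >&2
    if [ "${APPLY:-0}" = "1" ]; then aws "$@"; fi
}

# create_endpoint SUBNET_ID SG_ID: one endpoint per VPC is enough for every
# instance in it. The security group passed here is the tunnel's source as
# seen by the instance, so the instance's group must allow inbound from it.
create_endpoint() {
    run ec2 create-instance-connect-endpoint --subnet-id "$1" --security-group-ids "$2" \
        --query InstanceConnectEndpoint.InstanceConnectEndpointId --output text
}

# endpoint_state EICE_ID: tunnels work only once the state is create-complete.
endpoint_state() {
    run ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids "$1" \
        --query 'InstanceConnectEndpoints[0].State' --output text
}

# eice_policy REGION ACCOUNT EICE_ID INSTANCE_ID PRIVATE_IP: least-privilege
# policy for one operator. Describe calls cannot be resource-scoped, so they
# stay on "*"; everything else is pinned to one endpoint and one instance.
eice_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeOnly",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"],
      "Resource": "*"
    },
    {
      "Sid": "TunnelToOneHostOnSsh",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:$1:$2:instance-connect-endpoint/$3",
      "Condition": {
        "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
        "IpAddress": {"ec2-instance-connect:privateIpAddress": "$5/32"},
        "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "1800"}
      }
    },
    {
      "Sid": "PushKeyToOneInstance",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:$1:$2:instance/$4",
      "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}}
    }
  ]
}
EOF
}

# tunnel EICE_ID PRIVATE_IP REMOTE_PORT LOCAL_PORT: generic TCP tunnel, the
# same call the page uses for port 5432; with REMOTE_PORT 22 it carries SSH
# (then: ssh -i key.pem -p LOCAL_PORT user@localhost). Runs until interrupted.
tunnel() {
    run ec2-instance-connect open-tunnel --instance-connect-endpoint-id "$1" \
        --private-ip-address "$2" --remote-port "$3" --local-port "$4"
}

# ssh_via_eice INSTANCE_ID: recent AWS CLI v2 can do the whole SSH hop itself:
# it pushes a one-time public key with SendSSHPublicKey, opens the tunnel
# through the endpoint and runs ssh over it, so no key pair file is needed.
ssh_via_eice() {
    run ec2-instance-connect ssh --instance-id "$1" --connection-type eice
}

# Usage (dry run unless APPLY=1):
#   sh eice.sh policy us-east-2 123456789012 eice-0cdcda4db3e069304 i-0a8b962883bd3c729 172.31.14.220
#   sh eice.sh tunnel eice-0cdcda4db3e069304 172.31.14.220 22 2222
#   sh eice.sh ssh i-0a8b962883bd3c729
case "${1:-}" in
    policy) shift; eice_policy "$@" ;;
    tunnel) shift; tunnel "$@" ;;
    ssh)    shift; ssh_via_eice "$@" ;;
esac
```

The conditions are what make the difference from the inline policy on the page: without them, anyone holding OpenTunnel on the endpoint can reach any private IP in the VPC on any port, which is exactly the "connect to RDS and other VPC resources" capability from the section above, whether or not that was intended for this user.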

VPC Launch :

Step 1: Go to the AWS Console, search for VPC and open the VPC dashboard.

Click Create VPC, then enter the name of the VPC (and its IPv4 CIDR block).

Step 2: Check that an Internet Gateway (IGW) is attached to the VPC; if not, create one and attach it.
Why? The IGW is what gives the VPC Internet connectivity, i.e. what makes a subnet public.
Step 3: Subnets
Create 2 public and 2 private subnets across 2 AZs.

Step 4: Route tables

The default (main) route table is used as the public one here; then create a private route table. Note that the main route table applies to every subnet that is not explicitly associated with another table, so with this layout any subnet added later and not associated with the private table is public by default. The safer layout is the reverse: leave the main table without an Internet route and create a separate public route table for the public subnets.
Step 5: Route table subnet associations
Associate the public subnets with the public route table.

Associate the private subnets with the private route table.

Step 6: Add a 0.0.0.0/0 route to the Internet Gateway in the public route table so the public subnets can be reached from the Internet (instances in them also need a public or Elastic IP).

Step 7: Create a NAT Gateway

Create a NAT Gateway for the private route table so the private subnets get outbound Internet access (package installs, updates) while remaining unreachable from the Internet.

Place the NAT Gateway in one of the public subnets: it needs an Elastic IP and the public subnet's route to the IGW.
Step 8: Add a 0.0.0.0/0 route to the NAT Gateway in the private route table under Routes.
Then point whichever private route tables should have outbound Internet access at the NAT Gateway.
The VPC setup is complete; other services can be added under the VPC as per requirement.
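Steps 1 to 8 of the VPC setup as AWS CLI calls, added here as an example; this is not the document's own script. It differs from the console walkthrough in one deliberate way: the VPC's main route table is kept private (no Internet route) and a separate public route table is created, so a subnet forgotten during association never becomes public by default. The region, the AZ suffixes and the CIDRs are assumed placeholders, and the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original document): steps 1-8 of the VPC setup
# as AWS CLI calls. It differs from the console walkthrough in one deliberate
# way: the VPC's main route table is kept private (no Internet route) and a
# separate public route table is created, so a subnet that is forgotten during
# association never silently becomes public. Region, AZ suffixes and CIDRs are
# assumed placeholders. Commands are printed only; set APPLY=1 to execute them.

REGION="${REGION:-us-east-1}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"

# run CMD...: print the command and execute it only when APPLY=1.
run() {
    echo "aws --region $REGION $*" >&2
    if [ "${APPLY:-0}" = "1" ]; then aws --region "$REGION" "$@"; fi
}

# query PREFIX CMD...: like run, but returns the id the command yields; in a
# dry run it returns "<PREFIX>-dryrun" so later commands still print sensibly.
query() {
    prefix="$1"; shift
    out=$(run "$@")
    if [ -n "$out" ]; then echo "$out"; else echo "$prefix-dryrun"; fi
}

# subnet_cidr VPC_CIDR N: the N-th /24 carved out of a /16 VPC, e.g. 10.0.3.0/24.
subnet_cidr() {
    base="${1%/*}"; prefix="${1#*/}"
    [ "$prefix" = 16 ] || { echo "subnet_cidr handles /16 VPCs only, got /$prefix" >&2; return 1; }
    echo "${base%.*.*}.$2.0/24"
}

# mk_subnet AZ INDEX NAME: one subnet; relies on $vpc set by build_vpc.
mk_subnet() {
    query subnet ec2 create-subnet --vpc-id "$vpc" --availability-zone "$1" \
        --cidr-block "$(subnet_cidr "$VPC_CIDR" "$2")" \
        --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=$3}]" \
        --query Subnet.SubnetId --output text
}

build_vpc() {
    az1="${REGION}a"; az2="${REGION}b"

    # Step 1: the VPC.
    vpc=$(query vpc ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)

    # Step 2: Internet gateway, attached to the VPC.
    igw=$(query igw ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
    run ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"

    # Step 3: two public and two private subnets across two AZs; only the
    # public subnets hand out public IPs at launch.
    pub1=$(mk_subnet "$az1" 0 public-a); pub2=$(mk_subnet "$az2" 1 public-b)
    prv1=$(mk_subnet "$az1" 10 private-a); prv2=$(mk_subnet "$az2" 11 private-b)
    run ec2 modify-subnet-attribute --subnet-id "$pub1" --map-public-ip-on-launch
    run ec2 modify-subnet-attribute --subnet-id "$pub2" --map-public-ip-on-launch

    # Step 4: an explicit public route table; the main table becomes the private one.
    pub_rt=$(query rtb-public ec2 create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId --output text)
    prv_rt=$(query rtb-main ec2 describe-route-tables \
        --filters "Name=vpc-id,Values=$vpc" "Name=association.main,Values=true" \
        --query 'RouteTables[0].RouteTableId' --output text)

    # Step 5: associations. Private subnets already fall under the main table;
    # associating them explicitly documents the intent.
    run ec2 associate-route-table --route-table-id "$pub_rt" --subnet-id "$pub1"
    run ec2 associate-route-table --route-table-id "$pub_rt" --subnet-id "$pub2"
    run ec2 associate-route-table --route-table-id "$prv_rt" --subnet-id "$prv1"
    run ec2 associate-route-table --route-table-id "$prv_rt" --subnet-id "$prv2"

    # Step 6: default route to the IGW, in the public table only.
    run ec2 create-route --route-table-id "$pub_rt" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"

    # Step 7: NAT gateway in a public subnet with its own Elastic IP.
    eip=$(query eipalloc ec2 allocate-address --domain vpc --query AllocationId --output text)
    nat=$(query nat ec2 create-nat-gateway --subnet-id "$pub1" --allocation-id "$eip" \
        --connectivity-type public --query NatGateway.NatGatewayId --output text)
    run ec2 wait nat-gateway-available --nat-gateway-ids "$nat"

    # Step 8: private subnets reach the Internet outbound only, via the NAT gateway.
    run ec2 create-route --route-table-id "$prv_rt" --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$nat"
    echo "$vpc $pub_rt $prv_rt"
}

# Usage: sh vpc.sh build            (print the plan)
#        APPLY=1 sh vpc.sh build    (create the resources)
if [ "${1:-}" = build ]; then build_vpc; fi
```

A single NAT Gateway in one AZ is a single point of failure for the other AZ's private subnet; for production, create one per AZ and give each private route table the NAT Gateway in its own AZ.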
