AWS VPC by hellocloud.io
6 likes1,833 views
The document outlines a detailed configuration of a Virtual Private Cloud (VPC) setup, including subnets, network ACLs, and security groups across multiple Availability Zones. It provides information on access control rules, public and private instances, NAT gateways, and SSH agent forwarding procedures. Additionally, it discusses the process of managing Elastic IPs and potential internet access requirements for workloads in private subnets.
AWS VPC by hellocloud.io
- 1. Prepared By ~ Sai HelloCloud.io
- 2. Core Principles ● Humility ● Grit ● Deep Work ● Focus ● Consistency
- 3. VPC
- 4. gritworks-master (123456789012) ap-southeast-1 VPC (172.31.0.0/16) ap-southeast-1a ap-southeast-1b ap-southeast-1c Public subnet ap-southeast-1a 172.31.16.0/20 Public subnet ap-southeast-1b 172.31.32.0/20 Public subnet ap-southeast-1c 172.31.0.0/20 rtb (main) 172.31.0.0/16 local 0.0.0.0/0 igw
- 5. IGW (Internet Gateway) Inbound internet access (TO INTERNET)
- 6. NACLs - Virtual Firewall for your subnets Security Groups - Virtual Firewall for your instances
- 7. VPC (172.31.0.0/16) ap-southeast-1a ap-southeast-1b ap-southeast-1c Public subnet ap-southeast-1a 172.31.16.0/20 Public subnet ap-southeast-1b 172.31.32.0/20 Public subnet ap-southeast-1c 172.31.0.0/20 rtb (main) 172.31.0.0/16 local 0.0.0.0/0 igw Network ACLs (acl-489dea2e) Inbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny Outbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny secu-group (sg-e9f787a4) secu-group (sg-e9f787a4) public-instance-1 172.31.18.102/20 18.136.120.52/32 public-instance-2 172.31.40.11/20 13.250.31.41/32
- 8. gritworks-master (123456789012) ap-southeast-1 VPC (192.168.0.0/16) ap-southeast-1a ap-southeast-1b ap-southeast-1c Public subnet ap-southeast-1a 192.168.0.0/24 Public subnet ap-southeast-1b 192.168.1.0/24 Public subnet ap-southeast-1c 192.168.2.0/24 192.168.0.0/16 local 0.0.0.0/0 igw Private subnet ap-southeast-1a 192.168.3.0/24 Private subnet ap-southeast-1b 192.168.4.0/24 Private subnet ap-southeast-1c 192.168.5.0/24 192.168.0.0/16 local
- 9. NACLs - STATELESS Security Groups - STATEFUL
- 10. Public subnet ap-southeast-1a 172.31.16.0/20 Network ACLs (acl-489dea2e) Inbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Inbound rules Type Protocol Port range Source All traffic All All sg-e9f787a4 All traffic All All YOUR IP public-instance-1 172.31.27.135/20 18.136.120.52/32 Network ACLs (acl-489dea2e) Outbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Outbound rules Type Protocol Port range Source All traffic All All 0.0.0.0/0
- 11. TEST CASES
- 12. Public subnet ap-southeast-1a 172.31.16.0/20 Network ACLs (acl-489dea2e) Inbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Inbound rules Type Protocol Port range Source All traffic All All sg-e9f787a4 All traffic All All YOUR IP public-instance-1 172.31.27.135/20 18.136.120.52/32 Network ACLs (acl-489dea2e) Outbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Outbound rules Type Protocol Port range Source All traffic All All 0.0.0.0/0
- 13. Public subnet ap-southeast-1a 172.31.16.0/20 Network ACLs (acl-489dea2e) Inbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Inbound rules Type Protocol Port range Source All traffic All All sg-e9f787a4 All traffic All All YOUR IP public-instance-1 172.31.27.135/20 18.136.120.52/32 Network ACLs (acl-489dea2e) Outbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Outbound rules Type Protocol Port range Source All traffic All All 0.0.0.0/0
- 14. Public subnet ap-southeast-1a 172.31.16.0/20 Network ACLs (acl-489dea2e) Inbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Inbound rules Type Protocol Port range Source All traffic All All sg-e9f787a4 All traffic All All YOUR IP public-instance-1 172.31.27.135/20 18.136.120.52/32 Network ACLs (acl-489dea2e) Outbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Outbound rules Type Protocol Port range Source All traffic All All 0.0.0.0/0 public-instance-2 172.31.44.202/20 13.212.86.174/32 Public subnet ap-southeast-1b 172.31.32.0/20
- 15. Public subnet ap-southeast-1b 172.31.32.0/20 Public subnet ap-southeast-1a 172.31.16.0/20 Network ACLs (acl-489dea2e) Inbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Inbound rules Type Protocol Port range Source All traffic All All sg-e9f787a4 All traffic All All YOUR IP public-instance-1 172.31.27.135/20 18.136.120.52/32 Network ACLs (acl-489dea2e) Outbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Outbound rules Type Protocol Port range Destination All traffic All All 0.0.0.0/0 public-instance-2 172.31.44.202/20 13.212.86.174/32
- 16. Public subnet ap-southeast-1b 172.31.32.0/20 Public subnet ap-southeast-1a 172.31.16.0/20 Network ACLs (acl-489dea2e) Inbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Inbound rules Type Protocol Port range Source All traffic All All sg-e9f787a4 All traffic All All YOUR IP public-instance-1 172.31.27.135/20 18.136.120.52/32 Network ACLs (acl-489dea2e) Outbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Outbound rules Type Protocol Port range Source All traffic All All 0.0.0.0/0 public-instance-2 172.31.44.202/20 13.212.86.174/32
- 17. Public subnet ap-southeast-1b 172.31.32.0/20 Public subnet ap-southeast-1a 172.31.16.0/20 Network ACLs (acl-489dea2e) Inbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Inbound rules Type Protocol Port range Source All traffic All All sg-e9f787a4 All traffic All All YOUR IP public-instance-1 172.31.27.135/20 18.136.120.52/32 Network ACLs (acl-489dea2e) Outbound rules 100 All traffic All All 0.0.0.0/0 Allow * All traffic All All 0.0.0.0/0 Deny security-group (sg-e9f787a4) Outbound rules Type Protocol Port range Source All traffic All All 0.0.0.0/0 public-instance-2 172.31.44.202/20 13.212.86.174/32 public-instance-21 172.31.35.37/20 13.212.87.209/32
- 18. NAT Gateways Onbound internet access
- 19. VPC (172.31.0.0/16) Public subnet ap-southeast-1a 172.31.16.0/20 Public subnet ap-southeast-1b 172.31.32.0/20 Public subnet ap-southeast-1c 172.31.0.0/20 172.31.0.0/16 local 0.0.0.0/0 igw Private subnet ap-southeast-1a 172.31.48.0/20 Private subnet ap-southeast-1b 172.31.64.0/20 Private subnet ap-southeast-1c 172.31.80.0/20 172.31.0.0/16 local 0.0.0.0/0 natgw1 secu-group (sg-e9f787a4) public-instance-1 172.31.18.48/20 13.229.133.196/32 pub-ip priv-ip secu-group (sg-e9f787a4) private-instance-1 172.31.57.83/20 secu-group (sg-e9f787a4) private-instance-2 172.31.69.115/20 secu-group (sg-e9f787a4) private-instance-3 172.31.84.232/20
- 20. NAT Gateways AZ Resilient (Not Region Resilient)
- 21. Release Elastic IP after deleting NAT Gateways
- 23. mycomputer hellocloud-master-sg.pem (PRIVATE KEY) public-instance-1 hellocloud-master-sg.pem (PRIVATE KEY) hellocloud-master-sg (Public-key) private-instance-1 hellocloud-master-sg (Public-key)
- 24. SSH agent forwarding For Linux, ssh-add -c hellocloud-master-sg.pem For macOS, ssh-add -K hellocloud-master-sg.pem Connect to public instance using the -A option to enable SSH agent forwarding, ssh -A ubuntu@public-instance-1 Connect to private instance from public instance, ssh ubuntu@private-instance-1
- 25. Private NAT gateway traffic can't reach the internet.
- 27. LAB
- 28. The failure of one NAT Gateway and the fail over to an available NAT Gateway by the manual changing of the default route next hop in respective private subnets route table.
- 29. VPC (172.31.0.0/16) Public subnet ap-southeast-1a 172.31.16.0/20 Public subnet ap-southeast-1b 172.31.32.0/20 Public subnet ap-southeast-1c 172.31.0.0/20 172.31.0.0/16 local 0.0.0.0/0 igw Private subnet ap-southeast-1a 172.31.48.0/20 Private subnet ap-southeast-1b 172.31.64.0/20 Private subnet ap-southeast-1c 172.31.80.0/20 secu-group (sg-e9f787a4) public-instance-1 172.31.18.102/20 18.136.120.52/32 nat-gw-1 pub-ip priv-ip secu-group (sg-e9f787a4) private-instance-1 172.31.60.214/20 secu-group (sg-e9f787a4) private-instance-2 172.31.69.115/20 secu-group (sg-e9f787a4) private-instance-3 172.31.84.232/20 nat-gw-2 pub-ip priv-ip nat-gw-3 pub-ip priv-ip 172.31.0.0/16 local 0.0.0.0/0 nat-gw-1 172.31.0.0/16 local 0.0.0.0/0 nat-gw-2 172.31.0.0/16 local 0.0.0.0/0 nat-gw-3
- 30. Elastic IP
- 31. public-instance-1 18.141.173.52 172.31.23.196 stop 3.0.90.6 172.31.23.196 start Create new EIP 54.179.154.227 public-instance-1 54.179.154.227 172.31.23.196 Associate EIP 54.179.154.227 172.31.23.196 Stop and start the instance1 3.0.90.91 172.31.23.196 Disassociate EIP public-instance-1 54.179.154.227 172.31.23.196 Associate IP with reassociation enabled EIP Reassociate to instance2 public-instance-2 54.179.154.227 172.31.42.37 public-instance-1 52.221.241.51 172.31.23.196
- 32. Workloads in Private Subnets may need: ● Internet Access (or) ● Databases or Apps that are on-premises.
- 33. Q & A