This is a series of hands-on labs that start from beginner level to advanced level to give you a real understanding of AWS VPC.
Overview
In this adventure, you will use the Amazon VPC wizard to create a VPC, attach an Internet gateway, add a subnet, and then define routing for the VPC so traffic can flow between the subnet and the Internet gateway.
Topics covered
Upon completion of this adventure, you will be able to:
- Create an Amazon VPC Using the VPC Wizard
- Explore the basic components of a VPC, including:
• Public and private subnets
• Route tables and routes
• NAT gateways
• Network ACLs
What is Amazon Virtual Private Cloud (VPC)?
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
Prerequisites
- An active AWS account.
- A user that has access to the AWS console with the needed permissions.
Task 1: Create an Amazon VPC
In this task you will create an Amazon VPC using the VPC wizard. The wizard automatically creates a VPC based upon parameters you specify. Using the VPC Wizard is much simpler than manually creating each component of the VPC.
Here is an overview of the VPC you will create:
1- Open the AWS console and select the region in which you want to create the VPC.
2- At the top of the AWS Management Console, to the right of the Services menu, type "VPC" in the search bar and then choose VPC from the list.
3- Click VPC Dashboard in the top-left corner.
In every region, a default VPC with CIDR 172.31.0.0/16 has already been created for you. So, even if you haven’t created anything in your account yet, you will see some pre-existing VPC resources already there.
4- Click
5- On Create VPC page, under VPC settings section, choose VPC and more.
6- Configure the following fields:
7- Click
Your VPC will now be created. A status window displays progress and, when creation completes, confirms that your VPC has been successfully created. This may take a few minutes.
8- Click
9- Copy the VPC ID value and keep it in your text editor.
Task 2: Explore your VPC
In this task, you will explore the VPC components created by the VPC Wizard.
10- Select Your VPCs from the left panel.
11- In Filter by VPC, search for the VPC you created.
12- Look in the Name column of Your VPCs: your VPC was created with the name adventure_1-vpc.
13- In the left navigation pane, choose Internet gateways.
The Internet gateway for your VPC will be displayed.
An Internet gateway connects your VPC to the Internet. If the Internet gateway was not present, then the VPC would have no connectivity to the Internet.
An Internet gateway is a horizontally scaled, redundant, and highly available VPC component. It therefore imposes no availability risks or bandwidth constraints on your network traffic.
14- In the left navigation pane, choose Subnets.
A Subnet is a subset of a VPC. A subnet:
• Belongs to a specific VPC
• Exists in a single Availability Zone (while a VPC can span multiple Availability Zones)
• Has a range of IP addresses (known as a CIDR range, which stands for Classless Inter-Domain Routing)
Two subnets will be displayed for your VPC: a Public subnet and a Private subnet.
15- Select the Public subnet, whose Name column entry starts with adventure_1-subnet-public.
Examine the information displayed in the lower window pane:
• Each subnet is assigned a unique Subnet ID.
• The IPv4 CIDR of 10.0.25.0/24 means that the subnet contains the range of IP addresses from 10.0.25.0 to 10.0.25.255. (IPv6 is also supported, but is not part of this lab.)
• The subnet only has 250 Available IPs out of 256 possible addresses. This is because there are several reserved addresses in each subnet and one IP address has been consumed by the NAT gateway.
Why is this subnet considered to be a Public subnet? The answer lies in the Subnet Routing.
16- Choose the Route table tab.
Each subnet is associated with a Route table, which specifies the routes for outbound traffic leaving the subnet. Think of it like an address book that lists where to direct traffic based on its destination.
Two routes in the route table are associated with your public subnet:
• Route 10.0.0.0/16 | local directs traffic destined for elsewhere in the VPC (which has a range of 10.0.0.0/16) locally within the VPC. This traffic never leaves the VPC.
• Route 0.0.0.0/0 | igw- directs all traffic to the Internet gateway.
Routes are evaluated by longest-prefix match: the most specific route (the one with the bigger number after the slash) wins over less specific ones, and 0.0.0.0/0 is the least specific of all because it covers the entire Internet. Thus traffic whose destination falls within the VPC range is kept inside the VPC; everything else is sent to the Internet gateway. The routes can be edited further to suit your particular network configuration.
The fact that this subnet is associated with a Route Table that has a route to an Internet gateway makes it a Public Subnet. That is, resources in it that have public IP addresses can be reached from the Internet.
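To make the two ideas above concrete, here is a small added example (not part of the lab, written for this page) that uses Python's standard `ipaddress` module to show why a /24 subnet has fewer than 256 usable addresses and how a route table chooses between the `local` route and the default route. The gateway identifiers `igw-PLACEHOLDER` and `nat-PLACEHOLDER` are placeholders for the real ids the wizard creates; the reserved-address list is AWS's documented behaviour for every subnet.

```python
# Added example: subnet address math and longest-prefix route lookup for a VPC.
import ipaddress
from typing import List, Optional, Sequence, Tuple


def aws_reserved_addresses(cidr: str) -> List[str]:
    """AWS reserves the first four and the last address of every subnet:
    network address, VPC router, Amazon-provided DNS, future use, broadcast."""
    net = ipaddress.ip_network(cidr)
    return [str(net[0]), str(net[1]), str(net[2]), str(net[3]), str(net[-1])]


def available_ips(cidr: str, in_use: int = 0) -> int:
    """Addresses still free for instances: total minus the five AWS reserves
    minus addresses already consumed (for example the NAT gateway's interface)."""
    net = ipaddress.ip_network(cidr)
    return net.num_addresses - len(aws_reserved_addresses(cidr)) - in_use


def lookup_route(routes: Sequence[Tuple[str, str]], destination: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing the destination
    wins; 0.0.0.0/0 only applies when nothing more specific matches.
    Returns None when the table has no route at all for the destination."""
    dest = ipaddress.ip_address(destination)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Route tables as the lab shows them; the gateway ids are placeholders.
PUBLIC_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
# A constructed table with no default route: the subnet cannot reach outside the VPC.
ISOLATED_ROUTES = [("10.0.0.0/16", "local")]

if __name__ == "__main__":
    print("reserved:", aws_reserved_addresses("10.0.25.0/24"))
    print("available with NAT gateway present:", available_ips("10.0.25.0/24", in_use=1))
    # 198.51.100.10 is a documentation address standing in for any Internet host.
    for dst in ("10.0.25.7", "10.0.130.4", "198.51.100.10"):
        print(dst, "public ->", lookup_route(PUBLIC_ROUTES, dst),
              "| private ->", lookup_route(PRIVATE_ROUTES, dst),
              "| isolated ->", lookup_route(ISOLATED_ROUTES, dst))
```

The third table shows the check a reviewer makes when auditing a VPC: a subnet is only as public as the most specific route that covers Internet destinations, so a subnet with no `0.0.0.0/0` route is neither public nor able to reach the Internet through a NAT gateway.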
17- Choose the Network ACL tab.
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of subnets. Network ACLs are normally left with their default settings that allow all traffic in and out of subnets:
• Rule 100 Inbound allows all inbound traffic into the Public Subnet.
• Rule 100 Outbound allows all traffic out of the Public Subnet.
• The second line in each ruleset shows an asterisk (*), the catch-all rule that denies any traffic that did not match an earlier rule.
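The rule numbers matter more than the console makes obvious: a network ACL evaluates rules in ascending numeric order and the first match decides, so a deny placed before an allow silences it, and an allow placed after a broader deny never fires. The following added example (written for this page, not taken from the lab or from AWS) models that evaluation over the default ruleset and over two constructed rulesets that differ only in their numbering.

```python
# Added example: first-match evaluation of network ACL rules by rule number.
import ipaddress
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; the first matching rule wins
    protocol: str    # "all", "tcp" or "udp" (ICMP omitted for brevity)
    port_from: int   # port range, ignored when protocol is "all"
    port_to: int
    cidr: str        # source (inbound) or destination (outbound) range
    action: str      # "allow" or "deny"


def nacl_decision(rules: Sequence[NaclRule], protocol: str, port: int, address: str) -> str:
    """Return 'allow' or 'deny' for one packet. The '*' line in the console is
    the implicit deny that is reached when no numbered rule matches."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "all":
            if rule.protocol != protocol or not (rule.port_from <= port <= rule.port_to):
                continue
        return rule.action
    return "deny"  # the catch-all '*' rule


# The default inbound ruleset the lab shows: rule 100 allows everything.
DEFAULT_INBOUND = [NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]

# Constructed: the author wanted SSH only from inside the VPC, but the broad
# deny is numbered lower than the narrow allow, so the allow never matches.
MISORDERED_INBOUND = [
    NaclRule(100, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    NaclRule(110, "tcp", 22, 22, "10.0.0.0/16", "allow"),
    NaclRule(120, "all", 0, 65535, "0.0.0.0/0", "allow"),
]

# Constructed: same intent, with the specific allow numbered before the deny.
CORRECTED_INBOUND = [
    NaclRule(100, "tcp", 22, 22, "10.0.0.0/16", "allow"),
    NaclRule(110, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    NaclRule(120, "all", 0, 65535, "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    print("default, HTTPS from Internet:", nacl_decision(DEFAULT_INBOUND, "tcp", 443, "198.51.100.10"))
    print("misordered, SSH from VPC:   ", nacl_decision(MISORDERED_INBOUND, "tcp", 22, "10.0.25.7"))
    print("corrected, SSH from VPC:    ", nacl_decision(CORRECTED_INBOUND, "tcp", 22, "10.0.25.7"))
    print("corrected, SSH from Internet:", nacl_decision(CORRECTED_INBOUND, "tcp", 22, "198.51.100.10"))
```

Because network ACLs are stateless, a real deployment also needs matching outbound rules for the ephemeral return ports; the example models only the inbound decision, which is where the ordering mistake above is usually made.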
18- In the left navigation pane, choose Subnets.
19- At the top of the window, select the Private subnet, whose Name column entry starts with adventure_1-subnet-private, and ensure that it is the only line selected.
20- Choose the Tags tab.
The subnet carries a tag with the key Name and a value starting with Lab-subnet-private. Tags help you to manage and identify your AWS resources.
21- Choose the Route table tab.
The Route Table for the Private subnet has the configuration:
• Route 10.0.0.0/16 | local is the same as the Public subnet.
• Route 0.0.0.0/0 | nat- directs all other traffic to the NAT gateway.
This subnet does not have a route to the Internet gateway. Therefore, it is a Private Subnet.
22- In the left navigation pane, choose NAT gateways.
A Network Address Translation (NAT) gateway allows resources in a private subnet to connect to the Internet and other resources outside the VPC. This is an outbound-only connection, which means that the connection must be initiated from within the private subnet. Resources on the Internet cannot initiate an inbound connection. Therefore, it is a means of keeping resources private and improving security for VPC resources.
23- In the left navigation pane, choose Security groups, and select the security group that matches your VPC ID.
24- Choose the Inbound rules tab.
Security groups act as a virtual firewall for your instances to control inbound and outbound traffic. When you launch an Amazon EC2 instance into a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Your VPC automatically comes with a default security group. If you do not specify a different security group when you launch an Amazon EC2 instance, it will use the default security group.
The default security group permits ALL traffic to access associated resources, but only if the Source is the default security group. This self-reference might appear strange, but this configuration simply means that any EC2 instance associated with the default security group can communicate with any other EC2 instance that is associated with the default security group. All other traffic is denied. This is a very safe default setting because it limits any access from other resources.
When adding resources to the VPC, you can create additional security groups to permit desired access to resources such as web servers, application servers, and database servers.
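The self-referencing default rule is easier to reason about when it is written down as a decision procedure. The added example below (written for this page; the group ids and instances are constructed placeholders, not resources the lab creates) models how security groups evaluate inbound traffic: every rule of every attached group is checked, a single match allows, there are no deny rules, and a rule whose source is a group id matches traffic from any interface carrying that group regardless of its IP address. It also adds a constructed web-tier group to show how an additional group opens only what is wanted.

```python
# Added example: allow-list evaluation of security group rules, including a
# rule whose source is another security group rather than a CIDR range.
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class SgRule:
    protocol: str    # "all", "tcp" or "udp"
    port_from: int
    port_to: int
    source: str      # a CIDR such as "0.0.0.0/0" or a security group id ("sg-...")


@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    security_groups: FrozenSet[str]   # groups attached to the instance (up to five)


def inbound_allowed(sg_rules: Dict[str, List[SgRule]], dest: Instance, protocol: str,
                    port: int, src_ip: str, src_groups: FrozenSet[str] = frozenset()) -> bool:
    """Security groups only allow: any matching rule in any attached group permits
    the packet, and traffic matching no rule is implicitly denied."""
    addr = ipaddress.ip_address(src_ip)
    for sg_id in dest.security_groups:
        for rule in sg_rules.get(sg_id, []):
            if rule.protocol != "all" and (
                    rule.protocol != protocol or not (rule.port_from <= port <= rule.port_to)):
                continue
            if rule.source.startswith("sg-"):
                if rule.source in src_groups:   # matched by group membership, not IP
                    return True
            elif addr in ipaddress.ip_network(rule.source):
                return True
    return False


DEFAULT_SG = "sg-DEFAULT-PLACEHOLDER"   # placeholder for the VPC's default group id
WEB_SG = "sg-WEB-PLACEHOLDER"           # constructed additional group

SG_RULES = {
    # The default group as the lab describes it: all traffic, but only from itself.
    DEFAULT_SG: [SgRule("all", 0, 65535, DEFAULT_SG)],
    # Constructed web tier: HTTPS from anywhere and nothing else.
    WEB_SG: [SgRule("tcp", 443, 443, "0.0.0.0/0")],
}

# Constructed instances; addresses fall inside the lab's 10.0.0.0/16 VPC.
app = Instance("app", "10.0.130.10", frozenset({DEFAULT_SG}))
db = Instance("db", "10.0.130.20", frozenset({DEFAULT_SG}))
web = Instance("web", "10.0.25.10", frozenset({WEB_SG}))

if __name__ == "__main__":
    print("app -> db :5432", inbound_allowed(SG_RULES, db, "tcp", 5432, app.private_ip, app.security_groups))
    print("web -> db :5432", inbound_allowed(SG_RULES, db, "tcp", 5432, web.private_ip, web.security_groups))
    print("Internet -> web :443", inbound_allowed(SG_RULES, web, "tcp", 443, "198.51.100.10"))
    print("Internet -> web :22 ", inbound_allowed(SG_RULES, web, "tcp", 22, "198.51.100.10"))
```

The second call is the point of the default group's design: the web instance sits in the same VPC as the database, yet it cannot reach it until someone deliberately adds a rule naming its group, which is why the lab calls the default a safe starting point.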
Launching Amazon EC2 instances in this lab is out of the scope of the lab. Please do not attempt to launch an Amazon EC2 instance. This lab will not allow you to launch EC2 instances.
Delete the created resources
Now let's end the first adventure by deleting the created resources.
25- Select NAT gateways from the left navigation pane.
26- From the NAT gateways list, select the one that matches your VPC ID, then from Actions click Delete NAT gateway.
27- In the Delete NAT gateway window, type delete in the textbox, then click Delete.
28- Wait until the state of the NAT gateway becomes Deleted.
29- Select Your VPCs from the left navigation pane.
30- From the VPCs list, select your VPC, then from Actions click Delete VPC.
31- In the Delete VPC window, type delete in the textbox, then click Delete.