amazon web services hands-on vpcguides/pdf/vpc+hol.pdf · amazon web services hands-on vpc january...

Copyright2016,AmazonWebServices,AllRightsReservedPage1

AmazonWebServicesHands-OnVPC

January2016

VPCHands-OnLab

Copyright2016,AmazonWebServices,AllRightsReserved Page2

TableofContentsOverview......................................................................................................................................................3

CreateaVPC.................................................................................................................................................3

VPCObjectWalkthrough..............................................................................................................................7

YourVPCs.................................................................................................................................................7

InternetGateways..................................................................................................................................12

DHCPOptionsSets.................................................................................................................................13

ElasticIPs................................................................................................................................................14

NATGateway..........................................................................................................................................14

PeeringConnections..............................................................................................................................15

NetworkACLs.........................................................................................................................................16

SecurityGroups......................................................................................................................................16

LaunchingVPCInstances............................................................................................................................17

LaunchaPrivateServer..........................................................................................................................17

LaunchaPublicServer...........................................................................................................................24

TerminateBillableServices........................................................................................................................31

AdvancedVPCConcepts.............................................................................................................................33

VPCFlowLogs.........................................................................................................................................33

CreatingFlowLogsforaSubnet.............................................................................................................33

CreatingFlowLogsforaVPC..................................................................................................................35

CreatingFlowLogsforaNetworkInterface...........................................................................................37

VPCEndpoints........................................................................................................................................39

VPCHands-OnLab


OverviewThislabwillwalktheuserthroughusingtheVPCwizardtocreateaVPCwithpublicandprivatesubnets,describeeachoftheobjectscreatedbythewizard,andlaunchinstancesintothepublicandprivateVPCsubnets.ThelabwillalsoreviewrecentlyreleasedVPCfeatures–VPCflowlogsandVPCendpoints.Thefollowingisahigh-leveloverviewofthislab:

• CreateaVPC• ExplorethedifferentVPCobjectsandwhattheymean• LaunchEC2instancesintotheVPC• AssignapublicIPaddress(EIP)andtestpublic/privateconnectivity• Advancedconcepts–flowlogsandendpoints

Note:Screenshotsareprovidedtoguideyouthroughthestepsinthelab.Theelementsthatyouwillcreate(e.g.VPC,NATGateway,EIP)willbeuniquetoyouraccount,sothingssuchasVPCIDthatyouseeintheconsolewillnotnecessarilymirrorwhat’sseeninthescreenshot.

CreateaVPCLogintotheAWSConsole,andclickonVPCtogototheVPCdashboard.Alongtheleft,clickonElasticIPs,andclicktheAllocateNewAddressbutton.WearereservinganIPaddresstobeusedlaterintheVPCWizardfortheNATGateway.

VPCHands-OnLab


ClickonYes,Allocate.

YouwillseethenewEIPallocatedtoyouraccount.NotedowntheAllocationID,whichwewillreferencelaterduringtheVPCwizardandlabcleanup.

VPCHands-OnLab


ClickonVPCDashboard,thenselecttheStartVPCWizardbuttontolaunchtheVPCcreationwizard.

SelectthesecondoptiontocreateaVPCwithPublicandPrivateSubnetsandclickSelect.NoteinthepicturethatthewizardwillautomaticallycreateandlaunchanNATgatewaytoenableinstancesintheprivatesubnettoconnecttotheInternet.WewilldiscusstheNATgatewayinmoredetaillaterinthislab.

VPCHands-OnLab


Onthenextpage,enterthefollowingvaluesintotheVPCname,PublicSubnet,andPrivateSubnettextfields:

VPCname:<YourName>PublicSubnet: 10.0.0.0/23PrivateSubnet:10.0.10.0/23

ClickontheElasticIPAllocationIDfield.AlistofavailableEIPswillappear,selecttheEIPthatyouallocatedatthebeginningofthelab.

Wearemodifyingthedefaultsubnetsizestoillustratehowyoucancarveupthesubnetstoyourrequirements,aswellasprovidingsomeroombetweenthe“public”and“private”subnetblockstoaccommodateexpansiontoincludeadditionalAvailabilityZonesinthefutureaswell.

TheVPCwizardwillcreateyoursubnetandletyouknowwhenithasbeensuccessfullycreated.Behindthescenes,thewizardiscreatingandlaunchingtheNATgateway.ClickOKwhenit’sdone

VPCHands-OnLab


VPCObjectWalkthroughAfteryourVPCwascreated,youmaynoticethatseveralthingshavebeencreatedforyouasdepictedinthescreenshotbelow.ThenextsetofstepswillwalkyouthroughthevariousVPCobjectsandcomponentsthatwerecreatedforyoubytheVPCWizard.

YourVPCsTheYourVPCslinkprovidesalistofyourVPCsandisagoodlocationtoobtaintheVPCIDforyourVPCs.IfyoucreatemultipleVPCs,theywillbelistedhere.ClickingontheVPCthatwasjustcreatedwillbringupdetailsabouttheVPCliketheIPaddressblock(CIDR),DHCPOptionsSet,RouteTable,NetworkACL,HardwareTenancy(whetherVPCphysicalhardwarewillbeshared[default]ordedicatedtoyou)andDNSconfigurationinformation.

VPCHands-OnLab


AlsonotethepresenceofaDefaultVPClistedintheYourVPCsdisplay.AsofDecember4th,2013,wecreateadefaultVPCforyouineachregion.ThedefaultVPCincludesasubnetperavailabilityzone,adefaultsecuritygroup,anInternetgateway,andothernetworkingelements.Forthepurposesofthislab,wewillignoretheDefaultVPCandfocusontheVPC’screatedaspartofthelabexercise.

Subnets

TheSubnetslinklistsallofyourVPCsubnetsandallowsyoutocreateadditionalsubnetswithinyourVPCwiththeCreateSubnetsbutton.Clickingonasubnetwillbringupsubnetdetailsincludingitssubnetaddressrange(CIDR),availabilityzone,andassociatedroutetableandnetworkACLs.Clickingontabsunderneathbringsupreleventinfoaboutthesubnet.ClickonthePublicSubnetcreatedbytheVPCWizard.

VPCHands-OnLab


ClickonRouteTabletabandnoticethatthissubnet’sdefaultroute(0.0.0.0)istheInternetGateway(describedbelowintheInternetGatewaysection).InternetGatewayscanbeidentifiedby“igw”prefixinitsID.Thisroutemakesthissubnetyour“public”subnetbecauseitispublicallyroutablethroughtheInternetGateway.

VPCHands-OnLab


IfyouclickonthePrivatesubnettoinspectitsdetails,youwillnoticeadifferentroutingtable.

Thissubnet’sdefaultroute(0.0.0.0)istheNATgatewayidentifiedbythe“nat-”prefixinitsID.Thisroutemakesthissubnetyour“private”subnetbecauseitisnotroutingthroughtheInternetGateway.Instead,allclientconnectionstotheInternetaredirectedto,andproxiedby,yourNATgatewayinthe“public”subnet.

RouteTables

TheRouteTableslinklistsallofyourVPCroutetables,allowsyoutomodifyandassociatetheroutetablestosubnets,andallowsyoutocreateadditionalroutetableswithinyourVPCwiththeCreateRouteTablebutton.NoticethattworoutetableswerecreatedbytheVPCWizard,andthesearethesameroutetablesthatweredisplayedinthesubnetdetailsintheprevioussection.NoticetheMainandAssociatedWithcolumns.Thesubnetdesignatedasthe“Main”subnet(Main=Yes)isthedefaultroutetableforthelistedVPC.Thismeansthatallsubnetsthatarenotexplicitlyassociatedwithamorespecificroutetablewillusethisroutetablebydefault.TheAssociatedWithcolumndisplaysnumberofsubnetsexplicitlyassociatedwiththeroutetable.

VPCHands-OnLab


Noticethatonly1ofthe2subnetscreatedwiththeVPCisassociatedwitharoutetable.Thesecondsubnetisnotexplicitlyassociatedwitharoutetableandisthereforeusingthe“Main”routetable.

Clickingonaroutetablewillbringupdetailsabouttheroute.ClickingonRoutestabunderneathwillbringuproutinginfoaswellastheabilitytomodifytheroutetable’sroutesbyclickingonEditbutton.SimilarlyyoucanviewormodifySubnetAssociations,RoutePropagationandTaginformationpertainingtotheselectedroute.

VPCHands-OnLab


NoticethattheselectedroutetableisNOTtheMainroutetable(Main=No)anditsdefaultroute(0.0.0.0)istheInternetGateway.Thismeansyour“public”subnetisexplicitlyassociatedwiththisroutetable(clickontheSubnetAssociationstabtoverifythis).NoticethereisanotherroutetableassociatedwiththeVPC,youwillseethedefaultroute(0.0.0.0)isyourNATgateway.

Sowhatdoesallthismean?Bydefault,theVPCWizardcreatedtwosubnetsandtworoutetables.The“public”subnetisassociatedwitharoutetablethatdirectstrafficbydefaultouttotheInternet.The“private”subnetisnotassociatedwithaspecificroutetableandthereforeinheritstheMainroutetableruleswhichdirectstrafficbydefaulttotheNATgatewayinthe“Public”subnet.

Onemorethingtonote:TherulesintheMainroutetabledeterminehowsubnetswillbetreatedbydefault.SincetheMainroutetableisa“private”routetable(itdoesnotrouteanytraffictotheInternetGateway),allnewsubnetscreatedinthisVPCwillbe“private”subnetsbydefault.Theywillremain“private”untiltheyareexplicitlyassociatedwitha“public”routetable(e.g.onethatroutestrafficdirectlytotheInternetGateway).

InternetGatewaysAnInternetGatewayprovides1-to-1staticnetworkaddresstranslation(NAT)mappingforyourVPCinstanceinternalIPaddressestopublicallyroutableElasticIPaddressesthatyoumustexplicitlyassociatewithyour“public”VPCinstances.Forthepurposesofthislab,theVPCWizardcreatedanInternetGatewayandassociateditwithyourVPC.

YoudonotneedtodoanythingspecificallywiththeInternetGatewayinthislab.WepointitoutheretoexplaintheInternetGatewaythatwascreatedforyou,andtopointoutthatInternetGatewayscanbeindependentlycreated,attachedanddetactedtoVPCs.ThisallowsyoutoaddorremovetheInternetGatewaycapabilitiestoyourVPCsaftertheVPChasbeencreated.

VPCHands-OnLab


DHCPOptionsSetsTheDHCPOptionsSetslinkallowsyoutocontrolsomeDHCPoptionsthattheVPCprovidedDHCPservicewillpresenttoyourinstanceswhentheyboot.BydefaulttheVPCWizardcreatedaDHCPOptionssetthattellsyourVPCinstancestousetheAWSprovidedDNSservicefordomainnameresolution.

VPCallowsyoutocreateandattachnewDHCPOptionstoyourVPCsincludingsettingyourdomainname,domainname(DNS)servers,time(NTP)servers,andMicrosoftWindowsNetBIOSnameserversandnodetype.ThefollowingscreenshotdepictshowtheseoptionscanbeconfiguredwhencreatinganewDHCPOptionsSet.

VPCHands-OnLab


ElasticIPsVPCElasticIPsarestatic,publicallyroutableIPaddressesthatyoucanassociatewithyourVPCInstances.Earlier,theVPCWizardlaunchedaNATgatewayandassociatedapublicElasticIPaddress.YoucanseethisEIPandassociationbyclickingontheElasticIPslinkandselectingtheAddress.

NATGatewayANATgatewayisamanagedservicethatenablesEC2instancesinprivatesubnetstoreachtheInternetwithoutpubliclyexposingtheinstance.ItusesnetworkaddresstranslationtomaptheprivateIPaddressofanEC2instancetothesharedpublicIPaddressoftheNATgatewayandre-mapsreturntrafficbacktotheinstance.NATgatewayshavebuilt-inredundancyandautomaticallyscalescapacityupto10Gbpsbasedondemand.

VPCHands-OnLab


Forthepurposesofthislab,aNATgatewaywascreatedforyouearlierintheVPCWizard,andyoucanviewdetailsofyourNATgatewayhere.

PeeringConnectionsAVPCpeeringconnectionisanetworkingconnectionbetweentwoVPCsthatenablesyoutoroutetrafficbetweenthemusingprivateIPaddresses.InstancesineitherVPCcancommunicatewitheachotherasiftheyarewithinthesamenetwork.YoucancreateaVPCpeeringconnectionbetweenyourownVPCs,orwithaVPCinanotherAWSaccountwithinasingleregion.AWSusestheexistinginfrastructureofaVPCtocreateaVPCpeeringconnection;itisneitheragatewaynoraVPNconnection,anddoesnotrelyonaseparatepieceofphysicalhardware.Thereisnosinglepointoffailureforcommunicationorabandwidthbottleneck.ThereisnoneedtocreateaVPCpeeringforthislab.

VPCHands-OnLab


NetworkACLsNetworkAccessControlLists(NACLs)actasasubnetstatelessfirewall,controllingingressandegressforanentiresubnet(asasecondlayerofdefenseontopofsecuritygroups).IfyouclickontheNetworkACLslinkyouwillseethattheVPCWizardcreatedasingle“default”NACLforyourVPCwithadefaultAllowALLrule.SinceNACLsarestateless,werecommendusingNACLsonlywhenyouwanttoexplicitlydenytraffic.Forexample,weneverwanttouseTFTPor“this”subnetshouldneverbeabletotalkto“that”subnet.

SecurityGroupsAtthispointyoushouldalreadybefamiliarwithEC2SecurityGroupsandunderstandthedifferencebetweenEC2andVPCSecurityGroups.TheSecurityGroupslinkallowsyoutoseeyourVPCSecurityGroups.NoticethattheVPCWizardcreatedSecurityGroupforyoucalled“default”.

VPCHands-OnLab


LaunchingVPCInstancesWalkthroughlaunchinganinstanceintheprivatesubnet.CreateasecuritygroupandallowICMPrequestsfromtheVPCCIDR.Noticehowthereisnopublicwaytoroutetotheinstance(e.g.youcan’tpingit)?

Nowlaunchaninstanceinthepublicsubnet.CreateanewsecuritygroupandallowICMPrequestsfromtheworld.Notehowyoustillcan’tpingit?AddanEIP.Notehowyoucannowpingthepublicinstancebutnottheprivateone.Connecttopublicinstanceandpingtheprivateone.

LaunchaPrivateServerIntheAWSManagementConsole,EC2tab,clickontheLaunchInstancebutton.OnStep1:ChooseanAmazonMachineImage(AMI)selectthelatestAmazonLinuxAMI.

VPCHands-OnLab


OnStep2:ChooseanInstanceType,changetheinstancetypetot2.microandclickNext:ConfigureInstanceDetails

OnStep3:ConfigureInstanceDetails,selecttheVPCandPrivateSubnetthatwascreatedinpreviousstepsandclickNext:AddStorage

VPCHands-OnLab


LeavedefaultsonStep4.Onthenextscreen,Step5(TagInstance),youcanprovideanameforyourprivateserver(e.g.PrivateServer)andclickNext.

VPCHands-OnLab


OnStep6:ConfigureSecurityGroup,createanewsecuritygroup.InthisexamplewecallitPrivate_ServersandgivepermissionforallinstancesintheVPCto“ping”theseservers.

VPCHands-OnLab


ReviewyourselectedoptionsandLaunchyourinstance.

YoushouldhavecreatedakeypairfromtheEC2handsonlab.Selecttheexistingkeypair,acknowledgethatyouhaveaccesstotheselectedprivatekeyfile(*.pem)andclickLaunchInstances.

Ifyoumissedthatlaboraremissingthekeypair,selectCreateanewkeypairfromthefirstdropdown,namethekeypairLab,andclickDownloadKeyPair.Oncedownloaded,clickLaunchInstances.

VPCHands-OnLab


YouhavenowlaunchedaprivateserverinyourVPC.FindthenewinstanceinyourlistofEC2instancesandselectit.Intheinstancedescription,notethattheinstancehasaprivateIPaddress(10.0.10.177inthescreenshotbelow),butdoesnothaveanyassociatedpublicinformationforconnectingtothisinstance(e.g.noEIPorPublicDNSinformation).ThisinstanceisonlylocallyaccessiblefromwithinyourVPC(theoreticallyitcouldalsobelocallyaccessiblefrominsideacorporatenetworkifwehadestablishedahardwareVPNconnectiontotheVPCfromourcorporatenetwork).

VPCHands-OnLab


VPCHands-OnLab


LaunchaPublicServerNowthatyouhaveaprivateserver,wewilllaunchapublicserveranddifferentiatebetweenthetwo.IntheAWSManagementConsole,EC2tab,clickonLaunchInstancebutton.OnStep1:ChooseanAmazonMachineImage(AMI)selectthe64-bitAmazonLinuxAMI.Changetheinstancetypetot2.mircoonStep2.OnStep3,selecttheVPCandselectthePublicsubnet(10.0.0.0/23).

LeavethedefaultsonStep4,provideanameforyourprivateserver(e.g.PublicServer)andclickNext.

VPCHands-OnLab


VPCHands-OnLab


Createanewsecuritygroupforyourpublicservers.InthisexamplewecreateasecuritygroupcalledPublic_Servers,withrulestoallowanyoneto“ping”andSSHintotheinstance.

Finally,reviewyoursettings,clickLaunchanduseyourexistingkeypair,acknowledgethatyouhaveaccesstotheselectedprivatekeyfile(*.pem)andclickLaunchInstances.

VPCHands-OnLab


Youhavenowlaunchedaserverinyourpublicsubnet;howeveritisstillnotpubliclyaccessible.FindthenewinstanceinyourlistofEC2instancesandselectit.Intheinstancedescription,notethattheinstancehasaprivateIPaddress(10.0.1.79inthescreenshotbelow),butdoesnothaveanyassociatedpublicinformationforconnectingtothisinstance(e.g.noEIPorPublicDNSinformation)–justlikeyourprivateinstance.

Tomakethisinstancepublicallyaccessible,weneedtoassigntheserverapublicElasticIPaddress.IntheEC2console,clickontheElasticIPslink.ClickontheAllocateNewAddressbutton.

VPCHands-OnLab


ClickYes,Allocate.

Nextright-clickonthenewEIPthatwasallocatedandselectAssociateAddress.

VPCHands-OnLab


SelectyourPublicServerfromtheInstancedropdownandclickAssociate.

VPCHands-OnLab


YoushouldnowbeabletoconnecttoyourpublicserverusingitsnewElasticIPaddress.Intheexamplescreenshotbelow,wedemonstratethisconnectivitybysimply“pinging”theserver.

YouhavenowsuccessfullycreatedpublicandprivateserversinaVPC.FeelfreetoexploretheinstancedetailsforbothinstancestoseetheEIPassignmenttoyourpublicserverandexaminethedifferencesbetweenthetwoinstances.

VPCHands-OnLab


TerminateBillableServicesYouwillnotbeabletodeleteyourVPCuntilallinstancesusingtheVPChavebeenterminated.AtthispointfeelfreetoterminatethePublicandPrivateServersthatwecreatedinthislab.

ChecktheboxtoReleasetheEIPalongwithinstanceterminationsothatyoudon’tincurIdleEIPchargesandclickYes,Terminate.

Finally,tocompletelydeletetheVPC,firstdeletetheNATgateway.ClickonNATGatewaysfromtheVPCDashboard,selecttheNATgatewaycreatedearlierinthelab,andclickDeleteNATGateway.

VPCHands-OnLab


Next,releasetheEIPassociatedwiththeNATGatewayfromthebeginningofthelab.WhileintheVPCdashboard,clickonElasticIPs,selecttheEIPthatwaspreviouslyassociatedwiththeNATgateway.WiththeEIPselected,clickontheActionsdropdownandselectReleaseAddress.

VPCHands-OnLab


Finally,clickonYourVPCsintheVPCDashboard,selectyourVPC,andclickontheDeletebutton.

AdvancedVPCConceptsInthissectionwewilldoanoverviewoftwofairlynewVPCfeatures–VPCEndpointsandVPCFlowLogs.

VPCFlowLogs

AmazonVPCFlowLogsisafeaturethatenablesyoutocaptureinformationabouttheIPtrafficgoingtoandfromnetworkinterfacesinyourVPC.FlowlogdataisstoredusingAmazonCloudWatchLogs.Afteryou'vecreatedaflowlog,youcanviewandretrieveitsdatainAmazonCloudWatchLogs.

Flowlogscanhelpyouwithanumberoftasks;forexample,troubleshootingwhyspecifictrafficisnotreachinganinstance,whichinturncanhelpyoudiagnoseoverlyrestrictivesecuritygrouprules.Youcanalsouseflowlogsasasecuritytooltomonitorthetrafficthatisreachingyourinstance.

Thereisnoadditionalchargeforusingflowlogs;however,standardCloudWatchLogschargesapply.

FlowLogscanbecreatedforNetworkInterfaces,SubnetsandVPCs.

CreatingFlowLogsforaSubnet

FollowthebelowstepstocreateaflowlogforyourVPC:

Step1.GotoyourVPCDashboard

Step2.SelectSubnets

Step3.SelecttheSubnethatyouwouldliketocreateaFlowLogfor

VPCHands-OnLab


Step4.ClicktheActionbuttonandselectCreateFlowLogfromthedropdownmenuitproduces

1

3

2

VPCHands-OnLab


Step4.Filloutthescreenthatfollows.Selectyour“Filter”,thenchosetheIAMRoleyoucreatedforthedestination“CloudWatchAccount”.

CreatingFlowLogsforaVPC

FollowthebelowstepstocreateaflowlogforyourVPC:

Step1.GotoyourVPCDashboard

Step2.SelecttheVPCthatyouwouldliketocreateaFlowLogfor

VPCHands-OnLab


Step3.ClicktheActionbuttonandselectCreateFlowLogfromthedropdownmenuitproduces


12

3

VPCHands-OnLab


CreatingFlowLogsforaNetworkInterfaceFollowthebelowstepstocreateaFlowLogforaNetworkInterface:

Step1.GotoyourEC2Dashboard

Step2.SelectNetworkInterfaces(Itislocatedinthemenuonthelefthandsideofhescreen,underNetwork&Security

VPCHands-OnLab


Step3.SelecttheNetworkInterfacethatyouwouldliketocreateaFlowLogfor,thenselectActionsandCreateFlowLogfromthedropdownmenu

VPCHands-OnLab



VPCEndpoints

AVPCendpointenablesyoutocreateaprivateconnectionbetweenyourVPCandanotherAWSservice(suchasS3)withoutrequiringaccessovertheInternet,throughaNATinstance,NATinstanceGateway,aVPNconnection,orAWSDirectConnect.AnendpointenablesinstancesinyourVPCtousetheirprivateIPaddressestocommunicatewithresourcesinthoseservices.Wewon’tgointodepthinthislababoutendpoints,butitisworthnotingthatyouuseendpointpoliciestocontrolaccesstoresourcesinotherservices.TrafficbetweenyourVPCandtheAWSservicedoesnotleavetheAmazonnetwork.

Today,wesupportEndpointsforconnectionswithAmazonS3withinthesameregiononly.We'lladdsupportforotherAWSserviceslater.

FollowthebelowstepstocreateanEndpointinsideyourVPCthatisattachedtooneormoreRouteTables.

Step1.IntheVPCConsole,ontheleftmostmenu,selectEndpoints

VPCHands-OnLab


Step2.SelectCreateEndpoint

VPCHands-OnLab


Step3.SpecifytheVPCandtheservicetowhichyou'reconnecting,forexampleVPCx.x.x.x/xwillbeconnectingtoVPCEndpointsforAmazonS3.YouwillalsoberequiredtospecifyanEndpointPolicy.ThisdeterminesthetypeofaccessyourusersorresourcesinsideyourVPCwillhavetotheintendservicelikeS3.YoucanselectFullAccessorwriteacustompolicyusingJSON.

Oncefinish,select

VPCHands-OnLab


Step4.TocontroltheroutingoftrafficbetweenyourVPCandtheotherservice,youcanspecifyoneormoreroutetablesthatareusedbytheVPCtoreachtheendpoint.ThenSelect“CreateEndpoint”

Anendpointrouteisautomaticallyaddedtotheroutetable,withadestinationofpl-1a2b3c4d(let’sassumethisrepresentsAmazonS3giventhatS3istheonlyEndpointthatexisttoday).Now,anytrafficfromthesubnetthat'sdestinedforAmazonS3inthesameregiongoestotheendpoint,anddoesnotgototheInternetgateway.AllotherInternettrafficgoestoyourInternetgateway,includingtrafficthat'sdestinedforotherservices,anddestinedforAmazonS3inotherregions.

amazon web services hands-on vpcguides/pdf/vpc+hol.pdf · amazon web services hands-on vpc january...

Documents