What is Amazon VPC and its components — Part -2 !!
This is the second blog, a continuation of part 1 (Link - https://medium.com/@sanjeebiitg/what-is-amazon-vpc-and-its-components-part-1-fac80922812a). In this section, we will discuss one more important concept associated with EC2 instances, called a security group, and then deploy resources in our custom VPC.
Security Group: A security group acts as a virtual firewall that controls the incoming and outgoing traffic at the instance level.
1. Security groups are always permissive, which means users cannot define a deny rule.
2. Security groups are stateful, which means that if a request is allowed in by a rule, the return traffic is automatically allowed out.
3. Up to 5 security groups can be attached to an EC2 instance.
Let’s jump into the practical now.
Step -1: Create 2 security groups, one public and one private. Security groups are managed under EC2.
1. Search for EC2 in the search bar of the AWS console and click on EC2.
2. Click on Security Groups (left panel of the EC2 console).
3. Click on Create security group.
4. Give the security group details, name and description, and select the custom VPC.
5. Since this security group is for the public subnet, we open the SSH and HTTP ports from everywhere. ** In prod you may restrict the SSH port.
6. No outbound rule is defined. By default, all outbound traffic is allowed. If users need to remove an outbound rule, they can always do that.
7. Click Create security group to create the public security group.
8. Follow the same process for creating the private SG; the only difference is the inbound rule, where we allow traffic from the public security group (the public SG is the source).
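The two groups from Step 1 are worth checking after the fact: the public SG is expected to expose SSH and HTTP to the world, while the private SG must accept traffic only from the public SG. The audit below is an added example, not code from the original post; the group IDs are placeholders and the rule data is constructed in the shape of boto3's describe_security_groups output (the private SG here allows only TCP 22 from the public SG, matching the later ping test).

```python
# Added example (not from the original post): audit the Step 1 security groups.
# Data is constructed in the shape of boto3 describe_security_groups output;
# both group IDs are placeholders, not real ones.
PUBLIC_SG, PRIVATE_SG = "sg-0public00000000000", "sg-0private0000000000"
ANYWHERE = {"0.0.0.0/0", "::/0"}

SECURITY_GROUPS = [
    {"GroupId": PUBLIC_SG, "GroupName": "public-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": PRIVATE_SG, "GroupName": "private-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": PUBLIC_SG}]}]},
]

def _covers(rule, port):
    """True if an ingress rule admits TCP `port` (protocol -1 means everything)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def world_open_ports(group, ports=(22,)):
    """Ports from `ports` that the group accepts from any IPv4 or IPv6 address."""
    found = set()
    for rule in group["IpPermissions"]:
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if cidrs & ANYWHERE:
            found |= {p for p in ports if _covers(rule, p)}
    return sorted(found)

def only_from_group(group, allowed_sg):
    """True if every ingress rule's sole source is SG `allowed_sg` (no CIDRs)."""
    rules = group["IpPermissions"]
    return bool(rules) and all(
        not r.get("IpRanges") and not r.get("Ipv6Ranges")
        and {p["GroupId"] for p in r["UserIdGroupPairs"]} == {allowed_sg}
        for r in rules)

def audit(groups):
    """Map each group name to its findings; an empty list means it passed."""
    out = {}
    for g in groups:
        findings = [f"port {p} open to the world" for p in world_open_ports(g)]
        if g["GroupId"] == PRIVATE_SG and not only_from_group(g, PUBLIC_SG):
            findings.append("accepts traffic not sourced from the public SG")
        out[g["GroupName"]] = findings
    return out
```

Against the constructed data the public SG is flagged for SSH open to the world (the production caveat from item 5) and the private SG passes; against a real account you would feed it the IpPermissions returned by describe_security_groups.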
Step -2:
Well done, we have completed all the necessary components for a VPC. Let's create 2 EC2 instances: one web server (to host a simple web page) placed in the public subnet with the public security group attached, and another instance in the private subnet, to validate that it is not accessible from the Internet and is accessible only from the public EC2 instance.
Do not worry, I will put the overall context diagram at the end of this blog.
To create an EC2 instance,
1. Search for EC2 in the AWS console and click EC2.
2. Click on Instances on the left panel of the EC2 console.
3. Click on Launch instances.
4. Give the instance a name.
5. Select the Amazon Linux type (here we are using the free tier) for our demo.
6. Select the instance type as t2.micro (AWS has 300+ instance types; depending upon the workload, the user can select the right instance type). For this demo, on the free tier, we use t2.micro.
7. To connect to the EC2 instance via SSH, we need a key pair; this will help in downloading and upgrading packages in EC2 as well. Since we need to test the connectivity to the private instance from the public instance (at a later stage), we create a key pair and save it locally.
8. In Network settings, select the custom VPC (created earlier) and select the public subnet.
9. In the Firewall setting, select the public security group.
10. Select the default storage (EC2 instance storage).
11. We will add user data. In user data, the user can add and install some packages, so after the EC2 instance is created, the user data script is executed as well.
In our case we want to install the httpd server, so copy and paste the user data below into the user data section. (The user data field is available under Advanced options.)
#!/bin/bash
# Update installed packages, install Apache httpd, then start it and enable it at boot
yum update -y
yum install -y httpd.x86_64
systemctl start httpd.service
systemctl enable httpd.service
12. Click Launch instance to create the EC2 instance. The user can see the status.
13. Click on the Instances tab to see all our instances. The user can see a new instance created now, named “my-demo-webserver”. The instance will be in the initializing state for some time, and after that the status check will show 2/2 checks passed.
14. To check whether the web page is available or not, take the public IP address of the instance.
15. Take the public IP address, open a new Internet Explorer window and paste the IP; hurray, the web page is working and accessible as well.
Step -3: We will create another instance with the same steps as in Step 2, but we will attach the private SG and the private subnet to the instance. See the only changes below.
Since the instance is created in the private subnet, there is no public IP address available.
Step -4: Now let's verify whether we can access the private instance from the public instance or not. For that, first connect to the public instance (there are many ways a user can connect to the public instance; please follow the blog — to get the details of how to connect to an instance from Systems Manager).
To connect to the private instance, we need to import the key pair (which was created during instance creation) into a key file. Just open the key pair file, create a file on the public instance (in this case, we gave it the name private_key.pem) and paste the contents.
Let's ping the private instance with the command ping <<private instance ip address>>; the ping is not working. Let's add ICMP to the private instance's security group and verify again.
Now see whether the ping command is working or not.
Let's SSH to the private instance and log in to it from the public instance:
sudo chmod 600 private_key.pem [This is important: it restricts the permissions of the key file so that ssh will accept it]
ssh -i private_key.pem ec2-user@10.0.1.209 [Replace the key name and IP address accordingly]
Step -5: We already added a NAT gateway in the public subnet and the route to it in the private subnet's route table; let's verify whether the private instance is able to connect to the Internet or not.
Note — If there is no route available in the route table attached to the private subnet, please add it.
Note — The private instance may need to connect to the Internet to download some software packages or patches.
DO NOT forget to clean up all services (the NAT gateway is the important one, as it is not covered under the free tier).
Wow, congratulations, we are able to create a custom VPC, create 2 instances (public and private) and check the connectivity. The overall context diagram is:
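The note above is the common failure at this step, and its mirror image (a "private" subnet whose default route points at the internet gateway) is the more dangerous one. The check below is an added example, not code from the original post; the route tables are constructed in the shape of boto3's describe_route_tables output, the VPC CIDR 10.0.0.0/16 and every ID are placeholders, and the private table is deliberately missing its NAT route to reproduce the note.

```python
# Added example (not from the original post): check the route tables Step 5 relies on.
# Constructed in the shape of boto3 describe_route_tables output; the VPC CIDR and IDs
# are placeholders, and the private table deliberately lacks its NAT route.
PUBLIC_SUBNET, PRIVATE_SUBNET = "subnet-0public0000000000", "subnet-0private000000000"

ROUTE_TABLES = [
    {"RouteTableId": "rtb-0public000000000",
     "Associations": [{"SubnetId": PUBLIC_SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0placeholder0000"}]},
    {"RouteTableId": "rtb-0private00000000",
     "Associations": [{"SubnetId": PRIVATE_SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

def default_route(table):
    """Return ("igw" | "nat" | None, target id) for the table's 0.0.0.0/0 route."""
    for r in table["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("NatGatewayId"):
            return "nat", r["NatGatewayId"]
        if str(r.get("GatewayId", "")).startswith("igw-"):
            return "igw", r["GatewayId"]
    return None, None

def table_for_subnet(tables, subnet_id):
    """Route table explicitly associated with `subnet_id`, or None (main table applies)."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return None

def check_private_subnet(tables, subnet_id):
    """Findings for a subnet meant to be private: internet only via NAT, never the IGW."""
    table = table_for_subnet(tables, subnet_id)
    if table is None:
        return ["no explicit route table association (main table applies)"]
    kind, target = default_route(table)
    if kind == "igw":
        return [f"default route goes to {target}: this subnet is effectively public"]
    if kind is None:
        return ["no 0.0.0.0/0 route: add one pointing at the NAT gateway"]
    return []

def check_public_subnet(tables, subnet_id):
    """Findings for the public subnet: its default route must be the internet gateway."""
    table = table_for_subnet(tables, subnet_id)
    kind, _ = default_route(table) if table else (None, None)
    return [] if kind == "igw" else ["default route must point at the internet gateway"]
```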