Two public and two private subnets

Step One – Create VPC
- Sign into AWS Console https://console.aws.amazon.com/vpc/
- Select your choice of an AWS region
- i.e., I’m from Los Angeles and choose Northern California as my region of choice
- Click on VPCs (under Resources by Region)
- In VPC settings, type in the following:
- Name Tag = “New-VPC”
- IPv4 CIDR block = “10.0.0.0/16”
- Keep the defaults for the rest of the VPC form
- Click Create VPC
- After the New-VPC is created click on the New-VPC ID to see the details of the VPC
- Notice that by default DNS hostnames are disabled. Enabling them is not required, but many tutorials assume DNS hostnames are in use, so it is a good idea to change the DNS hostnames setting to “enabled”
Step One – Creating the Subnets
Step 1a – Public Subnet A
- On the left Navigation Pane – find and choose Subnets
- Select Create subnet
- Under VPC – click “Select a VPC” and choose the VPC created above, “New-VPC”
- Under Subnet settings
- Type in a subnet name, e.g. “New-Public-Subnet-A”
- Type in a CIDR block for the IP range you would like to create for this subnet:
- e.g. 10.0.1.0/25
- Under Availability Zone
- Note: In region US-WEST-1 there are only two availability zones, us-west-1a and us-west-1c
- Choose us-west-1a
- Keep the defaults for the rest of the Subnet Form
- Click Create Subnet
Step 1b – Public Subnet B
- On the left Navigation Pane – find and choose Subnets
- Select Create subnet
- Under VPC – click “Select a VPC” and choose the VPC created above, “New-VPC”
- Under Subnet settings
- Type in a subnet name, e.g. “New-Public-Subnet-B”
- Type in a CIDR block for the IP range you would like to create for this subnet:
- e.g. 10.0.2.1/25
- Under Availability Zone
- Note: Now we will choose an availability zone other than the one selected for Public-Subnet-A
- Choose us-west-1c
- Keep the defaults for the rest of the Subnet Form
- Click Create Subnet
Step 1c – Private Subnet A
- On the left Navigation Pane – find and choose Subnets
- Select Create subnet
- Under VPC – click “Select a VPC” and choose the VPC created above, “New-VPC”
- Under Subnet settings
- Type in a subnet name, e.g. “New-Private-Subnet-A”
- Type in a CIDR block for the IP range you would like to create for this subnet:
- e.g. 10.0.2.0/25
- Under Availability Zone
- Note: In region US-WEST-1 there are only two availability zones, us-west-1a and us-west-1c
- Choose us-west-1a
- Keep the defaults for the rest of the Subnet Form
- Click Create Subnet
Step 1d – Private Subnet B
- On the left Navigation Pane – find and choose Subnets
- Select Create subnet
- Under VPC – click “Select a VPC” and choose the VPC created above, “New-VPC”
- Under Subnet settings
- Type in a subnet name, e.g. “New-Private-Subnet-B”
- Type in a CIDR block for the IP range you would like to create for this subnet:
- e.g. 10.0.2.128/25 (128 IP addresses available for this subnet)
- Under Availability Zone
- Note: Now we will choose an availability zone other than the one selected for Private-Subnet-A
- Choose us-west-1c
- Keep the defaults for the rest of the Subnet Form
- Click Create Subnet
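Before clicking through the four subnet forms it is worth checking the address plan as a whole. The script below is an added example, not part of the tutorial, that uses only the Python standard library to verify that each subnet lies inside the VPC block, sits on a proper network boundary, uses a prefix length AWS accepts (/16 to /28), does not overlap another subnet, and that each tier spans two availability zones. The subnet names, CIDRs and zones are the tutorial's own values typed into a constructed dictionary; the reserved-address count (AWS keeps five addresses in every subnet) is a fact about AWS that the page does not state. Run against the plan as written, it reports that New-Public-Subnet-B's 10.0.2.1/25 is not on a /25 boundary and, once normalised to 10.0.2.0/25, collides with New-Private-Subnet-A; a non-overlapping choice such as 10.0.1.128/25 (my suggestion, not the page's) passes clean.

```python
# Added example (not from the tutorial): sanity-check a VPC subnet plan before
# typing it into the console. Standard library only.
import ipaddress

# Constructed to mirror the tutorial's plan: name -> (CIDR, availability zone, tier).
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "New-Public-Subnet-A":  ("10.0.1.0/25",   "us-west-1a", "public"),
    "New-Public-Subnet-B":  ("10.0.2.1/25",   "us-west-1c", "public"),
    "New-Private-Subnet-A": ("10.0.2.0/25",   "us-west-1a", "private"),
    "New-Private-Subnet-B": ("10.0.2.128/25", "us-west-1c", "private"),
}

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def check_plan(vpc_cidr, plan):
    """Return a list of (name, problem) tuples; an empty list means the plan is clean."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {}
    for name, (cidr, _az, _tier) in plan.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            problems.append((name, f"{cidr} is not on a network boundary"))
            net = ipaddress.ip_network(cidr, strict=False)  # what AWS would have to use
        if not net.subnet_of(vpc):
            problems.append((name, f"{cidr} is outside the VPC block {vpc_cidr}"))
        if not 16 <= net.prefixlen <= 28:
            problems.append((name, f"prefix /{net.prefixlen} is outside the AWS /16 to /28 range"))
        nets[name] = net

    # Every pair of subnets must be disjoint.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append((a, f"overlaps {b} ({nets[b]})"))

    # Each tier should be spread over at least two availability zones.
    for tier in ("public", "private"):
        zones = {az for (_cidr, az, t) in plan.values() if t == tier}
        if len(zones) < 2:
            problems.append((tier, "tier is not spread across two availability zones"))
    return problems


def usable_hosts(cidr):
    """Addresses you can actually assign in an AWS subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    for name, problem in check_plan(VPC_CIDR, SUBNET_PLAN):
        print(f"{name}: {problem}")
    for name, (cidr, _az, _tier) in SUBNET_PLAN.items():
        print(f"{name}: {usable_hosts(cidr)} usable addresses")
```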
Check it out – We have a new VPC with four subnets
Hurray!! We now have a New-VPC and four subnets. BUT, let’s take a closer look at how our subnets communicate, because we are not done yet: we still need to lay out the communication rules for our subnets.
Select the ID of any of the subnets and the AWS console will show all the details for the selected subnet. Notice that a route table and a network ACL were automatically created for the new subnet. The route table allows routes to all other subnets in the VPC through its 10.0.0.0/16 route, and the network ACL has an automatic deny-all for inbound and outbound traffic. So now we have subnets that can talk to each other but cannot talk to the rest of the world. Guess we aren’t done yet.
The next steps are equally important. We need a gateway to the internet that allows inbound/outbound traffic for our public subnets, and another gateway that allows outbound-only traffic for our private subnets.
We also need routing and firewall rules. So we have to install an Internet gateway and a NAT gateway (or NAT instances), update the route tables to/from the gateways, and create security groups to allow inbound traffic such as SSH, HTTP and HTTPS.
Step Two – Setup an Internet Gateway
- If you don’t have it open already, go to the AWS VPC console
- In the left hand navigation pane, select Internet Gateways
- Then click Create Internet Gateway
- Under Name Tag, give it a name, e.g. New-Internet-Gateway
- Keep the default settings for the rest of the form
- Click Create Internet Gateway
- The console will show that the gateway has been created, along with the ID of the gateway
- In the upper right hand corner, click Attach to a VPC
- In the VPC box, under available VPCs, click on Select a VPC and your New-VPC will automatically be displayed. Click on your New-VPC to select it
- Then click Attach internet gateway
Step Three – Update the Internet routing
- If you don’t have it open already, go to the AWS VPC console and select VPCs, then select your “New-VPC” by clicking on the VPC ID of “New-VPC”
- Then click the route table ID shown under Main route table (this selects the main route table of your new VPC)
- You should now see the details of a route table for your new VPC. Click the Edit Routes tab
- Click Add route
- Under Destination, type 0.0.0.0/0
- Under Target, click the down arrow and your new Internet Gateway should automatically be displayed. Select your new internet gateway
- Click Save routes
- Close the screen that pops up
- Now find and click on the Subnet Associations Tab
- Notice: The table states that you have no subnet associations and therefore:
- The following subnets have not been explicitly associated with any route tables and are therefore associated with the main route table:
- So we need to make sure we associate the public subnets with this route table (not the private subnets, we’ll fix them in just a bit)
- Click on Edit Subnet Associations button
- Select New-Public-Subnet-A and New-Public-Subnet-B
- Then click Save
Step Four – Create a NAT Gateway
CAUTION: Nothing in the first three steps incurs any charges. However, for some strange reason a NAT Gateway (unlike the Internet Gateway) IS NOT FREE! YOU WILL BE CHARGED THE MOMENT YOU CREATE A NAT GATEWAY. So don’t leave the NAT Gateway running for very long unless you are willing to pay about $1.00 or more per day; if you leave it running for an hour, it will cost you about a nickel per hour in the US regions.
An alternative is a NAT instance (an EC2 instance specially configured as a NAT). The AWS Free Tier allows 750 hours of t2.micro EC2 running time per month, so a NAT instance is a good choice on a Free Tier account. Creating a NAT instance will be covered as an alternative below. That said, a NAT Gateway is a managed AWS service that is scalable and more efficient at routing traffic to the internet, and in my opinion it is worth a few cents to leave it running for a few hours.
- Go to the AWS VPC console
- In the left hand navigation pane select NAT Gateways
- Click Create NAT Gateway
- In the NAT gateway settings under Name type New-NAT-Gateway
- Under Subnet, click Select a subnet, and select New-Public-Subnet-A
- Next to the Elastic IP allocation ID field is an Allocate Elastic IP button; click it and an Elastic IP will be allocated automatically
- Caution: if you delete a NAT Gateway, its Elastic IP address may still exist, no longer associated with anything.
- AWS does NOT charge for an Elastic IP address that is allocated and associated, so during the lifetime of your NAT gateway there is no extra charge for the Elastic IP address
- But AWS DOES CHARGE for an Elastic IP address that IS NOT associated. If you delete the NAT gateway, make sure you don’t leave an Elastic IP address sitting around with no association (it will cost you money).
- Click Create NAT gateway
- Ideally, in a production VPC design, we would repeat the creation of a NAT gateway in the other public subnet (New-Public-Subnet-B). However, for the purposes of this tutorial, and because most of us will be testing with a Free Tier AWS account, a single NAT gateway will suffice.
- A second NAT gateway in another availability zone adds resilience to our architecture: if an event in one availability zone causes a service outage for the resources in it, the NAT gateway in the other availability zone keeps working.
Step Five – Create a route table for Private Subnets via our new NAT gateway
- Go to the AWS VPC console
- In the left hand navigation pane select Route Tables
- Click Create Route Table button
- Type Private Route Table for the Name Tag
- For VPC, click the down arrow and Select our New-VPC
- Click Create
- Click on the route table ID in the screen that pops up
- Click the Routes tab
- Click Edit Routes
- Click Add route
- Type 0.0.0.0/0 for the Destination
- Under Target click the down arrow and select our New-NAT-Gateway
- Click Save Routes
- Close the screen that pops up
- Click the Subnet Associations tab
- Click the Edit Subnet Associations button
- Click New-Private-Subnet-A and New-Private-Subnet-B
- Then click Save
A Working VPC with two public and two private subnets is now operational
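With the two route tables in place, the security-relevant question is which subnets can reach the Internet Gateway directly. The script below is an added example, not part of the tutorial, that audits route tables in the shape returned by `aws ec2 describe-route-tables` (the data here is constructed inline with placeholder IDs, not fetched from AWS): it classifies each explicitly associated subnet as public (default route to an igw-), private (default route to a nat-) or isolated, compares that against the intended tier, and flags a main route table that carries an Internet Gateway route. That last finding is what the tutorial's Step Three produces: because the IGW route lives in the main table, any subnet created later without an explicit association becomes publicly routable by default.

```python
# Added example (not from the tutorial): audit which subnets have a path to the
# Internet Gateway. Input mimics `aws ec2 describe-route-tables` but is
# constructed here; all IDs are placeholders.

ROUTE_TABLES = [
    {   # Main route table: the tutorial adds the IGW default route here (Step Three)
        "RouteTableId": "rtb-MAIN-PLACEHOLDER",
        "Associations": [
            {"Main": True},
            {"Main": False, "SubnetId": "subnet-public-a"},
            {"Main": False, "SubnetId": "subnet-public-b"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
        ],
    },
    {   # "Private Route Table" from Step Five
        "RouteTableId": "rtb-PRIVATE-PLACEHOLDER",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-private-a"},
            {"Main": False, "SubnetId": "subnet-private-b"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER"},
        ],
    },
]

# The tier each subnet is supposed to be in (constructed to match the tutorial).
EXPECTED_TIER = {
    "subnet-public-a": "public", "subnet-public-b": "public",
    "subnet-private-a": "private", "subnet-private-b": "private",
}


def default_route_target(table):
    """Return 'igw', 'nat' or None depending on where 0.0.0.0/0 is sent."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
    return None


def classify_subnets(route_tables):
    """Map each explicitly associated subnet to public / private / isolated."""
    tier_of = {"igw": "public", "nat": "private", None: "isolated"}
    result = {}
    for table in route_tables:
        tier = tier_of[default_route_target(table)]
        for assoc in table["Associations"]:
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = tier
    return result


def audit(route_tables, expected):
    """Return human-readable findings; an empty list means routing matches intent."""
    findings = []
    actual = classify_subnets(route_tables)
    for subnet, want in expected.items():
        got = actual.get(subnet, "unassociated (inherits the main table)")
        if got != want:
            findings.append(f"{subnet}: expected {want}, got {got}")
    for table in route_tables:
        is_main = any(assoc.get("Main") for assoc in table["Associations"])
        if is_main and default_route_target(table) == "igw":
            findings.append(
                f"{table['RouteTableId']}: main route table sends 0.0.0.0/0 to an Internet "
                "Gateway, so any future subnet without an explicit association is public by default")
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTE_TABLES, EXPECTED_TIER):
        print("FINDING:", finding)
```

A cleaner layout, if you want the default to be "no internet", is to keep the main route table with only the local route and put the IGW route in a dedicated public route table that is explicitly associated with the two public subnets.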
Optional – Testing the new VPC with a bastion host
- See the page Create Security group and setup “allow SSH”
- See the page Create an EC2 instance and set up an EC2 instance in either one of the public subnets with a public IP address; assign it the Allow SSH security group created in the first step, and give the new EC2 instance a tag Key=”Name”, Value=”Bastion Host”.
- Note: A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet.
- Jot down the Private IP address of the new EC2 instance (the private IP address will be used in the next step)
- Create another new security group that allows SSH only from the private IP address of the bastion host created above, and name it “SSH-Bastion”
- Create another EC2 instance in a private subnet, without a public IP address.
- Any server installed in a private subnet should not have a public IP address. Without a public IP address we eliminate the ability to connect to the EC2 instance from the internet (hence why it is called “private”)
- We need another avenue to connect to a private server, which is why we created the bastion host. We’ll connect to the bastion host, and then SSH from the bastion host to the private server
- Ideally by now you have created an AWS key pair, for example “testkey.pem”, and have already copied it to an appropriate folder. These instructions assume the key is located in the hidden folder ~/.ssh.
- At the command line, type in:
ssh-add ~/.ssh/testkey.pem
- Note: the line above assumes the location of your private key; change the path if your private key is located somewhere other than the ~/.ssh folder
- ssh-add is a command for adding SSH private keys to the SSH authentication agent, which provides single sign-on with SSH. The agent process is called ssh-agent
- Note: this allows us to connect to the bastion host, and then from the bastion host connect to a private server, without having to copy our private key to the bastion host
- Now we connect to the Bastion host using the following command
ssh -A ip-address
Where “ip-address” is the public IP address of the bastion host
- And now we connect to a private server, once connected to the bastion host
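Two things are worth checking before relying on this bastion setup: that the security groups really narrow SSH the way the steps intend, and how the second hop authenticates. The script below is an added example, not part of the tutorial, that audits constructed security-group rules shaped like `aws ec2 describe-security-groups` output (the bastion's private IP, the admin range 203.0.113.0/24 and the 0.0.0.0/0 source are all constructed placeholders) and builds the SSH command for the second hop with ProxyJump (`ssh -J`) instead of agent forwarding (`ssh -A`). With `-J`, the key that was loaded with ssh-add stays in the local agent and authenticates both hops, and the bastion never gets a handle on your agent, so a compromised bastion cannot use your key while you are connected. The `ec2-user` login name is an assumption (it is the default on Amazon Linux), not something the page states.

```python
# Added example (not from the tutorial): audit the bastion-pattern security
# groups and build the second-hop SSH command with ProxyJump. All data is
# constructed; replace the placeholders with your own values.
import ipaddress

BASTION_PRIVATE_IP = "10.0.1.10"    # constructed; use the value noted from the console
ADMIN_CIDR = "203.0.113.0/24"        # constructed; the office/VPN range admins connect from

# Constructed to mirror the tutorial's two groups. The console's "Anywhere"
# source (0.0.0.0/0) is what "Allow SSH" ends up with if the source is not narrowed.
SECURITY_GROUPS = {
    "Allow SSH": [    # attached to the bastion host
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Cidrs": ["0.0.0.0/0"]},
    ],
    "SSH-Bastion": [  # attached to the private server
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "Cidrs": [f"{BASTION_PRIVATE_IP}/32"]},
    ],
}


def covers_ssh(rule):
    """True if the rule admits TCP port 22 (an 'all traffic' rule counts too)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= 22 <= rule["ToPort"]


def audit_ssh_rules(groups, bastion_ip, admin_cidr):
    """Findings: the private tier may accept SSH only from the bastion's private
    IP, and the bastion may accept SSH only from the admin range."""
    admin = ipaddress.ip_network(admin_cidr)
    bastion = ipaddress.ip_network(f"{bastion_ip}/32")
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            if not covers_ssh(rule):
                continue
            for cidr in rule["Cidrs"]:
                src = ipaddress.ip_network(cidr)
                if name == "SSH-Bastion":
                    if src != bastion:
                        findings.append(f"{name}: SSH allowed from {cidr}, expected only {bastion}")
                elif not src.subnet_of(admin):
                    findings.append(f"{name}: SSH open to {cidr}; restrict it to {admin_cidr}")
    return findings


def jump_command(bastion_public_ip, private_ip, user="ec2-user"):
    """argv for reaching the private server through the bastion with ProxyJump.
    The key added with ssh-add stays in the local agent and is used for both
    hops; unlike `ssh -A`, nothing is forwarded to the bastion."""
    return ["ssh", "-J", f"{user}@{bastion_public_ip}", f"{user}@{private_ip}"]


if __name__ == "__main__":
    for finding in audit_ssh_rules(SECURITY_GROUPS, BASTION_PRIVATE_IP, ADMIN_CIDR):
        print("FINDING:", finding)
    # 198.51.100.7 and 10.0.2.20 are constructed placeholder addresses.
    print(" ".join(jump_command("198.51.100.7", "10.0.2.20")))
```

If you keep using `ssh -A` as the tutorial does, the audit still applies: the security-group rules are what keep the bastion from being reachable from the whole internet on port 22.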
Clean Up
Once finished with this exercise, be sure to delete the following. You do not want to leave the resources from this tutorial running, as they will consume your allocation of Free Tier hours; this goes especially for the NAT Gateway, which is not free even within a Free Tier account
Note: If you did use a NAT gateway, running it for a few hours will cost you less than a dollar (at today’s pricing in the us-west region)
- Terminate the EC2 instances
- Delete the new Security Groups
- Note: It’s OK to leave security groups in place; security groups are free in AWS
- Delete the NAT Gateway (especially remember to delete the NAT gateway, it is not free)
- Release all Elastic IP addresses
- Delete the VPC
- Note: It’s OK to leave a VPC with subnets in place
- A VPC and its subnets are free on any AWS account