Creating a Static Website using Amazon AWS S3

Step 1: Create a bucket

Note: The instructions below use the AWS console to create a bucket; it is the easiest way to create one.

To create a bucket, you need an AWS account and credentials that can authenticate S3 requests (a console sign-in, or an Access Key ID and secret key for the CLI and API). Whoever creates the bucket becomes the bucket owner.

Not every string is an acceptable bucket name. For the restrictions, see Bucket naming rules.

You can also create a bucket by other means, for example with the AWS CLI from a macOS or Linux terminal, or from Windows CMD or PowerShell.

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
  2. Choose Create bucket
  3. Enter the Bucket name (for example, my-awesome-bucket)

Note: S3 bucket names must be unique across all AWS accounts and all Regions (the namespace is global), so a name someone else already uses is rejected.

  4. Choose the Region where you want to create the bucket
  5. Accept the default settings (including Block all public access, which Step 3 revisits) and choose Create bucket.

Step 2: Enable static website hosting

After you create a bucket, you can enable static website hosting for your bucket.

To enable static website hosting

  1. In the Buckets list, choose the bucket for which you want to enable static website hosting
  2. Choose Properties
  3. Under Static website hosting, choose Edit
  4. Under Static website hosting, choose Enable
  5. Under Hosting type, choose Host a static website
  6. In Index document, enter the file name of the index document, typically index.html
  7. To provide your own custom error document for 4XX class errors, in Error document, enter its file name (for example, 404.html)
  8. Choose Save changes

Amazon S3 enables static website hosting for your bucket. At the bottom of the Properties page, under Static website hosting, you see the Bucket website endpoint.

Note the endpoint. It is the Amazon S3 website endpoint for your bucket; after you finish configuring the bucket as a static website, you can use it to test the site. It serves plain HTTP only (see Step 7).

Step 3: Edit Block Public Access settings

By default, AWS blocks public access at both the account level and the bucket level (the S3 Block Public Access settings).

To use a bucket to host a static website, edit its Block Public Access settings as follows.

Warning

Before you complete this step, review Blocking public access to your Amazon S3 storage so that you understand and accept the risks of allowing public access. When you turn off Block Public Access to make your bucket public, anyone on the internet can read it. AWS recommends keeping Block Public Access on for your buckets; if you need public content served over HTTPS, a bucket kept private behind Amazon CloudFront is the safer pattern. For this exercise, use a bucket created only for the website and put nothing in it that you would not publish. Also check that the account-level Block Public Access setting is not still on, because it overrides the bucket-level setting you change here.

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/
  2. Choose the name of the bucket that you have configured as a static website
  3. Choose Permissions
  4. Under Block public access (bucket settings), choose Edit
  5. Clear Block all public access, choose Save changes, and confirm the change when prompted

Step 4: Add a bucket policy to make your bucket publicly available

After you edit the S3 Block Public Access settings, add a bucket policy that grants public read access to the objects in the bucket. With this policy, anyone on the internet can read every object in the bucket, although the policy below does not allow listing the bucket's contents.

  1. Under Buckets, choose the name of your bucket
  2. Choose Permissions
  3. Under Bucket Policy, choose Edit
  4. To grant public read access for your website, copy the following bucket policy, and paste it in the Bucket policy editor

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::Bucket-Name/*"
            ]
        }
    ]
}

Replace Bucket-Name in the Resource ARN with the name of YOUR BUCKET before saving, and leave the trailing /* in place so that the statement applies to the objects in the bucket.

In the preceding example, "Bucket-Name" is a placeholder. It is the Resource ARN, not the Sid, that must change to match your bucket's name.

Choose Save changes.

Step 5: Configure an index document

When you enable static website hosting for your bucket, you enter the name of the index document (for example, index.html). After you enable static website hosting for the bucket, you upload an HTML file with this index document name to your bucket.

To configure the index document

  1. Create an index.html file. If you don't have one, you can use the following HTML:

    <!DOCTYPE html>
    <html>
    <head>
        <title>My Website Home Page</title>
    </head>
    <body>
        <h1>Welcome to my website</h1>
        <p>Now hosted on Amazon S3!</p>
    </body>
    </html>

  2. Save the index file locally.

    The index document file name is case sensitive: index.html, not Index.html.

Alternatively, a compressed zip file containing a generic website is provided below. Download it, unzip the files locally, and then upload index.html along with the images and assets folders to your S3 bucket.

  3. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
  4. In the Buckets list, choose your bucket
  5. To upload the index document to your bucket, do one of the following:
    • Drag and drop the index file into the console bucket listing.
    • Choose Upload, and follow the prompts to choose and upload the index file. You can upload your own static website files at the same time, or the generic website files provided below.

Step 6: Configure an error document

When you enable static website hosting, you can name an error document that S3 returns for 4XX errors, such as a request for an object that does not exist. Upload a file with exactly that name.

To configure the error document

  1. Create an error document, for example 404.html:

    <!DOCTYPE html>
    <html>
    <head>
        <title>Something went wrong</title>
    </head>
    <body>
        <h1>Sorry about that</h1>
        <p>Now hosted on Amazon S3!</p>
    </body>
    </html>

  2. Save the error document file locally.

    Remember, the file name is case sensitive and must match the Error document name you entered in Step 2.

  3. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

  4. To upload the error document to your bucket, do one of the following:

    • Drag and drop the error document file into the console bucket listing.
    • Choose Upload, and follow the prompts to choose and upload the error document. For step-by-step instructions, see Uploading objects.

Step 7: Test your website endpoint

After you configure static website hosting for your bucket, you can test your website endpoint.

Note: The S3 website endpoint serves HTTP only; it does not support HTTPS. If you want HTTPS (and you should for anything beyond a test), put Amazon CloudFront in front of the bucket. CloudFront can also read from a bucket that stays private, in which case Steps 3 and 4 are not needed.

  1. Under Buckets, choose the name of your bucket
  2. Choose Properties
  3. At the bottom of the page, under Static website hosting, choose your Bucket website endpoint
  4. Your new website opens in a separate browser window.

You now have a website hosted on Amazon S3. This website is available at the Amazon S3 website endpoint.

Step 8: Clean up

If you created your static website only as a learning exercise, delete the AWS resources that you allocated so that you do not accrue charges.
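The whole procedure above, Steps 1 through 8, as one AWS CLI script. This is an added example, not part of the original page or of AWS's documentation; the bucket name, Region and file names are assumptions. The helper functions (name validation and policy rendering) run without touching AWS, while the deploy and teardown functions call the real CLI only when DEPLOY=1 or TEARDOWN=1 is set:

```sh
#!/bin/sh
# Added example (not from the original page): the S3 static-website steps
# with the AWS CLI. Needs the AWS CLI v2 and S3 permissions when DEPLOY=1 or
# TEARDOWN=1 is set; the helpers below run offline. Bucket name, Region and
# file names are assumptions for the example.

# validate_bucket_name NAME
# The naming rules that bite most often: 3-63 chars; lowercase letters,
# digits, dots and hyphens only; starts and ends with a letter or digit;
# no adjacent dots; not an IPv4 address; no reserved "xn--" prefix or
# "-s3alias" suffix.
validate_bucket_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^[a-z0-9][a-z0-9.-]*[a-z0-9]$' || return 1
  case $name in
    *..*|xn--*|*-s3alias) return 1 ;;
  esac
  printf '%s\n' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && return 1
  return 0
}

# render_bucket_policy NAME
# The Step 4 policy with the Resource ARN filled in. It grants only
# s3:GetObject on objects, not s3:ListBucket, so an anonymous visitor can
# fetch a file whose name they know but cannot enumerate the bucket.
render_bucket_policy() {
  cat <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::$1/*"]
        }
    ]
}
EOF
}

# deploy_static_site NAME REGION  (Steps 1-7; creates public resources)
deploy_static_site() {
  bucket=$1; region=$2
  validate_bucket_name "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }
  # Step 1: create the bucket (us-east-1 rejects a LocationConstraint).
  if [ "$region" = us-east-1 ]; then
    aws s3api create-bucket --bucket "$bucket" --region "$region"
  else
    aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration LocationConstraint="$region"
  fi
  # Step 3: relax Block Public Access for this bucket only. The policy in
  # Step 4 is rejected while BlockPublicPolicy is still true.
  aws s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration \
    BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false
  # Step 4: attach the public-read policy.
  render_bucket_policy "$bucket" > /tmp/policy.json
  aws s3api put-bucket-policy --bucket "$bucket" --policy file:///tmp/policy.json
  # Step 2: enable website hosting with index and error documents.
  aws s3 website "s3://$bucket/" --index-document index.html --error-document 404.html
  # Steps 5 and 6: upload the documents (object keys are case sensitive).
  aws s3 cp index.html "s3://$bucket/index.html" --content-type text/html
  aws s3 cp 404.html "s3://$bucket/404.html" --content-type text/html
  # Step 7: the website endpoint, HTTP only. Most Regions use the
  # "s3-website-REGION" form; a few older Regions use "s3-website.REGION".
  echo "http://$bucket.s3-website-$region.amazonaws.com"
}

# teardown_static_site NAME  (Step 8; --force deletes the objects first)
teardown_static_site() { aws s3 rb "s3://$1" --force; }

if [ "${DEPLOY:-0}" = 1 ]; then deploy_static_site "$1" "$2"; fi
if [ "${TEARDOWN:-0}" = 1 ]; then teardown_static_site "$1"; fi
```

Run it as DEPLOY=1 sh s3site.sh my-awesome-bucket us-west-1 from the folder holding index.html and 404.html, and TEARDOWN=1 sh s3site.sh my-awesome-bucket when done. The order matters in one place: the bucket policy cannot be attached while BlockPublicPolicy is on, which is why the script relaxes the four Block Public Access settings before putting the policy.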


Files you can use to create a generic Web site

Note: The index.html file included below is a slightly modified version of a website template provided by HTML5 UP. The files are provided to make the exercise more interesting; I take no responsibility for the content, and you use it at your own risk. At the time of writing, the files were free of viruses and malware.

Launch an EC2 instance and Connect

This assumes you have left the default VPC in place or have created your own VPC with a public subnet. Also, select the Region in which you want the EC2 instance before launching it.

Note: EC2 Free Tier accounts: only the t2.micro instance type is free, and only for up to 750 hours per month.

To launch an EC2 instance

  • Sign in to the AWS Management Console
    • Choose the Region in which you wish to launch
  • Choose EC2 Dashboard, and then choose Launch instance
  • Choose the Amazon Linux 2 AMI
  • Choose the t2.micro instance type (Free Tier)
  • Choose Next: Configure Instance Details
    • Network: Choose the VPC with a public subnet (either the default VPC or one you have created)
    • Subnet: Choose an existing public subnet
    • Auto-assign Public IP: Choose Enable
  • Choose Next: Add Storage and keep the defaults, then choose Next: Add Tags and add a tag of your choosing:
    • example: Key = "Name" and Value = "Test Server"
  • Choose Next: Configure Security Group (or, if you have already created a security group that allows SSH, choose Select an existing security group)
    • Keep the default SSH rule, but change Source from Anywhere (0.0.0.0/0) to My IP. Port 22 open to 0.0.0.0/0 is scanned and brute-forced by automated tools soon after launch; the key pair still has to be stolen or guessed, but there is no reason to give the whole internet the chance.
  • Choose Review and Launch
  • On the Review Instance Launch page, verify your settings and then choose Launch
  • In the Select an existing key pair or create a new key pair dialog:
    • Create a new key pair and give it a name, for example "TestKey" or "EC2Key". Be very sure to choose Download Key Pair (you will use this key for connectivity, potentially for all of your AWS exercises), and save the .pem file on your local machine. Treat it like a password: keep it out of shared folders and version control, and restrict its permissions (chmod 400 on macOS or Linux), since SSH refuses a private key that other users can read. You use this key pair file to connect to your EC2 instance.
  • To launch your EC2 instance, choose Launch Instances
  • Choose View Instances to find your instance.
  • Wait until the Instance state for your instance reads Running

To connect to your EC2 instance:
Go to Amazon's EC2 connect guide, which gives a good explanation of the options for connecting to an EC2 instance.


UPDATE YOUR EC2 INSTANCE

Once connected, apply the pending package updates:

sudo yum update -y

There you go: you have launched and updated an AWS virtual server in just a few minutes.


Next Steps

If you would like to create a web server next, go ahead to the next module.


Caution: Terminate an EC2 instance when you are finished with it, so that you do not incur costs for leaving it running.

It goes without saying, but it has to be said anyway: this is not for production!

A public website should have a web application firewall between the web server and the internet, and it should be monitored, with event logging and incident management in place. The list of things that make a better architecture for a website goes on, but that is enough for now.

Creating an AWS Security Group

Create a Security Group for Public network

This exercise creates a security group, using the AWS console, that allows HTTP and HTTPS inbound to EC2 instances in a public subnet.

Note: This is for testing purposes only. Normally a web server sits behind an application firewall and possibly a load balancer, with monitoring and notification services in place, but we are creating a test, not production.


Security group for an EC2 instance hosting a Website

  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • In the left navigation pane, choose Security Groups.
  • Choose Create security group.
  • Enter a name for the security group (for example, Web Services), and then provide a description (allows http & https inbound).
  • For VPC, select the ID of your VPC.
  • (Optional) Add a tag. Choose Add new tag and do the following:
    • For Key, enter "Name".
    • For Value, enter "Web Services".
  • Under Inbound rules, choose Add rule
    • Under Type, choose "HTTP"
      • Under Source, choose "My IP"
        Note: You can choose 0.0.0.0/0 if you want to leave the inbound connection open to the world. I recommend "My IP", which limits the inbound connection to your network's current public IP address (update the rule if that address changes). A real public website needs 0.0.0.0/0 on ports 80 and 443, with the application firewall mentioned above doing the filtering.
  • Choose Add rule again
    • Under Type, choose "HTTPS"
    • Under Source, choose "My IP"
  • Scroll down and choose Create security group.

Create a Security group to allow SSH

This exercise creates a security group, using the AWS console, that allows SSH inbound.

  • Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  • In the left navigation pane, choose Security Groups.
  • Choose Create security group.
  • Enter a name for the security group (for example, SSH), and then provide a description (allows SSH inbound).
  • For VPC, select the ID of your VPC.
  • (Optional) Add a tag. Choose Add new tag and do the following:
    • For Key, enter "Name".
    • For Value, enter "SSH".
  • Under Inbound rules, choose Add rule
    • Under Type, choose "SSH"
      • Under Source, choose "My IP"
        Note: You can choose 0.0.0.0/0 if you want to leave the inbound connection open to the world, but for SSH there is no good reason to. I recommend "My IP", which limits the inbound connection to your network's public IP address.
  • Choose Create security group

To create a security group using the command line, use aws ec2 create-security-group with --group-name, --description and --vpc-id; the new group's ID is returned.

To describe one or more security groups using the command line, use aws ec2 describe-security-groups with --group-ids or --group-names.

By default, a new security group has only an outbound rule that allows all traffic out and no inbound rules, so all inbound traffic is denied. You must add rules to allow any inbound traffic or to restrict outbound traffic. Security groups are stateful: the replies to an allowed inbound connection are allowed out regardless of the outbound rules, and vice versa.

Adding, removing, and updating rules

When you add or remove a rule, the change applies immediately to every instance already associated with the security group.

If you have a VPC peering connection, you can reference security groups from the peer VPC as the source or destination in your security group rules. For more information, see Updating your security groups to reference peer VPC security groups in the Amazon VPC Peering Guide.

To add a rule using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Security Groups.
  3. Select the security group to update.
  4. Choose Actions, then Edit inbound rules or Edit outbound rules.
  5. Choose Add rule. For Type, select the traffic type, and then specify the source (inbound rules) or destination (outbound rules). For example, for a public web server, choose HTTP or HTTPS and enter 0.0.0.0/0 as the Source. A source of 0.0.0.0/0 lets every IPv4 address reach your instance on that port; to restrict access, enter a specific IP address or range instead.
  6. You can also allow communication between all instances that are associated with this security group. Create an inbound rule with the following options:
    • Type: All traffic
    • Source: Enter the ID of the security group itself.
  7. Choose Save rules.

To delete a rule using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Security Groups.
  3. Select the security group to update.
  4. Choose Actions, then Edit inbound rules or Edit outbound rules.
  5. Choose Delete for the rule that you want to delete.
  6. Choose Save rules.

When you modify the protocol, port range, or source or destination of an existing security group rule using the console, the console deletes the existing rule and adds a new one for you.

To update a rule using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Security Groups.
  3. Select the security group to update.
  4. Choose Actions, then Edit inbound rules or Edit outbound rules.
  5. Modify the rule entry as required.
  6. Choose Save rules.

If you are updating the protocol, port range, or source or destination of an existing rule using the Amazon EC2 API or a command line tool, you cannot modify the rule. Instead, you must delete the existing rule and add a new rule. To update the rule description only, you can use the update-security-group-rule-descriptions-ingress and update-security-group-rule-descriptions-egress commands.

To add a rule to a security group using the command line, use aws ec2 authorize-security-group-ingress (or authorize-security-group-egress).

To delete a rule from a security group using the command line, use aws ec2 revoke-security-group-ingress (or revoke-security-group-egress), specifying the same protocol, port range and source as the rule you want removed.

To update the description for a security group rule using the command line, use aws ec2 update-security-group-rule-descriptions-ingress or update-security-group-rule-descriptions-egress.
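The console steps in this section, together with the command-line operations named just above, as one AWS CLI script. This is an added example and not code from the original page; the VPC ID (read from VPC_ID), the group names and the descriptions are assumptions taken from the console walk-through. The rule-building helpers run offline, and the aws calls run only when APPLY=1:

```sh
#!/bin/sh
# Added example (not from the original page): the security-group workflow of
# this section with the AWS CLI. VPC_ID, group names and descriptions are
# assumptions. The aws calls run only when APPLY=1; the helpers run offline.

# ingress_permission PROTO PORT CIDR DESCRIPTION
# Emits the --ip-permissions JSON for one inbound rule. The JSON form is
# used because the --protocol/--port/--cidr shorthand cannot carry a
# description, and descriptions are what make a rule auditable later.
ingress_permission() {
  printf '[{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s","Description":"%s"}]}]\n' \
    "$1" "$2" "$2" "$3" "$4"
}

# is_world_open CIDR -> 0 when the source admits the whole internet
is_world_open() { case $1 in 0.0.0.0/0|::/0) return 0 ;; *) return 1 ;; esac; }

# my_ip_cidr -> the console's "My IP" choice as a /32 (needs network access)
my_ip_cidr() { printf '%s/32\n' "$(curl -fsS https://checkip.amazonaws.com)"; }

# create_sg VPC_ID NAME DESCRIPTION -> group ID
create_sg() {
  aws ec2 create-security-group --vpc-id "$1" --group-name "$2" --description "$3" \
    --query GroupId --output text
}

# allow_in SG_ID PROTO PORT CIDR DESCRIPTION
allow_in() {
  aws ec2 authorize-security-group-ingress --group-id "$1" \
    --ip-permissions "$(ingress_permission "$2" "$3" "$4" "$5")"
}

# web_sg VPC_ID SOURCE_CIDR -> "Web Services" group: HTTP and HTTPS from SOURCE.
# For a test, SOURCE is your own /32; a real public site needs 0.0.0.0/0
# here, with a web application firewall in front as the page says.
web_sg() {
  sg=$(create_sg "$1" "Web Services" "allows http & https inbound")
  for port in 80 443; do allow_in "$sg" tcp "$port" "$2" "web from $2"; done
  echo "$sg"
}

# ssh_sg VPC_ID SOURCE_CIDR -> "SSH" group; a world-open source is refused outright
ssh_sg() {
  if is_world_open "$2"; then echo "refusing to open port 22 to $2" >&2; return 1; fi
  sg=$(create_sg "$1" "SSH" "allows SSH inbound")
  allow_in "$sg" tcp 22 "$2" "ssh from $2"
  echo "$sg"
}

# The remaining operations from this section, one command each.
show_sg()       { aws ec2 describe-security-groups --group-ids "$1"; }
revoke_in()     { aws ec2 revoke-security-group-ingress --group-id "$1" --protocol "$2" --port "$3" --cidr "$4"; }
describe_rule() { aws ec2 update-security-group-rule-descriptions-ingress --group-id "$1" \
                    --ip-permissions "$(ingress_permission "$2" "$3" "$4" "$5")"; }
# set_groups INSTANCE_ID SG_ID... replaces the whole list attached to eth0
set_groups()    { inst=$1; shift; aws ec2 modify-instance-attribute --instance-id "$inst" --groups "$@"; }
delete_sg()     { aws ec2 delete-security-group --group-id "$1"; }

if [ "${APPLY:-0}" = 1 ]; then
  src=$(my_ip_cidr)
  web_id=$(web_sg "$VPC_ID" "$src"); ssh_id=$(ssh_sg "$VPC_ID" "$src")
  show_sg "$web_id"; show_sg "$ssh_id"
fi
```

Run it as APPLY=1 VPC_ID=vpc-0123456789abcdef0 sh sg.sh (the VPC ID is a placeholder). Because the functions are plain shell, the same file also serves the later sections: revoke_in "$ssh_id" tcp 22 "$src" removes a rule, set_groups swaps an instance's groups, and delete_sg removes a group that no longer has instances attached.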

Changing an instance’s security groups

After you launch an instance into a VPC, you can change the security groups that are associated with the instance. You can change the security groups for an instance while it is in the running or stopped state.

Note: This procedure changes the security groups that are associated with the primary network interface (eth0) of the instance. To change the security groups for other network interfaces, see Changing the security group.

To change the security groups for an instance using the console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, choose Instances.
  3. Select the checkbox for the instance. The Security tab lists the security groups that are currently associated with the instance.
  4. To change the security groups that are associated with the instance, choose Actions, Security, Change security groups.
  5. For Associated security groups, select a security group from the list, and then choose Add security group. To remove an already associated security group, choose Remove for that security group.
  6. Choose Save.

To change the security groups for an instance using the command line, use aws ec2 modify-instance-attribute --instance-id with --groups followed by the complete list of group IDs that should remain attached (the list replaces the current set).

Deleting a security group

You can delete a security group only if there are no instances assigned to it (either running or stopped). You can assign the instances to another security group before you delete the security group (see Changing an instance’s security groups). You can’t delete a default security group.

If you’re using the console, you can delete more than one security group at a time. If you’re using the command line or the API, you can only delete one security group at a time.

To delete a security group using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Security Groups.
  3. Select one or more security groups and choose Actions, Delete security groups.
  4. In the confirmation dialog box, confirm the deletion.

To delete a security group using the command line, use aws ec2 delete-security-group --group-id.

Deleting the 2009-07-15-default security group

Any VPC created using an API version older than 2011-01-01 has the 2009-07-15-default security group. This security group exists in addition to the regular default security group that comes with every VPC. You can't attach an internet gateway to a VPC that has the 2009-07-15-default security group, so you must delete this security group before you can attach an internet gateway to the VPC.

Note:

If you assigned this security group to any instances, you must assign these instances a different security group before you can delete the security group.

To delete the 2009-07-15-default security group

  1. Ensure that this security group is not assigned to any instances.
    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
    2. In the navigation pane, choose Network Interfaces.
    3. Select the network interface for the instance from the list, and choose Actions, Change Security Groups.
    4. In the Change Security Groups dialog box, select a new security group from the list, and choose Save. When changing an instance's security group, you can select multiple groups from the list. The security groups that you select replace the current security groups for the instance.
    5. Repeat the preceding steps for each instance.
  2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  3. In the navigation pane, choose Security Groups.
  4. Choose the 2009-07-15-default security group, and then choose Security Group ActionsDelete Security Group.
  5. In the Delete Security Group dialog box, choose Yes, Delete.

Creating a VPC manually

Two public and two private subnets

Step One – Create VPC

  1. Sign in to the AWS Console and open the VPC console at https://console.aws.amazon.com/vpc/
  2. Select your choice of AWS Region
    • ie. I'm from Los Angeles and choose Northern California (us-west-1) as my Region of choice
  3. Choose VPCs (under Resources by Region), then Create VPC
  4. In VPC settings, enter the following:
    • Name tag = "New-VPC"
    • IPv4 CIDR block = "10.0.0.0/16"
    • Keep the defaults for the rest of the VPC form
    • Choose Create VPC
    • After New-VPC is created, choose its VPC ID to see the details of the VPC
    • Notice that DNS hostnames is disabled by default. It is not required for this exercise, but instances only receive public DNS names when it is enabled and many tutorials assume it, so it is a good idea to edit the VPC settings and enable DNS hostnames

Step One (continued) – Creating the Subnets

Step 1a – Public Subnet A

  1. In the left navigation pane, choose Subnets
  2. Choose Create subnet
  3. Under VPC, choose Select a VPC and pick the VPC you just created, "New-VPC"
  4. Under Subnet settings
    • Enter a subnet name, e.g. "New-Public-Subnet-A"
    • Enter the IPv4 CIDR block for this subnet:
      • e.g. 10.0.1.0/25
  5. Under Availability Zone
    • Note: Region us-west-1 offers two Availability Zones to each account. The letters are assigned per account, so you may see us-west-1a and us-west-1b rather than us-west-1a and us-west-1c. What matters is that the two public subnets land in different zones and that each private subnet shares a zone with one public subnet.
    • Choose the first zone (us-west-1a in this account)
  6. Keep the defaults for the rest of the subnet form
  7. Choose Create subnet

Step 1b – Public Subnet B

  1. In the left navigation pane, choose Subnets
  2. Choose Create subnet
  3. Under VPC, choose Select a VPC and pick "New-VPC"
  4. Under Subnet settings
    • Enter a subnet name, e.g. "New-Public-Subnet-B"
    • Enter the IPv4 CIDR block for this subnet:
      • e.g. 10.0.1.128/25 (the second half of 10.0.1.0/24; a /25 must start on a 128-address boundary, and it must not overlap the 10.0.2.0/25 block used below for Private Subnet A)
  5. Under Availability Zone
    • Note: Now we choose an Availability Zone other than the one selected for Public Subnet A
    • Choose the second zone (us-west-1c in this account)
  6. Keep the defaults for the rest of the subnet form
  7. Choose Create subnet

Step 1c – Private Subnet A

  1. In the left navigation pane, choose Subnets
  2. Choose Create subnet
  3. Under VPC, choose Select a VPC and pick "New-VPC"
  4. Under Subnet settings
    • Enter a subnet name, e.g. "New-Private-Subnet-A"
    • Enter the IPv4 CIDR block for this subnet:
      • e.g. 10.0.2.0/25
  5. Under Availability Zone
    • Choose the same zone as Public Subnet A (us-west-1a in this account)
  6. Keep the defaults for the rest of the subnet form
  7. Choose Create subnet

Step 1d – Private Subnet B

  1. In the left navigation pane, choose Subnets
  2. Choose Create subnet
  3. Under VPC, choose Select a VPC and pick "New-VPC"
  4. Under Subnet settings
    • Enter a subnet name, e.g. "New-Private-Subnet-B"
    • Enter the IPv4 CIDR block for this subnet:
      • e.g. 10.0.2.128/25 (128 addresses, of which AWS reserves the first four and the last one in every subnet, leaving 123 usable)
  5. Under Availability Zone
    • Note: Now we choose an Availability Zone other than the one selected for Private Subnet A
    • Choose the second zone (us-west-1c in this account)
  6. Keep the defaults for the rest of the subnet form
  7. Choose Create subnet

Check it out – We have a new VPC with four subnets

Hurray!! We now have a New-VPC and four subnets. BUT, let's take a closer look at subnet communications, because we are not done yet: we still need to lay out the communication rules for our subnets.

Select the ID of any of the subnets, and the console shows all the details for the selected subnet. Notice that the subnet is associated with the VPC's main route table and its default network ACL, both created automatically with the VPC. The route table contains only the local route for 10.0.0.0/16, so the subnets can reach each other but have no route to anything outside the VPC. The default network ACL allows all inbound and outbound traffic, so it is not what keeps the internet out; the missing route (and, for inbound, the missing gateway) is. So we have subnets that can talk to each other but not to the rest of the world. Guess we aren't done yet.

The next steps are equally important. We need an internet gateway so that the public subnets can send and receive internet traffic, and a NAT gateway so that the private subnets can initiate outbound connections (for package updates, for example) without being reachable from the internet.

As well, we need routing and firewall rules. So we have to create an internet gateway, a NAT gateway (or NAT instance), update the route tables to point at those gateways, and create security groups that allow the inbound traffic we want, such as SSH, HTTP and HTTPS.

Step Two – Setup an Internet Gateway

  • If you don't have it open already, go to the AWS VPC console
  • In the left navigation pane, select Internet Gateways
  • Choose Create internet gateway
  • Under Name tag, give it a name, e.g. New-Internet-Gateway
  • Keep the default settings for the rest of the form
  • Choose Create internet gateway
  • The console shows that the gateway has been created, along with its ID
  • In the upper right corner, choose Attach to a VPC
  • Under Available VPCs, choose Select a VPC; your New-VPC is offered automatically. Select it
  • Choose Attach internet gateway

Step Three – Update the Internet routing

  • If you don't have it open already, go to the AWS VPC console, select Your VPCs, and open "New-VPC" by choosing its VPC ID
  • Choose the route table ID shown under Main route table (this opens the main route table of your new VPC)
  • You should now see the details of the route table. On the Routes tab, choose Edit routes
  • Choose Add route
  • Under Destination, type 0.0.0.0/0
  • Under Target, choose Internet Gateway; your new internet gateway is offered automatically. Select it
  • Choose Save changes
  • Close the screen that pops up
  • Now open the Subnet associations tab
    • Notice: the table states that you have no explicit subnet associations, and therefore:
      • The following subnets have not been explicitly associated with any route tables and are therefore associated with the main route table
    • That means all four subnets, the private ones included, currently use this table and its new internet route. Step Five moves the private subnets to their own table; until then, treat nothing in the private subnets as private. (A cleaner design creates a separate route table for the public subnets and leaves the main route table without an internet route, so that a subnet you forget to associate stays private by default.)
  • We need to explicitly associate the public subnets with this route table (not the private subnets; we'll fix them in just a bit)
  • Choose Edit subnet associations
  • Select New-Public-Subnet-A and New-Public-Subnet-B
  • Choose Save

Step Four – Create a NAT Gateway

CAUTION: Nothing in the first three steps incurs charges. A NAT gateway, unlike an internet gateway, IS NOT FREE: you are charged by the hour from the moment you create it (about five cents per hour in US Regions, or roughly a dollar a day, at the time of writing) plus a per-gigabyte charge for the data it processes. Don't leave the NAT gateway running longer than you need it.

An alternative is a NAT instance (an EC2 instance configured to perform NAT). The AWS Free Tier allows 750 hours of t2.micro running time per month, so a NAT instance is a good choice for a Free Tier account; creating one is covered as an alternative below. That said, a NAT gateway is a managed service that scales and routes traffic to the internet more efficiently, and in my opinion it is worth a few cents to leave it running for a few hours.

  • Go to the AWS VPC console
  • In the left navigation pane, select NAT Gateways
  • Choose Create NAT gateway
  • Under Name, type New-NAT-Gateway
  • Under Subnet, choose Select a subnet and select New-Public-Subnet-A (a NAT gateway must live in a public subnet, because it relies on the internet gateway route)
  • Next to Elastic IP allocation ID is a button, Allocate Elastic IP; choose it and an Elastic IP is allocated automatically
    • Caution: if you later delete the NAT gateway, its Elastic IP address still exists, just no longer associated with anything.
    • At the time of writing, AWS did not charge for an Elastic IP address that is allocated and associated, so there was no extra charge during the lifetime of your NAT gateway, but an allocated address that is NOT associated was charged. Since February 2024 AWS charges for every public IPv4 address, associated or not, so check current pricing. Either way: when you delete the NAT gateway, release the Elastic IP rather than leaving it hanging around by itself.
  • Choose Create NAT gateway
  • Ideally, in a production VPC design, we would repeat the creation of a NAT gateway in the other public subnet (New-Public-Subnet-B). For the purposes of this tutorial, and because most of us are testing with a Free Tier account, a single NAT gateway will suffice.
    • A second NAT gateway in another Availability Zone gives resiliency to the architecture: if an event in one Availability Zone forces an outage for the resources in it, the NAT gateway in the other zone keeps working, provided each private subnet routes to the NAT gateway in its own zone.

Step Five – Create a route table for Private Subnets via our new NAT gateway

  • Go to the AWS VPC console
  • In the left navigation pane, select Route Tables
  • Choose Create route table
  • Type Private Route Table for the Name tag
  • For VPC, select New-VPC
  • Choose Create
  • Choose the route table ID in the screen that pops up
  • Choose the Routes tab
  • Choose Edit routes
  • Choose Add route
  • Type 0.0.0.0/0 for the Destination
  • Under Target, choose NAT Gateway and select New-NAT-Gateway
  • Choose Save changes
  • Close the screen that pops up
  • Choose the Subnet associations tab
  • Choose Edit subnet associations
  • Select New-Private-Subnet-A and New-Private-Subnet-B
  • Choose Save

A Working VPC with two public and two private subnets is now operational
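The VPC of Steps One through Five built with the AWS CLI, with the subnet plan validated before any resource is created. This is an added example and not code from the original page; the VPC and subnet CIDRs and the tag names follow the walk-through, the Region comes from your CLI configuration, and the Availability Zones are read from the account rather than hard-coded. The CIDR helpers run offline; build_vpc runs only when APPLY=1 because it creates a billable NAT gateway:

```sh
#!/bin/sh
# Added example (not from the original page): the VPC of Steps One to Five
# with the AWS CLI. The CIDR helpers run offline; build_vpc runs only when
# APPLY=1 because it creates a billable NAT gateway. Names and CIDRs are
# assumptions matching the tutorial.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() { ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) ); }

# mask_for PREFIXLEN -> network mask as an integer
mask_for() { echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); }

# cidr_ok SUBNET VPC -> 0 when the prefix is /16../28 (the AWS limits), the
# block starts on its own boundary (10.0.2.1/25 fails here) and it lies
# inside the VPC block.
cidr_ok() {
  s_len=${1#*/}; v_len=${2#*/}
  if [ "$s_len" -lt 16 ] || [ "$s_len" -gt 28 ]; then return 1; fi
  s=$(ip_to_int "${1%/*}"); v=$(ip_to_int "${2%/*}")
  s_mask=$(mask_for "$s_len"); v_mask=$(mask_for "$v_len")
  if [ $(( s & ~s_mask & 0xFFFFFFFF )) -ne 0 ]; then return 1; fi   # host bits set
  if [ $(( s & v_mask )) -ne $(( v & v_mask )) ]; then return 1; fi   # outside the VPC
  return 0
}

# cidrs_overlap A B -> 0 when the two blocks share any address
cidrs_overlap() {
  a=$(ip_to_int "${1%/*}"); b=$(ip_to_int "${2%/*}")
  l=${1#*/}; if [ "${2#*/}" -lt "$l" ]; then l=${2#*/}; fi
  m=$(mask_for "$l")
  [ $(( a & m )) -eq $(( b & m )) ]
}

# usable_addresses CIDR -> addresses you can assign (AWS reserves 5 per subnet)
usable_addresses() { echo $(( (1 << (32 - ${1#*/})) - 5 )); }

# plan_subnets VPC_CIDR SUBNET... -> rejects a bad or overlapping plan before
# any API call, since a wrong subnet is cheap to fix on paper and annoying in AWS
plan_subnets() {
  vpc_cidr=$1; shift
  for sn in "$@"; do
    cidr_ok "$sn" "$vpc_cidr" || { echo "bad subnet $sn for $vpc_cidr" >&2; return 1; }
    for other in "$@"; do
      [ "$sn" = "$other" ] && continue
      cidrs_overlap "$sn" "$other" && { echo "$sn overlaps $other" >&2; return 1; }
    done
  done
  return 0
}

# mk_subnet VPC_ID CIDR AZ -> subnet ID
mk_subnet() {
  aws ec2 create-subnet --vpc-id "$1" --cidr-block "$2" --availability-zone "$3" \
    --query Subnet.SubnetId --output text
}

build_vpc() {
  vpc_cidr=10.0.0.0/16
  pub_a=10.0.1.0/25; pub_b=10.0.1.128/25; priv_a=10.0.2.0/25; priv_b=10.0.2.128/25
  plan_subnets "$vpc_cidr" "$pub_a" "$pub_b" "$priv_a" "$priv_b" || return 1
  # Two zones, whatever letters this account maps them to.
  set -- $(aws ec2 describe-availability-zones --query 'AvailabilityZones[].ZoneName' --output text)
  az_a=$1; az_b=$2
  vpc=$(aws ec2 create-vpc --cidr-block "$vpc_cidr" --query Vpc.VpcId --output text)
  aws ec2 create-tags --resources "$vpc" --tags Key=Name,Value=New-VPC
  aws ec2 modify-vpc-attribute --vpc-id "$vpc" --enable-dns-hostnames "{\"Value\":true}"
  s_pub_a=$(mk_subnet "$vpc" "$pub_a" "$az_a");  s_pub_b=$(mk_subnet "$vpc" "$pub_b" "$az_b")
  s_priv_a=$(mk_subnet "$vpc" "$priv_a" "$az_a"); s_priv_b=$(mk_subnet "$vpc" "$priv_b" "$az_b")
  # Step Two: internet gateway
  igw=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"
  # Step Three: a dedicated public route table. The main table keeps only the
  # local route, so a subnet nobody associates stays private by default.
  rt_pub=$(aws ec2 create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId --output text)
  aws ec2 create-route --route-table-id "$rt_pub" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"
  for s in "$s_pub_a" "$s_pub_b"; do aws ec2 associate-route-table --route-table-id "$rt_pub" --subnet-id "$s"; done
  # Step Four: NAT gateway in public subnet A (billable from this moment)
  eip=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
  nat=$(aws ec2 create-nat-gateway --subnet-id "$s_pub_a" --allocation-id "$eip" \
          --query NatGateway.NatGatewayId --output text)
  aws ec2 wait nat-gateway-available --nat-gateway-ids "$nat"
  # Step Five: private route table via the NAT gateway
  rt_priv=$(aws ec2 create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId --output text)
  aws ec2 create-route --route-table-id "$rt_priv" --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$nat"
  for s in "$s_priv_a" "$s_priv_b"; do aws ec2 associate-route-table --route-table-id "$rt_priv" --subnet-id "$s"; done
  echo "vpc=$vpc igw=$igw nat=$nat eip=$eip  (delete the NAT gateway and release the EIP when done)"
}

if [ "${APPLY:-0}" = 1 ]; then build_vpc; fi
```

The plan check is the part worth keeping even if you build the VPC in the console: it rejects a block that does not start on its boundary and any pair of subnets that overlap, the two mistakes that the console reports only after you have already created half the subnets.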

Optional – Testing the new VPC with a bastion host

  • See the page Create Security group and set up the "allow SSH" group
  • See the page Create an EC2 instance and launch an instance in one of the public subnets with a public IP address; assign it the allow SSH security group created in the first step and the tag Key="Name", Value="Bastion Host".
    • Note: a bastion host is a server whose purpose is to provide access to a private network from an external network, such as the internet. Because it is the one host exposed to the internet, keep its SSH rule limited to your IP address and keep it patched.
  • Jot down the private IP address of the new EC2 instance (it is used in the next step)
  • Create another security group that allows SSH only from the private IP address of the bastion host (or, better, from the bastion's security group ID, which keeps working if the bastion is replaced) and name it "SSH-Bastion"
  • Create another EC2 instance in a private subnet, without a public IP address, and assign it the SSH-Bastion group.
    • A server in a private subnet should not have a public IP address. Without a public IP address there is no way to connect to the instance from the internet (hence "private").
    • We need another avenue to reach a private server, which is why we created the bastion host: we connect to the bastion host, and then SSH from the bastion host to the private server.
  • Ideally by now you have created an AWS key pair, for example "testkey.pem", and copied it to an appropriate folder. These instructions assume the key is in the hidden folder ~/.ssh.
    • At the command line, type:
ssh-add ~/.ssh/testkey.pem
  • Note: the line above assumes the location of your private key; change the path if your key is somewhere other than ~/.ssh
    • ssh-add adds SSH private keys to the SSH authentication agent (ssh-agent), so that later ssh commands can use the key without being given its path
    • Note: this allows us to connect to the bastion host, and then from the bastion host to a private server, without copying our private key to the bastion host
  • Now connect to the bastion host with agent forwarding:
ssh -A ec2-user@ip-address

Where "ip-address" is the public IP address of the bastion host and ec2-user is the default user on Amazon Linux 2. Caution: -A forwards your agent socket to the bastion, so anyone with root on the bastion can use your key for as long as you are connected. For a throwaway test that is acceptable; otherwise prefer a jump-host connection (ssh -J), which tunnels the second session through the bastion without exposing the agent to it.

  • Once connected to the bastion host, connect to the private server using its private IP address:
ssh ec2-user@private-ip-address
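The bastion test above, together with the instance launch from the earlier EC2 section, as one AWS CLI script: it launches the bastion in a public subnet and the private server without a public address, and then reaches the private server through the bastion with ProxyJump instead of agent forwarding. This is an added example and not code from the original page; the subnet and security-group IDs (PUBLIC_SUBNET, PRIVATE_SUBNET, SG_SSH, SG_SSH_BASTION), the key name and the IP addresses are assumptions supplied through environment variables. The permission check and config renderer run offline; the aws and ssh calls run only when APPLY=1 or CONNECT=1:

```sh
#!/bin/sh
# Added example (not from the original page): bastion and private instance
# from the EC2 section with the AWS CLI, reached via ssh -J / ProxyJump.
# Subnet and security-group IDs, key name and addresses are assumptions
# passed in as environment variables; aws and ssh run only when APPLY=1 or
# CONNECT=1 is set.

# latest_al2_ami -> AMI ID of the current Amazon Linux 2 image (public SSM parameter)
latest_al2_ami() {
  aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 \
    --query 'Parameters[0].Value' --output text
}

# launch_instance SUBNET_ID SG_ID KEY_NAME NAME public|private -> instance ID
# IMDSv2 is enforced (HttpTokens=required), so an SSRF bug in anything that
# later runs on the box cannot simply GET the instance's IAM credentials.
launch_instance() {
  subnet=$1; sg=$2; key=$3; name=$4
  if [ "$5" = public ]; then pub=--associate-public-ip-address; else pub=--no-associate-public-ip-address; fi
  aws ec2 run-instances --image-id "$(latest_al2_ami)" --instance-type t2.micro \
    --subnet-id "$subnet" --security-group-ids "$sg" --key-name "$key" "$pub" \
    --metadata-options HttpTokens=required,HttpEndpoint=enabled \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$name}]" \
    --query 'Instances[0].InstanceId' --output text
}

# check_key_perms KEYFILE -> 0 when group and others have no permissions
# (ssh refuses a private key that anyone else can read)
check_key_perms() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# render_ssh_config BASTION_PUBLIC_IP PRIVATE_IP KEYFILE
# Emits an ssh_config snippet. ProxyJump tunnels the second SSH session
# through the bastion: the private key stays on your machine and the bastion
# never sees an agent socket, unlike ssh -A. IdentitiesOnly stops ssh from
# offering every key in the agent to the bastion.
render_ssh_config() {
  cat <<EOF
Host bastion
    HostName $1
    User ec2-user
    IdentityFile $3
    IdentitiesOnly yes

Host private
    HostName $2
    User ec2-user
    IdentityFile $3
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# connect_private BASTION_PUBLIC_IP PRIVATE_IP KEYFILE
# Writes the snippet to a temporary config and uses it for both hops; with
# -F the jump connection sees the same IdentityFile, which a bare -i does not
# pass through to the bastion hop.
connect_private() {
  check_key_perms "$3" || { echo "fix permissions first: chmod 400 $3" >&2; return 1; }
  cfg=$(mktemp)
  render_ssh_config "$1" "$2" "$3" > "$cfg"
  ssh -F "$cfg" private
  rc=$?
  rm -f "$cfg"
  return $rc
}

if [ "${APPLY:-0}" = 1 ]; then
  bastion=$(launch_instance "$PUBLIC_SUBNET" "$SG_SSH" "$KEY_NAME" bastion public)
  private=$(launch_instance "$PRIVATE_SUBNET" "$SG_SSH_BASTION" "$KEY_NAME" private-server private)
  echo "bastion=$bastion private=$private"
fi
if [ "${CONNECT:-0}" = 1 ]; then connect_private "$BASTION_IP" "$PRIVATE_IP" "$HOME/.ssh/testkey.pem"; fi
```

Run it once as APPLY=1 with the four IDs and KEY_NAME set, wait for both instances to reach Running, then as CONNECT=1 BASTION_IP=... PRIVATE_IP=... to land on the private server in one step. The SSH-Bastion group must allow port 22 from the bastion (by private IP or by its security group ID) for the second hop to succeed.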

CleanUP

Once finished with this exercise, be sure to delete the following. Resources left running from this tutorial consume your allocation of Free Tier hours, and the NAT gateway in particular is not covered by the Free Tier at all.

Note: If you did use a NAT gateway, it will only cost you less than a dollar (today’s pricing in the us-west region) to run a NAT gateway for a few hours

  • Terminate the EC2 instances
  • Delete the new Security Groups
    • Note: It's OK to leave security groups in place; security groups are free in AWS
  • Delete the NAT gateway (especially remember this one, it is not free)
  • Release all Elastic IP addresses
  • Delete the VPC
    • Note: Its Ok to leave a VPC with subnets in place
    • A VPC and its subnets are Free on any AWS account

Architecture

Architecture – I'd like to define IT architecture as the glue between management and propeller heads.

Business managers are not always up to speed on technology, like engineers, developers, or technical leads. Often an architect will capture a manager’s business goal and requirements and translate them into technical solutions. Architects then deliver the technological solutions as blueprints to the engineers, developers, and technical leads. Inversely, architects explain the technology that engineers, technical leaders, and developers will deliver, into a language understood by business managers.

IT Architecture

An Information Technology architect’s primary goal at the beginning of any project would be to capture business goals, project requirements and understand the business processes necessary to help deliver business objectives.

I’d like to think that an architect delivers the blueprints for construction.

Anyone can build a Shack

To build a castle, you’ll need an architect in your team

My intent is to cover the following topics regarding Architecture:

  • Why architecture is important (purpose, goals, business importance)
  • Intent of architecture
    • What a solutions architect provides and what solutions architecture doesn’t provide
    • Today’s architect vs. yesterday’s architect
    • Where does an architect fit into an organization
    • When moving from waterfall projects to DevOps and Agile planning, how does an architect still provide value within fast-moving agile programs
  • Architecture as an organization
    • Yes, if a business is large enough, it probably should be an organization
  • Architecture framework
    • Deliverables
      • Important Elements of deliverables
    • Methods
    • Structure
  • Architectural reviews
  • Development and then Blueprints