Create AWS VPC with Public, Private Subnet and NAT

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.

VPC_Archi1.jpg

We recommend this scenario if you want to run a public-facing web application while keeping back-end servers that are not publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security groups and routing so that the web servers can communicate with the database servers while nothing on the Internet can reach the database servers directly.

Overview

The following diagram shows the key components of the configuration for this scenario.

vpc33.jpg

The configuration for this scenario includes the following:

  • A VPC with a size /16 IPv4 CIDR block (example: 10.0.0.0/16). This provides 65,536 private IPv4 addresses.
  • A public subnet with a size /24 IPv4 CIDR block (example: 10.0.0.0/24). This provides 256 private IPv4 addresses, of which 251 are usable: AWS reserves the first four and the last address of every subnet. A public subnet is simply a subnet whose associated route table has a route to an Internet gateway; nothing else about the subnet makes it "public".
  • A private subnet with a size /24 IPv4 CIDR block (example: 10.0.1.0/24). This provides 256 private IPv4 addresses (251 usable).
  • An Internet gateway. This connects the VPC to the Internet and to other AWS services.
  • Instances with private IPv4 addresses in the subnet range (examples: 10.0.0.5, 10.0.1.5). This enables them to communicate with each other and with other instances in the VPC.
  • Instances in the public subnet with Elastic IPv4 addresses, which are public IPv4 addresses that enable them to be reached from the Internet. The instances can instead have public IP addresses assigned at launch. A public address by itself does not expose any service: the instance's security group still has to allow the inbound traffic.
  • A NAT gateway with its own Elastic IPv4 address. Instances in the private subnet can send requests to the Internet through the NAT gateway over IPv4 (for example, for software updates). The NAT gateway never forwards connections that are initiated from the Internet.
  • A custom route table associated with the public subnet. This route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC over IPv4, and an entry that enables instances in the subnet to communicate directly with the Internet over IPv4.
  • The main route table associated with the private subnet. This route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC over IPv4, and an entry that enables instances in the subnet to communicate with the Internet through the NAT gateway over IPv4.

In this scenario, the VPC wizard updates the main route table used with the private subnet, and creates a custom route table and associates it with the public subnet.

Main Route Table

The first entry is the default entry for local routing in the VPC; this entry enables the instances in the VPC to communicate with each other. The second entry sends all other subnet traffic to the NAT gateway.

Destination     Target
10.0.0.0/16     local
0.0.0.0/0       nat-gateway-id

Custom Route Table

The first entry is the default entry for local routing in the VPC; this entry enables the instances in this VPC to communicate with each other. The second entry routes all other traffic to the Internet over the Internet gateway.

Destination     Target
10.0.0.0/16     local
0.0.0.0/0       igw-id

For this example we will use 10.0.1.0/24 as the private subnet and 10.0.0.0/24 as the public subnet.
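Because "public" and "private" are defined purely by the route table a subnet is associated with, a quick post-build check is to read the route tables back and classify every subnet from its effective 0.0.0.0/0 target. The following is an added example, not code from the original post: it works on the shape of the `aws ec2 describe-route-tables` response, but the route tables, subnet IDs and gateway IDs below are constructed placeholders so that it runs offline.

```python
"""Classify subnets as public/private/isolated from route-table data.

Added example (not from the original post). SAMPLE_* below are constructed
to mirror the shape of `aws ec2 describe-route-tables` output; every
resource id in them is a placeholder.
"""
from typing import Dict, List, Optional

# Constructed sample matching the post's design: the VPC main table (no
# explicit subnet association) carries the NAT default route and therefore
# applies to 10.0.1.0/24; a custom table with the IGW default route is
# explicitly associated with the public subnet 10.0.0.0/24.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {
        "RouteTableId": "rtb-main0001",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d", "State": "active"},
        ],
        "Associations": [{"Main": True}],
    },
    {
        "RouteTableId": "rtb-custom02",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f9e8d7c", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-public01"}],
    },
]
SAMPLE_SUBNETS = ["subnet-public01", "subnet-private1"]  # every subnet in the VPC

# Constructed misconfiguration: the private subnet was (wrongly) associated
# with the custom table as well, so it now has a direct route to the IGW.
SAMPLE_MISROUTED_TABLES: List[Dict] = [
    SAMPLE_ROUTE_TABLES[0],
    {**SAMPLE_ROUTE_TABLES[1],
     "Associations": [{"Main": False, "SubnetId": "subnet-public01"},
                      {"Main": False, "SubnetId": "subnet-private1"}]},
]


def default_route_target(table: Dict) -> str:
    """Return the target id of the active 0.0.0.0/0 route, or '' if none.

    A route entry carries exactly one target key (GatewayId, NatGatewayId, ...),
    so whichever of those keys is present is the target.
    """
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackhole routes don't count
            continue
        for key in ("GatewayId", "NatGatewayId", "InstanceId",
                    "NetworkInterfaceId", "TransitGatewayId", "VpcPeeringConnectionId"):
            if key in route:
                return route[key]
    return ""


def classify_subnets(route_tables: List[Dict], subnet_ids: List[str]) -> Dict[str, str]:
    """Map each subnet id to 'public', 'private' or 'isolated'.

    The effective table is the one explicitly associated with the subnet,
    falling back to the VPC main table. 'public' means the default route goes
    to an internet gateway, 'private' means it goes to a NAT gateway, and
    'isolated' means there is no usable default route at all.
    """
    main: Optional[Dict] = next(
        (t for t in route_tables if any(a.get("Main") for a in t.get("Associations", []))), None)
    explicit: Dict[str, Dict] = {}
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = table
    result: Dict[str, str] = {}
    for sid in subnet_ids:
        table = explicit.get(sid, main)
        target = default_route_target(table) if table else ""
        if target.startswith("igw-"):
            result[sid] = "public"
        elif target.startswith("nat-"):
            result[sid] = "private"
        else:
            result[sid] = "isolated"
    return result


def find_misrouted_private(route_tables: List[Dict], subnet_ids: List[str],
                           expected_private: List[str]) -> List[str]:
    """Subnets that are meant to be private but actually route 0.0.0.0/0 to an IGW."""
    kinds = classify_subnets(route_tables, subnet_ids)
    return sorted(s for s in expected_private if kinds.get(s) == "public")


if __name__ == "__main__":
    print(classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS))
    print("misrouted:", find_misrouted_private(SAMPLE_MISROUTED_TABLES, SAMPLE_SUBNETS, ["subnet-private1"]))
```

Against a live account the two sample lists would be replaced by the `RouteTables` list from `describe-route-tables` and the subnet IDs from `describe-subnets` for the VPC. The check that matters for this design is `find_misrouted_private`: a subnet that was supposed to hold the database tier but classifies as `public` has a direct path to the Internet gateway and needs its route-table association fixed before anything is launched into it.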

Allocate an Elastic IP address for the NAT gateway (IPv4)

Open the Amazon VPC console. In the navigation pane, choose Elastic IPs.

Choose Allocate new address.

 

vpc5.jpg

Choose the Allocate from pool of IP addresses option.

vpc6.jpg

Note down the Allocation ID (here: eipalloc-0437f08746d7b79af); you will need it when the NAT gateway is created.

Create a VPC

Open the AWS Management Console and select VPC under Services.

On the VPC dashboard, choose Launch VPC Wizard.

vpc1.jpg

Choose the second option, VPC with Public and Private Subnets, and then choose Select.

vpc2.jpg

You can name your VPC and subnets to help you identify them later in the console. You can specify your own IPv4 CIDR block range for the VPC and subnets, or keep the default values. Pick ranges that do not overlap any network you may later connect to this VPC (another VPC via peering, or an on-premises network via VPN), because overlapping ranges cannot be routed between.

vpc3.JPG

You can keep the rest of the default values on the page, and choose Create VPC.

vpc4.jpg

vpc7.jpg

Create the WebServer and Database Server security groups

Open the Amazon VPC console. In the navigation pane, choose Security Groups, then Create Security Group.

Provide a name and description for the security group.  For VPC, select the ID of the VPC you created and choose Yes, Create.

Create a security group for each tier: one for the web server (WebServerSG) and one for the database server (DBServerSG).

vpc8.jpg

vpc9.JPG

Select the WebServerSG security group that you created. The details pane displays the details for the security group, plus tabs for working with its inbound and outbound rules.

On the Inbound Rules tab, choose Edit and add rules for inbound traffic. For a web server that means HTTP and HTTPS from 0.0.0.0/0; if you also need SSH, allow it only from your own public IP range, never from 0.0.0.0/0.

vpc10.JPG

On the Outbound Rules tab, choose Edit and add rules for outbound traffic

Locate the default rule that enables all outbound traffic and choose Remove.

Choose Add rule, Type, MySQL. For Destination, specify the ID of the DBServerSG security group.

Choose Add another rule, Type, HTTPS. For Destination, enter 0.0.0.0/0.

Choose Add another rule, Type, HTTP. For Destination, enter 0.0.0.0/0.

vpc12.JPG

Similarly, edit the rules of the database server security group.

On the Inbound Rules tab, choose Edit and add rules for inbound traffic.

Choose Add rule, Type, MySQL. For Source, specify the ID of your WebServerSG security group. Referencing the security group instead of a CIDR means only instances that carry WebServerSG can open a MySQL connection, whatever their IP addresses are, and no rule has to be touched when web servers are added or replaced.

vpc13.JPG

On the Outbound Rules tab, choose Edit and add rules for outbound traffic (for example, HTTPS to 0.0.0.0/0 so the database server can fetch updates through the NAT gateway). Remove the default allow-all outbound rule here as well.

vpc14.JPG
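The two security groups above encode the whole trust model of this design (the database listens only to the web tier, nothing administrative is open to the world, and the web tier's egress is explicit rather than allow-all), so it is worth being able to verify them mechanically after the fact. The following is an added example and not code from the original post: it works on the shape of the `aws ec2 describe-security-groups` response, and the two sample groups, their IDs and the admin range 203.0.113.0/24 (a documentation prefix) are constructed placeholders.

```python
"""Audit the WebServerSG / DBServerSG design from describe-security-groups data.

Added example (not from the original post). SAMPLE_GROUPS is constructed to
mirror the `SecurityGroups` list returned by describe-security-groups; the
group ids and the admin CIDR 203.0.113.0/24 are placeholders.
"""
import copy
from typing import Dict, List, Set, Tuple

ANYWHERE = "0.0.0.0/0"
ADMIN_PORTS: Set[int] = {22, 3389, 3306}  # must never be open to the world


def _rule(proto: str, port: int, cidrs: List[str] = (), groups: List[str] = ()) -> Dict:
    """Build one permission entry in describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample: the rules the post describes, plus SSH from an admin range.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-web00001", "GroupName": "WebServerSG",
     "IpPermissions": [_rule("tcp", 80, [ANYWHERE]), _rule("tcp", 443, [ANYWHERE]),
                       _rule("tcp", 22, ["203.0.113.0/24"])],
     "IpPermissionsEgress": [_rule("tcp", 3306, groups=["sg-db000002"]),
                             _rule("tcp", 80, [ANYWHERE]), _rule("tcp", 443, [ANYWHERE])]},
    {"GroupId": "sg-db000002", "GroupName": "DBServerSG",
     "IpPermissions": [_rule("tcp", 3306, groups=["sg-web00001"])],
     "IpPermissionsEgress": [_rule("tcp", 443, [ANYWHERE])]},
]

# Constructed misconfiguration: someone "fixed" a connectivity problem by
# adding 0.0.0.0/0 as a MySQL source on the database group.
SAMPLE_GROUPS_BAD: List[Dict] = copy.deepcopy(SAMPLE_GROUPS)
SAMPLE_GROUPS_BAD[1]["IpPermissions"][0]["IpRanges"] = [{"CidrIp": ANYWHERE}]


def port_in_rule(rule: Dict, port: int) -> bool:
    """True if the rule covers `port`; IpProtocol '-1' means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_ports(group: Dict, ports: Set[int]) -> List[int]:
    """Ports from `ports` that the group's inbound rules open to 0.0.0.0/0 or ::/0."""
    found: Set[int] = set()
    for rule in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(c in (ANYWHERE, "::/0") for c in cidrs):
            found.update(p for p in ports if port_in_rule(rule, p))
    return sorted(found)


def inbound_sources_for_port(group: Dict, port: int) -> Tuple[List[str], List[str]]:
    """(CIDR sources, security-group sources) allowed inbound on `port`."""
    cidrs, sgs = [], []
    for rule in group["IpPermissions"]:
        if port_in_rule(rule, port):
            cidrs += [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sgs += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return sorted(cidrs), sorted(sgs)


def audit(groups: List[Dict], web_name: str = "WebServerSG",
          db_name: str = "DBServerSG") -> List[str]:
    """Return findings; an empty list means the post's design holds."""
    findings: List[str] = []
    for g in groups:
        for p in world_open_ports(g, ADMIN_PORTS):
            findings.append(f"{g['GroupName']}: port {p} open to the world")
    by_name = {g["GroupName"]: g for g in groups}
    web, db = by_name.get(web_name), by_name.get(db_name)
    if web and db:
        cidrs, sgs = inbound_sources_for_port(db, 3306)
        if cidrs or sgs != [web["GroupId"]]:
            findings.append(f"{db_name}: MySQL must be reachable only from {web_name} ({web['GroupId']})")
        for rule in web["IpPermissionsEgress"]:
            if rule.get("IpProtocol") == "-1" and any(r["CidrIp"] == ANYWHERE for r in rule.get("IpRanges", [])):
                findings.append(f"{web_name}: default allow-all egress rule still present")
    return findings


if __name__ == "__main__":
    print("good:", audit(SAMPLE_GROUPS))
    print("bad: ", audit(SAMPLE_GROUPS_BAD))
```

Against a real account, `SAMPLE_GROUPS` is replaced by the `SecurityGroups` list for the VPC. The audit deliberately treats a database group that lists both the web group and a CIDR as a finding: once any CIDR is present, the group reference no longer bounds who can reach MySQL, which is exactly the property the design relies on.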

Creating Gateways

We will create an Internet Gateway for the public subnet and a NAT gateway for the private one.

Internet Gateway

Go to the Internet Gateways section and click Create Internet Gateway; this creates an unattached Internet gateway. Once it is created, attach it to the VPC.

Create and attach an Internet gateway to our newly created VPC "Testvpn". Check the Internet Gateways list first: if the VPC wizard already created and attached one for this VPC, there is nothing to create here, and a VPC can only have one Internet gateway attached.

Click on Internet Gateways in the menu on the left and then click Create Internet Gateway.

vpc15.JPG

vpc16.JPG

Attach the newly created Internet gateway to the VPC by selecting it and clicking Attach to VPC.

 

vpc17.jpg

vpc18.JPG

 

Create NAT Gateway

A NAT gateway gives instances in the private subnet outbound access to the Internet (for software updates and package repositories) while connections initiated from the outside are never forwarded in. It is a NAT device, not a firewall: it does not inspect or filter what the private instances send out, so security groups and network ACLs remain the controls on where those instances may connect, and an allow-all egress rule behind a NAT gateway is still an unrestricted exfiltration path.

The private subnet should reach the Internet only through the NAT gateway. The NAT gateway is optional: if the instances in the private subnet must have no Internet access at all, skip it and leave the private route table with only the local route.

Go to the NAT Gateways section to create a NAT gateway for the private subnet. In the Create NAT Gateway dialog, select the public subnet: the NAT gateway must sit in a subnet that routes to the Internet gateway, even though it serves the private subnet.

Configure the NAT gateway for the private subnet in your VPC:

  1. Navigate to the AWS console -> Services.
  2. Go to the Networking & Content Delivery section and click VPC.
  3. Navigate to Virtual Private Cloud -> NAT Gateways -> Create NAT Gateway.
  4. On the newly opened page, select the public subnet from the Subnet drop-down list; this is where the NAT gateway is created.
  5. Assign the Elastic IP address you allocated earlier (allocation ID eipalloc-0437f08746d7b79af) to the NAT gateway.
  6. Click Create a NAT Gateway.

Now configure routing for the private subnet so that its Internet-bound traffic goes through the NAT gateway you just created.

vpc21.jpeg

 

vpc22.JPG

Route Tables

Now create a new route table by selecting Route Tables and clicking Create Route Table.

We need two route tables. The first gives hosts in the public subnet a default route to the Internet gateway. The second gives the private subnet a default route to the NAT gateway so instances there can fetch patches and install software. A main route table already exists for the VPC; it applies to every subnet that has no explicit association and could be repurposed for one of the two subnets. I prefer to leave the main table as it is, with only the local route, and create two new route tables, one per subnet: that way a subnet added later without an explicit association is isolated by default instead of silently inheriting a route to the Internet.

vpc19.jpg

vpc20.JPG

Similarly create a private route table.

vpc23.JPG

 

vpc24.JPG

Highlight the public route table and select the Routes tab. Click the Edit button and add a default route that points to the Internet gateway you created earlier.

vpc25.jpg

Select "Test_Public_RT", click on the "Routes" tab and then "Edit".

Then enter 0.0.0.0/0 for the Destination and select your Internet Gateway for the Target and click on “Save“:

vpc26

vpc27.jpg

Associate this "Test_Public_RT" route table with the public subnet "Public subnet" (here: subnet-0feba2037eac69c86).

Under Subnet Associations tab Click on Edit subnet associations and add the public subnet id then click on save.

vpc28.JPG

Instances launched in the public subnet can now reach the Internet, and can be reached from it, provided they have a public or Elastic IP address and their security group allows the traffic.

Now, select the Private Route Table and edit the Routes to add a default route to the NAT Gateway.

vpc29.JPG

vpc30.jpg

Navigate to the Subnet Associations tab, associate your private subnet with this route table and save the changes.

vpc31

vpc32

Now traffic from instances in the private subnet destined for the Internet is routed to the NAT gateway, while connections initiated from the Internet still cannot reach those instances.

And with that, we have now created a custom VPC in AWS with a public (10.0.0.0/24) subnet and a private (10.0.1.0/24) subnet.

Reference:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
