By Jason Coltrin
VPC Definition and security model
A VPC is a network logically separated and isolated from other virtual networks inside the AWS cloud. In the same manner an administrator would secure servers behind a firewall and access control lists on premises, you can isolate instances (virtual servers) inside your VPC.
The Shared Responsibility Model is the term AWS uses to distinguish its own responsibility for “security of the cloud” from the customer's responsibility for “security in the cloud.” Because “security in the cloud” is our responsibility, we need to protect our own content, platform, applications, systems, and networks. A VPC with multiple logical networks is a good start in securing your AWS network resources.
This will be a multi-part series of articles. In this first article, we describe our demo network with a diagram, create a new VPC, and build two subnets in separate availability zones. Our second article here demonstrates how to create an Internet Gateway, build both Private and Public Route Tables, Private and Public Network Access Control Lists, and Private and Public Security Groups, as well as set associations among these components. Lastly, in our third article here, we show how to set up an instance in each of our networks (Public and Private), test connectivity, and ensure only our Bastion instance has the ability and keys necessary to connect to our Private instance, via SSH and Pageant.
Visual Representation of the Demo Network
The following diagram outlines how our VPC network will look when we complete our task.
As displayed in the diagram, by creating a second Security Group and subnet, 10.0.2.0/24, we effectively isolate the instances in that subnet from the outside world. Our Private instance will not have any public IP addresses or ports open to the outside. Our Bastion instance is used much like a management gateway and is the only point of entry for the management of our Private instances. While inbound traffic is secured, our Internet Gateway allows Private instances to connect to the Internet and make outbound requests for updates and patches.
How to create a VPC in Amazon AWS
If you want to follow along with this tutorial, go ahead and sign up for a new Free Tier account with AWS here. The free tier is good for 12 months and allows you to run one instance per month or two instances for half of a month. If you leave both instances running all month, you may be charged a nominal amount of money on your credit card (a credit card is required to sign up for the free account). Should you not want to run this setup in production, either shut down your instances after completing your testing or delete your second instance. With only one instance running all month, or two instances running for half of a month, you probably won’t see a bill for a year.
After signing up and providing your credit card information, go ahead and sign in to the console. The default AWS console look and feel has changed recently. The first thing to do in the console is change your Region to U.S. West (N. California). There may be other Regions closer to you that offer multiple Availability Zones, but I recommend you keep both subnets in the same Region. Do this by changing the default option in the location drop-down menu, next to your name, in the upper-right corner of the console. Next, browse down to the Networking section, and click on VPC.
While we could use the VPC wizard, we are going to create one from scratch. You can disregard the default VPC for now.
Create an AWS VPC
Click on Create VPC.
Provide the Name Tag of your choice. We’ll use 4sysopsVPC.
Give it the CIDR block 10.0.0.0/16. This CIDR will give you 65k hosts. If you think you may reach this limit, by all means, plan ahead by providing more hosts than you think necessary, and set the CIDR to /8.
Leave Tenancy as default and click Yes, Create.
That’s all we need to do for our VPC.
Create AWS VPC Subnets
Next, we’ll create and name our two subnets, place them in the appropriate VPC, select the Availability Zone, and define the CIDR blocks.
Select Subnets, then Create Subnet.
We’ll give our first subnet a Name tag: Public-Subnet.
Next, select the VPC we previously created, named vpc-xxxxxxxx (10.0.0.0/16) | 4sysopsVPC.
Choose the first availability zone, us-west-1a.
Provide the CIDR block 10.0.1.0/24.
When complete, we’ll find the new subnet listed with our other two default subnets:
Now, create another subnet by clicking on Create Subnet again. However, this time, we will change the Name tag to Private-Subnet, the VPC to vpc-xxxxxxxx (10.0.0.0/16) | 4sysopsVPC, the Availability Zone to us-west-1c, and the CIDR block to 10.0.2.0/24. The result should look similar to the following:
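Before clicking through the console, it is worth checking the address plan the way the console will: the VPC block must be a size AWS accepts, each subnet must sit inside the VPC block, no two subnets may overlap, and every subnet loses five addresses that AWS reserves. The following script is an added example, not code from the original article or from AWS; it models the 4sysopsVPC plan above (10.0.0.0/16 with 10.0.1.0/24 in us-west-1a and 10.0.2.0/24 in us-west-1c) using only the standard library, and emits the keyword arguments that boto3's `create_vpc` and `create_subnet` calls expect. The VPC id `vpc-xxxxxxxx` is a placeholder exactly as it is on the page; the limits and reserved-address count are AWS documented behaviour, stated here as assumptions in the comments.

```python
"""Validate a VPC/subnet address plan before creating it in AWS (added example)."""
import ipaddress

# Assumption (AWS documented limits): an IPv4 VPC CIDR block and each subnet
# block must have a prefix length between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28
# Assumption (AWS documented behaviour): in every subnet AWS reserves the
# network address, the next three (router, DNS, future use) and the broadcast.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Return the VPC network, or raise ValueError if AWS would reject it."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(
            f"VPC CIDR {cidr}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def usable_hosts(net):
    """Addresses you can actually assign to instances in this subnet."""
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnets):
    """subnets: iterable of (name, cidr, availability_zone).

    Returns one dict per subnet with the checked CIDR, the AZ and the usable
    host count. Raises ValueError for a subnet outside the VPC, a subnet with
    an unsupported size, or two subnets that overlap.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    accepted = []  # (name, network) pairs already admitted to the plan
    plan = []
    for name, cidr, az in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} {cidr} is not inside VPC {vpc}")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            raise ValueError(f"{name} {cidr}: unsupported subnet size")
        for other_name, other in accepted:
            if net.overlaps(other):
                raise ValueError(f"{name} {cidr} overlaps {other_name} {other}")
        accepted.append((name, net))
        plan.append({"Name": name, "CidrBlock": str(net),
                     "AvailabilityZone": az, "UsableHosts": usable_hosts(net)})
    return plan


def create_vpc_kwargs(vpc_cidr, name, tenancy="default"):
    """Keyword arguments for boto3 ec2.create_vpc (Name is applied as a tag)."""
    net = validate_vpc_cidr(vpc_cidr)
    return {"CidrBlock": str(net), "InstanceTenancy": tenancy,
            "TagSpecifications": [{"ResourceType": "vpc",
                                   "Tags": [{"Key": "Name", "Value": name}]}]}


def create_subnet_kwargs(vpc_id, entry):
    """Keyword arguments for boto3 ec2.create_subnet from one plan entry."""
    return {"VpcId": vpc_id, "CidrBlock": entry["CidrBlock"],
            "AvailabilityZone": entry["AvailabilityZone"],
            "TagSpecifications": [{"ResourceType": "subnet",
                                   "Tags": [{"Key": "Name", "Value": entry["Name"]}]}]}


# The demo plan from the article (constructed sample input).
DEMO_VPC = "10.0.0.0/16"
DEMO_SUBNETS = [
    ("Public-Subnet", "10.0.1.0/24", "us-west-1a"),
    ("Private-Subnet", "10.0.2.0/24", "us-west-1c"),
]

if __name__ == "__main__":
    print(create_vpc_kwargs(DEMO_VPC, "4sysopsVPC"))
    for entry in plan_subnets(DEMO_VPC, DEMO_SUBNETS):
        # "vpc-xxxxxxxx" is the page's placeholder; substitute the id returned
        # by create_vpc before passing these kwargs to boto3.
        print(entry, create_subnet_kwargs("vpc-xxxxxxxx", entry))
```

Two things the check surfaces that the console only tells you after you submit: a /24 subnet yields 251 assignable addresses, not 254, because of the five reserved ones, and a VPC CIDR larger than /16 is refused, since AWS caps a single VPC block at /16 (you grow a VPC later by associating additional CIDR blocks rather than by starting with a /8).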
We now have two subnets, and a VPC has been created. In the next article, we’ll build an Internet Gateway, Route Tables, NACLs, and Security Groups, and set associations between the components.