Project: Deploy Scalable VPC Architecture on AWS cloud

  Edwiki Trainings

VPC Deployment


  1. Build the VPC network (192.168.0.0/16) for the Bastion Host deployment
    1. VPC → Create VPC → VPC only → IPv6 CIDR → enter 192.168.0.0/16 and click on Create VPC
    2. VPC → Create VPC → VPC only → IPv6 CIDR → enter 172.32.0.0/16 and click on Create VPC

  2. Create a NAT Gateway in the public subnet and update the route table associated with the private subnet so that default traffic is routed to the NAT Gateway for outbound internet connectivity.

  3. Create two IGWs, one for each VPC
    1. VPC → Internet Gateways → provide a name → Create internet gateway

  4. Attach the IGWs to their respective VPCs
    1. VPC → Internet Gateways → select an IGW → Actions → Attach to VPC → choose a VPC → Attach internet gateway

  5. Create five subnets
    1. VPC → Subnets → Create subnet → enter the VPC, subnet name, AZ and IPv4 CIDR based on your VPC

Subnet1: public-bastion-01

Make sure the "Enable auto-assign public IPv4 address" setting is enabled

Subnet2: private-application-01

Subnet-3: private-application-02

Subnet-4: public-application-01

Subnet-5: public-application-02c

  6. Create the NAT Gateway

VPC → NAT gateways → Create NAT gateway → provide a name → subnet details and allocate an Elastic IP

  7. Create four route tables

Route Table-1: public-bastion-route

VPC → Route Tables → Subnet associations → Edit subnet associations → choose the subnet that is for the bastion

Edit the routes for this route table

VPC → Route tables → your route table → Edit routes

Route Table-2:

VPC → Route Tables → Subnet associations → Edit subnet associations → choose the subnet that is for the private application

Edit the routes for this route table

VPC → Route tables → your route table → Edit routes

Route Table-3: private-application-route-02

VPC → Route Tables → Subnet associations → Edit subnet associations → choose the subnet that is for the private application

Edit the routes for this route table

VPC → Route tables → your route table → Edit routes

Route Table-4: private-application-route-02

VPC → Route Tables → Subnet associations → Edit subnet associations → choose the subnet that is for the public application

Edit the routes for this route table

VPC → Route tables → your route table → Edit routes
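As an added example that is not part of this tutorial, the Python below models the two VPCs, the five subnets and the four route tables described above and audits them for the mistakes that most often break this layout: a subnet outside its VPC, overlapping subnets, a private subnet whose default route points at an internet gateway (which silently makes it public), and a subnet associated with no route table or with more than one. The /24 subnet CIDRs and the name of the fourth route table are assumptions, since the tutorial shows them only in screenshots; the VPC CIDRs, subnet names and transit-gateway routes are the tutorial's.

```python
# Added example (not from the tutorial). VPC CIDRs, subnet and route-table names are the
# tutorial's; the /24 subnet CIDRs and the fourth route table's name are constructed.
import ipaddress

BASTION_VPC = ipaddress.ip_network("192.168.0.0/16")
APP_VPC = ipaddress.ip_network("172.32.0.0/16")

# subnet name -> (VPC, constructed CIDR, public or private)
SUBNETS = {
    "public-bastion-01":      (BASTION_VPC, "192.168.1.0/24", "public"),
    "private-application-01": (APP_VPC, "172.32.1.0/24", "private"),
    "private-application-02": (APP_VPC, "172.32.2.0/24", "private"),
    "public-application-01":  (APP_VPC, "172.32.11.0/24", "public"),
    "public-application-02c": (APP_VPC, "172.32.12.0/24", "public"),
}

# route table -> (associated subnets, {destination: igw | nat | tgw | local})
ROUTE_TABLES = {
    "public-bastion-route": (["public-bastion-01"],
        {"192.168.0.0/16": "local", "0.0.0.0/0": "igw", "172.32.0.0/16": "tgw"}),
    "private-application-route-01": (["private-application-01"],
        {"172.32.0.0/16": "local", "0.0.0.0/0": "nat", "192.168.0.0/16": "tgw"}),
    "private-application-route-02": (["private-application-02"],
        {"172.32.0.0/16": "local", "0.0.0.0/0": "nat"}),
    "public-application-route": (["public-application-01", "public-application-02c"],
        {"172.32.0.0/16": "local", "0.0.0.0/0": "igw"}),
}

def audit(subnets, route_tables):
    """Return findings; an empty list means the layout is consistent."""
    findings, seen, associated = [], {}, {}
    for name, (vpc, cidr, _) in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):                       # subnet outside its VPC
            findings.append(f"{name}: {cidr} is not inside its VPC {vpc}")
        for other, other_net in seen.items():            # overlapping subnets
            if net.overlaps(other_net):
                findings.append(f"{name}: {cidr} overlaps {other}")
        seen[name] = net
    for rt, (members, routes) in route_tables.items():
        default = routes.get("0.0.0.0/0")
        for member in members:
            associated[member] = associated.get(member, 0) + 1
            kind = subnets[member][2]
            if kind == "private" and default == "igw":   # would make the subnet public
                findings.append(f"{rt}: private subnet {member} defaults to an IGW")
            if kind == "public" and default != "igw":    # no path to the internet
                findings.append(f"{rt}: public subnet {member} has no IGW default route")
    for name in subnets:                                 # exactly one route table each
        if associated.get(name, 0) != 1:
            findings.append(f"{name}: in {associated.get(name, 0)} route tables, expected 1")
    return findings
```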

 

  8. Launch an instance as a bastion in our bastion-vpc; except for the customizations below you can go with the other default options

Choose our Golden AMI that was created previously

In Network settings → click Edit

  9. Launch two instances in different AZs in edwiki-vpc-application-01

Choose our golden AMI, the Application VPC and the public-application-01 subnet

Note: the security group should accept traffic for SSH and port 80. These instances are just for checking connectivity; you can terminate them later on, as we will be managing instances via an ASG later in the section.

In the Advanced details section, add the below in User data

#!/bin/bash
# User data runs as root on first boot; assumes the golden AMI already provides httpd and git
yum update -y
service httpd start
# git clone refuses a non-empty target directory; uncomment the next line if the web root is not empty
#rm -rf /var/www/html/*
git clone https://bitbucket.org/dptrealtime/html-web-app.git /var/www/html/

  10. Create a Transit Gateway

VPC → Transit gateways → Create transit gateway → provide ASN as 4200000000 → leave the other settings default

  11. Create Transit Gateway Attachments

VPC → Transit gateway attachments → Create Transit gateway attachment

Create another attachment for the other VPC

Validate the Transit Gateway routes

VPC → Transit gateway route tables → Routes

  12. Modify the route tables of both VPCs to route traffic to the Transit Gateway

Route Table: private-application-route-01

Route Table: public-bastion-route

Subnet association for private-application-route-01

  13. Create an S3 Bucket

Place your application configuration here

Upload your configuration to this bucket

Amazon S3 → Buckets → edwiki-application-config-1 → Upload

  14. Create an IAM Policy to allow access to this bucket only

IAM → Policies → Create policy → JSON → paste the policy below, replace the bucket name, then save it. Attach the policy to the role that was created previously, named SSM+Cloudwatch-FullAccess.

IAM → Roles → Add permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ]
        }
    ]
}

  15. Create a Launch Configuration

EC2 → Launch configurations → Create launch configuration

LC SNAP-1

LC SNAP-02

LC SNAP-03

#!/bin/bash
# User data for the launch configuration; runs as root on first boot
yum update -y
systemctl start httpd
# Pull the application page from the config bucket (allowed by the bucket-scoped IAM policy on the instance role)
aws s3 cp s3://edwiki-application-config-1/index.html /var/www/html/
systemctl restart httpd
# Start the CloudWatch Logs agent so the instance logs are shipped to CloudWatch
systemctl start awslogsd

LC SNAP-04

  16. Create an Auto Scaling Group

EC2 → Auto Scaling Groups → Create Auto Scaling group

ASG-1

ASG-2

ASG-3

EC2 health checks only cover the 2/2 status checks, not service failures; if you need service-level health checks, you will need to enable the ELB health check option.

ASG-4

ASG-5

Keep the remaining configurations as default and create the ASG

This will create two servers in the respective subnets, and their logs will be pushed to CloudWatch

  17. Create a Target Group

EC2 → Target Groups → Create target group

Keep the remaining configuration as default

TG-2

Keep the rest of the configuration as default

  18. Associate the TG with the ASG by editing the ASG

EC2 → Auto Scaling Groups → your ASG → Edit → Load balancing → choose Application/Network Load Balancer target groups and select the target group we created in the previous step

  19. Create a Load Balancer

NLB-1

NLB-2

Note: To attach Amazon EC2 instances that are located in a private subnet, first create public subnets. These public subnets must be in the same Availability Zones as the private subnets that are used by the backend instances. Then, associate the public subnets with your load balancer.

If you are unable to select the target group, you may have chosen the protocol HTTP instead of TCP for the NLB.

Select the target group

Then create the load balancer

  20. Update Route 53

Create a Route 53 hosted zone for your domain

Copy the name servers to your DNS provider's portal, i.e. replace the default nameservers with the ones provided by AWS

Example: editing the default name servers at GoDaddy

Create a CNAME record for the NLB DNS name

Now you should be able to view the website using your domain

  21. Create a CloudWatch log group

Create a policy with the permissions below

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}

Create an IAM role with Trusted entity type "AWS service" and use case "EC2", and attach the above policy. Then edit the trust relationship of the role with the text below

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Trust Relationships
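As an added example that is not part of this tutorial, the Python below audits the three IAM documents used in this tutorial: the bucket policy from the "Create an IAM Policy" step and the permissions and trust policies just given for the flow-logs role. It flags wildcard actions, '*' resources (the logs policy above uses one; it could be scoped to the log group ARN), malformed ARNs such as a stray space inside an S3 ARN, and a trust policy that lets any principal other than vpc-flow-logs.amazonaws.com assume the role. The policy contents are copied from the tutorial; YOUR_BUCKET_NAME is the tutorial's own placeholder.

```python
# Added example (not from the tutorial): audit the bucket policy, the logs policy and the
# trust policy used above. Policy contents are the tutorial's, including its placeholder.
import re

# arn:partition:service:region:account:resource, with no whitespace anywhere
ARN_RE = re.compile(r"^arn:aws:[a-z0-9-]*:[a-z0-9-]*:\d{0,12}:\S+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_identity_policy(doc):
    """Flag wildcard actions, '*' resources and malformed ARNs in Allow statements."""
    findings = []
    for i, st in enumerate(_as_list(doc["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: resource '*', scope it to an ARN")
            elif not ARN_RE.match(res):
                findings.append(f"statement {i}: malformed ARN {res!r}")
    return findings

def audit_trust_policy(doc, expected_service):
    """Only expected_service may assume the role, and only via sts:AssumeRole.
    A non-service principal (or a bare '*') is reported as '*'."""
    findings = []
    for i, st in enumerate(_as_list(doc["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = principal.get("Service", ["*"]) if isinstance(principal, dict) else ["*"]
        for svc in _as_list(services):
            if svc != expected_service:
                findings.append(f"statement {i}: unexpected principal {svc}")
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings

S3_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"]}]}
LOGS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
               "logs:DescribeLogGroups", "logs:DescribeLogStreams"], "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "vpc-flow-logs.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
```

Run `audit_identity_policy(LOGS_POLICY)` to see the broad-resource finding for the logs policy, and `audit_trust_policy(TRUST_POLICY, "vpc-flow-logs.amazonaws.com")` to confirm the trust policy is clean.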

 

 

 

 

 

 

 

 

 

 

 

 

 

  22. Now create VPC Flow Logs for each VPC

VPC → Your VPCs → select your VPC and click on Flow logs → Create flow log

Choose the destination log group and IAM role, create the flow log, and repeat the same step for the other VPC

Now we can view the logs in CloudWatch in our edwiki-vpc-flow-logs group, with one log stream per ENI

 

 

 

 

 

 

 

 

For a better understanding, refer to the architecture diagram (image not reproduced)


ANDHAVARAPU RESHMA, 4 months ago

Can you post the problem statement, abstract and literature survey of this project