Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Category: Blogs

Categories
Blogs

How to Configure A Dual-NAT Gateway

HOW TO CONFIGURE A DUAL-NAT GATEWAY IN TWO DIFFERENT AVAILABILITY ZONES.

In this comprehensive guide, we will take you through configuring a dual-NAT gateway in two different availability zones, paired with route tables, enabling your private subnets to access the internet securely.

According to our reference architecture, we will create a Nat gateway in the public subnet az1, we will create a route table that we call private route table az1. We will then add a route to that route table to route traffic to the internet through the Nat gateway. We will then associate that route table with the private app subnet az1, and private data subnet az1.

Again, for the second availability zone:

We will create another Nat gateway in the public subnet az2. We will then create another route table called private route table az2, we will add traffic to this route table to route traffic to the internet through the Nat gateway in the public subnet az2. We will then associate this route table with the private app subnet az2 and private data subnet az2.

Let’s start.

Refer to our previous post on creating a Custom 3 tier-VPC. We will use that VPC project to accomplish this project.

To create the Nat gateway first make sure you are in the region where you created the VPC.

Then in the search box, type VPC and select VPC under services.

On the VPC dashboard on the left side of the navigation pane select Nat gateway, then click Create Nat gateway.

We will create the first Nat gateway in the public subnet az1.

In the create Nat gateway dashboard under name give your Nat gateway name, call it Nat gateway az1. Once you’ve given your Nat gateway a name, select the subnet where you want to put your Nat gateway. so under subnet, select the drop-down and look for public subnet az1 then select it. Then for connectivity type leave it on the default public, because we are creating a public Nat gateway.

Scroll down, under elastic allocation ID click allocate an elastic IP and that is going to allocate an elastic IP for you.

These are the only settings we need to create a Nat gateway, scroll down and click Create Nat gateway.
Success, we have created our first Nat gateway in the public subnet az1
Next, we will create a route table and call that route table, private route table az1. On the left side of your screen, select route tables then click create route table.

In the create route table dashboard under name, give your route table a name, and call it private route table az1. Once you’ve given the route table a name, select the VPC you want to create this route table in, so under VPC, select the drop-down and select your prod- VPC.

These are the only settings we need to create a route table now click create route table.

Success, we have successfully created our first private route table in private subnet az1.

Next, we will add a route to the private route table az1 to route traffic to the internet through the Nat gateway in the public subnet az1.

To add a route to this route table, navigate to the routes tab, select edit routes then click Add route

For the destination remember internet traffic is always 0.0.0.0/0 so under destination type in this value.

Then under target, the target is going to be our Nat gateway in the public subnet az1, so click in the search box, then select Nat gateway. Make sure you select Nat Gateway and not Internet Gateway. You should see the Nat gateway in the public subnet az1, it is the Nat gateway we call Nat gateway az1. Select it then click Save Changes.

Successfully, we have added a route to the route table to route traffic to the internet through the Nat gateway in the public subnet az1.
When you scroll down, you can see the routes here.

Next, we will associate this route table with private app subnet az1 and private data subnet az1.

To associate this route table with our subnets, click subnet associations, then click edit subnet associations.

In the edit subnet associations dashboard, under the available subnets, select private app subnet az1, and private data subnet az1. Once you’ve selected the two subnets, click Save Associations.

We have successfully associated our private app subnet az1 and private data subnet az1 to this route table.

And you can see that information, under explicit subnet associations, we have two subnets there.

If you click on the subnet’s association tab a gain, you will see that the private app subnet az1 and private data subnet az1 are associated with the route table.

Next, we will create the second Nat gateway in the public subnet az2. On the left side of the VPC dashboard select Nat gateway. then click Create Nat gateway.

Under Nat gateway settings give the Nat gateway a name, call it Nat gateway az2. Then select the subnet you want to put the NAT gateway in. Under subnets, select the drop-down and select public subnet az2. For connectivity type leave it on the default public because we are creating a public Nat gateway. Under elastic IP allocation ID, click the allocate elastic IP button, this will allocate an elastic IP for you.

Scroll down and click Create Nat gateway.

We have successfully created the Nat gateway.

The next thing we will do is to create another route table and call it private route table az2.

On the left side, select the route table. then click Create Route Table.

Under name give your route table a name, call it private route table az2. Once you’ve given your route table a name then, select the VPC you want to put your route table in, so under VPC, select the drop-down and select your prod VPC. These are the only settings we need to create this route table, click create route table.

We have successfully created a private route table az2.
Now that we have successfully created the private route table az2, we will add a route to this route table to route traffic to the internet through the Nat gateway in the public subnet az2. To add a route to this route table, select the routes tab then click edit routes.

In the edit routes dashboard click Add route

Under destination remember traffic going to the internet is always 0.0.0.0/0 so type it in there and select it.

Then under targets, we will select our Nat gateway, so select the search box, and select Nat gateway.

And this time make sure you select Nat gateway az2. Then click save changes.

We have successfully added a route to this route table to route traffic to the internet through the Nat gateway in the public subnet az2.

To see that route scroll down and you will see it there.

The last thing we will do is associate this route table with private app subnet az2, and private data subnet az2

To associate this route table with our subnets, go to the subnets associations tab, select it then click edit subnet associations.

Under available subnets, we will select the private app subnet az2 and private data subnet az2. Once you’ve selected the subnets, click Save Associations.

We have successfully associated our private app subnet az2, and private data subnet az2 with the private route table az2.

To see that, we can see that we have two subnets under explicit subnet associations.

and if you click on the subnet’s associations tab, you will see that our private app subnet az2, and private data subnet az2 are associated with this route table.

This is how we create Nat gateway to allow resources in our private subnet, to have access to the internet.
Delete The AWS NAT Gateway
After completion of your practice on the NAT Gateway you have to delete it to avoid incurring charges. Remember when you provision a NAT gateway, you are charged for each hour that your NAT gateway is available and each gigabyte of data that it processes.
Deleting a NAT gateway disassociates its Elastic IP address, but does not release the address from your account. So again, make sure you release the elastic IP address from your account.
Stay tuned for more.
If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com
Thank you!
Categories
Blogs

Vpc Part Two: Building A Custom 3-tier Vpc From Scratch

VPC PART TWO: BUILDING A CUSTOM 3-TIER VPC FROM SCRATCH

In our custom 3-tier VPC reference architecture, our infrastructure is divided into 3 tiers. The first tier which we can also call the user interface or presentation tier, has public subnets which can hold resources such as

  • NAT gateways
  • load balancers
  • bastion hosts

On the second tier which I also call the application tier, we have our private subnets, and this is the tier that can hold resources such as EC2 Instances (webservers).

On the third tier which I also call the database tier, we have another private subnet and this is the tier that holds databases.

The subnets are duplicated across multiple availability zones for high availability and fault tolerance.

Finally, we have an internet gateway and route table to allow the resources in the VPC to have access to the internet.

To create this VPC, let’s log into the management console.

The first thing you should do is select the region where you want to create the VPC. according to our reference architecture, this VPC should be in the US East (N. Virginia) region. (us-east-1)

To change your region, select the dropdown in the top right navigation pane in the management console, and make sure you select, Us-east (Northern Virginia).

Straight away type VPC in the search box, then select VPC under services.

In the VPC dashboard, select VPC’s then click create VPC.

Under VPC settings, select VPC only then give your VPC a name, and call it prod-VPC.

Leave it on the IPv4 CIDIR block.

Under IPv4 CIDIR, enter Your CIDIR block. According to our reference architecture, it is 10.0.0.0/16. Then leave it at no ipv6 CIDIR block, tenancy is going to be the default, and tags are optional.  Scroll down and click Create VPC.

We have successfully created our VPC

NOTE: You can see all the VPC’s in your account by selecting the filter by VPC search box below.

Once you filter it by a particular VPC, it will only show you the information on that VPC.

Next, we will enable the DNS hostname for our VPC.

DNS options

If you need public IPv4 DNS hostnames for the EC2 instances launched into your subnets, you must enable both of the DNS options.

Enable DNS hostnames: EC2 instances launched in the VPC receive public DNS hostnames that correspond to their public IPv4 addresses.

To enable the DNS hostname in your VPC, make sure you’ve selected the VPC you’ve just created then select the actions drop-down button, then select edit VPC settings.

On the edit DNS hostnames dashboard, check the box on enable DNS hostname and then click save changes.

We have successfully modified VPC settings and enabled DNS hostname in our VPC.

Next is to create an internet gateway to allow resources in the VPC to communicate with the public. On the left side of the VPC dashboard, select Internet Gateway, and then click Create Internet Gateway.

In the create Internet gateway dashboard, under the name, give your Internet gateway a name, call it prod Internet Gateway and leave tags as optional then click Create Internet Gateway.

You have successfully created an internet gateway.

Next, we will attach the Internet Gateway to the VPC we just created.

To attach an internet gateway to a VPC, click the attach to a VPC

Under available VPC’s, click in the search box and select your prod-VPC. Remember only the VPC that does not have an Internet Gateway attached to it in your account will show up.

You can only attach one internet gateway, to a VPC. We just created this prod VPC and we haven’t attached any internet gateway to it; that’s why it’s the only VPC that is showing there. Select it and then click Attach Internet gateway.

We have successfully attached an internet gateway to our prod VPC.

If you look at the Internet gateway, the state is attached, and the VPC it is attached to is the prod VPC.

Next, we will create our public subnets in the first and the second availability zones, as shown according to our reference architecture. On the VPC dashboard on the left side of the navigation pane, select subnets.

I am still filtering my VPC, by the prod VPC, that’s why we are not seeing subnets in there because we have not created any subnet in that VPC.

We will create our first and second public subnets in this VPC. Click Create Subnet.

In the create subnet dashboard, select the VPC you want to create your subnet. Select the drop-down and select prod-VPC. Scroll down.

In the subnet settings sections, enter the details of your subnets, under name, call it public subnet az1, under Availability zone select the drop-down button and select us-east-1a, for IPv4 subnet CIDR block, enter 10.0.0.0/24. Then scroll down and click add new subnet, this will be the second public subnet.

Use the same procedure and enter the details of the second subnet as shown below. Remember the second subnet should be in us-east-1b AZ leave tags as optional and click create subnet.

Success, we have created our two public subnets.

Next, we will enable auto-assign IP settings. Select the first one and then select actions. Then click edit subnet settings.

Then in the edit subnet settings dashboard under the auto-assign IP settings section, check the box next to enable auto-assign public IPv4 address and then click save.

We have successfully changed the subnet settings.
Repeat the same procedure for the subnet in the second vailability zone. Click the action drop-down, and select Edit subnet settings.

Then in the edit subnet settings dashboard, under the auto-assign public IP settings section, check the box next to enable auto-assign IPv4 address then click save.

You have successfully changed the subnet settings.

Following our reference architecture, we will create a route table. On the left side of the navigation pane on the VPC dashboard, select the route table as shown.

It filters my VPC by the prod VPC, and in the prod VPC, there is only one route table and it is called the main Route table and it is private by default. This route table was created when you created the VPC.

To create the public route table, click Create route table.

In the Create Route Table dashboard, under name call your Route table public Route Table. Under VPC, select the drop-down button, and select your prod-VPC then click Create Route Table.

Route table successfully created. If you go to the routes tab, it shows local, which means it is only routing traffic locally within the VPC. This is because we have not associated this route table with any route.

Let’s add a public route to this route table. To add a route to the route table, make sure you are in the routes tab, and then click edit routes then click add route.

To add a route that routes traffic to the internet to this route table, under destination, click in the search box and type 0.0.0.0/0 then select it.

Then under target click in the search box a gain and here select your internet gateway.

Once you’ve selected the internet gateway, the internet gateway you have in your VPC will show up, and as you can see it’s the prod internet gateway. Select it and then click Save Changes.

The public route has been updated successfully. If you move to the routes tab, you will see the route.

Next, is to associate our two public subnets with the public route table. Move as follows, make sure you are still in the public route table, then move to the subnet associations tab. Once in the subnet association tab, click edit subnet associations.

You will be brought to the subnet association dashboard, here select the two subnets, public subnets az1 and az2 then click save associations.

Finish creating your VPC. Proceed to create the four remaining private subnets.

To create the private subnets, on the left side of the VPC dashboard, select subnets.

It filters by my VPC, and currently, I have two subnets.

We will strictly follow our reference architecture. Click Create Subnet.

In the create subnet dashboard, under VPC, select the drop-down button and select your prod-VPC. Scroll down.

Under the subnet name, enter private app subnet az1, under the availability zone, select the drop-down button and select us-east-1a, under IPv4 subnet CIDR block enter 10.0.2.0/24. Then scroll down at the bottom and click Add New Subnet.

This will be our second private subnet, enter the details as shown below, the details are a reflection of the reference architecture. Again move to the bottom and click add new subnet for the third private subnet.

Repeat the same procedure and enter the subnet details as shown below. Then scroll down and click Add new subnet for the fourth private subnet.

Enter the fourth subnet details as shown below, and make-sure the availability zones and CIDR block in the reference architecture are strictly followed. Click Create Subnets.

We have successfully created the four private subnets.

We created the four private subnets and did not explicitly associate them with any route table, hence they will be implicitly associated with the main route table.

This brings us to the end of this exercise. Pull down and stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!

Categories
Blogs

Understanding AWS ACL (Access Control Lists): Controlling Subnet Traffic

AWS ACL for subnet traffic control

Understanding AWS ACL (Access Control Lists): Controlling Subnet Traffic

AWS ACL for subnet traffic control

Network traffic flow in AWS

Before starting, let’s see how network traffics move among the resources. Traffics come from the internet to the internet gateway and then, according to the routes defined in the route tables, are directed to the virtual private cloud (VPC) subnets based on the rules defined through AWS ACL (Access Control Lists). 

What is an AWS ACL?

In Amazon Web Services (AWS), NACL stands for Network Access Control List. An AWS ACL (Access Control Lists) is a stateless, rule-based system that acts as a virtual firewall for controlling inbound and outbound traffic at the subnet level in a Virtual Private Cloud (VPC). An AWS ACL (Access Control Lists) allow or deny specific inbound or outbound traffic at the subnet level while the security group controls the qualified traffic to reach and leave the resources.

The ACL resides in front of the VPC subnets, and the security Groups protect the AWS resources, such as EC2 instances. It is one of the most critical differences between Network ACL and Security Group.

Network Access Control lists (NACL’s) are used to manage traffic at the network layer. Hence the name Network access control list. Picture it as the first line of defence for your cloud infrastructure, filtering traffic based on rules you set. ACLs are stateless and filter traffic based on rules defined for inbound and outbound traffic at the subnet level.

When you create a Virtual Private Cloud (VPC), it automatically associates a default NACL that permits all inbound and outbound traffic.

NACL’s are a powerful tool that can be used to improve the security of your AWS VPC. However, it is important to note that NACL’s are just one component of a comprehensive security strategy. To protect your AWS resources, you should also use other security features, such as security groups, IAM roles, and WAF rules.

Components of Network Access Control List (NACL)

AWS ACL for subnet traffic control

Rule Number: Each rule is assigned a unique number, and they are evaluated in ascending order. Once a rule matches incoming or outgoing traffic, it is immediately applied, even if higher-numbered rules contradict it.

Protocol: You have the flexibility to define any standard protocol, such as HTTP, HTTPS, ICMP, SSH, etc. when configuring rules for the ACL.

Inbound Rules: Inbound rules determine the source of incoming traffic and the destination port it is allowed to reach.

Outbound Rules: Outbound rules specify the destination for outgoing traffic and the destination port it can access.

Types of Network ACL

AWS ACL for subnet traffic control

Default Network ACL

The default network ACL permits unrestricted traffic to enter or exit the associated subnet. Additionally, every network ACL includes a rule marked with an asterisk rule number, responsible for denying traffic that doesn’t match any numbered rules. This particular rule is immutable and cannot be altered or deleted.

In this example, the above table is a default Network ACL table, which is associated with a subnet.

Rule 200 allows incoming HTTP traffic (port 80) from the source IP range 10.0.0.0/24.

Rule 201 allows incoming HTTPS traffic (port 443) from the same source IP range 10.0.0.0/24.

Rule 202 permits SSH traffic (port 22) from the source IP range 192.168.1.0/24.

Rule 203 allows RDP traffic (port 3389) from the same source IP range 192.168.1.0/24.

The wildcard rule (*) at the bottom denies all other incoming and outgoing traffic, providing a default security posture that allows only specific types of traffic from specified source IP ranges while denying all other traffic.

Custom Network ACL

This user-defined access control list lets you customize your network security policies.

AWS ACL for subnet traffic control

In this example:

Rule 100 allows incoming HTTP traffic (port 80) from the source IP range 10.0.0.0/24.

Rule 101 permits incoming HTTPS traffic (port 443) from the same source IP range 10.0.0.0/24.

Rule 102 allows SSH traffic (port 22) from the source IP range 192.168.1.0/24.

Rule 103 permits RDP traffic (port 3389) from the same source IP range 192.168.1.0/24.

The wildcard rule (*) at the end serves as a catch-all, denying all incoming and outgoing traffic, and providing a default security posture that allows only specific types of traffic from specified source IP ranges while blocking everything else. This custom Network ACL offers fine-grained control over traffic, allowing or denying access based on defined rules.

Hands-on demo Creating a Network ACL

Log in to the AWS Management Console. Then in the search box, type VPC, then select VPC under services.

AWS ACL for subnet traffic control

In the VPC dashboard on the left side of the navigation pane under security, select “Network ACLs.” Then click “Create Network ACL.”

AWS ACL for subnet traffic control

In the Create Network Access Control list dashboard, Provide the necessary information to create a Network ACL. Under the name, provide a name, for my case I will call it demo-ACL

Then under VPC, select the drop-down button and select your VPC, I created the prod-VPC so I will select it.

These are the only necessary settings to create NACL, leave tags as optional then scroll down and click create network ACL.

AWS ACL for subnet traffic control

Success our NACL has been successfully created.

AWS ACL for subnet traffic control

Note: By default, all inbound and outbound rules deny all traffic for newly created Network ACL as shown below.

Associate Subnet to Network ACL

Note: You can associate a network ACL with multiple subnets. but a subnet can be associated with only one network ACL at a time.

To associate subnets, move to the subnet association tab, then click Edit subnet associations.

In the edit subnet association dashboard, select your subnets by ticking the boxes, under the name, then click save changes.

We have successfully associated our subnets with the created NACL.

AWS ACL for subnet traffic control

Configure Inbound and Outbound rules:

First, launch an instance in the subnets associated with the NACL, then try to access your Public/Application server. It should not be accessible, due to no inbound and outbound rules configured yet. Now, Edit and add a new inbound and outbound rule.

Select the NACL ID then click it, in the ACL dashboard, move to the Inbound rules tab then select Edit Inbound rules

AWS ACL for subnet traffic control

In the edit inbound rule dashboard, click Add new rule.

Remember the rules are added in ascending numbers.

The first rule we will add is HTTP port 80, under rule number enter 100, then under custom TCP select the drop-down and select HTTP. Repeat the same process for HTTPS, and SSH then click save changes.

Then move to the outbound rules tab then, click edit outbound rules.

Add the first rule number. we will add rule 100, then under custom TCP select HTTP port 80, repeat the same, and add rule numbers 200, and 300 for HTTPS and SSH respectively then click save changes.

We have successfully added outbound rules.

Note: Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it gets executed regardless of any higher-numbered rule that might contradict it. For example, if rule 100 allows port 80, and rule 90 denies port 80, finally, port 80 will be denied as rule 90 is evaluated before 100.

Block IP address

Block IP address: Edit the inbound rule and try to block your own IP, after that, you should not be able to access your public/Application server.

This brings us to the end of this demo; always ensure you clean up resources.

Conclusion

NACL’s are important for AWS network security. They work with security groups, which handle different security aspects. NACL’s control traffic at the subnet level, using IP addresses and rules. Security groups manage access at the instance level, based on group memberships. These tools work together to defend against cyber threats.

Thanks for your attention and stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at. sales@accendnetworks.com

Thank you!

Categories
Blogs

Vpc Part Two: Building A Custom 3-tier Vpc From Scratch.

VPC PART TWO: BUILDING A CUSTOM 3-TIER VPC FROM SCRATCH.

In our custom 3-tier VPC reference architecture, our infrastructure is divided into 3 tiers. The first tier which we can also call the user interface or presentation tier, has public subnets which can hold resources such as

  • Nat gateways,
  • load balancers
  • and bastion hosts.

On the second tier which I also call the application tier, we have our private subnets, and this is the tier that can hold resources such as EC2 Instances (webservers).

On the third tier which I also call the database tier, we have another private subnet and this is the tier that holds databases.

The subnets are duplicated across multiple availability zones for high availability and fault tolerance.

finally, we have an internet gateway and route table to allow the resources in the VPC to have access to the internet.

To create this VPC, let’s log into the management console.

The first thing you should do is select the region where you want to create the VPC. according to our reference architecture, this VPC should be in the US East (N. Virginia) region. (us-east-1)

To change your region, select the dropdown in the top right navigation pane in the management console, and make sure you select, Us-east (Northern Virginia).

Straight away type VPC in the search box, then select VPC under services.

In the VPC dashboard, select VPC’s Then click create VPC

Under VPC settings, select VPC only then give your VPC a name, and call it prod-VPC.

Leave it on the IPv4 CIDIR block.

Under IPv4 CIDIR, enter Your CIDIR block. According to our reference architecture, it is 10.0.0.0/16. Then leave it at no ipv6 CIDIR block, tenancy is going to be the default, and tags are optional. scroll down and click Create VPC.

We have successfully created our VPC

NOTE: you can see all the VPC’s in your account by selecting the filter by VPC search box below.

Once you filter it by a particular VPC, it will only show you the information on that VPC.

Next, we will enable the DNS hostname, for our VPC.

DNS options

If you need public IPv4 DNS hostnames for the EC2 instances launched into your subnets, you must enable both of the DNS options.

Enable DNS hostnames: EC2 instances launched in the VPC receive public DNS hostnames that correspond to their public IPv4 addresses.

To enable the DNS hostname in your VPC, make sure you’ve selected the VPC you’ve just created then select the actions drop-down button, then select edit VPC settings.

on the edit DNS hostnames dashboard, check the box on enable DNS hostname then click save changes.

we have successfully modified VPC settings and enabled DNS hostname in our VPC.

Next is to create an internet gateway to allow resources in the VPC to communicate with the public. On the left side of the VPC dashboard, select Internet Gateway, then click Create Internet Gateway.

In the create Internet gateway dashboard, under the name, give your Internet gateway a name, call it prod Internet Gateway

leave tags as optional then click Create Internet Gateway.

You have successfully created an internet gateway.

Next, we will attach the Internet Gateway to the VPC we just created.

To attach an internet gateway to a VPC, click the attach to a VPC

Under available VPC’s, click in the search box and select your prod-VPC. Remember only the VPC that does not have an Internet Gateway attached to it in your account will show up.

You can only attach one internet gateway, to a VPC. We just created this prod VPC and we haven’t attached any internet gateway to it, that’s why it’s the only VPC that is showing there. Select it, then click Attach Internet gateway.

We have successfully attached an internet gateway to our prod VPC.

If you look at the Internet gateway, the state is attached, and the VPC it is attached to is the prod VPC.

Next, we will create our public subnets in the first and the second availability zones, as shown according to our reference architecture. On the VPC dashboard on the left side of the navigation pane, select subnets.

I am still filtering my VPC, by the prod VPC, that’s why we are not seeing subnets in there because we have not created any subnet in that VPC.

We will create our first and second public subnets in this VPC. Click Create Subnet.

In the create subnet dashboard, select the VPC you want to create your subnet. Select the drop-down and select prod-VPC. Scroll down.

In the subnet settings sections, enter the details of your subnets, under name, call it public subnet az1, under Availability zone select the drop-down button and select us-east-1a, for IPv4 subnet CIDR block, enter 10.0.0.0/24. Then scroll down and click add new subnet, this will be the second public subnet.

Use the same procedure and enter the details of the second subnet as shown below. Remember the second subnet should be in us-east-1b AZ leave tags as optional and click create subnet.

Success, we have created our two public subnets.

Next, we will enable auto-assign IP settings. Select the first one Then select actions. Then click edit subnet settings.

Then in the edit subnet settings dashboard under the auto-assign IP settings section, check the box next to enable auto-assign public IPv4 address then click save.

We have successfully changed the subnet settings.

Repeat the same procedure for the subnet in the second vailability zone. Click the action drop-down, and select Edit subnet settings.

Then in the edit subnet settings dashboard, under the auto-assign public IP settings section, check the box next to enable auto-assign IPv4 address then click save.

You have successfully changed the subnet settings.

Following our reference architecture, we will create a route table. On the left side of the navigation pane on the VPC dashboard, select the route table as shown.

It is filtering my VPC by the prod VPC, and in the prod VPC, there is only one route table and it is called the main Route table and it is private by default. This route table was created when you created the VPC.

To create the public route table, click Create route table.

In the Create Route Table dashboard, under name call your Route table public Route Table. Under VPC, select the drop-down button and select your prod-VPC then click Create Route Table.

Route table successfully created. If you go to the routes tab, it shows local.

which means it is only routing traffic locally within the VPC. This is because we have not associated this route table with any route.

Let’s add a public route to this route table. To add a route to the route table, make sure you are in the routes tab, then click edit routes then click add route.

To add a route that routes traffic to the internet to this route table, under destination, click in the search box and type 0.0.0.0/0 then select it.

Then under target click in the search box a gain and here select your internet gateway.

Once you’ve selected the internet gateway, the internet gateway you have in your VPC will show up, and as you can see it’s the prod internet gateway. Select it then click Save Changes.

The public route has been updated successfully. If you move to the routes tab, you will see the route.

Next, is to associate our two public subnets with the public route table. Move as follows, make sure you are still in the public route table, then move to the subnet associations tab. Once in the subnet association tab, click edit subnet associations.

You will be brought to the subnet association dashboard, here select the two subnets, public subnets az1 and az2 then click save associations.

finish creating your VPC. Proceed to create the four remaining private subnets.

to create the private subnets, on the left side of the VPC dashboard, select subnets.

It is still filtering by my VPC, and currently, I have two subnets.

We will strictly follow our reference architecture. Click Create Subnet.

In the create subnet dashboard, under VPC, select the drop-down button and select your prod-VPC. Scroll down.

Under the subnet name, enter private app subnet az1, under the availability zone, select the drop-down button and select us-east-1a, under IPv4 subnet CIDR block enter 10.0.2.0/24. Then scroll down at the bottom and click Add New Subnet.

This will be our second private subnet, enter the details as shown below, the details are a reflection of the reference architecture. Again move to the bottom and click add new subnet for the third private subnet.

Repeat the same procedure and enter the subnet details as shown below. Then scroll down and click Add new subnet for the fourth private subnet

Enter the fourth subnet details as shown below, and make-sure the availability zones and CIDR block in the reference architecture are strictly followed. Click Create Subnets.

We have successfully created the four private subnets.

We created the four private subnets and did not explicitly associate them with any route table, hence they will be implicitly associated with the main route table.

This brings us to the end of this exercise. Pull down and stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at. sales@accendnetworks.com

Thank you!

Categories
Blogs

Virtual Private Cloud (VPC) Overview: Empowering Secure and Scalable Cloud Networks Part 1

Virtual Private Cloud (VPC) Overview: Empowering Secure and Scalable Cloud Networks Part 1.

With Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically isolated virtual network that you’ve defined.

VPC Fundamentals

A VPC, virtual private cloud is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can specify an IP address range for the VPC, add subnets, add gateways, and associate security groups. 

Subnets

Allow you to partition your network inside your VPC. It’s a range of IP addresses in your VPC. You launch AWS resources, such as Amazon EC2 instances, into your subnets. Subnets are at the Availability Zone level.

You can connect a subnet to the internet, other VPC’s, and your own data Centers, and route traffic to and from your subnets using route tables.

A public subnet is a subnet that is accessible from the internet

A private subnet is a subnet that is not accessible from the interne

To define access to the internet and between subnets, we use Route Tables.

Route tables

A route table contains a set of rules, called routes, that are used to determine where network traffic from your VPC is directed. You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.

Each route in a route table specifies the range of IP addresses where you want the traffic to go (the destination) and the gateway, network interface, or connection through which to send the traffic (the target).

Access the internet

You control how the instances that you launch into a VPC access resource outside the VPC.

Internet Gateway and NAT Gateways

Internet Gateways help our VPC instances connect to the internet

Public subnet has a route to the internet gateway

NAT Gateways (AWS managed) and NAT Instances (self-managed) allow your instances in your Private Subnets to access the internet while remaining private.

NAT Gateways allow an instance in your VPC to initiate outbound connections to the internet but prevent unsolicited inbound connections from the internet. NAT maps multiple private IPv4 addresses to a single public IPv4 address. You can configure the NAT device with an Elastic IP address and connect it to the internet through an internet gateway. This makes it possible for an instance in a private subnet to connect to the internet through the NAT device, routing traffic from the instance to the internet gateway and any responses to the instance.

A default VPC includes an internet gateway, and each default subnet is a public subnet. Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address. These instances can communicate with the internet through the internet gateway. An internet gateway enables your instances to connect to the internet through the Amazon EC2 network edge.

By default, each instance that you launch into a nondefault subnet has a private IPv4 address, but no public IPv4 address, unless you specifically assign one at launch, or you modify the subnet’s public IP address attribute. These instances can communicate with each other, but can’t access the internet.

You can enable internet access for an instance launched into a nondefault subnet by attaching an internet gateway to its VPC.

If you associate an IPv6 CIDR block with your VPC and assign IPv6 addresses to your instances, instances can connect to the internet over IPv6 through an internet gateway. Alternatively, instances can initiate outbound connections to the internet over IPv6 using an egress-only internet gateway.

IPv6 traffic is separate from IPv4 traffic; your route tables must include separate routes for IPv6 traffic.

NACL (Network ACL)

A firewall that controls the traffic from and to the subnet (i.e., the first mechanism of defence of our public subnet)

Can have ALLOW and DENY rules

Are attached at the Subnet level

Rules only include IP addresses

To establish internet connectivity inside a subnet:

The network ACLs associated with the subnet must have rules to allow inbound and outbound traffic — The network access control lists (ACLs) that are associated with the subnet must have rules to allow inbound and outbound traffic on port 80 (for HTTP traffic) and port 443 (for HTTPS traffic). This is a necessary condition for Internet Gateway connectivity

Security Groups

A firewall that controls the traffic to and from an Elastic network interface (ENI) or an EC2 Instance (i.e., a second mechanism of defense)

Can only have ALLOW rules

Rules can include IP addresses as well as other security groups.

Egress-Only Internet Gateways

VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances.

You cannot associate a security group with an egress-only Internet gateway.

You can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.

VPC Flow Logs

Capture information about network traffic: VPC Flow Logs, Subnet Flow Logs & Elastic Network Interface Flow Logs

DHCP Options Sets

Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network.

You can assign your own domain name to your instances, and use up to four of your own DNS servers by specifying a special set of DHCP options to use with the VPC.

Creating a VPC automatically creates a set of DHCP options, which are domain-name-servers=AmazonProvidedDNS, and domain-name=domain-name-for-your-region, and associates them with the VPC.

DNS

AWS provides instances launched in a default VPC with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance.

AWS provides instances launched in a non-default VPC with a private DNS hostname and possibly a public DNS hostname, depending on the DNS attributes you specify for the VPC and if your instance has a public IPv4 address.

From the Settings, click on “Create Volume.”

Set VPC attributes enableDnsHostnames and enableDnsSupport to true so that your instances receive a public DNS hostname and the Amazon-provided DNS server can resolve Amazon-provided private DNS hostnames.

VPC Peering

Connect two VPC’s privately using the AWS network

Make them behave as if the two VPC’s are in the same network.

We do this by setting up a VPC peering connection between them.

The two VPC’s must not have overlapping CIDR (IP address range)

VPC Peering is not transitive. If we have a peering connection between (VPC A and VPC B) and (VPC A and VPC C) this does not mean that VPC C can communicate with VPC B (this means there is no transitivity)

VPC Endpoints

Use when you need private access from within your VPC to an AWS services

Endpoints allow you to connect to AWS services using a private network instead of the public network.

This gives you increased security and lower latency to access AWS services

Use VPC Endpoint Gateway for S3 and DynamoDB. Only these two services have a VPC Gateway Endpoint (remember all the other ones have an Interface endpoint (powered by Private Link — means a private IP).

Use VPC Endpoint Interface for the rest of the services

Site to Site VPN & Direct Connect

Site-to-Site VPN: On-premise VPN to AWS over the public internet. The connection is automatically encrypted

Direct Connect (DX): Establish a private secure and fast physical connection between on-premise and AWS

Stay tuned for more.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at. sales@accendnetworks.com

Thank you!