==============================
VPC : Virtual Private Cloud
==============================

=> VPC stands for Virtual Private Cloud.
=> VPC provides a virtual network environment.
=> A VPC allows users to create and manage their own isolated virtual networks within the cloud.
=> VPC provides a flexible and secure network environment to manage our resources in the AWS cloud.

================
VPC terminology
================

1) Isolated Network
2) CIDR Blocks
3) Subnets (Public & Private)
4) Route Tables
5) Internet Gateway (IGW)
6) NAT Gateway (NGW)
7) VPC Peering
8) Security Groups (resource level)
9) NACL (subnet level)

===============
Types of IPs
===============

1) IPv4
2) IPv6

=========
IPv4
=========

=> IPv4 addresses are 32-bit numeric addresses written as four numbers separated by periods (e.g. 192.168.0.1).
=> It is the most widely used IP version and supports approximately 4.3 billion unique addresses.
=> However, due to the increasing number of devices connected to the internet, IPv4 addresses are running out, leading to the adoption of IPv6.

===========
IPv6
===========

=> IPv6 addresses are 128-bit alphanumeric addresses written as eight groups of four hexadecimal digits separated by colons (e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
=> IPv6 provides a significantly larger address space than IPv4, with approximately 340 undecillion unique addresses.
=> It was introduced to overcome the IPv4 address exhaustion issue and support the growing number of internet-connected devices.

============
VPC Sizing
============

=> The process of deciding the number of IPs required for the VPC and the number of IPs required for each subnet is called VPC sizing.
-> VPC sizing is calculated as 2 power (32 - prefix length):

10.0.0.0/16 => 2 power (32-16) => 2 power 16 => 65,536
10.0.0.0/32 => 2 power (32-32) => 2 power 0  => 1
10.0.0.0/31 => 2 power (32-31) => 2 power 1  => 2
10.0.0.0/30 => 2 power (32-30) => 2 power 2  => 4
10.0.0.0/29 => 2 power (32-29) => 2 power 3  => 8
10.0.0.0/24 => 2 power (32-24) => 2 power 8  => 256

Note: For the VPC we will use /16 and for each subnet we will use /24 as the CIDR range.

=======================
VPC Lab Task For Today
=======================

1) Create VPC
   Use VPC CIDR as : 10.0.0.0/16
   Note : It will create one Route Table by default. Rename it as "ashokit-private-rt"

2) Create 2 Subnets (Public and Private Subnets)
   public subnet CIDR  : 10.0.0.0/24 (256 ips)
   private subnet CIDR : 10.0.1.0/24 (256 ips)

3) Create Internet Gateway and attach it to our VPC

4) Create one new Route Table (name it as public Route Table)

5) Perform Subnet Association with Route Tables
   => public-rt  => public-sn
   => private-rt => private-sn

6) Add a route to the IGW in the Public Route Table, so that its subnet becomes public-sn (internet will be available).

7) Create one EC2 VM in the public subnet and another EC2 VM in the private subnet.

8) Test connectivity of both VMs using an SSH client.

=====================
Step-1 : Create VPC
=====================

-> Create a VPC
-> CIDR Block : 10.0.0.0/16
-> Select No IPv6 CIDR block
-> Select Default Tenancy
-> Create VPC

Note: After creating the VPC verify its details (DNS hostnames -> Disabled)

Note: One Route Table will be created for the VPC by default.
Rename it as "Ashokit-Private-Route-Table"

===========================
Step-2 : Create 2 Subnets
===========================

-----------------------
Create Subnet-1
-----------------------

-> Create Subnet
   Name : public-subnet-az-1
-> Select availability zone as 1a
-> CIDR Block : 10.0.0.0/24 (It will take 256 ips)

------------------------
Create Subnet-2
------------------------

-> Create Subnet
   Name : private-subnet-az-1b
-> Select availability zone as 1b
-> CIDR Block : 10.0.1.0/24 (It will take 256 ips)

Note: Every subnet will have a Route Table and a NACL.

-> AWS will reserve 5 ips in every subnet (we will get only 251 usable ips in a /24)

=================================
Step-3 : Create Internet Gateway
=================================

Note: By default one IGW will be available and it will be attached to the default VPC.

-> Create custom Internet Gateway (ashokit-vpc-igw)
-> Attach this IGW to the VPC (one IGW can be attached to only one VPC)

=================================
Step-4 : Create Route Table
=================================

Note: When we create a VPC, we get only one route table by default. It is called the Main route table.
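An added example (not part of these notes) that applies the sizing rule above and the 5-reserved-addresses note to the lab's own CIDRs: it computes block sizes, the usable hosts per subnet, and checks that planned subnets sit inside the VPC block without overlapping each other. Function names and the deliberately broken second layout are mine.

```python
import ipaddress

# AWS keeps 5 addresses in every subnet (notes: a /24 gives 251 usable)
AWS_RESERVED_PER_SUBNET = 5


def cidr_size(cidr):
    """Total addresses in a block: 2 ** (32 - prefix), the sizing-table formula."""
    return ipaddress.ip_network(cidr).num_addresses


def usable_hosts(subnet_cidr):
    """Addresses left for instances after the 5 AWS reserves in each subnet."""
    return cidr_size(subnet_cidr) - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Validate a VPC layout: every subnet must sit inside the VPC block and
    no two subnets may overlap. Returns a list of problems (empty means OK)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    print(cidr_size("10.0.0.0/16"))                     # 65536
    print(usable_hosts("10.0.0.0/24"))                  # 251
    # the lab layout: both /24s inside 10.0.0.0/16, no overlap
    print(plan_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]))
    # constructed bad layout: an overlapping /25 and a subnet outside the VPC
    print(plan_subnets("10.0.0.0/16",
                       ["10.0.0.0/24", "10.0.0.128/25", "192.168.1.0/24"]))
```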
Note : Change the existing route table name to 'ashokit-vpc-private-rt'

-> Create one new Route Table (ashokit-vpc-public-rt)
-> Choose the VPC and create it

Now we have 2 route tables.

-> Go to Route Tables and attach the route tables to subnets (Subnet Associations for Route Tables)
   Private Route Table should have the Private Subnet
   Public Route Table should have the Public Subnet

==========================================
Step-5 : Making Subnet as public
==========================================

-> Go to the public Route Table
-> Edit Routes
-> Add Destination as 0.0.0.0/0 and Target as IGW
-> Save
-> Subnet Associations -> Edit subnet associations -> Select Public Subnet

======================================
Step - 6 : Create EC2 (Public EC2)
======================================

-> Choose AMI
-> Select VPC
-> Select Public Subnet
-> Assign Public IP as Enable
-> Add SSH and HTTP protocols
-> Download KeyPair
-> Launch Instance

Note: Go to the VPC and enable DNS hostnames.

========================================
Step - 7 : Create EC2 (Private EC2)
========================================

-> Choose AMI
-> Select VPC
-> Select Private Subnet
-> Assign Public IP as Enable
-> Add SSH (source : custom, Range : 10.0.0.0/16)
-> Download KeyPair
-> Launch Instance

=================================
Step - 8 : Test EC2 Connections
=================================

-> Connect to Public EC2 using MobaXterm (it should allow us to connect)
-> Connect to Private EC2 using MobaXterm (it shouldn't allow us to connect)

=================================================================================
Step - 9 : Connect with 'private-ec2' from 'public-ec2' using 'ssh' connection
=================================================================================

Note: As both EC2 instances are in the same VPC, we should be able to access one machine from the other.
----------------------
Procedure to access
----------------------

-> Upload the pem file into the public-ec2 machine (in MobaXterm we have an upload option)

-> Execute the below command to restrict permissions on the pem file (ssh refuses a key file that is readable by others)
   $ chmod 400 "pem-file-name"

-> Execute the below command to make an ssh connection from public-ec2 to private-ec2
   $ ssh -i "pem-file-name" ec2-user@private-ec2-vm-private-ip

   Ex: ssh -i "ashokitnewkey.pem" ec2-user@65.2.73.111

Note: It should establish a connection (this is an internal connection)

-> Try to ping google from the private ec2 (it should not work because no IGW route is available)

=============================
VPC with NAT Gateway Lab Task
=============================

1) Create NAT gateway in the public subnet
2) Add a route to the NAT gateway in 'private-subnet-route-table'
3) After the NAT Gateway is in place, we should be able to ping google from 'private-ec2' also

Note: Delete the Elastic IP and NAT Gateway after practice

====================
What is VPC Peering
====================

=> It is used to establish communication between 2 VPCs.
=> Using the VPC peering technique, we can access one VPC's resources from another VPC.

To establish the connection, let's create VPC peering

=> On the left navigation panel under VPC -> Peering Connections:
   VPC (Requester) = ashokit_aws_custom_vpc
   VPC (Accepter)  = default_vpc

=> Now you will see the status "Pending Acceptance", which means the Requester has sent a request to the peer; now the target VPC needs to accept the request.
=> Go to VPC Peering -> Click on Actions -> Accept Request

=> Now we need to make entries in the Route Tables

Now navigate to Route Tables, in the Default VPC RT (Route Table) -> Edit routes

########## Default VPC Route Table should have 3 routes ##########
(Local + all traffic to IGW + ashokit_aws_custom_vpc IP range)

172.31.0.0/16 - local
0.0.0.0/0     - Internet-gateway
10.0.0.0/16   - vpc peering (we need to add this)

########## Custom VPC Route Table should have 3 routes ##########
(Local + all traffic to IGW + Default VPC IP range)

10.0.0.0/16   - local
0.0.0.0/0     - Internet-gateway
172.31.0.0/16 - vpc peering (we need to add this)

########## Allow Traffic in VPC Security Groups ##########

Edit the Security Groups of the Default and Custom VPCs to allow traffic from each other.

Default VPC Security Group looks like:
   SSH - 22 - all
   All Traffic

Custom VPC Security Group would look like:
   SSH - 22 - all
   All Traffic

=> Create 1 EC2 VM in the default VPC and 1 EC2 VM in the custom VPC

# Ping the default-vpc EC2 VM's private IP from the ashokit-custom-vpc VM
$ ping default-vpc-ec2-private-ip

Note: If the ping is successful then VPC peering is working.

===============================================================
Q ) What is the difference between NACL and Security Groups ?
===============================================================

================
Security Group
================

-> A Security Group acts as a firewall to secure our resources
-> A Security Group contains Inbound Rules & Outbound Rules
   inbound rules  ---> incoming traffic
   outbound rules ---> outgoing traffic
-> In one security group we can add 50 rules
-> Security Groups support only Allow rules (by default all traffic is denied)
-> We can't configure a deny rule in a security group
   Ex : 172.32.31.90 ----> don't accept requests from this IP (we can't do this in an SG)
-> Security Groups are applicable at the resource level (we have to attach the SG to the resource manually)
-> Multiple Security Groups can be attached to a single instance & one instance can have 5 security groups

======
NACL
======

-> NACL stands for Network Access Control List
-> A NACL acts as a firewall for our subnets in the VPC
-> NACLs are applicable at the subnet level
-> NACL rules apply to all the resources which are part of that subnet
-> In a NACL we can configure both Allow & Deny rules
   Ex: We can block a particular IP address (192.168.2.4) from connecting to an EC2 instance
-> One subnet can have only one NACL

Note: One NACL can be added to multiple subnets
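An added example (not from these notes) modelling the three decisions the labs above turn on: the route-table lookup (longest prefix match) for the private, public, NAT and peering tables, a NACL's ordered allow/deny rules, and a security group's allow-only rules. Function names, the NACL rule numbers and the sample rule sets are mine; the CIDRs and IPs are the ones used in the notes.

```python
import ipaddress


def route_target(route_table, dst):
    """Longest-prefix match over (cidr, target) entries, as a VPC route table does.
    Returns None when no entry covers the destination (no route at all)."""
    dst, best = ipaddress.ip_address(dst), None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_allows(rules, src):
    """NACL (subnet level): rules are evaluated in ascending rule number, the
    first matching rule wins, and an unmatched packet hits the implicit deny."""
    src = ipaddress.ip_address(src)
    for _number, cidr, action in sorted(rules):
        if src in ipaddress.ip_network(cidr):
            return action == "allow"
    return False


def sg_allows(allow_cidrs, src):
    """Security group (resource level): allow rules only. There is no deny rule,
    so the only way to keep a source out is not to cover it with an allow."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(c) for c in allow_cidrs)


# Route tables as built in the labs (constructed from the notes)
PRIVATE_RT     = [("10.0.0.0/16", "local")]
PUBLIC_RT      = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]
PRIVATE_RT_NAT = PRIVATE_RT + [("0.0.0.0/0", "nat-gateway")]
CUSTOM_RT_PEER = PUBLIC_RT + [("172.31.0.0/16", "vpc-peering")]

# NACL with the "block one IP" rule the notes describe; SG with the Step-7 SSH source
NACL_RULES   = [(100, "192.168.2.4/32", "deny"), (200, "0.0.0.0/0", "allow")]
SG_SSH_STEP7 = ["10.0.0.0/16"]

if __name__ == "__main__":
    print(route_target(PRIVATE_RT, "8.8.8.8"))        # None: "ping google" fails
    print(route_target(PRIVATE_RT_NAT, "8.8.8.8"))    # nat-gateway
    print(route_target(PUBLIC_RT, "172.31.5.6"))      # igw: peer VPC not reachable
    print(route_target(CUSTOM_RT_PEER, "172.31.5.6")) # vpc-peering
    print(nacl_allows(NACL_RULES, "192.168.2.4"))     # False: explicit deny
    print(sg_allows(["0.0.0.0/0"], "172.32.31.90"))   # True: an SG cannot deny one IP
    print(sg_allows(SG_SSH_STEP7, "172.32.31.90"))    # False: only by narrowing the allow
```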