Designing and Building a Custom VPC from Scratch

Hands-On Lab

Adrian Cantrill

Training Architect

Length

01:30:00

Difficulty

Intermediate

This hands-on lab provides you with some experience building and connecting the following services inside AWS:

  • VPC
  • Subnets
  • Internet gateway
  • NAT gateways
  • Bastion host
  • Route tables
  • Security groups
  • Network Access Control Lists (NACLs)

These services are the foundation of networking architecture inside of AWS and cover concepts such as infrastructure, design, routing, and security.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Designing and Building a Custom VPC from Scratch

Introduction

In this hands-on lab, we'll build and connect the following AWS services:

  • VPC
  • Subnets
  • Internet gateway
  • NAT gateways
  • Bastion host
  • Route tables
  • Security groups
  • Network Access Control Lists (NACLs)

Solution

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Create VPC and Subnet Architecture

Create a VPC

  1. Navigate to VPC.
  2. Click Your VPCs in the left-hand menu.
  3. Click Create VPC, and set the following values:
    • Name tag: labVPC
    • IPv4 CIDR block: 10.0.0.0/16
  4. Leave the IPv6 CIDR block and Tenancy fields as their default values.
  5. Click Create.

Create Subnets

publicA Subnet
  1. Click Subnets in the left-hand menu.
  2. Click Create subnet.
    • Name tag: publicA
    • VPC: labVPC
    • Availability Zone: us-east-1a
    • IPv4 CIDR block: 10.0.0.0/24
  3. Click Create, and close out of the success message.
publicB Subnet
  1. Click Create subnet.
    • Name tag: publicB
    • VPC: labVPC
    • Availability Zone: us-east-1b
    • IPv4 CIDR block: 10.0.1.0/24
  2. Click Create, and close out of the success message.
publicC Subnet
  1. Click Create subnet.
    • Name tag: publicC
    • VPC: labVPC
    • Availability Zone: us-east-1c
    • IPv4 CIDR block: 10.0.2.0/24
  2. Click Create, and close out of the success message.
privateA Subnet
  1. Click Create subnet.
    • Name tag: privateA
    • VPC: labVPC
    • Availability Zone: us-east-1a
    • IPv4 CIDR block: 10.0.4.0/24
  2. Click Create, and close out of the success message.
privateB Subnet
  1. Click Create subnet.
    • Name tag: privateB
    • VPC: labVPC
    • Availability Zone: us-east-1b
    • IPv4 CIDR block: 10.0.5.0/24
  2. Click Create, and close out of the success message.
privateC Subnet
  1. Click Create subnet.
    • Name tag: privateC
    • VPC: labVPC
    • Availability Zone: us-east-1c
    • IPv4 CIDR block: 10.0.6.0/24
  2. Click Create, and close out of the success message.
dbA Subnet
  1. Click Create subnet.
    • Name tag: dbA
    • VPC: labVPC
    • Availability Zone: us-east-1a
    • IPv4 CIDR block: 10.0.8.0/24
  2. Click Create, and close out of the success message.
dbB Subnet
  1. Click Create subnet.
    • Name tag: dbB
    • VPC: labVPC
    • Availability Zone: us-east-1b
    • IPv4 CIDR block: 10.0.9.0/24
  2. Click Create, and close out of the success message.
dbC Subnet
  1. Click Create subnet.
    • Name tag: dbC
    • VPC: labVPC
    • Availability Zone: us-east-1c
    • IPv4 CIDR block: 10.0.10.0/24
  2. Click Create, and close out of the success message.

Create Internet Gateway, Public Routing, and Bastion Host

  1. Select publicA, and click Actions > Modify auto-assign IP settings.
  2. Check the box to Enable auto-assign public IPv4 address.
  3. Click Save, and then un-select publicA.
  4. Select publicB, and click Actions > Modify auto-assign IP settings.
  5. Check the box to Enable auto-assign public IPv4 address.
  6. Click Save, and then un-select publicB.
  7. Select publicC, and click Actions > Modify auto-assign IP settings.
  8. Check the box to Enable auto-assign public IPv4 address.
  9. Click Save.

Configure Internet Gateway

  1. Click Internet Gateways in the left-hand menu.
  2. Click Create internet gateway.
  3. Set the name tag as "labVPCIGW", and click Create.
  4. Select the newly created IGW, and click Actions > Attach to VPC.
  5. Select labVPC, and click Attach.

Configure Routing

  1. Click Route Tables in the left-hand menu.
  2. Click Create route table, and set the following values:
    • Name tag: publicRT
    • VPC: labVPC
  3. Click Create.

Add Default Public Route

  1. Select publicRT, and click the Routes tab.
  2. Click Edit routes, Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: Internet Gateway, and select labVPCIGW
  3. Click Add route again, set the following values:
    • Destination: ::/0
    • Target: Internet Gateway, and select labVPCIGW
  4. Click Save routes.
  5. Click Close.

Associate with Subnets

  1. Select publicRT, and click the Subnet Associations tab.
  2. Click Edit subnet associations.
  3. Select publicA, publicB, and publicC.
  4. Click Save.

Create a Bastion Host

  1. Navigate to EC2, and click Launch Instance.
  2. On the AMI page, select the Amazon Linux 2 AMI with 64-bit (x86) architecture.
  3. Choose the t3.micro instance type, and click Next: Configure Instance Details.
  4. On the Configure Instance Details page, set the following values:
    • Network: labVPC
    • Subnet: publicB
    • Auto-assign Public IP: Use subnet setting (Enable)
  5. Click Next: Add Storage, and then click Next: Add Tags.
  6. On the Add Tags page, add the following tag:
    • Key: Name
    • Value: BastionHost
  7. Click Next: Configure Security Group.
  8. Select Create a new security group, and set the following values:
    • Security group name: bastionSG
    • Description: bastionSG
  9. Click Review and Launch, and then Launch.
  10. In the key pair dialog, select Create a new key pair.
  11. Give it a Key pair name of "vpclab".
  12. Click Download Key Pair, and then Launch Instances.
  13. Click View Instances, and give it a few minutes to enter the running state.

Verify Bastion Host Is Working

  1. When the bastion host has 2/2 status checks, right-click the instance, click Connect, and copy the ssh connection command.
    • Linux/macOS users will need to run a chmod 400 vpclab.pem command first to avoid errors.
    • Windows users can connect using this as a guide.
  2. Open a terminal window, and run the ssh connection command to connect to your bastion host.

Configure Private Internet Connectivity Using NAT Gateway

Create the NAT Gateways

  1. In the AWS console, navigate to VPC.
  2. Click NAT Gateways in the left-hand menu.
  3. Click Create NAT Gateway.
  4. Set the subnet to publicA.
  5. Click Create New EIP and then Create a NAT Gateway.
  6. Click Close.
  7. Click Create NAT Gateway.
  8. Set the subnet to publicB.
  9. Click Create New EIP and then Create a NAT Gateway.
  10. Click Close.
  11. Click Create NAT Gateway.
  12. Set the subnet to publicC.
  13. Click Create New EIP and then Create a NAT Gateway.
  14. Click Close.
  15. Select each NAT gateway, and copy each one's NAT Gateway ID as well as the public subnet it's in (this information can be found in the Details tab). Paste these values into a text file, as we will need them later.

Create Three Private Route Tables

  1. Click Route Tables.
  2. Click Create route table, and set the following values:
    • Name tag: privateA-RT
    • VPC: labVPC
  3. Click Create and then Close.
  4. Click Create route table, and set the following values:
    • Name tag: privateB-RT
    • VPC: labVPC
  5. Click Create and then Close.
  6. Click Create route table, and set the following values:
    • Name tag: privateC-RT
    • VPC: labVPC
  7. Click Create and then Close.

Route Table Associations

privateA-RT
  1. With privateA-RT selected, click the Subnet Associations tab.
  2. Click Edit subnet associations.
  3. Select dbA and privateA.
  4. Click Save.
  5. On the same route table, click the Routes tab.
  6. Click Edit routes, Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: NAT Gateway, and paste the NAT Gateway ID in the list you made earlier
  7. Click Save routes and Close.
privateB-RT
  1. Select privateB-RT, and click the Subnet Associations tab.
  2. Click Edit subnet associations.
  3. Select dbB and privateB.
  4. Click Save.
  5. On the same route table, click the Routes tab.
  6. Click Edit routes, Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: NAT Gateway, and paste the NAT Gateway ID in the list you made earlier
  7. Click Save routes and Close.
privateC-RT
  1. Select privateC-RT, and click the Subnet Associations tab.
  2. Click Edit subnet associations.
  3. Select dbC and privateC.
  4. Click Save.
  5. On the same route table, click the Routes tab.
  6. Click Edit routes, Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: NAT Gateway, and paste the NAT Gateway ID in the list you made earlier
  7. Click Save routes and Close.
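The subnet plan and routing design built above, checked in code. This is an added example and not part of the lab; the three NAT gateway IDs are constructed placeholders standing in for the IDs you copied from the console, and everything else (subnet names, AZs, CIDRs, route table names) is exactly what the lab creates.

```python
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# (name, availability zone, CIDR, tier) exactly as the lab creates them
SUBNETS = [
    ("publicA", "us-east-1a", "10.0.0.0/24", "public"),
    ("publicB", "us-east-1b", "10.0.1.0/24", "public"),
    ("publicC", "us-east-1c", "10.0.2.0/24", "public"),
    ("privateA", "us-east-1a", "10.0.4.0/24", "private"),
    ("privateB", "us-east-1b", "10.0.5.0/24", "private"),
    ("privateC", "us-east-1c", "10.0.6.0/24", "private"),
    ("dbA", "us-east-1a", "10.0.8.0/24", "db"),
    ("dbB", "us-east-1b", "10.0.9.0/24", "db"),
    ("dbC", "us-east-1c", "10.0.10.0/24", "db"),
]

# Constructed placeholder NAT gateway IDs -> the public subnet each was created in
NAT_GATEWAYS = {"nat-0aaaa": "publicA", "nat-0bbbb": "publicB", "nat-0cccc": "publicC"}


def check_cidrs(subnets=SUBNETS, vpc=VPC_CIDR):
    """Every subnet must sit inside the VPC block, and no two may overlap."""
    nets = [ipaddress.ip_network(cidr) for _, _, cidr, _ in subnets]
    errors = [f"{n} outside {vpc}" for n in nets if not n.subnet_of(vpc)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{a} overlaps {b}")
    return errors


def plan_routes(subnets=SUBNETS, nat_gateways=NAT_GATEWAYS):
    """Map each subnet to (route table, default-route target) as the lab wires them.

    Public subnets share publicRT (0.0.0.0/0 -> IGW). Private and db subnets use
    the per-AZ table whose 0.0.0.0/0 points at the NAT gateway sitting in the
    public subnet of the same AZ, so a NAT gateway failure stays inside one AZ.
    """
    az_of = {name: az for name, az, _, _ in subnets}
    nat_by_az = {az_of[pub]: nat for nat, pub in nat_gateways.items()}
    plan = {}
    for name, az, _, tier in subnets:
        if tier == "public":
            plan[name] = ("publicRT", "labVPCIGW")
        else:
            plan[name] = (f"private{az[-1].upper()}-RT", nat_by_az[az])
    return plan
```

Running check_cidrs() before creating anything catches a typo such as a subnet outside 10.0.0.0/16 or two subnets sharing a range, which the console only reports one click at a time.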

Configure and Test VPC Security

  1. Navigate to EC2.

  2. Click Launch instance.

  3. On the AMI page, select the Amazon Linux 2 AMI with 64-bit (x86) architecture.

  4. Choose the t3.micro instance type, and click Next: Configure Instance Details.

  5. On the Configure Instance Details page, set the following values:

    • Network: labVPC
    • Subnet: privateA
    • Auto-assign Public IP: Use subnet setting (Disable)
  6. Click Next: Add Storage, and then click Next: Add Tags.

  7. On the Add Tags page, add the following tag:

    • Key: Name
    • Value: appserver
  8. Click Next: Configure Security Group.

  9. Select Create a new security group, and set the following values:

    • Security group name: appSG
    • Description: appSG
  10. Change the rule Source to bastionSG.

  11. Click Review and Launch, and then Launch.

  12. In the key pair dialog, select Choose an existing key pair.

  13. Choose the vpclab key pair.

  14. Click Launch Instances.

  15. Click View Instances, and give it a few minutes to enter the running state.

  16. In the terminal session, run the following command:

    ssh-add -k vpclab.pem
  17. In the AWS console, right-click the BastionHost instance, and click Connect.

  18. Copy the ec2-user@IP_ADDRESS portion of the connection command.

  19. In the terminal session, run the following (replacing <ec2-user@IP_ADDRESS> with what you just copied):

    ssh -A <ec2-user@IP_ADDRESS>
  20. In the AWS console, right-click the appserver instance, and click Connect.

  21. Copy the ec2-user@IP_ADDRESS portion of the connection command.

  22. In the terminal session, run the following (replacing <ec2-user@IP_ADDRESS> with what you just copied):

    ssh <ec2-user@IP_ADDRESS>
  23. Enter the following twice to exit out of both the BastionHost and app server:

    exit

Modify NACL

  1. In the AWS console, navigate to VPC.
  2. With the default NACL selected, click the Inbound Rules tab.
  3. Click Edit inbound rules.
  4. Click Add Rule, and set the following values:
    • Rule #: 50
    • Type: ALL Traffic
    • Source: Your IP address, and append /32 at the end
    • Allow / Deny: DENY
  5. Click Save.
  6. In the terminal session, try to log in to the bastion host. You won't be able to, since NACL rules are evaluated in rule-number order and your IP address matches the explicit DENY rule (#50) before it reaches the default ALLOW rule.
  7. In the AWS console, remove rule #50 to remove the explicit DENY.
  8. In the terminal, try connecting to the bastion host again, which should work this time.
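The two security layers exercised in this lab, modelled in code: the appSG rule that allows SSH only from bastionSG (step 10 of Configure and Test VPC Security) and the ordered, stateless NACL evaluation behind the rule #50 test above. This is an added example, not part of the lab; the client IP 203.0.113.10 is a constructed value standing in for "your IP address".

```python
import ipaddress

# Default NACL inbound rules: rule 100 allows everything; the implicit "*" rule
# denies whatever no numbered rule matched. NACLs are stateless and ordered.
DEFAULT_INBOUND = [
    {"rule": 100, "proto": "all", "source": "0.0.0.0/0", "action": "allow"},
]

# appSG as created in the lab: SSH allowed only from members of bastionSG
APP_SG = [{"from": 22, "to": 22, "sg": "bastionSG"}]


def nacl_decision(rules, src_ip, proto="tcp"):
    """Lowest rule number wins; fall through to the "*" deny."""
    for r in sorted(rules, key=lambda r: r["rule"]):
        if r["proto"] not in ("all", proto):
            continue
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["source"]):
            return r["action"]
    return "deny"


def add_deny_for(rules, my_ip, rule_no=50):
    """Step 4 of Modify NACL: an explicit DENY for <your IP>/32 numbered below 100."""
    deny = {"rule": rule_no, "proto": "all", "source": f"{my_ip}/32", "action": "deny"}
    return rules + [deny]


def remove_rule(rules, rule_no):
    """Step 7: removing rule 50 lets rule 100 match again."""
    return [r for r in rules if r["rule"] != rule_no]


def sg_allows(rules, port, src_ip=None, src_sg=None):
    """Security groups are allow-only and unordered: any matching rule permits,
    and a rule may name another security group instead of a CIDR."""
    for r in rules:
        if not r["from"] <= port <= r["to"]:
            continue
        if r.get("sg") and r["sg"] == src_sg:
            return True
        cidr = r.get("cidr")
        if cidr and src_ip and ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr):
            return True
    return False
```

The same DENY numbered 150 instead of 50 would never fire, because rule 100 already matched; that ordering is why the lab picks a number below 100.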

Conclusion

Congratulations on completing this hands-on lab!