AWS HANDS-ON
AWS Hands-On by SERVICE
STAGE 1
AWS Hands-On By IAM (Identity and Access Management) Service
Initially, log in to the AWS Management Console with the root credentials.
Go to AWS Services and select IAM.
Check the region selector; for IAM it should show Global.
Create individual IAM users:
Select Users.
Click Add user.
Give the user a username; there is also an option to add more users at the same time.
Select the AWS access type according to our requirement:
1. Programmatic access
2. AWS Management Console access
We can either set a custom password or use an autogenerated one.
Click Next: Permissions.
Adding users to a group and assigning roles and policies:
We can create a new group or add the user to an existing one.
To create a new group and assign the user to it:
Click Create new group.
Give a name for the group.
Attach the required policies to that group and click Create group.
We can also create roles for the user or use existing roles.
Now review all the details of the users being created and click Create user.
Now we can see the IAM access key ID and download the secret access key.
Now navigate to the Users tab and select our new user.
Now we can use the sign-in link for that user instead of the root account.
Log out of the AWS Console root user.
Log in with the newly created IAM user credentials.
AWS Hands-On By Amazon Simple Storage Service (Amazon S3) Service:
Create a bucket in Amazon S3:
Go to AWS Services.
Select S3.
Click Create bucket.
Bucket name: nCodeIT123
Region: select the region.
Click Next.
Set properties:
Select Versioning and enable it.
Click Next.
Set permissions:
Change them if required.
Next, review all the details of the S3 bucket and create it.
Add an object to the bucket:
Select the bucket that we created.
We need an image, a text file or any other file to use as an object in the S3 bucket.
Click Upload.
Click Add files, then select a .jpg or any other file.
Click Next.
Manage public permissions: Do not grant public read access to this object(s).
Click Next.
Permissions: give the required permissions.
Click Next.
Review all the information about the object and click Upload.
Now go back to the bucket that we created and we can see our uploaded image.
Select the image and right-click on it.
Select Make public to make that S3 object publicly readable.
Manage access permissions on an object:
Copy the code available at https://github.com/CloudAssessments/s3-learning-activities/blob/master/anonymous
Select S3.
Click Permissions.
Select Bucket policy.
Paste the code that we copied.
Note: here we need to put the correct ARN of our S3 object in the “Resource” field.
Now Save.
Amazon S3 Versioning and Lifecycle Policies:
Enable Versioning:
Navigate to the S3 Management Console in AWS.
Click the title of the bucket with s3bucket in its name and click the Properties tab.
Click the Versioning section and select the Enable Versioning option.
Repeat these steps to enable Versioning on the tmpfiles bucket.
Create Lifecycle Policies:
Navigate to the Management tab and ensure the Lifecycle section is highlighted.
Use the Add lifecycle rule button to begin adding lifecycle rules to match those outlined in the Introduction.
For the s3bucket bucket: “documents” lifecycle: We will set up a rule that transitions files inside any “documents” folders within the bucket to the Standard-Infrequent Access (Standard-IA) storage class 30 days after the object’s creation.
Click the Add lifecycle rule button if you haven’t already.
Give the rule an appropriate name, like documents-infreq-access.
For the filter setting, type a prefix of documents (this will apply the rule to any folders or objects whose names start with “documents”).
Click the Next button.
Check the option to configure transition for the Current version.
Click the + Add Transition link and set it to Transition to Standard-IA after 30 days.
Click the Next button. Notice the options here, but leave them unchanged. Again, click the Next button.
Ensure the desired setting of 30 days after the object’s creation date has been set (Transition to Standard-IA after 30 days).
Review the other information, then click the Save button.
Whole bucket lifecycle: Next, we will create a rule that applies to the entire bucket, archiving previous versions of objects after 5 days and deleting them after 10.
Click Add lifecycle rule and set the Rule Name to something appropriate: archive-versions.
If no filter is defined, the rule will apply to the whole bucket. Leave the filter settings empty and click the Next button.
Check the Previous versions option for the transition.
Click the + Add transition link and select Transition to Standard-IA after 30 days.
Add another transition, this time Transition to Amazon Glacier after 60 days.
Click the Next button.
Leave these settings alone and click Next again.
Verify the settings and notice the warning.
We see this because the rule we just configured applies to everything, including the documents prefix from our previous rule.
Click the Save button.
For the tmpfiles bucket: Finally, we will set up a rule that permanently deletes objects in the tmpfiles bucket.
Since versioning is enabled on this bucket, the rule must expire the current version of objects as well as permanently delete previous versions.
Navigate to the Lifecycle settings for the tmpfiles bucket.
Click Add lifecycle rule. Leave the filter setting empty so the rule applies to the entire bucket. Give it a fitting name of tmp-delete. Click Next.
Since we aren’t transitioning the objects between storage classes, leave these settings unchanged and click Next.
We want both the Current version and Previous versions to expire, so check both of those options under Configure expiration.
Configure the setting to Expire current version of object after 5 days.
Similarly, set it to Permanently delete previous versions after 5 days from becoming a previous version.
Click the Next button.
Verify the settings are correct and click the Save button.
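The three lifecycle rules above, written out as the LifecycleConfiguration document that S3 accepts (the same JSON shape `aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://rules.json` takes), with a small simulator that shows what happens to a current or previous object version of a given age. This is an added, constructed example, not code from the original walkthrough or from AWS.

```python
"""Lifecycle rules from the walkthrough as an S3 LifecycleConfiguration
document, plus a simulator for what each rule does to an object version."""
import json

# Lower-cost classes rank higher; when rules overlap S3 applies the cheaper class.
_RANK = {"STANDARD": 0, "STANDARD_IA": 1, "GLACIER": 2}

# s3bucket rules: "documents" prefix -> Standard-IA after 30 days for current
# versions; whole bucket -> previous versions to Standard-IA after 30 days and
# to Glacier after 60 days. The second rule also covers "documents" objects,
# which is what the console warning about overlapping rules refers to.
S3BUCKET_RULES = [
    {
        "ID": "documents-infreq-access",
        "Filter": {"Prefix": "documents"},
        "Status": "Enabled",
        "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"}],
    },
    {
        "ID": "archive-versions",
        "Filter": {},  # empty filter: the rule applies to the whole bucket
        "Status": "Enabled",
        "NoncurrentVersionTransitions": [
            {"NoncurrentDays": 30, "StorageClass": "STANDARD_IA"},
            {"NoncurrentDays": 60, "StorageClass": "GLACIER"},
        ],
    },
]

# tmpfiles rule: expire the current version after 5 days and permanently delete
# previous versions 5 days after they become noncurrent. Both parts are needed
# on a versioned bucket; expiring alone only adds a delete marker.
TMPFILES_RULES = [
    {
        "ID": "tmp-delete",
        "Filter": {},
        "Status": "Enabled",
        "Expiration": {"Days": 5},
        "NoncurrentVersionExpiration": {"NoncurrentDays": 5},
    }
]


def lifecycle_document(rules):
    """Serialise rules as the top-level document the S3 API expects."""
    return json.dumps({"Rules": rules}, indent=2)


def simulate(rules, key, age_days, noncurrent=False):
    """Return (storage_class, exists) for one object version.

    age_days counts from creation for a current version, or from the moment
    the version became noncurrent when noncurrent=True. Transitions from every
    matching enabled rule are applied and the cheapest class wins; a reached
    expiration removes the version (exists=False).
    """
    storage, exists = "STANDARD", True
    for rule in rules:
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if rule.get("Status") != "Enabled" or not key.startswith(prefix):
            continue
        if noncurrent:
            transitions = rule.get("NoncurrentVersionTransitions", [])
            days_key, exp = "NoncurrentDays", rule.get("NoncurrentVersionExpiration")
        else:
            transitions = rule.get("Transitions", [])
            days_key, exp = "Days", rule.get("Expiration")
        for t in transitions:
            if age_days >= t[days_key] and _RANK[t["StorageClass"]] > _RANK[storage]:
                storage = t["StorageClass"]
        if exp and age_days >= exp[days_key]:
            exists = False
    return storage, exists


if __name__ == "__main__":
    print(lifecycle_document(S3BUCKET_RULES))
    for key, age, nc in [("documents/report.pdf", 31, False),
                         ("photos/cat.jpg", 31, False),
                         ("documents/report.pdf", 61, True)]:
        print(key, age, "noncurrent" if nc else "current",
              simulate(S3BUCKET_RULES, key, age, nc))
    print("tmpfiles scratch.txt day 5:", simulate(TMPFILES_RULES, "scratch.txt", 5))
```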
Amazon S3 Permissions:
Create a CORS configuration:
We need two S3 buckets.
Click the title of the bucket that has s3bucket1 in its name.
Navigate to the Properties tab.
Click the Static Website Hosting section and copy the bucket’s Endpoint URL.
Enable Use this bucket to host a website.
Click the title of the bucket hosting the resource (with s3bucket2 in its name) and view its Permissions.
Click the Add CORS Configuration button.
We will be presented with an example configuration. Between the <AllowedOrigin> tags, delete the “*” and paste the Endpoint URL we copied, prepending http:// if it isn’t already there.
The line will resemble the following:
<AllowedOrigin>http://your-endpoint-url.amazonaws.com</AllowedOrigin>
Ensure that the <AllowedMethod> tag is set to allow GET.
The rest of the defaults are fine.
Click the Save button and close the configuration.
Scripts hosted at the Endpoint URL can now make cross-origin requests to this bucket without the browser blocking them.
Create a bucket policy:
Go to the properties of the bucket with s3bucket1 in its title.
Expand the Permissions section and click Add Bucket Policy.
In the bottom left of this window, click the AWS Policy Generator link.
Configure it with these settings, as an example:
Select Type of Policy – S3 Bucket Policy
Effect – Allow
Principal – arn:aws:iam::<account_number>:user/User-1
AWS Service – Amazon S3
Actions – ListBucket
Amazon Resource Name (ARN) – arn:aws:s3:::<bucket_name>
Click Add Statement to add it to the policy, then click Generate Policy.
We will be presented with a policy JSON document that we can copy and paste.
Copy the text, go back to AWS, and paste it into the Bucket Policy Editor.
Click the Save button on the editor to check the policy.
Any errors will be shown in red.
Once the errors have been fixed, the Save button saves and applies the policy.
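The bucket policy the generator settings above produce (ListBucket for a single IAM user), next to the kind of anonymous-read policy used in the earlier "Make public" step, with a check that tells the two apart, and the <AllowedOrigin> line from the CORS step. This is an added, constructed example, not code from the original page or from the linked repository; the account id, bucket name and endpoint are placeholders.

```python
"""Generate the walkthrough's ListBucket bucket policy, audit bucket policies
for world-readable Allow statements, and render the CORS AllowedOrigin line."""
import json

ACCOUNT_ID = "111122223333"   # placeholder account number
BUCKET = "example-s3bucket1"  # placeholder bucket name


def list_bucket_policy(account_id, user, bucket):
    """Policy equivalent to the generator settings in the walkthrough:
    S3 Bucket Policy / Allow / Principal = one IAM user / ListBucket / bucket ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowUserList",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user}"},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            }
        ],
    }


# Constructed anonymous-read policy of the kind applied in the "Make public"
# step: Principal "*" with no Condition lets anyone on the internet read every
# object under the bucket.
ANONYMOUS_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _is_anonymous(principal):
    """True for the forms that mean 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket_policy(policy):
    """Return findings for Allow statements that are world-accessible.

    A statement is flagged when its Principal is anonymous and it carries no
    Condition block (a Condition such as aws:SourceIp or aws:SourceVpce
    narrows who "*" really is, so such statements are left to human review).
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({"Sid": stmt.get("Sid", "<no sid>"),
                         "Actions": actions, "Resource": stmt.get("Resource")})
    return findings


def cors_allowed_origin(endpoint_url):
    """Render the <AllowedOrigin> line from the CORS step, prepending http://
    when the copied endpoint lacks a scheme; a bare "*" is refused."""
    origin = endpoint_url.strip()
    if origin == "*":
        raise ValueError("refusing wildcard origin; use the website endpoint URL")
    if not origin.startswith(("http://", "https://")):
        origin = "http://" + origin
    return f"<AllowedOrigin>{origin}</AllowedOrigin>"


if __name__ == "__main__":
    print(json.dumps(list_bucket_policy(ACCOUNT_ID, "User-1", BUCKET), indent=2))
    print("findings:", audit_bucket_policy(ANONYMOUS_READ_POLICY))
    print(cors_allowed_origin("your-endpoint-url.amazonaws.com"))
```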
STAGE 2
AWS Hands-On by Amazon Elastic Compute Cloud (EC2)
Create an EC2 instance:
Navigate to the EC2 Dashboard by clicking the Services dropdown menu in the navigation bar at the top of the AWS website.
Click EC2 under the Compute section to open the EC2 Dashboard.
Use the Launch Instance button to create a new instance.
Select the Amazon Linux AMI at the top of the list (if you don’t see it immediately, click the Quick Start tab on the left).
Leave the default selection of the t2.micro Instance Type and click the Next: Configure Instance Details button in the bottom right.
Take note of the Network and Subnet settings; they should remain unchanged in this Hands-On Workshop.
Ensure the Auto-assign Public IP setting is set to Enable.
All other settings can remain unchanged.
Once we’ve verified these details, click the Next: Add Storage button in the bottom right.
This page would allow us to provision additional Elastic Block Store volumes and attach them to our EC2 instance for extra storage.
For this Hands-On Workshop, we will keep the defaults and click the Next: Add Tags button in the bottom right.
We can use the default entry with the “Name” key to give our instance a fitting name.
In the “Value” column, type the name learning-ec2.
Click the Next: Configure Security Group button in the bottom right.
Near the top of the page, the Assign a security group label lets us choose to create a new security group or select an existing one.
Since an SSH rule is included by default, we can move on. (Note: in practice, it is safer to restrict the Source setting; the default allows all sources.)
Click the Review and Launch button in the bottom right.
Review the settings and click the Launch button in the bottom right.
We will receive a prompt about a key pair.
Choose Create a new key pair and type in a Key pair name of first-instance.
Use the Download button and save the file to our Downloads directory.
Finally, click the Launch Instances button to instruct AWS to launch an instance with the settings we’ve defined.
Once we see it, click the View Instances button.
Getting Started With Windows Server On Amazon EC2:
Launch an EC2 Windows Server 2012 instance:
Go to the AWS EC2 console.
Click Launch Instance.
Select Microsoft Windows Server 2012 R2 Base (ami-c951acb4) from the list.
Select the General purpose t2.small instance type.
Click Next: Configure Instance Details.
In the Network section, select an available VPC.
Select an available subnet.
Enable Auto-assign Public IP.
Keep the rest of the settings at their defaults and expand Advanced Details at the bottom left of the page.
Copy the PowerShell script from the URL https://github.com/CloudAssessments/ec2-learning-activities/blob/master/getting-started-with-windows-server-on-amazon-ec2-windows-user-data
Paste the copied script into the User data field under Advanced Details.
This script is executed only once, at instance creation time, to configure the instance.
Click Next: Add Storage.
Set the storage size to 30 GB and the Volume Type to General Purpose SSD (GP2).
Click Next: Add Tags.
Click Add Tag and give Key as Name and Value as windows-web-server-anthony.
Click Add another tag and give Key as app and Value as windows-web-application-photos.
Click Next: Configure Security Group.
Configure the security group of the instance with port 3389 and port 80:
In order to connect using RDP we need to ensure port 3389 is open to 0.0.0.0/0, and in order for our web server to serve traffic, port 80 needs to be open to 0.0.0.0/0 (as noted above for SSH, restricting the Source of the administrative rule is safer in practice).
Select Type: Custom TCP Rule, Protocol: TCP, Port Range: 3389, Source: Custom 0.0.0.0/0.
Click Add Rule and select Type: HTTP.
Click Review and Launch.
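The security-group rules from the two launches above (the default SSH rule with Source 0.0.0.0/0, and the 3389 and 80 rules just added), written in the shape `aws ec2 describe-security-groups` returns, with an audit that flags administrative ports open to the whole internet and builds the tightened rule the earlier note recommends. This is an added, constructed example, not code from the page or from AWS; the group id and the admin CIDR are placeholders.

```python
"""Audit inbound security-group rules for admin ports open to the world and
produce a copy of a rule restricted to an administrative source range."""
import ipaddress

# Ports giving interactive administrative access. HTTP (80) is expected to be
# world-reachable on a web server and is therefore not in this list.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed group mirroring the walkthrough: the default SSH rule from the
# Linux launch plus the 3389 and 80 rules added for the Windows web server.
WINDOWS_WEB_SG = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder id
    "GroupName": "windows-web-server",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def _sources(perm):
    """Yield every CIDR (IPv4 and IPv6) a permission entry allows."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only prefix-length-0 networks."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers(perm, port):
    """True if the entry's port range (or 'all traffic', protocol -1) includes port."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_group(sg):
    """Return one finding per admin port reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        for port, name in ADMIN_PORTS.items():
            if not _covers(perm, port):
                continue
            world = [c for c in _sources(perm) if _is_world(c)]
            if world:
                findings.append({"GroupId": sg["GroupId"], "Port": port,
                                 "Service": name, "Sources": world})
    return findings


def restrict_to(perm, admin_cidr):
    """Copy of a permission with its world-open sources replaced by admin_cidr.

    The CIDR is validated; a bare host address becomes a /32 (or /128) and the
    whole-internet ranges are rejected. Non-world ranges of the other address
    family are kept, world ranges of it are dropped.
    """
    net = ipaddress.ip_network(admin_cidr, strict=False)
    if net.prefixlen == 0:
        raise ValueError("replacement CIDR must not be the whole internet")
    new = dict(perm)
    if net.version == 4:
        new["IpRanges"] = [{"CidrIp": str(net)}]
        new["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", [])
                             if not _is_world(r["CidrIpv6"])]
    else:
        new["Ipv6Ranges"] = [{"CidrIpv6": str(net)}]
        new["IpRanges"] = [r for r in perm.get("IpRanges", [])
                           if not _is_world(r["CidrIp"])]
    return new


if __name__ == "__main__":
    for f in audit_security_group(WINDOWS_WEB_SG):
        print(f"{f['GroupId']}: {f['Service']} (tcp/{f['Port']}) open to {f['Sources']}")
    # placeholder admin address; the documentation range 203.0.113.0/24 is never routed
    print(restrict_to(WINDOWS_WEB_SG["IpPermissions"][1], "203.0.113.10"))
```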
Create a key pair and associate it with the instance:
While creating the EC2 instance it is important to associate a key pair, as it is needed to decrypt the Administrator password.
Click Launch, choose Create a new key pair, give the Key pair name as webserver-ncodeit, then click Download Key Pair.
Click Launch Instances.
Click View Instances.
Now we can check all the details of the created EC2 instance.
Connect to the Windows-based instance:
Go to the EC2 console, select the instance, then click Connect.
Click Choose file and select the key pair file we downloaded during instance creation.
Click Decrypt Password, then click Download Remote Desktop File.
Then give Connection name: windows-server, PC name: copy and paste the public IP from the EC2 instance description.
User name: Administrator, Password: the decrypted password.
Click Close, then double-click the saved connection.
Click Continue on the Verify Certificate prompt.
Allocate an Elastic IP address:
Use the EC2 console to allocate an Elastic IP address.
Copy the public IP from the Windows web server instance description.
Right-click the running instance, select Instance State, then Stop, and confirm with Yes, Stop.
Right-click the instance again and start it (the auto-assigned public IP changes after a stop/start).
Now select Elastic IPs under Network & Security.
Click Allocate new address, then Allocate.
Associate the Elastic IP address with the Windows instance:
In this step we will use the new Elastic IP address by associating it with the Windows EC2 instance.
Right-click the allocated address and select Associate address.
Select the instance and click Associate.
Browse to the Elastic IP in a browser to reach the web server.
Creating EC2 Amazon Machine Images (AMIs):
Add software to an instance:
First, make sure we are in the appropriate region.
Once we have launched an EC2 instance, navigate back to the list of EC2 instances (click the Instances link in the list on the left side of the page).
Ensure only the web-build instance is selected, then click the Connect button above the list to view connection details.
Copy the “Example” command near the bottom and paste it into a terminal window to connect.
Type yes at the first prompt regarding a fingerprint.
Type the following command: sudo yum update -y
Then type the following commands in succession:
sudo yum install httpd
sudo service httpd start
sudo chkconfig httpd on
Create an AMI:
Navigate back to the list of Instances on AWS.
Right-click the web-build instance and select the Create Image option.
Type an appropriate image Name of my-web-application.
For the Description, we can use my-web-application again.
Leave all of the other defaults and click the Create Image button.
Use the AMI to launch an instance:
We can use the AMI created a moment ago to launch a new instance that has the httpd software pre-installed.
Navigate to the “AMIs” section (under the “Images” group in the list on the left side of the page).
Right-click the my-web-application AMI that we created and choose Launch.
Create a Classic Elastic Load Balancer (ELB):
Create a Classic Load Balancer:
Navigate to the Load Balancers page in the EC2 section of AWS.
Click the Create Load Balancer button in the top left.
Select the Classic Load Balancer option and click Continue.
Complete all of the required steps in order to successfully create the load balancer.
Add subnets to the load balancer:
In the Select Subnets section of this page, we’ll notice that we have 2 private subnets and 2 public subnets.
Since an Internet-facing load balancer requires an Internet Gateway to function properly, we will need to select the public subnets, even though our instances are in the private subnets.
Click the + icon on the listings for both public subnets.
This will add them to the “Selected Subnets” list below.
Click the Next: Assign Security Groups button at the bottom of the page.
Keep the default settings for the security groups and click Next: Configure Health Check.
Change the Healthy threshold to 2, keep the rest at their defaults, and click Next: Add EC2 Instances.
Keep all default settings and click Next: Add Tags.
Give a Key of Name and a Value, then click Review and Create.
Attach the load balancer to an existing Auto Scaling Group:
Click the Auto Scaling Groups link under the Auto Scaling section in the navigation list on the left of the page.
Click the Edit button under the details.
In the Load Balancers setting, choose the application-load-balancer that we just created.
Click the Save button.
If we go back to the Load Balancers section, we will see the instances begin to populate as the health checks determine the status of each instance.
Introduction to the Application Load Balancer:
Create a Target Group:
Go to the AWS EC2 console and check the running instances.
We want to add these running instances to a target group.
In the EC2 console, select Target Groups under Load Balancing.
Click Create target group.
Give Target group name: NcodeIT-Group, Protocol: HTTP, Port: 80, Target type: instance, VPC: select the available one.
Health check settings:
Protocol: HTTP, Path: /
Advanced health check settings:
Port: traffic port, Healthy threshold: 3, Unhealthy threshold: 2, Timeout: 5, Interval: 10, Success codes: 200
Click Create.
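A simulation of the health check configured above (Healthy threshold 3, Unhealthy threshold 2, Timeout 5, Interval 10, Success codes 200) over a constructed series of probe results, showing when the target group marks an instance healthy or unhealthy and how long a failing instance keeps receiving traffic. This is an added, constructed example, not code from the page or from AWS; the probe series is made up.

```python
"""Simulate ALB target-group health-check state transitions for the settings
used in the walkthrough."""

HEALTH_CHECK = {"Interval": 10, "Timeout": 5, "HealthyThreshold": 3,
                "UnhealthyThreshold": 2, "SuccessCodes": "200"}

# Constructed probe results: four good answers, a 500, a timeout (None), a 503,
# then three good answers again. Probes are Interval seconds apart.
SAMPLE_PROBES = [200, 200, 200, 200, 500, None, 503, 200, 200, 200]


def success_codes(spec):
    """Expand the Success codes field: "200", "200,302" or a range "200-299"."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            codes.update(range(int(lo), int(hi) + 1))
        else:
            codes.add(int(part))
    return codes


def simulate_health(probes, cfg=HEALTH_CHECK):
    """Apply the threshold logic to probe results and return the state changes.

    Each probe is an HTTP status code, or None when the target did not answer
    within Timeout seconds. A target starts in "initial", becomes "healthy"
    after HealthyThreshold consecutive passes and "unhealthy" after
    UnhealthyThreshold consecutive failures; from "unhealthy" it needs
    HealthyThreshold consecutive passes to recover. Note that with Success
    codes 200 a redirect (302) counts as a failure.
    Returns a list of (seconds_since_first_probe, new_state).
    """
    ok = success_codes(cfg["SuccessCodes"])
    state, changes, passes, fails = "initial", [], 0, 0
    for i, code in enumerate(probes):
        if code in ok:
            passes, fails = passes + 1, 0
        else:
            passes, fails = 0, fails + 1
        t = i * cfg["Interval"]
        if state != "healthy" and passes >= cfg["HealthyThreshold"]:
            state = "healthy"
            changes.append((t, state))
        elif state != "unhealthy" and fails >= cfg["UnhealthyThreshold"]:
            state = "unhealthy"
            changes.append((t, state))
    return changes


def worst_case_detection_seconds(cfg=HEALTH_CHECK):
    """Approximate longest time a dead target stays in service after its last
    good probe: UnhealthyThreshold further probes one Interval apart, the last
    of which must also wait out its Timeout before the verdict."""
    return cfg["Interval"] * cfg["UnhealthyThreshold"] + cfg["Timeout"]


if __name__ == "__main__":
    for t, state in simulate_health(SAMPLE_PROBES):
        print(f"t={t:3d}s -> {state}")
    print("worst-case seconds to take a dead target out of service:",
          worst_case_detection_seconds())
```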
Associate the Target Group with an Auto Scaling Group:
Now go back to the EC2 console and select Auto Scaling Groups under the AUTO SCALING section.
Dismiss any error that appears.
Click the existing Auto Scaling Group to view its properties.
Select Details, click Edit, set the Target Groups field to ca-tg and click Save.
If we open the properties of our new target group and click the Instances tab, we will see the instances that were created by the Auto Scaling Group.
Create an Application Load Balancer:
In the EC2 console, go to Load Balancers under Load Balancing and click Create Load Balancer.
Select Application Load Balancer and continue to the next step.
Type a name of lab-load-balancer and ensure that it’s internet-facing (we want to be able to view the web page hosted by the instances).
For the VPC setting, select the VPC that is available.
Select both availability zones and choose the public subnets in each (since it’s internet-facing).
Continue on to the next step.
We can ignore the warning about HTTPS for this session.
Continue with the next step to Configure Security Groups.
Select the Security Group created when the lab started (not the default).
Click Next: Configure Routing.
Choose Existing target group and select our group, NcodeIT-Group.
Leave all other options unchanged and continue through the rest of the steps.
Once we’re finished, we will see the new load balancer being provisioned in the Load Balancers section.
Once the Status changes to active, we can navigate to its DNS Name in our browsers.
Auto Scaling and High Availability :
Create a simple “scale-up” policy which adds 1 instance when a CloudWatch alarm is triggered :
In the details pane of the Auto Scaling Group, click the Scaling Policies tab.
Click the Add Policy button.
Type in an appropriate Name of “scale-up”.
Click the Create new alarm link to the right of the Execute policy when setting.
Let’s create an alarm based on the example described above.
Uncheck the Send a notification to setting for this session.
For the “Whenever” setting, we will use the Average of CPU Utilization.
“Is” should be set to >= 70.
“For at least” 1 consecutive period(s) of 5 Minutes.
The default Name of alarm will suffice for this lab, so click the Create Alarm button to continue.
Let’s finish configuring this policy:
Set “Take the action” to Add 1 instances when 70 <= CPUUtilization < +infinity
For this session, we will be creating a simple scaling policy.
Click the Create a simple scaling policy link at the bottom.
Define an amount of time the policy should wait before deciding to add another instance:
Set “And then wait” to 300 seconds.
We are done configuring this particular policy, so click the Create button to create and add it.
Create a simple “scale-down” policy which removes 1 percent of the group when a CloudWatch alarm is triggered :
Click the Add policy button.
Type an appropriate name of “scale-down”.
Click the Create new alarm link.
Uncheck the notification option at the top.
Configure the settings:
“Whenever”: Average of CPU Utilization
“Is”: <= 40 Percent
“For at least” 1 consecutive period(s) of 5 Minutes
The default name is fine, so click the Create Alarm button.
Click the Create a simple scaling policy link at the bottom.
We want to set the Take the action option to Remove 1 percent of group.
(AWS rounds a percentage change that lands between 0 and -1 to -1, so on a small group this still removes one whole instance per alarm.)
For the And then wait setting, type 200 seconds.
Click the Create button to create and add this scaling policy.
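The following Python is an added example, not part of the original lab, that simulates how the two simple scaling policies above behave against a constructed series of five-minute average-CPU samples. It encodes the lab's thresholds (>= 70 adds one instance, <= 40 removes one percent of the group), the two cooldowns (300 and 200 seconds) and the AWS rounding rule for percentage changes, which is why a one-percent step still removes a whole instance from a small group. The timing model (one sample per period, the alarm in ALARM on every breaching period, a group size between 1 and 6) is an assumption made for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SimplePolicy:
    name: str
    adjustment_type: str   # "ChangeInCapacity" or "PercentChangeInCapacity"
    adjustment: int        # +1 instance, or -1 percent, as configured in the lab
    cooldown: int          # "And then wait" seconds before the group acts again

    def delta(self, capacity):
        """Instances to add (positive) or remove (negative) at this capacity."""
        if self.adjustment_type == "ChangeInCapacity":
            return self.adjustment
        raw = capacity * self.adjustment / 100.0
        # AWS rounding for PercentChangeInCapacity: a result between 0 and 1
        # becomes 1, between -1 and 0 becomes -1, anything larger is rounded
        # toward zero. So "remove 1 percent" of a 2-instance group removes 1.
        if 0 < abs(raw) < 1:
            return 1 if raw > 0 else -1
        return math.trunc(raw)


SCALE_UP = SimplePolicy("scale-up", "ChangeInCapacity", 1, 300)
SCALE_DOWN = SimplePolicy("scale-down", "PercentChangeInCapacity", -1, 200)


def simulate(cpu_samples, capacity, min_size=1, max_size=6, period=300):
    """Apply the two lab policies to a series of average-CPU samples and
    return the group capacity after each period.

    Assumptions: one sample per period, the alarm is in ALARM for every
    period that breaches its threshold (>= 70 or <= 40), and while the
    group is in cooldown from its last action no policy fires.
    """
    history = []
    cooldown_until = 0
    now = 0
    for cpu in cpu_samples:
        now += period
        policy = SCALE_UP if cpu >= 70 else SCALE_DOWN if cpu <= 40 else None
        if policy is not None and now >= cooldown_until:
            capacity = max(min_size, min(max_size, capacity + policy.delta(capacity)))
            cooldown_until = now + policy.cooldown
        history.append(capacity)
    return history


if __name__ == "__main__":
    # Constructed sample: two hot periods, then three idle ones, starting at 2 instances.
    print(simulate([80, 80, 30, 30, 30], 2))   # [3, 4, 3, 2, 1]
```

With the lab's 300-second cooldown and 5-minute alarm period the cooldown never blocks a scale-up, so the cooldown only shows its effect when samples arrive faster than the cooldown, as the `period` argument lets you try.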
Working with EBS :
Create an EBS Volume, attach the EBS Volume to the instance and mount the EBS Volume at /data :
Navigate to the EC2 console and click on the running instance; note its Availability Zone, since a volume can only be attached to an instance in the same AZ.
Select Volumes under Elastic Block Store in the EC2 console.
Click on Create Volume and give details as follows:
Volume Type: General Purpose SSD (gp2), Size: 10 GiB (the minimum size for gp2 is 1 GiB, so a size in KB is not valid), Availability Zone: the same one as the instance.
Keep all other fields at their defaults and click on Create.
Now right-click on the new volume, select Attach Volume, and select the instance.
Keep the other fields at their defaults (the device name defaults to /dev/sdf, which the guest sees as /dev/xvdf).
Now go to the EC2 console, click on Instances and copy the EC2 instance IP address.
SSH in from a command-line terminal, for example ssh -i <keypair.pem> User-1@<IP of Instance>.
Use the lsblk command to check whether the volume is attached. On Xen-based instance types it appears as /dev/xvdf; on Nitro-based instance types the same volume appears as an NVMe device such as /dev/nvme1n1, so use the name lsblk shows.
Confirm the device has no existing filesystem before formatting (sudo file -s /dev/xvdf should print “data”), because mkfs destroys whatever is on the disk.
To add a file system to this EBS Volume use the command sudo mkfs -t ext4 /dev/xvdf
sudo mkdir /data
sudo mount /dev/xvdf /data
cd /data
Create a file with sudo touch hello.txt and check the list of files with ll (ls -l).
The mount does not survive a reboot unless it is added to /etc/fstab, preferably by UUID (sudo blkid /dev/xvdf shows it) and with the nofail option so the instance still boots if the volume is missing.
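The shell script below is an added example, not part of the original lab, that puts the checks a practitioner would want around the mkfs/mount steps above. It parses the output of lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT to find disks that have neither a filesystem nor partitions (so a Nitro instance's /dev/nvme1n1 is found as readily as /dev/xvdf), refuses to format a device that already carries a filesystem, and persists the mount by UUID. The lsblk sample it ships with is constructed; the device and mount point names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab. Guards around formatting and
# mounting a newly attached EBS volume on a Linux guest. Assumes util-linux
# (lsblk, blkid) and sudo. Device names are assumptions: the console's
# /dev/sdf shows up as /dev/xvdf on Xen instance types and as /dev/nvme1n1
# on Nitro instance types, which is why we ask lsblk instead of guessing.
set -eu

# find_blank_disks: read `lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT` lines on
# stdin and print the disks that carry neither a filesystem nor partitions,
# i.e. the only devices it is safe to mkfs.
find_blank_disks() {
    awk '
    {
        name = ""; type = ""; fstype = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            val = kv[2]; gsub(/"/, "", val)
            if (kv[1] == "NAME") name = val
            else if (kv[1] == "TYPE") type = val
            else if (kv[1] == "FSTYPE") fstype = val
        }
        if (type == "disk" && fstype == "") blank[name] = 1
        if (type == "part") {               # xvda1 -> xvda, nvme0n1p1 -> nvme0n1
            parent = name; sub(/p?[0-9]+$/, "", parent); haspart[parent] = 1
        }
    }
    END { for (d in blank) if (!(d in haspart)) print d }
    ' | sort
}

# fstab_entry UUID MOUNTPOINT: mount by UUID (device names can change between
# reboots) with nofail so a missing volume does not stop the instance booting.
fstab_entry() {
    printf 'UUID=%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# mount_ebs_volume DEVICE MOUNTPOINT: the mkfs/mount steps from the lab, but
# refusing to format anything that already has a filesystem, and making the
# mount persistent. Not invoked here; run it as: mount_ebs_volume /dev/xvdf /data
mount_ebs_volume() {
    dev="$1"; mnt="$2"
    if [ -n "$(sudo blkid -s TYPE -o value "$dev" 2>/dev/null || true)" ]; then
        echo "refusing to format $dev: it already has a filesystem" >&2
        return 1
    fi
    sudo mkfs -t ext4 "$dev"
    sudo mkdir -p "$mnt"
    sudo mount "$dev" "$mnt"
    fstab_entry "$(sudo blkid -s UUID -o value "$dev")" "$mnt" | sudo tee -a /etc/fstab >/dev/null
}

# Constructed lsblk output for a Xen and a Nitro instance, each with one
# root disk and one freshly attached, still empty, volume.
sample_lsblk() {
    cat <<'EOF'
NAME="xvda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="xvda1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/"
NAME="xvdf" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="xvdg" TYPE="disk" FSTYPE="ext4" MOUNTPOINT=""
NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/"
NAME="nvme1n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
EOF
}

sample_lsblk | find_blank_disks    # prints: nvme1n1 and xvdf
```

On a real instance replace sample_lsblk with lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT; the already formatted xvdg in the sample is exactly the case mkfs must never be pointed at.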
STAGE 3
AWS Hands-On by Amazon Virtual Private Cloud (VPC)
Create a VPC :
Navigate to the VPC Dashboard in AWS.
Click the Your VPCs link in the navigation pane to the left of the page.
Click the Create VPC button at the top of the list.
Set the Name tag to my-new-vpc
Define the IPv4 CIDR block to be 10.0.0.0/16 (pick a range that will not collide with networks you may later peer or connect to; overlapping CIDRs cannot be peered)
Leave the IPv6 CIDR block and Tenancy settings unchanged.
Click the Yes, Create button.
Create subnets inside of a VPC :
Create the private subnet:
Click the Subnets link on the left of the page.
Use the Create Subnet button to get started.
Since this is a subnet we intend to keep private, type a Name tag of my-private-subnet.
Set the VPC to the new one we created (identified by the my-new-vpc name we gave it).
For the Availability Zone, we can choose an appropriate one (this lab uses us-east-1a).
Set the IPv4 CIDR block to 10.0.1.0/24
Click the Yes, Create button.
Now we will create the subnet we want to be public.
Click the Create Subnet button.
Set the Name tag to my-public-subnet so that we can easily identify which subnet we intend to be public (we will route it to the Internet Gateway later in the lab).
Set the VPC to my-new-vpc
Choose the same availability zone as the private subnet: us-east-1a
Set the IPv4 CIDR block to 10.0.2.0/24
Click Yes, Create.
Now we can see the list of subnets we created. Note that the subnet we named my-public-subnet is still effectively private: a subnet is public only when its route table sends 0.0.0.0/0 to an Internet Gateway, which we set up later.
Instances in the public subnet also need a public IPv4 address to be reachable from the internet, so enable auto-assign on that subnet only (never on the private one).
Select my-public-subnet, click Subnet Actions at the top and select Modify auto-assign IP Settings.
Enable auto-assign public IPv4 address, then SAVE.
Create an Internet Gateway :
Let’s create an Internet Gateway that we can attach to the VPC and route the public subnet through to make it public.
Click the Internet Gateways link on the left of the page.
Click the Create Internet Gateway button.
Type a Name tag of my-internet-gateway to fit the naming used for the other resources.
Use the Yes, Create button to create the Internet Gateway.
Now we can see the list of gateways and observe that the state of the new internet gateway is detached.
Now attach this gateway to the VPC: click Attach to VPC.
Select the VPC that we created above and click Yes, Attach.
Associate the Internet Gateway to a Route Table :
We will now configure a new Route Table for the Internet Gateway and explicitly associate it with the subnet we want to be public, leaving the main route table (and the private subnet that implicitly uses it) without an internet route.
Navigate to the Route Tables page.
Click the Create Route Table button.
Type a Name tag of my-route-table
Set the VPC to my-new-vpc.
Click the Yes, Create button.
We’ll see the new Route Table in the list.
It should be selected by default; we’ll configure it further using the pane at the bottom of the page.
Select the Route Table that we created.
Let’s add a new route for the Internet Gateway:
Click the Routes tab.
Click the Edit button.
Click the Add another route button to add an entry.
For the Destination, type 0.0.0.0/0 (this represents any/every IP address not matched by a more specific route, such as the VPC's own local route).
For the Target, select the Internet Gateway we created a moment ago (we named it my-internet-gateway).
Click the Save button.
We can now explicitly associate this Route Table with the subnet we want to be public :
Navigate to the Subnet Associations tab.
Click the Edit button.
Check the Associate box beside the subnet we called my-public-subnet.
Click the Save button.
Since the route table now sends 0.0.0.0/0 to the internet gateway and is associated with my-public-subnet, that subnet is now actually public. my-private-subnet stays on the main route table, which has only the local route, so nothing in it can reach, or be reached from, the internet.
Creating and Testing a Peering Connection with a Private VPC :
Create a VPC :
The environment already has one VPC. Now we need to create a second VPC so there are two that can be peered together.
Navigate to the VPC page
Click “Create VPC”
Give it a name and a CIDR block that does not overlap the first VPC (use 10.99.0.0/16); peering is only possible between VPCs with non-overlapping CIDRs.
Click “Yes, Create”
Create a Public Subnet in the new VPC :
Create a public subnet in the VPC we just created.
Choose “Subnets” in the left column
Click “Create Subnet”
Give it a name, choose the new VPC, and add a CIDR block that is part of the new VPC's CIDR (for example 10.99.0.0/24; not 10.0.0.0/24, which belongs to the first VPC)
Click “Yes, Create”
Create a VPC Peering Connection :
Create a VPC peering connection between the two VPCs in the account (and make sure the connection is accepted/active).
Creating the Peering Connection :
Choose “Peering Connections” in the left column
Click “Create Peering Connection”
Supply it a name tag of peering1
Use our 2nd VPC as the “Requester”
Use the 1st VPC as the “Accepter”
Click “Create Peering Connection”
Click “OK”
Check the box beside our new Peering Connection
Click “Actions”
Choose “Accept Request”
Click “Yes, Accept”, then “Close”
Setup the necessary routing :
Choose “Route Tables” in the left column
Check the box next to the PublicRT in the first VPC
Edit the route table to add a route to our 2nd VPC CIDR, using the Peering Connection as the Target:
Destination: 10.99.0.0/16, Target: the peering connection (its ID starts with pcx-)
Click “Save”
Check the box next to our 2nd VPC’s route table
Edit the route table to add a route to the 1st VPC CIDR (10.0.0.0/16) using the Peering Connection as the Target
Click “Save”
In that same route table, associate the subnet from our new VPC with the table
Click “Save”
A peering connection is not transitive and carries no filtering of its own: both route tables need a route, and the security groups and NACLs on each side still decide which traffic actually crosses it.
Create two EC2 instances, one in each VPC, and test the connection using SSH :
Create two EC2 instances (one in each VPC). These instances will be used to test the VPC peering connection.
For the first instance, select VPC1 (the original VPC) and one of its public (DMZ) subnets, and enable Auto-assign Public IP; this is the instance we reach from the internet.
Create and download a new key pair (peeringkey.pem).
For the second instance, select VPC2 (the new VPC) and its subnet, and disable Auto-assign Public IP; it is reachable only by private IP across the peering connection.
Use the same key pair as the first instance.
Connect across the Peering Connection :
Copy the public IP of the instance in the 1st VPC
Go to the terminal
Change the permissions on the downloaded key (chmod 400 peeringkey.pem)
Set up SSH agent forwarding, using the following commands:
$ ssh-agent bash
$ ssh-add peeringkey.pem
$ ssh -A ec2-user@<public IP of the instance in VPC1>
Go to the EC2 console and copy the private IP of the instance in the 2nd VPC
Back in the terminal, type the following:
$ ssh ec2-user@<private IP of the instance in VPC2>
We have just connected across the peering connection using a private IP, without ever copying the private key onto the first instance.
Agent forwarding (-A) lets anyone with root on the first instance use our key for as long as the session is open; a jump host via ssh -J ec2-user@<public IP of VPC1 instance> ec2-user@<private IP of VPC2 instance> (ProxyJump) makes the same hop without exposing the agent.
Creating a NAT Gateway :
Create 2 new instances: one in the private subnet (disable Auto-assign Public IP) and one in the public subnet, keeping all the other default settings, with a new SSH key pair.
Now connect to the public-subnet instance through the terminal, and from there hop to the private instance, using the commands below:
$ cd Downloads
$ ls <keypair.pem>
$ chmod 400 <keypair.pem>
$ ssh-add <keypair.pem>
$ ssh -A ec2-user@<public IP of the instance in the public subnet>
Go to the EC2 console and copy the private IP of the instance in the private subnet
Back in the terminal, type the following:
$ ssh ec2-user@<private IP of the instance in the private subnet>
We have just connected to the private instance using its private IP.
$ sudo yum update
Here we see a timeout error: the private instance has no public IP and its subnet's route table has no route to an Internet Gateway, so it cannot reach the internet, neither for package updates nor for calls to AWS APIs.
To fix this we give the private subnet a route to the internet through a NAT Gateway, which allows outbound connections from the private instance while still accepting no inbound connections from the internet.
Navigate to the VPC Dashboard in AWS.
Select NAT Gateways and click Create NAT Gateway.
Create the proper routes in route tables :
We want to place this new NAT Gateway in the Public subnet so it can reach the internet through the Internet Gateway.
Click the text field for the Subnet setting. Select the subnet titled Public.
Use the Create New EIP button to create and select a new Elastic IP.
Create the NAT Gateway.
Click the Edit Route Tables button.
Select the Route Table associated with our Private subnet.
Note: The private subnet was not explicitly associated with the Route Table containing the Internet Gateway route, therefore it is implicitly associated with the Main route table.
Click on the Routes tab in the settings pane at the bottom of the page.
Click Edit.
Add another route with a Destination of 0.0.0.0/0 (signifying any/all IP addresses).
Choose the NAT Gateway we just created as the Target (identified by the nat- prefix).
Click the Save button.
Go back to the terminal and re-run sudo yum update on the private instance once the NAT Gateway is available; it now succeeds, while the instance still has no public IP and accepts no inbound connections from the internet.
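The Python below is an added example, not part of the original lab, modelling the route tables from the Internet Gateway, peering and NAT Gateway steps above with longest-prefix matching. It shows why the private subnet times out before the NAT route exists, why a /16 peering route wins over the 0.0.0.0/0 internet route, why a peering connection needs a route in both tables, and what a blackhole route left behind by a deleted NAT Gateway does. Target names such as igw, nat and pcx-peering1 are placeholders, not real resource IDs, and the addresses used are from the documentation ranges.

```python
import ipaddress


class RouteTable:
    """Minimal model of a VPC route table. Every table starts with the VPC's
    own CIDR routed 'local'; lookups use longest-prefix match, which is why
    a /16 peering route beats the 0.0.0.0/0 internet route."""

    def __init__(self, name, vpc_cidr):
        self.name = name
        self.routes = {ipaddress.ip_network(vpc_cidr): "local"}

    def add_route(self, destination, target):
        self.routes[ipaddress.ip_network(destination)] = target
        return self

    def lookup(self, dst_ip):
        """Target for dst_ip, or None when the packet is dropped: either no
        route matches, or the best match is a blackhole (a route whose
        target, e.g. a NAT Gateway, has been deleted). The client sees a timeout."""
        ip = ipaddress.ip_address(dst_ip)
        hits = [(net, tgt) for net, tgt in self.routes.items() if ip in net]
        if not hits:
            return None
        target = max(hits, key=lambda h: h[0].prefixlen)[1]
        return None if target == "blackhole" else target


def round_trip(src_table, src_ip, dst_table, dst_ip):
    """Two instances can talk only if each side's table has a route toward
    the other; a forgotten return route is the usual reason a peering
    'does not work' even though the connection shows as active."""
    return src_table.lookup(dst_ip) is not None and dst_table.lookup(src_ip) is not None


def lab_tables():
    """The tables from this lab with the peering and NAT steps applied.
    Target IDs are placeholders (assumptions), not real AWS resource IDs."""
    public_rt = (RouteTable("my-route-table (my-public-subnet)", "10.0.0.0/16")
                 .add_route("0.0.0.0/0", "igw")
                 .add_route("10.99.0.0/16", "pcx-peering1"))
    main_rt = RouteTable("main (my-private-subnet, before NAT)", "10.0.0.0/16")
    main_rt_nat = (RouteTable("main (my-private-subnet, after NAT)", "10.0.0.0/16")
                   .add_route("0.0.0.0/0", "nat"))
    vpc2_rt = (RouteTable("VPC2 route table", "10.99.0.0/16")
               .add_route("10.0.0.0/16", "pcx-peering1"))
    return public_rt, main_rt, main_rt_nat, vpc2_rt


if __name__ == "__main__":
    public_rt, main_rt, main_rt_nat, vpc2_rt = lab_tables()
    for table in (public_rt, main_rt, main_rt_nat, vpc2_rt):
        for dst in ("198.51.100.10", "10.0.2.10", "10.99.0.5"):
            print(f"{table.name:45} -> {dst:15} via {table.lookup(dst)}")
```

Note that VPC2's table sends 198.51.100.10 nowhere: the peering gives VPC2 a path to VPC1, not to VPC1's Internet or NAT Gateway, because peering is not transitive.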
AWS Security Essentials – VPC Endpoints and Securing S3 :
For this we need an S3 bucket with objects and 2 instances, one with a public IP and another without a public IP.
First of all, check the permissions of the owner account on the S3 bucket objects.
Go to Properties, enable Versioning and SAVE.
Click on Default encryption, enable AWS-KMS, select the key aws/s3 and save.
Now check under Overview whether the files in the bucket are encrypted; here we observe that the existing files are not encrypted.
Default encryption applies only to objects uploaded after it is enabled; saving the setting again does not touch existing objects. To encrypt the existing files, copy each object onto itself with SSE-KMS requested (for example aws s3 cp s3://<bucket>/<key> s3://<bucket>/<key> --sse aws:kms), which writes a new encrypted version of the object, or re-upload them.
Go back to Properties, check that Versioning is enabled, then click on Static website hosting.
Select Use this bucket to host a website, set the index document to index.html and the error document to error.html, and SAVE.
Make only the index and error files public; leave the rest of the bucket private.
Installing CLI in instance having only private IP :
Go to the EC2 console, get the public IP of the public instance and connect to it from the command line.
From there, ssh to the private IP of the other instance.
Now go to the VPC Dashboard, click on Subnets and confirm that the subnet of the private instance is the one whose route table points to the NAT Gateway; without that route the CLI cannot reach the S3 API.
Back on the command line, run “aws configure” and give an AWS Access Key ID and Secret Access Key, and the default region name.
(Keys typed into aws configure are stored in plain text in ~/.aws/credentials; attaching an IAM role to the instance as an instance profile avoids putting long-lived keys on the box and is the preferred approach outside a lab.)
$ aws s3 ls
$ aws s3 ls s3://<bucket-name>
To show that the S3 traffic currently leaves through the NAT Gateway and the public internet, delete the NAT Gateway.
Go to VPC, select the NAT Gateway, click on Actions, Delete NAT gateway.
Also remove the 0.0.0.0/0 route that targets the NAT Gateway from the private subnet's route table (under Routes of that route table); a route to a deleted gateway stays in the table as a blackhole.
Go back to the terminal and use the command below:
$ aws s3 ls
The command now fails, because the private instance has no path to the S3 API at all; the next step restores access without reopening a path to the internet.
Creating VPC End points for S3 :
Go to the VPC Console and select Endpoints.
Click Create Endpoint and fill in the fields: Service category: AWS Services, Service Name: the S3 gateway endpoint (com.amazonaws.<region>.s3), VPC: the available one.
Configure Route tables: select the route table of the private subnet.
Click Create Endpoint.
Now we can check the created endpoint in the Route Tables section of the VPC console: the private route table gains a route for the S3 prefix list (pl-...) with the endpoint (vpce-...) as its target.
Go to the command line and use “aws s3 ls” to see the list of buckets.
We can now see the list of buckets without the NAT Gateway, because the request travels to S3 over the VPC endpoint on the AWS network rather than over the internet. Because the request now carries the endpoint ID, the bucket policy can also restrict access to requests that arrive through this endpoint (aws:sourceVpce), which is what turns the private path into an access control.
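As an added example that is not part of the original lab, the Python below builds the bucket policy that turns the endpoint into an access control (deny everything not arriving through the VPC endpoint, and deny uploads that do not request SSE-KMS, which ties back to the default-encryption step earlier) and checks it against sample requests with a reduced model of IAM evaluation: an explicit Deny in any matching statement wins, otherwise a matching Allow is needed. The bucket name, the endpoint ID and the user's Allow statement are placeholders; principal matching is not modelled and only the two condition operators the policy uses are implemented.

```python
import json

BUCKET = "my-lab-bucket"                 # assumption: placeholder bucket name
ENDPOINT_ID = "vpce-0123456789abcdef0"   # assumption: placeholder gateway endpoint ID


def bucket_policy(bucket, vpce_id):
    """Bucket policy with two explicit Deny statements. An explicit Deny beats
    any Allow granted elsewhere (IAM user policy, ACL, other statements)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # every request must carry the endpoint's ID; internet and
                # NAT-gateway traffic has no aws:sourceVpce key at all
                "Sid": "OnlyFromVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
            {   # uploads must ask for SSE-KMS explicitly
                "Sid": "RequireKmsOnUpload",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }


# Constructed stand-in for the IAM user's own policy (the keys given to aws configure).
USER_POLICY = [{"Sid": "UserAllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]


def _matches(pattern, value):
    """Action/Resource matching: exact string, '*', or a trailing-'*' prefix; a list matches any."""
    for p in pattern if isinstance(pattern, list) else [pattern]:
        if p == value or p == "*" or (p.endswith("*") and value.startswith(p[:-1])):
            return True
    return False


def _condition_holds(condition, ctx):
    """StringEquals / StringNotEquals only. A key missing from the request
    never equals the expected value, so StringNotEquals holds and the Deny
    applies; that is IAM's behaviour for negated operators and the reason a
    request without aws:sourceVpce is denied."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            equal = ctx.get(key) == expected
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True


def evaluate(statements, ctx):
    """Reduced IAM evaluation over the combined statements: a matching explicit
    Deny wins, then a matching Allow, otherwise implicit deny. ctx holds
    'action', 'resource' and any condition keys present on the request."""
    allowed = False
    for st in statements:
        if not _matches(st["Action"], ctx["action"]) or not _matches(st["Resource"], ctx["resource"]):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "explicit deny: " + st["Sid"]
        allowed = True
    return "allow" if allowed else "implicit deny"


def decide(ctx, bucket=BUCKET, vpce_id=ENDPOINT_ID):
    """Decision for one request under the bucket policy plus the user's policy."""
    return evaluate(bucket_policy(bucket, vpce_id)["Statement"] + USER_POLICY, ctx)


def policy_json(bucket=BUCKET, vpce_id=ENDPOINT_ID):
    """The document to paste under the bucket's Permissions, Bucket policy."""
    return json.dumps(bucket_policy(bucket, vpce_id), indent=2)


if __name__ == "__main__":
    arn = f"arn:aws:s3:::{BUCKET}"
    print(decide({"action": "s3:ListBucket", "resource": arn, "aws:sourceVpce": ENDPOINT_ID}))  # allow
    print(decide({"action": "s3:ListBucket", "resource": arn}))  # explicit deny: OnlyFromVpcEndpoint
    print(policy_json())
```

The first statement also shuts out the console and the CLI from outside the VPC, bucket owner included, so test it from the endpoint before applying it; the account's root user can still delete a bucket policy that has locked everyone out. The second statement deliberately denies uploads that omit the encryption header even though default encryption would have encrypted them, so clients must request aws:kms explicitly.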
Security Groups and Network ACLs :
Troubleshoot HTTP issues with the problematic NACL :
Go to EC2 and try to reach the instance's public IP in the browser (HTTP) as well as over SSH from the command line; neither works.
Before changing anything, look at what is in place. Click the security group, then Inbound rules: there is a rule for port 80 but none for port 22. Check the Outbound rules as well.
Two layers stand between the internet and the instance, the subnet's Network ACL and the instance's Security Group, so we check them in the order traffic meets them and fix each in turn.
So we will first check the settings of the Network ACL since it is the “first destination” for traffic inbound to the instance.
Navigate to the VPC Dashboard and click the Network ACLs link on the left.
Since HTTP isn’t working, check the Inbound Rules that apply to the HTTP type.
Notice there are both ALLOW and DENY rules for HTTP. These rules are applied in order of their Rule #, and the first rule that matches the traffic decides; later rules are not consulted.
Since the number of the DENY is lower than the ALLOW, HTTP is denied before the ALLOW is ever reached.
We could technically fix this by changing the rule numbers so that the ALLOW comes before the DENY, but the best solution is to remove the DENY rule (since the later rule could never be applied and only invites confusion).
Click the Edit button and delete the rule that is DENYing HTTP.
Save the changes.
Copy/paste the public DNS of the instance into a new tab to see if HTTP is working now. (Find the Public DNS of the instance from the EC2 Dashboard in the Instances section.)
Troubleshoot SSH issues with the problematic NACL :
Now consider SSH, which is also broken.
Notice the last rule in the list. Its rule number (*) is considered larger than any other number, therefore denying any inbound traffic that isn’t explicitly allowed.
If we want SSH to make it to the instance, we must add an inbound rule to allow it.
Click the Edit button and add a new rule:
Type: SSH
Source: 0.0.0.0/0 (this is the CIDR block for any/all IPs; for anything other than a lab, use your own address range, for example <your-ip>/32, so that port 22 is not open to the whole internet)
Save the changes.
Try to connect with SSH. Copy the public DNS of the instance from the EC2 Dashboard and run this command in Terminal: ssh ec2-user@<paste-the-public-dns>
Unfortunately, it will fail to connect. In practice, we would also need to ensure our Outbound Rules allow the return traffic on the ephemeral ports (1024-65535), since Network ACLs are stateless, but we can assume they are correct for this lab in particular. We now know that our Network ACL has been configured properly for SSH, but we need to check the Security Group configuration since SSH still doesn’t work.
Troubleshoot SSH issues with the problematic Security Group :
In the VPC Management Console, navigate to the Security Groups section.
Click on the Security Group to view it’s properties and navigate to the Inbound Rules tab.
There is no inbound rule for SSH, hence the broken behavior.
In the VPC Management Console, navigate to the Security Groups section.
Click on the Security Group to view it’s properties and navigate to the Inbound Rules tab.
There is no inbound rule for SSH, hence the broken behavior.
Add a new Inbound Rule:
Type: SSH
Source: 0.0.0.0/0 (Notice that we can add security groups as the source, not only an IP range)
Save the changes.
Since Security Groups are stateless, we know that return traffic for SSH will be allowed automatically. Now that we have ensured that both the Network ACL and Security Group have been configured to allow SSH, we can try to connect again.
Type: SSH
Source: 0.0.0.0/0 (Notice that we can add security groups as the source, not only an IP range)
Save the changes.
Since Security Groups are stateless, we know that return traffic for SSH will be allowed automatically. Now that we have ensured that both the Network ACL and Security Group have been configured to allow SSH, we can try to connect again.
Open Terminal and re-run the SSH command: ssh ec2-user@<instance-public-hostname>
Type yes to accept the fingerprint.
Use the password 123456 to confirm that you are able to log in successfully.
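An offline model of the two checks this lab walks through, added here as an example and not part of the original lab: Network ACL entries are evaluated by ascending rule number, first match wins, and the reply traffic needs its own outbound allow because NACLs are stateless, while Security Group rules are allow-only and stateful. The rule dictionaries follow the EC2 API field names; the client IP, rule numbers and the rule sets themselves are constructed.

```python
import ipaddress

EPHEMERAL = (1024, 65535)  # client-side ports the SSH reply is sent back to

def _match(cidr, ip, proto, lo, hi, port):
    """Does one rule's protocol, port range and CIDR cover this packet?"""
    if proto not in ("-1", "tcp"):
        return False
    if proto == "tcp" and not (lo <= port <= hi):
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def nacl_allows(entries, port, ip):
    """NACL semantics: ascending rule number, first match wins, implicit deny at the end."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if _match(e["CidrBlock"], ip, e["Protocol"], pr["From"], pr["To"], port):
            return e["RuleAction"] == "allow"
    return False

def sg_allows(permissions, port, ip):
    """Security Group semantics: allow rules only, any matching rule permits."""
    return any(_match(r["CidrIp"], ip, p["IpProtocol"],
                      p.get("FromPort", 0), p.get("ToPort", 65535), port)
               for p in permissions for r in p["IpRanges"])

def ssh_findings(nacl_in, nacl_out, sg_in, client_ip="203.0.113.10"):
    """Reasons SSH from client_ip would fail; an empty list means it connects."""
    findings = []
    if not nacl_allows(nacl_in, 22, client_ip):
        findings.append("NACL has no inbound allow for TCP/22")
    # NACLs are stateless: the reply to the client's ephemeral port needs its own outbound allow
    if not all(nacl_allows(nacl_out, p, client_ip) for p in EPHEMERAL):
        findings.append("NACL outbound does not cover ephemeral ports 1024-65535")
    if not sg_allows(sg_in, 22, client_ip):
        findings.append("Security Group has no inbound rule for SSH")
    # Security Groups are stateful, so the reply needs no outbound rule of its own
    return findings

# Constructed rules (assumed values, not from the lab) in the EC2 API's field shape
SSH_IN = {"RuleNumber": 100, "Protocol": "tcp", "PortRange": {"From": 22, "To": 22},
          "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"}
EPH_OUT = {"RuleNumber": 100, "Protocol": "tcp", "PortRange": {"From": 1024, "To": 65535},
           "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"}
SG_SSH = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

LAB_START = ssh_findings([], [EPH_OUT], [])              # neither NACL nor SG allows SSH
NACL_FIXED = ssh_findings([SSH_IN], [EPH_OUT], [])       # NACL fixed, SG still blocks
ALL_FIXED = ssh_findings([SSH_IN], [EPH_OUT], [SG_SSH])  # both fixed: []
```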
Building a Three Tier Network VPC From Scratch in AWS :
Create a VPC :
Create a VPC with the following CIDR Block Range (10.99.0.0/16)
Navigate to the VPC service in the AWS Console
Navigate to “your vpcs”
Click on Create VPC
Enter VPC name and CIDR block range
Create six (6) Subnets :
Create six (6) subnets in the VPC you just created: one pair of subnets for the DMZ layer, one pair for the AppLayer, and one pair for the DBLayer. Each pair should be split across two Availability Zones (AZs).
In the VPC console, navigate to “subnets”
Select “create subnet”
Fill in the form, making sure to select the proper VPC, AZ, and CIDR block range
Repeat 5 more times to create six total subnets
Create a NAT Gateway :
Create a NAT Gateway and provide it with a route to the Internet via the public Route Table.
In the VPC console, navigate to “NAT Gateways”
Click on “Create NAT Gateway”
Fill out the form, making sure to choose the appropriate subnet and to allocate an Elastic IP (EIP) address
Create three (3) NACLs and associate them with subnets :
Create three NACLs and associate each to one of the subnet groupings (DMZ, AppLayer, and DB layer subnets)
Create Three NACLs:
In the VPC console, navigate to “Network ACLs”
Click on “Create Network ACL”
Fill out the form, making sure to select the proper VPC.
Repeat twice more to create a total of three NACLs
Associate NACLs with Subnets:
Select one NACL and navigate to the “Subnet Associations” tab
Click on “Edit”
Select the two subnets that need to be associated with this NACL.
Click “Save”
Repeat twice more, associating the remaining NACLs with the remaining subnets.
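An added example, not from the lab, that lays out the six subnets of this section from the 10.99.0.0/16 block, marks which pair is public (the DMZ) and which route out through the NAT Gateway, groups them into the three NACL associations, and checks the plan for overlaps and AZ spread before anything is created in the console. The AZ names and the /24 subnet size are assumptions.

```python
import ipaddress

# Constructed inputs matching the lab: one /16, two AZs, three tiers (AZ names are assumed)
VPC_CIDR = "10.99.0.0/16"
AZS = ["us-east-1a", "us-east-1b"]
TIERS = ["DMZ", "AppLayer", "DBLayer"]

def plan_subnets(vpc_cidr, azs, tiers, new_prefix=24):
    """Carve one /new_prefix block per (tier, AZ) pair out of the VPC CIDR, in order."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    plan = []
    for tier in tiers:
        for az in azs:
            plan.append({"Name": f"{tier}-{az[-1]}", "Tier": tier, "AvailabilityZone": az,
                         "CidrBlock": str(next(blocks)),
                         # only the first tier (DMZ) is Internet-facing; the rest go out via the NAT Gateway
                         "RouteTable": "public" if tier == tiers[0] else "private"})
    return plan

def validate_plan(plan, vpc_cidr):
    """Checks worth running before clicking through the console: every subnet inside the VPC,
    no overlapping CIDRs, and every tier split across at least two AZs."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s["CidrBlock"]) for s in plan]
    problems = [f"{s['Name']} {n} is outside {vpc}"
                for s, n in zip(plan, nets) if not n.subnet_of(vpc)]
    for i, a in enumerate(nets):
        problems += [f"{a} overlaps {b}" for b in nets[i + 1:] if a.overlaps(b)]
    by_tier = {}
    for s in plan:
        by_tier.setdefault(s["Tier"], set()).add(s["AvailabilityZone"])
    problems += [f"{t} is not split across AZs" for t, z in by_tier.items() if len(z) < 2]
    return problems

def nacl_associations(plan):
    """One NACL per tier, associated with that tier's pair of subnets (the lab's three NACLs)."""
    out = {}
    for s in plan:
        out.setdefault(f"NACL-{s['Tier']}", []).append(s["CidrBlock"])
    return out

PLAN = plan_subnets(VPC_CIDR, AZS, TIERS)
```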