Secure AWS VPC using Public and Private Subnets

Kunal Shah - Dec 11 - Dev Community


AWS Cloud Hands-on Lab Practice Series

Project Overview —

In this lab, you will gain hands-on experience creating and configuring a Virtual Private Cloud (VPC) using the AWS Management Console. The project will culminate in the deployment of a common two-tiered cloud architecture, including front-end and back-end components.

Solutions Architecture —

Prerequisite —

  • AWS Account with Admin Access.

  • Knowledge of basic networking concepts (such as IP addressing, CIDR notation and routing) and an understanding of basic cloud operations.

  • Familiarity with navigating the AWS Management Console.

  • AWS LEVEL — BEGINNER — AWS 100

AWS Services Usage —

  • AWS VPC, EC2, SSM, IGW, NGW, Route Table, SG, NACL and IAM

STEP BY STEP GUIDE -

STEP 1 : Create VPC

  • Login to AWS Console with an IAM user having Admin privileges

  • Select us-west-2 region.

  • In the AWS Management Console search bar, enter VPC, and click the VPC result under Services.

  • Click Your VPCs in the left navigation pane.

  • Click Create VPC to begin creating a new VPC.

  • Specify the following VPC details:

  • Resources to create: Select VPC only

  • Name tag: Enter acloudguy-vpc-demo

  • CIDR block: Enter 10.0.0.0/16 (This is a CIDR block from the private (non-publicly routable) IP address ranges as specified in RFC 1918.)

  • Tenancy: Select Default (Dedicated tenancy ensures your instances run on single-tenant hardware. For the purposes of this Lab, the default is fine though.)

  • Notice the VPC and more option. Choosing it launches a wizard that creates the VPC together with its subnets, route tables and gateways in one go.

  • To learn the core concepts, this lab uses the VPC only approach and builds each component by hand.

  • Scroll to the bottom of the page and click Create VPC.

Amazon creates the requested VPC and the following linked resources:
DHCP options set: Supplies DNS resolver, domain name and related settings to instances in the VPC (by default the Amazon-provided DNS resolver)
Main route table: Table that contains a set of rules, called routes, that determine where network traffic is directed; any subnet not explicitly associated with another route table uses it
Network ACL: Default NACL that allows all inbound and outbound traffic; it applies to any subnet not associated with a custom NACL
Default security group: Allows all outbound traffic, and inbound traffic only from other members of the same group

STEP 2 : Create IGW

  • An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet.

  • It imposes no availability risks or bandwidth constraints on your network traffic.

  • From the VPC Dashboard, click Internet Gateways in the left navigation pane.

  • Click Create internet gateway to begin creating a new gateway with the following -

  • Name tag — acloudguy-igw

  • Click Create Internet Gateway

  • The State of your Internet Gateway will be detached to start.

  • Now you need to attach the new gateway to the VPC you created earlier.

  • Click Actions then Attach to VPC

  • Click Attach internet gateway

  • IMP : An Internet Gateway can be attached to only one VPC at a time.

STEP 3 : Create Public Subnet

  • In the VPC Dashboard, click Subnets, Click Create subnet.

  • Configure the following Public subnet details:

  • VPC ID: Select acloudguy-vpc-demo

  • Subnet name: Enter Public-A

  • Availability Zone: Select us-west-2a from the drop-down menu

  • IPv4 subnet CIDR block: Enter 10.0.20.0/24

  • Click Create subnet.

  • In the left navigation pane, click Route Tables, Click Create route table.

  • Configure the following route table settings:

  • Name: Enter PublicRouteTable

  • VPC: Select the acloudguy-vpc-demo VPC from the drop-down menu.

  • Scroll to the bottom of the page and click Create route table.

  • On the route details page, switch to the Routes tab and click Edit routes.

  • Click Add route and Configure the following route settings.

  • Destination: Enter 0.0.0.0/0.

  • Target: Select Internet Gateway, then acloudguy-igw.

  • Click Save changes.

  • Select the Public-A subnet and click the Route table tab.

  • Click the Edit route table association button

  • Select PublicRouteTable from the Route table ID drop-down menu and confirm the table shows the two expected routes: 10.0.0.0/16 with target local, and 0.0.0.0/0 with target acloudguy-igw

  • Click Save

  • The public subnet needs a route to the internet, so Public-A is now associated with PublicRouteTable and uses its routes instead of the VPC's main route table.

STEP 3 (continued) : Create NAT Gateway in the Public Subnet

  • In the VPC Dashboard, click NAT Gateways.

  • Click Create NAT gateway.

  • Name: Enter NAT-GW

  • Subnet: Select Public-A

  • Connectivity type: Ensure Public is selected

  • The Public connectivity type will allow this NAT Gateway the ability to access the public internet.

  • Click Allocate Elastic IP next to the Elastic IP allocation ID

  • Click Create NAT gateway.

STEP 4 : Create Private Subnet

  • In the VPC Dashboard, click Subnets, then click Create subnet.

  • Configure the following Private subnet details:

  • VPC ID: Select acloudguy-vpc-demo

  • Subnet name: Enter Private-A

  • Availability Zone: Select us-west-2a from the drop-down menu

  • IPv4 subnet CIDR block: Enter 10.0.10.0/24

  • Click Create subnet.

  • In the left navigation pane, click Route Tables, Click Create route table.

  • Configure the following route table settings:

  • Name: Enter PrivateRouteTable

  • VPC: Select the acloudguy-vpc-demo VPC from the drop-down menu.

  • Click Create route table.

  • In the PrivateRouteTable details page, in the Routes tab, click Edit routes

  • Click Add route and configure the following route settings:

  • Destination: Enter 0.0.0.0/0

  • Target: Select Internet Gateway, then acloudguy-igw. This is temporary, for testing only.

  • The point of this detour is STEP 8: you will see that an instance with no public IPv4 address cannot reach the Internet through an IGW route, even though the IGW is attached and routed.

  • Click Save changes.

  • Click Subnets from the left navigation pane, then select the Private-A subnet.

  • In the Route Table tab, and click Edit route table association

  • Select PrivateRouteTable from the Route table ID drop-down menu.

  • Click Save.

STEP 5 : Create a Network ACL for a Private Subnet

  • A Network Access Control List (NACL) is an optional layer of security that acts as a stateless firewall controlling traffic in and out of a subnet.

  • Click Network ACLs under Security.

  • Click Create Network ACL

  • Configure the following Network ACL settings:

  • Name: Enter Private-NACL

  • VPC: Select acloudguy-vpc-demo from the drop-down menu

  • Click Create network ACL

  • Select Private-NACL from the Network ACLs list and click the Subnet associations tab

  • Click Edit subnet associations: Select the check box for the Private-A subnet to associate it with the network ACL.

  • Click Save changes

STEP 6 : Add rules to a Private Network ACL.

  • Select Private-NACL from the list of Network ACLs

  • Click the Inbound rules tab below the table and click Edit inbound rules

  • Click Add new rule and configure the following:

    Rule number: Enter 100
    Type: Select SSH
    Source: Enter 10.0.20.0/24
    Allow / Deny: Select Allow from the drop-down menu

  • For the second rule, click Add new rule and configure the following:

    Rule number: Enter 200
    Type: Select Custom TCP Rule
    Port Range: Enter 1024–65535
    Source: Enter 0.0.0.0/0
    Allow / Deny: Select Allow from the drop-down menu

  • This allows return traffic for the outbound rules you will add shortly. A NACL is stateless, so replies to connections the instance initiates are not tracked automatically: the remote server answers on the ephemeral (client-side) port the instance chose, which on Linux falls in 32768–60999 and on other systems elsewhere in 1024–65535, so the whole 1024–65535 range is opened for replies. Ports below 1024 are the well-known service ports and stay closed.

  • Click Save changes.

  • Ensure the Private-NACL is still selected, then click the Inbound rules tab and verify the two rules are listed: 100 SSH (22) from 10.0.20.0/24 Allow, 200 Custom TCP 1024–65535 from 0.0.0.0/0 Allow, followed by the default * Deny.

  • With the Private-NACL still selected, switch to the Outbound rules tab and click Edit outbound rules.

    Click Add new rule and configure the following:
    Rule number: Enter 100
    Type: Select HTTP from the drop-down menu
    Destination: Enter 0.0.0.0/0
    Allow / Deny: Select Allow from the drop-down menu

  • For the second outbound rule, click Add new rule and configure the following:

    Rule number: Enter 200
    Type: Select HTTPS from the drop-down menu
    Destination: Enter 0.0.0.0/0
    Allow / Deny: Select Allow from the drop-down menu

  • For the third outbound rule, click Add new rule and configure the following:

    Rule number: Enter 300
    Type: Select Custom TCP from the drop-down menu
    Port Range: Enter 32768–61000
    Destination: Enter 10.0.20.0/24 (the CIDR block of your public subnet)
    Allow / Deny: Select Allow from the drop-down menu

  • This is the reply leg for SSH sessions opened from the bastion host in the public subnet. 32768–61000 covers the default Linux ephemeral range; a Windows or macOS bastion may pick client ports up to 65535, so widen the range if your bastion is not Linux.

  • Click Save changes.

  • IMP : When you add or remove rules from a network ACL, the changes are applied automatically to every subnet the NACL is associated with. NACL changes may take a little longer to propagate than security group changes, which take effect almost immediately.
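To see how these rules actually behave, here is an added example (written for this page, not part of the original lab) that evaluates the Private-NACL rules from STEP 6 the way AWS does: ascending rule number, first match wins, implicit deny at the end, and no connection tracking. The bastion address 10.0.20.5, the private peer 10.0.10.7, the repository mirror 203.0.113.10 and the ephemeral ports are constructed for illustration.

```python
# Added example (not part of the original lab): a stateless evaluator for the
# Private-NACL rules configured in STEP 6, so each leg of a flow can be checked
# before relying on it. Sample addresses (bastion 10.0.20.5, peer 10.0.10.7,
# repo 203.0.113.10) and ephemeral ports are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str              # "tcp", "udp" or "all"
    ports: Tuple[int, int]     # inclusive range; ignored when protocol == "all"
    cidr: str                  # source CIDR (inbound) or destination CIDR (outbound)
    action: str                # "allow" or "deny"


# Inbound rules exactly as entered in STEP 6.
INBOUND: List[Rule] = [
    Rule(100, "tcp", (22, 22), "10.0.20.0/24", "allow"),        # SSH from the public subnet
    Rule(200, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),     # replies to our outbound traffic
]
# Outbound rules exactly as entered in STEP 6.
OUTBOUND: List[Rule] = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),          # HTTP to the internet
    Rule(200, "tcp", (443, 443), "0.0.0.0/0", "allow"),        # HTTPS to the internet
    Rule(300, "tcp", (32768, 61000), "10.0.20.0/24", "allow"), # replies to the bastion's SSH
]


def evaluate(rules: List[Rule], protocol: str, port: int, peer_ip: str) -> Tuple[str, Union[int, str]]:
    """Match one packet against a NACL: rules are tried in ascending number order,
    the first match decides, and a packet matching nothing hits the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if r.protocol != "all" and not (r.ports[0] <= port <= r.ports[1]):
            continue
        if ip_address(peer_ip) not in ip_network(r.cidr):
            continue
        return r.action, r.number
    return "deny", "*"


def flow_permitted(direction: str, peer_ip: str, service_port: int, ephemeral_port: int):
    """Check both legs of one TCP connection. A NACL keeps no connection state, so
    the reply leg must be allowed explicitly on the ephemeral port the client chose.
    direction="inbound": the peer connects from ephemeral_port to our service_port.
    direction="outbound": we connect from ephemeral_port to the peer's service_port."""
    if direction == "inbound":
        request = evaluate(INBOUND, "tcp", service_port, peer_ip)
        reply = evaluate(OUTBOUND, "tcp", ephemeral_port, peer_ip)
    elif direction == "outbound":
        request = evaluate(OUTBOUND, "tcp", service_port, peer_ip)
        reply = evaluate(INBOUND, "tcp", ephemeral_port, peer_ip)
    else:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    return request[0] == "allow" and reply[0] == "allow", request, reply


def lab_checks():
    """The flows this lab relies on, plus two that the rules quietly block."""
    return {
        # Linux bastion (ephemeral 32768-60999) opening SSH to the private instance: works.
        "ssh from bastion, linux ephemeral": flow_permitted("inbound", "10.0.20.5", 22, 45000),
        # A bastion whose OS picks ephemeral ports above 61000 (Windows, macOS): the
        # SYN is allowed but the SSH reply is dropped by the implicit deny.
        "ssh from bastion, high ephemeral": flow_permitted("inbound", "10.0.20.5", 22, 62000),
        # yum update over HTTP to a repository mirror: request out on 80, reply back on 40000.
        "yum update over http": flow_permitted("outbound", "203.0.113.10", 80, 40000),
        # HTTPS into the instance from the public subnet: the SG in STEP 7 allows it,
        # but no inbound NACL rule covers port 443, so the packet never reaches the SG.
        "https from public subnet": flow_permitted("inbound", "10.0.20.5", 443, 50000),
        # SSH from another private host: source outside 10.0.20.0/24, denied.
        "ssh from private peer": flow_permitted("inbound", "10.0.10.7", 22, 50000),
    }


if __name__ == "__main__":
    for name, (ok, request, reply) in lab_checks().items():
        print(f"{name:38} {'PASS' if ok else 'BLOCKED':8} request={request} reply={reply}")
```

Two results are worth noting. The SSH reply leg is dropped when the bastion's operating system chooses an ephemeral port above 61000, so widen outbound rule 300 to 1024–65535 if the bastion is not Linux. And the HTTPS rule added to SG-Private in STEP 7 never comes into play, because no inbound NACL rule admits port 443; a security group only sees traffic the subnet's NACL has already let through.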

STEP 7 : Launching EC2 Instance on a Private Subnet.

  • In the AWS Management Console search bar, enter EC2, and click the EC2 result under Services.

  • Create a Key pair from EC2 left pane.

  • Click Launch instances.

  • In the Name and tags section, enter private under Name.

  • In the Instance Type section, keep the default t2.micro.

  • Select the Key Pair created earlier from drop down.

  • In the Network settings section, click Edit, and configure the following instance details:

  • VPC: Select the acloudguy-vpc-demo VPC

  • Subnet: Select the Private-A subnet

  • Auto-assign Public IP: Make sure this is disabled

  • Firewall: Select Create security group

  • Security group name: Enter SG-Private

  • Description: Enter Security group for private subnet instances. Accept SSH inbound requests from Bastion host only.

  • Type: SSH

  • Protocol: TCP

  • Port: 22

  • Source type: Custom

  • Source: SG-bastion

  • Note: this lab does not create the bastion host itself. SG-bastion is assumed to be the security group of a bastion instance launched in the Public-A subnet; create it first if it does not exist, otherwise the source field will not resolve. If you don't recall the name, leave Source type as Custom and start typing “bastion”; the console lists matching security groups.

  • Click Add security group rule

  • Type: HTTPS

  • Protocol: TCP

  • Port: 443

  • Source type: Custom

  • Source: 10.0.20.0/24 (the public subnet's CIDR)

  • Note: If you also needed Windows access, you would add another rule: Type RDP; Protocol TCP; Port 3389; Source SG-bastion

  • Review the Summary section and click Launch instance

STEP 8 : Test Internet access from EC2 Instance on a Private Subnet.

  • Connect to the instance (for example by SSH through the bastion host) and run sudo yum update

  • Although the security group permits all outbound traffic, and the private NACL allows HTTP and HTTPS out and the ephemeral-port replies back in, the command times out.

  • The cause is the route, not the firewall rules. PrivateRouteTable currently sends 0.0.0.0/0 to the internet gateway, but the instance has only a private 10.0.10.x address because Auto-assign Public IP was disabled. An internet gateway performs address translation only for instances that own a public or Elastic IPv4 address, so the instance's packets have no routable source and are dropped; nothing comes back.

  • You need Network Address Translation (NAT), here a NAT gateway in the public subnet, to give the private instance outgoing connectivity to the Internet.
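The behaviour just described can be checked with the following added example (written for this page, not the lab's own code). It models the route tables from STEP 3, STEP 4 and STEP 9 with longest-prefix matching and applies the rule behind the time-out: an internet gateway only translates traffic for an instance that has a public or Elastic IPv4 address, while a NAT gateway translates on behalf of instances that have none. The gateway IDs igw-EXAMPLE and nat-EXAMPLE, the bastion's public IP 198.51.100.7 and the destination 203.0.113.10 are placeholders.

```python
# Added example (not the lab's own code): models the lab's route tables with
# longest-prefix match, then applies the rule behind the STEP 8 failure: an
# internet gateway only carries traffic for an instance that has a public or
# Elastic IPv4 address, whereas a NAT gateway translates on behalf of
# private-only instances. Gateway IDs, the bastion's public IP (198.51.100.7)
# and the destination (203.0.113.10) are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass
class RouteTable:
    name: str
    routes: Dict[str, str]   # destination CIDR -> target ("local", "igw-...", "nat-...")

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Pick the most specific route that contains dst_ip; None means no route."""
        best_net, best_target = None, None
        for cidr, target in self.routes.items():
            net = ip_network(cidr)
            if ip_address(dst_ip) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_target = net, target
        return best_target

    def is_public(self) -> bool:
        """The page's definition: a subnet whose table routes to an internet gateway."""
        return any(t.startswith("igw-") for t in self.routes.values())


@dataclass
class Instance:
    name: str
    private_ip: str
    route_table: RouteTable
    public_ip: Optional[str] = None   # auto-assigned public IP or Elastic IP, if any


def internet_path(inst: Instance, dst_ip: str = "203.0.113.10") -> str:
    """Describe what happens to a packet sent from inst to dst_ip."""
    target = inst.route_table.lookup(dst_ip)
    if target is None:
        return "dropped: no matching route"
    if target == "local":
        return "delivered inside the VPC"
    if target.startswith("igw-"):
        if inst.public_ip:
            return f"forwarded by {target}, source translated to {inst.public_ip}"
        return f"dropped: {target} route but the instance has no public IPv4 address"
    if target.startswith("nat-"):
        return f"forwarded by {target}, source translated to the NAT gateway's Elastic IP"
    return f"unsupported target {target}"


# Route tables as they stand after STEP 3 and STEP 4, and the private table after STEP 9.
PUBLIC_RT = RouteTable("PublicRouteTable", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"})
PRIVATE_RT_STEP4 = RouteTable("PrivateRouteTable", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"})
PRIVATE_RT_STEP9 = RouteTable("PrivateRouteTable", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"})

BASTION = Instance("bastion", "10.0.20.5", PUBLIC_RT, public_ip="198.51.100.7")
PRIVATE_STEP4 = Instance("private (STEP 8 test)", "10.0.10.15", PRIVATE_RT_STEP4)
PRIVATE_STEP9 = Instance("private (STEP 10 test)", "10.0.10.15", PRIVATE_RT_STEP9)

if __name__ == "__main__":
    for inst in (BASTION, PRIVATE_STEP4, PRIVATE_STEP9):
        print(f"{inst.name:24} public subnet={inst.route_table.is_public()!s:5} -> {internet_path(inst)}")
    # Traffic from the private instance to the bastion matches the /16 local route and never leaves the VPC.
    print("private -> bastion:", internet_path(PRIVATE_STEP9, BASTION.private_ip))
```

Note that PrivateRouteTable after STEP 4 counts as "public" by the route-table definition used under LEARNINGS, yet the instance in it still cannot reach the Internet: the route and the instance's addressing both have to be right, and a private instance behind a NAT gateway satisfies both.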

STEP 9 : Change Routes for Private Subnet from IGW to NGW.

  • In the PrivateRouteTable details page, in the Routes tab, click Edit routes

  • The table already holds the temporary 0.0.0.0/0 route pointing at acloudguy-igw. Edit that route rather than adding a second one, since a route table cannot hold two routes with the same destination:

  • Destination: Keep 0.0.0.0/0

  • Target: Select NAT Gateway, then the NAT-GW created in STEP 3, replacing the internet gateway.

  • This route sends traffic that originates in the private subnet and is bound for the public internet to the NAT gateway, which forwards it through the internet gateway using its own Elastic IP.

  • Click Save changes.

  • Click Subnets from the left navigation pane, select the Private-A subnet and open the Route table tab.

  • Confirm the subnet is still associated with PrivateRouteTable. It was associated in STEP 4, so normally nothing changes here; if the association is missing, click Edit route table association, select PrivateRouteTable from the Route table ID drop-down menu and click Save.

STEP 10 : Final Test Internet access from EC2 Instance on a Private Subnet.

  • Important!

  • Two configurations are worth restating, because together they are why the command works now:

  • The private NACL has outbound rules permitting HTTP (port 80) and HTTPS (port 443) to anywhere on the internet (0.0.0.0/0), and an inbound rule permitting the replies on ports 1024–65535.

  • A NAT gateway has no security group of its own, so what governs the path is the private instance's security group (whose default outbound rule permits all destinations) and the network ACL of the public subnet that hosts NAT-GW (the VPC's default NACL, which allows all traffic).

  • Connect to EC2 instance and Run sudo yum update -y

  • SUCCESS !! It worked!

STEP 11 : Decommission:

  • Go to EC2 -> Terminate the Instance

  • Go to Nat Gateways -> Delete the Nat Gateway

  • Go to Elastic IP address -> release IP address

  • Go to VPC -> Delete VPC

LEARNINGS :

  • The VPC has been configured with two subnets, a public subnet, and a private subnet. If a subnet’s traffic is routed to an Internet gateway, the subnet is known as a public subnet.

  • If a subnet doesn’t have a route to the Internet gateway, the subnet is known as a private subnet. Instances launched in a private subnet do not have publicly routable internet addresses either.

  • Both subnets have a route table associated with them. Instances on the public subnet route internet traffic through the internet gateway. The private subnet routes internet traffic through the NAT device (gateway or instance).

  • Each instance launched in either subnet has its own security group with inbound and outbound rules, to guarantee access is locked down to specific ports and protocols.

  • For example, instances in the private subnet allow any outbound traffic but accept inbound SSH only from the bastion host's security group (and HTTPS only from the public subnet CIDR).

  • As another example, although the NAT gateway sits in the public subnet, it cannot be used from the internet: a public NAT gateway only forwards connections that originate inside the VPC and returns their replies, and it has no security group to misconfigure. If you ran a self-managed NAT instance instead, you would need a security group that admits only traffic from the private subnet.

  • Note that you might allow SSH access from your personal IP address or specific administrator’s as well, or perhaps grant ICMP (ping) access during setup and troubleshooting efforts.

  • In addition to security groups, the private subnet also has a network access control list (NACL) as an added measure of security.

  • NACLs have inbound and outbound rules that are evaluated in ascending rule-number order; the first match wins. A custom NACL ends with the implicit * deny rule, so anything not explicitly allowed is dropped.

  • NACLs are also stateless: the reply leg of every flow must be allowed separately, which is why the ephemeral-port rules in this lab exist.

  • This was proven to work in the Lab by performing operating system updates once the NAT device was in place. The private route table sends the traffic from the instances in the private subnet to the NAT device in the public subnet.

  • The NAT device sends the traffic to the Internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT device.

I am Kunal Shah, AWS Community Builder, AWS Certified Professional Solutions Architect, helping clients to achieve optimal solutions on the Cloud. Cloud Enabler by choice, DevOps Practitioner having 9+ Years of overall experience in the IT industry.

I love to talk about Cloud Technology, DevOps, Digital Transformation, Analytics, Infrastructure, Cloud Native, Generative AI, Dev Tools, Operational efficiency, Serverless, Cost Optimization, Cloud Networking & Security.

aws #community #builders #VPC #network #security #troubleshoot #hybrid #network #peering #segmentation #validatations #isolated #solution #war #reliability #operations #Excellence #infrastructure #deployment #private #secure #design #acloudguy

You can reach out to me @ acloudguy.in
