Amazon AWS Certified Developer Associate – Virtual Private Cloud (VPC) Part 2
2. Building Our Own Custom VPC
Okay, so here I am. I'm logged into the AWS console. This is using the new UI, so it might look slightly different from older accounts that still use the old UI. If you need to get into the VPC section, you can go down to Networking, or go up here to Services, over to Networking, and click on VPC. So this is our VPC dashboard. It summarises everything that lives inside our VPCs: the VPCs themselves, subnets, route tables and so on.
And up here you'll see Start VPC Wizard. You can build out your own VPCs using this wizard. It's fantastic and saves you a lot of time, but of course it means you won't learn anything, and you need to know how to do this for the exam. So we're not going to use the wizard; I'm going to show you how to build one out manually yourself. We'll hit Cancel and Exit. The first thing we need to do is go over to Your VPCs, and we're going to create a VPC.
So for the name, I'm just going to call it My VPC. Then we have our CIDR block. CIDR stands for Classless Inter-Domain Routing, and this is where we specify our IP address range. Now if you remember from the last lecture, there are three IP address ranges typically used for internal network addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), and 10.0.0.0/8 is the most common, certainly within corporate networks. So we're going to use that. If you look up here, it tells you that you cannot have a CIDR block larger than a /16. The 10.0.0.0 range itself goes all the way up to a /8, so let's try it with a /8: it throws an error as soon as I hit Yes, Create. So I need to do it as a /16, which is the largest VPC block AWS allows (the smallest is a /28). Then we've got tenancy down here. This is whether your VPC, and all the assets that sit within it, are deployed onto shared hardware or dedicated hardware. By default it's always shared; that's the advantage of public cloud. But if you have regulatory requirements that demand dedicated hardware underneath, you can select Dedicated.
Don't do that, though, because it can be quite expensive. So I'm going to leave that as Default and go ahead and hit Yes, Create. It can sometimes take a second or two, but there we go, it's created our VPC. We've got My VPC, we've got our VPC ID, and we can see our VPC CIDR range. You can see that the default VPC uses the 172.31.0.0/16 range, while ours is using 10.0.0.0/16. We've also got our DHCP options set, our route table, our network ACL, what the tenancy is, and whether or not it's the default VPC. Okay? So let's go and have a look at what else was created when we created this VPC.
If we go into Subnets, we can see there are two subnets, but those belong to our default VPC, so it hasn't created any new subnets. If we go to Route Tables, though, you'll see it has created a new route table for My VPC, and it's the main route table. So when you create a VPC, a main route table is created automatically. Let's go over to Security Groups and have a look. Again, if we just scroll across like this, you can see My VPC there, so it did create a default security group for this VPC. Let's also have a look at Network ACLs, and of course it has created a default network ACL for My VPC as well. So just to recap: when we create a VPC, it does not automatically create any subnets, and it does not automatically create an Internet gateway, but it does automatically create a main route table, a default network ACL, and a default security group. That's an important fact to remember going into any of the Associate exams.
Okay, so just to help you visualize what we've actually done: we've created our VPC and called it My VPC. I've done this in the EU Central (Frankfurt) region just because I don't use it very much, which lets me demonstrate this without pre-existing security groups and that sort of thing. By default, when we created our VPC, it created a route table, a network ACL, and a default security group. We don't have any subnets yet, and without subnets we can't deploy anything into our VPC. So let's go ahead and create some subnets. We click over here and go to Subnets.
We're going to create two subnets. In terms of naming convention, I like to put the address range in the name, so 10.0.1.0, and then the Availability Zone it sits in. So in this instance we're going to use eu-central-1a, and I'm going to change the VPC over to the one we've created, My VPC. Then the CIDR block: I'm going to use 10.0.1.0 with a /24, and go ahead and hit Yes, Create. Straight away that creates my new subnet inside my custom VPC, and that subnet is always going to be in eu-central-1a.
So again, this is so important to remember going into any of the exams: one subnet always equals one Availability Zone. You cannot have a subnet spanning multiple Availability Zones. You can have security groups spanning multiple Availability Zones, and you can have network ACLs spanning multiple Availability Zones, but one subnet always equals one Availability Zone. So we've created it, and you can see over here, which is quite cool as well, that it tells you how many IP addresses are available. We've got 251 addresses available in this /24 subnet. That can certainly be an exam topic in the Professional-level exams: how many addresses does AWS reserve by default? For each subnet you create, AWS reserves five addresses: the network address (.0), the next three (.1, .2 and .3), and the broadcast address (the last one in the block, .255 in a /24). A /24 has 256 addresses, so 256 minus 5 leaves the 251 you see here. In this lecture I only count the three in the middle, because the .0 and .255 addresses can't be used on any network anyway. You can find this documented very easily by searching for VPC IP reservations, which brings up the VPCs and Subnets page at https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html.
On that page you can see the three IP address ranges you can use that are not publicly routable, and if you scroll down, you can see what's reserved. So three addresses in the middle are reserved: .1 is reserved by AWS for the VPC router, .2 is reserved by AWS for DNS, and .3 is reserved by AWS for future use; the .0 and .255 addresses are taken as well, but you can't address those anyway. That probably won't come up in any of the Associate exams, maybe in SysOps, but it is important to remember for the Professional exam.
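The addressing rules above (a VPC block no larger than /16 and no smaller than /28, five addresses reserved per subnet, 251 usable in a /24, subnets that must sit inside the VPC block without overlapping) are easy to get wrong when planning by hand, so here they are as a small script. This is an added example, not code from the course or from AWS; it uses only the Python standard library, and the CIDRs fed to it are the lecture's own, so it runs offline.

```python
"""Subnet planning checks for the VPC rules from the lecture (added example,
not from the course). Standard library only; input CIDRs are the lecture's."""
import ipaddress

# The three non-publicly-routable ranges the lecture refers to (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPC_LARGEST, VPC_SMALLEST = 16, 28   # AWS: a VPC CIDR must be /16 .. /28
SUBNET_SMALLEST = 28                 # AWS: a subnet CIDR must be /16 .. /28 too
AWS_RESERVED_PER_SUBNET = 5          # .0, .1, .2, .3 and the last address


def check_vpc_cidr(cidr):
    """Return (accepted, message): the check the console runs on Yes, Create."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen < VPC_LARGEST:
        return False, f"{cidr}: block is larger than /{VPC_LARGEST}; use /{VPC_LARGEST} or smaller"
    if net.prefixlen > VPC_SMALLEST:
        return False, f"{cidr}: block is smaller than /{VPC_SMALLEST}"
    if not any(net.subnet_of(r) for r in RFC1918):
        return True, f"{cidr}: accepted, but not an RFC 1918 range"
    return True, f"{cidr}: accepted"


def reserved_addresses(subnet_cidr):
    """The five addresses AWS takes out of every subnet, keyed by purpose."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return {"network": str(net[0]), "router": str(net[1]), "dns": str(net[2]),
            "future_use": str(net[3]), "broadcast": str(net[-1])}


def usable_addresses(subnet_cidr):
    """What the console shows as 'Available IPs' for an empty subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnets):
    """Validate (name, cidr) subnets against the VPC; returns a list of problems."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    problems, seen = [], []
    for name, cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} lies outside the VPC block {vpc_cidr}")
        if net.prefixlen > SUBNET_SMALLEST:
            problems.append(f"{name}: {cidr} is smaller than /{SUBNET_SMALLEST}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))
    return problems


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "10.0.0.0/16"):
        print(check_vpc_cidr(cidr))
    lecture = [("10.0.1.0 - eu-central-1a", "10.0.1.0/24"),
               ("10.0.2.0 - eu-central-1b", "10.0.2.0/24")]
    print(plan_subnets("10.0.0.0/16", lecture) or "subnet plan is consistent")
    print(usable_addresses("10.0.1.0/24"), reserved_addresses("10.0.1.0/24"))
```

Running it reproduces the console's /8 rejection, the 251 available addresses for 10.0.1.0/24, and the five reserved addresses by role; feeding it an overlapping or out-of-block subnet returns the problem instead of letting you find out at create time.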
Okay, so coming back to the AWS Management Console, we're going to create our second subnet. Again, I'm going to make sure it's in my custom VPC, I'm going to call it 10.0.2.0 - eu-central-1b, and specify that this one is going to be in Availability Zone eu-central-1b. My CIDR block is exactly what I've put in the name tag, so 10.0.2.0 with a /24, and I'll go ahead and create this subnet. So now we've got two subnets: one in eu-central-1a and the other in eu-central-1b, each with 251 IP addresses available. I'm going to have one as a public subnet and one as a private subnet. In order to make things public and private, the very first thing we need is a way for the Internet to reach this VPC at all.
So how do we do that? It's fairly obvious: we go over to Internet Gateways and create an Internet gateway. Let's call this My IGW and hit Create. You can see that by default it's detached, so it's not doing anything. You want to attach it to a VPC, so we attach it to My VPC and hit Attach. Now a common exam question is whether you can boost your Internet speeds by attaching multiple Internet gateways to a VPC. Let's just create a new one, call it My IGW 2, and hit Yes, Create. So we've created that, but if we go to Attach to VPC, we don't have any VPCs in the drop-down menu. That's because you cannot attach more than one Internet gateway to a VPC; it just doesn't work like that.
Remember that Internet gateways are engineered to be highly resilient anyway; there's no single point of failure in them. You can't attach multiple Internet gateways to a VPC either to boost performance or to remove a single point of failure. So I'm going to delete that second one now. We've got our Internet gateway attached to our VPC. Now, before we provision any EC2 instances into our subnets, we need to create a route out to the Internet, so that those instances can, for example, run yum updates and patch their operating systems with the latest security fixes. We do that in Route Tables. As you remember, when we created the VPC it created a route table by default. This is it here, and if you click on it, or maximise the pane a bit, you can see its routes.
This local route, which sends the VPC's own CIDR (10.0.0.0/16) to the target "local", is always created by default, so when we create multiple subnets inside this VPC they will all be able to talk to each other. This is the main route table. It's best practice to leave it as is and to keep the main route table private, purely as a security measure. What we want to do instead is create a new route table. We'll call it My Public Route, and any subnet associated with this route table will have a route out to the Internet, which makes it very easy to keep track of. So I'm going to go ahead and create it, select My VPC, and hit Create. That gives us a brand new route table, and then what we want to do is associate a subnet with it.
Well, actually, the first thing we want to do is create the route out to the Internet. So we go to Routes, hit Edit, and add another route: the destination is all traffic, 0.0.0.0/0, and when you go over to the target it offers your Internet gateway, so you point it at My IGW and hit Save. Okay? So what have we actually done? We've created a new route table, given it a route out to the Internet, and it's not our main route table. One thing to note is that whenever you create a new subnet, by default it is associated with your main route table. For that exact reason, you don't want a route out to the Internet on your main route table, because it would mean every single subnet you create is Internet-routed by default.
That's not very good in terms of security best practice. So there we go: we've created our new route table and given it a route out to the Internet. The last thing we need to do is associate a subnet with it. Click on Subnet Associations. It says you do not have any subnet associations, and it always gives you this warning: the following subnets have not been explicitly associated with any route tables and are therefore associated with the main route table. So we go to Edit and associate our 10.0.1.0 subnet, the one in eu-central-1a. That makes the subnet use this route table, and gives Internet access to any EC2 instances deployed into it. Hit Save, and there we go, it's saved. Now there's one last thing we probably want to do before we deploy an EC2 instance, and that's to go over to our subnets.
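The rule just described, that a subnet with no explicit association falls back to the main route table and is public only when its effective route table sends 0.0.0.0/0 to an Internet gateway, is easy to script, and it's the check worth running across an account before trusting that "private" subnets really are private. This is an added example, not code from the course: the records mirror the shape of aws ec2 describe-route-tables and describe-subnets output, but they are constructed by hand with made-up IDs so the script runs offline. A second, deliberately insecure route-table set shows what happens when the Internet gateway route lands on the main table instead.

```python
"""Decide which subnets are public from route-table data (added example, not
from the course). Records mirror `aws ec2 describe-route-tables` /
`describe-subnets` output but are constructed with made-up IDs."""

VPC_ID = "vpc-0123456789abcdef0"   # assumed ID
IGW_ID = "igw-0123456789abcdef0"   # assumed ID

SUBNETS = [  # constructed, matching the two subnets built in the lecture
    {"SubnetId": "subnet-0aaa", "VpcId": VPC_ID, "CidrBlock": "10.0.1.0/24",
     "AvailabilityZone": "eu-central-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0bbb", "VpcId": VPC_ID, "CidrBlock": "10.0.2.0/24",
     "AvailabilityZone": "eu-central-1b", "MapPublicIpOnLaunch": False},
]

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
TO_IGW = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"}

ROUTE_TABLES = [  # the layout the lecture ends with: private main table, separate public table
    {"RouteTableId": "rtb-0main", "VpcId": VPC_ID, "Routes": [LOCAL],
     "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}]},
    {"RouteTableId": "rtb-0public", "VpcId": VPC_ID, "Routes": [LOCAL, TO_IGW],
     "Associations": [{"Main": False, "RouteTableId": "rtb-0public", "SubnetId": "subnet-0aaa"}]},
]

ROUTE_TABLES_INSECURE = [  # the anti-pattern: IGW route on the main table, no explicit associations
    {"RouteTableId": "rtb-0main", "VpcId": VPC_ID, "Routes": [LOCAL, TO_IGW],
     "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}]},
]


def has_internet_route(rt):
    """True if an active default route (v4 or v6) points at an Internet gateway."""
    for r in rt["Routes"]:
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if (dest in ("0.0.0.0/0", "::/0") and r.get("GatewayId", "").startswith("igw-")
                and r.get("State", "active") == "active"):
            return True
    return False


def effective_route_table(subnet, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies (AWS rule)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet["SubnetId"] for a in rt["Associations"]):
            return rt, True
    for rt in route_tables:
        if rt["VpcId"] == subnet["VpcId"] and any(a.get("Main") for a in rt["Associations"]):
            return rt, False
    raise ValueError(f"no main route table for {subnet['VpcId']}")


def classify_subnets(subnets, route_tables):
    """Map SubnetId -> how that subnet reaches (or does not reach) the Internet."""
    out = {}
    for s in subnets:
        rt, explicit = effective_route_table(s, route_tables)
        out[s["SubnetId"]] = {
            "cidr": s["CidrBlock"], "az": s["AvailabilityZone"],
            "route_table": rt["RouteTableId"], "explicit_association": explicit,
            "public": has_internet_route(rt),
            "auto_assign_public_ip": bool(s.get("MapPublicIpOnLaunch")),
        }
    return out


def findings(subnets, route_tables):
    """Security-relevant observations, one string per finding (empty list = clean)."""
    notes = []
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]) and has_internet_route(rt):
            notes.append(f"{rt['RouteTableId']}: main route table has an IGW route; "
                         "every new subnet in the VPC is Internet-routed by default")
    for sid, info in classify_subnets(subnets, route_tables).items():
        if info["public"] and not info["explicit_association"]:
            notes.append(f"{sid}: public only by inheriting the main route table")
        if info["auto_assign_public_ip"] and not info["public"]:
            notes.append(f"{sid}: assigns public IPs but has no IGW route (unreachable)")
    return notes


if __name__ == "__main__":
    for sid, info in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(sid, info["cidr"], "PUBLIC" if info["public"] else "private", "via", info["route_table"])
    for note in findings(SUBNETS, ROUTE_TABLES_INSECURE):
        print("WARN", note)
```

Against real data you would replace the constructed lists with the parsed JSON from the two describe calls; the logic is the same, and the "public only by inheriting the main route table" finding is exactly the situation the lecture warns about.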
In Subnets, you can see we've got our 10.0.1.0 and 10.0.2.0 subnets. Click on 10.0.1.0, scroll all the way across, and you'll see Auto-assign Public IP, which right now says No. This subnet is supposed to be our public subnet, and we do want any EC2 instance launched into it to be reachable from the Internet, so I'm going to go to Subnet Actions, Modify auto-assign public IP, tick Enable auto-assign public IP, and save. Now every time I launch an EC2 instance into this subnet it will automatically get a public IP address. So let's go ahead and deploy two EC2 instances, one into 10.0.1.0 and one into 10.0.2.0. Go over to EC2, which is under Compute, and start launching an instance: I'm going to use the Amazon Linux AMI and hit Next, then make sure I'm using my new VPC, not the default VPC (you can see the number of IP addresses available), and put it into 10.0.1.0 because that's my public subnet. I'll leave everything else as is, but I'm going to go down here and write a cool little bootstrap script.
Before I do that, though, take notice of the Auto-assign Public IP setting here, which says Use subnet setting. If you forgot to enable it at the subnet level, you can just pick Enable here and the instance will get a public IP address as well. Because we did enable it on the subnet, we can leave it on Use subnet setting. So we go down to User data, and I'm going to write a little bootstrap script. As always we start with the shebang, which is the number sign followed by an exclamation mark and then the path to our interpreter, /bin/bash, which runs the Bash commands that follow. Then we install Apache with yum, apply updates, start the httpd service, make httpd start automatically if the instance reboots, and finally write our own little web page, a bit of HTML saying Hello Cloud Gurus, into index.html in the /var/www/html directory:

    #!/bin/bash
    yum install httpd -y
    yum update -y
    service httpd start
    chkconfig httpd on
    echo "<html><h1>Hello Cloud Gurus!</h1></html>" > /var/www/html/index.html

And that's literally it, a very simple bootstrap script. I'm going to copy and paste this, and we'll have it in the resources section of the course. Hit Next to add storage; we'll keep the default storage, and I'm just going to name the instance My Web Server. Then configure the security group. Because this is a new VPC, we're going to create a new security group. I'm going to call it WebDMZ, and open it up on port 80 (HTTP) as well as port 22 (SSH). Port 80 can be open to the world, since this is meant to be a public web server, but it's worth restricting the SSH rule's source to your own IP address rather than 0.0.0.0/0.
So we're going to allow HTTP traffic to anything in this security group. Hit Review and Launch; we're all good to go, so hit Launch. I have an existing key pair called My German Key Pair; you might want to create a new one if you don't have a key pair in this region. Hit Launch Instances. If we go back to view our instances, here's a naughty one I had to terminate earlier because I made a mistake in the bootstrap script, but this new one is being provisioned right now. What you'll notice is that if you've set up your subnets correctly and enabled auto-assign public IP, this new EC2 instance, once provisioned, will automatically have a public IP address. If yours doesn't, it just means you didn't enable that on the subnet when you created it.
There's an easy way around it: you can allocate an Elastic IP address. You do that by going down to Elastic IPs. Let's have a quick look at how: you'd Allocate new address, Yes, Allocate, and then associate that Elastic IP address with your EC2 instance. Note the difference, too: an auto-assigned public IP changes if the instance is stopped and started, whereas an Elastic IP stays with you until you release it. I'm going to release this address, though, since we don't need it: Yes, Release. So let's go back to our EC2 dashboard and look at our instance. It should have come up by now; there it is, and it's already got a public IP address assigned. It depends on how long the bootstrap script takes to run, but let's paste the IP address into the browser, hit Enter, and with any luck, there we go: Hello Cloud Gurus. So it has all worked, and it's Internet accessible. We can access it via HTTP, and we should also be able to SSH into the instance using the public IP.