STEP 1- Create a custom VPC
In the search bar, search for VPC.
This should take you to your VPC dashboard.
- Click on create VPC
Provide the following details and click on Create (See image below).
- Select VPC only
- Provide a Name tag (I’m saving mine as IkennaVPC)
- Provide an IPv4 CIDR block (I’m selecting a CIDR block of 10.1.0.0/16)
- In IPv6 CIDR select Amazon provided IPv6 CIDR block
- Select a network border group of your choice; in this case, I’ll be using us-east-1
- Under Tenancy, select Default
- Click on Create VPC
STEP 2- Create 2 subnets (Public and Private subnets)
- Click on Subnets in the panel to the left
You should see the default subnet attached to your default VPC.
- Click on Create subnet
Under VPC ID select the custom VPC you just created from the dropdown.
Provide the following details and click on Create.
- In Subnet name enter a subnet name (I’m saving mine as Ikenna-Public-Subnet)
- Select an Availability Zone of your choice; in this case, I’ll be using us-east-1
- Provide IPv4 CIDR. (I’m using 10.1.1.0/24 for this subnet)
- No need for an IPv6 CIDR, as we will use IPv4.
Scroll to the bottom, click on Add new subnet and enter the same information as for the Public subnet. However, in this case the subnet name will be Ikenna-Private-Subnet and the CIDR block will be 10.1.2.2/24. Then click on Create subnet.
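Before typing subnet CIDRs into the console, it is worth checking the address plan the way the console will: each block must be a network address with no host bits set, must sit inside the VPC block, must use a prefix AWS accepts for IPv4 subnets (/16 to /28), and must not overlap a sibling subnet. The following is an added example using only Python's standard library; it is not part of the original walkthrough. The VPC and subnet values are the ones entered in STEP 1 and STEP 2, so running it shows that 10.1.2.2/24 as typed has host bits set and that its network-address form is 10.1.2.0/24 (which is the block the private instance's later address, 10.1.2.209, belongs to).

```python
import ipaddress

# Constructed from the values typed in STEP 1 and STEP 2 of this walkthrough.
VPC_CIDR = "10.1.0.0/16"
PLANNED_SUBNETS = {
    "Ikenna-Public-Subnet": "10.1.1.0/24",
    "Ikenna-Private-Subnet": "10.1.2.2/24",  # as entered above; host bits are set
}


def validate_plan(vpc_cidr, subnets):
    """Check a VPC subnet plan before handing it to the console.

    Returns {subnet_name: [problem, ...]}; an empty list means the subnet is fine.
    Checks: the CIDR is a proper network address (no host bits set), it lies inside
    the VPC block, its prefix is within the /16../28 range AWS allows for IPv4
    subnets, and it does not overlap any sibling subnet.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = {name: [] for name in subnets}
    parsed = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: raises if host bits are set
        except ValueError:
            net = ipaddress.ip_network(cidr, strict=False)
            problems[name].append(f"{cidr} has host bits set; the network address is {net}")
        parsed[name] = net
        if not net.subnet_of(vpc):
            problems[name].append(f"{net} is not inside the VPC block {vpc}")
        if not 16 <= net.prefixlen <= 28:
            problems[name].append(f"/{net.prefixlen} is outside the /16-/28 range AWS allows")
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems[a].append(f"overlaps {b} ({parsed[b]})")
                problems[b].append(f"overlaps {a} ({parsed[a]})")
    return problems


def usable_hosts(cidr):
    """Addresses an instance can actually take: AWS reserves the first four
    addresses and the last (broadcast) address of every subnet."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 5


def contains(cidr, ip):
    """True if an instance address belongs to the given subnet."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for name, issues in validate_plan(VPC_CIDR, PLANNED_SUBNETS).items():
        print(name, "OK" if not issues else issues)
    print("usable hosts per /24:", usable_hosts("10.1.1.0/24"))
    print("10.1.2.209 in private subnet:", contains("10.1.2.0/24", "10.1.2.209"))
```

The overlap check matters once more subnets are added later (for example a second private subnet in another Availability Zone): the console refuses overlapping blocks, and catching that in a plan file is cheaper than discovering it mid-build.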
STEP 3- Modify Subnet to Auto-Assign IP (For the Public subnet)
- Click Ikenna-Public-Subnet check box
- Click on Actions next to Create subnet
- Click on Edit subnet settings
- Click on the checkbox next to Enable auto-assign public IPv4 address and click on Save
STEP 4- Launch an EC2 Instance in Public Subnet
Under Services, search for EC2 and open it in a new tab.
- In the EC2 dashboard, click on Launch instance.
- Provide a Name for your instance (I’m saving mine as IkennaPublic_Server)
- Choose Amazon Linux, select the Amazon Linux 2023 AMI (HVM) and click on Select.
- For the instance type, select t2.micro (free tier eligible)
- Create a new key pair.
I’ll be saving mine as MyPublicKP, with a private key file format of .pem
- Click on create key pair
- Under Network Settings, click on Edit
- Select the Custom VPC created earlier; in this case it is IkennaVPC. Under Subnet select the Public Subnet created earlier, here Ikenna-Public-Subnet
- Click on Create security group and provide a Name and Description. I’m saving both the name and description as Ikenna-Public-SG.
- Click on launch instance
STEP 5- Create a second instance. This time it will be named IkennaPrivateApp and will be placed inside our Private subnet.
Follow the same steps as in STEP 4, with the following changes-
- Save key pair as “MyPrivateKP”
- In network settings, change the subnet to “Ikenna-Private-Subnet”
- Auto-assign public IP should be set to “Disable”
- Create a new security group. This time I’ll be saving the name and description as Ikenna-Private-SG
- Under Source for the SSH rule, select “Custom” as the Source type and select Ikenna-Public-SG as the Source
- Click on launch instance
STEP 6- Create and Attach Internet Gateway to the Custom VPC
- Search for VPC in the search bar and open it
- Click on Internet Gateway on the left navigation panel.
- Click on Create internet gateway button.
- Provide a name for the Internet gateway and click on the Create internet gateway button. (I’ll be saving mine as IkennaIGW2)
Now the internet gateway has been created successfully; however, we need to attach it to the custom VPC we’ve created.
- Click on Action and Select Attach to VPC.
- In available VPCs, select the VPC we just created and click on Attach internet gateway
STEP 7- Create and Configure Public and Private Route Tables
For the Public Route table
- Search for VPC in the search bar and open it
- Navigate to Route Tables from the left navigation menu, and click on create route table
- Provide a name for the route table. (I’m saving mine as PublicRouteTable)
- Select the custom VPC just created, which is IkennaVPC. Click on Create route table.
- Select the newly created PublicRouteTable, open the Routes tab and then click on Edit routes.
- Click on the Add route button to add two new rows.
Add the following in the rows and click on Save routes
a. In the destination enter 0.0.0.0/0 for IPv4
b. In target select Internet gateway created earlier
c. In the second row, at destination enter ::/0 for IPv6
d. In target select Internet gateway created earlier
For the Private Route table
Create a second route table the same way, this time with the name PrivateRouteTable, and select the custom VPC, which is IkennaVPC. Click on Create route table. Leave its routes as they are for now; the only entry is the local route for the VPC.
STEP 8- Associate Public and Private Route Tables to the Public and Private subnets respectively
For the Public subnet
- Select PublicRouteTable, navigate to Subnet associations and click on the Edit subnet associations button
- Now we will add the Ikenna-Public-Subnet to the route table we created earlier. Click on Save associations.
Do the same for the private subnet and private route table
Now we’ll be able to connect to our Public EC2 instance.
- Back on EC2 console, select the public instance and click on Connect
This should bring you to the page below. Click on “EC2 Instance Connect” and then click on Connect.
And we are now connected to the instance.
STEP 9- CONNECT TO PRIVATE INSTANCE THROUGH PUBLIC INSTANCE (BASTION HOST)
In this section, we’ll be connecting to our Private Instance via our Public Instance which acts as a bastion host to jump into the Private instance.
- Follow previous steps to connect to the Public Instance if you’ve signed out.
- Open the key (in PEM format) saved when creating the private instance (I saved mine as MyPrivateKP) in Notepad. It should be in your Downloads folder.
- Back in our Public instance’s CLI tab, use the command “vi PrivateKey.pem” to create a new file.
- After you hit enter you should be brought to the below screen, where we’ll be inserting the contents from the notepad.
- Type “I”; you should see INSERT at the bottom of the screen after doing this
- Now paste the entire contents of the PrivateKey.pem into the newly created file on EC2 Instance
- Once the entire content has been pasted, press the Esc key to leave Insert mode
- To save the changes type “:wq” and press enter.
To confirm that the file has been saved successfully type “ls” and you should see the PrivateKey.pem file stored.
- Switch to root user with command “sudo su”
- Change permission of the newly created file using command “chmod 600 PrivateKey.pem”
- Copy the private IP of our Private Instance as we will require it to connect from our Public Instance to our Private Instance.
To connect to our Private instance, enter the following command-
- ssh ec2-user@PrivateIP -i PrivateKey.pem (In this case mine will be ssh ec2-user@10.1.2.209 -i PrivateKey.pem)
We have now successfully connected to the Private instance via the Public instance (i.e., from ip-10-1-1-209 to ip-10-1-2-209).
However, note that we still cannot connect to the internet from our Private instance, as it has no public IP address assigned and its route table has no route out of the VPC. In order to connect our private instance to the internet we’ll have to create a NAT gateway.
STEP 10- Create a NAT Gateway
- In the navigation pane, under Virtual private cloud, click on NAT Gateways
- Click on Create NAT gateway
- Enter a name for your NAT gateway (I’m saving mine as IkennaNGW)
- For Subnet, we’ll be placing the NAT gateway in our “Public” subnet, not the private one.
- Scroll down to Elastic IP allocation ID and click on “Allocate Elastic IP”
- Click on Create NAT gateway
Wait until the State shows Available, then navigate to Route tables
- Click on PrivateRouteTable, and then click on Routes.
- Click on Edit routes
- Click on Add route
- Add 0.0.0.0/0 under Destination and under Target select NAT Gateway that you have created earlier and click on Save routes.
Congratulations!!! At this point the private instance is able to connect to the internet.
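The behaviour described in STEP 5, STEP 7, STEP 8 and STEP 10 follows from two mechanisms: each subnet's route table is evaluated by longest prefix match (with an implicit local route for the whole VPC block), and a security group rule whose source is another security group matches on the sender's group membership rather than on its address. The following added example models both in Python's standard library; it is not code from the walkthrough or from AWS. Names and addresses are the ones used above (10.1.1.209 and 10.1.2.209 from STEP 9); the public security group's SSH rule is assumed to be the launch wizard's default of 0.0.0.0/0, and 198.51.100.10 is a constructed internet address. It shows that the private instance has no path to the internet until the NAT route is added, and that a host in the public subnet which is not a member of Ikenna-Public-SG still cannot open port 22 on the private instance, which is the reason STEP 5 chose the group rather than a CIDR as the source.

```python
import ipaddress

# Constructed model of the network built in this walkthrough.
VPC_CIDR = "10.1.0.0/16"

SUBNETS = {
    "Ikenna-Public-Subnet": {"cidr": "10.1.1.0/24", "route_table": "PublicRouteTable"},
    "Ikenna-Private-Subnet": {"cidr": "10.1.2.0/24", "route_table": "PrivateRouteTable"},
}

# Route tables as they stand after STEP 7 and STEP 8: the 0.0.0.0/0 route to the
# internet gateway exists only on the public table. The implicit "local" route
# is supplied by resolve(), since every VPC route table carries it.
ROUTE_TABLES = {
    "PublicRouteTable": [("0.0.0.0/0", "igw:IkennaIGW2")],
    "PrivateRouteTable": [],
}

# STEP 10 adds this route to PrivateRouteTable once the NAT gateway is Available.
NAT_ROUTE = ("0.0.0.0/0", "nat:IkennaNGW")

# Inbound rules as (protocol, port, source); a source is a CIDR or the name of
# another security group. The public SG's "anywhere" rule is an assumption
# (the launch wizard's default); narrowing it to your own address is tighter.
SECURITY_GROUPS = {
    "Ikenna-Public-SG": [("tcp", 22, "0.0.0.0/0")],
    "Ikenna-Private-SG": [("tcp", 22, "Ikenna-Public-SG")],  # STEP 5
}

INSTANCES = {
    "IkennaPublic_Server": {"ip": "10.1.1.209", "sg": "Ikenna-Public-SG"},
    "IkennaPrivateApp": {"ip": "10.1.2.209", "sg": "Ikenna-Private-SG"},
}


def resolve(routes, dst_ip, vpc_cidr=VPC_CIDR):
    """Longest-prefix match over a route table, including the implicit local route.
    Returns the target, or None when nothing matches (the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [(ipaddress.ip_network(vpc_cidr), "local")]
    candidates += [(ipaddress.ip_network(c), t) for c, t in routes]
    matches = [(net.prefixlen, target) for net, target in candidates if ip in net]
    return max(matches)[1] if matches else None


def subnet_of(ip):
    """Name of the subnet an address belongs to."""
    for name, sub in SUBNETS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(sub["cidr"]):
            return name
    raise ValueError(f"{ip} is not in any subnet")


def egress_target(src_ip, dst_ip, route_tables=ROUTE_TABLES):
    """Target a packet from src_ip to dst_ip leaves through, per the sender's subnet."""
    table = SUBNETS[subnet_of(src_ip)]["route_table"]
    return resolve(route_tables[table], dst_ip)


def sg_allows(sg_name, proto, port, src_ip, src_sg=None):
    """Inbound check. A rule whose source is a security group matches on the
    sender's group membership, not on the sender's address."""
    for rule_proto, rule_port, source in SECURITY_GROUPS[sg_name]:
        if rule_proto != proto or rule_port != port:
            continue
        if source in SECURITY_GROUPS:
            if src_sg == source:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False


def ssh_from_instance(src_name, dst_name, route_tables=ROUTE_TABLES):
    """Can src_name open TCP/22 to dst_name? Needs both a route and an SG rule."""
    src, dst = INSTANCES[src_name], INSTANCES[dst_name]
    if egress_target(src["ip"], dst["ip"], route_tables) is None:
        return False
    return sg_allows(dst["sg"], "tcp", 22, src["ip"], src["sg"])


def internet_egress(instance_name, route_tables=ROUTE_TABLES):
    """Target for traffic to an internet address, e.g. 'igw:...' or 'nat:...'."""
    return egress_target(INSTANCES[instance_name]["ip"], "198.51.100.10", route_tables)


def with_nat_route(route_tables=ROUTE_TABLES):
    """Route tables as they look after STEP 10 (the originals are left untouched)."""
    updated = {name: list(routes) for name, routes in route_tables.items()}
    updated["PrivateRouteTable"].append(NAT_ROUTE)
    return updated


if __name__ == "__main__":
    print("public -> internet:", internet_egress("IkennaPublic_Server"))
    print("private -> internet before NAT:", internet_egress("IkennaPrivateApp"))
    print("private -> internet after NAT:", internet_egress("IkennaPrivateApp", with_nat_route()))
    print("bastion -> private ssh:", ssh_from_instance("IkennaPublic_Server", "IkennaPrivateApp"))
    print("non-member in public subnet -> private ssh:",
          sg_allows("Ikenna-Private-SG", "tcp", 22, "10.1.1.50"))
```

Because the NAT route is 0.0.0.0/0, traffic to 10.1.1.x from the private subnet still resolves to local after STEP 10: the /16 local route is more specific than the default route, so bastion-to-private SSH keeps working without touching the NAT gateway.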