Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center with the benefits of using the scalable infrastructure of AWS. It is logically isolated from other virtual networks in the AWS cloud.
Goal of this post:
- Use the AWS Management Console to create a VPC
- Use the AWS Management Console to create resources that work with Amazon VPC, including a subnet and an internet gateway
- Configure routing for your VPC using a route table
- Create and manage an EC2 instance and an associated Elastic IP Address (EIP) within your VPC
You can create a new VPC using the AWS Management Console.
Create a Virtual Network
A VPC is an isolated portion of the AWS cloud populated by AWS objects, such as Amazon EC2 instances. You must specify an IPv4 address range for your VPC. Specify the IPv4 address range as a Classless Inter-Domain Routing (CIDR) block; for example,
10.0.0.0/16. You cannot specify an IPv4 CIDR block larger than /16. You can optionally associate an IPv6 CIDR block with the VPC.
- Name tag:
sk_vpc. This is the name for your VPC; doing so creates a tag with a key of Name and the value that you specify.
- CIDR block: 10.0.0.0/16. You should specify a CIDR block from the private (non-publicly routable) IP address ranges as specified in RFC 1918.
- IPv6 CIDR block: No IPv6 CIDR block. VPCs support IPv6 addresses but this is not a focus for now.
default. Dedicated tenancy ensures your instances run on single-tenant hardware.
At this point, Amazon creates the requested VPC and the following linked services:
- a DHCP options set (this set enables DNS for instances that need to communicate over the VPC’s Internet gateway)
- a Route Table (it contains a set of rules, called routes, that are used to determine where network traffic is directed)
- a Network ACL (it is a list of rules to determine whether traffic is allowed in or out of any subnet associated with the network ACL)
Note: No Subnets or Internet Gateways are automatically created – you need to add them autonomously.
Next, we will create Additional Resources within the VPC.
Creating a VPC subnet
A VPC subnet is a range of IP addresses in your VPC. You can add one or more subnets in each Availability Zone, but each subnet must reside entirely within one Availability Zone and cannot span availability zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location.
You can create a new subnet for your previously created VPC using the AWS Management Console.
Specify your subnet’s IP address block in CIDR format; for example,
10.0.0.0/24. IPv4 block sizes must be between a
/28netmask, and can be the same size as your VPC.
Select the subnet you just created. As you can see in the description tab at the bottom of the page, the created subnet is automatically attached to the default Route table and the default Network ACL for the
Creating a VPC Internet gateway
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It imposes no availability risks or bandwidth constraints on your network traffic. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic and to perform network address translation (NAT) for instances that have been assigned public IP addresses.
You can create a new internet gateway for your previously created VPC using the AWS Management Console.
Attach it to the VPC
Connecting the Internet gateway to the VPC Route Table
To use an internet gateway your subnet’s route table must contain a route that directs internet-bound traffic to the internet gateway. You can scope the route to all destinations not explicitly known to the route table
(0.0.0.0/0), or you can scope the route to a narrower range of IP addresses; for example, the public IP addresses of your company’s public endpoints outside of AWS, or the Elastic IP addresses of other Amazon EC2 instances outside your VPC. If your subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet.
You can add routes to your previously created VPC route table using the AWS Management Console. From the VPC dashboard, click Route tables link in the sidebar menu. Select the Route Table ID associated with your VPC ID and then click the Routes tab.
Click Add another route and enter
0.0.0.0/0 as the Destination CIDR block. In the Target field, click Internet Gateway and then your previously-created internet gateway. Click Save routes:
This sets all external traffic for the main route table of your VPC to go through the internet gateway.
So far, you configured your VPC’s main route table to route external traffic to the internet gateway, which enabled internet connectivity for your VPC.
Creating an EC2 instance
Now you will create an EC2 instance inside your VPC. While configuring instance details make sure you select the VPC that you created above.
- Network: Make sure the cloudacademy-labs VPC is selected for the Network. (It is ok if no default VPC is found.)
Subnet: Select Public-A US-west-2a
- Auto-assign Public IP: Select Enable
- IAM role: Notice that you do not have permissions to list IAM roles. That message is expected and ok. The student account has restricted privileges but the Lab will work fine without listing IAM roles.
On the Configure Security Group page, click Add Rule. Select the All ICMP - IPv4 rule and choose Anywhere as the Source. You will use this additional rule to perform a ping test in a later step:
In the Select an existing key pair or create a new key pair dialog box, select Proceed without a key pair, then select the acknowledgment checkbox, and finally click Launch Instances:
Once the instance is launched, get it’s public ip address and ping it from your terminal.
base) shravan-Downloads# ping 220.127.116.11 PING 18.104.22.168 (22.214.171.124): 56 data bytes 64 bytes from 126.96.36.199: icmp_seq=0 ttl=225 time=77.302 ms 64 bytes from 188.8.131.52: icmp_seq=1 ttl=225 time=76.546 ms 64 bytes from 184.108.40.206: icmp_seq=2 ttl=225 time=76.936 ms ^C --- 220.127.116.11 ping statistics --- 4 packets transmitted, 3 packets received, 25.0% packet loss round-trip min/avg/max/stddev = 76.546/76.928/77.302/0.309 ms (base) shravan-Downloads#
Allocating and Associating an Elastic IP
An Elastic IP address (EIP) is a static and public IP address that you can associate with an EC2 instance. EIPs have the benefit of not changing when you stop and start an EC2 instance, whereas the default public IP that comes with an EC2 instance may change. This gives you the benefit of a reliable IP address to associate with your EC2 instance. In this Lab Step you will allocate an EIP and associate it with your EC2 instance.
Navigate to VPC dashboard and click on Elastic IPs link in the sidebar.
With the EIP still selected, click Actions-> Associate Address and then select the following values:
- Resource type: Instance
- Instance: Select the only instance from the drop-down list. It is the instance you created.
- Private IP: Leave this blank to have an available Private IP automatically assigned.
Now ping the EIP from your laptop.
(base) shravan-Downloads# ping 18.104.22.168 PING 22.214.171.124 (126.96.36.199): 56 data bytes 64 bytes from 188.8.131.52: icmp_seq=0 ttl=226 time=70.098 ms 64 bytes from 184.108.40.206: icmp_seq=1 ttl=226 time=76.043 ms 64 bytes from 220.127.116.11: icmp_seq=2 ttl=226 time=76.356 ms 64 bytes from 18.104.22.168: icmp_seq=3 ttl=226 time=70.120 ms ^C --- 22.214.171.124 ping statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 70.098/73.154/76.356/3.047 ms (base) shravan-Downloads#
So, you allocated an Elastic IP Address and associated it with your EC2 instance.
Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.