Creating an AWS VPC
It’s sometimes the case that you’d like to wrap your Amazon EC2 instances, and perhaps some EFS file stores, up in a nice private environment, as if you had your own little data center. You’d have your own network segments, with perhaps a DMZ or a NAT gateway. You’d be able to define ingress and egress rules for each segment.
AWS bundles those capabilities up in their Virtual Private Cloud (VPC) service.
Configuring a VPC isn’t particularly intuitive; it took a couple of us who already have AWS experience a few hours to work through the options.
The process distilled below outlines two of the most common scenarios:
- a single Internet-facing subnet
- a segmented network containing both a DMZ and a private subnet routed through NAT
The steps below can all be scripted and done from a command line, but I’m going to walk you through them using the AWS web console.
Address block
Regardless of which scenario appeals to you, you first need to choose an IPv4 address block for your VPC. You can use any RFC 1918 address block you’d like, taking a couple of things into consideration:
- Make the block big enough to expand. Once you’ve allocated a CIDR block to a VPC, you can’t expand it. There’s no reason to use a /16 block if you’re only going to run a few VMs, but it’s wise to think ahead for future expansion.
- Avoid any address overlap with your other networks, including your home LAN (and those of any collaborators). You may end up with a VPN at some point. If so, you’ll want discrete address blocks to facilitate easy routing.
Also, decide before you begin whether or not you want IPv6 addressing as part of your setup. I’m a big fan of IPv6, but I’ll be the first to admit that it complicates routing and firewall rules.
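Since the address block is the one decision you can’t easily undo, here is a small planning script to run before you open the console. It is an added example, not something from the original walkthrough: it checks that a candidate CIDR is RFC 1918 space, that it fits the AWS VPC size limits (/16 through /28), that it doesn’t overlap networks you already route (your home LAN, a collaborator’s LAN, another VPC), and then carves it into equal-sized subnets for the scenarios below. The networks in the `__main__` block are constructed sample inputs.

```python
"""Plan a VPC address block before touching the console.

Added example, not part of the original article. It checks that a candidate
VPC CIDR is RFC 1918 space, that it fits the AWS VPC size limits (/16 to /28),
that it does not overlap any network you already route (home LAN, a
collaborator's LAN, another VPC), and then carves it into subnets.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def is_rfc1918(cidr):
    """True if the whole block sits inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def overlaps(cidr, existing):
    """Return the existing networks (as strings) that overlap the candidate block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(e) for e in map(ipaddress.ip_network, existing) if net.overlaps(e)]


def plan_vpc(cidr, existing, subnet_prefix, subnet_names):
    """Validate the VPC block and split it into equal-sized subnets.

    subnet_names are assigned in order (e.g. ["public", "private"]); whatever
    is left over is reported as spare room for later expansion.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS VPC blocks must be between /16 and /28")
    if not is_rfc1918(cidr):
        raise ValueError(f"{cidr}: not private (RFC 1918) address space")
    conflicts = overlaps(cidr, existing)
    if conflicts:
        raise ValueError(f"{cidr} overlaps existing network(s): {', '.join(conflicts)}")
    if not net.prefixlen <= subnet_prefix <= 28:
        raise ValueError(f"subnet prefix /{subnet_prefix} must be between /{net.prefixlen} and /28")
    subnets = list(net.subnets(new_prefix=subnet_prefix))
    if len(subnet_names) > len(subnets):
        raise ValueError(f"{cidr} only holds {len(subnets)} /{subnet_prefix} subnets")
    assigned = dict(zip(subnet_names, map(str, subnets)))
    return {
        "vpc": str(net),
        "subnets": assigned,
        "spare": [str(s) for s in subnets[len(subnet_names):]],
        "usable_hosts_per_subnet": subnets[0].num_addresses - AWS_RESERVED_PER_SUBNET,
    }


if __name__ == "__main__":
    # Constructed inputs: a home LAN and an existing VPC we want to stay clear of.
    print(plan_vpc("10.42.0.0/20", ["192.168.1.0/24", "10.0.0.0/16"], 24, ["public", "private"]))
```

For the two-subnet NAT scenario later in this post, a /20 split into /24s gives you a public and a private subnet with fourteen /24s to spare, which is plenty of headroom without burning a whole /16.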
Create a VPC
Both scenarios start with the same step:
Task: Create a VPC
- Navigate to AWS > VPC > Your VPCs.
- Press Create VPC button.
- Name tag: Choose a name. Make it descriptive.
- IPv4 CIDR block: use all or part of the address block chosen above
- IPv6, yes or no?
- Tenancy: unless you have highly sensitive data, default is fine here.
- The artifact of this task is a VPC ID.
Fork in the road
At this point, you need to answer a couple questions.
- Will your VPC need multiple subnets?
- If so, how will routing be configured?
One of your subnets needs a direct route to the Internet, but not all of them do. Others can be put behind a NAT gateway.
Simple case: one Internet-connected subnet
Task: Create Subnet
- Navigate to AWS > VPC > Subnets.
- Press Create Subnet button.
- Choose and enter a name.
- VPC: use the one just created
- Verify CIDRs
- Choose Availability Zone (unnecessary for simple cases)
- IPv4 CIDR block: use entire VPC CIDR block
Optionally, you can modify the subnet to auto-assign public IPv4 addresses.
- Navigate to AWS > VPC > Subnets.
- Select new subnet.
- Press Subnet Actions button.
- Choose Modify auto-assign IP settings.
- Select to Auto-assign IPs and Save.
Task: Create Internet Gateway
- Navigate to AWS > VPC > Internet Gateways.
- Press Create Internet Gateway button.
- Choose and enter a name.
- Attach to VPC.
Task: Edit Route Tables
- Navigate to AWS > VPC > Route Tables.
- Select route table for new VPC.
- In bottom pane, select Routes tab and press Edit button.
- Press Add another route button.
- Destination: 0.0.0.0/0
- Select Target, which will be your newly created Internet gateway.
- Press Save.
- In bottom pane, select Subnet Associations tab and press Edit button.
- Select your new subnet.
- Press the Save button.
From there, you can proceed to creating EC2 or EFS instances that will reside in your new VPC/Subnet. At least one of your EC2 instances will need an Amazon-issued public address in order for you to be able to log into any of them; in this scenario, however, probably all of them will benefit from public addresses.
VPC containing DMZ and private subnet, with NAT
The AWS VPC-NAT instructions are tremendously helpful for understanding what’s going on here.
First off, you’ll need to break your VPC CIDR into at least two subnets. At least one you’ll want to designate as “public” and at least one as “private.” Don’t stress over those designations; they have more to do with routing than address space.
The instructions below capture the simplest case, with only two subnets.
Task: Create “public” subnet
- Navigate to AWS > VPC > Subnets.
- Press Create Subnet button.
- Choose and enter a name.
- VPC: use the one just created
- Verify CIDRs
- Choose Availability Zone (unnecessary for simple cases)
- IPv4 CIDR block: use only part of VPC CIDR(s)
Optionally, you can configure the public subnet to auto-assign public IPv4 addresses. Instructions can be found earlier in this document.
Task: Create Internet Gateway
- Navigate to AWS > VPC > Internet Gateways.
- Press Create Internet Gateway button.
- Choose and enter a name.
- Attach to VPC.
Task: Create Internet Route
- Navigate to AWS > VPC > Route Tables
- Press Create Route Table button.
- Choose and enter a name.
- Attach to VPC.
- Select newly created route table
- In bottom pane, select Routes tab and press Edit button.
- Press Add another route button.
- Destination: 0.0.0.0/0
- Select Target: your newly created Internet Gateway
- Press Save
- In bottom pane, select Subnet Associations tab and press Edit button.
- Choose the public subnet
- Save
Task: Create Elastic IP
- Navigate to AWS > VPC > Elastic IPs
- Press Allocate new address and follow the prompts
Task: Create “private” subnet
- Follow the instructions for the public subnet, using a different part of the VPC’s CIDR block and, obviously, a different name. Do not configure this subnet to auto-assign public IPv4 addresses.
Task: Create NAT Gateway
- Navigate to AWS > VPC > NAT Gateways
- Press Create NAT Gateway button.
- In Subnet, associate it with your public subnet
- In Elastic IP Allocation ID, assign your Elastic IP.
Note: Under the hood, a NAT gateway is a special-use virtual machine. The process to create it may take several minutes.
At this point, you may have to wait a while if your NAT Gateway has not yet been created and brought online.
Task: Create NAT Route
- Navigate to AWS > VPC > Route Tables
- Press Create Route Table button.
- Choose and enter a name.
- Attach to VPC.
- Select newly created route table
- In bottom pane, select Routes tab and press Edit button.
- Press Add another route button.
- Destination: 0.0.0.0/0
- Select Target: your newly created NAT Gateway
- Press Save
- In bottom pane, select Subnet Associations tab and press Edit button.
- Choose the private subnet
- Save
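At this point you have two route tables that differ only in where 0.0.0.0/0 points, and the whole “private” property of the private subnet rests on which table it got associated with. It is easy to attach the wrong one. Here is an added check, not from the original post, that reads data in the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` output (the `RouteTables` and `NatGateways` lists) and confirms each subnet routes the way you intended, that the NAT gateway is actually online, and that it lives in a subnet with an Internet gateway route. The sample data below is constructed and every resource id in it is a placeholder; swap in the real JSON from the CLI to audit your own VPC.

```python
"""Audit VPC route tables against the intended public/private design.

Added example, not part of the original article. The inputs mirror the shape
of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`
output; the data below is constructed, and every resource id is a placeholder.
"""
import copy

# Constructed sample: the two-subnet layout from the article, plus the VPC's
# main route table, which carries only the "local" route.
VPC_CIDR = "10.42.0.0/20"
LOCAL = {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"}

SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public0000", "VpcId": "vpc-00000000",
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-pub0001", "Main": False}]},
    {"RouteTableId": "rtb-private000", "VpcId": "vpc-00000000",
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-priv0002", "Main": False}]},
    {"RouteTableId": "rtb-main000000", "VpcId": "vpc-00000000",
     "Routes": [LOCAL],
     "Associations": [{"Main": True}]},
]
SAMPLE_NAT_GATEWAYS = [{"NatGatewayId": "nat-00000000", "SubnetId": "subnet-pub0001", "State": "available"}]
EXPECTED = {"subnet-pub0001": "public", "subnet-priv0002": "private"}

# Misconfigured variant: the private subnet was associated with the public
# table, so it would get a direct Internet route instead of going through NAT.
MISROUTED_TABLES = copy.deepcopy(SAMPLE_ROUTE_TABLES)
MISROUTED_TABLES[1]["Associations"] = []
MISROUTED_TABLES[0]["Associations"].append({"SubnetId": "subnet-priv0002", "Main": False})


def default_route_target(route_table):
    """Return ('igw' | 'nat' | None, target id) for the active 0.0.0.0/0 route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        # A deleted NAT gateway leaves the route behind in "blackhole" state.
        if route.get("State", "active") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw", route["GatewayId"]
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat", route["NatGatewayId"]
    return None, None


def route_table_for_subnet(route_tables, subnet_id):
    """Explicit association wins; otherwise the subnet uses the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables, subnet_id):
    """'public' (IGW default route), 'private' (NAT default route) or 'isolated'."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return "unrouted"
    kind, _ = default_route_target(rt)
    return {"igw": "public", "nat": "private", None: "isolated"}[kind]


def audit(route_tables, nat_gateways, expected):
    """Return a list of findings; an empty list means the layout matches the design."""
    findings = []
    for subnet_id, want in expected.items():
        got = classify_subnet(route_tables, subnet_id)
        if got != want:
            findings.append(f"{subnet_id}: expected {want}, routes as {got}")
    for ngw in nat_gateways:
        if ngw.get("State") != "available":
            findings.append(f"{ngw['NatGatewayId']}: state {ngw.get('State')}, not available yet")
        host = ngw.get("SubnetId")
        if classify_subnet(route_tables, host) != "public":
            findings.append(f"{ngw['NatGatewayId']}: lives in {host}, which has no Internet gateway route")
    return findings


if __name__ == "__main__":
    print("good layout:", audit(SAMPLE_ROUTE_TABLES, SAMPLE_NAT_GATEWAYS, EXPECTED) or "no findings")
    print("misrouted:  ", audit(MISROUTED_TABLES, SAMPLE_NAT_GATEWAYS, EXPECTED))
```

Two details worth noticing: a subnet with no explicit association silently falls back to the VPC’s main route table (which only has the local route, so it ends up isolated), and if you later delete the NAT gateway, the 0.0.0.0/0 route stays in the table in a blackhole state, which the check treats as no default route at all.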
Further steps
You’ll want to create at least one EC2 instance in the public subnet, and assign it a public IPv4 address, so you can SSH into that host and, from there, into the private subnet.
The default rules will allow your “DMZ” hosts full access to the VMs in the “private” subnet. You can edit the subnet’s ingress and egress rules if that’s not what you want.
Note that an AWS NAT gateway cannot be configured for functions like port forwarding or VPN termination. You’ll need to configure your own NAT host if you need those functions.
Clean up
- Terminate all EC2 instances
- Delete NAT Gateway (and wait and wait …)
- Delete VPC, which will also delete all your subnets, security groups, Network ACLs, Internet gateways, and routing tables.