Creating VPC , Nat Gateway with public and private subnets

Hello Reader, first of all thank you for visiting my page. Finally I successfully completed Task 4 of Hybrid Multi Cloud. Special thanks to Vimal Daga sir and all the team of Linux World Pvt.

#vimaldaga #linuxworld #amazon #VPC #NAT #docker #terraform #righteducation #hybridmulticloud

Amazon Virtual Private Cloud (VPC)

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

You can easily customize the network configuration of your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the internet. You can also place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access. You can use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Subnets (Public and Private Subnets)

A subnet is a range of IP addresses carved out of the VPC's CIDR block, in other words a "part of the network". Each subnet must reside entirely within one Availability Zone and cannot span zones.

Subnets are the key building block of a VPC. A VPC can contain only public subnets or a combination of public and private subnets. What makes a subnet public or private is nothing more than its route table: a public subnet has a route to an internet gateway, a private subnet does not (its only way out, if any, is a NAT gateway). A subnet can also be configured as a VPN-only subnet by routing its traffic to a virtual private gateway instead.

Agenda of this project:

1. Write Infrastructure as Code using Terraform that automatically creates a VPC.

2. In that VPC, create two subnets:

  1.  a public subnet [ accessible from the public internet ]

  2.  a private subnet [ not reachable from the public internet ]

3. Create a public-facing internet gateway to connect our VPC to the internet, and attach it to the VPC.

4. Create a route table with a default route to the internet gateway, so that instances can reach the outside world, and associate it with the public subnet.

5. Create a NAT gateway in the public subnet (it needs a public IP, so it must sit in a subnet that routes to the internet gateway) so that instances in the private subnet can make outbound connections to the internet without being reachable from it.

6. Update the route table of the private subnet so that its default route points to the NAT gateway created in the public subnet.

7. Launch an EC2 instance in the public subnet from an AMI that already has WordPress set up, with a security group allowing port 80 so that clients can connect to our WordPress site. Attach a key pair to the instance for later login.

8. Launch an EC2 instance in the private subnet from an AMI that already has MySQL set up, with a security group allowing port 3306 so that the WordPress instance can connect to it. Attach the same key pair.

Software Version

1. AWS version (screenshot)

2. Terraform version (screenshot)

AWS Configure (screenshot)

Terraform Init (screenshot)

1. AWS Provider

The Amazon Web Services (AWS) provider is used to interact with the many resources supported by AWS. The provider needs to be configured with the proper credentials before it can be used. Here the credentials come from the named CLI profile Task4 (created with aws configure in the step above), so no access keys are written into the Terraform code.

provider "aws" {
      region = "ap-south-1"
      profile = "Task4"
}

Create VPC

# creating a vpc

resource "aws_vpc" "myvpc" {
  cidr_block       = "192.168.0.0/16"
  instance_tenancy = "default"

  tags = {
    Name = "myvpc"
  }
}

Create two subnets in that VPC, one public and one private. Only the public subnet gets map_public_ip_on_launch = true; instances launched in the private subnet never receive a public IP.

#public subnet[Accessible for Public World]

resource "aws_subnet" "Mysubnet1" {
  vpc_id                  = aws_vpc.myvpc.id
  cidr_block              = "192.168.0.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true

  tags = {
    Name = "Mysubnet1"
  }
}

#Private subnet [Restricted for Public World]

resource "aws_subnet" "Mysubnet2" {
  vpc_id            = aws_vpc.myvpc.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "ap-south-1b"

  tags = {
    Name = "Mysubnet2"
  }
}

Creating Internet Gateway

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.

# creating a public facing internet gateway to connect our VPC to the internet

resource "aws_internet_gateway" "gateway" {
  vpc_id = aws_vpc.myvpc.id

  tags = {
    Name = "gateway"
  }
}

Creating a routing table

Route tables control where network traffic is directed. Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table). You can explicitly associate a subnet with a particular route table; otherwise the subnet is implicitly associated with the VPC's main route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. The table below sends all non-local traffic (0.0.0.0/0) to the internet gateway; associating it with Mysubnet1 is what makes that subnet public.

#creating a routing table

resource "aws_route_table" "route_table" {
  vpc_id = aws_vpc.myvpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gateway.id
  }

  tags = {
    Name = "route_table"
  }
}

#associate the route table with the public subnet

resource "aws_route_table_association" "rout-tab-asso" {
  subnet_id      = aws_subnet.Mysubnet1.id
  route_table_id = aws_route_table.route_table.id
}

Creating an Elastic IP

An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. You can associate an Elastic IP address with any instance or network interface for any VPC in your account. With an Elastic IP address, you can mask the failure of an instance by rapidly remapping the address to another instance in your VPC. Note that the advantage of associating the Elastic IP address with the network interface instead of directly with the instance is that you can move all the attributes of the network interface from one instance to another in a single step. Here the Elastic IP is the public address the NAT gateway will use.

#  Creating an Elastic IP

resource "aws_eip" "my_eip" {
  # vpc = true is the argument used by the AWS provider at the time of writing;
  # provider v5 and later spell it domain = "vpc".
  vpc = true
}

Create one NAT gateway in the public subnet and route the private subnet's internet traffic through it.

NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet.

The gateway itself lives in the public subnet, because it needs the Elastic IP and a route to the internet gateway; the private subnet only gets a route pointing at it. A NAT gateway only forwards connections initiated from inside the VPC, so nothing on the internet can open a connection to the MySQL instance through it. Note that this NAT gateway is in ap-south-1a while the private subnet is in ap-south-1b; that works, but egress from the private subnet crosses Availability Zones and is lost if ap-south-1a goes down.

#Create one NAT gateway in the public subnet.

resource "aws_nat_gateway" "natgw" {
  allocation_id = aws_eip.my_eip.id
  subnet_id     = aws_subnet.Mysubnet1.id

  # The internet gateway must be attached to the VPC before the NAT gateway is created.
  depends_on = [aws_internet_gateway.gateway]

  tags = {
    Name = "nat gateway"
  }
}

#Create a route table for the NAT gateway, then associate it with the private subnet.

resource "aws_route_table" "myroute_table_natgw" {
  vpc_id = aws_vpc.myvpc.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.natgw.id
  }

  tags = {
    Name = "myroute_table_natgw"
  }
}

resource "aws_route_table_association" "myroute_table_natgw_association" {
  subnet_id      = aws_subnet.Mysubnet2.id
  route_table_id = aws_route_table.myroute_table_natgw.id
}
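To make the public/private distinction concrete, here is an added Python example (not part of the original article or its Terraform code) that reads the JSON printed by terraform show -json after terraform apply and classifies each subnet by the target of the 0.0.0.0/0 route in its associated route table: internet gateway means public, NAT gateway means private, no default route means isolated. It also checks that every subnet CIDR lies inside the VPC CIDR, that subnet CIDRs do not overlap, that a subnet only auto-assigns public IPs when it really is public, and that the NAT gateway sits in a public subnet. The embedded state is constructed by hand to mirror the resources on this page; the IDs are made up, and one extra isolated subnet (Mysubnet3) that the article does not create is added to show the third case.

```python
import ipaddress
import json

# Constructed sample in the shape of `terraform show -json` (values.root_module.resources)
# for the resources on this page. IDs are made up; Mysubnet3 and its empty route table
# are additions that show the isolated case.
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    {"type": "aws_vpc", "name": "myvpc",
     "values": {"id": "vpc-0a1b2c3d", "cidr_block": "192.168.0.0/16"}},
    {"type": "aws_subnet", "name": "Mysubnet1",
     "values": {"id": "subnet-pub1", "cidr_block": "192.168.0.0/24", "map_public_ip_on_launch": True}},
    {"type": "aws_subnet", "name": "Mysubnet2",
     "values": {"id": "subnet-priv1", "cidr_block": "192.168.1.0/24", "map_public_ip_on_launch": False}},
    {"type": "aws_subnet", "name": "Mysubnet3",
     "values": {"id": "subnet-iso1", "cidr_block": "192.168.2.0/24", "map_public_ip_on_launch": False}},
    {"type": "aws_internet_gateway", "name": "gateway", "values": {"id": "igw-1111"}},
    {"type": "aws_nat_gateway", "name": "natgw", "values": {"id": "nat-2222", "subnet_id": "subnet-pub1"}},
    {"type": "aws_route_table", "name": "route_table", "values": {"id": "rtb-pub", "route": [
        {"cidr_block": "0.0.0.0/0", "gateway_id": "igw-1111", "nat_gateway_id": ""}]}},
    {"type": "aws_route_table", "name": "myroute_table_natgw", "values": {"id": "rtb-priv", "route": [
        {"cidr_block": "0.0.0.0/0", "gateway_id": "", "nat_gateway_id": "nat-2222"}]}},
    {"type": "aws_route_table", "name": "isolated", "values": {"id": "rtb-iso", "route": []}},
    {"type": "aws_route_table_association", "name": "rout-tab-asso",
     "values": {"subnet_id": "subnet-pub1", "route_table_id": "rtb-pub"}},
    {"type": "aws_route_table_association", "name": "myroute_table_natgw_association",
     "values": {"subnet_id": "subnet-priv1", "route_table_id": "rtb-priv"}},
    {"type": "aws_route_table_association", "name": "iso_assoc",
     "values": {"subnet_id": "subnet-iso1", "route_table_id": "rtb-iso"}},
]}}}


def _by_type(state, rtype):
    return [r for r in state["values"]["root_module"]["resources"] if r["type"] == rtype]


def default_route_target(table):
    """'igw', 'nat' or 'none', depending on where the 0.0.0.0/0 route of a route table points."""
    for route in table.get("route", []):
        if route.get("cidr_block") != "0.0.0.0/0":
            continue
        if route.get("gateway_id", "").startswith("igw-"):
            return "igw"
        if route.get("nat_gateway_id"):
            return "nat"
    return "none"


def classify_subnets(state):
    """Map subnet name -> 'public' | 'private' | 'isolated' | 'unassociated'.

    A subnet with no explicit association falls back to the VPC main route table,
    which is not in Terraform state here, so it is reported rather than guessed.
    """
    tables = {t["values"]["id"]: t["values"] for t in _by_type(state, "aws_route_table")}
    assoc = {a["values"]["subnet_id"]: a["values"]["route_table_id"]
             for a in _by_type(state, "aws_route_table_association")}
    kinds = {}
    for s in _by_type(state, "aws_subnet"):
        rt_id = assoc.get(s["values"]["id"])
        if rt_id is None:
            kinds[s["name"]] = "unassociated"
        else:
            target = default_route_target(tables[rt_id])
            kinds[s["name"]] = {"igw": "public", "nat": "private", "none": "isolated"}[target]
    return kinds


def check_layout(state):
    """Return a list of findings; empty when the layout matches the design on this page."""
    findings = []
    vpc_net = ipaddress.ip_network(_by_type(state, "aws_vpc")[0]["values"]["cidr_block"])
    subnets = {s["values"]["id"]: s for s in _by_type(state, "aws_subnet")}
    kinds = classify_subnets(state)
    seen = {}
    for s in subnets.values():
        name, net = s["name"], ipaddress.ip_network(s["values"]["cidr_block"])
        if not net.subnet_of(vpc_net):
            findings.append(f"{name}: {net} lies outside the VPC CIDR {vpc_net}")
        for other_name, other in seen.items():
            if net.overlaps(other):
                findings.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen[name] = net
        if s["values"].get("map_public_ip_on_launch") and kinds[name] != "public":
            findings.append(f"{name}: auto-assigns public IPs but has no route to an internet gateway")
    for nat in _by_type(state, "aws_nat_gateway"):
        home = subnets.get(nat["values"]["subnet_id"])
        if home is None or kinds[home["name"]] != "public":
            findings.append(f"{nat['name']}: a NAT gateway must be placed in a public subnet")
    return findings


def with_nat_moved(state, subnet_name):
    """Deep copy of state with the NAT gateway relocated, to show the failing case."""
    copy = json.loads(json.dumps(state))
    target = next(s for s in _by_type(copy, "aws_subnet") if s["name"] == subnet_name)
    for nat in _by_type(copy, "aws_nat_gateway"):
        nat["values"]["subnet_id"] = target["values"]["id"]
    return copy


if __name__ == "__main__":
    print(classify_subnets(SAMPLE_STATE))
    print(check_layout(SAMPLE_STATE) or "no findings")
    print(check_layout(with_nat_moved(SAMPLE_STATE, "Mysubnet2")))
```

On real output, run terraform show -json > state.json and pass json.load(open("state.json")) to classify_subnets and check_layout. The checks are deliberately about the route tables rather than the subnet names or tags, because the name "private" on a subnet guarantees nothing; a single 0.0.0.0/0 route to the internet gateway added to the wrong table silently makes it public.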

Create a security group for WordPress

The WordPress instance must accept HTTP (port 80) from anywhere, since that is the site clients visit. SSH (port 22) is also opened to 0.0.0.0/0 here for convenience; because a bastion host is launched in the same public subnet later, a tighter rule is to accept SSH only from the bastion's security group.

#Create a security group for WordPress.

resource "aws_security_group" "wordpress-sg" {
  name        = "wordpress-sg"
  description = "Allow ssh and httpd inbound traffic"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [ "0.0.0.0/0" ]
  }
  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [ "0.0.0.0/0" ]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "wordpress-sg"
  }
}

Create a security group for the bastion host

The bastion host is the only SSH entry point into the VPC, so this group should ideally allow port 22 only from your own administrative IP range; 0.0.0.0/0 is used here to keep the lab simple.

#Create a security group for the bastion host.

resource "aws_security_group" "bastion-sg" {
  name        = "bastion-sg"
  description = "Allow bastion host"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [ "0.0.0.0/0" ]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "bastion-sg"
  }
}

Create a security group for MySQL

The MySQL instance lives in the private subnet, so nothing on the internet can reach it directly anyway, but the group still restricts port 3306 to the WordPress instance by naming wordpress-sg as the source instead of a CIDR. Putting 0.0.0.0/0 and a security group in the same ingress rule would not "combine" them: the CIDR alone already allows everything, and the group reference does nothing. SSH into the MySQL host goes through the bastion, whose security group is attached to the instance below.

#Create a security group for MySQL.

resource "aws_security_group" "mysql-sg" {
  name        = "mysql-sg"
  description = "Allow MySQL from the WordPress instance"
  vpc_id      = aws_vpc.myvpc.id

  # Source is the WordPress security group, not a CIDR: only instances carrying
  # wordpress-sg can reach 3306, and the rule keeps working if the WordPress
  # instance is replaced and gets a new address.
  ingress {
    description     = "MYSQL"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [ aws_security_group.wordpress-sg.id ]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "mysql-sg"
  }
}
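The security groups are where this layout either holds or leaks, so here is an added Python audit (not the article's code) that reads aws_security_group resources in the terraform show -json shape and flags three things: an ingress rule that opens an administrative or database port (22, 3389, 3306, 5432, 6379) to 0.0.0.0/0 or ::/0; a rule that opens all protocols to the world; and a rule that names security_groups as a source but also carries a world CIDR, which makes the group reference moot. The sample groups are constructed to match this page's wordpress-sg and bastion-sg, plus a mysql-sg variant that opens 3306 to 0.0.0.0/0 while also naming bastion-sg as a source (a combination that is easy to write by accident), beside a hardened mysql-sg that accepts 3306 only from wordpress-sg and SSH only from bastion-sg. Group IDs such as sg-wordpress are made up.

```python
WORLD = {"0.0.0.0/0", "::/0"}
# Ports that should never be reachable from the whole internet in this layout.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}


def _rule(desc, port, cidrs=(), sgs=(), protocol="tcp"):
    """One ingress entry in the shape `terraform show -json` prints for aws_security_group."""
    return {"description": desc, "from_port": port, "to_port": port, "protocol": protocol,
            "cidr_blocks": list(cidrs), "ipv6_cidr_blocks": [], "security_groups": list(sgs)}


# Constructed sample groups mirroring this page; the group IDs are made up.
SAMPLE_GROUPS = [
    {"type": "aws_security_group", "name": "wordpress-sg", "values": {"id": "sg-wordpress", "ingress": [
        _rule("SSH", 22, cidrs=["0.0.0.0/0"]), _rule("HTTP", 80, cidrs=["0.0.0.0/0"])]}},
    {"type": "aws_security_group", "name": "bastion-sg", "values": {"id": "sg-bastion", "ingress": [
        _rule("SSH", 22, cidrs=["0.0.0.0/0"])]}},
    # Opens MySQL to the world and also names bastion-sg: the CIDR wins, the reference does nothing.
    {"type": "aws_security_group", "name": "mysql-sg", "values": {"id": "sg-mysql", "ingress": [
        _rule("MYSQL", 3306, cidrs=["0.0.0.0/0"], sgs=["sg-bastion"])]}},
]

# Hardened form: database port only from the WordPress group, SSH only from the bastion group.
HARDENED_MYSQL_SG = {"type": "aws_security_group", "name": "mysql-sg", "values": {"id": "sg-mysql", "ingress": [
    _rule("MYSQL from WordPress", 3306, sgs=["sg-wordpress"]),
    _rule("SSH from bastion", 22, sgs=["sg-bastion"])]}}


def _covers(rule, port):
    """True when the rule's protocol/port range includes the given TCP port."""
    if rule["protocol"] == "-1":
        return True
    return rule["from_port"] <= port <= rule["to_port"]


def audit_security_group(sg):
    """Return a list of findings for one security group resource."""
    findings = []
    name = sg["name"]
    for rule in sg["values"].get("ingress", []):
        cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
        world = sorted(cidrs & WORLD)
        if not world:
            continue  # sources are specific CIDRs or other groups: fine for this check
        desc = rule.get("description") or f"{rule['from_port']}-{rule['to_port']}"
        if rule.get("security_groups"):
            findings.append(f"{name}: rule '{desc}' names security_groups but also allows {world}; "
                            "the group reference is moot")
        if rule["protocol"] == "-1":
            findings.append(f"{name}: rule '{desc}' opens all traffic to the world")
            continue
        for port, label in SENSITIVE_PORTS.items():
            if _covers(rule, port):
                findings.append(f"{name}: rule '{desc}' opens {label}/{port} to the world")
    return findings


def audit_security_groups(resources):
    """Audit every aws_security_group in a list of terraform show -json resources."""
    findings = []
    for r in resources:
        if r["type"] == "aws_security_group":
            findings.extend(audit_security_group(r))
    return findings


if __name__ == "__main__":
    for line in audit_security_groups(SAMPLE_GROUPS):
        print(line)
    print("hardened mysql-sg:", audit_security_group(HARDENED_MYSQL_SG) or "no findings")
```

Run against real state with audit_security_groups(json.load(open("state.json"))["values"]["root_module"]["resources"]). The check only looks at world CIDRs on purpose: a rule whose source is another security group is the pattern this page should be using for MySQL and for SSH into private hosts, and that pattern produces no findings.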

Launch one EC2 instance in the public subnet using the WordPress AMI

The key pair MyKey11 is assumed to already exist in the ap-south-1 region; Terraform only references it by name.

#Launch one EC2 instance in the public subnet using the WordPress AMI

resource "aws_instance" "wordpress" {
  ami                    = "ami-000e4324711d48e58"
  instance_type          = "t2.micro"
  key_name               = "MyKey11"
  vpc_security_group_ids = [aws_security_group.wordpress-sg.id]
  subnet_id              = aws_subnet.Mysubnet1.id

  tags = {
    Name = "wordpress"
  }
}

Launch another EC2 instance in the public subnet as the bastion host

#Launch another EC2 instance in the public subnet as the bastion host.

resource "aws_instance" "bastion_host" {
  ami                    = "ami-0732b62d310b80e97"
  instance_type          = "t2.micro"
  key_name               = "MyKey11"
  vpc_security_group_ids = [aws_security_group.bastion-sg.id]
  subnet_id              = aws_subnet.Mysubnet1.id

  tags = {
    Name = "bastion_host"
  }
}

Launch another EC2 instance in the private subnet using the MySQL AMI

This instance has no public IP; it is reached over SSH from the bastion host and over port 3306 from the WordPress instance, and its only path to the internet is the NAT gateway.

#Launch another EC2 instance in the private subnet using the MySQL AMI

resource "aws_instance" "mysql" {
  ami                    = "ami-08706cb5f68222d09"
  instance_type          = "t2.micro"
  key_name               = "MyKey11"
  vpc_security_group_ids = [aws_security_group.mysql-sg.id, aws_security_group.bastion-sg.id]
  subnet_id              = aws_subnet.Mysubnet2.id

  tags = {
    Name = "mysql"
  }
}

Take the public IP of the WordPress instance, which was launched in the public subnet, and open it in a browser; the WordPress setup page appears.

  • Now log in to your WordPress site:

Now destroy the complete infrastructure (the NAT gateway and Elastic IP are billed while they exist, so do not leave them running after the lab):

terraform destroy --auto-approve

Finally, I successfully completed my Task 4.

Thank You

Hope you like my article.
