Level Up In Tech; AWS VPC Project
Set up a Bastion Host and Private Instance in EC2, using Separate Subnets within the Same Custom, Built-from-Scratch VPC
For the Level Up In Tech bootcamp, the AWS VPC Project instructions were as follows:
- Build a Custom VPC with a CIDR of 10.0.0.0/16
- Create a Public subnet with a CIDR of 10.0.1.0/24
- Create a Private subnet with a CIDR of 10.0.2.0/24
- Launch an EC2 t2 or t3 nano instance in the private subnet with only a private IP address
- You will need to create a bastion host in the public subnet with a public IP address
- You will need to connect “successfully” to the private instance from the bastion host in your VPC!
I will document each step of the process in completing the assigned Project.
Step 1: VPC and Subnet Creation
The first step is to navigate to the VPC Dashboard in AWS. Select “Your VPCs” from the left menu to create the custom VPC with a CIDR of 10.0.0.0/16.
Select “Create VPC”:
Fill in the VPC’s name and IPv4 address:
After creating the VPC, the following confirmation page should appear with the new VPC’s details:
The next task is to select the “Subnets” option on the left menu to create two subnets for the new VPC: a public subnet with a CIDR of 10.0.1.0/24, and a private subnet with a CIDR of 10.0.2.0/24.
Navigate to “Subnets” and click “Create subnet”:
Enter the required information for the private subnet:
Click “Add new subnet,” and enter the required information for the public subnet, where our Bastion host will be located:
View the updated list of subnets to confirm their state is “Available”:
Step 2: Subnet Configuration
The next several steps will configure the subnets to provide public access to the Bastion host, but limit access to the private host so that only the Bastion host can reach it over SSH (port 22).
INTERNET GATEWAY
First, select “Internet Gateways” from the left menu of the VPC Dashboard, and create an internet gateway:
The new internet gateway must be attached to the new VPC. Click on “Attach to VPC” in the Actions menu:
Select the new VPC from the list of available VPCs, and click “Attach internet gateway”:
ROUTE TABLES
Next, navigate to “Route Tables” in the VPC Dashboard, and click on “Create Route Table” to create two new route tables, one for each subnet.
Click “Edit Routes” to add the paths suitable for each subnet. Add the internet gateway we just created to the public route table only. DO NOT add the internet gateway to the private subnet. The private subnet’s route table should only include SSH access from the public subnet.
Next, click on “subnet associations” for each route table to associate with the appropriate subnet.
NETWORK ACCESS CONTROL LISTS (NACLs)
Next, select “Network ACLs” from the Security portion of the left menu in the VPC Dashboard. Click “Create Network ACL” to create a Network Access Control List for each subnet.
Configure the inbound and outbound rules for each subnet in the same manner as the route tables:
To finish the NACL setup, click “subnet associations” on each NACL’s tabs to associate each NACL with the appropriate subnet, as shown in the following two screenshots:
NAT GATEWAY
Next, a NAT gateway is needed to allow the public subnet to communicate with the private subnet. Select “NAT Gateways” on the VPC Dashboard list, and create one NAT gateway for the public subnet.
ELASTIC IP ADDRESS
Allocate an Elastic IP to assign to the NAT gateway. Select “Elastic IPs” from the left menu and click “Allocate Elastic IP address”:
Next, associate the allocated EIP with the public subnet by selecting the appropriate option from the Actions menu:
SECURITY GROUPS
The necessary security groups for each subnet can be created and assigned by selecting “Security Groups” from the menu. The inbound and outbound rules for each should mirror the rules for the route tables and NACLs.
Security Group for the Bastion host:
Security Group for the private host:
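Steps 1 and 2 as one added boto3 script (example code, not from the original write-up): it builds the VPC, both subnets, the internet gateway, the two route tables and the two security groups described above, with the private host’s security group admitting SSH only from the Bastion host’s security group. The CIDR checks and the rule builder run offline; ADMIN_CIDR and the group names are assumptions, and the NACLs and NAT gateway are left to the console steps above.

```python
# Added example (boto3), not part of the original write-up. ADMIN_CIDR is a
# constructed placeholder; region and credentials come from the environment.
import ipaddress

VPC_CIDR, PUBLIC_CIDR, PRIVATE_CIDR = "10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"
ADMIN_CIDR = "203.0.113.10/32"  # constructed: replace with the address you SSH from

def validate_plan(vpc=VPC_CIDR, subnets=(PUBLIC_CIDR, PRIVATE_CIDR)):
    """Every subnet must sit inside the VPC block and no two may overlap."""
    vpc_net = ipaddress.ip_network(vpc)
    nets = [ipaddress.ip_network(s) for s in subnets]
    inside = all(n.subnet_of(vpc_net) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint

def ssh_rule(cidr=None, source_sg=None):
    """One inbound TCP/22 rule from either a CIDR or another security group."""
    rule = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}
    if cidr:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    if source_sg:
        rule["UserIdGroupPairs"] = [{"GroupId": source_sg}]
    return rule

def build(admin_cidr=ADMIN_CIDR):
    import boto3  # imported here so the offline helpers above need no AWS SDK
    ec2 = boto3.client("ec2")
    vpc = ec2.create_vpc(CidrBlock=VPC_CIDR)["Vpc"]["VpcId"]
    pub = ec2.create_subnet(VpcId=vpc, CidrBlock=PUBLIC_CIDR)["Subnet"]["SubnetId"]
    prv = ec2.create_subnet(VpcId=vpc, CidrBlock=PRIVATE_CIDR)["Subnet"]["SubnetId"]
    igw = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw, VpcId=vpc)
    # Only the public route table gets a default route via the IGW; the private
    # table keeps just the implicit local route, so nothing outside the VPC can route to it.
    pub_rt = ec2.create_route_table(VpcId=vpc)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=pub_rt, DestinationCidrBlock="0.0.0.0/0", GatewayId=igw)
    ec2.associate_route_table(RouteTableId=pub_rt, SubnetId=pub)
    prv_rt = ec2.create_route_table(VpcId=vpc)["RouteTable"]["RouteTableId"]
    ec2.associate_route_table(RouteTableId=prv_rt, SubnetId=prv)
    # Bastion SG: SSH only from the admin address. Private SG: SSH only from the
    # bastion SG, so no other source, inside or outside the VPC, reaches port 22.
    b_sg = ec2.create_security_group(GroupName="bastion-sg", Description="bastion", VpcId=vpc)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=b_sg, IpPermissions=[ssh_rule(cidr=admin_cidr)])
    p_sg = ec2.create_security_group(GroupName="private-sg", Description="private host", VpcId=vpc)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=p_sg, IpPermissions=[ssh_rule(source_sg=b_sg)])
    return {"vpc": vpc, "bastion_sg": b_sg, "private_sg": p_sg, "subnets": (pub, prv)}
```

Run validate_plan() before build() so a subnet outside 10.0.0.0/16 or overlapping the other is caught before any resources are created.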
Step 3: Instance Configuration and Launch
LAUNCH INSTANCES
From either the VPC Dashboard or the EC2 Dashboard, use the EC2 instance wizard to launch a basic EC2 instance in the public subnet.
Step 1: Choose an AMI
Step 2: Choose an Instance Type
Step 3: Configure Instance Details for the Bastion Host
For Storage options (Step 4) and Tags (Step 5), add your desired settings.
Step 6: Configure Security Group
Step 7: Review and Launch
Next, create the private host using the EC2 wizard, selecting the new VPC as the network and the private subnet during Step 3:
Step 4: Test and Confirm Network
When the EC2 instances are up and running, and have completed 2/2 status checks, check the configuration details to confirm the networking and security settings are correct.
Details for Bastion Host:
Details for Private Host:
When the instances are ready, open a CLI and SSH into the Bastion host using its public IPv4 address. It is important to avoid exposing your key pair on the Bastion host, so use SSH agent forwarding to manage your keys securely. Once inside the Bastion host, complete the project by SSH’ing into the private host with its private IPv4 address.
During my setup for this project, I mistakenly allocated a reassigned Elastic IP address, used during a test run of the Project, to the Bastion host. As a result, the ssh-agent generated the following warning:
After correcting the EIP allocation, I was able to SSH into the Bastion host using SSH agent forwarding with no problems. Using a simple SSH into the private host via its private IPv4 address, I was able to gain access immediately.
Conclusion
Thank you for visiting my documentation page for the Level Up In Tech AWS VPC Project. The process of putting together, testing, and troubleshooting all the components for the Project completion was a great learning experience.