Shaun Abram
Technology and Leadership Blog
Setting up a VPC in AWS
In the previous blog post, we created a simple HelloWorld example in AWS. We did the bare minimum (as any HelloWorld example should!) by taking advantage of a default VPC, Subnet, NACL, and Internet Gateway but, by necessity for our example, creating a custom Security Group.
In this tutorial, we will shy away from defaults and create a VPC from scratch. Again, this is done in the guise of HelloWorld.
As before, this is by no means a step-by-step tutorial, but I’ve found it useful to write this out as a prep for my upcoming AWS Solutions Architect Associate exam.
Create a VPC
Creating the VPC itself is actually simple. In this example, I called it HelloVPC:
Note that creating a (non-default) VPC will create a default Security Group, NACL and Route Table (although we may need to tweak them), but will not create a default subnet and Internet Gateway.
What do the defaults give us?
- The default Security Group will not allow any inbound traffic (other than from instances in the same Security Group), but will allow outbound traffic.
- The default NACL will simply allow all inbound and outbound traffic.
- The default Route Table will look something like this:
Which I think means local traffic only. Not public.
We will later need to modify the Security Group and Route Table, but these defaults will do for now.
What we don’t have at all, however, is a subnet, an EC2 instance to actually run our web server, or an Internet Gateway. So let’s create those…
Create a Subnet
Again, this is relatively simple. We create a Subnet (which I called HelloSubnet) and associate it with our HelloVPC. We gave our VPC 65,536 IP addresses via our 10.0.0.0/16 CIDR block. So here we give our subnet a subset of those IPs, specifically 256 via the 10.0.1.0/24 CIDR block (technically 251 usable IPs, since AWS reserves 5 addresses in every subnet, as explained in VPC_Sizing).
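The subnet arithmetic above, as an added example (not code from the original post): it uses Python's standard-library ipaddress module to count the addresses in the 10.0.0.0/16 VPC and the 10.0.1.0/24 subnet, to list the five addresses AWS holds back in each subnet (the first four and the last one), and to confirm the subnet actually lies inside the VPC block. The constant of five reserved addresses is AWS's rule as referenced by the post, not something derived here.

```python
"""Subnet sizing helper for the VPC/subnet CIDRs used in this post.

Added example, not from the original post. Uses only the standard library.
"""
import ipaddress
from typing import List

# AWS reserves five addresses in every subnet: the network address, the VPC
# router, the DNS server, one held for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def total_addresses(cidr: str) -> int:
    """Total IPv4 addresses in a CIDR block (65536 for a /16, 256 for a /24)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses actually assignable to instances in an AWS subnet."""
    return total_addresses(subnet_cidr) - AWS_RESERVED_PER_SUBNET


def reserved_addresses(subnet_cidr: str) -> List[str]:
    """The five addresses AWS holds back: the first four in the block and the last."""
    addrs = list(ipaddress.ip_network(subnet_cidr, strict=True))
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]


def check_subnet_in_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """A subnet must be carved out of its VPC's CIDR block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    return subnet.subnet_of(vpc)


def subnets_available(vpc_cidr: str, new_prefix: int) -> int:
    """How many subnets of the given prefix length the VPC can be split into."""
    return sum(1 for _ in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))


if __name__ == "__main__":
    print("VPC 10.0.0.0/16 total:     ", total_addresses("10.0.0.0/16"))
    print("Subnet 10.0.1.0/24 total:  ", total_addresses("10.0.1.0/24"))
    print("Subnet 10.0.1.0/24 usable: ", usable_addresses("10.0.1.0/24"))
    print("Reserved in 10.0.1.0/24:   ", reserved_addresses("10.0.1.0/24"))
    print("Subnet inside VPC:         ", check_subnet_in_vpc("10.0.0.0/16", "10.0.1.0/24"))
    print("/24 subnets in the VPC:    ", subnets_available("10.0.0.0/16", 24))
```

`strict=True` makes ip_network reject a block whose host bits are set (for example 10.0.1.5/24), which is the same mistake the AWS console rejects when you type a CIDR for a new subnet.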
Create an EC2 instance
Next, we create an EC2 instance within our subnet. I used some defaults here (default AMI, instance type, EBS root volume) but, under “Configure Instance Details”, associated it with our new HelloVPC and HelloSubnet. By default, instances launched into a non-default VPC are not assigned a public IPv4 address, so we set “Auto-assign Public IP” to Enable.
For the security group, for now we associate it with our HelloVPC’s default (since this blocks incoming internet traffic, it won’t suffice, but we will fix this later).
OK, at this point, we have created a VPC, a subnet in that VPC, and an EC2 instance within that subnet with a public IP address.
Create our Security Group
At this point we can’t access our EC2 instance via either ssh or http(s), since we are using the restrictive default Security Group. So we set up a new Security Group that permits HTTP, HTTPS and SSH access. This step is exactly as described in our previous HelloWorld example.
Now, we want to ssh into our instance (to set up an Apache web server), but we can’t. Why not?
We can’t ssh in yet because, as we mentioned at the start, one thing that a (non-default) VPC does not come with is an Internet Gateway, so we need to create that AND update our route table to use it…
Create Internet Gateway
Again, this part is simple. Create an InternetGateway (under the VPC section), and associate it with our HelloVPC.
Create a Route Table
A default route table was created when we created our VPC, and any new subnet that is not explicitly associated with a route table is associated with that default route table, as our HelloSubnet is. So we could modify it, but since it is the default, that would make all future subnets public too. Instead, we create a new non-default Route Table in our HelloVPC and associate it with the HelloSubnet that we want to make public. We give it a route with a Destination of 0.0.0.0/0 (all traffic) and a Target of the Internet Gateway we just created.
Create our web server
Now we can ssh into our EC2 instance and create our simple web server. Again, we set it up in the same manner we did for the HelloWorld example (that is, install Apache with a simple html file).
OK, at this point, we have created a VPC, a subnet in that VPC, an EC2 instance within that subnet, and a web server running in our EC2 instance. And we have enabled access by configuring an Internet Gateway, a Route Table and a Security Group.
So, finally, you can go to http://<yourEC2ip>, and you should see our incredibly awesome “Hello, World”.
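The chain of pieces this post configured (public IP, route table, NACL, Security Group) is exactly what decides whether a client on the internet can reach the instance, and it explains why ssh failed even after the Security Group was opened. As an added example (not code from the original post and not an AWS API), here is a small model of those four pieces and a check that walks them in the order the traffic does and reports the first thing that blocks it. The gateway id "igw-hello" and the client address 203.0.113.10 are constructed placeholders; the default Security Group is modelled as having no CIDR-based inbound rules, since its only inbound rule references the group itself, which an internet client never matches.

```python
"""Reachability check for the VPC setup described in this post.

Added example, not from the original post. Models the post's pieces
(public IP, subnet route table, NACL, Security Group) with constructed data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Route:
    destination: str  # CIDR, e.g. "0.0.0.0/0"
    target: str       # "local" or an Internet Gateway id


@dataclass
class Rule:
    """One inbound rule. NACL rules carry a number and an action; Security
    Group rules are allow-only, so number/action keep their defaults."""
    protocol: str     # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    number: int = 0
    action: str = "allow"


@dataclass
class Instance:
    name: str
    has_public_ip: bool
    routes: List[Route]        # route table of the instance's subnet
    nacl_inbound: List[Rule]   # NACL of the instance's subnet
    sg_inbound: List[Rule]     # Security Group attached to the instance


def _matches(rule: Rule, protocol: str, port: int, src_ip: str) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)


def route_target(routes: List[Route], dst_ip: str) -> str:
    """Longest-prefix match, as the VPC router does. Returns "" if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = "", -1
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r.target, net.prefixlen
    return best


def nacl_allows(rules: List[Rule], protocol: str, port: int, src_ip: str) -> bool:
    """NACL rules are evaluated in number order; first match wins; no match means deny."""
    for r in sorted(rules, key=lambda x: x.number):
        if _matches(r, protocol, port, src_ip):
            return r.action == "allow"
    return False


def sg_allows(rules: List[Rule], protocol: str, port: int, src_ip: str) -> bool:
    """Security Groups are allow-only: any matching rule permits the traffic."""
    return any(_matches(r, protocol, port, src_ip) for r in rules)


def check_public_access(inst: Instance, port: int, client_ip: str = "203.0.113.10") -> Tuple[bool, str]:
    """Report whether an internet client can reach the instance on tcp/port, and if not, why."""
    if not inst.has_public_ip:
        return False, "no public IPv4 address"
    target = route_target(inst.routes, client_ip)
    if not target.startswith("igw-"):
        return False, f"route table sends {client_ip} to '{target or 'nowhere'}', not an Internet Gateway"
    if not nacl_allows(inst.nacl_inbound, "tcp", port, client_ip):
        return False, f"NACL denies inbound tcp/{port} from {client_ip}"
    if not sg_allows(inst.sg_inbound, "tcp", port, client_ip):
        return False, f"Security Group has no inbound rule for tcp/{port} from {client_ip}"
    return True, f"reachable on tcp/{port}"


# Constructed data mirroring the post's steps.
DEFAULT_NACL = [Rule("-1", 0, 65535, "0.0.0.0/0", number=100, action="allow")]
DEFAULT_SG: List[Rule] = []  # only allows traffic from members of the same group
HELLO_SG = [Rule("tcp", p, p, "0.0.0.0/0") for p in (22, 80, 443)]
LOCAL_ONLY = [Route("10.0.0.0/16", "local")]
PUBLIC = LOCAL_ONLY + [Route("0.0.0.0/0", "igw-hello")]


def scenarios() -> Dict[str, Tuple[bool, str]]:
    before = Instance("HelloSG, no IGW route yet", True, LOCAL_ONLY, DEFAULT_NACL, HELLO_SG)
    after = Instance("HelloSG, IGW route added", True, PUBLIC, DEFAULT_NACL, HELLO_SG)
    default_sg = Instance("default SG, IGW route added", True, PUBLIC, DEFAULT_NACL, DEFAULT_SG)
    return {
        "before_ssh": check_public_access(before, 22),
        "after_ssh": check_public_access(after, 22),
        "after_http": check_public_access(after, 80),
        "after_8080": check_public_access(after, 8080),
        "default_sg_http": check_public_access(default_sg, 80),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:16s} {'OPEN  ' if ok else 'BLOCKED'} {why}")
```

The "before_ssh" case is the post's stuck point: the Security Group already allows port 22, but the subnet's route table has no path to an Internet Gateway, so the check stops there. The same walk is a useful habit when reviewing an account for unintended exposure: an instance is public only when all four pieces line up, so loosening any one of them on its own changes nothing until the others agree.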
Homework question: How can you make an EC2 instance public without relying on the Security Group?
Tags: apache, aws, helloworld