AWS Network Project using VPC and NAT

AWS Network Project implementation plan

An organisation wants to move some important servers into the cloud and has decided to use AWS. They plan to design their own private network in the cloud with the AWS VPC service, because they do not want every machine to be reachable from the internet.

The main reason is network and data security: keeping the servers off the public internet removes them from direct attack. A second reason is cost. If every machine needed its own internet access, each would need its own public IP address, and every public address is one more endpoint to pay for and to secure. Instead they will use a single public IP on a NAT instance; the private instances reach the internet through it, and the administrators reach the private EC2 instances from their own physical machines by going through the NAT instance.

Task list:

1. Creating the base VPC

2. Creating the public and private subnets

3. Attaching an internet gateway to the VPC

4. Configuring route tables

5. Creating a NAT instance for accessing the cloud from a real machine

6. Creating a private instance which will be accessed through the NAT instance from a real machine

7. Accessing the private cloud instance through the NAT instance from a physical machine

Diagram: VPC network project diagram

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account and logically isolated from other virtual networks in the AWS Cloud. You can launch AWS resources, for example Amazon EC2 instances, into your VPC. AWS gives you full control over the design of your VPC: you select its IP address range, create subnets, and configure route tables, network gateways, and security settings.

Steps for the task: Creating the BASE VPC

1. In the AWS management console, select VPC under Networking and Content Delivery. You will get the VPC dashboard.

2. Click on Start VPC Wizard. You will get the options for selecting a VPC configuration. In this lab I selected "VPC with public and private subnets", because I do not want my private instance to be reachable directly from the internet.

Note: the VPC wizard offers four different VPC configurations. Select the one that matches your organisation's network design and how you want to control access to your network.

Steps for the task: Creating public and private subnets and the NAT instance

1. After selecting the VPC configuration option, you will get the "VPC with public and private subnets" configuration page. Select your IPv4 CIDR block. You can choose your own network address range or go with the AWS default IPv4 CIDR block. The subnet blocks must lie inside the VPC block and must not overlap each other.

In this lab demo: VPC IPv4 CIDR block: 192.168.0.0/16

Public subnet IPv4 CIDR: 192.168.0.0/24

Private subnet IPv4 CIDR: 192.168.1.0/24

2. Provide the details of the NAT instance. I selected t2.micro. You can create the key pair beforehand or later, or pick one of the key pairs you created previously from the list.

Note: You can also create the VPC, the public subnet and the private subnet individually from the navigation pane.

3. Click on Create VPC. The VPC will be created together with the NAT instance and the private and public subnets.

4. After the VPC has been created successfully, click on OK. You will see the VPC dashboard with the details of the newly created "VPC-lab".
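The CIDR relationships from step 1, as an added example that is not part of the original post: a small check that the subnet blocks are valid, sit inside the VPC block, do not overlap, and stay within the prefix lengths AWS accepts, plus the number of addresses you can actually hand out once AWS takes its five reserved addresses per subnet. Only the three CIDRs come from the post; the role names and the checks are this example's own.

```python
# Added example, not part of the original post: sanity-check a subnet plan
# before creating it in the VPC wizard. Only the three CIDRs come from the
# post; the role names and the checks themselves are this example's own.
import ipaddress
from typing import Dict, List

VPC_CIDR = "192.168.0.0/16"
SUBNETS: Dict[str, str] = {          # role -> CIDR, as in the lab
    "public": "192.168.0.0/24",
    "private": "192.168.1.0/24",
}

# AWS reserves the network address, the VPC router, the DNS resolver, one
# address for future use and the broadcast address in every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign to instances in an AWS subnet."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def check_subnet_plan(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems: List[str] = []
    parsed: Dict[str, ipaddress.IPv4Network] = {}

    for role, cidr in subnets.items():
        try:
            # strict=True rejects host bits set in the prefix, e.g. 192.168.1.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{role}: {cidr} is not a valid network ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{role}: {cidr} lies outside the VPC block {vpc_cidr}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{role}: /{net.prefixlen} is outside the /16 to /28 range AWS allows")
        parsed[role] = net

    # Every pair of subnets must be disjoint; the VPC router has no way to split an overlap.
    roles = list(parsed)
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


if __name__ == "__main__":
    for role, cidr in SUBNETS.items():
        print(f"{role:8} {cidr:18} usable hosts: {usable_hosts(cidr)}")
    print("problems:", check_subnet_plan(VPC_CIDR, SUBNETS) or "none")
```

Run it before clicking Create VPC; a /24 leaves 251 assignable addresses, not 254, which matters when you size small subnets such as a /28 (11 usable).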

Steps for the task: Attach an internet gateway to VPC

1. In the navigation pane, click on Internet Gateways.

2. In my lab the internet gateway (IGW) was created automatically with the VPC, but you can create one here separately: click on Create Internet Gateway.

3. Select the newly created internet gateway "IGW" and attach it to the newly created VPC by clicking on "Attach to VPC".

4. In the Attach to VPC pane, select the VPC and click on Yes, Attach. Keep in mind that only VPCs that do not yet have an internet gateway attached are listed; a VPC can have at most one.

Steps for the task: Public and private subnets

1. You can create the public and private subnets during the VPC configuration, or separately from the navigation pane under Subnets, Create Subnet. In this lab I already configured the public and private subnets during VPC creation.

2. To create subnets separately, click on "Subnets" in the navigation pane, then click on "Create Subnet".

3. In the Create Subnet dialogue box, type the name tag, select the VPC from the drop-down list, select the availability zone, and finally provide the subnet's IPv4 CIDR block, which must be a sub-range of your VPC's CIDR block.

4. Click on Yes, Create. Your public subnet will be created.

5. Repeat the steps to create the private subnet.

Steps for the task: Configuring Route tables

1. Click Route Tables in the navigation pane. With the public route table selected, click on "Subnet Associations" and then on Edit.

2. Tick the check box of the public subnet, 192.168.0.0/24.

3. Click on Save.

4. Now you should see only the private subnet in the table labelled "The following subnets have not been explicitly associated with any route tables and are therefore using the main route table".

5. Click on Create Route Table after clicking Route Tables in the navigation pane.

6. In the name tag, type "Private routetable VPC-lab" or any name you want to give. In the VPC drop-down list, select VPC-lab.

7. Now select the private route table and click on Edit. Select the Subnet Associations tab if it is not selected yet.

Note: the new private route table has no subnet associated with it by default; until you associate it, the private subnet keeps using the main route table. Tick the private subnet in the check box and click Save.

Steps for the task: Creating a NAT instance for accessing cloud service from real machine

A Network Address Translation (NAT) server allows servers in the private subnet to initiate outbound connections to the internet, for example to download packages or to reach Amazon S3 and other services. It does not allow systems on the internet to initiate inbound connections to the servers in the private subnet: return traffic is admitted only because the NAT server tracks the outbound connection it belongs to.

The public IP address assigned to the NAT server is what allows it to communicate with the internet.

1. Click Launch Instance. In step 1, Choose an Amazon Machine Image (AMI), select Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type from Quick Start.

2. On the Choose Instance Type page, select a suitable instance type for your image; it determines the RAM, storage and processing speed of your instance. The default is t2.micro. Click on "Next: Configure Instance Details".

3. On the Configure Instance Details page:

In the Network drop-down list, select VPC-lab.

In the Subnet drop-down list, select the public subnet.

In the Auto-assign Public IP drop-down list, select Enable.

4. Click on "Advanced Details" to expand it, and paste the following script into the User data box.

#!/bin/sh
# Turn the instance into a router: forward packets, and do not send ICMP redirects
# (redirects would tell private instances to bypass the NAT for some destinations).
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
# Masquerade everything leaving eth0 behind the instance's own address.
# Tighter alternative: use -s 192.168.0.0/16 so that only traffic from the VPC is translated.
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE
# Persist the iptables rule across reboots (Amazon Linux restores /etc/sysconfig/iptables at boot)
/sbin/iptables-save > /etc/sysconfig/iptables
# Persist the kernel settings across reboots
mkdir -p /etc/sysctl.d/
cat <<EOF > /etc/sysctl.d/nat.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.send_redirects = 0
EOF

This shell script configures the server as a NAT server by enabling IP forwarding and IP masquerading, so that the NAT server can make external requests on behalf of the internal servers. User data runs as root on the first boot only, so if you change the script later you have to apply the change on the instance by hand.

5. Click on "Next: Add Storage". Provide your storage size, or keep the default size defined by AWS.

6. Click on "Next: Add Tags". Set the Name tag of the instance to NAT-instance.

7. Click on "Next: Configure Security Group". You get two options for assigning a security group: A, create a new security group; B, select an existing security group.

In this lab I chose to create a new security group, named NAT-SG, with the description "NAT security group".

8. Add a rule: Type "All Traffic", Source "Anywhere". This is the quickest way to get the lab working, but it exposes every port of the NAT instance to the whole internet. A tighter rule set that still works for this design is: All Traffic with Source 192.168.0.0/16 (the VPC block, so forwarded traffic from the private subnet is accepted), plus SSH (TCP 22) and, if you want to ping it, ICMP with Source "My IP". Security groups are stateful, so replies to the connections the NAT instance opens outbound are allowed back in without any inbound rule.

9. Click on "Review and Launch". Your NAT instance will be deployed.

10. Select the NAT server you have created, open the Actions menu, point to Networking and click on "Change Source/Dest. Check", then click "Yes, Disable" in the dialogue box. By default EC2 drops any packet whose source or destination is not the instance itself; a NAT instance forwards other hosts' packets, so the check must be disabled or forwarding silently fails.

11. Click on VPC in the Services pane and on Route Tables in the navigation pane. Select the private route table; it should have only the single local entry so far.

12. Click on Edit, then Add another route. In the Destination box type 0.0.0.0/0; in the Target box type NAT so the list shows the NAT instance, and select it. Click Save.
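The wiring that steps 3, 8, 10 and 12 produce, as an added example that is not part of the original post: an audit over data shaped like the output of "aws ec2 describe-route-tables", "describe-instances" and "describe-security-groups". It classifies each subnet from its default route, confirms the NAT instance sits in the public subnet with the source/destination check off and is the target of the private subnet's 0.0.0.0/0 route, and flags the "All Traffic from Anywhere" rule next to the tightened rule set. Every identifier (rtb-main, subnet-pub0, i-nat0, igw-0) and the administrator address 203.0.113.10 are constructed for this example; only the CIDRs and the design come from the post.

```python
# Added example, not part of the original post: audit the VPC wiring the
# steps above produce. Identifiers and sample data are constructed to mimic
# the shape of the describe-* API output; only the CIDRs come from the post.
from typing import List, Optional

VPC_CIDR = "192.168.0.0/16"
ADMIN_CIDR = "203.0.113.10/32"        # assumed administrator IP (documentation range)
PUBLIC_SUBNET, PRIVATE_SUBNET = "subnet-pub0", "subnet-priv0"
NAT_INSTANCE_ID = "i-nat0"

ROUTE_TABLES = [
    {   # main table: the private subnet uses it implicitly; default route -> NAT instance
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": NAT_INSTANCE_ID, "State": "active"},
        ],
    },
    {   # public table: explicitly associated with the public subnet; default route -> IGW
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": PUBLIC_SUBNET}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0", "State": "active"},
        ],
    },
]
NAT_INSTANCE = {"InstanceId": NAT_INSTANCE_ID, "SubnetId": PUBLIC_SUBNET, "SourceDestCheck": False}

# Inbound rules (IpPermissions) of the NAT security group: as built in step 8, and tightened.
SG_AS_IN_POST = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
SG_TIGHTENED = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": VPC_CIDR}]},   # forwarded traffic from inside the VPC
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
]


def route_table_for(subnet_id: str, route_tables: List[dict]) -> Optional[dict]:
    """An explicit association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(subnet_id: str, route_tables: List[dict]) -> dict:
    rt = route_table_for(subnet_id, route_tables)
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return {}


def subnet_role(subnet_id: str, route_tables: List[dict]) -> str:
    """'public' if 0.0.0.0/0 goes to an internet gateway, 'private' if to a NAT, else 'isolated'."""
    route = default_route(subnet_id, route_tables)
    if route.get("GatewayId", "").startswith("igw-"):
        return "public"
    if route.get("InstanceId") or route.get("NatGatewayId"):
        return "private"
    return "isolated"


def security_group_findings(rules: List[dict]) -> List[str]:
    findings = []
    for rule in rules:
        for rng in rule.get("IpRanges", []):
            if rng["CidrIp"] != "0.0.0.0/0":
                continue
            if rule["IpProtocol"] == "-1":
                findings.append("all traffic allowed from 0.0.0.0/0; limit it to the VPC block and your admin IP")
            elif rule["IpProtocol"] == "tcp" and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 0):
                findings.append("SSH reachable from 0.0.0.0/0; restrict it to your admin IP")
    return findings


def audit_nat(nat: dict, route_tables: List[dict], private_subnet: str, nat_sg_rules: List[dict]) -> List[str]:
    """Everything that would stop this NAT design from working or leaves it needlessly exposed."""
    findings = []
    if subnet_role(nat["SubnetId"], route_tables) != "public":
        findings.append("NAT instance is not in a subnet whose default route is an internet gateway")
    if nat["SourceDestCheck"]:
        findings.append("source/destination check is still enabled, so EC2 drops the packets it forwards")
    if default_route(private_subnet, route_tables).get("InstanceId") != nat["InstanceId"]:
        findings.append("private subnet's 0.0.0.0/0 route does not point at this NAT instance")
    findings.extend(security_group_findings(nat_sg_rules))
    return findings


if __name__ == "__main__":
    print("as built in the post:", audit_nat(NAT_INSTANCE, ROUTE_TABLES, PRIVATE_SUBNET, SG_AS_IN_POST))
    print("tightened:           ", audit_nat(NAT_INSTANCE, ROUTE_TABLES, PRIVATE_SUBNET, SG_TIGHTENED))
```

The same functions work unchanged on real describe-* output once you substitute the JSON from the CLI for the constructed samples; the three wiring checks are the ones that most often explain a private instance that "has a NAT but no internet".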

Steps for the task: Creating a private instance which will be accessed through NAT instance from a real machine

1. Follow the same steps as for the NAT instance to create the private Linux instance, with the differences below. The private instance does not get the NAT user-data script.

2. Click on "EC2" in the AWS services console. In Quick Start, select the Amazon Linux AMI image and click Select.

3. On the Configure Instance Details page, select Network: VPC-lab, Subnet: private subnet (192.168.1.0/24), and Auto-assign Public IP: Disable. Its security group only needs to accept SSH (and ICMP, if you want to ping it) from the public subnet, 192.168.0.0/24, since everything reaches it through the NAT instance.

4. Click on "Next: Add Storage". Accept the default and click on "Next: Tag Instance"; in the Value field put "Private instance". Use the same key pair as for the NAT instance, because you will log in to it through the NAT instance.

Steps for the task: Accessing private cloud instance through NAT from physical machine

1. Ping your NAT machine's public IP address from your laptop. It must be pingable from your local machine. If not, check your security group settings and allow inbound ICMP traffic from "My IP".

2. Connecting to the Amazon EC2 instance using PuTTY

You need to download PuTTY and Pageant for this exercise.

PuTTY needs the key pair in PPK format; convert the PEM file AWS gave you with PuTTYgen. On Linux, ssh uses the PEM file directly.

Load the key into Pageant and enable agent forwarding in PuTTY (Connection > SSH > Auth > "Allow agent forwarding"), so that the second hop to the private instance can authenticate without the private key ever being copied onto the NAT instance.

3. Log in as ec2-user through PuTTY SSH to the NAT instance's public IP address.

4. Testing the NAT instance

To test that the NAT instance can communicate with the internet, run "ping ietf.org". You will receive a series of continuous responses similar to the screenshot.

Note: if you get no response, go to the security group settings and allow ICMP traffic. Also keep in mind that this test only works against hosts that answer ICMP echo requests; a host that drops ICMP gives no response even when the NAT is working.

Press Ctrl+C to end the ping command.

5. To verify that your NAT instance can communicate with the private instance

In this lab the private instance's IP is 192.168.1.102.

Run this command on the NAT instance to log in to the private instance: ssh ec2-user@192.168.1.102 (substitute your own private instance's IP).

When prompted to confirm the host key, type yes and press Enter. If you cannot connect to your private instance, check your key-pair authentication again: the private instance accepts only the private key matching the key pair it was launched with, supplied here through the forwarded agent.

6. To verify that the private instance can connect to the internet, run the following command on it:

ping ietf.org

You will receive a series of continuous responses. Your project is then successfully implemented. Congratulations.

If there is no response after the ping, check your security group settings and the private route table's 0.0.0.0/0 route to the NAT instance once again.

Thank you!
