Networking

Amazon VPC - Virtual Private Cloud

Setup Amazon VPC Example

Source: [REF-1]

Goals:

  • The load balancer is accessible over the internet

  • The containers run in the private network and are not accessible from the public network. Each container is encapsulated in an AWS ECS "Task".

We are creating a VPC with four subnets (two private and two public). We are also setting up an Internet Gateway connected to the two public subnets.

  • From AWS console go to VPC to define a logically isolated virtual network

  • Make sure you are in the correct AWS region

  • On the VPC dashboard, click the "VPCs" resource to show "Your VPCs" page

  • Create a new VPC by providing the following and click "Create":

    • Name tag: myvpc

    • IPv4 CIDR block*: 10.0.0.0/16 (meaning: 10.0.0.0 to 10.0.255.254, or 65,534 host IPs; also see ipinfo.io). CIDR stands for Classless Inter-Domain Routing.

    • IPv6 CIDR block: No

    • Tenancy: Default

  • The newly created VPC ID will be like: vpc-0010**

Figure: VPC Setup Overview

Setup subnets

Let's assume that we want to subdivide the above VPC network (10.0.0.0/16) into 4 sub-networks: two subnets will be public, where the load balancer will run, and two other subnets will be private, where the tasks (or containers) will run.

  • From the "Your VPCs" page, go to the "Subnets" page from the left-hand-side navigation bar and click "Create subnet":

    • Name tag: myvpc-public-01

    • VPC*: <select the VPC ID created above - vpc-0010**>

    • VPC CIDRs: <shown automatically; 10.0.0.0/16 as assigned above>

    • Availability Zone: us-west-2

    • IPv4 CIDR block*: 10.0.1.0/24 (allocating only 254 host IPs, between 10.0.1.0 and 10.0.1.254; use the Visual Subnet Calculator to determine the IPs)

  • Repeat the same for the remaining subnets:

    • myvpc-public-02; us-west-2 (or us-west-1 if geographic redundancy is needed); 10.0.2.0/24

    • myvpc-private-01; us-west-2; 10.0.3.0/24

    • myvpc-private-02; us-west-2; 10.0.4.0/24
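The subnet plan above can be checked without a web calculator. The following is an added example, not part of the original page: it uses Python's standard-library `ipaddress` module to confirm that each of the four /24 subnets lies inside the 10.0.0.0/16 VPC, that none of them overlap, and how many host addresses each one offers. It also reports the AWS-usable count (AWS reserves the first four and the last address of every subnet) and suggests the next free /24, which goes beyond what the page itself states. Subnet names and CIDRs are the ones chosen above.

```python
# Added example (not from the original page): validate the myvpc subnet plan.
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# The four subnets chosen in the walkthrough (name -> CIDR).
SUBNET_PLAN = {
    "myvpc-public-01": "10.0.1.0/24",
    "myvpc-public-02": "10.0.2.0/24",
    "myvpc-private-01": "10.0.3.0/24",
    "myvpc-private-02": "10.0.4.0/24",
}

# AWS reserves 5 addresses per subnet (network, VPC router, DNS,
# future use, broadcast), so the usable count is the host count minus 4.
AWS_RESERVED_PER_SUBNET = 5


def validate_plan(vpc_cidr, plan):
    """Return per-subnet facts; raise ValueError if the plan is invalid."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {}
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} ({cidr}) is outside the VPC {vpc_cidr}")
        for other_name, other in nets.items():
            if net.overlaps(other):
                raise ValueError(f"{name} ({cidr}) overlaps {other_name}")
        nets[name] = net

    report = {}
    for name, net in nets.items():
        hosts = list(net.hosts())  # excludes network and broadcast addresses
        report[name] = {
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "host_ips": len(hosts),
            "aws_usable": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        }
    return report


def vpc_summary(vpc_cidr):
    """Address range and plain host count of the whole VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return {
        "first": str(vpc[0]),
        "last": str(vpc[-1]),
        "addresses": vpc.num_addresses,
        "host_ips": vpc.num_addresses - 2,
    }


def next_free_subnet(vpc_cidr, plan, new_prefix=24):
    """First block of the requested size that no planned subnet overlaps."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    used = [ipaddress.ip_network(c, strict=True) for c in plan.values()]
    for candidate in vpc.subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for name, facts in validate_plan(VPC_CIDR, SUBNET_PLAN).items():
        print(f"{name}: {facts}")
    print("VPC:", vpc_summary(VPC_CIDR))
    print("next free /24:", next_free_subnet(VPC_CIDR, SUBNET_PLAN))
```

Running the script prints the host range of each subnet (for example 10.0.1.1 to 10.0.1.254 for myvpc-public-01), the 65,534 plain host IPs of the /16, and 10.0.0.0/24 as the next unused /24. Passing `strict=True` to `ip_network` makes a mistyped CIDR such as `10.0.1.1/24` fail loudly instead of being silently normalised.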

Setup Internet Gateway

An Internet Gateway is the mechanism that allows the public subnet(s) within the VPC to reach the internet; a public subnet is the one whose resources carry public IP addresses. Only one Internet Gateway is allowed per VPC. See [REF-6] for the difference between a NAT gateway and an Internet Gateway. Set up an Internet Gateway as follows:

  • From the left-hand-side navigation bar, click "Internet Gateways", then click "Create internet gateway" and enter:

    • Name tag: myvpc-igw

  • Attach to a VPC:

    • VPC*: <select the VPC ID created above - vpc-0010**>

Setup Route Tables

  • Create route table from the left-hand-side navigation bar, "Route Tables" page:

    • Name tag: myvpc-public-rt

    • VPC*: <select the VPC ID created above -vpc-0010**>

  • Select the newly created route table, rtb-***, and go to the "Routes" tab. There is already a default route that keeps traffic destined for 10.0.0.0/16 (the IP range of the VPC, i.e., myvpc or vpc-0010**) inside the local VPC network.

  • Edit the routes to add a new route that sends traffic for any destination to the Internet Gateway; destinations inside 10.0.0.0/16 still match the more specific local route and stay within the VPC:

    • Destination: 0.0.0.0/0 (any destination)

    • Target: <select the Internet Gateway created above, myvpc-igw, or igw-***>

  • Next, go to the "Subnet Associations" tab to attach the two public subnets:

    • Edit subnet associations, and select the two public subnets

  • Create a second route table for the traffic that does not need the Internet Gateway:

    • Name tag: myvpc-private-rt

    • VPC*: <select the VPC ID created above -vpc-0010**>

  • For the second route table, we don't need to modify anything on the "Routes" tab; keep the default route that keeps traffic for 10.0.0.0/16 inside the local VPC network. Instead, go to the "Subnet Associations" tab to attach the two private subnets:

    • Edit subnet associations, and select the two private subnets

Setup Application Load Balancer

Source: [REF-1], video at about 27 minutes

Here we create an internet-facing load balancer that routes traffic into the private network.

  • From the AWS console, go to the EC2 page; from the left-hand-side navigation bar, click "Load Balancers".

  • Create an "Application Load Balancer" (the type for HTTP and HTTPS) and enter the following:

    • Name: myapplb

    • Scheme: internet-facing

    • IP address type: IPv4

    • Listeners > Load Balancer Protocol: HTTP Port: 80

    • Availability Zones > VPC: <choose available vpc, in this case the one created above, myvpc>

    • Availability Zones > Availability Zones: <choose the public subnets in the VPC; two were created above: myvpc-public-01 & myvpc-public-02>

  • Step 2 configures security settings for HTTPS; skip it for now.

  • Step 3 configures the security group, which is a set of firewall rules for inbound traffic; create a new security group:

    • Security group name: myapplb-secg

    • Add rule: a default rule is already created, so modify it instead: Type: HTTP; Port: 80; Source: 0.0.0.0/0 (i.e., any IP on the internet). With this rule, any traffic from the internet can reach the load balancer on port 80.

  • Step 4 configures routing: a target group to which the load balancer forwards the traffic it receives from the internet:

    • Target group > Target group: New target group

    • Target group > Name: myapplb-targetg

    • Target group > Target type: IP

    • Target group > Protocol: HTTP

    • Target group > Port: 80

    • Health checks > Protocol: HTTP

    • Health checks > Path: /health

  • Step 5 registers targets; skip this step because ECS will assign the IPs dynamically.

  • Finally, create the load balancer

  • The load balancer is now available to be assigned, for example, by ECS

Setup NAT Gateway

A NAT (Network Address Translation) gateway is the mechanism that allows the private subnet(s) within the VPC to access the internet while preventing external traffic from initiating a connection to the private subnets. See [REF-6] for the difference between a NAT gateway and an Internet Gateway.

Source: [REF-1], video at about 34 minutes

  • From the AWS console, go to VPC and select "NAT Gateways" from the left-hand-side navigation bar

  • Create a NAT Gateway and choose the "Subnet" in which it will run; this must be a subnet with internet access, so in this case we choose myvpc-public-01

  • For the "Elastic IP Allocation ID*", create a new EIP

  • Then, create the NAT gateway

  • Now we are ready to assign the NAT Gateway to the subnets that need internet access, by configuring each subnet's route table. For this example, we only need to configure the private subnets where the services will run; we will not run the services in the public subnets.
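The route tables from the "Setup Route Tables" section and the NAT Gateway added here decide which subnets are exposed. The following is an added example, not part of the original page or of any AWS tooling: a small Python model of the VPC router's longest-prefix-match lookup over myvpc-public-rt and myvpc-private-rt. It checks that the public subnets reach the Internet Gateway, that traffic for 10.0.0.0/16 stays local even with the 0.0.0.0/0 route present, that the private subnets have no path to the internet until a default route pointing at the NAT Gateway is added to myvpc-private-rt (the `with_nat_route` flag models that final route-table edit), and that adding the NAT route does not make a private subnet reachable from the internet. The gateway IDs `igw-myvpc` and `nat-myvpc` are constructed placeholders, and the model ignores security groups and NACLs.

```python
# Added example (not from the original page): model the myvpc route tables
# and answer "which subnets are public?" and "where does egress go?".
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    destination: str  # CIDR
    target: str       # "local", "igw-..." or "nat-..."


@dataclass
class RouteTable:
    name: str
    routes: list

    def lookup(self, dst_ip):
        """Longest-prefix match, as the VPC router does; None if no route."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(ipaddress.ip_network(r.destination).prefixlen, r)
                   for r in self.routes if ip in ipaddress.ip_network(r.destination)]
        return max(matches, key=lambda m: m[0])[1] if matches else None


@dataclass
class Subnet:
    name: str
    cidr: str
    route_table: RouteTable


@dataclass
class Vpc:
    cidr: str
    subnets: dict                                  # name -> Subnet
    nat_gateways: dict = field(default_factory=dict)  # nat id -> subnet it runs in


# An address outside the VPC, from the TEST-NET-2 documentation range.
OFF_VPC_IP = "198.51.100.10"


def is_public(vpc, subnet_name):
    """A subnet is public when its route table sends default traffic to an IGW.
    Only such a subnet can have connections initiated into it from the
    internet (and then only to a resource with a public IP and a permitting
    security group). A NAT gateway never forwards unsolicited inbound traffic,
    so a NAT route does not make a subnet public."""
    r = vpc.subnets[subnet_name].route_table.lookup(OFF_VPC_IP)
    return r is not None and r.target.startswith("igw-")


def egress_path(vpc, subnet_name, dst_ip, _depth=0):
    """Hops a packet from subnet_name to dst_ip takes; the last element is
    'internet', 'local' or 'blocked'."""
    r = vpc.subnets[subnet_name].route_table.lookup(dst_ip)
    if r is None:
        return [subnet_name, "blocked"]
    if r.target == "local":
        return [subnet_name, "local"]
    if r.target.startswith("igw-"):
        return [subnet_name, r.target, "internet"]
    if r.target.startswith("nat-") and _depth < 4:  # depth bound guards loops
        # The NAT gateway sits in a public subnet; the packet continues from there.
        nat_subnet = vpc.nat_gateways[r.target]
        return [subnet_name, r.target] + egress_path(vpc, nat_subnet, dst_ip, _depth + 1)
    return [subnet_name, r.target, "blocked"]


def build_page_vpc(with_nat_route=False):
    """The VPC as built in the walkthrough; with_nat_route adds the final
    0.0.0.0/0 -> NAT route to the private route table."""
    public_rt = RouteTable("myvpc-public-rt", [
        Route("10.0.0.0/16", "local"),
        Route("0.0.0.0/0", "igw-myvpc"),   # placeholder IGW id
    ])
    private_routes = [Route("10.0.0.0/16", "local")]
    if with_nat_route:
        private_routes.append(Route("0.0.0.0/0", "nat-myvpc"))  # placeholder NAT id
    private_rt = RouteTable("myvpc-private-rt", private_routes)
    subnets = {
        "myvpc-public-01": Subnet("myvpc-public-01", "10.0.1.0/24", public_rt),
        "myvpc-public-02": Subnet("myvpc-public-02", "10.0.2.0/24", public_rt),
        "myvpc-private-01": Subnet("myvpc-private-01", "10.0.3.0/24", private_rt),
        "myvpc-private-02": Subnet("myvpc-private-02", "10.0.4.0/24", private_rt),
    }
    vpc = Vpc("10.0.0.0/16", subnets)
    vpc.nat_gateways["nat-myvpc"] = "myvpc-public-01"  # NAT created in myvpc-public-01
    return vpc


if __name__ == "__main__":
    for flag in (False, True):
        vpc = build_page_vpc(with_nat_route=flag)
        print(f"with NAT route: {flag}")
        for name in vpc.subnets:
            print(f"  {name}: public={is_public(vpc, name)} "
                  f"egress={egress_path(vpc, name, OFF_VPC_IP)}")
```

Before the NAT route is added, egress from myvpc-private-01 to an off-VPC address ends in `blocked`; afterwards it goes through `nat-myvpc`, then myvpc-public-01 and `igw-myvpc` to the internet, while `is_public` for the private subnets stays False in both cases. Traffic from a public subnet to 10.0.3.7 still resolves to `local`, which is the point of the more specific 10.0.0.0/16 route.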

References
