Learning objectives
1. Build a custom AWS VPC.
2. Manually configure subnets, routing table, NAT Gateway, Internet Gateway, Network ACL (NACL), Security Groups and IP addresses.
3. Be proficient in setting up and using a bastion host.
Task 1 : Build a custom VPC
Before you start your assignment, remove all other pre-created settings in the standard Sandbox environment, as they may affect your assignment. (Refer to the appendix for the settings to delete.)
In this task, you will build a VPC from scratch, manually, without using the VPC wizard. Your final VPC will look like this:
1. Create a new VPC comprising the following.
a. Name : Practical Assignment VPC
b. CIDR : 10.0.0.0/16
c. Tenancy : default
2. Create a public subnet.
a. Name : BastionSubnet
b. CIDR : 10.0.16.0/20
c. Availability Zone : us-east-1a or any AZ1
3. Create a route table.
a. Name : BastionRT
b. VPC : Practical Assignment VPC
4. Create an Internet Gateway
a. Name : PA-IGW
5. Create a Network ACL.
a. Name : BastionNACL
b. VPC : Practical Assignment VPC
6. Create a Security Group
a. Name : BastionSG
b. VPC : Practical Assignment VPC
7. Configure the BastionSubnet (public) of your VPC.
a. Associate it with BastionRT and BastionNACL.
b. Ensure that all traffic destined for the internet gets routed to internet gateway, PA-IGW.
8. Show your tutor your work. Capture a screenshot of your VPC and all its settings (to demonstrate that you understand what you are setting) in your report, labelling it Task 1. Make sure that your login account is visible in your screen capture.
9. In your own words, write a brief description of what you have setup for Task 1.
Task 2 : Launch a Bastion Host EC2 instance
A bastion host is simply a server that is used as a dedicated proxy to reach the private servers of a network. You will learn how to use a bastion host to access EC2 instances in a private subnet later. First, let's create an EC2 instance that will serve as the bastion host.
1. Create a new EC2 instance and launch it into BastionSubnet.
a. AMI : Amazon Linux 2 (HVM), SSD Volume Type
b. Instance type : General Purpose – t3.micro
c. Instance details (selected):
i. Network : Practical Assignment VPC
ii. Subnet : BastionSubnet
iii. Auto-assign Public IP : Enable
d. Storage : use default selected
e. Tags : optional
f. Configure Security Group : Select existing security group – BastionSG
2. Show your tutor your work. Capture a screenshot of your EC2 instance and all its settings in your report, labelling it Task 2.
3. In your own words, explain what you just did in Task 2.
Task 3 : Configure BastionNACL and BastionSG for SSH access
1. Given that SSH uses port 22, configure BastionNACL and BastionSG to allow SSH access.
2. Use your OS’s SSH client or Putty for Windows to connect to the bastion host.
3. Upon successful login, you will see the following console.
4. Show your tutor your work. Capture a screen shot of your Security Group and NACL settings in your report, labelling it task 3.
5. Explain the following :-
• What does Task 3 do?
• What can be achieved after completing Task 3?
• What happens if Task 3 is not done correctly?
Task 4 : Create a private subnet and its components (20 Marks)
1. New private subnet configuration:
a. Name : PrivateSubnet
b. CIDR : 10.0.0.0/20
c. Availability Zone : us-east-1b or any AZ2
2. Create new route table.
a. Name : PrivateRT
b. VPC : Practical Assignment VPC
3. Create a new Network ACL.
a. Name : PrivateNACL
b. VPC : Practical Assignment VPC
4. Create a Security Group
a. Name : PrivateSG
b. VPC : Practical Assignment VPC
5. Create a NAT Gateway.
a. VPC Dashboard -> NAT Gateways -> Create NAT Gateway
b. Subnet : BastionSubnet
c. Click Elastic IP Allocation ID -> Create New EIP
d. Click Create a NAT Gateway
e. Add a name for the NAT Gateway : PA-NAT
6. Associate PrivateSubnet with the following.
a. PrivateRT
i. Add a route such that all outgoing internet traffic (0.0.0.0/0) is routed to the NAT Gateway, PA-NAT.
b. PrivateNACL
7. Show your tutor your work. Capture a screen shot of your settings in your report, labelling it task 4.
8. Write a brief explanation of the tasks performed in Task 4.
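The routing and addressing decisions behind Task 1 (step 7b) and Task 4 (step 6a), as an added example that is not part of the assignment: it checks that the two /20 subnets fit inside the /16 without overlapping, applies the five-address reservation AWS makes in every subnet, and does the longest-prefix-match lookup that a VPC route table performs. The route tables are constructed here from the lab's values; the `igw:`/`nat:` target labels are placeholders, not AWS identifiers.

```python
import ipaddress

# Constructed from the lab's values: the VPC CIDR and the two subnets.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {
    "BastionSubnet": ipaddress.ip_network("10.0.16.0/20"),
    "PrivateSubnet": ipaddress.ip_network("10.0.0.0/20"),
}
# AWS reserves 5 addresses per subnet: network, VPC router, DNS, future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5


def check_subnet_plan(vpc, subnets):
    """Return a list of problems; an empty list means the plan is valid."""
    problems = []
    nets = list(subnets.items())
    for name, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} {a} overlaps {name_b} {b}")
    return problems


def usable_hosts(net):
    """Addresses you can actually assign to instances in this subnet."""
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


# Route tables as the lab builds them: (destination, target). "local" is the
# route AWS adds for the VPC CIDR; the other targets are placeholder labels.
BASTION_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw:PA-IGW")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat:PA-NAT")]


def lookup(route_table, dst_ip):
    """Longest-prefix match: the most specific destination wins, so VPC-internal
    traffic stays local even though 0.0.0.0/0 also matches it."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "no route"
```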
Task 5 : Launch a new EC2 instance into PrivateSubnet
1. Create a new EC2 instance and launch it into PrivateSubnet.
a. AMI : Amazon Linux 2 (HVM), SSD Volume Type
b. Instance type : General Purpose – t3.micro
c. Instance details (selected):
i. Network : Practical Assignment VPC
ii. Subnet : PrivateSubnet
iii. Auto-assign Public IP : Disable
d. Storage : use default selected
e. Tags : optional
f. Configure Security Group : Select existing security group – PrivateSG
2. Show your tutor your work. Capture a screen shot of your settings in your report, labelling it task 5.
3. In your own words, explain what you just did in Task 5.
Task 6 : Configure PrivateNACL and PrivateSG for SSH access by bastion host
1. Referring to task 3, configure PrivateNACL and PrivateSG to allow SSH access by the bastion host EC2 instance in BastionSubnet.
2. For Windows 10 and Mac OS users, open a terminal and use the following commands.
a. ssh-add -K key-name.pem – this adds the private key to the forwarding agent
b. ssh -A ec2-user@bastion-host-ip-address
3. For PuTTY users, in order to access the private EC2 instance from the bastion host, we need to perform SSH agent forwarding, which forwards authentication requests securely from the client through the bastion host so that the private key never leaves your machine, and then use it to gain access to the private instance. To do that using PuTTY, refer to this YouTube video.
4. Once logged into the bastion host, simply use the command ‘ssh ec2-user@private-instance-ip-address’
5. Capture a screen shot of your settings in your report, labelling it task 6.
6. Explain what is achieved after completing Task 6.
Task 7 : Test private EC2 instance access to internet
1. This task requires you to configure PrivateNACL and PrivateSG to allow ping, so that we can test whether traffic from the private EC2 instance is going out to and coming back from the internet via the NAT Gateway.
2. The ‘ping’ application uses the Internet Control Message Protocol (ICMP). When pinging, an ICMP ‘Echo Request’ message is sent to the destination. The responding entity replies with an ICMP ‘Echo Reply’.
3. Referring to tasks 3 and 6, add inbound and outbound rules to PrivateNACL and PrivateSG to allow the private EC2 instance to ping “www.google.com”.
4. If successfully configured, you should see something like this.
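The rule-evaluation logic that Tasks 3, 6 and 7 depend on, as an added example that is not part of the assignment: a simplified model of how a network ACL (stateless, numbered rules, first match wins, implicit deny) differs from a security group (stateful, allow-only), applied to the lab's SSH and ping flows. The rule sets are constructed to match the lab; ICMP types and codes are ignored for brevity.

```python
import ipaddress

EPHEMERAL = (1024, 65535)  # source ports a client OS picks; replies come back to these


def _match(r_proto, cidr, ports, proto, ip, port):
    """Does one rule (protocol, CIDR, optional port range) match a flow?"""
    if r_proto not in ("all", proto):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(cidr):
        return False
    return ports is None or (port is not None and ports[0] <= port <= ports[1])


def nacl_allows(rules, proto, ip, port=None):
    """NACL: stateless; rules tried in ascending number, first match decides,
    implicit deny at the end. rules = [(number, proto, cidr, ports, action)]"""
    for _, r_proto, cidr, ports, action in sorted(rules, key=lambda r: r[0]):
        if _match(r_proto, cidr, ports, proto, ip, port):
            return action == "allow"
    return False


def sg_allows(rules, proto, ip, port=None):
    """Security group: allow-only, any matching rule allows. rules = [(proto, cidr, ports)]"""
    return any(_match(rp, c, p, proto, ip, port) for rp, c, p in rules)


def ssh_session_allowed(nacl_in, nacl_out, sg_in, client_ip, client_port):
    """SSH is two flows: client -> :22 and the reply -> client_port. The SG is
    stateful, so only the inbound flow is checked; the NACL needs both directions."""
    request = nacl_allows(nacl_in, "tcp", client_ip, 22) and sg_allows(sg_in, "tcp", client_ip, 22)
    return request and nacl_allows(nacl_out, "tcp", client_ip, client_port)


def ping_allowed(nacl_in, nacl_out, sg_out, target_ip):
    """Task 7: Echo Request out, Echo Reply back. The SG only needs the outbound
    rule; the NACL needs outbound and inbound ICMP rules."""
    request = nacl_allows(nacl_out, "icmp", target_ip) and sg_allows(sg_out, "icmp", target_ip)
    return request and nacl_allows(nacl_in, "icmp", target_ip)


# Constructed rule sets matching the lab (Task 3: bastion; Tasks 6 and 7: private subnet).
BASTION_NACL_IN = [(100, "tcp", "0.0.0.0/0", (22, 22), "allow")]
BASTION_NACL_OUT = [(100, "tcp", "0.0.0.0/0", EPHEMERAL, "allow")]
BASTION_SG_IN = [("tcp", "0.0.0.0/0", (22, 22))]
PRIVATE_NACL_IN = [(100, "tcp", "10.0.16.0/20", (22, 22), "allow"), (110, "icmp", "0.0.0.0/0", None, "allow")]
PRIVATE_NACL_OUT = [(100, "tcp", "10.0.16.0/20", EPHEMERAL, "allow"), (110, "icmp", "0.0.0.0/0", None, "allow")]
PRIVATE_SG_IN = [("tcp", "10.0.16.0/20", (22, 22))]
PRIVATE_SG_OUT = [("icmp", "0.0.0.0/0", None)]
```

Dropping the outbound ephemeral-port rule from a NACL is the classic reason an SSH connection to the bastion hangs even though the security group looks right.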
Task 8 : Comments about the Architecture
1. In your own words, explain the setup of the above architecture and write your comments on the advantages and disadvantages of this setup.