PROJECT: With a Custom VPC, connect to a Private Instance Using a Bastion Host on EC2

Eric P Ingram
5 min read · Apr 14, 2021

Amazon Virtual Private Cloud (VPC) lets you launch AWS resources into a virtual network that you define. This virtual network closely resembles a traditional network that you would operate in your own data center, with the benefit of running on the scalable infrastructure of AWS. Subnets and EC2 instances live in a logically isolated section of the AWS cloud; nothing in it can reach or be reached from the Internet until you attach an Internet gateway and add a route to it, and that route is exactly what separates the public subnet from the private one built below. Network access control lists (NACLs) and security groups then give you strict control over inbound and outbound traffic to your instances.

These are the five objectives that were focused on here, so let's jump in. I hope you find it as beneficial as I did.

OBJECTIVES:

  1. Create a Custom VPC, CIDR 10.0.0.0/16
  2. Create a Private Subnet, CIDR 10.0.2.0/24
  3. Create a Public Subnet, CIDR 10.0.1.0/24
  4. Create an EC2 instance (t2 or t3 nano class) in each subnet
  5. Successfully connect to the Private instance (by its private IP) from a Bastion Host in the same VPC

1. Custom VPC CIDR 10.0.0.0/16

  • Open and sign in to the AWS Console, then find and open VPC
  • Click Your VPCs, Create VPC, add a Name, enter your VPC CIDR (10.0.0.0/16), add a Tag (get used to using tags)

[Screenshot: Newly Created VPC]

2. Private Subnet CIDR 10.0.2.0/24

  • Select Subnets, Create subnet, and from the drop-down menu select the VPC ID you created above
  • Add a Name, select your Availability Zone, enter your Private subnet CIDR block (10.0.2.0/24), add a Tag

Leave this subnet on the VPC's main route table, which it is associated with by default and which carries only the local 10.0.0.0/16 route. The absence of any route to the Internet is what keeps it private; there is nothing else to configure here.

[Screenshot: Newly Created Subnet]

3. Public Subnet CIDR 10.0.1.0/24

  • Click Create subnet, and from the drop-down menu select the VPC ID you created above
  • Add a Name, select your Availability Zone, enter your Public subnet CIDR block (10.0.1.0/24), add a Tag

NOTE: Naming a subnet "public" or picking a particular CIDR range does nothing by itself. At this point the subnet is still private, because its route table has no path to the Internet; steps 3A to 3D are what make it public.

[Screenshot: Newly Created Subnet]
[Screenshot: Two New Subnets Identified]

3A. Enabling Auto-assign Public IPv4 on the Public Subnet, from the VPC Dashboard

  • Subnets, select the subnet designated for public traffic
  • Click Actions, select Modify auto-assign IP settings from the drop-down menu, then check the box under Enable auto-assign public IPv4 address

Instances launched into this subnet will now receive a public IPv4 address. Do not enable this on the private subnet; its instance should carry only a 10.0.2.x address.

[Screenshot: Subnet with Enable Auto-assign IPv4]

3B. Creating the Internet Gateway (IGW), from the VPC Dashboard

  • Internet Gateways, Create internet gateway, add a Name, Create internet gateway

[Screenshot: Created Internet Gateway]

3C. Attaching the IGW to the VPC, from the VPC Dashboard

  • Internet Gateways, select the new IGW, Actions, select Attach to VPC from the drop-down menu, choose your VPC

[Screenshot: VPC with Attached IGW]

3D. Creating a Route Table, Adding a Default Route to the IGW and Associating the Public Subnet, from the VPC Dashboard

  • Route Tables, Create route table, add a Name, select your VPC

[Screenshot: Newly Created Route Table]

  • Select the new route table, Routes tab, Edit routes, Add route, enter 0.0.0.0/0 as the destination and choose the IGW as the target

[Screenshot: Route Table with the Added Default Route]

  • Subnet Associations tab, Edit subnet associations, select your Public Subnet

NOTE: The Public Subnet can now reach the public Internet, and instances in it that have a public IP can be reached from the Internet, subject to their security groups. The Private Subnet is untouched: it still uses the main route table, which has only the local route. Add the 0.0.0.0/0 route only to this new table and never to the main route table, because every subnet without an explicit association (your private subnet included) inherits the main table.

[Screenshot: Public Route Table now Associated to the Public Subnet]
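Once the association is in place it is worth confirming the result programmatically rather than eyeballing the console, because the private subnet's safety rests on an implicit association with the main route table that the console does not show prominently. The script below is an added example, not part of the original walkthrough: it classifies every subnet as public or private from the JSON that `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` returns, resolving the main-table fallback the way the VPC does, and it carries a constructed sample (placeholder IDs such as vpc-0abc and igw-0abc) showing both the intended layout and what happens if the default route is mistakenly added to the main table.

```python
"""Classify a VPC's subnets as public or private from describe-route-tables output.

Added example, not code from the original article. Input shape is that of
`aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` (the
"RouteTables" list); the sample below is constructed with placeholder IDs.
"""
import json
import sys

INTERNET = "0.0.0.0/0"


def explicit_associations(route_tables):
    """Map subnet-id -> route table for every explicit subnet association."""
    mapping = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):
                mapping[assoc["SubnetId"]] = rt
    return mapping


def main_route_table(route_tables):
    """The table flagged Main=True; every subnet without an explicit association uses it."""
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    raise ValueError("no main route table in input")


def effective_route_table(route_tables, subnet_id):
    """Explicit association wins; otherwise the subnet silently inherits the main table.
    That inheritance is why a 0.0.0.0/0 -> igw route on the *main* table would make the
    'private' subnet public without anyone touching the subnet itself."""
    return explicit_associations(route_tables).get(subnet_id) or main_route_table(route_tables)


def internet_gateway_route(route_table):
    """Return the igw-* target of an active default route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != INTERNET:
            continue
        if route.get("State", "active") != "active":   # blackhole routes do not forward
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return route["GatewayId"]
    return None


def classify_subnets(route_tables, subnet_ids):
    """Return {subnet_id: 'public' | 'private'} based on each subnet's effective table."""
    return {
        sid: "public" if internet_gateway_route(effective_route_table(route_tables, sid)) else "private"
        for sid in subnet_ids
    }


def matches_tutorial_layout(route_tables, public_subnet, private_subnet):
    """True only when the public subnet has an IGW route and the private one does not."""
    classes = classify_subnets(route_tables, [public_subnet, private_subnet])
    return classes[public_subnet] == "public" and classes[private_subnet] == "private"


# Constructed sample mirroring the tutorial's end state: the main table carries only the
# local route and implicitly serves subnet-private0; the custom table with the default
# route is explicitly associated with subnet-public0. All IDs are placeholders.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
DEFAULT_VIA_IGW = {"DestinationCidrBlock": INTERNET, "GatewayId": "igw-0abc", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0abc",
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
     "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0abc",
     "Associations": [{"Main": False, "RouteTableId": "rtb-public", "SubnetId": "subnet-public0"}],
     "Routes": [LOCAL, DEFAULT_VIA_IGW]},
]
# The same layout after the mistake of adding the default route to the main table instead.
LEAKY_ROUTE_TABLES = [
    {**SAMPLE_ROUTE_TABLES[0], "Routes": [LOCAL, DEFAULT_VIA_IGW]},
    SAMPLE_ROUTE_TABLES[1],
]
SAMPLE_SUBNETS = ["subnet-public0", "subnet-private0"]


if __name__ == "__main__":
    # Usage: python check_routes.py [describe-route-tables.json subnet-id ...]
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh:
            tables = json.load(fh)["RouteTables"]
        subnets = sys.argv[2:]
    else:
        tables, subnets = SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS
    for sid, cls in classify_subnets(tables, subnets).items():
        print(f"{sid}: {cls}")
```

Against your own account, save the describe-route-tables output to a file and pass it with the two subnet IDs; the expected result is one line reading public and one reading private. If the private subnet comes back public, look at the main route table first.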

Creating a Bastion Host

4. EC2 Instance for the Public Subnet (the Bastion Host)

  • From AWS Services, open the EC2 Dashboard, Instances, Launch Instances
  • Select Amazon Linux (Free tier eligible) 64-bit, select t2.micro (Free tier eligible) under Type, Next (the objective calls for a t2 or t3 nano; either works equally well for this exercise)
  • Configure Instance Details: verify the Network is your VPC, the Subnet is your Public Subnet, and Auto-assign Public IP reads Use subnet setting (Enable); Next, Next, add Tag(s)
  • Configure Security Group: create a NEW security group and add a name
  • For the SSH rule, change Source to My IP, so only your current address can reach port 22 on the bastion (if your address changes later, update this rule rather than widening it); Review and Launch, Launch
  • Create a new key pair, download it (the .pem file; keep it on your workstation and never copy it onto the bastion), Launch Instances

[Screenshot: EC2 Instance for Public Subnet]

4A. EC2 Instance for the Private Subnet

  • Launch Instances, select Amazon Linux (Free tier eligible) 64-bit, select t2.micro (Free tier eligible) under Type, Next
  • Configure Instance Details: verify the Network is your VPC and the Subnet is your Private Subnet (Auto-assign Public IP should read Use subnet setting (Disable)), leave Storage as is, add Tag(s)
  • Configure Security Group: keep the existing SSH rule but change its source; select Custom and, in the text box, pick your public (Bastion Host) security group. This admits SSH only from instances that carry the bastion's security group, not from any IP range, so even another host inside the VPC cannot reach it.
  • Review and Launch, Launch, select the existing key pair created for the bastion, check the acknowledgement and Launch Instances

Reusing the bastion's key pair is what lets the agent-forwarded connection in the testing section authenticate to the private instance: the key stays on your workstation and is only answered for through the forwarded agent, so nothing secret ever lands on the bastion.

[Screenshot: EC2 Instance with Private IPv4]
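The two security groups are the only thing standing between the Internet and the bastion, and between the bastion and the private host, so it pays to check them rather than trust the wizard. The following is an added example, not code from the original article: it audits describe-security-groups output (`aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id>`) for exactly the two rules the steps above create, a single /32 on the bastion and the bastion's group as the only source on the private instance, and flags the usual drift (0.0.0.0/0 on port 22, or a CIDR sneaking onto the private group). The sample groups, the account ID 123456789012 and the admin address 203.0.113.7 are constructed placeholders.

```python
"""Audit the two security groups from the tutorial using describe-security-groups output.

Added example, not code from the original article. Input shape is that of
`aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id>`
("SecurityGroups" list). Sample data is constructed: placeholder group IDs, a
placeholder account ID and 203.0.113.7 (a documentation address) as the admin IP.
"""
import ipaddress

SSH_PORT = 22


def ssh_sources(group):
    """Yield ("cidr", "<cidr>") or ("sg", "<sg-id>") for every ingress rule admitting TCP/22."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not (perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)):
                continue
        elif proto != "-1":            # "-1" is all traffic; any other protocol is not SSH
            continue
        for r in perm.get("IpRanges", []):
            yield ("cidr", r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            yield ("cidr", r["CidrIpv6"])
        for pair in perm.get("UserIdGroupPairs", []):
            yield ("sg", pair["GroupId"])


def audit_bastion(group):
    """Bastion: SSH reachable only from single-host CIDRs (what the console's 'My IP' writes)."""
    findings = []
    sources = list(ssh_sources(group))
    if not sources:
        findings.append("no SSH ingress rule; you will not be able to reach the bastion")
    for kind, value in sources:
        if kind == "sg":
            findings.append(f"SSH admitted from security group {value}; expected an admin /32")
            continue
        net = ipaddress.ip_network(value, strict=False)
        if net.prefixlen != net.max_prefixlen:
            findings.append(f"SSH admitted from {value}; narrow it to a single host")
    return findings


def audit_private(group, bastion_sg_id):
    """Private host: SSH only from the bastion's security group, never from any CIDR."""
    findings = []
    sources = list(ssh_sources(group))
    if ("sg", bastion_sg_id) not in sources:
        findings.append(f"missing SSH rule sourced from bastion group {bastion_sg_id}")
    for kind, value in sources:
        if kind == "cidr":
            findings.append(f"SSH admitted from CIDR {value}; private hosts should trust only {bastion_sg_id}")
        elif value != bastion_sg_id:
            findings.append(f"SSH admitted from unexpected group {value}")
    return findings


def audit(groups, bastion_sg_id, private_sg_id):
    """Run both audits over a describe-security-groups 'SecurityGroups' list."""
    by_id = {g["GroupId"]: g for g in groups}
    return {
        bastion_sg_id: audit_bastion(by_id[bastion_sg_id]),
        private_sg_id: audit_private(by_id[private_sg_id], bastion_sg_id),
    }


def ssh_rule(ip_ranges=(), group_ids=()):
    """Build one TCP/22 IpPermissions entry in the API's shape (used for the sample data)."""
    return {
        "IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
        "IpRanges": [{"CidrIp": c} for c in ip_ranges],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": g, "UserId": "123456789012"} for g in group_ids],
    }


# Constructed sample: the intended pair, then two common mistakes (0.0.0.0/0 on the
# bastion, and a VPC-wide CIDR added alongside the bastion group on the private host).
GOOD_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "bastion-sg", "IpPermissions": [ssh_rule(ip_ranges=["203.0.113.7/32"])]},
    {"GroupId": "sg-private", "GroupName": "private-sg", "IpPermissions": [ssh_rule(group_ids=["sg-bastion"])]},
]
BAD_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "bastion-sg", "IpPermissions": [ssh_rule(ip_ranges=["0.0.0.0/0"])]},
    {"GroupId": "sg-private", "GroupName": "private-sg",
     "IpPermissions": [ssh_rule(ip_ranges=["10.0.0.0/16"], group_ids=["sg-bastion"])]},
]

if __name__ == "__main__":
    for label, groups in (("intended", GOOD_GROUPS), ("misconfigured", BAD_GROUPS)):
        print(label, audit(groups, "sg-bastion", "sg-private"))
```

The audit deliberately treats an all-traffic rule (IpProtocol "-1") as admitting SSH, since that is the other way port 22 ends up open without a rule that says 22 anywhere. Feed it the real "SecurityGroups" list and the two group IDs from your account; an empty findings list for both groups is the result you want before moving on to the connection tests.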

Prep Configuration for Testing the Connections

I had trouble here, so I leaned on a fellow learner and looked at what he did. I tried his method; it was what I had been thinking but had never done hands-on, so here it goes…

You will need these PuTTY tools:

  1. PuTTY
  2. PuTTYgen
  3. Pageant

  • If you are not using Windows, substitute the equivalent for your OS (on macOS or Linux the stock OpenSSH client with ssh-agent and ssh-add covers the same steps).

1. Open PuTTYgen, click Load, browse to the .pem key pair file you downloaded when launching the bastion (switch the file filter to All Files if it is not listed), double-click it, click Save private key, and close PuTTYgen. The .ppk file it writes is the same private key in PuTTY's format; protect it like the .pem.

2. Open Pageant (it may already be minimized in the task bar; double-click it)

3. Add Key, locate and double-click the .ppk key file you saved, Close

Testing the Public Instance connection

  1. Launch PuTTY and enter the bastion's Public IPv4 address in the Host Name box
  2. Under Category, navigate to Connection, SSH, Auth
  3. Under Authentication parameters, check the box for Allow agent forwarding
  4. Click Browse and double-click the .ppk file
  5. Click Open; in the terminal window, enter ec2-user to log in to your public EC2 instance

NOTE: If a PuTTY Security Alert appears, it is SSH host-key verification for a server you have never connected to before, and it is the one chance to notice an impostor in the path. Don't just click through it: compare the fingerprint it shows with the SSH HOST KEY FINGERPRINTS block in the instance's system log (EC2 console, select the instance, Actions, Monitor and troubleshoot, Get system log) and accept only if they match.

Testing the Private Instance connection

  1. In the same terminal window that opened the bastion connection, enter:
  • ssh ec2-user@<Private IP Address>

NOTE: This time the host-key prompt comes from the bastion's OpenSSH client ("The authenticity of host ... can't be established"), not from PuTTY; verify this instance's fingerprint the same way, against its own system log, before typing yes.

  • echo "Test One was a Success" > file.test
  • cat file.test

You can compare the commands and output to verify that the test succeeded: the hostname in the prompt should now be the private instance's (its 10.0.2.x address), and cat prints the line you just wrote.
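Both NOTEs above tell you to read the host-key prompt; the script below is the check that makes that reading worth something. It is an added example, not part of the original article: it extracts the SSH host key fingerprints from the instance's system log (the block cloud-init prints on first boot, available from Get system log in the EC2 console or with `aws ec2 get-console-output --instance-id <id> --output text`) and compares them with the fingerprint PuTTY or ssh presents. The log text embedded in it is constructed and its fingerprints are fake; the format it assumes is the BEGIN/END SSH HOST KEY FINGERPRINTS block with the ec2: prefix that Amazon Linux puts on console lines. Run it once for the bastion before accepting the PuTTY alert, and again for the private instance before answering yes on the bastion.

```python
"""Check an EC2 host-key fingerprint against the instance's console output before
accepting a first-connection prompt (PuTTY's Security Alert, or OpenSSH's
"The authenticity of host ... can't be established").

Added example, not code from the original article. It assumes the fingerprint block that
cloud-init writes to the system log, retrievable with
`aws ec2 get-console-output --instance-id <id> --output text` or via the console's
Get system log; the log below is constructed and its fingerprints are not real keys.
"""
import re

BEGIN = "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
END = "-----END SSH HOST KEY FINGERPRINTS-----"
# One ssh-keygen -l line: "<bits> <hash> <comment> (<KEYTYPE>)"
FP_LINE = re.compile(r"^\d+\s+(SHA256:\S+|MD5:\S+)\s+.*\((\w+)\)$")


def parse_console_fingerprints(console_text):
    """Return {KEYTYPE: fingerprint} taken only from inside the BEGIN/END block."""
    fingerprints = {}
    inside = False
    for raw in console_text.splitlines():
        line = raw.strip()
        if line.startswith("ec2: "):            # Amazon Linux prefixes each console line
            line = line[len("ec2: "):]
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif inside:
            match = FP_LINE.match(line)
            if match:
                fingerprints[match.group(2).upper()] = match.group(1)
    return fingerprints


def normalize(fingerprint):
    """Compare what clients display: SHA256 base64 with or without '=' padding, MD5 hex lower-case."""
    fp = fingerprint.strip()
    if fp[:7].upper() == "SHA256:":
        return "SHA256:" + fp[7:].rstrip("=")
    return fp.lower()


def fingerprint_matches(console_text, presented, key_type):
    """True only if the console block lists key_type with the same fingerprint as presented."""
    expected = parse_console_fingerprints(console_text).get(key_type.upper())
    return expected is not None and normalize(expected) == normalize(presented)


# Constructed sample of the relevant part of an Amazon Linux system log (fake fingerprints).
SAMPLE_CONSOLE = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:3s9f0qF0vZQ2Yx7kK1Xl8n4e9p0rD2uS6wT1yA8bC4M no comment (ECDSA)
ec2: 256 SHA256:K9pL2mN4qR7sT1uV3wX5yZ8aB0cD2eF4gH6iJ8kL0mN no comment (ED25519)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_hostkey.py <console-output.txt> <SHA256:fingerprint-from-prompt> <ED25519|ECDSA|RSA>
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        ok = fingerprint_matches(text, sys.argv[2], sys.argv[3])
    else:
        ok = fingerprint_matches(SAMPLE_CONSOLE, "SHA256:K9pL2mN4qR7sT1uV3wX5yZ8aB0cD2eF4gH6iJ8kL0mN", "ED25519")
    print("fingerprint matches console output" if ok else "MISMATCH: do not accept this host key")
    sys.exit(0 if ok else 1)
```

The key type matters as much as the hash: a prompt for an ECDSA key must be checked against the ECDSA line, which is why the comparison is keyed by type rather than searching for the hash anywhere in the log. A brand-new instance's log is the only trustworthy source for this, because it was written before anyone could connect.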

IMPORTANT NOTE: If you have no reason to keep the VPC, IGW, route table, subnets, security groups or instances running, it's in your favor to clean up: terminate the instances, detach and delete the IGW, release any Elastic IPs you allocated, and delete the route table, subnets, security groups and finally the VPC. Delete the key pair too if nothing else uses it.

Happy Learning!
