Assumptions:
- Verify that the keypair is loaded into the ssh-agent on the user's host machine. More info: https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/
-
Create VPC:
Networking & Content Delivery > VPC
- Name Tag: Name of VPC
- IPv4 CIDR Block: 10.0.0.0/16 (this is the largest address block a VPC can have)
- IPv6 CIDR Block: Amazon-provided IPv6 CIDR block
- Tenancy: Default saves money by sharing underlying hardware with other AWS customers. Dedicated tenancy runs on hardware reserved for you alone but is extremely expensive.
-
Default resources created by Step 1:
- 1 dedicated default Route Table
- 1 dedicated default Network ACL
- 1 dedicated Security Group
- 0 Internet Gateways
- 0 Custom Subnets
-
Create Public Subnet:
Subnet > Create Subnet
- Name Tag: Create Name (eg. naming convention: 10.0.1.0/24 - us-east-1a)
- VPC: Select VPC created in Step 1
- Availability Zone: Select availability zone (us-east-1a)
- IPv4 CIDR Block: 10.0.1.0/24
- Don't assign IPv6
- Create
- Select newly created Subnet > Actions > Modify auto-assign IP settings
- Auto-assign IPv4: select "Enable auto-assign public IPv4"
- Save
-
Create Private Subnet:
Subnet > Create Subnet
- Name Tag: Create Name (eg. naming convention: 10.0.2.0/24 - us-east-2a)
- VPC: Select VPC created in Step 1
- Availability Zone: Select availability zone (us-east-2a)
- IPv4 CIDR Block: 10.0.2.0/24
- Don't assign IPv6
- Create
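Before working through the subnet screens above it is worth checking the address plan itself. The script below is an added example, not part of the original notes: it validates a VPC/subnet plan with Python's standard ipaddress module, checking that the VPC prefix is within the /16 to /28 range AWS accepts, that every subnet sits inside the VPC block, that no two subnets overlap, and that every availability zone belongs to the VPC's region (a VPC is region-scoped). The five reserved addresses per subnet are AWS's documented reservation; the region check assumes plain AZ names such as us-east-1a, and the sample plan, with both subnets in us-east-1 zones, is constructed for the example.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast), so a /24 leaves 251 usable hosts.
AWS_RESERVED_PER_SUBNET = 5


def az_region(az):
    """'us-east-1a' -> 'us-east-1'. Assumes plain AZ names (not Local Zone names)."""
    return az.rstrip("abcdefghijklmnopqrstuvwxyz")


def usable_hosts(cidr):
    """Host addresses a subnet of this size can actually hand out on AWS."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def check_subnet_plan(vpc_cidr, vpc_region, subnets):
    """Return the list of problems in a subnet plan (an empty list means the plan is sound).

    subnets: list of (name, cidr, availability_zone) tuples.
    Checks: VPC prefix within AWS's /16-/28 limits, each subnet inside the VPC block,
    no two subnets overlapping, and every AZ belonging to the VPC's region.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc_cidr}: prefix must be between /16 and /28")
    seen = []
    for name, cidr, az in subnets:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not inside the VPC block {vpc_cidr}")
        if az_region(az) != vpc_region:
            problems.append(f"{name}: AZ {az} is outside the VPC's region {vpc_region}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))
    return problems


if __name__ == "__main__":
    # Constructed plan: the notes' /16 VPC with one /24 public and one /24 private subnet.
    plan = [("Public 10.0.1.0/24", "10.0.1.0/24", "us-east-1a"),
            ("Private 10.0.2.0/24", "10.0.2.0/24", "us-east-1b")]
    for problem in check_subnet_plan("10.0.0.0/16", "us-east-1", plan) or ["plan OK"]:
        print(problem)
    for name, cidr, _ in plan:
        print(f"{name}: {usable_hosts(cidr)} usable hosts")
```

Run it once per environment before creating subnets; a non-empty result is a plan to fix in the console, and the usable-host figure tells you whether a /24 is really enough for the instances you intend to place in it.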
-
Add Internet Gateway:
Internet Gateway > Create Internet Gateway
- Name Tag: Internet Gateway name (eg. naming convention: VPC-Demo-IGW)
- Create
- Select newly created Internet Gateway > Actions > Attach
- Select VPC created in Step 1
- Attach
Only one Internet Gateway can be attached per VPC.
-
Configure Route Table to expose Public Route:
- Select the VPC's dedicated default Route Table
- Select the Routes tab. Verify that all routes are private (ie. associated to the Main Route Table)
- Select Create route table
- Name Tag: Route Name (eg. naming convention: VPC-Demo-Public-Route)
- VPC: Select VPC created in Step 1
- Create
- Select newly created Public Route
- Select Edit Routes
- Select Add Route: Destination: 0.0.0.0/0 (IPv4), Target: Internet Gateway > VPC-Demo-IGW
- Select Add Route: Destination: ::/0 (IPv6), Target: Internet Gateway > VPC-Demo-IGW
-
Associate Public Subnet to Public Route:
Route Table > Select VPC-Demo-Public-Route
- Select the Subnet Associations tab
- Select Edit Subnet Associations
- Select Public Subnet (in our case: 10.0.1.0/24 - us-east-1a)
- Save
-
Provision EC2 instance within Public Subnet:
Services > Compute > EC2
- Launch Instance (eg. Linux 2 AMI > T2 Micro)
- Select Configure Instance Details
- Network: Select VPC created in Step 1
- Subnet: Select Public Subnet (in our case: 10.0.1.0/24 - us-east-1a)
- Auto-assign Public IP: Use subnet setting (Enable)
- Add Storage
- Add Tag: Name: Public-Server (can hold non-sensitive web services etc.)
- Add Security Group
Security Groups are not shared between VPCs, meaning that any Security Group made within the public VPC will not carry over to the private VPC.
- Create New Security Group
- Security Group Name: Subnet_DMZ (eg. naming convention); Description: Subnet_DMZ
- Add SSH Rule
- Add HTTP Rule
- Review and Launch
- Launch
- Verify that the new instance has a Public IP Address provisioned. This instance can be accessed via ssh.
-
Associate NAT Gateway:
Services > Networking & Content Delivery > VPC > NAT Gateway
- Select Create NAT Gateway
- Subnet: Select Public Subnet
- Elastic IP Allocation ID: Create New Elastic IP Address
-
Edit Route Table to point to NAT Gateway:
- Select Main Route Table
- Select Edit Routes > Add Route
- Destination: 0.0.0.0/0, Target: Select newly created NAT Gateway
-
Provision EC2 instance within Private Subnet:
Services > Compute > EC2
- Launch Instance (eg. Linux 2 AMI > T2 Micro)
- Select Configure Instance Details
- Network: Select VPC created in Step 1
- Subnet: Select Private Subnet (in our case: 10.0.2.0/24 - us-east-2a)
- Auto-assign Public IP: Use subnet setting (Disable)
- Add Storage
- Add Tag: Name: Private-Server (can hold sensitive DB services etc.)
- Add Security Group
- Use Existing Security Group > default
- This will allow the public and private subnets to communicate
- The SSH rule will be updated during Bastion provisioning
- Review and Launch
- Launch
- Verify that the new instance does not have a Public IP Address provisioned. This instance cannot be accessed via ssh from the internet.
-
Provision Bastion instance within Public Subnet:
Services > Compute > EC2
- Launch Instance (eg. Linux 2 AMI > T2 Micro)
- Select Configure Instance Details
- Network: Select VPC created in Step 1
- Subnet: Select Public Subnet (in our case: 10.0.1.0/24 - us-east-1a)
- Auto-assign Public IP: Use subnet setting (Enable)
- Add Storage
- Add Tag: Name: Bastion-Server
- Add Security Group
- Create New Security Group
- Security Group Name: Bastion_SG (eg. naming convention); Description: Bastion_SG
- Add SSH Inbound Rule: Type: SSH, Protocol: TCP, Port Range: 22, Source: My IP
- Additional IPs for new user hosts needing ssh access are added here
- Be sure to take into account any VPNs being used locally
- Review and Launch
- Launch w/ keypair
- Verify that the Bastion-Server instance has a Public IP Address provisioned
- Associate a new Elastic IP address to Bastion-Server
- Modify the SSH rule on the Private Subnet instance to allow connections only from Bastion_SG
- Bastion can be accessed via ssh from the user host IP. Be sure to use the -A flag when connecting to enable ssh agent forwarding:
  ssh -A ec2-user@<bastion-IP-address or DNS-entry>
- The Private Subnet instance can be accessed from Bastion via ssh
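The route table, NAT Gateway and security group steps above add up to a small set of invariants: the public subnet's default route points at the Internet Gateway, the private subnet's default route points at the NAT Gateway and never at the Internet Gateway, the private instance has no public IP, its SSH rule is sourced from Bastion_SG alone (no CIDR sources), and the bastion's SSH rule lists specific host IPs ("My IP", ie. /32 entries). The script below is an added example, not material from the original notes, that checks those invariants after the console work is done. The route table and security group dicts follow the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` output; the instance records are a simplified, constructed shape (Name, Role, SubnetId, SecurityGroupIds, optional PublicIpAddress) rather than describe-instances output, and every ID and address in the sample data is made up.

```python
# Constructed sample data shaped like `aws ec2 describe-route-tables` /
# `describe-security-groups` output; IDs and addresses are made up.
INTERNET = "0.0.0.0/0"
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": INTERNET, "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": INTERNET, "GatewayId": "igw-0example"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "Bastion_SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-private", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
]
# Simplified, constructed instance records (not the describe-instances shape).
INSTANCES = [
    {"Name": "Bastion-Server", "Role": "bastion", "SubnetId": "subnet-public",
     "SecurityGroupIds": ["sg-bastion"], "PublicIpAddress": "198.51.100.7"},
    {"Name": "Private-Server", "Role": "private", "SubnetId": "subnet-private",
     "SecurityGroupIds": ["sg-private"]},
]


def default_route_target(route_table):
    """Return ('igw'|'nat'|'other', target id) for the 0.0.0.0/0 route, or None if absent."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != INTERNET:
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return ("igw", route["GatewayId"])
        if route.get("NatGatewayId"):
            return ("nat", route["NatGatewayId"])
        return ("other", route.get("GatewayId") or route.get("InstanceId") or "?")
    return None


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def ssh_sources(sg):
    """Return (cidrs, group_ids) that the security group admits on TCP/22."""
    cidrs, groups = [], []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1" or (proto == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]):
            cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            groups += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return cidrs, groups


def audit(route_tables, security_groups, instances, bastion_sg_name="Bastion_SG"):
    """Return findings where the layout departs from the notes; [] means it matches."""
    findings = []
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    bastion_sg_ids = {gid for gid, sg in sgs.items() if sg["GroupName"] == bastion_sg_name}
    for inst in instances:
        name, role = inst["Name"], inst["Role"]
        rt = route_table_for_subnet(route_tables, inst["SubnetId"])
        target = default_route_target(rt) if rt else None
        kind = target[0] if target else None
        cidrs, groups = [], []
        for gid in inst["SecurityGroupIds"]:
            c, g = ssh_sources(sgs[gid])
            cidrs, groups = cidrs + c, groups + g
        if role in ("public", "bastion"):
            if kind != "igw":
                findings.append(f"{name}: public subnet's default route is not an Internet Gateway")
            if "PublicIpAddress" not in inst:
                findings.append(f"{name}: expected a public IP address")
        if role == "bastion":
            for cidr in cidrs:
                if not cidr.endswith("/32"):
                    findings.append(f"{name}: SSH admitted from {cidr}; list specific /32 host IPs")
        if role == "private":
            if "PublicIpAddress" in inst:
                findings.append(f"{name}: private instance has a public IP address")
            if kind == "igw":
                findings.append(f"{name}: private subnet routes 0.0.0.0/0 to an Internet Gateway")
            elif kind != "nat":
                findings.append(f"{name}: private subnet has no NAT Gateway default route")
            if cidrs:
                findings.append(f"{name}: SSH admitted from CIDR(s) {cidrs}; source should be {bastion_sg_name} only")
            if not groups or not set(groups) <= bastion_sg_ids:
                findings.append(f"{name}: SSH source groups {groups} are not limited to {bastion_sg_name}")
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, SECURITY_GROUPS, INSTANCES) or ["no findings"]:
        print(line)
```

To run it against a real account, replace the constructed lists with the parsed JSON from the two describe calls and build the instance records from describe-instances (the Role tag is the example's own convention). The private-subnet check deliberately looks up the main route table when a subnet has no explicit association, because that is exactly how the notes leave the private subnet: it inherits the main table, which is why the NAT route is added there.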