
@gambinish
Last active August 31, 2019 06:47
AWS VPC notes

Assumptions:

  1. Create VPC: Networking & Content Delivery > VPC

    • Name Tag: Name of VPC
    • IPv4 CIDR Block: 10.0.0.0/16 (a /16 is the largest address block AWS allows for a VPC)
    • IPv6 CIDR Block: Amazon provided IPv6 CIDR block
    • Tenancy: Default saves money by sharing the underlying hardware with other AWS customers. Dedicated tenancy gives you hardware of your own but is extremely expensive.
  2. Default resources created by Step 1:

    • 1 dedicated default Route Table
    • 1 dedicated default Network ACL
    • 1 dedicated Security Group
    • 0 Internet Gateway
    • 0 Custom Subnets
  3. Create Public Subnet: Subnet > Create Subnet

    • Name Tag: Create a name (e.g. naming convention: 10.0.1.0/24 - us-east-1a)
    • VPC: Select the VPC created in Step 1
    • Availability Zone: Select an Availability Zone (us-east-1a)
    • IPv4 CIDR Block: 10.0.1.0/24
    • Don't Assign IPv6
    • Create
    • Select newly created Subnet > Actions > Modify auto-assign IP settings
    • Auto-assign IPv4 > Select Enable auto-assign public IPv4
    • Save
  4. Create Private Subnet: Subnet > Create Subnet

    • Name Tag: Create a name (e.g. naming convention: 10.0.2.0/24 - us-east-2a)
    • VPC: Select the VPC created in Step 1
    • Availability Zone: Select an Availability Zone (us-east-2a)
    • IPv4 CIDR Block: 10.0.2.0/24
    • Don't Assign IPv6
    • Create
  5. Add Internet Gateway: Internet Gateway > Create Internet Gateway

    • Name Tag: Internet Gateway name (e.g. naming convention: VPC-Demo-IGW)
    • Create
    • Select newly created Internet Gateway > Actions > Attach
    • Select VPC created in Step 1
    • Attach. Only one Internet Gateway can be attached to a VPC.
  6. Configure Route Table to expose Public Route:

    • Select the VPC's dedicated default Route Table
    • Select the Routes tab and verify that all routes are private (i.e. every subnet is still associated with the Main Route Table, which has no route to an Internet Gateway)
    • Select Create route table
    • Name Tag: Route name (e.g. naming convention: VPC-Demo-Public-Route)
    • VPC: Select the VPC created in Step 1
    • Create
    • Select the newly created Public Route
    • Select Edit Routes
    • Select Add Route
      • Destination: 0.0.0.0/0 (IPv4), Target: Internet Gateway > VPC-Demo-IGW
      • Destination: ::/0 (IPv6), Target: Internet Gateway > VPC-Demo-IGW
  7. Associate Public Subnet to Public Route

    • Route Table > Select VPC-Demo-Public-Route
    • Select Subnet Associations tab
    • Select Edit Subnet Associations
    • Select Public Subnet (In our case: 10.0.1.0/24 - us-east-1a)
    • Save
  8. Provision EC2 instance within Public Subnet

    • Services > Compute > EC2
    • Launch Instance (e.g. Amazon Linux 2 AMI > t2.micro)
    • Select Configure Instance Details
      • Network: Select the VPC created in Step 1
      • Subnet: Select the Public Subnet (in our case: 10.0.1.0/24 - us-east-1a)
      • Auto-assign Public IP: Use subnet setting (Enable)
    • Add Storage
    • Add Tag: Name: Public-Server (can hold non-sensitive web services etc.)
    • Add Security Group. Security Groups are not shared between VPCs, meaning that any Security Group made within the AWS public VPC will not carry over to the private VPC.
      • Create New Security Group
      • Security Group Name: Subnet_DMZ (e.g. naming convention)
      • Description: Subnet_DMZ
      • Add SSH Rule
      • Add HTTP Rule
    • Review and Launch
    • Launch
    • Verify that the new instance has a Public IP Address provisioned. This instance can be accessed via ssh.
  9. Associate NAT Gateway

    • Services > Networking & Content Delivery > VPC > NAT Gateway
    • Select Create NAT Gateway
    • Subnet: Select Public Subnet
    • Elastic IP Allocation ID: Create New Elastic IP Address
  10. Edit Route Table to point to NAT Gateway

    • Select Main Route Table
    • Select Edit Routes > Add Route
      • Destination: 0.0.0.0/0, Target: the newly created NAT Gateway
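The network pieces of steps 1 through 10 (VPC, subnets, Internet Gateway, route tables, NAT Gateway) as Terraform, an added example that is not the gist author's code and leaves the EC2 instances out. It assumes the hashicorp/aws provider (5.x) configured for us-east-1; the Availability Zone names are assumptions, and both must lie in the provider's region.

```hcl
resource "aws_vpc" "demo" {
  cidr_block                       = "10.0.0.0/16" # the largest block AWS allows per VPC
  assign_generated_ipv6_cidr_block = true          # "Amazon provided IPv6 CIDR block"
}
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.demo.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true # step 3: auto-assign public IPv4
  tags                    = { Name = "10.0.1.0/24 - us-east-1a" }
}
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.demo.id
  cidr_block              = "10.0.2.0/24"
  availability_zone       = "us-east-1b" # assumption: any AZ in the VPC's region
  map_public_ip_on_launch = false        # step 4: private hosts never get a public IP
}
resource "aws_internet_gateway" "igw" { # step 5: only one IGW can be attached per VPC
  vpc_id = aws_vpc.demo.id
  tags   = { Name = "VPC-Demo-IGW" }
}
# Step 6: a separate public route table, so the main table keeps only the local route
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.demo.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.igw.id
  }
  tags = { Name = "VPC-Demo-Public-Route" }
}
resource "aws_route_table_association" "public" { # step 7: only the public subnet gets the IGW route
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
# Steps 9-10: NAT gateway in the public subnet; the main (private) table routes egress through it
resource "aws_eip" "nat" { domain = "vpc" }
resource "aws_nat_gateway" "nat" {
  subnet_id     = aws_subnet.public.id
  allocation_id = aws_eip.nat.id
  depends_on    = [aws_internet_gateway.igw]
}
resource "aws_route" "private_egress" {
  route_table_id         = aws_vpc.demo.main_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}
```

After `terraform apply`, the main route table should show only the local route and the 0.0.0.0/0 route to the NAT Gateway, which is the check step 6 asks for: no path from the private subnet to an Internet Gateway.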
  11. Provision EC2 instance within Private Subnet

    • Services > Compute > EC2
    • Launch Instance (e.g. Amazon Linux 2 AMI > t2.micro)
    • Select Configure Instance Details
      • Network: Select the VPC created in Step 1
      • Subnet: Select the Private Subnet (in our case: 10.0.2.0/24 - us-east-2a)
      • Auto-assign Public IP: Use subnet setting (Disable)
    • Add Storage
    • Add Tag: Name: Private-Server (can hold sensitive DB services etc.)
    • Add Security Group
      • Use Existing Security Group > default
      • This will allow the public and private subnets to communicate
      • The SSH rule will be updated during Bastion provisioning
    • Review and Launch
    • Launch
    • Verify that the new instance does not have a Public IP Address provisioned. This instance cannot be accessed via ssh directly.
  12. Provision Bastion instance within Public Subnet

    • Services > Compute > EC2
    • Launch Instance (e.g. Amazon Linux 2 AMI > t2.micro)
    • Select Configure Instance Details
      • Network: Select the VPC created in Step 1
      • Subnet: Select the Public Subnet (in our case: 10.0.1.0/24 - us-east-1a)
      • Auto-assign Public IP: Use subnet setting (Enable)
    • Add Storage
    • Add Tag: Name: Bastion-Server
    • Add Security Group
      • Create New Security Group
      • Security Group Name: Bastion_SG (e.g. naming convention)
      • Description: Bastion_SG
      • Add SSH Inbound Rule: Type: SSH, Protocol: TCP, Port Range: 22, Source: My IP
      • Additional IPs for new user hosts needing ssh access are added here
      • Be sure to take into account any VPNs being used locally
    • Review and Launch
    • Launch with a key pair
    • Verify that the Bastion-Server instance has a Public IP Address provisioned
    • Associate a new Elastic IP address to Bastion-Server
    • Modify the SSH rule on the Private Subnet instance to allow connections only from Bastion_SG
      • The Bastion can be accessed via ssh from the user host IP. Be sure to use the -A flag when connecting, to enable ssh agent forwarding: ssh -A ec2-user@<bastion-IP-address or DNS-entry>
      • The Private Subnet can be accessed from the Bastion via ssh
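The security groups from steps 8, 11 and 12 as Terraform, an added example and not the gist author's code. It assumes the hashicorp/aws provider (5.x) and an `aws_vpc.demo` resource for the VPC from Step 1, uses a placeholder operator address (203.0.113.10/32) for "My IP", and creates a dedicated Private_SG instead of editing the VPC's default group as the notes do.

```hcl
variable "my_ip" { default = "203.0.113.10/32" } # placeholder: the operator's own /32 ("My IP")
# Step 8: Subnet_DMZ for the public web server; HTTP is open to the world
resource "aws_security_group" "subnet_dmz" {
  name        = "Subnet_DMZ"
  description = "Subnet_DMZ"
  vpc_id      = aws_vpc.demo.id # assumption: the VPC from Step 1
}
resource "aws_vpc_security_group_ingress_rule" "dmz_http" {
  security_group_id = aws_security_group.subnet_dmz.id
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_ipv4         = "0.0.0.0/0"
}
# Step 12: Bastion_SG admits SSH only from the operator's address, never from 0.0.0.0/0
resource "aws_security_group" "bastion" {
  name        = "Bastion_SG"
  description = "Bastion_SG"
  vpc_id      = aws_vpc.demo.id
}
resource "aws_vpc_security_group_ingress_rule" "bastion_ssh" {
  security_group_id = aws_security_group.bastion.id
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_ipv4         = var.my_ip
}
# Step 11: dedicated group for the private host (instead of the VPC default group)
resource "aws_security_group" "private" {
  name        = "Private_SG"
  description = "Private_SG"
  vpc_id      = aws_vpc.demo.id
}
# SSH into the web server and the private host references Bastion_SG rather than a
# CIDR, so only instances that carry that group can connect (last bullet of step 12)
resource "aws_vpc_security_group_ingress_rule" "ssh_from_bastion" {
  for_each                     = { dmz = aws_security_group.subnet_dmz.id, private = aws_security_group.private.id }
  security_group_id            = each.value
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
  referenced_security_group_id = aws_security_group.bastion.id
}
# Allow-all egress per group: the console adds this by default, Terraform does not
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = { dmz = aws_security_group.subnet_dmz.id, bastion = aws_security_group.bastion.id, private = aws_security_group.private.id }
  security_group_id = each.value
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
```

Connecting with `ssh -J ec2-user@<bastion> ec2-user@<private-host>` (ProxyJump) reaches the private host without forwarding your agent to the bastion, which the -A flag in step 12 does; with -A, the bastion can use your keys for as long as the session lasts.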
gambinish commented Aug 31, 2019

AWS VPC Design
