In the previous article we set up a VPC and connected to an instance in a public subnet. In this article we will cover the following topics:
- Creating and connecting to an instance in a private subnet
- Creating an EC2 instance in a private subnet
- Creating a jump server in a public subnet
- Connecting to private DB Server 01 from the jump server
- Connecting EC2 instances across VPCs
- Setting up a VPC peering connection
- NACL
- Restricting communication from one subnet to another
CREATING AND CONNECTING TO INSTANCE IN PRIVATE SUBNET
First, we are going to see how to launch an instance in a private subnet and how to connect to it.
Here we are going to launch two EC2 instances, one in the public subnet and one in the private subnet.
CREATING EC2 INSTANCE IN PRIVATE SUBNET
Below are some screenshots taken while creating the instance in the private subnet.
Because this instance is in a private subnet, allowing access from My IP in its security group makes no sense; I would not be able to connect to it from my IP over the internet anyway.
I selected private subnet 1, and because of this the instance is created in Availability Zone us-west-1b. We can see it running there, and we have named it Private-DbServer01.
Because it is in a private subnet, we cannot connect to it directly. To connect to it we have to create and connect to a jump server, and that jump server has to be in a public subnet.
So now we are going to create a jump server in a public subnet.
CREATING JUMP SERVER IN PUBLIC SUBNET
To create the jump server we are using the Ubuntu 16.0.4 Free Tier image.
The image below shows that we have selected public subnet 1 of our VPC for this jump server.
We gave it the tag name Jump-Server.
Create a security group and key pair to access it over the internet.
The jump server has to be very secure, as it will be the only access point to the instances in the private subnet.
Now we can see that the jump server is also up and running.
CONNECTING PRIVATE DB SERVER 01 FROM JUMP SERVER
Now, to access the instance in the private subnet, i.e. private-DbServer01, we have to allow the jump server in the security group of private-DbServer01 and use its private IP to connect.
Edit DB-private-sg and allow the jump server to SSH in.
So we have selected the security group of the jump server as the source of an inbound rule and clicked Save.
NOTE
Because we will connect from the public jump server to private DB Server 01, the key pair used to log in to private-DBServer01 has to be present on the jump server.
So let's copy the key pair of private-DBServer01, i.e. vpc-kp.pem, to the jump server using the command below.
scp -i Downloads/jumpServer-kp.pem -r Downloads/vpc-kp.pem [email protected]:/home/ubuntu/
Next, log in to the jump server and check whether the key for private-DBServer01, i.e. vpc-kp.pem, has been copied.
It has been copied successfully. Now from here we need to SSH to private-DBServer01 with the vpc-kp.pem key pair, as seen below.
As we can see, private-DBServer01 has no public IP, so we will connect to it using its private IP.
SSH complains about an unprotected private key file, so we need to make sure the key is readable only by the current user. We change the permissions with the command below.
chmod 400 vpc-kp.pem
After this, run the SSH command again.
Clearly, we are now inside private-DBServer01.
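Copying vpc-kp.pem onto the jump server means that a compromise of the jump server also exposes the key of the private instance. An alternative, added here as an example and not part of the original article, is to let ssh tunnel through the jump server with ProxyJump so that the key stays on your workstation; the host aliases, the placeholder IPs and the ubuntu user on the DB server are assumptions.

```shell
#!/bin/sh
# Added example: an ssh_config that reaches the private DB server through the
# jump server with ProxyJump. vpc-kp.pem is read only on the workstation; the
# jump server merely forwards the TCP connection. Placeholder IPs are not
# values from the article.

write_jump_config() {
  cfg=$1
  cat > "$cfg" <<'EOF'
# Jump server in the public subnet (replace the placeholder with its public IP)
Host jump-server
    HostName JUMP_SERVER_PUBLIC_IP
    User ubuntu
    IdentityFile ~/Downloads/jumpServer-kp.pem
    IdentitiesOnly yes

# Private DB server: ssh opens a forward through jump-server and then
# authenticates with the local copy of vpc-kp.pem over that tunnel.
# (User ubuntu on this host is an assumption.)
Host private-dbserver01
    HostName PRIVATE_DBSERVER01_PRIVATE_IP
    User ubuntu
    IdentityFile ~/Downloads/vpc-kp.pem
    IdentitiesOnly yes
    ProxyJump jump-server
EOF
  chmod 600 "$cfg"
}

# Prints the ProxyJump target that the config assigns to HOST (empty if none).
proxyjump_for() {
  awk -v host="$2" '
    $1 == "Host"      { cur = $2 }
    $1 == "ProxyJump" && cur == host { print $2 }' "$1"
}

CFG="${TMPDIR:-/tmp}/ssh_config_example"
write_jump_config "$CFG"
proxyjump_for "$CFG" private-dbserver01   # jump-server
# With the key permissions already fixed (chmod 400 vpc-kp.pem):
#   ssh -F "$CFG" private-dbserver01
```

ProxyJump needs OpenSSH 7.3 or newer on the workstation; the jump server only needs TCP forwarding enabled, which is the sshd default.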
Let us check whether private-DBServer01 has internet access via the NAT Gateway by trying to update the packages.
Great 😊 packages are being updated from the internet.
So we have seen how to connect to an instance in a private subnet from a jump server in a public subnet.
Next is how to connect to EC2 instances placed in different VPCs.
CONNECTING EC2 INSTANCES ACROSS VPC
So far we have seen how to connect to instances within a VPC, but what if instances in different VPCs need to communicate?
Suppose that in a large project one team works on DB development and another on API development, and each has its own instances in its own environment in its own VPC.
Now, if the RDS database is in one VPC and the web server in a different VPC, how can we make connections between them?
To achieve this we have VPC Peering Connections, which connect two VPCs so that instances in them can communicate with each other.
The source (requester) VPC and destination (accepter) VPC can be in different regions or in different accounts.
SETTING UP VPC PEERING CONNECTION
Go to Peering Connections and click Create Peering Connection.
Here we are going to establish a connection between a VPC in the N. California region and one in the Ohio region.
First, switch to the Ohio region, go to the VPC service and note the VPC ID of the default VPC there. We need to enter this VPC ID while creating the peering connection, because the VPC we are connecting to is not in the same region as the requester VPC.
This is the default VPC ID in the Ohio region.
Now create a peering connection in the North California region, select Ohio as the destination region and enter the VPC ID.
Then click Create Peering Connection. We can see that the peering connection created in the North California region is waiting for acceptance from the target VPC in the Ohio region.
So we need to approve the request from the Peering Connections page in the Ohio region.
Click Accept. After acceptance we can see that the peering connection is in an active state in both the Ohio and North California regions.
After this, you still need routing rules and security group rules for effective communication: a route in each VPC's route table that sends traffic for the other VPC's CIDR block to the peering connection, and security group rules that allow that traffic.
NACL
NACL stands for Network Access Control List. It is an optional security layer for the VPC that is similar to a security group but is applied to subnets: like a firewall, it controls the traffic in and out of one or more subnets.
Setting up a network ACL adds an additional layer of security to your VPC on top of security groups.
To create a NACL, go to Network ACLs, enter the details as shown below and click Save.
Like security groups, a NACL also has inbound and outbound rules.
Security groups deny everything by default and allow only the traffic we specify, i.e. explicit allow, implicit deny. A NACL, in contrast, can contain both allow and deny rules.
NOTE
In a NACL the order of the rules is very important. Rules are evaluated in ascending order by rule number, and the first rule that matches the traffic is applied; later rules are not evaluated. Only when a rule does not match does evaluation move on to the next one.
RESTRICTING COMMUNICATION FROM ONE SUBNET TO ANOTHER
Now suppose we do not want public subnet 1 to allow any inbound communication from public subnet 2.
For this we have associated public subnet 1 with the NACL and added the rules below.
The first rule says that all traffic from instances in public subnet 2, i.e. 172.20.2.0/23, is denied, and the next rule says that everything apart from public subnet 2 is allowed.
The rules are evaluated in order, so the order is important: the deny rule must come before the allow rule.
SUMMARY
In this last article of the Getting Started with VPC series we learned how to connect to instances in a private subnet via a public subnet, how to set up a VPC peering connection, and how to use NACLs. I hope that through this series you now understand VPCs and their concepts, along with their implementation.
You can see some of the previous articles of this series here:
I hope you find this article helpful. Stay tuned for more … Cheers!!