AWS — Networking and Security
Let’s explore AWS — Networking and Security — Part 1
Let’s build our own Public Networking and Security and understand how it works
Many people think that an EC2 instance can be brought up just by creating a VPC and a Security Group.
But is that it? Not really.
AWS does a lot of heavy lifting behind the scenes that we are not aware of. It is both good and bad in a way: GOOD that we don’t have to do it ourselves, and BAD that we don’t know how it works or what we would have to do to make it work.
Let’s find out what we have to do in order to create our own network and security.
One last thing before diving in. We will learn and understand what the following are:
- Virtual Private Cloud (VPC)
- Subnets
- Security Group
- Route Table
- Internet Gateway
Scenario:
We are going to deploy two EC2 instances that will do the following:
- Web application which can be accessed by anyone.
- NodeJS Server which can only be accessed by the web application that we create.
Let’s see what the web application and NodeJS server code look like:
As you can see, it’s a simple weather application that just displays the details fetched from the NodeJS server.
1. Let’s create a VPC for our application
A VPC is a virtual network where we can run services such as EC2 instances and RDS. Think of it as your own private network in the cloud which you control.
If you noticed, AWS has a default VPC in every region (mine got deleted). But for this learning process, let’s create a new VPC.
a. Open your AWS console and navigate to the VPC window.
b. Click on the Create VPC button and you should see a form similar to the one below.
For now, we will choose VPC only under Resources to create.
It’s always a good practice to name your VPC with a proper context which will help you understand its intended use.
Keep the default selected options for IPv4 CIDR block, IPv6 CIDR block and Tenancy (we will cover CIDR blocks in a different blog).
Classless Inter-Domain Routing (CIDR) notation describes the range of IP addresses allocated to a resource. In this case, we are allocating an IP address range to our VPC.
c. Set IPv4 CIDR as 10.0.0.0/16
d. Click Create VPC
Now, we have our own VPC network 🎊🎊🎊
2. Let’s create a Public Subnet
As the name implies, a subnet is a segmented piece of a larger network. Think of it as a portion of the VPC that we created. Each VPC is allowed up to 200 subnets.
At this stage, we are going to create a Public Subnet because our EC2 instance should be shared/accessed from the outside world. We will see how to configure a Private Subnet when creating the NodeJS server in the next blog.
Navigate to Subnets, which can be found in the right side menu.
You might see some default subnets for the default VPC that AWS created in your console. Don’t worry about those.
a. Click on Create subnet
b. Select the VPC ID that we created in the previous step. (You will see a window similar to the one below.)
We are going to create two subnets, one for each availability zone.
It’s always a good practice to create subnets in multiple availability zones in case of any network failure.
Provide a proper name and availability zone for the two subnets. Provide the following IPv4 CIDR blocks for the two subnets. (We will see about these IP address splits in a different blog)
- 10.0.1.0/24
- 10.0.2.0/24
Hit Create subnet and you will find two subnets listed in your window as below.
Hooray 🥳 . We have our own VPC and subnets.
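To see what the two CIDR blocks above actually give us, here is an added example (not code from the original post) that uses Python’s standard ipaddress module to check that each subnet fits inside the 10.0.0.0/16 VPC, that the subnets do not overlap, and how many addresses an instance can really use. The reservation of five addresses per subnet is an AWS rule, not something the post states; the VPC and subnet values are the ones from the post.

```python
import ipaddress

# Values taken from the post: the VPC CIDR and the two public subnet CIDRs.
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (+1), the DNS resolver (+2), one reserved for future use (+3) and the
# broadcast address (the last one). This is an AWS rule, not from the post.
AWS_RESERVED_PER_SUBNET = 5


def subnet_report(vpc_cidr: str, subnet_cidrs: list) -> dict:
    """Validate that every subnet lies inside the VPC and does not overlap a
    sibling, then report the address range an EC2 instance can actually use."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    report = {"vpc": vpc_cidr, "vpc_addresses": vpc.num_addresses, "subnets": {}}
    for i, s in enumerate(subnets):
        if not s.subnet_of(vpc):
            raise ValueError(f"{s} is not inside VPC {vpc}")
        for other in subnets[i + 1:]:
            if s.overlaps(other):
                raise ValueError(f"{s} overlaps {other}")
        report["subnets"][str(s)] = {
            "total": s.num_addresses,
            "usable": s.num_addresses - AWS_RESERVED_PER_SUBNET,
            # first four addresses are reserved, so +4 is the first one AWS hands out
            "first_usable": str(s.network_address + 4),
            # the broadcast address is reserved, so the usable range ends one before it
            "last_usable": str(s.broadcast_address - 1),
        }
    return report


def remaining_slash24s(vpc_cidr: str, subnet_cidrs: list) -> int:
    """How many more /24 subnets could still be carved out of the VPC
    (useful when planning the private subnet for the NodeJS server)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = {ipaddress.ip_network(c) for c in subnet_cidrs}
    return sum(1 for candidate in vpc.subnets(new_prefix=24) if candidate not in used)


if __name__ == "__main__":
    import json
    print(json.dumps(subnet_report(VPC_CIDR, SUBNET_CIDRS), indent=2))
    print("remaining /24 subnets:", remaining_slash24s(VPC_CIDR, SUBNET_CIDRS))
```

Running it shows that a /24 has 256 addresses of which 251 are usable, and that 254 more /24 subnets remain in the /16, which is why the same VPC can later hold the private subnet for the NodeJS server without any renumbering.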
3. Let’s create an EC2 instance
Navigate to the EC2 window and click Launch instances
Couple of things that you have to do here:
- Give a proper name for the EC2 instance and choose the free tier Amazon Linux OS image.
- In Security groups, create a new security group (we will see how/why to update the security group at a later stage).
- In the Key pair (login) option, generate a new key pair or select an existing key pair that you already have.
Why do we need a key pair? That’s how we are going to SSH into our EC2 instance from our terminal.
Hooray 🥳. We have our own EC2 instance for the web application.
4. Let’s ssh to your EC2 instance
Let’s connect to our EC2 instance through SSH and see what happens.
1. Select the EC2 instance that you created and click the Connect button, which can be found at the top right corner.
2. Navigate to SSH client and copy the ssh command.
3. Open your Terminal, navigate to the folder where your key pair is present, paste the command and press Enter.
What happened? The terminal is showing something like the output below.
Why is the terminal not letting us ssh?
If you notice the IP address in the command, it starts with 10.0.X.X, which is a private IP address.
What do you mean by private IP address?
Inside a VPC network, many services such as EC2 and RDS will be running. These services can be referred to/reached through this private IP address (a kind of identity for the service). But you can’t use it to reach the service from outside the VPC network, i.e., through our browser or terminal.
Then how can we reach our EC2 instance?
Simple. We have to assign a public IP address to our EC2 instance, which can be used to reach it from outside our VPC network.
5. Let’s create and assign Elastic (public) IP address
An Elastic IP address is a public IPv4 address which is reachable from the internet. As we want our EC2 instance to be accessed from the outside world, we are going to create and assign an Elastic IP address.
Navigate to Elastic IPs (from the menu bar, go to Networks & Security -> Elastic IPs). Below is my Elastic IPs window. Let’s create a new one.
1. Click on Allocate Elastic IP address and you should see a window similar to the one below:
2. Click Allocate and you will find the newly created Elastic IP in your window.
So it’s done. But is it?
We still have to link this Elastic IP address with our EC2 instance. So, select the Elastic IP address that we created, click Actions and then Associate Elastic IP address. You should see a window similar to the one below:
1. Let the Resource type be Instance
2. Choose the EC2 instance that we created in the Instance field.
3. Click Associate
Did you face an issue like the one shown below?
Don’t worry. We are almost there. I promise.
As we all know, our EC2 instance is inside a VPC network and it needs a way to communicate with the outside world, some kind of gate.
That’s what we are going to do now. We are going to create a gate, which is called an Internet Gateway.
6. Let’s create Internet Gateway
An Internet Gateway is a VPC component that allows communication between our VPC and the internet. Think of it as the modem in our house which connects our laptop to the internet.
Search for Internet Gateways in the search bar; you can find it under Virtual Private Cloud. You should see something similar to the window below.
1. Click on Create Internet Gateway and you should see a menu similar to the one below.
2. Enter a name and click Create Internet Gateway
Now we have created a gateway. But we have to tell AWS to use this gateway for our VPC network. To do that, click on Actions and then click Attach to VPC. Then click on Available VPCs and select our VPC.
Click Attach internet gateway. That’s it. We have a gate for our VPC 🥳.
7. Link Elastic IP address to our EC2 instance
Now, let’s navigate to Elastic IPs and select the one that we created.
Follow the same steps that we did before (select our instance and then click Associate).
Hooray 🥳. We have our own public IP address for our EC2 instance.
8. Let’s link our Internet Gateway with our route table
Even though we have our public IP address and Internet Gateway, we still can’t SSH.
Why? Because we have to declare our Internet Gateway in our Route Table, so that AWS can route communication through the Internet Gateway.
A route table is a set of rules in our VPC network which is used to determine where data packets travelling over an IP network will be directed. Think of it as a directory which tells AWS where any network connection needs to travel.
Let’s do it. Navigate to Route tables by searching for it in the search bar.
You should see a Route table which was created when we created our VPC network.
a. Select the Route table that is associated with your created VPC. Then navigate to Routes and you should see one route configured as below:
The default route that is listed tells AWS that services inside the VPC network can communicate with each other. If you remember correctly, our VPC network is 10.0.0.0/16, hence the destination.
b. Now, click on the Edit routes button at the right corner of the table.
c. Click Add route and enter 0.0.0.0/0 (meaning any IP address, i.e., everything not matched by the local route).
d. In the Target input, search Internet Gateway and then select the one that we created. Then click Save changes.
Now the Routes table should look similar to the one below.
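The route table above, and the private-vs-public IP question from step 4, are easy to reason about once you see how a lookup works. The following is an added example, not code from the post or from AWS: it models the two routes from the Routes tab (the local route and our new default route), picks the target the way a VPC route table does (the most specific matching prefix wins), and lists why the earlier SSH attempt failed. The gateway id igw-EXAMPLE is a placeholder, not a real resource id.

```python
import ipaddress

# Constructed route table mirroring the post's final Routes tab: the local
# route AWS created with the VPC plus the 0.0.0.0/0 route we just added.
# "igw-EXAMPLE" is a placeholder, not a real internet gateway id.
ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),
]


def is_private(addr: str) -> bool:
    """True for addresses such as 10.0.X.X that only mean something inside the VPC."""
    return ipaddress.ip_address(addr).is_private


def lookup_route(dest_ip: str, routes=ROUTES):
    """Return the target a VPC route table would pick for dest_ip.

    As in a real route table, the most specific matching route (longest
    prefix) wins: 10.0.1.25 hits the /16 local route even though 0.0.0.0/0
    also matches it. Returns None when nothing matches (traffic is dropped)."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def diagnose(instance_ip: str, has_public_ip: bool, routes=ROUTES) -> list:
    """List the reasons the post's SSH attempt would fail, in the order the
    post discovers them. An empty list means the network path is in place;
    the security group is a separate check covered later in the post."""
    problems = []
    if is_private(instance_ip) and not has_public_ip:
        problems.append("instance only has a private IP; allocate and associate an Elastic IP")
    # probe with a well-known public address purely to exercise the route lookup
    target = lookup_route("8.8.8.8", routes)
    if target is None or not target.startswith("igw-"):
        problems.append("route table has no 0.0.0.0/0 route pointing at an internet gateway")
    return problems


if __name__ == "__main__":
    print("10.0.1.25 ->", lookup_route("10.0.1.25"))   # local
    print("8.8.8.8   ->", lookup_route("8.8.8.8"))     # igw-EXAMPLE
    print("before step 5:", diagnose("10.0.1.25", False, [("10.0.0.0/16", "local")]))
    print("after step 8: ", diagnose("10.0.1.25", True))
```

Note what the default route does not do: it never overrides the local route, so instance-to-instance traffic inside 10.0.0.0/16 still stays within the VPC, which is exactly what will keep the private NodeJS server reachable from the web server in the next part.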
9. Let’s finally connect to our EC2 instance
All done. All network settings are configured.
1. Before running the command, again navigate to your EC2 instance, click Connect and copy the ssh command. If you notice, it will now contain our public IP address.
2. Run the command in your terminal.
Hooray 🥳. We are connected.
10. Let’s add our HTML code into our EC2 instance
1. Run the following commands to install and start the httpd service.
sudo yum update -y
sudo yum install -y httpd
# make httpd start automatically on every boot
sudo systemctl enable httpd
# start the httpd service now
sudo systemctl start httpd
# legacy equivalent of the systemctl start above; harmless but redundant
sudo service httpd start
2. The commands above start the web server in our EC2 instance. Now let’s add our HTML code to it.
Enter the below commands in the terminal:
# the directory httpd serves files from
cd /var/www/html/
# create the HTML file with the nano editor
nano index.html
3. Paste the HTML code that we have (refer to the top of the blog) and save it.
11. Promise — One last step. Security Groups
One last step that we have to do in order to access our HTML page on the EC2 instance. We have to allow inbound requests (i.e., requests from the outside world) to our EC2 instance in the security group.
Security groups act as a firewall which controls the traffic allowed to and from the resources in our VPC. Think of it as a security guard for our VPC.
1. Navigate to Security Groups (search for it in the search bar) and then select the security group that is linked with our VPC.
2. Go to the Inbound rules tab and click Edit inbound rules.
3. Click Add rule. Enter All TCP and, in the source input field, enter 0.0.0.0/0
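Here is an added example (not code from the post or from AWS) of how a security group decides whether an inbound packet is admitted. It models the rule entered above (All TCP from 0.0.0.0/0) and, beside it, a tighter rule set that still serves the web page: HTTP from anywhere and SSH only from an admin range. The admin range 203.0.113.0/24 and the visitor addresses are documentation placeholders, chosen for the example and not from the post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # inclusive port range; ignored when protocol is "-1"
    to_port: int
    source: str      # CIDR the connection may come from


def rule_matches(rule: InboundRule, protocol: str, port: int, src_ip: str) -> bool:
    """One rule admits a packet only if protocol, port and source all match."""
    if rule.protocol != "-1":
        if rule.protocol != protocol:
            return False
        if not (rule.from_port <= port <= rule.to_port):
            return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def is_allowed(rules, protocol: str, port: int, src_ip: str) -> bool:
    """Security groups are allow-lists: a packet gets in if any rule matches
    and is dropped otherwise (there are no deny rules). They are also
    stateful, so the reply to an admitted request needs no outbound rule."""
    return any(rule_matches(r, protocol, port, src_ip) for r in rules)


# The rule from the post: All TCP (ports 0-65535) from anywhere.
POST_RULES = [InboundRule("tcp", 0, 65535, "0.0.0.0/0")]

# A tighter set that still serves the page. 203.0.113.0/24 is a documentation
# range standing in for "the network you administer from" (placeholder).
TIGHT_RULES = [
    InboundRule("tcp", 80, 80, "0.0.0.0/0"),
    InboundRule("tcp", 22, 22, "203.0.113.0/24"),
]

# Constructed sample connections: (protocol, destination port, source IP).
PROBES = [
    ("tcp", 80, "198.51.100.7"),     # a visitor loading the weather page
    ("tcp", 22, "203.0.113.10"),     # SSH from the admin range
    ("tcp", 22, "198.51.100.7"),     # SSH from an arbitrary host
    ("tcp", 3000, "198.51.100.7"),   # a typical NodeJS port, if it ran on this box
    ("udp", 53, "198.51.100.7"),     # not TCP, so neither rule set admits it
]


def compare(rules_a, rules_b, probes=PROBES) -> list:
    """Return the probes admitted by rules_a but not by rules_b, i.e. the
    extra exposure the first rule set carries over the second."""
    return [p for p in probes if is_allowed(rules_a, *p) and not is_allowed(rules_b, *p)]


if __name__ == "__main__":
    for probe in PROBES:
        print(probe, "post:", is_allowed(POST_RULES, *probe), "tight:", is_allowed(TIGHT_RULES, *probe))
    print("admitted only by the All TCP rule:", compare(POST_RULES, TIGHT_RULES))
```

The comparison shows that the All TCP rule from the post also admits SSH and any other TCP service from every address on the internet, whereas the tighter set exposes only port 80 to everyone. For a learning exercise the broad rule gets the page working quickly; on anything that stays up, narrowing it to the ports you actually serve is the first thing to revisit.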
FINALLY WE ARE DONE.
Now go to your EC2 instance and copy the public IP address. Open a new tab, paste it and press Enter. Make sure it’s http:// (not https://).
Next blog, we will see how to configure our private NodeJS server.
Please let me know in the comments about your thoughts. Thank you for your time and let’s meet again on the next blog soon.