Amazon Web Services (AWS) offers robust tools for configuring and managing Virtual Private Clouds (VPCs). This guide walks through setting up a VPC with layered security controls using the AWS Command Line Interface (CLI). By the end of the tutorial you will have created a VPC with a public and a private subnet, configured a security group, and implemented Network Access Control Lists (NACLs), all from the command line.
Lab Prerequisites:
- An AWS account with the necessary permissions to create and manage VPC resources.
- AWS CLI installed and configured with your AWS credentials.
Lab Steps:
Step 1: Signing in to the AWS Management Console
Using the AWS CLI instead of the console, set the default AWS Region to US East (N. Virginia) (us-east-1) by running:
aws configure set region us-east-1
Step 2: Creating a New VPC
Create a new VPC with the following command. Note the VpcId in the output; it replaces <vpc-id> in the later steps.
# IPv4-only VPC: the 10.0.0.0/16 block leaves room for the two /24 subnets created in Step 4
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --no-amazon-provided-ipv6-cidr-block
Step 3: Creating and Attaching an Internet Gateway
Create an internet gateway and attach it to the new VPC:
# Create an internet gateway (note the InternetGatewayId in the output)
aws ec2 create-internet-gateway
# Attach it to the VPC
aws ec2 attach-internet-gateway --internet-gateway-id <internet-gateway-id> --vpc-id <vpc-id>
Step 4: Creating Two Subnets
Create the public and private subnets inside the VPC's 10.0.0.0/16 range:
# Create the public subnet (it becomes "public" only once Step 5 routes it to the internet gateway)
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24
# Create the private subnet
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.2.0/24
Step 5: Creating Route Tables, Configuring Routes, and Associating Them with Subnets
Create one route table per subnet, add the internet route to the public one, and associate each table with its subnet:
# Create a public route table
aws ec2 create-route-table --vpc-id <vpc-id>
# Create a private route table (it keeps only the VPC-local route, so the private subnet has no direct internet path)
aws ec2 create-route-table --vpc-id <vpc-id>
# Configure the default route for the public route table via the internet gateway
aws ec2 create-route --route-table-id <public-route-table-id> --destination-cidr-block 0.0.0.0/0 --gateway-id <internet-gateway-id>
# Associate the public subnet with the public route table
aws ec2 associate-route-table --subnet-id <public-subnet-id> --route-table-id <public-route-table-id>
# Associate the private subnet with the private route table
aws ec2 associate-route-table --subnet-id <private-subnet-id> --route-table-id <private-route-table-id>
Step 6: Creating a Security Group
Create a security group in the VPC and add its inbound rules (security groups are stateful, so return traffic needs no separate rule):
# Create a security group
aws ec2 create-security-group --group-name whizlabs_securitygroup --description "Security group for multilayered VPC" --vpc-id <vpc-id>
# Add inbound rules to the security group
# SSH from 0.0.0.0/0 is a lab setting; outside the lab, narrow --cidr to the address range you administer from
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
# ICMP with --port -1 means all ICMP types and codes
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol icmp --port -1 --cidr 0.0.0.0/0
Step 7: Creating and Configuring a Network ACL
Create a NACL and add its rules. NACLs are stateless, so inbound and outbound rules are evaluated independently, and rules are applied in ascending rule-number order:
# Create a network ACL (a new custom NACL is not associated with any subnet until you associate it)
aws ec2 create-network-acl --vpc-id <vpc-id> --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=whizlabs_NACL}]'
# Configure inbound rules for the NACL
aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --rule-number 100 --protocol tcp --rule-action allow --ingress --cidr-block 0.0.0.0/0 --port-range From=22,To=22
aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --rule-number 200 --protocol icmp --rule-action allow --ingress --cidr-block 0.0.0.0/0
# Configure outbound rules for the NACL
aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --rule-number 100 --protocol icmp --rule-action allow --egress --cidr-block 0.0.0.0/0
# Ephemeral ports 1024-65535 carry the return traffic of inbound SSH sessions; without this rule the stateless NACL would drop it
aws ec2 create-network-acl-entry --network-acl-id <nacl-id> --rule-number 200 --protocol tcp --rule-action allow --egress --port-range From=1024,To=65535 --cidr-block 0.0.0.0/0
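As an added offline check, not part of the lab: this Python script audits JSON shaped like the `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` output for the resources created in Steps 6 and 7, flagging security group ingress open to 0.0.0.0/0, a NACL that is not associated with any subnet, and (because NACLs are stateless) inbound TCP allows with no egress rule covering ephemeral ports. The JSON samples and the sg-/acl- IDs are constructed placeholders.

```python
"""Offline audit of the lab's step-6 security group and step-7 network ACL.
SG_JSON and NACL_JSON are constructed samples shaped like the output of
`aws ec2 describe-security-groups` / `aws ec2 describe-network-acls`."""
import json

SG_JSON = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0EXAMPLE", "GroupName": "whizlabs_securitygroup",
 "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")

NACL_JSON = json.loads("""{"NetworkAcls": [{"NetworkAclId": "acl-0EXAMPLE", "IsDefault": false, "Associations": [],
 "Entries": [
  {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
  {"RuleNumber": 200, "Protocol": "1", "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"},
  {"RuleNumber": 100, "Protocol": "1", "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"},
  {"RuleNumber": 200, "Protocol": "6", "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
  {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": false, "CidrBlock": "0.0.0.0/0"},
  {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": true, "CidrBlock": "0.0.0.0/0"}]}]}""")

def world_open_ports(sg_desc):
    """Ingress rules (ICMP excluded) reachable from any IPv4 address, as (group, proto, from, to)."""
    hits = []
    for sg in sg_desc["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] == "icmp":
                continue
            if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                hits.append((sg["GroupName"], perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return hits

def covers_ephemeral(entry):
    """True if an egress entry allows the whole 1024-65535 return-traffic range (no PortRange means all ports)."""
    pr = entry.get("PortRange", {"From": 0, "To": 65535})
    return pr["From"] <= 1024 and pr["To"] >= 65535

def nacl_findings(nacl_desc):
    """NACLs are stateless, and a custom NACL guards nothing until it is associated with a subnet."""
    findings = []
    for acl in nacl_desc["NetworkAcls"]:
        acl_id, entries = acl["NetworkAclId"], acl["Entries"]
        if not acl["Associations"]:
            findings.append((acl_id, "not associated with any subnet"))
        egress_tcp = [e for e in entries if e["Egress"] and e["RuleAction"] == "allow" and e["Protocol"] in ("6", "-1")]
        for e in entries:
            if not e["Egress"] and e["RuleAction"] == "allow" and e["Protocol"] == "6":
                if not any(covers_ephemeral(x) for x in egress_tcp):
                    findings.append((acl_id, f"inbound rule {e['RuleNumber']} lacks an ephemeral-port egress allow"))
    return findings
```

Run against real output by replacing the two constants with `json.load(open(...))` of the CLI's saved JSON; the lab's own NACL passes the ephemeral check because of egress rule 200.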
Step 8: Launching 2 EC2 Instances
Launch the EC2 instances with the AWS CLI:
# Launch the public EC2 instance
aws ec2 run-instances --image-id