Hey guys, I've got a great lab for you. In
this lab, we're going to launch a network load balancer with an application running on a custom
TCP Port. So the topology will look like this: we have VPCA with a couple of instances running
in a Target group. We're going to have a network load balancer, and then we're going to assign
elastic IP addresses to the subnets in these two different availability zones. So that
means the network load balancer will have static public addresses. Now, bear in mind that
AWS does charge for the use of elastic IPs, whether they're used or not. That was a
change that they made to the pricing. However, for running them for a short period of time like
this, shouldn't cost more than a few pennies. On the right-hand side, we've got VPCB.
This is where our client is going to run that wants to access the application. And
we're going to use a network ACL so I can demonstrate whitelisting IP addresses. And this
is what the network ACL is going to look like: Now, most companies would not allow our custom
application on Port 8181. They will restrict all outbound ports from their VPC or from their
Network. And what we need to do then is open up the specific ports. Now, some standard ports
like web services ports might be open already, but 8181 is a custom Port, so it should
be closed by your security team. Then, when you go to the security team and say, 'I want
you to open this port,' they're going to say, 'Well, I don't want to open it to everything every
destination on the internet. Give me the specific IP addresses that we're going to allow access
to over this port number.' And in this case, we can give the elastic IP addresses for our
two subnets here on the left-hand side. Now, because we have a standard allow
for everything in our Network ACL, and I don't want to go into the complexities
of allowing all the different individual ports and bidirectional ports that we need,
I'm leaving that allow rule in there. And I've got a deny rule here. Normally,
if you have a very secure infrastructure, you'll deny this port by default, but I've had
to add in a deny rule. So we're going to allow using these two rules, and then there's a sort of
blanket deny. So we should only allow traffic to the elastic IPs of the network load balancer
using this particular Port range. So now, with all this in place, our client
should be able to access the network load balancer and the instances in these
two subnets. So let's go and build this out. So we're back in the console, and I'm going to
head over to the EC2 service and head down to launch templates. We need to create an ASG, so
we're going to need a launch template. So I'm going to call this one custom SAS. Scrolling
down a little way, I do want to choose the AMI. I'm going to choose the first one here,
Linux 2023 AMI. Scroll down a little further, instance type is going to be T2 Micro. Key pair
I don't need, so I'll just leave that and do not include for Security Group. I'm going to select my
web access Security Group, and I'm going to have to make sure I have my port open in there. We'll
do that shortly. And then I'm going to scroll all the way down, head over to advanced settings,
go to the bottom, and we have some user data. So in the course download in the Elastic
Load Balancing directory, you'll find the NLB user data shell script. This one is going to
create a simple Flask application using Python, and it's going to have a port number of
8181. When we connect to it on that port, the success response should be that we see a
simple welcome message here. So I'm going to copy all of that code, bring it back into my
user data, and then create my launch template. So now I can head back up to EC2, down
to Auto Scaling groups, create one, and I'll simply call this ASG. Select
my custom SAS app launch template, click on Next. I'm going to put this one
in the default VPC, and I'm going to select availability zones in US East 1A and 1B.
Click on Next, no load balancer at this point in time. We're just going to go through,
select 2 for desired capacity, 2 for minimum, and 2 for maximum. And that's all I need to do.
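Before the target group and its health check come up later in the lab, it helps to see what the pieces actually do on the wire. The following is an added example, not the lab's NLB user-data script or the course's Flask app: a small stand-in for the custom application on its TCP port, together with the two checks that matter here, the NLB's TCP health check (nothing more than a completed TCP handshake) and the curl-style HTTP GET the client will run. The welcome text and the 404 for other paths are constructed for the example.

```python
# Added example (not the lab's user-data script): a stand-in for the custom app
# on its TCP port, plus a TCP health check and a curl-style HTTP GET against it.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

APP_PORT = 8181                                   # the lab's custom port
WELCOME = b"Welcome to my custom SAS app\n"       # constructed response text


class AppHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the Flask app: 200 with the welcome text on /, else 404."""

    def do_GET(self):
        ok = self.path == "/"
        body = WELCOME if ok else b"not found\n"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def start_app(host="127.0.0.1", port=APP_PORT):
    """Serve the app in a background thread; port=0 picks a free port for testing."""
    server = HTTPServer((host, port), AppHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def stop_app(server):
    server.shutdown()       # stop serve_forever()
    server.server_close()   # close the listening socket so the port goes dark


def tcp_health_check(host, port, timeout=2.0):
    """What an NLB TCP health check does: healthy if the TCP handshake completes.
    It sends no request, so any listener on the port passes, even one that
    would answer 404 or 500 over HTTP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_get(host, port, path="/", timeout=2.0):
    """Equivalent of 'curl http://host:port/path': returns (status, body)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, body


def http_health_check(host, port, path="/"):
    """An HTTP health check on a path is only satisfied by a 2xx/3xx answer."""
    try:
        status, _ = http_get(host, port, path)
    except OSError:
        return False
    return 200 <= status < 400


if __name__ == "__main__":
    srv = start_app(port=0)
    port = srv.server_address[1]
    print("tcp health:", tcp_health_check("127.0.0.1", port))
    print("http health on /:", http_health_check("127.0.0.1", port))
    print("http health on /missing:", http_health_check("127.0.0.1", port, "/missing"))
    print("GET /:", http_get("127.0.0.1", port))
    stop_app(srv)
    print("tcp health after stop:", tcp_health_check("127.0.0.1", port))
```

The contrast between the two check functions is the point: the TCP check only proves something is listening on the port, which is exactly what the NLB target group will verify once it is switched from HTTP to TCP, while the GET is what the client's curl command against the load balancer's DNS name on port 8181 will see.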
I'll skip to review, scroll down, and launch. And my ASG is launching with my applications. Now
I want to make sure that my security group has the relevant port. So I chose the web access,
go to inbound rules, make sure you've got the port number here. So let's see, I've already done
it for mine, so I got Port 8181 from any source. Make sure you add that rule. The next thing we
need to do is we will need elastic IP. So let's see, we don't have any elastic IP addresses.
So I'm going to click on allocate, leave the default settings there, click on allocate. Do
the same again and now we have two elastic IPs available. Just remove that filter there, I
can see both elastic IPs. I now need to create a Target group. So let's come down to Target
groups. I'm going to create a new Target group, the target type will be instances. I'll call
this tg-NLB so I know what it is. And here, we're going to set to TCP and then 8181, so that's
the protocol and Port. The health check is going to use HTTP with the path /. We don't want that, it's not
going to work. Change it to TCP and then it will by default use the custom port number or you can
override it if you like. Okay, so let's click on next. And I've got two instances, so let's add
those, select both, click include as pending below and then create the target group. And
I've got my instances. Now I need to create the load balancer. So I've selected load balancers,
create. We're going to choose to create a network load balancer. I'll just call it NLB, it will be
internet facing IPv4. Default VPC is selected and I want to select US East 1A and 1B. This time I'm
going to select the option to use an elastic IP address and it's chosen one for me. Do the same
for US East 1B, make sure it's not the same, it is for me. So I need to go ahead and make sure
that we've got two different elastic IP addresses here. Then make sure we got the security group set
up correctly. I'm going to use web access again, it has the correct rule there for me. The
listener should be 8181 TCP. Okay, so now we have these different options with the network load
balancer. We're going to choose TCP 8181. Select your target group, now we can go ahead and create
the load balancer. While that's all launching, what I will do is open up EC2 again in a different
window and so that I can use a different VPC. I'll just change to a different region, so maybe I'll
change to US East Ohio here and we'll use the default VPC again. So here I just need to launch
an instance and we just want to have an instance that we can connect to using instance connect and
then run a curl command. So Linux 2023 T2 micro, don't need a key pair, do need to allow
SSH, so I'll just leave that option and then launch the instance. Now this is
going into the default VPC here in Ohio. So what I need to do is just head over to the VPC
Management console, and we're going to inspect the network ACL. Okay, so let's go to network ACLs,
making sure I'm in Ohio. Now I've only got one VPC here, the VPC is the default one, and we can see
that in the outbound rules for the network ACL, we have a rule numbered 100, and it's an allow
for all traffic. So what we'll do now is click on edit outbound rules,
and we want to create basically what I had in the slides. So back in the slides here, we've
got 97, 98, and 99. Remember these are in order, so it's going to check. We're trying to connect
to 8181 with a specific destination IP address, it's going to allow it, and then it's going
to check the next one. If the IP address is a different IP, anything else for that
port number is going to be denied. But all other port numbers will be allowed
by default. So let's put this in place. So what I want to do is add a rule. It's
going to be 97. Port range is 8181, and the destination is going to be one of those elastic
IP addresses. Back in the load balancer here, if we go to network mapping, we can see the
elastic IPs. So I'm going to select the first one, come back, paste, and add the CIDR block
as /32. That means an exact match: all 32 bits are fixed, so the range is that single address.
The next rule will be 98, also 8181, and then let's come back and allow this particular elastic
IP address as a /32. The next rule is purely just to make sure that we are denying to any other address
to prove that it's working. So any destination, this is a deny, the others are all allows. Okay,
so let's save the changes, and it's going to order them for us. So if I come back to outbound rules,
we can see we now have the correct rules in place. So let's see if we're able to connect to
our application now. We're not going to use these specific IPs because we know that
the resolution will happen through DNS. So what we can do is copy the DNS name of the load
balancer. So what we'll do now is we'll connect to our instance using EC2 instance connect,
and this should all work because we do have the relevant connectivity enabled through the
security group. We haven't modified anything in the network ACLs either to prevent this access.
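The outbound rules just saved (97 and 98 allow port 8181 to the two elastic IPs, 99 denies port 8181 to everything else, 100 is the default allow-all) are evaluated in rule-number order with the first match deciding. The following is an added example, not part of the lab, that models that evaluation so you can see why the order matters and what happens when 97 and 98 are removed, as the lab does at the end. The two elastic IP addresses are constructed placeholders; in the lab they come from the load balancer's network mapping tab.

```python
# Added example (not from the lab): a model of how a network ACL evaluates its
# outbound rules, using the lab's rule numbers 97, 98, 99 and 100.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluated in ascending order; the first match decides
    protocol: str     # "tcp", "udp", or "all"
    port_from: int    # inclusive port range (ignored when protocol is "all")
    port_to: int
    cidr: str         # destination CIDR for an outbound rule
    action: str       # "allow" or "deny"


# Constructed placeholder elastic IPs for the two NLB subnets; in the lab they
# are read from the load balancer's network mapping tab.
EIP_1A = "203.0.113.10"
EIP_1B = "203.0.113.20"
APP_PORT = 8181

OUTBOUND_RULES = [
    NaclRule(97, "tcp", APP_PORT, APP_PORT, f"{EIP_1A}/32", "allow"),
    NaclRule(98, "tcp", APP_PORT, APP_PORT, f"{EIP_1B}/32", "allow"),
    NaclRule(99, "tcp", APP_PORT, APP_PORT, "0.0.0.0/0", "deny"),
    NaclRule(100, "all", 0, 65535, "0.0.0.0/0", "allow"),  # default VPC allow-all
]


def evaluate(rules, protocol, dst_ip, dst_port):
    """Return 'allow' or 'deny' the way a network ACL would for one outbound flow.
    Rules are checked from the lowest number upward; the first rule whose protocol,
    port range and CIDR all match decides, and the implicit '*' rule denies the rest."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all":
            if rule.protocol != protocol:
                continue
            if not rule.port_from <= dst_port <= rule.port_to:
                continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def without(rules, *numbers):
    """The rule set with the given rule numbers removed (the lab removes 97 and 98
    to show that the deny in 99 then blocks access to the load balancer)."""
    return [r for r in rules if r.number not in numbers]


if __name__ == "__main__":
    cases = [
        ("tcp", EIP_1A, APP_PORT),            # allowed by rule 97
        ("tcp", EIP_1B, APP_PORT),            # allowed by rule 98
        ("tcp", "198.51.100.7", APP_PORT),    # some other host on 8181: denied by 99
        ("tcp", "198.51.100.7", 443),         # other ports still allowed by 100
    ]
    for proto, ip, port in cases:
        print(f"{proto} {ip}:{port} -> {evaluate(OUTBOUND_RULES, proto, ip, port)}")
    print("after removing 97 and 98:",
          evaluate(without(OUTBOUND_RULES, 97, 98), "tcp", EIP_1A, APP_PORT))
```

Two things the model makes visible: the deny in 99 only bites because it is numbered after the two specific allows, and network ACLs are stateless, so the return traffic from the load balancer to the client's ephemeral port is covered by the inbound rules, which the lab leaves at their default allow.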
So now what we want to do is run the curl command, and it's going to be to the DNS name of
the network load balancer followed by :8181, that's the port number, and let's see if that
works. Says welcome to my custom SAS app. And so I can keep rerunning this command, no
problem. It's all working. So we just proved that we're able to whitelist these two individual
IPs, and I can prove it to you for sure by coming back and changing these two. Let's
just remove those two rules, and now we just have a deny for that Port. Let's come back to the EC2
instance, run it again, nothing's happening. Okay, so we just broke that access. So we were able
to whitelist those specific IP addresses. Okay, hope you enjoyed that one. I have finished
with this particular lab. I will go back and just reset my rules so I don't leave anything I
don't want in place. I'll remove 99, and I need to go and terminate my EC2 instance as well. So
let's terminate this one. The other thing you'll need to do is back in US East where we started,
I'm going to delete my load balancer. We have to do this before we can release our elastic IPs,
but I don't want you to forget to release those IPs. So I've done that. I'm also going to delete
my auto scaling group to remove those instances. So give it a few minutes, then under elastic IP
addresses, select the address and click on release and release again, and it should successfully
release that address. If it says there's still an association, just give it another minute or
so, refresh here, and then release your address.