AWS VPC & Subnets For Beginners

Captions
If you've ever set up an EC2 instance on AWS, then you've already used a VPC, or virtual private cloud. It's the virtual networking environment on AWS that manages pretty much everything we do with networking. The configuration of the VPC determines how we can connect different pieces of our infrastructure together, and how we can connect those pieces to the public internet. In this video I'll explain what a VPC is, and I'll show you how to set up a VPC with both public and private subnets.

Let's say you want to host a web application in the cloud. You'll have a load balancer, some EC2 instances running your web application, a database, and maybe an S3 bucket for file storage. Before you set up any infrastructure, it's a good practice to set up a custom VPC for your project. This is an entire private network, so we specify the private IP address range that we will use within the VPC. Then, inside the VPC, we create subnets with their own private IP CIDR blocks. The VPC is placed within a region, and each subnet is placed within an availability zone. Then we can deploy EC2 instances or other compute services on these subnets. Each resource can be assigned a private IP address, and by default all resources within the VPC can communicate with each other, even across different availability zones. It works just as you would expect a private network to work. But by default a VPC is completely private: resources within a VPC can communicate with each other, but there's no access to other VPCs or access to the public internet. This is great for security, but terrible for a web app where we need users to connect to our application over the public internet. Within a VPC we can use other services to allow other types of networking. The most common is an internet gateway, which allows open networking on the public internet. So we can attach an internet gateway to some of the subnets; these will be public subnets, to allow connections over the public internet, but we can keep some of our subnets private.

So in this case the load balancer could be on the public subnets, but the database and the application instances are all on private subnets with no way of communicating with the outside world directly. This adds a really nice extra layer of security. This does also mean that I can't simply log into one of the private instances using SSH, because there's no way of directly connecting to them over the public internet. If resources need to remain private on private subnets but also need to communicate with other things outside of the VPC, there are other services we can use, like an S3 gateway to connect privately to S3 buckets, or a NAT gateway to allow connections out of the private subnet without allowing public access to it.

So I'm going to set up a VPC with a public and a private subnet, and I'll deploy an EC2 instance running nginx to the public subnet and a Node application to an instance on the private subnet. So I won't be able to connect directly to my Node application, but I will be able to connect to my nginx instance, and then that can forward traffic to my private instance. For my nginx instance I'll set that up from scratch, but for my private application instance running that Node application, I already have an AMI set up for it right here. It's a Node app that connects to an S3 bucket and kind of mimics Dropbox in a really simplified way, so I should be able to upload files and see those files from this web app.

So in AWS, first I need to go to the VPC console and create a new VPC. By default there is already one VPC set up in each region, and this is the default VPC that you just get with your Amazon account when you create it. The default VPCs are really just here so you can start deploying things easily and testing things, but they're not that great in production because they are completely open: they all have internet gateways, and anything you deploy will be accessible over the public internet. You can look at the different settings of the default VPC, but right now we just want to create a brand new VPC. So I'm going to click that Create VPC button and name this VPC. This is for my file application, so I guess I'll call this like "my files app VPC", I don't know. Then we need to provide an IPv4 CIDR block, so it's going to be the private network address range that we can use within this VPC. You'll generally want to use one of the private IP address ranges, so 10.0 or 172.31 or 192.168. This is very similar to normal private networking, with a few minor differences because it is all managed by AWS, and one of those is the netmask we can use. So if I wanted to use the 10.0.0.0 range, the minimum netmask I can supply here is 16, although usually if I was setting up a private network like this I could supply 8 here, but in AWS the minimum number is 16. I don't want to get too much into networking here, but the 16 here is saying that the first 16 bits will be preserved, and then anything after that, so these 16 bits, will be variable, so we have 2 to the power of 16 different IP addresses that we can use within this VPC. We'll leave the rest of the settings as the default settings and create this VPC. And that's it, we now have a VPC with no subnets, so we can't do anything with it.

So the next step is to actually create some subnets, and like I said, I'm going to create one public subnet and one private subnet. Generally though, you would want more subnets than this for your applications; you'd want both public and private subnets across different availability zones for redundancy, but we'll just create two right now. So I'm going to select my custom VPC here. I'll first create the public subnet, "public subnet 1", and we can select the availability zone here, which can be nice if you want to make sure you distribute across all of them, so I might just pick 2a for this. Then we have the CIDR block for this subnet within the VPC, so it must start now with 10.0, because that's my VPC CIDR block, and then we can specify any subnet range within that. To keep things simple, I'm just going to go 1.0/24. Since 24 of these bits are preserved, that's just these three numbers, and this number can be variable within this subnet, so I will get 2 to the power of 8 IP addresses, which is 255. Some of those will be used by AWS, so I think five of them are used maybe, so it might be 250 different IP addresses, which is more than enough for this case. And that is all I'm gonna do for this, so I'll create that subnet, and then I'll do the exact same thing again: I'll select my custom VPC, "private subnet 1", and then I gotta choose a different private IP range, so I'll just go 2.0/24 and create that subnet. Great, so now I have two subnets on my custom VPC, one that's going to be private and one that's going to be public. This is actually enough right now that I could go and create a new EC2 instance.

So right now I'm going to go create my new EC2 instance that will run my nginx server, and we'll put that on the public subnet. So I'm going to launch a new instance, and for this I'll use Amazon Linux 2, I'll do it on a t2.micro, and then here is where we configure the VPC that we're using. By default it will select the default VPC, but I now have my custom VPC, so I'll select that. It's going to go on the public subnet that I just created. By default it won't give this a public IP address, but I want to enable a public IP address because this is going to be connected to over the public internet. Then everything else I'm going to leave blank right now. If you wanted to, you could modify the network interfaces and assign a private IP manually, but I'm just going to let AWS do that for me. So I'll go to Add Storage, that's fine; Add Tags, that's fine; Security Group, I'm going to create a new security group here and I'll call this "public load balancer". I want to be able to SSH onto this instance, and I want to be able to connect through HTTP because this is going to be an HTTP server. So that looks good to me, Review and Launch, and then I'll launch this instance with my current key pair. So kind of a normal configuration, but I'm using my custom VPC now and it's on a public subnet. So I'm just going to change this name to be "load balancer", and once this is set up I should be able to log on to the instance using SSH, install nginx, and actually connect to this over HTTP. But remember, everything in a VPC is private by default, so I have no way of connecting to this instance in the VPC, and I can show you that right now. If I go to Connect and copy what I need to SSH from the SSH client, it will not even be able to try and connect to this instance, because my VPC is not allowing any access to the public internet. So in order to do that we need to set up an internet gateway.

So I'm going to go back to my VPC, and there's a few steps in setting up an internet gateway. It's a little bit more complex than it probably should be, so pay attention to all the steps here. The first thing I'm going to do is find the internet gateway. Where is it? There it is, Internet Gateways, and this is the internet gateway that is attached to the default VPC, so we need to create one for the custom VPC. So I'll just call this "my file app internet gateway", I think that's the name I'm going with, so I'll create this internet gateway. Once that's created I need to attach this to my VPC, so I'll select my custom VPC there and attach the gateway. So there's two steps there already. The next thing is to create a route table, and a route table is the thing within the VPC that manages where traffic goes. There's one already set up by default: if I look at my public subnet I'll be able to see that it is connected to the default route table, and this is what is allowing traffic to flow between the different subnets within this VPC. So by default there's a route table; it will allow private networking, but what I need to do now is create a new route table to allow connections to the public internet. So in the left bar here I need to select Route Tables, and I can see the default route table for the default VPC and my custom VPC, but I'm going to create a new route table now. I'll call it "my file app public route table", select my file app VPC and create the route table. Now within this route table I need to add a new route, or edit these routes. By default it will allow networking on the private subnets within the VPC; I'm going to add a route to say that any other address that the instances try to connect to can be forwarded to the internet gateway. So I'll select Internet Gateway and select the internet gateway that I just made, and this will now allow connections to and from the public internet for any subnet that is using this route table. So I'll save the changes. I now have that route table set up, and then I have to go to my subnets, go to my public subnet, go to the Route Tables tab and edit the route table association, because I need all my public subnets, any subnets that I want to be public in this VPC, to use my public route table instead of the default one. Click Save, and now anything that exists on the public subnet should have access to the public internet. So if I go back to my terminal window and try to SSH onto that instance, I now have access to that instance. My private subnet is still completely private, but my public subnet is now public on the internet.

So I'm going to start by installing nginx on this instance, and I'm going to start nginx: sudo systemctl start nginx. Now I should be able to connect to this locally. There we go, so from the instance I can connect to it, and if I visit the public IP address, so if I go back to my EC2 instance, select my load balancer and try to connect to this in my web browser, I should get that nginx landing page. So this instance is set up, it's working, and I can connect to it over the public internet.

The next thing I want to do is set up an instance on the private network. So I'm going to go to my AMIs, because I already have this file app set up, and I'm going to launch this, but in the private subnet. So t2.micro is good, we'll configure the instance details; again this is going to go on my files app VPC, the subnet is going to be the private subnet, and I'm not going to have a public IP address because I just can't connect to this over the public internet anyway. And then that's pretty much it actually. I'll just go to Next, Add Storage, Next, Add Tags. In the security group I'm going to create a new one for this application, so "private app" is probably a good enough name. I don't need SSH; what I want to allow is a TCP connection, custom TCP. This is a Node app that's running on port 8080, and for the source I only want to allow connections from within my VPC, so I'm going to select 10.0.0.0/16. Or I could go one step further and say that the only thing that can connect to this instance is something from my public subnet, so I could say 1.0/24 here, and then that would only allow connections from the public subnet. But I'm going to leave this so anything on the VPC is allowed to connect to this thing. So we'll Review and Launch, Launch, I don't need a key pair, and this instance should in a minute be completely set up. So I'm going to give this a name; I'll call this "private app instance". This doesn't have a public IP address, but it does have this private IP address right here, and this is one of the addresses that could be assigned on that private subnet with the CIDR block that I supplied. I can't connect to this instance over the public internet, but any instance on this VPC can still connect to anything else that's on the VPC. So although I can't SSH onto that instance, I can actually connect to the web app, since this terminal window that I've got open right now is logged in to an instance on the VPC. This instance can connect to my other instance, my other private instance. So if I try and curl the IP address at port 8080, it probably won't work just yet because it's still being set up, but in a minute, once the instance has set up, once the application is launched, I should be able to connect to that private instance from my public instance.

So the app is finished setting up, so now if I curl its private IP address at port 8080, I get all of the HTML that I need for that page. So again, this instance is completely private to the outside world, but I can connect to it from other instances on the same VPC. So since I have nginx installed, I'm just going to set this up as a reverse proxy, so it accepts traffic over the public internet and forwards that traffic to my application, which is running on my private instance. So I'll modify the nginx configuration file; I'm just going to replace this server block with a custom block that will forward traffic to my private IP address at port 8080. I have other videos on how to set up nginx like this, so I will leave a link to those in the description, but this should be enough. Now, if I save this file and restart nginx, and we go back to this page and refresh, it should now be forwarding it on to my private Node application, so it's just there as the reverse proxy.

This Node app, like I said, is just set up to read files and write files to an S3 bucket. So if I click on this View Files link, I'm going to get an error right now, because this instance is on the private subnet: it can't connect to anything, it can't connect to S3 buckets or any services on the public internet. This is great for security, nothing can connect directly to this instance and mess with my application, but it does also mean that I can't access an S3 bucket in this case, which is really inconvenient. So I have my public subnet, which can be accessed over the public internet and it can access things over the internet, so I could install nginx because my instance could connect to things on the internet. Then I have my private instance, which is completely private; nothing can connect to it unless it's on the same VPC and it connects to it over the private network. So this is great for security, because a hacker can't actually connect directly to any instances running on my private subnet. So in my next video I'm going to show you how you can connect to other services and the internet from a private subnet.
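As an added example (not the video's own code), the following Python model reproduces the layout built above and shows why the public subnet can reach the internet while the private one cannot: the VPC CIDR, the two subnets, the implicit "local" route every route table carries, the 0.0.0.0/0 route to the internet gateway that only the public route table gets, and the private app's security group rule. Subnet names, route-table names and the test address 203.0.113.10 are assumptions chosen for illustration.

```python
import ipaddress

# Constructed to mirror the video's layout (not the author's code):
# VPC 10.0.0.0/16, public subnet 10.0.1.0/24, private subnet 10.0.2.0/24.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {
    "public-1": ipaddress.ip_network("10.0.1.0/24"),
    "private-1": ipaddress.ip_network("10.0.2.0/24"),
}
# Route tables as (destination, target) lists. AWS adds the implicit "local"
# route to every table; only the public table gets 0.0.0.0/0 -> internet gateway.
ROUTE_TABLES = {
    "main": [(VPC_CIDR, "local")],
    "public": [(VPC_CIDR, "local"),
               (ipaddress.ip_network("0.0.0.0/0"), "igw")],
}
ASSOCIATIONS = {"public-1": "public", "private-1": "main"}
# Inbound rules of the private app's security group: TCP 8080 from the whole VPC.
PRIVATE_APP_SG = [("tcp", 8080, VPC_CIDR)]

def validate_subnets(vpc, subnets):
    """Every subnet must sit inside the VPC CIDR and none may overlap."""
    nets = list(subnets.values())
    for n in nets:
        if not n.subnet_of(vpc):
            raise ValueError(f"{n} is not inside {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True

def usable_hosts(subnet):
    """AWS reserves the first four and the last address of each subnet."""
    return subnet.num_addresses - 5

def route_target(subnet_name, dest):
    """Longest-prefix match of dest against the subnet's route table."""
    table = ROUTE_TABLES[ASSOCIATIONS[subnet_name]]
    ip = ipaddress.ip_address(dest)
    hits = [(d.prefixlen, t) for d, t in table if ip in d]
    return max(hits)[1] if hits else None

def is_public(subnet_name):
    """Public means internet-bound traffic is routed to an internet gateway."""
    return route_target(subnet_name, "203.0.113.10") == "igw"

def sg_allows(rules, src, port, proto="tcp"):
    """True if some inbound rule covers the source address, port and protocol."""
    ip = ipaddress.ip_address(src)
    return any(p == proto and prt == port and ip in cidr for p, prt, cidr in rules)
```

The private subnet's only route is "local", which is exactly why the Node instance can answer curl from the nginx instance but cannot reach S3 until a NAT gateway or S3 gateway endpoint is added.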
Info
Channel: Sam Meech-Ward
Views: 55,170
Keywords: aws vpc, amazon web services, aws tutorial, aws tutorial for beginners, virtual private cloud, aws subnet, amazon virtual private cloud, vpc aws tutorial, private subnet, public subnet, aws networking, amazon vpc best practices, aws vpc configuration, amazon vpc and subnets, vpc fundamentals, aws vpc endpoint, vpc in aws, aws vpc setup, amazon vpc, aws vpc tutorial
Id: TUTqYEZZUdc
Length: 16min 39sec (999 seconds)
Published: Mon Nov 15 2021