Building Infrastructure on AWS

Captions
If you are a network engineer and thinking of how to build your infrastructure on AWS, this tutorial is for you. In this specific video I am going to walk you through each and every step that is required so that you can build your own infrastructure. Let's get started.

I have divided this into two parts. In the first part we are going to see the business requirement and how we can map it to our AWS network, and in the second part we are actually going to deploy the infrastructure on AWS. Then we'll end by summarizing what we have learnt in this video. I strongly recommend that you do this process along with me so that you can learn by doing it. If you have not created your AWS account so far, please do so, so that you can get started with me.

So let's see. We have a requirement for setting up a new business infrastructure. Let us first go through the business requirement. There is a company called Gyanwala and they want to set up their new learning hub in India. The founder wants three separate departments: HR, IT and Finance. He has a requirement that each department will have separate systems, whether PCs or servers. Departments like HR and IT should be able to reach or connect to the internet, and the Finance department should not be connected to the internet. So this is our business requirement.

Let's have a look at this from a traditional approach perspective and how we can relate it to AWS. To start with, the founder thinks, "OK, I have to build this company; let me first decide where I'm going to build my company." So he picks an area, let's say Mumbai. In Mumbai he then decides to rent an apartment or a building where he is going to set up his office. Then he breaks this office into different floors. The first floor, or the topmost floor, he dedicates to various systems like PC1, PC2, and he tags it with the Finance department name. Similarly he dedicates the second floor to the HR department, and the floor next to it he dedicates to the IT department.

Now he has a requirement that any traffic going out from this building, whether it is from Finance, HR or IT, needs to have a specific path. So he builds a main door: anybody who wants to go out of the building will be going through this main door. And since he wants the HR and IT departments to have connectivity towards the outside world, he will connect the HR block to the door, and the same goes for the IT department as well.

So now, in this specific case, how can we correlate this to our AWS infrastructure? The first area which he has picked, for example Mumbai, in AWS terms is your region. So always, when you are trying to build up your infrastructure on AWS, you have to decide where you want to host your infrastructure; that is something called a region. Now within the region we are going to define a building, and in AWS terms the building represents a VPC. So you are going to create a large virtual network within which you will be deploying all your systems. Then the floors that you see, these floors represent subnets. The subnets reside in different availability zones; these are like different data centers. And then the main door which you see: any system which is part of the different subnets, if it has to go out of the network, has to connect to your main door, and that main door is your internet gateway. So I want my HR department systems and IT department systems to be able to reach the outside world, or in other words I would say they should have internet connectivity, so that's why I am going to map these subnets to my internet gateway. And since this connectivity is there, these types of subnets will be called public subnets, and the subnets which do not have internet connectivity going via your internet gateway are your private subnets. And the arrows that you see, which mainly tell the HR department "OK, if you have to go out you have to contact the main door", these are your route tables.

So with this we now have a pretty basic idea of the different components that we are going to configure in our AWS infrastructure. With this we can also see, for example at the PC level, whether it is a system or a web server that you plan to host, these will be called EC2 instances. So now, since we have got a basic idea, let's proceed with the actual demo of deploying all these components in our AWS infrastructure.

OK, so inside your AWS management console the first step which you would have to do is choosing the region. So from here I want to deploy my infrastructure in a specific region, so I have selected Mumbai as my region. Now from this Services section, or from the management console itself, if you come down you go to the Networking section. This is where we plan to start. Even though there are multiple default components, which we will go through, I want to build it right from scratch, so I will start with Networking & Content Delivery, where I will have a component called VPC. You just click on this. Once I click on VPC it will show me that at present one VPC is present in your Mumbai region. So by default AWS gives you all the different segments that we have discussed so far as a default option; you don't have to create all these unless you really want to. You can straight away log in and deploy your instance, but I do not want to do that; I want to show you right from scratch how you can build your infra.

So let's say first we'll select the Your VPCs section. In here we'll click on Create. I will give it a name as gyanwala-vpc, and whenever you are creating a VPC you have to define a specific block; your complete network will be represented by this CIDR block. So let us say I am choosing 192.168.0.0/16, and at present I want the tenancy to be just Default. If you want Dedicated you can choose that as well. Let me create this. So now my VPC is created. This is my VPC ID which is given by AWS, and at present if you expand here you can see this is my CIDR, and I can see the details from here as well.

Now once this VPC is created I have to define my subnets, which are for the different departments. So if I click on Subnets, in here you can see that by default there are three subnets which are created. These are the default subnets which are present in your configuration, but I want to create a new subnet. So let's go ahead and create a new subnet and give it a name as gyanwala, let us say, HR department: hr-subnet. This subnet has to belong to a VPC; I've just created my VPC, so I'll select this. And this subnet will always be part of a specific availability zone, so from here I'll select 1a. You can think of an availability zone as a separate data center with separate power and all these resources. And whenever you are creating your subnet you need to make sure that it is part of this main CIDR block. So for example in here I cannot put it as 0, let's say, /16; I cannot do this because this does not belong to the same block, so this block has to be divided further. So let us say I'm dividing it into 192.168.1.0/24. This 1.0 I'm dedicating to my HR segment. So let me create this. My subnet is created. This is my HR subnet; similarly I will also create a subnet for IT, and from here I've chosen the availability zone as 1b, and for this specific block I have decided to go with 2.0/24. Create. And then let me create one more subnet. From here I will choose the specific VPC and the availability zone will be 1c. Again for this I have chosen 192.168.3.0/24, and click on Create.

So till now I have chosen my specific region, or the area. I have also decided the building where I am going to build my infrastructure. I have also decided the different floors where I am going to put my different servers or PCs. Let me just rename these subnets. OK.

So now I will have to create a route table. In here you can see that by default, when you create a VPC, a route table also gets created. So for example you can see this is the route table which is associated with my VPC ID, and this VPC ID is the gyanwala VPC which we just created. But I don't want to use this; I want to use my own routing table. So I'll click on Create route table, and this I have to associate with my VPC. So now this route table is associated with my VPC, and at present, once you select this and click on Routes, you will be able to see the specific segment, the main CIDR which is associated and present; this is local. And if you see the subnet associations, at present none of the subnets which I have created are associated with this. So by default, when we create the subnets, unless you have associated them with your custom routing table they will be associated with your default or your main route table. This is the main route table which gets created when you create a VPC. But I want everything to be routed as per my routing table, so I am going to associate the route table with my subnets. So I'll click on Edit subnet associations and then select all three of these in here; I can see this is for HR, IT and Finance. Then click Save. So all my subnets are now associated as per this routing table. OK, this is done.

Now I have a requirement that the systems in my IT and HR should be able to reach the internet. So for this I'm going to create my internet gateway. By default you can see there will be a default internet gateway which is associated with your default VPC. Since I'm doing everything from scratch in this infra, I will be creating a new internet gateway, gyanwala internet gateway, and just click on Create internet gateway. Now once you create your internet gateway you have to tell AWS which building this internet gateway will be associated with; there are multiple buildings in AWS. So I have to make sure that this internet gateway is associated with your VPC. So I'll click on Actions and Attach to VPC, and from here select the VPC which I created, then click on Attach. So now my building is also ready, my door is also ready.

And in here, if you come down to the Security section, you will see two options: one is your Network ACLs and the next is your Security Groups. If you click on Network ACLs, by default when we create our subnets there is an ACL of the VPC that you can see getting generated, and this will be associated with the subnets which are part of my gyanwala VPC. In here you can see by default it says inbound rules: allow, outbound rules: allow. If you want, you can create your own network ACL from here. This ACL decides the traffic between the subnets. We also have the flexibility to restrict it even at the NIC level of the specific VMs that we are going to launch in different subnets, which is going to be controlled by our security groups.

So let's say for example in here I create a security group. Let's say my security group: this is for HR, HR department. And in here I have to define the inbound rules with respect to my system. So for example if I have to log in to my system, maybe on 22, I can choose SSH from here. Whom do I want to allow? Let's say I want to open it for everyone. By default nothing will be allowed. So if you want all your systems, all your source PCs, to have access to this specific VM that we are going to launch in the subnet, then we choose Anywhere. But again, it is not a best practice, so always try to limit it to specific IPs, wherein you can define your custom list, or My IP will take the IP address from where you have logged in. As of now I'm just doing it with Anywhere. And then let's say tags. These tags are optional but definitely useful in terms of identifying the different resources of your departments. So for example let me add a tag here: the tag will be Department and the value of this will be HR. And then let me create the security group. So in here I have an SSH rule to allow everyone for this specific HR.

Now let me also go ahead with creating the VMs. For example, now I want to launch my different systems in different subnets. So I'll be going to Services and EC2. EC2 is your compute service which gives you the ability to launch the different instances. Then we'll click on Instances, let's say click on Launch instance, and after launching an instance you will get an option wherein you'll be asked for an Amazon Machine Image. Each image is unique in terms of the specific product that you want to use. Maybe you want to utilize Linux; in Linux there are different variations, so the various images which are available will have different AMI IDs. This is Amazon Machine Image. You can create your own image as well, which we will be discussing in some other videos. So for now just understand that this is your basic AMI image based on what you are trying to launch. So for example let's say I want to launch my Amazon Linux, or let me just go with Red Hat. In here I can see Red Hat; there are different versions, so let me just select this. I'll accept this, continue.

Now once you have chosen or decided which platform you want to launch your instance on, like Linux or Windows, then you'll be asked to define the CPU and the memory for that specific resource. So in here at present I'm just going for t2.micro. There are different family types which are available. For example if you are choosing t2.micro you will be provided with 1 vCPU and 1 GB of memory; if you go with t2.large you will be provided with 2 vCPU and 8 GB of memory. Let me just select this, click on Next. Now in here, how many systems do I want, how many web servers do I want to launch? For now I just want to launch one instance. And which VPC am I going to launch this instance in? From here I will choose the gyanwala VPC, and the subnet: I'm going to define which subnet out of these I want to launch it in. So for example at present let's first start with ap-south-1a, which is my HR, and whether HR wants to connect to the outside world or not. For example I want the system which is launched in here to have internet access, so I'll choose this option as Enable, so that the system gets assigned a public IP address. After this you can also see a network interface which is getting assigned to this specific VM. Then we click on Next. In here you can see the storage; by default 10 GB is being added to your system. If you want, or if you have a higher requirement, you can either increase this or you can also add another volume. For now I'll leave this at the default. Click on Next: Add Tags. So add a tag: again I'm going to use my Department tag, and since this is what I'm going to launch in my HR, I'll set this to HR. Then click Next. From here I can choose the security group which I created; I'll select this, and Review and Launch, click on Launch.

So when you are trying to launch this specific instance you will be asked how you want to log in: whether you want to create a new key pair, or an existing key pair which you would have created earlier on your AWS account; you can choose either. For now I'm just going to choose the existing key pair. I'll acknowledge this; from the drop-down you'll select the key pair which is currently present in your AWS account. So we always need to make sure that later on, after the instance gets deployed, if you plan to log into the system you have this private key, so that you'll be able to successfully authenticate and will be able to SSH to the device. Then I'll click on Launch instance. So with this now, if we click on this icon, we can see the instance is getting initiated and the instance also got a public IP address, and this instance is being launched in 1a. This instance is associated with your HR security group. It will take a while while this is getting initiated.

Let me also create a security group for IT and Finance. If you want, you can have a common security group as well to control the different sets of systems, but it is totally up to your choice; it is a good practice to separate it out for different departments. So let me just choose this as security-group-finance for the Finance department, and from here I am going to choose the VPC, and in my inbound rules I am going to assign SSH from Anywhere. Then tags: I'm going to add my Department, and this was for Finance, so I'll just add the value as Finance. Now let me create one more security group, and from the drop-down I'll select the VPC, click on Add. If you want to allow multiple protocols you can add multiple rules as well. So for example if you want to host a web server on this specific VM that you are going to launch in this specific subnet, you also have to allow your HTTP rule from here. Then click on... I missed this, OK, source Anywhere. And then at the end I'll add a tag as well: Department as my IT. Create the security group. Now the security group is created.

Let me come back to my instances and let's launch a new instance. Let me select this quickly, selected, and from here I'll select my VPC and the subnet. We have already launched for HR; let's start with 1b, which is IT, and IT also wants to have access to the internet, so I'll just enable this option. Then click on Next. Add Storage is fine. Add Tag: again Department, this is my IT. And from here I'll select the existing group IT which I have created. So now let's Review and Launch, and again I'm going to use the same key to log into this specific instance, so I'll click on Launch.

Now let me go back and launch a new instance, and from here I again select the same VPC, and in the subnet section, since I'm going to deploy in my Finance subnet, I'll select Finance. Finance does not need to have connectivity towards the internet; nobody from the internet should be able to connect to the Finance systems either. So I don't want to assign any public IP to this specific system. Now let me just click on Next. I don't want to add any extra storage, so just click on Add Tags, and from here again Department, choose Finance. From the security groups I'll select my Finance, Review and Launch, use the same key. OK, so this specific region does not support t2.micro, so let me change this. Let us try t2.small. Yes, I want to continue. It does not support t2.small as well. OK, let's go back.

OK, so if we are stuck with this specific case wherein the specific instance type is not supported in our specific subnet or availability zone, let's check what we can do. If we go to Instance Types, and then maybe from here if I look for availability zone: I want to launch an instance in ap-south-1c, so let's see if I select this. I can see here these many different instance types are supported; let me just expand this, you know, these many different types. So let me go with the architecture which is supported: it is ARM, and a1.medium. So OK, now I have this information that in ap-south-1c I have to choose an AMI where the architecture is ARM and the instance type is a1.medium, or any of these you can go with. So now let's go back to the EC2 instances, launch an instance, and from here select this: the 64-bit ARM architecture. Select, and let's search for a1.medium. OK, it is already selected. Now let's go ahead with Next. I want one instance, and I want this to be in the gyanwala VPC, and this should be part of Finance. I don't want this to be accessible from the internet, so no public IP assignment. Now let's go to the storage section; I don't want to do any changes. Next, let's add the tag as Department: Finance. Next, and from this I'll choose the security group which is Finance, then Review and Launch, and Launch, select the same key, and launch the instance.

While this instance is getting initiated, let's have a look at the previous two instances which we have launched. In here you can see this one instance is launched in 1b. This is the public IP address which is assigned to my system, and the security group is IT, and this is in this VPC and associated with this specific subnet; this is my instance type. So let's say from the remote end I plan to log into the system. If I copy this, or I can click on Connect, and when you click on Connect you will see the option in which you can try to connect to this specific instance. So we need to make sure that we have this key file locally on our system. Now let me try to log in to the specific system. In here I can type in the details: this ec2-user is the default username, and the IP address of my instance. And now while you are trying to access this you need to give the key as well, so from Connection, SSH, Auth you need to make sure that you select your key. So let me choose my key. I have selected the key, then click on Open. Oh, I'm not able to connect, which means I missed something.

Let's go back to our EC2 console and check. In here I have my public IP assigned to the instance, OK. Now let's check the security group. As per my security group, let's check the rules: the inbound rules say that I should be able to access via SSH, so the inbound rule is fine. Now let's have a look at our VPC. My VPC is associated with the main route table; let's check the route table. In my route table, if I select this and click on Routes, in here you can see that at present it is only mentioning the details of your local subnet. So any packet which is hitting this VM will definitely come in, but in order for the system to respond back, the system does not know where to send the packet. So that is the part which we missed. Whenever we try to do this configuration from scratch we need to make sure that from the Routes section you click on Edit and add a route saying any network, send it to the internet gateway, and click on Save, Close. OK, now my routing also should be fine. Let's try accessing our instance once again. Hmm, and this time if I refresh this page I am able to get this screen and I have successfully logged in. In here if I type ifconfig I can see this is my local instance IP address which is assigned to my system.

Now let's check this for another system. OK, in here let's go back to our EC2 instances. This instance is part of 192.168.2.7; 2.7 should be this one, and this is from my IT department. And let's check for this: this is from my HR department. Let me try to log into this. Let's see, Connect, copy, and the same: I need to mention the key file in my SSH, and I'm successfully able to log in. In here if I type ifconfig, now 192.168.1.232, and this instance is 192.168.2.7. So let me see, can I ping between these two systems? From here I am trying to ping the IP address which is in my different segment. OK, the ping is not successful. Let's try pinging from this system to that system; this also is not successful. How about SSH? Let me try ssh ec2-user@... So you see I'm able to get the prompt, which means SSH is going through. I'll just put "no", I don't want to connect; I just wanted to show you that from this specific system, which is in a different department, when I'm trying to connect to the HR department... or from HR, let's try this from the other direction, let's say ssh ec2-user@ this IP; I'm getting this option as well. So now this means both ways I'm able to do SSH between the systems. The reason being, I have not allowed ICMP at my security group level, and that's why I am not able to ping but still able to SSH; I have allowed only SSH access to my system.

So let's go back. This is my system, this is the HR security group. Let's select this, and in here let us click on Edit inbound rules and add a rule for, let's say, ICMP from Anywhere, and just click on Save rules. So now I have modified it for ICMP. Let me also modify it for... let's go to Security Groups, where is it, OK, let us select our IT, and here Inbound rules, Edit, and let's add ICMP here as well. OK, now I have added ICMP in both directions. After adding ICMP let me try doing a ping and let's see if it is successful. Bingo, I'm able to ping from here; from here also I'm able to ping. So I have successfully allowed the ping connection as well as SSH, which was allowed as per my initial configuration itself. So you can limit the different ports at your specific instance level as well; based on the different services which are running on that specific instance, you can allow or deny specific protocols.

Let's say for example, I have also shown you, if by default you do not have the route, or you do not plan to... OK, let me just show you from here. Can I reach the internet? I'm able to reach the internet, and from this system, yes, I can reach the internet, because these two systems are connected to my internet gateway. How? As per my... where is it, let's go back to our Networking, VPC. You can see here the route table, and in this route table the subnets are associated, and within this you can also see, let me just show you the routes: we added this route. If for example I delete this specific route, you will observe that... OK, let me just delete this: Edit routes and delete this specific route, Save. The moment I do this I will lose access to my systems. You see, the systems are not responding now, and in a while it will just show as timed out. Or maybe let me try, if I try to do a duplicate session: no, this is not responding.

So this is how you can build each and every component. We can also install the various services as per your requirement on the instance itself. Let's say for example you want to make this instance a web server, so you can install Apache on it; or this server you want to make your database server, that also you can do. For those systems you do not want to have internet access, do not associate them with your internet gateway.

So to summarize what we have learnt in this basic tutorial: how we can create our VPC. We started first with selecting the region, then created our own VPC. In the VPC we then defined the different subnets for the different departments. Then I created my own routing table; this routing table I associated with my subnets. I created an internet gateway so that the systems can go out to the internet, and this internet gateway I associated with my VPC. After creating all this, I showed you that you can control the subnet communication based on the network ACLs, or at the VM level, the specific instance level that you are launching in your system, you can configure the various security groups, and within the security groups you can edit the different ports which you want to allow or deny. So this was about the network part. After this we saw how we can launch our instance. For launching the instance we clicked on Instances and then clicked on Launch instance; from here we went through the different options like selecting the AMI, selecting the instance type, the instance storage, adding specific tags and mapping the security groups to this specific instance that I want, and then launched it. We also came across a specific issue wherein specific AMIs we are not able to launch in a specific availability zone. How you can check this: we'll go to Services again, EC2, and from the Instance Types we can filter based on the availability zone in which you are looking for or planning to launch the specific instance; or some instances would be supported in all your availability zones, so you can do the filter that way as well.

So with this I would like to summarize and conclude this specific session. I hope you found this informative and now you will be able to deploy your environment by yourself. Thank you for watching.
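As an added example, not code from the video or its author: a small standard-library Python model of the design built in the walkthrough that checks the three department subnets against the VPC block and replays the two failures shown, the missing "any network to internet gateway" route that blocked the first SSH login, and the HR security group that allowed SSH but not ICMP. The admin address 203.0.113.10 and the igw-PLACEHOLDER id are constructed values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANYWHERE = ip_network("0.0.0.0/0")        # the console's "Anywhere" source
VPC_CIDR = ip_network("192.168.0.0/16")   # gyanwala VPC block from the walkthrough


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: IPv4Network
    az: str


@dataclass(frozen=True)
class SgRule:
    protocol: str          # "tcp", "udp" or "icmp"
    port: Optional[int]    # None for icmp
    source: IPv4Network


# The three department subnets created in the walkthrough
SUBNETS = [
    Subnet("hr", ip_network("192.168.1.0/24"), "ap-south-1a"),
    Subnet("it", ip_network("192.168.2.0/24"), "ap-south-1b"),
    Subnet("finance", ip_network("192.168.3.0/24"), "ap-south-1c"),
]

RouteTable = Dict[IPv4Network, str]       # destination -> "local" or an igw id


def validate_layout(vpc_cidr: IPv4Network, subnets: List[Subnet]) -> List[str]:
    """Every subnet must lie inside the VPC block (the console rejects one that
    does not) and no two subnets may overlap."""
    problems = []
    for s in subnets:
        if not s.cidr.subnet_of(vpc_cidr):
            problems.append(f"{s.name}: {s.cidr} is outside {vpc_cidr}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.cidr.overlaps(b.cidr):
                problems.append(f"{a.name} and {b.name} overlap")
    return problems


def is_public(routes: RouteTable) -> bool:
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    return routes.get(ANYWHERE, "").startswith("igw-")


def sg_allows(rules: List[SgRule], src: IPv4Address, protocol: str,
              port: Optional[int]) -> bool:
    """Security groups are stateful allow-lists: one matching inbound rule is
    enough, and the reply to an allowed request is let out automatically."""
    return any(r.protocol == protocol and r.port == port and src in r.source
               for r in rules)


def reachable(src_ip: str, vpc_cidr: IPv4Network, routes: RouteTable,
              rules: List[SgRule], has_public_ip: bool, protocol: str,
              port: Optional[int] = None) -> Tuple[bool, str]:
    """Can a packet from src_ip reach the instance, and can the reply get back?"""
    src = ip_address(src_ip)
    if src not in vpc_cidr:
        # From the internet the instance needs a public IP, and its subnet's
        # route table needs a default route to the IGW or the reply is dropped.
        if not has_public_ip:
            return False, "instance has no public IP"
        if not is_public(routes):
            return False, "no 0.0.0.0/0 route to the internet gateway"
    if not sg_allows(rules, src, protocol, port):
        return False, f"security group has no inbound rule for {protocol}/{port}"
    return True, "ok"


def walkthrough() -> Dict[str, Tuple[bool, str]]:
    """Replays the two failures from the video and their fixes."""
    admin_ip = "203.0.113.10"               # constructed: admin laptop on the internet
    it_ip = "192.168.2.7"                   # IT instance address seen in the video
    hr_sg = [SgRule("tcp", 22, ANYWHERE)]   # SSH from Anywhere, as created
    hr_sg_icmp = hr_sg + [SgRule("icmp", None, ANYWHERE)]
    fresh_rt = {VPC_CIDR: "local"}          # custom route table right after creation
    fixed_rt = {**fresh_rt, ANYWHERE: "igw-PLACEHOLDER"}   # after adding the IGW route
    return {
        "ssh_before_igw_route": reachable(admin_ip, VPC_CIDR, fresh_rt, hr_sg, True, "tcp", 22),
        "ssh_after_igw_route": reachable(admin_ip, VPC_CIDR, fixed_rt, hr_sg, True, "tcp", 22),
        "finance_no_public_ip": reachable(admin_ip, VPC_CIDR, fixed_rt, hr_sg, False, "tcp", 22),
        "ping_it_to_hr_before": reachable(it_ip, VPC_CIDR, fixed_rt, hr_sg, True, "icmp"),
        "ssh_it_to_hr": reachable(it_ip, VPC_CIDR, fixed_rt, hr_sg, True, "tcp", 22),
        "ping_it_to_hr_after": reachable(it_ip, VPC_CIDR, fixed_rt, hr_sg_icmp, True, "icmp"),
    }
```

Because all three subnets were associated with the one route table that received the internet gateway route, the Finance subnet is public by routing in this model too; only the missing public IP keeps its instance unreachable from the internet, so a separate route table without that route is the stronger way to keep it private.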
Info
Channel: F5 Trainer
Views: 1,912
Id: WQUXf16Pmb8
Length: 56min 2sec (3362 seconds)
Published: Fri Jul 10 2020