What You’ll Learn

What You’ll Need

You are a network engineer tasked with creating a cloud network. You have heard of AWS and know that it is the most popular cloud provider. You also know that AWS has a service called VPC. You are unsure what that means, but you know that you need to create a VPC for your staging and production instances. So, what do you need to know?

VPC stands for Virtual Private Cloud, which is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud.

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select.

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.

EC2 stands for Elastic Compute Cloud, a web service that provides secure, resizable computing capacity in the cloud. Think of it as a virtual machine in the cloud.

The rest is basic networking concepts. You need to create subnets, route tables, and security groups. You also need to create network ACLs.

Simple enough? Let’s go build out our VPC.

Let’s have a look at our network diagram. We have a VPC with two subnets—one public and one private. We also need to configure an internet gateway and create routes for our subnets.

VPC Diagram

First, let’s create a VPC:

  1. Log in to your AWS account
  2. Navigate to the VPC service.
  3. Click Create VPC.
  4. Under VPC Settings, select VPC Only.
  5. Create a new VPC with the following settings:
    • Name tag: CiscoU-VPC
    • IPv4 CIDR block: 10.0.0.0/16
    • IPv6 CIDR block: No IPv6 CIDR Block
    • Tenancy: Default
  6. Click Create VPC.

We created a VPC with a Classless Inter-Domain Routing (CIDR) block of /16, meaning that we have 65,536 IP addresses. We are going to use 256 addresses for each subnet.
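Before clicking through the console, it is worth checking the address plan on paper. The script below is an added example, not part of the Cisco U article; it uses Python's standard ipaddress module to verify that the tutorial's two /24 subnets fit inside the /16 VPC, do not overlap each other, and to count how many addresses each subnet can actually hand to instances (AWS reserves five addresses in every subnet, so a /24 yields 251 usable addresses, not 256). The subnet names and CIDRs are the tutorial's; the check functions are assumptions made for this example.

```python
# Added example (not from the Cisco U article): sanity-check the VPC address
# plan with Python's standard ipaddress module before building it in AWS.
import ipaddress

# Constructed from the tutorial's values: a /16 VPC with two /24 subnets.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "CiscoU-Public-Subnet": "10.0.1.0/24",
    "CiscoU-Private-Subnet": "10.0.2.0/24",
}

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (.1), the Amazon DNS resolver (.2), one address reserved for future
# use (.3) and the last (broadcast) address. Instances get the remainder.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Number of addresses AWS will actually assign to instances in this subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, subnets):
    """Return a list of problems with the plan; an empty list means it is valid.

    Checks that each subnet is a well-formed network address, lies inside the
    VPC block, leaves room for AWS's reserved addresses, and that no two
    subnets overlap (AWS rejects overlapping subnets in the same VPC).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    nets = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects host addresses such as 10.0.1.1/24
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside VPC {vpc}")
        if net.num_addresses <= AWS_RESERVED_PER_SUBNET:
            problems.append(f"{name}: {net} leaves no usable addresses")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def remaining_subnets(vpc_cidr, subnets, prefixlen=24):
    """How many more /prefixlen subnets the VPC can still hold."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    used = [ipaddress.ip_network(c, strict=True) for c in subnets.values()]
    return sum(
        1
        for candidate in vpc.subnets(new_prefix=prefixlen)
        if not any(candidate.overlaps(u) for u in used)
    )


if __name__ == "__main__":
    issues = validate_plan(VPC_CIDR, SUBNETS)
    print("plan OK" if not issues else "\n".join(issues))
    for name, cidr in SUBNETS.items():
        print(f"{name}: {cidr} -> {usable_hosts(cidr)} usable addresses")
    print(f"room for {remaining_subnets(VPC_CIDR, SUBNETS)} more /24 subnets")
```

Run it as-is to confirm the tutorial's plan is clean; change one subnet to 10.0.1.128/25 or 192.168.1.0/24 to see the overlap and out-of-VPC checks fire.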

These concepts should not be new to you. You probably have heard of CIDR blocks and subnetting if you come from a networking background. If you haven’t, may I suggest that you check out the CCNA certification course on Cisco U.

Now that we have our VPC created, let’s create our public subnet.

A public subnet is a subnet that has a route to the internet. It is usually used for resources that need access from the internet. In this case, the resource will be an EC2 instance.

All right, let’s create our public subnet:

PublicSub

  1. Navigate to the Subnets section in the VPC service.
  2. Click Create subnet.
  3. Create a new subnet with the following settings:
    • VPC ID: CiscoU-VPC
    • Subnet name: CiscoU-Public-Subnet
    • Availability Zone: No Preference
    • IPv4 CIDR block: 10.0.1.0/24
  4. Click Create subnet.

A few things to note:

OK, that was not that bad. Let’s do the same with our private subnet.

A private subnet lets us place resources that should have no internet access, which is excellent for security—for example, a Vault server that houses all secrets and tokens. You don’t want that to be accessible from the internet.

All right, let’s configure our private subnet:

PrivateSub

  1. Navigate to the Subnets section in the VPC service.
  2. Click Create subnet.
  3. Create a new subnet with the following settings:
    • VPC ID: CiscoU-VPC
    • Subnet name: CiscoU-Private-Subnet
    • Availability Zone: No Preference
    • IPv4 CIDR block: 10.0.2.0/24
  4. Click Create subnet.

Sweet! We now have a private subnet. Let’s move on to the next step.

Our next steps are to create an internet gateway and configure our route tables to make our public subnet reachable from the internet.

Before we get started on building our internet gateway, let’s talk about what an internet gateway is:

But before we start, let’s change the settings of our CiscoU-Public-Subnet to allow auto-assign of public IPv4 IP addresses.

ipv4

Select CiscoU-Public-Subnet:

  1. Click Actions.
  2. Select Edit subnet settings.
  3. Check Enable auto-assign public IPv4 address.
  4. Click Save.

Now let’s go ahead and build our internet gateway:

  1. Navigate to the Internet Gateways section in the VPC service.
  2. Click Create Internet Gateway.
  3. Create a new internet gateway with the following setting:
    • Name tag: CiscoU-IGW
  4. Click Create Internet Gateway.

Great! Let’s attach it to our CiscoU-VPC:

  1. Select CiscoU-IGW.
  2. Click Actions.
  3. Select Attach to VPC.
  4. Select CiscoU-VPC.
  5. Click Attach Internet Gateway.

OK, perfect, we’re almost there. We now have a way to get public IP addresses to our instances, but we don’t have a route created to direct traffic from our public subnet to the internet gateway.

Let’s create a route table and add a route to our internet gateway.

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. It is no different from a routing table in a router. As a network engineer, you should be familiar with the concept.

create-rt

Let’s create a route table for our CiscoU-Public-Subnet:

  1. Navigate to the Route tables section in the VPC service. Notice that we have a default route table that was created when we created our VPC.
  2. Click Create route table.
  3. Create a new route table with the following settings:
    • Name tag: CiscoU-Public-RT
    • VPC: CiscoU-VPC
  4. Click Create route table.

You now have a way to direct traffic from your public subnet to the internet gateway, but we have to define a route to do that.

route

Let’s define a route to our internet gateway:

  1. Select CiscoU-Public-RT.
  2. In the Routes tab, click Add routes.

Notice that we have a default route to resolve all traffic to the local VPC. This is a default route that was created when we created our VPC.

  3. Let’s create a catch-all route that will allow us to reach the public internet:
    • Destination: 0.0.0.0/0
    • Target: Internet Gateway
    • Select CiscoU-IGW.
  4. Click Save routes.
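To see why this one extra route is what makes the public subnet public, here is an added example (not from the Cisco U article) that models the two route tables as a router would: the local route AWS creates for every VPC plus the 0.0.0.0/0 route to CiscoU-IGW in CiscoU-Public-RT, and only the local route in the VPC's main route table, which the private subnet keeps using because we never associate it with anything else. The lookup picks the most specific matching prefix, exactly like a routing table on a router. The route tables are constructed from the tutorial's values; the internet gateway id is a placeholder, and the 198.51.100.7 test address is from the documentation range, not a real host.

```python
# Added example (not from the Cisco U article): longest-prefix-match lookup
# over the route tables built in this tutorial.
import ipaddress

# Each route is (destination CIDR, target). 'local' is the route AWS adds to
# every VPC; the igw target id below is a placeholder, not a real igw-xxxx id.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-CiscoU-IGW"),   # the catch-all route added in step 3
]
# The VPC's main route table: local only, so no path to the internet.
MAIN_RT = [
    ("10.0.0.0/16", "local"),
]

# Explicit subnet associations. A subnet with no explicit association falls
# back to the VPC's main route table, which is why the private subnet stays
# private without any extra configuration.
ASSOCIATIONS = {
    "CiscoU-Public-Subnet": PUBLIC_RT,
}


def table_for_subnet(subnet_name):
    """Route table a subnet uses: its explicit association, else the main table."""
    return ASSOCIATIONS.get(subnet_name, MAIN_RT)


def lookup(route_table, destination_ip):
    """Return the target for destination_ip, or None if no route matches.

    The most specific (longest prefix) matching route wins, so traffic to
    10.0.2.160 hits 'local' even though 0.0.0.0/0 also covers it.
    """
    dst = ipaddress.ip_address(destination_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=True)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def next_hop(subnet_name, destination_ip):
    """Where traffic leaving subnet_name for destination_ip is sent."""
    return lookup(table_for_subnet(subnet_name), destination_ip)


def has_internet_route(route_table):
    """True if unknown destinations are sent to an internet gateway."""
    target = lookup(route_table, "198.51.100.7")  # constructed external address
    return target is not None and target.startswith("igw-")


if __name__ == "__main__":
    for subnet in ("CiscoU-Public-Subnet", "CiscoU-Private-Subnet"):
        for dst in ("10.0.2.160", "198.51.100.7"):
            print(f"{subnet} -> {dst}: {next_hop(subnet, dst)}")
```

Note that the private instance (10.0.2.160 in the tutorial) is reached via the local route from either subnet, while an external address has a next hop only from the public subnet.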

Next, we need to associate our CiscoU-Public-RT to our CiscoU-Public-Subnet.

  1. Select the Subnet Associations tab.
  2. Click Edit subnet associations.
  3. Select CiscoU-Public-Subnet.
  4. Click Save associations.

Voilà! We now have a public subnet that has a route to the internet.

Let’s attach some computing to our newly created network.

EC2 is a web service that provides secure, resizable computing capacity in the cloud. Think of it as a virtual machine in the cloud.

EC2 can help with:

Let’s launch an EC2 instance in our CiscoU-Public-Subnet.

Navigate to the EC2 service:

  1. In the search bar, type EC2 and click the service.
  2. In the left pane, click Instances.
  3. Click Launch Instance.

Here is where we will configure our EC2 instance:

  1. Give your instance a name: CiscoU-EC2-Pub

  2. Select an Amazon Machine Image (AMI): Amazon Linux 2023 AMI

  3. Architecture: 64-bit (x86)

  4. Instance Type: t2.micro free tier eligible

  5. Key pair: Create a new key pair

    • Key pair name: CiscoU-EC2-Key-Pub
    • Key pair type: RSA
    • Key pair file format: pem for Mac and Linux, ppk for Windows
    • Click Create key pair.
    • Download the key pair and save it in a safe place. You will need it to connect to your public instance with Secure Shell (SSH).
  6. In the Network Settings section, click Edit. Let’s make sure that we are launching our instance in the right subnet:

    • Network: CiscoU-VPC
    • Subnet: CiscoU-Public-Subnet
    • Auto-assign Public IP: Enable
    • Firewall (Security Group): Create a new security group
      • Security group name: CiscoU-EC2-Pub-SG
      • Description: CiscoU-EC2-Pub-SG
      • Type: SSH
      • Source: My IP. Make a note of your IP address! For example, mine is 69.181.208.75/32.
      • Click Add Rule.
  7. Add another rule to allow SSH traffic:

    • Type: SSH
    • Source type: Custom
    • Source: Our VPC CIDR block, which is 10.0.0.0/16

    The rest of the settings can be left as is.

  8. Scroll down and click Launch instance.

  9. Once launched, click View All Instances to see your instance.

Next, let’s launch an EC2 instance in our CiscoU-Private-Subnet.

Here, we are going to create an EC2 instance in our CiscoU-Private-Subnet. This is a subnet that does not have a route to the internet. We will access this instance from our CiscoU-EC2-Pub instance.

Click Launch Instance:

  1. Give your instance a name: CiscoU-EC2-Priv
  2. Select an AMI: Amazon Linux 2023 AMI
  3. Architecture: 64-bit (x86)
  4. Instance Type: t2.micro free tier eligible
  5. Key pair: Create a new key pair
    • Key pair name: CiscoU-EC2-Key-Priv
    • Key pair type: RSA
    • Key pair file format: pem (because our public instance is a Linux instance)
    • Click Create key pair.
    • Download the key pair and save it in a safe place. You will need it to SSH into your private instance.
  6. In the Network Settings section, click Edit. Let’s make sure that we are launching our instance in the right subnet:
    • Network: CiscoU-VPC
    • Subnet: CiscoU-Private-Subnet
    • Auto-assign Public IP: Disable
    • Firewall (Security Group): Create a new security group
      • Security group name: CiscoU-EC2-Priv-SG
      • Description: CiscoU-EC2-Priv-SG
      • Type: SSH
      • Source type: Custom
      • Source: Our VPC CIDR block, which is 10.0.0.0/16. This way, our public instance can SSH into our private instance.
  7. Scroll down and click Launch instance.
  8. Once launched, click View All Instances to see your instance.
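The two security groups we just created decide who can actually open the SSH port, independently of routing. Below is an added example (not from the Cisco U article) that models both groups as the allow-lists they are and evaluates some connection attempts: your own IP to the public instance, an arbitrary internet host to the public instance, the public instance to the private instance, and your own IP straight to the private instance. It also flags any rule that opens a port to 0.0.0.0/0, the check a reviewer would run over a security group. The rules and 69.181.208.75/32 are the tutorial's values; the public instance's private address 10.0.1.25 and the external address 198.51.100.7 are constructed for the example.

```python
# Added example (not from the Cisco U article): evaluate the tutorial's
# security groups. A security group is a stateful allow-list: if an inbound
# connection matches a rule it is permitted and its return traffic is allowed
# automatically; anything with no matching rule is dropped.
import ipaddress

MY_IP = "69.181.208.75/32"      # the article's example "My IP" source
VPC_CIDR = "10.0.0.0/16"

# Each rule is (protocol, from_port, to_port, source CIDR).
CISCOU_EC2_PUB_SG = [
    ("tcp", 22, 22, MY_IP),       # SSH from my workstation only
    ("tcp", 22, 22, VPC_CIDR),    # SSH from anywhere inside the VPC
]
CISCOU_EC2_PRIV_SG = [
    ("tcp", 22, 22, VPC_CIDR),    # SSH only from inside the VPC
]


def ingress_allowed(rules, src_ip, protocol, port):
    """True if any rule in the group admits protocol/port from src_ip."""
    src = ipaddress.ip_address(src_ip)
    for proto, from_port, to_port, cidr in rules:
        if proto not in (protocol, "-1"):        # "-1" is AWS's "all protocols"
            continue
        if not (from_port <= port <= to_port):
            continue
        if src in ipaddress.ip_network(cidr, strict=True):
            return True
    return False


def wide_open_rules(rules):
    """Rules whose source is the whole internet; each deserves a second look."""
    everyone = ipaddress.ip_network("0.0.0.0/0")
    return [r for r in rules if ipaddress.ip_network(r[3], strict=True) == everyone]


def ssh_matrix():
    """Who can reach port 22 on which instance, per the tutorial's groups."""
    cases = {
        # (source, target group) -> allowed?
        ("my workstation -> public", ): None,
    }
    cases = {
        "my workstation -> public": ingress_allowed(CISCOU_EC2_PUB_SG, "69.181.208.75", "tcp", 22),
        "internet host -> public": ingress_allowed(CISCOU_EC2_PUB_SG, "198.51.100.7", "tcp", 22),
        "public instance -> private": ingress_allowed(CISCOU_EC2_PRIV_SG, "10.0.1.25", "tcp", 22),
        "my workstation -> private": ingress_allowed(CISCOU_EC2_PRIV_SG, "69.181.208.75", "tcp", 22),
    }
    return cases


if __name__ == "__main__":
    for case, allowed in ssh_matrix().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
    print("wide-open rules in public SG:", wide_open_rules(CISCOU_EC2_PUB_SG))
```

The private instance's rule only admits 10.0.0.0/16, so even if a route existed, a direct SSH attempt from your workstation would be dropped; the public instance, which sits inside the VPC, is admitted. Swapping the /32 "My IP" rule for 0.0.0.0/0 is the change wide_open_rules() would catch.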

That was a lot of work. We are almost there! Let’s SSH into our instances.

First, we’ll SSH into our CiscoU-EC2-Pub instance. From your Instances view, right-click CiscoU-EC2-Pub, and then click Connect:

  1. From the top navigation tab, select SSH client.
  2. Copy the SSH command.
  3. On your local machine, open a terminal and paste the command. For example, mine is ssh -i "CiscoU-EC2-Key-Pub.pem" ec2-user@54.191.237.93.

A couple of things to note:

Now that we are in our public instance, let’s set it up to SSH into our private instance, which is not accessible from the internet.

In your current terminal, run the following commands:

  1. Let’s copy over our private key to our public instance:
    • In your terminal, enter vi CiscoU-EC2-Key-Priv.pem to open a new file.
    • Press i to enter insert mode.
    • Open CiscoU-EC2-Key-Priv.pem in a text editor and copy the contents of the file.
    • Paste the contents of the file in your terminal.
    • Press esc to exit insert mode.
    • Type :wq and enter to save and exit.
  2. Let’s change the permissions of our private key:
    • In your terminal, enter chmod 400 CiscoU-EC2-Key-Priv.pem.
  3. Now, let’s SSH into our private instance:
    • Copy and paste the command from the Connect to your instance window. For example, mine is ssh -i "CiscoU-EC2-Key-Priv.pem" ec2-user@10.0.2.160.

You should now be in your private instance. Woo hoo!

Note: If you’d like to learn more about using Vim, you can find an introductory tutorial here or a more intermediate tutorial here

Congratulations! You are on your way to becoming a cloud networking expert.

We learned a lot here. Let’s summarize what we did:

All these are fundamental building blocks of cloud networking, but they are not so different from what we are used to in the networking world.

Learn More

What’s next? You can start by checking out the following: