Setting up the most basic infrastructure on AWS

Abdul Rehan
3 min read · Dec 8, 2020
Basic overview of the infrastructure

Why do we need two machines when we could use a single EC2 instance for both the database setup and the application deployment?

There are multiple reasons for it:

  1. It follows the basic principle of separation of concerns (SoC): the application layer is segregated from the database layer.
  2. If our production (application) machine is shut down or stopped, our data is still stored on a completely different machine.
  3. Probably the most important reason: our data should not be reachable from the Internet at all, only from the application machine itself.

Public subnet has a route to the Internet. Private subnet does not have access to the Internet.

Steps to create the infrastructure

  1. Create a separate VPC, say my-vpc. Do not use a wizard. This is in addition to the default VPC that AWS creates. Use 10.200.0.0/16 as the CIDR block and leave the rest at defaults.
  2. Associate my-vpc with an Internet gateway: create a new Internet gateway my-ig and attach it to my-vpc.
  3. Create 2 subnets — one public and one private.
  4. Public subnet:
    a. Name it my-public-subnet, select my-vpc, choose any availability zone, and use 10.200.0.0/24 as the CIDR block.
    b. To make it public, create a new route table — my-public-rt — in my-vpc.
    c. The route table has a default (local) route for traffic within the VPC. To enable Internet traffic, edit the route table and add a new route with destination 0.0.0.0/0 and my-ig as the target.
    d. Associate the route table my-public-rt with my-public-subnet.
  5. Private subnet:
    a. Name it my-private-subnet, select my-vpc, choose any availability zone, and use 10.200.1.0/24 as the CIDR block (10.200.1.0 rather than 10.200.0.0 because the 256 addresses of 10.200.0.0/24 are already taken by the public subnet).
    b. Create a new route table — my-private-rt — in my-vpc.
    c. The route table has a default (local) route for traffic within the VPC. No other routes are required, as there is no Internet traffic into the private subnet.
    d. Associate the route table my-private-rt with my-private-subnet.
  6. Create 2 EC2 instances — one each in the public and private subnets.
  7. EC2 instance in the public subnet — launch an instance of your choice. The key configurations are:
    a. Configure Instance details — select my-vpc as the Network, my-public-subnet as the subnet, and set Auto-assign public IP to Enable. Leave the rest at defaults.
    b. Add a tag with key Name and value my-public-ec2.
    c. Security group — name it my-public-sg-1. SSH: set Source to My IP, or keep it as Anywhere so that you can reach your public machine from anywhere.
    d. Launch, and create a key pair (or provide an existing key pair).
  8. EC2 instance in the private subnet — launch an instance of your choice. The key configurations are:
    a. Configure Instance details — select my-vpc as the Network, my-private-subnet as the subnet, and set Auto-assign public IP to Disable. Leave the rest at defaults.
    b. Add a tag with key Name and value my-private-ec2.
    c. The private EC2 instance must not be reachable from the Internet directly; it should only be opened for access from the public subnet. We will also allow ping from the public subnet. To do this, configure the security group as follows: name it my-private-sg-1. SSH: set Source to Custom with 10.200.0.0/24, i.e. only the public subnet. Allow ICMP from the same range for the ping.
    d. Launch, and create a key pair (or provide an existing key pair).
  9. The public instance will have a public IPv4 address; the private instance will not.
  10. Connect to the public EC2 instance from your local machine with:

      ssh -i <location of pem file> ec2-user@<Public IPv4 IP of public EC2>

      This establishes the connection.

  11. Ping the private IPv4 address of the private EC2 instance from the public EC2 instance. This should succeed, because my-private-sg-1 allows ICMP from 10.200.0.0/24.
  12. You cannot SSH into the private EC2 instance from your local machine, because it has no public IP address.
  13. To test SSH from the public EC2 instance to the private one:
    a. Copy the .pem file to the public EC2 instance.
    b. chmod it to 400.
    c. SSH to the private EC2 instance. This should succeed.
  14. You cannot connect to the Internet from the private EC2 instance, because its route table has no outbound route to the Internet.
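The reasoning behind the two-machine layout (the database is reachable only from the application machine, never from the Internet) and the hand checks in steps 11 to 14 can be written down as a small offline reachability model and re-run whenever the addressing or the security groups change. The Python below is an added example, not code from the original post or from AWS. It encodes a simplified version of the VPC rules: inbound from the Internet needs a public IP, a 0.0.0.0/0 route to the Internet gateway in the subnet's route table, and a matching security-group rule; traffic between subnets of the same VPC needs only a security-group rule, because every route table carries the implicit local route; outbound to the Internet needs a public IP and the 0.0.0.0/0 route. Network ACLs are assumed to be the default allow-all and security groups stateful. The VPC and subnet CIDRs are the post's values; the addresses 10.200.0.10, 10.200.1.10 and 203.0.113.10 (standing in for "My IP") are constructed sample values.

```python
"""Offline model of the two-subnet VPC from the post (added example, not the
post's or AWS's code). Assumed simplifications of AWS behaviour:
  * inbound from the Internet needs a public IP, a 0.0.0.0/0 route to the
    internet gateway in the subnet's route table, and a matching SG rule;
  * traffic between subnets of one VPC needs only a matching SG rule, because
    every route table carries the implicit "local" route;
  * outbound to the Internet needs a public IP and the 0.0.0.0/0 route;
  * network ACLs are the default allow-all and security groups are stateful.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One security-group ingress rule. port is ignored for icmp."""
    protocol: str                  # "tcp" or "icmp"
    port: Optional[int]
    source: IPv4Network


@dataclass
class Subnet:
    name: str
    cidr: IPv4Network
    has_igw_route: bool            # route table has 0.0.0.0/0 -> internet gateway


@dataclass
class Instance:
    name: str
    subnet: Subnet
    private_ip: IPv4Address
    public_ip: bool                # "Auto-assign public IP" enabled at launch
    ingress: list[Rule] = field(default_factory=list)


def validate_subnets(vpc: IPv4Network, subnets: list[Subnet]) -> list[str]:
    """Problems with the addressing plan: subnet outside the VPC block, or overlap."""
    problems = []
    for s in subnets:
        if not s.cidr.subnet_of(vpc):
            problems.append(f"{s.name} {s.cidr} is outside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.cidr.overlaps(b.cidr):
                problems.append(f"{a.name} {a.cidr} overlaps {b.name} {b.cidr}")
    return problems


def sg_allows(inst: Instance, protocol: str, port: Optional[int], src: IPv4Address) -> bool:
    """True if any ingress rule on the instance's security group matches."""
    for r in inst.ingress:
        if r.protocol != protocol or src not in r.source:
            continue
        if protocol == "icmp" or r.port == port:
            return True
    return False


def reachable(vpc: IPv4Network, src: IPv4Address, dst: Instance,
              protocol: str, port: Optional[int] = None) -> bool:
    """Can a packet from src reach dst on protocol/port?"""
    if src not in vpc:
        # From the Internet: a public IP and an IGW route are needed first.
        if not (dst.public_ip and dst.subnet.has_igw_route):
            return False
    return sg_allows(dst, protocol, port, src)


def can_reach_internet(inst: Instance) -> bool:
    """Outbound: SG egress is allow-all by default, so routing decides."""
    return inst.public_ip and inst.subnet.has_igw_route


# --- Constructed sample topology following the post's values -----------------
VPC = IPv4Network("10.200.0.0/16")
PUBLIC_SUBNET = Subnet("my-public-subnet", IPv4Network("10.200.0.0/24"), has_igw_route=True)
PRIVATE_SUBNET = Subnet("my-private-subnet", IPv4Network("10.200.1.0/24"), has_igw_route=False)
MY_IP = IPv4Address("203.0.113.10")   # constructed stand-in for "My IP" in my-public-sg-1

PUBLIC_EC2 = Instance("my-public-ec2", PUBLIC_SUBNET, IPv4Address("10.200.0.10"), public_ip=True,
                      ingress=[Rule("tcp", 22, IPv4Network("203.0.113.10/32"))])
PRIVATE_EC2 = Instance("my-private-ec2", PRIVATE_SUBNET, IPv4Address("10.200.1.10"), public_ip=False,
                       ingress=[Rule("tcp", 22, IPv4Network("10.200.0.0/24")),
                                Rule("icmp", None, IPv4Network("10.200.0.0/24"))])


def checks() -> dict[str, bool]:
    """The properties that steps 10 to 14 of the post verify by hand."""
    return {
        "step10_local_ssh_public": reachable(VPC, MY_IP, PUBLIC_EC2, "tcp", 22),
        "step11_ping_private_from_public": reachable(VPC, PUBLIC_EC2.private_ip, PRIVATE_EC2, "icmp"),
        "step12_local_ssh_private": reachable(VPC, MY_IP, PRIVATE_EC2, "tcp", 22),
        "step13_ssh_private_from_public": reachable(VPC, PUBLIC_EC2.private_ip, PRIVATE_EC2, "tcp", 22),
        "step14_private_to_internet": can_reach_internet(PRIVATE_EC2),
        "db_port_not_opened": reachable(VPC, PUBLIC_EC2.private_ip, PRIVATE_EC2, "tcp", 3306),
    }


if __name__ == "__main__":
    for problem in validate_subnets(VPC, [PUBLIC_SUBNET, PRIVATE_SUBNET]):
        print("addressing problem:", problem)
    for name, ok in checks().items():
        print(f"{name}: {ok}")
```

The last check is the one the post's reasoning really depends on: even from the public subnet, only the ports you explicitly opened in my-private-sg-1 are reachable, so the database port stays closed until you add a rule for it from 10.200.0.0/24. Swapping the public instance's SSH source for 0.0.0.0/0 (the "Anywhere" option) makes reachable() return True for any Internet address, which is exactly the exposure that choice buys.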

And that's how you create the basic infra in AWS.
