In this article, we will learn how to create a Virtual Private Cloud (VPC) and secure it for a production environment. To ensure high availability, we deploy servers in two availability zones using an auto-scaling group and load balancers. The servers live on private subnets and receive requests only through the load balancers; for outbound access they reach the internet through a NAT gateway. The VPC consists of both public and private subnets in each of the two availability zones, with each public subnet housing a NAT gateway and a load balancer node. Servers on the private subnets receive traffic from the load balancers and scale up or down as needed with the auto-scaling group. This setup keeps the servers off the public internet while still giving them reliable outbound connectivity through the NAT gateway.
Create VPC
Let's create a VPC as shown in the above preview.
The route tables direct the traffic: they connect the public and private subnets to each other and send outbound traffic from the private subnets through the NAT gateway.
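To make the subnet and route-table design concrete, here is an added example that is not part of the original article: it carves a VPC range into one public and one private subnet per availability zone, attaches the default routes the design calls for (internet gateway for public subnets, NAT gateway for private ones), and validates the result. The CIDR, zone names and resource ids ("igw-main", "nat-…") are constructed placeholders, not values from the page.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values for the example; the article does not give its own CIDRs or zone names.
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b"]


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    public: bool
    # Route table entries: destination prefix -> target ("local", "igw-*" or "nat-*").
    routes: dict = field(default_factory=dict)


def carve_subnets(vpc_cidr, azs):
    """Split the VPC range into one public and one private subnet per AZ."""
    vpc = ipaddress.ip_network(vpc_cidr)
    needed = 2 * len(azs)
    extra_bits = (needed - 1).bit_length()  # smallest prefix extension giving >= needed blocks
    blocks = list(vpc.subnets(prefixlen_diff=extra_bits))
    subnets = []
    for i, az in enumerate(azs):
        subnets.append(Subnet(f"public-{az}", str(blocks[2 * i]), az, True))
        subnets.append(Subnet(f"private-{az}", str(blocks[2 * i + 1]), az, False))
    return subnets


def build_layout(vpc_cidr=VPC_CIDR, azs=AZS):
    """Return (subnets, nat_home): the intended design with one NAT gateway per AZ,
    each placed in that AZ's public subnet. Gateway ids are placeholders."""
    subnets = carve_subnets(vpc_cidr, azs)
    nat_home = {f"nat-{az}": f"public-{az}" for az in azs}
    for s in subnets:
        s.routes[vpc_cidr] = "local"
        s.routes["0.0.0.0/0"] = "igw-main" if s.public else f"nat-{s.az}"
    return subnets, nat_home


def validate(subnets, nat_home):
    """Check a layout against the design goals and return a list of findings."""
    findings = []
    by_name = {s.name: s for s in subnets}
    nets = [ipaddress.ip_network(s.cidr) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"overlapping subnets {a} and {b}")
    for s in subnets:
        default = s.routes.get("0.0.0.0/0", "")
        if s.public:
            if not default.startswith("igw-"):
                findings.append(f"{s.name}: public subnet lacks an internet gateway default route")
        elif default.startswith("igw-"):
            findings.append(f"{s.name}: private subnet routes straight to the internet gateway")
        elif default.startswith("nat-"):
            home = by_name.get(nat_home.get(default, ""))
            if home is None or not home.public:
                findings.append(f"{s.name}: NAT {default} is not in a public subnet")
            elif home.az != s.az:
                findings.append(f"{s.name}: NAT {default} sits in {home.az}; an outage there "
                                f"cuts this zone off too")
        else:
            findings.append(f"{s.name}: no NAT default route, instances cannot reach the internet")
    return findings


if __name__ == "__main__":
    subnets, nat_home = build_layout()
    for s in subnets:
        print(f"{s.name:<22} {s.cidr:<16} default -> {s.routes['0.0.0.0/0']}")
    print("findings:", validate(subnets, nat_home) or "none")
```

The validator flags the two mistakes that most often undo this design in practice: a private subnet whose default route points at the internet gateway (which silently makes it public), and a private subnet that depends on a NAT gateway in the other zone, so that a single-zone outage takes both zones offline.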
Now, we need to create EC2 instances using an auto-scaling group so that servers can be scaled up and down when required.
Create EC2 using Auto Scaling Groups
EC2 -> Auto Scaling groups -> Create Auto Scaling group
Auto scaling groups can be created using a launch template.
Ensure the security group's inbound rules allow SSH access to the servers and port 8000, on which the app listens.
Create a launch template.
Once the launch template is created, configure the VPC, group size, and scaling policies.
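The inbound rules above decide who can reach SSH and port 8000 on the app servers. As an added example that is not part of the original article, the following audit compares a rule set that simply opens both ports with one that keeps the same ports but limits SSH to the bastion's security group and port 8000 to the load balancer's security group. The group ids ("sg-bastion", "sg-alb") and the admin address are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    port: int
    source: str  # a CIDR such as "0.0.0.0/0" or a security-group id such as "sg-alb"


# The only source that should reach each port on an app server (placeholder group ids).
APP_SERVER_EXPECTED = {22: "sg-bastion", 8000: "sg-alb"}

# Constructed rule sets. The first opens SSH and the app port to everyone; the second
# keeps the same ports but only from the bastion and the load balancer respectively.
WEAK_APP_RULES = [Rule(22, "0.0.0.0/0"), Rule(8000, "0.0.0.0/0")]
HARDENED_APP_RULES = [Rule(22, "sg-bastion"), Rule(8000, "sg-alb")]

# The bastion itself sits in a public subnet, so its SSH rule is a single admin address.
BASTION_RULES = [Rule(22, "203.0.113.10/32")]  # constructed documentation address


def audit_inbound(rules, expected):
    """Return findings for inbound rules wider than the design in `expected` allows.
    `expected` maps port -> the security-group id that should be the only source."""
    findings = []
    for r in rules:
        if r.source.startswith("sg-"):
            want = expected.get(r.port)
            if want and r.source != want:
                findings.append(f"port {r.port}: source {r.source}, design expects {want}")
            continue
        net = ipaddress.ip_network(r.source, strict=False)
        if net.prefixlen == 0:
            findings.append(f"port {r.port}: open to the whole internet ({r.source})")
        elif r.port in expected:
            findings.append(f"port {r.port}: CIDR source {r.source}, design expects only "
                            f"{expected[r.port]}")
        elif r.port == 22 and net.num_addresses > 1:
            findings.append(f"port {r.port}: SSH allowed from the range {r.source}, "
                            f"prefer single /32 addresses")
    return findings


if __name__ == "__main__":
    for label, rules, expected in [("weak app servers", WEAK_APP_RULES, APP_SERVER_EXPECTED),
                                   ("hardened app servers", HARDENED_APP_RULES, APP_SERVER_EXPECTED),
                                   ("bastion", BASTION_RULES, {})]:
        print(label, "->", audit_inbound(rules, expected) or "no findings")
```

Referencing security groups rather than CIDRs as the source means the rules keep working when the bastion or the load balancer nodes change addresses, and they say nothing to any host that is not a member of those groups.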
Now, let's go to EC2 to verify that two instances were created, one in each availability zone, and that they are running.
Create a Bastion server to access EC2 instances securely
Since the servers are deployed on private subnets, we cannot directly SSH into them. Therefore, we need to create a Bastion instance, which can be used as a jump server to connect to the servers.
Create the Bastion instance in the same VPC and ensure SSH is enabled in the rules.
Make sure that a public IP address is enabled and that one of the VPC's public subnets is selected in the network settings.
Now, launch the Bastion server.
Copy the PEM file from your local machine to the Bastion server so that it can connect to the other machines via SSH.
For Mac/Linux:
scp -i /path/to/your-key.pem /path/to/local-file.pem ec2-user@ec2-xx-xx-xx-xx.compute-1.amazonaws.com:/home/ec2-user/
To use scp (secure copy) on Windows, we need an SSH client installed. Windows 10 and later versions come with one by default; install the OpenSSH client only if it is missing:
- Press Windows + I to open Settings
- Go to Apps > Optional features
- Click Add a feature
- Search for OpenSSH Client and click Install
Or, if we are using MobaXterm, use the upload button to upload the PEM file to the Bastion server from the local machine.
- Once the PEM file is on the Bastion server, use the private IP address of the target server and SSH to it from the Bastion server using the PEM file.
ssh -i /path/to/your-key.pem ec2-user@private-ip
- If the PEM file on the Bastion server has permissions that are too open (for example, readable or writable by other users), SSH will refuse to use the key for security reasons. To fix this, we need to restrict the permissions of the PEM file. Here's how we can do it:
- To check the current permissions of the PEM file:
-rw-rw-r-- 1 ubuntu ubuntu 1674 Jan 26 10:12 devops_man.pem
To resolve this:
chmod 400 /home/ubuntu/devops_man.pem
Now we can SSH to the EC2 server from the Bastion server:
ssh -i /home/ubuntu/devops_man.pem ubuntu@10.0.144.75
Install an application on one of the EC2 servers
Install a basic Python app on the server that listens on port 8000.
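The article does not show the app's code, so here is an added minimal one (example code, not the article's own app): a small HTTP server on port 8000 that reports which instance answered, plus a /health path for the target group's health check. The /health path and the "served by" response format are assumptions of this example.

```python
import socket
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

APP_PORT = 8000  # the port the article opens in the security group and target group


def response_for(path, hostname=None):
    """Return (status, body) for a request path; kept free of I/O so it is easy to test."""
    hostname = hostname or socket.gethostname()
    if path == "/health":
        return 200, "ok\n"
    if path == "/":
        # Each instance has a different host name, so refreshing the page through
        # the load balancer shows which server in the target group answered.
        return 200, f"served by {hostname}\n"
    return 404, "not found\n"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = response_for(self.path)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        # Health checks from the load balancer arrive every few seconds; keep the log quiet.
        pass


def make_server(port=APP_PORT, host="0.0.0.0"):
    """Bind the app. On an instance in a private subnet, 0.0.0.0 is only reachable from
    inside the VPC, so who can connect is decided by the security group rules."""
    return ThreadingHTTPServer((host, port), Handler)


if __name__ == "__main__":
    server = make_server()
    print(f"listening on port {server.server_address[1]}")
    server.serve_forever()
```

Run it on each instance (for example under a systemd unit or in a tmux session), and point the target group's health check at /health so that an instance that stops answering is taken out of rotation instead of receiving traffic.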
With the Python app running on EC2, we create a load balancer to distribute the load across a target group. EC2 -> Load balancers -> Create Application Load Balancer
Ensure we select our VPC, both availability zones, and the public subnets.
Create a target group on port 8000, where the Python server is listening, and attach the load balancer to the target group.
Use the DNS name of the load balancer to check that it reaches the simple Python server.
Install the Python app on the second EC2 instance in the same way.
If we launch the Python app on multiple tabs of a browser, the load balancer will distribute the traffic between the two servers. This setup ensures that no single server becomes overwhelmed with too many requests. By spreading the load evenly, the load balancer helps maintain optimal performance and reliability of your application.
More detailed information about VPCs can be found here: AWS-VPC-Documentation