Setting up a Virtual Private Cloud (VPC) to host applications in a PROD environment using a bastion host
Objective
This project walks through creating a Virtual Private Cloud (VPC) in which servers can be used securely within a production environment.
To keep the application available during periods of high request load, the servers are deployed across two availability zones using AWS services such as Auto Scaling groups and Application Load Balancers.
To give the servers outbound internet access, we deploy a NAT gateway in each availability zone.
Summary
We aim to build a VPC spanning two availability zones, with a public and a private subnet in each. Each public subnet hosts a load balancer node and a NAT gateway. The application runs on servers launched by an Auto Scaling Group in the private subnets, and those servers reach the internet through the NAT gateways.
Because the application servers live in private subnets, as shown in the diagram below, they cannot be reached directly from the internet. This is where the bastion host becomes significant: it is the component that lets us access and manage these servers securely.
Definitions
VPC - A virtual network in the cloud that provides isolated, customizable networking for the resources and services running in a cloud environment.
EC2 - Offers resizable compute capacity in the cloud, allowing users to launch and manage virtual servers easily.
ASG - A feature that automatically adjusts the number of compute instances based on demand, maintaining performance while keeping costs under control.
ALB - A load balancer that distributes incoming HTTP/HTTPS traffic across multiple servers or resources, ensuring efficient utilization and preventing overload on any single server.
NAT gateway - A network component that lets multiple instances in a private subnet share a single public IP address for outbound internet access.
Bastion host / jump server - A hardened intermediary server that controls access between a private network and external networks, acting as the single, monitored entry point for administration.
Let's dive into the project.
Step 1: Creation of VPC
Go to the AWS console, search for VPC, then click the "Create VPC" button.
Select the "VPC and more" option, which creates the public and private subnets, route tables and network connections together. Customize the options according to the objective: enable the NAT gateway and disable the S3 gateway endpoint.
Click 'Create VPC', and we can see that the VPC has been created successfully.
Step 2: Create Auto Scaling groups
Go to EC2 in the AWS console, then select Auto Scaling Groups in the left navigation menu.
Click 'Create a launch template'; this lets us review the configuration and reuse the template as a reference later.
Enter a name for the template. Select the application and OS image (AMI) and the instance type.
Create a key pair and a security group. Make sure to select the VPC that we created in Step 1.
Add two inbound rules to the security group to allow traffic to the application: one of type SSH (port 22) with source type 'Anywhere', and one of type Custom TCP (port 8000) with source type 'Anywhere'.
We have completed the configuration for our project. Now, let's proceed by clicking 'Create launch template'.
The launch template has been created successfully.
Go back to Auto Scaling Groups in the console and click 'Create Auto Scaling group'.
Choose launch template:
Enter a name for the ASG and choose the recently created launch template from the drop-down. Click 'Next'.
Choose instance launch options:
Select the VPC created in Step 1. Since we aim to deploy our application securely, select the private subnets in the two availability zones. Click 'Next'.
Configure advanced options:
Do not attach a load balancer or VPC Lattice service. Enter the health check grace period. Click 'Next'.
Configure group size and scaling policies:
Set the desired capacity to 2, the minimum to 1 and the maximum to 4. Click 'Next'.
Launch your ASG:
Under Auto Scaling Groups we can see that the ASG has been created successfully.
Let's head over to Instances and verify that the EC2 instances have been created in the two availability zones.
Both servers are up and running.
Now that our instances are ready, we can deploy our application onto them. To do that, we would normally need a public IP address to SSH into the remote server. As you can see from the image below, our instances sit in a private subnet only and have no public IP address.
The bastion host comes to the rescue. It is like a security guard stationed at the entrance of a fortress: a hardened gateway between the internet and the private network, acting as a protective barrier. This "guard" checks and controls who can enter the network from outside, making sure only authorized people get in while keeping out potential threats.
STEP 3: Create the bastion host/ jump server
Launch an EC2 instance and make sure it is configured as follows:
In the same VPC
In a public subnet
Auto-assign public IP enabled
A new security group
Inbound rule set to SSH (port 22), since we need to log in to this server from our local machine.
Click 'Launch instance'.
We can view it under 'Instances'. Now, all three servers are up and running.
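The security-group rules created in Step 2 (SSH and port 8000 from 'Anywhere' on the application servers) and in Step 3 (SSH on the bastion) are exactly the rules a reviewer checks in this pattern: the application servers should accept SSH only from the bastion's security group and port 8000 only from the load balancer's security group, and the bastion should accept SSH only from known administrator addresses. The following is an added audit script, not part of the original walkthrough. It reads dictionaries in the shape of `aws ec2 describe-security-groups` output; all group IDs and CIDRs in it are constructed sample values.

```python
"""Audit the two security groups from Steps 2 and 3 for the bastion pattern.

Added example, not part of the original walkthrough. Input mirrors the shape of
`aws ec2 describe-security-groups` output (one dict per group with an
IpPermissions list). Every ID and CIDR below is a constructed sample value.
"""
from typing import Dict, List, Optional

ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers_port(perm: Dict, port: int) -> bool:
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    if perm.get("IpProtocol") == "-1":            # "All traffic" rule
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm: Dict) -> List[str]:
    """Flatten a rule's CIDR and security-group sources into plain strings."""
    srcs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    srcs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    srcs += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return srcs


def audit_app_sg(app_sg: Dict, bastion_sg_id: str, alb_sg_id: str,
                 ssh_port: int = 22, app_port: int = 8000) -> List[str]:
    """Findings for the application servers' group: SSH should come only from
    the bastion's group and the app port only from the load balancer's group."""
    findings = []
    gid = app_sg["GroupId"]
    for perm in app_sg.get("IpPermissions", []):
        for src in _sources(perm):
            if _covers_port(perm, ssh_port) and src != bastion_sg_id:
                findings.append(f"{gid}: SSH/{ssh_port} reachable from {src}; "
                                f"restrict source to {bastion_sg_id}")
            if _covers_port(perm, app_port) and src != alb_sg_id:
                findings.append(f"{gid}: port {app_port} reachable from {src}; "
                                f"restrict source to {alb_sg_id}")
    return findings


def audit_bastion_sg(bastion_sg: Dict, admin_cidrs: List[str],
                     ssh_port: int = 22) -> List[str]:
    """Findings for the bastion's group: SSH only from known admin addresses."""
    findings = []
    gid = bastion_sg["GroupId"]
    for perm in bastion_sg.get("IpPermissions", []):
        if not _covers_port(perm, ssh_port):
            continue
        for src in _sources(perm):
            if src in ANYWHERE or src not in admin_cidrs:
                findings.append(f"{gid}: SSH/{ssh_port} reachable from {src}; "
                                f"allow only {', '.join(admin_cidrs)}")
    return findings


# Constructed sample IDs (placeholders, not real AWS resources).
BASTION_SG_ID = "sg-bastion-EXAMPLE"
ALB_SG_ID = "sg-alb-EXAMPLE"
ADMIN_CIDR = "203.0.113.10/32"   # documentation range standing in for the admin's IP


def _tcp_rule(port: int, cidr: Optional[str] = None, sg: Optional[str] = None) -> Dict:
    """Build one IpPermissions entry for a single TCP port."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": sg}] if sg else []}


# As the walkthrough creates them: SSH and port 8000 open to "Anywhere".
APP_SG_AS_CREATED = {"GroupId": "sg-app-EXAMPLE", "IpPermissions": [
    _tcp_rule(22, cidr="0.0.0.0/0"), _tcp_rule(8000, cidr="0.0.0.0/0")]}
BASTION_SG_AS_CREATED = {"GroupId": BASTION_SG_ID, "IpPermissions": [
    _tcp_rule(22, cidr="0.0.0.0/0")]}

# Hardened form: sources are the bastion / ALB security groups and the admin IP.
APP_SG_HARDENED = {"GroupId": "sg-app-EXAMPLE", "IpPermissions": [
    _tcp_rule(22, sg=BASTION_SG_ID), _tcp_rule(8000, sg=ALB_SG_ID)]}
BASTION_SG_HARDENED = {"GroupId": BASTION_SG_ID, "IpPermissions": [
    _tcp_rule(22, cidr=ADMIN_CIDR)]}

if __name__ == "__main__":
    for name, findings in [
        ("app SG as created", audit_app_sg(APP_SG_AS_CREATED, BASTION_SG_ID, ALB_SG_ID)),
        ("app SG hardened", audit_app_sg(APP_SG_HARDENED, BASTION_SG_ID, ALB_SG_ID)),
        ("bastion SG as created", audit_bastion_sg(BASTION_SG_AS_CREATED, [ADMIN_CIDR])),
        ("bastion SG hardened", audit_bastion_sg(BASTION_SG_HARDENED, [ADMIN_CIDR])),
    ]:
        print(f"{name}: {findings or 'OK'}")
```

Referencing a security group as the source (the `UserIdGroupPairs` form) rather than a CIDR is what makes the rule survive instance replacement by the Auto Scaling group: new instances inherit the group, so no IP addresses need updating. Against live data, replace the constructed dictionaries with the `SecurityGroups` entries returned by `aws ec2 describe-security-groups --group-ids <id>`.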
Log in to the Bastion host:
Open your terminal.
Navigate to the directory where the key pair was saved when it was created in Step 2, or
Use the following command to copy the key pair to the bastion host.
Why do we need to copy the key pair from our local machine to the bastion host?
We are using the bastion host as the entry point to log in to our application servers, which sit in the private subnet, and that second hop needs the same key pair.
Replace the placeholders in angle brackets "<>" in the commands with your own values.
scp -i /home/c/Downloads/keypair.pem /home/c/Downloads/keypair.pem ubuntu@<public ip address>:/home/ubuntu
SSH into the jump host and run 'ls' to check whether the key pair is present.
Also note that once we are logged in, the terminal prompt changes to show the private IP address of the jump host.
ssh -i "<keypair.pem file>" ec2-user@<public ip address>
STEP 4: Deploy the application in one of the private subnets
First, to deploy the application we need to log in to an instance in the private subnet. Since we only have its private IP address, we log in from the bastion server.
Log in to the private instance from the bastion server by entering the following command in the terminal.
ssh -i "<keypair.pem file>" ec2-user@<private ip address>
You will notice that the prompt has now changed to the private IP address of the application server.
Let's create a simple HTML application and run it on this server.
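The two-hop login above (Steps 3 and 4) copies keypair.pem onto the bastion so that the second `ssh` can use it. OpenSSH's ProxyJump option (`ssh -J`) achieves the same hop by tunnelling the connection to the private instance through the bastion, so the private key never leaves the workstation and the scp step is not needed. The following script is an added example, not part of the original post: it renders an `~/.ssh/config` fragment for the bastion and the private instances, produces the equivalent one-off command, and checks the fragment for the mistakes that would break or weaken the setup. The addresses and user names in it are constructed placeholders; the key path is the one used in the post.

```python
"""Reach the private instances through the bastion with OpenSSH ProxyJump.

Added example, not part of the original walkthrough. It is an alternative to
copying keypair.pem onto the bastion: with ProxyJump (ssh -J) the second hop is
tunnelled through the first, so the private key stays on the workstation.
Addresses and user names below are constructed placeholders.
"""
import shlex
from typing import Dict, List


def build_ssh_config(bastion_ip: str, private_ips: List[str], key_path: str,
                     bastion_user: str = "ec2-user", app_user: str = "ec2-user") -> str:
    """Render an ~/.ssh/config fragment: one bastion entry plus one app entry
    per private IP, each app entry hopping through the bastion alias."""
    block = ["Host bastion",
             f"    HostName {bastion_ip}",
             f"    User {bastion_user}",
             f"    IdentityFile {key_path}",
             "    IdentitiesOnly yes",       # offer only this key, not every agent key
             ""]
    for n, ip in enumerate(private_ips, start=1):
        block += [f"Host app{n}",
                  f"    HostName {ip}",
                  f"    User {app_user}",
                  f"    IdentityFile {key_path}",
                  "    IdentitiesOnly yes",
                  "    ProxyJump bastion",    # tunnel through the bastion entry above
                  ""]
    return "\n".join(block)


def build_jump_command(bastion_ip: str, private_ip: str, key_path: str,
                       bastion_user: str = "ec2-user", app_user: str = "ec2-user") -> str:
    """The one-off equivalent of the config above, as a single shell command."""
    argv = ["ssh", "-i", key_path, "-J", f"{bastion_user}@{bastion_ip}",
            f"{app_user}@{private_ip}"]
    return " ".join(shlex.quote(a) for a in argv)


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the subset of ssh_config emitted above (Host blocks
    containing 'Keyword value' lines); enough to check a config before use."""
    hosts: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "host":
            current = hosts.setdefault(value.strip(), {})
        elif current is not None:
            current[keyword] = value.strip()
    return hosts


def check_ssh_config(text: str, bastion_alias: str = "bastion") -> List[str]:
    """Problems that would break or weaken the jump setup: an app host without
    ProxyJump, an undefined jump target, or a host with no local IdentityFile."""
    hosts = parse_ssh_config(text)
    problems = []
    if bastion_alias not in hosts:
        problems.append(f"no 'Host {bastion_alias}' entry")
    for name, opts in hosts.items():
        if name == bastion_alias:
            continue
        if opts.get("ProxyJump") != bastion_alias:
            problems.append(f"{name}: does not jump through {bastion_alias}")
        if "IdentityFile" not in opts:
            problems.append(f"{name}: no IdentityFile (key must be supplied locally)")
    return problems


# Constructed sample values (RFC 5737 documentation address, RFC 1918 private IPs).
SAMPLE_BASTION_IP = "198.51.100.25"
SAMPLE_PRIVATE_IPS = ["10.0.128.10", "10.0.144.10"]
SAMPLE_KEY = "/home/c/Downloads/keypair.pem"

if __name__ == "__main__":
    cfg = build_ssh_config(SAMPLE_BASTION_IP, SAMPLE_PRIVATE_IPS, SAMPLE_KEY)
    print(cfg)
    print("problems:", check_ssh_config(cfg) or "none")
    print(build_jump_command(SAMPLE_BASTION_IP, SAMPLE_PRIVATE_IPS[0], SAMPLE_KEY))
```

Append the rendered fragment to `~/.ssh/config` and the private servers become reachable as `ssh app1` and `ssh app2`. The key file must stay readable only by its owner (`chmod 400 keypair.pem`), or ssh refuses to use it, and the bastion's sshd must permit TCP forwarding, which is the default. Use the login user that matches each AMI (ubuntu for Ubuntu images, ec2-user for Amazon Linux); the function takes separate users for the bastion and the application servers for that reason.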
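The post does not show the HTML application itself. The following is an added example, not the original post's application: a minimal web app on port 8000 (the port used by the security group and, later, the load balancer listener) written with Python's standard library only. Each page names the instance that rendered it, so when the load balancer alternates between the two servers in Step 5 the browser shows which one answered, and a `/health` path gives the target group a cheap endpoint to probe. The application name and the `/health` path are choices made here, not AWS requirements.

```python
"""Minimal HTML application on port 8000 for the private application servers.

Added example, not the original post's application. Each page names the
instance that rendered it, so when the load balancer from Step 5 alternates
between the two servers the browser shows which one answered. Standard library
only; APP_NAME and the /health path are choices made here, not AWS requirements.
"""
import html
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

APP_PORT = 8000            # matches the listener / target group port in Step 5
APP_NAME = "app-1"         # set to "app-2" on the second instance


def server_identity():
    """Hostname and private IP of the machine serving the request."""
    hostname = socket.gethostname()
    try:
        private_ip = socket.gethostbyname(hostname)
    except OSError:
        private_ip = "unknown"
    return hostname, private_ip


def render_page(hostname: str, private_ip: str, app_name: str = APP_NAME) -> str:
    """Build the HTML body; every value is escaped so a hostname can never
    inject markup into the page."""
    return ("<!doctype html><html><head><title>{t}</title></head><body>"
            "<h1>{t}</h1><p>Served by {h} ({ip})</p></body></html>").format(
                t=html.escape(app_name), h=html.escape(hostname),
                ip=html.escape(private_ip))


class AppHandler(BaseHTTPRequestHandler):
    server_version = "SimpleApp/1.0"   # do not advertise the Python version
    sys_version = ""

    def _send(self, status: int, body: bytes, ctype: str) -> None:
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/health":            # cheap target for ALB health checks
            self._send(200, b"ok\n", "text/plain")
        elif self.path in ("/", "/index.html"):
            body = render_page(*server_identity()).encode("utf-8")
            self._send(200, body, "text/html; charset=utf-8")
        else:
            self.send_error(404)


def serve(port: int = APP_PORT) -> None:
    """Listen on all interfaces so the ALB can reach the instance in its private subnet."""
    HTTPServer(("0.0.0.0", port), AppHandler).serve_forever()


def fetch_once(path: str = "/"):
    """Start the app on an ephemeral loopback port, request `path`, then stop it.
    Returns (status, body) so the app can be checked without a browser."""
    srv = HTTPServer(("127.0.0.1", 0), AppHandler)
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}{path}"
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.read().decode("utf-8")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    serve()
```

Run it on the instance with `python3 app.py` (under `nohup` or a systemd unit so it survives the SSH session ending) and point the Step 5 target group at port 8000; if you use the `/health` path, set it as the target group's health check path. Setting `APP_NAME` to a different value on the second instance makes the two servers distinguishable when the load balancer alternates between them.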
STEP 5: Create a Load balancer
Go to 'Load balancers' from the console.
Click 'Create load balancer' and select 'Application Load Balancer'.
Since the load balancer sits in the public subnets, make sure to select the network mapping accordingly, choosing the public subnet in each availability zone.
Select the security group created earlier, set the listener and routing to HTTP on port 8000, and click 'Create target group'.
Provide a name and select the VPC that we created in Step 1. The target group has been created successfully.
Register the two private instances as targets in the target group, since the load balancer needs to forward traffic to them.
Go back to 'Load balancers', repeat the same steps and select the target group created in the previous step.
The Application Load Balancer has been successfully created.
Click the created load balancer which is listed and copy the DNS name.
Now that all configurations and services have been set up, it's time to verify the functionality of our application.
Paste the DNS name in the browser URL.
Voila! The application is deployed on one of the servers and traffic is directed to it.
Similarly, deploy an additional application on the other instance by following the identical process. This lets you view the second application alongside the first one.
To conclude, with the VPC created and a bastion host in place, we can now securely log in to our application servers in the private subnets.
Thanks for reading!