Thursday, 6 April 2017

AWS Practical Exercises -- 001

The following exercises are given to test your skills and understanding. We will try to set up an environment and cover things along the way.

  1. In Oregon, create a VPC with CIDR 10.0.0.0/24
  2. Divide this VPC into 6 subnets across 2 AZs (e.g. a, b)
  3. Make 2 subnets Public (namely 1-a, 1-b)
  4. Make 2 subnets Private with outbound internet (namely 2-a, 2-b)
  5. Make 2 subnets Private with no outbound internet (namely 3-a, 3-b)
  6. Create a Public Classic ELB in 1-a and 1-b. It should accept traffic on port 80 from ANYWHERE. Create health checks for the instances in 2-a and 2-b.
  7. Create 2 Linux/Windows instances in 2-a and 2-b with a web server installed (Apache/IIS). These instances should accept traffic on port 80 only from the ELB. Register these instances with the ELB.
  8. Create a multi-AZ MySQL RDS in 3-a and 3-b. This DB should accept traffic only on port 3306 from the instances in 2-a and 2-b.
  9. Create a Jumpbox / Bastion host in 1-a or 1-b and verify the above connectivity.
  10. Ensure that Security Groups and NACLs are created properly.
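Before clicking through the console, it helps to write the design down and check it against the rules above. The script below is an added example (not part of the original post): it carves the six /27 subnets out of 10.0.0.0/24, records the default route of each tier and the security-group rules, and then verifies the properties the exercise demands (public tier routes to the IGW, tier 2 to a NAT, tier 3 has no default route, the web SG takes port 80 only from the ELB SG, the DB SG takes 3306 only from the web SG). The resource names (`igw`, `nat`, `sg-elb`, `sg-web`, `sg-db`, `sg-bastion`) and the admin IP 203.0.113.10 are placeholders I made up; nothing here talks to AWS.

```python
"""Offline check of the VPC design from the exercise list (added example).

Models the plan as plain data and validates it; resource names and the
admin source IP are constructed placeholders, not real AWS identifiers.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/24")
AZS = ("us-west-2a", "us-west-2b")   # Oregon, two AZs
TIERS = ("1", "2", "3")              # public, private+NAT, isolated


def plan_subnets(vpc=VPC_CIDR, azs=AZS, tiers=TIERS):
    """Carve one /27 per (tier, AZ) out of the VPC block, in order."""
    blocks = list(vpc.subnets(new_prefix=27))   # /24 -> 8 x /27, we use 6
    plan, i = {}, 0
    for tier in tiers:
        for az in azs:
            plan[f"{tier}-{az[-1]}"] = {"cidr": blocks[i], "az": az, "tier": tier}
            i += 1
    return plan


# Target of the 0.0.0.0/0 route per tier (None = no internet at all)
ROUTES = {"1": "igw", "2": "nat", "3": None}

# Security groups: (proto, port, source); a source is an SG id or a CIDR
SECURITY_GROUPS = {
    "sg-elb": [("tcp", 80, "0.0.0.0/0")],
    "sg-web": [("tcp", 80, "sg-elb"), ("tcp", 22, "sg-bastion")],
    "sg-db": [("tcp", 3306, "sg-web")],
    "sg-bastion": [("tcp", 22, "203.0.113.10/32")],  # constructed admin IP
}


def check_subnets(plan):
    """Every subnet inside the VPC, no overlaps, every tier in 2 AZs."""
    errs, seen = [], []
    for name, s in plan.items():
        if not s["cidr"].subnet_of(VPC_CIDR):
            errs.append(f"{name}: {s['cidr']} outside VPC")
        for other in seen:
            if s["cidr"].overlaps(other):
                errs.append(f"{name}: overlaps {other}")
        seen.append(s["cidr"])
    for tier in TIERS:
        if len({s["az"] for s in plan.values() if s["tier"] == tier}) < 2:
            errs.append(f"tier {tier} not spread over 2 AZs")
    return errs


def check_routes(routes=ROUTES):
    """Steps 3-5: IGW for public, NAT for tier 2, nothing for tier 3."""
    errs = []
    if routes.get("1") != "igw":
        errs.append("public tier must default-route to the IGW")
    if routes.get("2") != "nat":
        errs.append("tier 2 must default-route to a NAT")
    if routes.get("3") is not None:
        errs.append("tier 3 must have no default route")
    return errs


def check_sgs(sgs=SECURITY_GROUPS):
    """Steps 6-8: only the ELB is world-facing; web and DB chain by SG id."""
    errs = []
    for proto, port, src in sgs["sg-web"]:
        if port == 80 and src != "sg-elb":
            errs.append(f"sg-web: port 80 open to {src}, expected sg-elb only")
    for proto, port, src in sgs["sg-db"]:
        if port != 3306 or src != "sg-web":
            errs.append(f"sg-db: {proto}/{port} from {src} not allowed")
    for name, rules in sgs.items():
        for proto, port, src in rules:
            if src == "0.0.0.0/0" and name != "sg-elb":
                errs.append(f"{name}: {proto}/{port} open to the world")
    return errs


def validate(plan=None, routes=ROUTES, sgs=SECURITY_GROUPS):
    """Return the list of design problems (empty when the plan is sound)."""
    plan = plan or plan_subnets()
    return check_subnets(plan) + check_routes(routes) + check_sgs(sgs)


if __name__ == "__main__":
    for name, s in plan_subnets().items():
        print(f"{name}: {s['cidr']} in {s['az']}")
    print("problems:", validate() or "none")
```

Referencing security groups by id (the web SG's source is `sg-elb`, not a CIDR) is what makes step 7 and step 8 hold even when the ELB nodes or web instances change address; the same check flags any group other than the ELB that is opened to 0.0.0.0/0.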
RESOURCES for help:

5 comments:


  1. One of the participants has asked me the following questions. These are really good and hence I am answering them here --

    1. How to create a private subnet with outbound internet only?
    Ans: Give that instance connectivity to NAT only. NAT allows only Outbound traffic to internet. Please watch https://www.youtube.com/watch?v=G67TaU4qSYE & https://www.youtube.com/watch?v=9bXm82AjWWg

    2. For the bastion host, I enabled SSH in the security group of the other two private instances. But SSH to these private instances did not work if I provided the public IP of the bastion host as the source IP in the security group the private instances are in. It only worked by providing the private IP of the bastion host instead of the public one. Does it work this way only, or am I wrong?
    Ans: Good question. You can provide a Public / Private IP in Security Groups. But, in the above case your private instances do not have a Public IP, hence they cannot communicate on Public IPs. They can communicate only using Private IPs, and hence it worked in the above case.

    3. If "Modify auto-assign public IP address" is not enabled in a public subnet and you launch an instance, will the instance get a public IP if we enable this option afterwards and then reboot/stop/start the instance?
    Ans: NO. The subnet's property only gets applied at the time of EC2 launch. After this, it just records the behaviour and remembers it. Changing the property (Auto-assign Public IP) at the subnet level would not affect the EC2 after that.

    4. I launched a Linux instance and installed Apache on it, then created the snapshot and used that AMI to launch the 2 new instances for the ELB. But the ELB was showing those instances as OutOfService. So I learned that I have to run the "chkconfig httpd on" command before taking the snapshot of the source AMI and then create the instances.
    Ans: That's right. This command ensures that the Apache service starts automatically after the machine boots. After this, the health check would pass and your instances would come into service.

    5. Also, I request you to please create a video session on bastion hosts, if possible.
    Ans: A Bastion Host is a small Windows/Linux machine which we launch in a Public subnet. This machine acts as the Jumpbox to access private instances. First, we SSH/RDP to the Bastion host using its Public IP. Then, we connect to the Private instances using their Private IPs. I have already shown this in the following video -- https://www.youtube.com/watch?v=9bXm82AjWWg

  2. Hello Sandeep, I managed to do it till the 5th step.
    From your 6th step, I needed a little clarity.
    You had mentioned, "Create a Public Classic ELB in 1-a and 1-b. It should accept traffic on port 80 from ANYWHERE. Create health checks for the instances in 2-a and 2-b."

    Questions,
    1. Basically you want the ELB to be the 1st one to be hit before hitting the 2 public subnets? Right?
    2. You had mentioned "Create health checks for the instances in 2-a and 2-b"
    So, I have to create another ELB for the private subnets too? That's right?
    3. Again on your 7th point,
    You had mentioned "Create 2 Linux/Windows instances in 2-a and 2-b with web-server installed (Apache/IIS). These instances should accept traffic on port 80 only from ELB. Register these instances with the ELB"
    So that's again, the traffic needs to flow from the private ELB, right?
    Please assist.

  3. Hi Sandeep,
    Was working on this assignment.

    Created 6 subnets,
    CIDRs used were
    10.0.0.0/27 ---- KI Subnet 1A [Public Subnet] Just an amazon ux EC2 instance, used as jump box
    10.0.0.32/27 ---- KI Subnet 1B [Public Subnet] In a different AZ, for failover, same config as above
    10.0.0.64/27 ---- KI Subnet 2A [Private Subnet] Installed Apache, PHP, PHP-MySQL
    10.0.0.128/27 ---- KI Subnet 2B [Private Subnet] In a different AZ, for failover, same config as above
    10.0.0.160/27 ---- KI Subnet 3A [Multi-AZ RDS] No EC2 instance, installed MySQL through the RDS console
    10.0.0.224/27 ---- KI Subnet 3B [Multi-AZ RDS] No EC2 instance, installed MySQL through the RDS console

    Then what else did I do,
    1. Firstly created CIDR blocks [please refer above]
    2. Created VPC [named it KI]
    3. Created 6 subnets for all the CIDRs
    4. Created Internet Gateway to associate with the Public subnets, so that they can talk with the outer world.
    5. Created NAT instance in public 1A subnet, so that the private instances can reach out through it.
    6. Route table
    1a. Created route table, named it "KI Public subnet RT". Edited and added the internet gateway
    1b. Edited the main route table and added the NAT instance
    7. Came to the management console. Created 4 EC2 instances and placed 2 in public subnets and 2 in private subnets [all in different AZs]
    1. The public subnet security group [named it "KI-SG for public subnet"] took SSH, HTTP, HTTPS traffic.
    2. The private subnet security group [named it "KI SG for private subnet"] took traffic only from the 10.0.0.0/24

    8. Created 2 load balancers,
    1. Named them "KI-LB-PUBLIC-SUBNETS" and "KI-PRIVATE-LB".
    2. I put "KI-LB-PUBLIC-SUBNETS" in front of the public subnets for the incoming traffic.
    3. This load balancer was taking "HTTP" traffic
    4. Created another load balancer [internal one], kept it for the private subnets [2A and 2B]

    9. Created MySQL multi-AZ RDS instance in 3A and 3B
    1. Took the endpoint information and input that information in CONNECT.PHP in 2A and 2B

    Questions to you,
    1. I almost achieved most of it. But didn't know how to check the RDS from the Apache box, because both are in private subnets
    3. In the security group I added ICMP, but I am still not able to ping the RDS instances from my private subnets 2A and 2B?
    Please assist

  4. 1. For checking reachability, telnet is the best mechanism. From the webserver, do a telnet to RDS on the MySQL port.

    2. RDS might not support ICMP at the OS level, hence better use telnet.

