Skip to main content

Create Main VPC

  1. Navigate to the Management account and select the VPC console
  2. Click Create VPC
  3. Name the VPC - babyyoda-vpc1
  4. Set the IP CIDR block 10.16.0.0/16
  5. Select Amazon provided IPv6 and set tenancy to default
  6. Create VPC
  7. Navigate to the VPC that you created and look around.
  8. Click on the VPC and go to Actions > Edit DNS resolution > Enable
  9. Click on the VPC again and go to Actions > Edit DNS Hostnames > Enable
  10. Note the IPv4 and IPv6 CIDRs

Plan out the subnets

Use this tool to configure all of the subnets. If we use the tool, we can enter in the VPC CIDR and then the 16 networks that we want to create - remember the 4 tiers and the 3 availability zones?

sn-reserved-A 10.16.0.0/20 AZA IPv6 00
sn-database-A 10.16.16.0/20 AZA IPv6 01
sn-app-A 10.16.32.0/20 AZA IPv6 02
sn-web-A 10.16.48.0/20 AZA IPv6 03

sn-reserved-B 10.16.64.0/20 AZB IPv6 04
sn-database-B 10.16.80.0/20 AZB IPv6 05
sn-app-B 10.16.96.0/20 AZB IPv6 06
sn-web-B 10.16.112.0/20 AZB IPv6 07

sn-reserved-C 10.16.128.0/20 AZC IPv6 08
sn-database-C 10.16.144.0/20 AZC IPv6 09
sn-app-C 10.16.160.0/20 AZC IPv6 0A
sn-web-C 10.16.176.0/20 AZC IPv6 0B

Creating the Subnets

  1. Navigate to the VPC console of the Management account.
  2. Click on Subnets
  3. Click Create Subnet
  4. Select the VPC that you created
  5. Enter in the Subnet name - sn-reserved-A - make sure you use the tool above and a plan to map out the subnets.
  6. Select the availability zone
  7. Enter in the IPv4 CIDR block
  8. Select the Custom IPv6 dropdown
  9. The first one is 00 as noted above
  10. Add tags, name and the name of the subnet.
  11. Click add new subnet and repeat the above process and increment the IPv6 until all 4 in Availability zone A have been created.
  12. Repeat this process until all 12 subnets in all of the availability zones have been created. image.png

At some point, I'll add the terraform code for this. Look in the IaC-AWS repositories for what we've deployed.

Create the Internet Gateways

  1. Navigate to the VPC console in the management account.
  2. Click on the Internet Gateways section
  3. Click Create Internet Gateway.
  4. Name this IGW babyyoda-vpc1-igw
  5. Click Attach to VPC and select our VPC that we created.
  6. We want to have the Web tier to be public, so we need to create a route table

Create Route Tables

  1. Click on the Route Tables section on the left
  2. Click Create Route Table.
  3. Select the VPC that this is associated with
  4. Name this babyyoda-vpc-route1-web
  5. Click Create.

Associate Route Table with Subnets

  1. Click on the new route table
  2. Click on Subnet Associations
  3. Select the 3 web subnets and click Save
  4. Click on the Routes tab.
  5. Notice that these have two local routes that cannot be changed or removed

Create Routes

  1. On the Routes tab, click Edit Routes.
  2. Add 0.0.0.0/0 as your IPv4 CIDR to your route table.
  3. The target will be your Internet Gateway
  4. Add the IPv6 CIDR, ::/0 with the same target to the Internet Gateway.
  5. Click on the Subnets section.
  6. Select the Web A subnet
  7. Click actions, modify Auto IP settings
  8. Enable
  9. Repeat for Web B and Web C.

Example: image.png

Deploy Bastion Host

  1. Navigate to the EC2 console inside of the management network.
  2. Click Launch instance
  3. Select Amazon Linux 2 AMI 64 bit x86
  4. Click the largest instance available on the free tier. t2.micro is usually the only option
  5. Click Configure Instance Details
  6. Select the VPC and then Select the Web A subnet.
  7. Set the auto-assign to explicitly enable on both IPv4 and IPv6
  8. Look at the other options available and then click Next: Storage.
  9. Look around at the options for storage, but ultimately select the defaults by clicking Next: Tags.
  10. For the tags, add in Name and then BBYYODA-Bastion for the value.
  11. For the Security group, we will create a new security group and call it SG-BabyYoda-Bastion
  12. Add a description if needed, if not, copy the name into that description.
  13. Note the rules for the Security Group, we're enabling SSH, port 22, and we're opening it to ALL of the IP addresses.
    a. You don't want to do this in production. image.png
  14. Click Review and Create and then create the EC2 Instance. image.png
  15. You will need to select a Key Pair, so for this one we will create a specific Key Pair for this. a. I called mine BY-Bastion and then downloaded and launched this instance.
  16. Wait for the status checks to say 2/2 checks passed.

Connect to this EC2 Instance

  1. When the Status Checks are green, right click the instance and select Connect.
  2. Select EC2 Instance Connect and verify the settings are correct and hit Connect.
    image.png

Clean Up

Terminate the EC2 Delete the VPC - I know it was a lot of work, but we'll figure that out to recreate it using CloudFormation quickly.