Tuesday, May 15, 2018

Setting up and accessing Public/Private(NAT G/W) EC2 instances

On the AWS console, look for the EC2 service and click on it to get to the EC2 dashboard. The figure below shows the EC2 dashboard.



Public Instance:


Click on Launch Instance and choose an AMI and instance type, after which we can configure the instance into the VPC we just created. Under Subnets we can select the private and public ones for the 2 different instances. All the other fields can be kept default.




In Tab 6, we will create a new policy and allow traffic on specific ports.


Finally, review all the details and click on Launch once everything looks accurate.


Once the public instance comes up you will see the screen below; it shows the public IP, the key that can be used to access the instance, and all the other details.





From my desktop I can reach the EC2 instance I just spun up.


Desktop abizeradenwala$ ssh -i Abizerpem.pem ec2-user@54.213.230.44
Last login: Wed May  9 06:02:43 2018 from 50.225.159.163
[ec2-user@ip-10-0-1-13 ~]$ sudo su -
[root@ip-10-0-1-13 ~]# uptime

 18:17:34 up 6 days, 23:05,  1 user,  load average: 0.00, 0.01, 0.05
[root@ip-10-0-1-13 ~]#


Private Instance:

A similar process is followed for the private instance, but once it comes up it doesn't have a public IP; this is because auto-assignment of public IPs for this subnet was disabled.


Also, this instance is not pingable, nor can it be reached from the desktop or from other private instances.

So now the question is: how can these private instances serve and receive requests? The answer is a NAT instance or NAT gateway (G/W).


The rest of the blog walks through allocating a NAT gateway inside the public subnet and updating the route tables to make sure the relevant traffic from the private EC2 instance goes through the NAT gateway.

Step 1: Create the NAT G/W and associate a route table with the gateway subnet

1) Go to the existing subnets and copy the public subnet ID ("subnet-e8d55e91" in our case).

2) Create the NAT gateway.

3) Once the NAT G/W is available, its status turns green.


4) Now select the Routes tab for the newly created route table and add another route.

Enter 0.0.0.0/0 as the Destination, choose AbizerVPC's NAT gateway (its ID starts with "nat-xxxxxx") as the Target, and then click Save.



Let's make sure the added NAT route becomes Active.

5) Go to the Subnet Associations tab, click Edit and check the gateway subnet you created in Step 1, and then click Save. This grants direct internet access for the gateway subnet, making it a "public subnet" that is routable via the NAT G/W.
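Before trusting the new routing, it is worth verifying the whole layout in one place: the NAT gateway must sit in a subnet whose 0.0.0.0/0 route points at an internet gateway, and the private subnet's route table must send 0.0.0.0/0 to the NAT gateway (never to an IGW, or the "private" instances are publicly routable). The script below is an added example, not code from this post; it is a small offline checker over dictionaries shaped like the output of aws ec2 describe-subnets, describe-route-tables and describe-nat-gateways. Every value in it is constructed sample data except the public subnet ID subnet-e8d55e91 and the 10.0.1.0/24 and 10.0.2.0/24 ranges, which come from the post; the other IDs (subnet-0private0, nat-0example0, igw-0example0, rtb-0main0, rtb-0private0) are placeholders.

```python
"""Offline check of a public/private subnet layout that uses a NAT gateway.

Added example, not code from the post. The dictionaries mirror the shape of
`aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`
output, but every value is constructed sample data; only subnet-e8d55e91 and the
10.0.1.0/24 and 10.0.2.0/24 ranges come from the post.
"""

# Constructed sample data: one public and one private subnet in a 10.0.0.0/16 VPC.
SUBNETS = [
    {"SubnetId": "subnet-e8d55e91", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0private0", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
]

# Constructed: the NAT gateway is placed in the public subnet, as in Step 1.
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0example0", "SubnetId": "subnet-e8d55e91", "State": "available"},
]

# Constructed: the main table serves every subnet with no explicit association.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0main0",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0"},
        ],
    },
    {
        "RouteTableId": "rtb-0private0",
        "Associations": [{"SubnetId": "subnet-0private0"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example0"},
        ],
    },
]


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route (an igw-/nat-/... id), or None if absent."""
    if route_table is None:
        return None
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def classify_subnet(route_tables, subnet_id):
    """public = default route via IGW, private = via NAT gateway, isolated = none."""
    target = default_route_target(route_table_for_subnet(route_tables, subnet_id))
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def check_layout(subnets, route_tables, nat_gateways):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    for nat in nat_gateways:
        nat_id = nat["NatGatewayId"]
        if nat["State"] != "available":
            findings.append(f"{nat_id} is in state {nat['State']}, not available")
        # A NAT gateway only works from a subnet whose default route is an IGW.
        if classify_subnet(route_tables, nat["SubnetId"]) != "public":
            findings.append(f"{nat_id} is not in a public subnet; it cannot reach the internet")
    for subnet in subnets:
        sid = subnet["SubnetId"]
        kind = classify_subnet(route_tables, sid)
        if subnet["MapPublicIpOnLaunch"] and kind != "public":
            findings.append(f"{sid} auto-assigns public IPs but its default route is {kind}")
        if not subnet["MapPublicIpOnLaunch"] and kind == "public":
            findings.append(f"{sid} is meant to be private but routes 0.0.0.0/0 to an IGW")
    return findings


if __name__ == "__main__":
    for finding in check_layout(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS) or ["layout OK"]:
        print(finding)
```

With the constructed data above the checker reports nothing; moving the NAT gateway into the private subnet, or pointing the private table's 0.0.0.0/0 at the IGW, each produces a finding. The same functions can be fed the real JSON from the three describe calls once the console steps are done.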



Yay, now the private instance is reachable via the NAT G/W and we can connect to it.

[root@ip-10-0-1-13 ~]# ping 10.0.2.77
PING 10.0.2.77 (10.0.2.77) 56(84) bytes of data.
64 bytes from 10.0.2.77: icmp_seq=1 ttl=64 time=0.964 ms
64 bytes from 10.0.2.77: icmp_seq=2 ttl=64 time=0.845 ms
^C
--- 10.0.2.77 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.845/0.904/0.964/0.066 ms



[root@ip-10-0-1-13 tmp]# ssh -i Abizerpem.pem ec2-user@10.0.2.77
Last login: Tue May 15 18:42:07 2018 from ip-10-0-1-13.us-west-2.compute.internal
[ec2-user@ip-10-0-2-77 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 10.0.2.77  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::4a8:57ff:fe41:915a  prefixlen 64  scopeid 0x20<link>
        ether 06:a8:57:41:91:5a  txqueuelen 1000  (Ethernet)
        RX packets 3598  bytes 200871 (196.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3935  bytes 226415 (221.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 64  bytes 5920 (5.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 64  bytes 5920 (5.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[ec2-user@ip-10-0-2-77 ~]$ 


We have reached our end goal: we have a VPC with 2 subnets (public/private) and both can reach out to the world, via the IGW and the NAT G/W respectively.
