
Lab 2: Build Your VPC and Launch A Web Server: Accessing The AWS Management Console

- A VPC with public and private subnets in two availability zones was created along with internet gateways, NAT gateways, and appropriate route tables to allow access to instances in public and private subnets.
- A security group allowing HTTP access was made.
- A web server instance was launched into a public subnet, assigned a public IP, and configured with a script to install and run an Apache web server with a sample PHP application. The instance was associated with the security group.

Lab 2: Build your VPC and Launch a Web Server


Accessing the AWS Management Console


1. At the top of these instructions, choose Start Lab to launch your lab.

A Start Lab panel opens displaying the lab status.

2. Wait until you see the message "Lab status: ready", then choose the X to close the
Start Lab panel.
3. At the top of these instructions, choose AWS

This will open the AWS Management Console in a new browser tab. The system will
automatically log you in.

Tip: If a new browser tab does not open, there will typically be a banner or icon at the
top of your browser indicating that your browser is preventing the site from opening
pop-up windows. Choose the banner or icon, then choose "Allow pop ups."

4. Arrange the AWS Management Console tab so that it displays alongside these
instructions. Ideally, you will be able to see both browser tabs at the same time, to make
it easier to follow the lab steps.

Task 1: Create Your VPC


In this task, you will use the VPC Wizard to create a VPC, an Internet Gateway, and two
subnets in a single Availability Zone. An Internet gateway (IGW) is a VPC component
that allows communication between instances in your VPC and the Internet.
After creating a VPC, you can add subnets. Each subnet resides entirely within one
Availability Zone and cannot span zones. If a subnet's traffic is routed to an Internet
Gateway, the subnet is known as a public subnet. If a subnet does not have a route to
the Internet gateway, the subnet is known as a private subnet.
The wizard will also create a NAT Gateway, which is used to provide internet
connectivity to EC2 instances in the private subnets.

5. In the AWS Management Console, on the Services menu, choose VPC.


6. Choose Launch VPC Wizard
7. In the left navigation pane, choose VPC with Public and Private Subnets (the second
option).
8. Choose Select then configure:
o VPC name: Lab VPC
o Availability Zone: Select the first Availability Zone
o Public subnet name: Public Subnet 1
o Availability Zone: Select the first Availability Zone (the same as used above)
o Private subnet name: Private Subnet 1
o Elastic IP Allocation ID: Choose in the box and select the displayed IP address
9. Choose Create VPC

The wizard will create your VPC.

10. Once it is complete, choose OK

The wizard has provisioned a VPC with a public subnet and a private subnet in the
same Availability Zone, together with route tables for each subnet:

The Public Subnet has a CIDR of 10.0.0.0/24, which means that it contains all IP
addresses starting with 10.0.0.x.

The Private Subnet has a CIDR of 10.0.1.0/24, which means that it contains all IP
addresses starting with 10.0.1.x.

Task 2: Create Additional Subnets


In this task, you will create two additional subnets in a second Availability Zone. This is
useful for creating resources in multiple Availability Zones to provide High Availability.

11. In the left navigation pane, choose Subnets.

First, you will create a second Public Subnet.

12. Choose Create subnet then configure:


o VPC ID: Lab VPC
o Subnet name: Public Subnet 2
o Availability Zone: Select the second Availability Zone
o IPv4 CIDR block: 10.0.2.0/24

The subnet will have all IP addresses starting with 10.0.2.x.

13. Choose Create subnet

You will now create a second Private Subnet.

14. Choose Create subnet then configure:


o VPC ID: Lab VPC
o Subnet name: Private Subnet 2
o Availability Zone: Select the second Availability Zone
o CIDR block: 10.0.3.0/24

The subnet will have all IP addresses starting with 10.0.3.x.

15. Choose Create subnet

You will now configure the Private Subnets to route internet-bound traffic to the NAT
Gateway so that resources in the Private Subnet are able to connect to the Internet,
while still keeping the resources private. This is done by configuring a Route Table.

A route table contains a set of rules, called routes, that are used to determine where
network traffic is directed. Each subnet in a VPC must be associated with a route table;
the route table controls routing for the subnet.

16. In the left navigation pane, choose Route Tables.


17. Select the route table with Main = Yes and VPC = Lab VPC. (Expand the VPC ID
column if necessary to view the VPC name.)
18. In the Name column for this route table, choose the pencil then type Private Route Table
and choose Save
19. In the lower pane, choose the Routes tab.

Note that Destination 0.0.0.0/0 is set to Target nat-xxxxxxxx. This means that traffic
destined for the internet (0.0.0.0/0) will be sent to the NAT Gateway. The NAT Gateway
will then forward the traffic to the internet.

This route table is therefore being used to route traffic from Private Subnets. You will
now add a name to the Route Table to make this easier to recognize in future.

20. In the lower pane, choose the Subnet Associations tab.

You will now associate this route table to the Private Subnets.

21. Choose Edit subnet associations


22. Select both Private Subnet 1 and Private Subnet 2.

You can expand the Subnet ID column to view the Subnet names.

23. Choose Save associations

You will now configure the Route Table that is used by the Public Subnets.

24. Select the route table with Main = No and VPC = Lab VPC (and deselect any other
subnets).
25. In the Name column for this route table, choose the pencil then type Public Route Table,
and choose Save
26. In the lower pane, choose the Routes tab.

Note that Destination 0.0.0.0/0 is set to Target igw-xxxxxxxx, which is the Internet
Gateway. This means that internet-bound traffic will be sent straight to the internet via
the Internet Gateway.

You will now associate this route table to the Public Subnets.

27. Choose the Subnet Associations tab.


28. Choose Edit subnet associations
29. Select both Public Subnet 1 and Public Subnet 2.
30. Choose Save associations
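
The following Python is an added example, not part of the original lab. It classifies each subnet as public or private from its effective route table, using the rule the lab describes (a default route to the Internet Gateway makes a subnet public) plus the fallback to the main route table for subnets without an explicit association. The subnet and route table IDs are constructed placeholders, and the wizard's initial association of Public Subnet 1 is an assumption.

```python
# Added example. Dicts follow the shape of `aws ec2 describe-route-tables`
# output; every ID is a constructed placeholder, not a value from the lab.
NAT_ROUTE = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-xxxxxxxx", "State": "active"}
IGW_ROUTE = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-xxxxxxxx", "State": "active"}
SUBNETS = {"Public Subnet 1": "subnet-pub1", "Private Subnet 1": "subnet-priv1",
           "Public Subnet 2": "subnet-pub2", "Private Subnet 2": "subnet-priv2"}

def route_tables(public_ids, private_ids):
    """Build the lab VPC's two route tables with the given explicit associations."""
    return [
        {"RouteTableId": "rtb-private", "Routes": [NAT_ROUTE],  # Main = Yes
         "Associations": [{"Main": True}] + [{"Main": False, "SubnetId": s} for s in private_ids]},
        {"RouteTableId": "rtb-public", "Routes": [IGW_ROUTE],   # Main = No
         "Associations": [{"Main": False, "SubnetId": s} for s in public_ids]},
    ]

def effective_route_table(subnet_id, tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route_target(rt):
    """Return 'igw', 'nat' or None for the active 0.0.0.0/0 route of a table."""
    for route in (rt["Routes"] if rt else []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue  # skip other destinations and blackholed routes
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if "NatGatewayId" in route:
            return "nat"
    return None

def classify(tables):
    """Map each subnet name to 'public' (default route via IGW) or 'private'."""
    return {name: "public" if default_route_target(effective_route_table(sid, tables)) == "igw"
            else "private" for name, sid in SUBNETS.items()}

# After step 15: only Public Subnet 1 is explicitly associated (assumed wizard
# behaviour), so Public Subnet 2 still falls back to the main (NAT) table.
print(classify(route_tables(["subnet-pub1"], [])))
# After step 30: all four subnets carry explicit associations.
print(classify(route_tables(["subnet-pub1", "subnet-pub2"], ["subnet-priv1", "subnet-priv2"])))
```

Until step 29 associates it with the Public Route Table, Public Subnet 2 is public in name only. Because the main route table targets the NAT Gateway, any subnet created without an explicit association defaults to private.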

Your VPC now has public and private subnets configured in two Availability Zones:

Task 3: Create a VPC Security Group


In this task, you will create a VPC security group, which acts as a virtual firewall. When
you launch an instance, you associate one or more security groups with the instance.
You can add rules to each security group that allow traffic to or from its associated
instances.

31. In the left navigation pane, choose Security Groups.


32. Choose Create security group and then configure:
o Security group name: Web Security Group
o Description: Enable HTTP access
o VPC: Lab VPC
33. In the Inbound rules pane, choose Add rule
34. Configure the following settings:
o Type: HTTP
o Source: Anywhere-IPv4
o Description: Permit web requests
35. Scroll to the bottom of the page and choose Create security group

You will use this security group in the next task when launching an Amazon EC2
instance.
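
As an added example (not part of the original lab), this Python check audits a security group's inbound rules and reports any rule open to the whole internet on something other than HTTP. The rule sets are constructed samples in the IpPermissions shape returned by `aws ec2 describe-security-groups`; the allowed-port set and the extra rules in the second sample are assumptions for illustration.

```python
# Added example. Rule dicts follow the IpPermissions shape of
# `aws ec2 describe-security-groups`; both rule sets are constructed samples.
WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80}  # assumption: the lab intends only HTTP to be public

LAB_WEB_SG = [  # the single inbound rule created in steps 33-34
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Permit web requests"}]},
]
DRIFTED_SG = LAB_WEB_SG + [  # constructed: rules added to the group later
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # internal range, not world-open
]

def world_sources(perm):
    """Return the IPv4/IPv6 sources of a rule that mean 'anywhere'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def findings(permissions):
    """List (source, exposure) for world-open rules beyond the allowed ports."""
    out = []
    for perm in permissions:
        sources = world_sources(perm)
        if not sources:
            continue
        if perm["IpProtocol"] == "-1":  # -1 means every protocol and port
            exposed = "all protocols and ports"
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1)):
                continue  # the whole range is within the intended exposure
            exposed = f'{perm["IpProtocol"]} {lo}-{hi}'
        out += [(src, exposed) for src in sources]
    return out

print(findings(LAB_WEB_SG))   # the lab's group: nothing to report
print(findings(DRIFTED_SG))   # SSH and the full TCP range are reported
```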

Task 4: Launch a Web Server Instance


In this task, you will launch an Amazon EC2 instance into the new VPC. You will
configure the instance to act as a web server.

39. On the Services menu, choose EC2.


40. Choose Launch Instance, and then choose Launch Instance

First, you will select an Amazon Machine Image (AMI), which contains the desired
Operating System.

41. In the row for Amazon Linux 2 (at the top), choose Select

The Instance Type defines the hardware resources assigned to the instance.

42. Select t2.micro (shown in the Type column).


43. Choose Next: Configure Instance Details

You will now configure the instance to launch in a Public Subnet of the new VPC.

44. Configure these settings:


o Network: Lab VPC
o Subnet: Public Subnet 2 (not Private!)
o Auto-assign Public IP: Enable
45. Expand the Advanced Details section (at the bottom of the page).
46. Copy and paste this code into the User data box:

#!/bin/bash
# Install Apache Web Server and PHP
yum install -y httpd mysql php
# Download Lab files
wget https://aws-tc-largeobjects.s3.us-west-2.amazonaws.com/CUR-TF-100-ACCLFO-2/2-lab2-vpc/s3/lab-app.zip
unzip lab-app.zip -d /var/www/html/
# Turn on web server
chkconfig httpd on
service httpd start

This script will be run automatically when the instance launches for the first time. The
script loads and configures a PHP web application.

47. Choose Next: Add Storage

You will use the default settings for storage.

48. Choose Next: Add Tags

Tags can be used to identify resources. You will use a tag to assign a Name to the
instance.

49. Choose Add Tag then configure:


o Key: Name
o Value: Web Server 1
50. Choose Next: Configure Security Group

You will configure the instance to use the Web Security Group that you created earlier.

51. Select Select an existing security group


52. Select Web Security Group.

This is the security group you created in the previous task. It will permit HTTP access to
the instance.

53. Choose Review and Launch


54. When prompted with a warning that you will not be able to connect to the instance
through port 22, choose Continue
55. Review the instance information and choose Launch
56. In the Select an existing keypair dialog, select I acknowledge....
57. Choose Launch Instances and then choose View Instances
58. Wait until Web Server 1 shows 2/2 checks passed in the Status Checks column.

This may take a few minutes. Choose refresh in the top-right every 30 seconds for
updates.

You will now connect to the web server running on the EC2 instance.
59. Select Web Server 1.
60. Copy the Public DNS (IPv4) value shown in the Description tab at the bottom of the
page.
61. Open a new web browser tab, paste the Public DNS value and press Enter.

You should see a web page displaying the AWS logo and instance meta-data values.

The complete architecture you deployed is:


 
