Real World AWS for Everyone

Cloud Config

Your Own Public Cloud

Start by creating a VPC, which serves as a base from which you can launch AWS resources on a virtual network. A VPC can extend over several AZs. You also need security groups. An Internet gateway (IGW), created by default, controls the communication between the instances in the VPC and the outside world; you can adapt the routing tables of gateways and routers to your needs at any time. Once the prerequisites have been met, you can use a VM template (an Amazon Machine Image, AMI) to create a VM, in this case for the web server, and start it later. AWS VPN solutions such as Direct Connect [8] provide administrative access to the VPC. You'll find the VPC Wizard under Services in the Networking & Content Delivery section of the VPC. Clicking on Start VPC Wizard leads you through the process of creating a VPC in a few steps and offers various starting points; in this case, VPC with Public and Private Subnets. Remember to set the region you want to use in the top-right corner. We are starting with a Class B IPv4 address range for the VPC itself, as well as one private subnet and one public subnet with a Class C address range each. Both should initially be located in the same AZ. To connect the private subnet to the Internet, you can either use the NAT gateway offered below the subnet configuration and request an Elastic IP (EIP) address, or you can click on Use a NAT instance instead to the right if you want to set up the NAT gateway yourself (Figure 2).

Figure 2: A VPC with public and private subnets forms the basis for the AWS cloud.

This example will use the t2.micro NAT instance, which is included in the Free Tier option. You'll need a key pair to use the t2.micro NAT instance. For the planned high-availability DB scenario, create two additional subnets, Private 2 and Public 2, in the second availability zone under VPC / Your VPC / Subnets. You are free to choose which address ranges you want to use as long as they lie within the IP address range of the VPC. One level above, in the VPC dashboard, you will see the entire inventory list, which currently consists of two VPCs (including one default VPC), two routing tables, two security groups, and, if applicable, a NAT gateway; I decided to use a dedicated VM as a NAT gateway, which is why an EIP (a public IP address) has already been assigned.
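The address-range rule above (every subnet inside the VPC range, none overlapping, and the second pair of subnets in a second AZ) is easy to get wrong by hand. The following check is an added example, not part of the article; the VPC and subnet CIDRs and the AZ names are constructed and stand in for whatever ranges you choose.

```python
"""Validate a VPC subnet plan before clicking through the VPC Wizard."""
import ipaddress
from typing import Dict, List

# Constructed plan (assumption): a Class B-sized VPC with Class C-sized
# subnets, one public/private pair per AZ, as the article sets up.
VPC_CIDR = "10.0.0.0/16"
SUBNETS: List[Dict[str, str]] = [
    {"name": "Public 1",  "cidr": "10.0.0.0/24", "az": "eu-central-1a"},
    {"name": "Private 1", "cidr": "10.0.1.0/24", "az": "eu-central-1a"},
    {"name": "Public 2",  "cidr": "10.0.2.0/24", "az": "eu-central-1b"},
    {"name": "Private 2", "cidr": "10.0.3.0/24", "az": "eu-central-1b"},
]


def validate_plan(vpc_cidr: str, subnets: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(s["name"], ipaddress.ip_network(s["cidr"])) for s in subnets]
    problems = []
    # 1. Every subnet must be carved out of the VPC's own range.
    for name, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is outside the VPC range {vpc}")
    # 2. Subnets must not overlap each other (the console rejects this too,
    #    but catching it here keeps the wizard run clean).
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} ({a}) overlaps {n2} ({b})")
    # 3. The HA database scenario needs subnets in at least two AZs.
    if len({s["az"] for s in subnets}) < 2:
        problems.append("all subnets sit in one AZ; the HA database needs two")
    return problems


if __name__ == "__main__":
    issues = validate_plan(VPC_CIDR, SUBNETS)
    print("\n".join(issues) if issues else "subnet plan is consistent")
```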

Firewall and Network ACLs

Once you are accustomed to the usability and functionality of the AWS management interface and the logic of the various wizards, you will find it easy to create security groups or routing tables and install VMs from templates. I'll create an initial security group called Web-SG to allow HTTP access to the newly created VPC; in the simplest case, you'll need an inbound rule of type HTTP for all incoming connections (Source 0.0.0.0/0). You can configure Network ACLs and Security Groups through the Security subsection (Figure 3). Network ACLs operate on all traffic that reaches or leaves the subnet; Security Groups, on the other hand, operate at the instance level. In other words, security groups act as a firewall for the EC2 instance, while network ACLs act as a firewall at the subnet level. Note, however, that the default network ACL is virtually wide open.

Figure 3: Configuring security settings in the VPC dashboard.

Creating the Virtual Web Server

Now you can set up the actual web server as a virtual instance. I will use the Amazon Linux AMI as a base template (Figure 4). The launch process is accompanied by an intuitive wizard. First select the instance type, the target VPC, and the subnet on which the new instance will reside. Auto-assign Public IP = Enable ensures that every new virtual network card added to this subnet automatically receives a public IP address. By the way, public IPs are volatile, in contrast to EIPs, meaning that, after a shutdown or reboot of the instance, they are replaced by a new IP address from the AWS pool for the region.

Figure 4: Amazon Linux AMI is a good choice for most Linux VMs and includes CLI tools for Python, Ruby, Perl, and Java.

An EIP does not generate any extra costs, because as long as you are using it, Amazon is already earning money with the instance. Costs only arise if you do not use or assign an EIP. Amazon wants to prevent people from hoarding public IP addresses. In the Advanced Details area, you can specify a start configuration for the instance. For Linux machines, the technology is based on cloud-init; Windows systems work with PowerShell scripts. You could also create a script that installs the necessary services and performs some configuration tasks (Listing 1).

Listing 1

Installing Services

#!/bin/bash -ex
# Placeholder (not from the article): URL of the archive that prepares
# the web server for interaction with the database; replace before use.
PREP_URL="https://example.invalid/prep.tar.gz"

yum -y update
yum -y install httpd php mysql php-mysql
chkconfig httpd on
/etc/init.d/httpd start

# Fetch and unpack the preparation archive once; skip on later boots.
if [ ! -f /var/www/html/prep.tar.gz ]; then
    cd /var/www/html
    wget -O prep.tar.gz "$PREP_URL"
    tar xvfz prep.tar.gz
    chown apache:root /var/www/html/rds.conf.php
fi

As storage for the WWW root, I will use Elastic Block Storage (EBS) and choose Magnetic to avoid additional costs. In the beginning, AWS only supported the local storage of the underlying commodity hardware. However, this is naturally volatile, because you cannot usually assume that your instance will start on the same underlying hardware after a relaunch. The launch instance wizard also runs through the creation and assignment of security groups. If you also want direct SSH access to the web server, you need to set up and assign another security group for SSH. A final click on Launch starts the instance. If SSH access is desired, AWS offers to generate a key pair and then download both keys (AWS does not store private keys in the cloud). After you click on View Instances, the new instance first appears in the instance list with the pending status, which changes to running after the time required for booting and processing cloud-init. The currently valid public IP appears as a column in the list; more details are revealed in the Description tab at the bottom. Access to the web server should work via the public IP. In this example, an EIP is not assigned. I use the Amazon Linux AMI to create an instance for the NAT server in the second AZ and a matching NAT-SG security group, within which the private subnets gain access to the NAT device via port range 0-1024.
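The three groups built in this and the earlier firewall section (Web-SG open to the world on HTTP, an SSH group, and NAT-SG reachable only from the private subnets) are a good test set for a quick exposure review. The audit below is an added example, not code from the article: it walks security group rules in the shape returned by aws ec2 describe-security-groups and flags any non-web port open to 0.0.0.0/0 or ::/0. The group contents and private-subnet CIDRs are constructed.

```python
"""Flag security group ingress rules that expose non-web ports to the Internet."""
from typing import Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}  # the only ports a public web tier should expose to all

# Constructed sample (assumption), modelled on describe-security-groups output.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupName": "Web-SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "SSH-SG", "IpPermissions": [          # admin port open to all
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "NAT-SG", "IpPermissions": [          # only the private subnets
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.3.0/24"}]}]},
]


def _ports(perm: Dict) -> range:
    """Ports covered by one permission; protocol -1 ('all traffic') has no port fields."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_groups(groups: List[Dict]) -> List[str]:
    """Return one finding per rule that opens a non-web port to the whole Internet."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not ANYWHERE & set(sources):
                continue  # restricted source, e.g. NAT-SG limited to private subnets
            exposed = [p for p in _ports(perm) if p not in PUBLIC_OK]
            if exposed:
                lo, hi = exposed[0], exposed[-1]
                label = f"port {lo}" if lo == hi else f"ports {lo}-{hi}"
                findings.append(f"{g['GroupName']}: {label} open to the Internet")
    return findings


if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS):
        print(finding)
```

The SSH group is the expected hit: restricting its source to your administrative address range, or reaching the web server through the NAT instance or a VPN instead, removes the finding.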
