Real World AWS for Everyone
Cloud Config
Your Own Public Cloud
Start by creating a VPC, which serves as a base from which you can launch AWS resources on a virtual network. A VPC can extend over several AZs. You also need security groups. An Internet gateway (IGW), created by default, controls the communication between the instances in the VPC and the outside world; you can adapt the routing tables of gateways and routers to your needs at any time. Once the prerequisites have been met, you can use a VM template (an Amazon Machine Image, AMI) to create a VM, in this case for the web server, and start it later. AWS VPN solutions such as Direct Connect [8] provide administrative access to the VPC.

You'll find the VPC Wizard under Services, in the Networking & Content Delivery section, under VPC. Clicking on Start VPC Wizard leads you through the process of creating a VPC in a few steps and offers various starting points; in this case, VPC with Public and Private Subnets. Remember to set the region you want to use in the top-right corner. We are starting with a Class B IPv4 address range for the VPC itself, as well as one private subnet and one public subnet with a Class C address range each. Both should initially be located in the same AZ. To connect the private subnet to the Internet, you can either use the NAT gateway offered below the subnet configuration and request an Elastic IP (EIP) address, or you can click on Use a NAT instance instead to the right if you want to set up the NAT gateway yourself (Figure 2).
This example will use the t2.micro NAT instance, which is included in the Free Tier option. You'll need a key pair to use the t2.micro NAT. Create two additional subnets, Private 2 and Public 2, in the second availability zone for the planned high-availability DB scenario under VPC / Your VPC / Subnets. You are free to choose which address ranges you want to use as long as they are within the IP address range of the VPC. One level above, in the VPC dashboard, you will see the entire inventory list, which currently consists of two VPCs (including one default VPC), two routing tables, two security groups, and, if applicable, a NAT gateway; I decided to use a dedicated VM as a NAT gateway. For this reason, an EIP public IP address has already been assigned.
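The subnet layout described above, as an added worked example that is not part of the article: a small Python script (standard library only) that checks a VPC/subnet plan offline before anything is created. It verifies that every subnet lies inside the VPC range, that no two subnets overlap, and that each AZ has both a public and a private subnet, and then renders the matching AWS CLI calls. The CIDRs, AZ names and subnet names are constructed to mirror the article's layout (one Class B VPC, Class C subnets, a second AZ for the HA database); $VPC_ID and $SUBNET_ID are placeholders for the ids the earlier CLI calls return.

```python
"""Validate a VPC/subnet plan offline, then render the AWS CLI calls for it.

Added example, not code from the article. Uses only the standard library.
"""
import ipaddress

# Constructed plan mirroring the article: a Class B VPC, one public and one
# private Class C subnet in the first AZ, and a second pair in a second AZ.
# AZ names are assumed values.
VPC_CIDR = "172.16.0.0/16"
PLAN = [
    {"name": "Public 1", "cidr": "172.16.0.0/24", "az": "eu-central-1a", "public": True},
    {"name": "Private 1", "cidr": "172.16.1.0/24", "az": "eu-central-1a", "public": False},
    {"name": "Public 2", "cidr": "172.16.2.0/24", "az": "eu-central-1b", "public": True},
    {"name": "Private 2", "cidr": "172.16.3.0/24", "az": "eu-central-1b", "public": False},
]


def validate_plan(vpc_cidr, plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    seen = []  # (name, network) of subnets already checked
    for s in plan:
        try:
            net = ipaddress.ip_network(s["cidr"], strict=True)
        except ValueError as exc:
            problems.append(f'{s["name"]}: invalid CIDR {s["cidr"]} ({exc})')
            continue
        # Every subnet must be carved out of the VPC's own address range
        if not net.subnet_of(vpc):
            problems.append(f'{s["name"]}: {net} is outside the VPC range {vpc}')
        # AWS rejects overlapping subnets in one VPC; catch it before the API does
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f'{s["name"]}: {net} overlaps {other_name} ({other})')
        seen.append((s["name"], net))

    # The HA layout needs a public and a private subnet in every AZ used
    by_az = {}
    for s in plan:
        by_az.setdefault(s["az"], set()).add("public" if s["public"] else "private")
    for az, kinds in sorted(by_az.items()):
        missing = {"public", "private"} - kinds
        if missing:
            problems.append(f"{az}: missing {', '.join(sorted(missing))} subnet")
    return problems


def render_cli(vpc_cidr, plan):
    """Render the AWS CLI calls that create the plan, with placeholder ids."""
    lines = [f"aws ec2 create-vpc --cidr-block {vpc_cidr}"]
    for s in plan:
        lines.append(
            f'aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block {s["cidr"]} '
            f'--availability-zone {s["az"]}'
        )
        if s["public"]:
            # Public subnets get Auto-assign Public IP, as the article sets in the wizard
            lines.append(
                "aws ec2 modify-subnet-attribute --subnet-id $SUBNET_ID "
                "--map-public-ip-on-launch"
            )
    return lines


if __name__ == "__main__":
    issues = validate_plan(VPC_CIDR, PLAN)
    if issues:
        print("plan rejected:")
        for issue in issues:
            print("  -", issue)
    else:
        print("\n".join(render_cli(VPC_CIDR, PLAN)))
```

Run it with a deliberately bad plan (a 10.0.0.0/24 subnet, or two subnets sharing a range) to see the checks fire; the rendered commands are meant to be pasted one at a time, substituting the real ids as each call returns them.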
Firewall and Network ACLs
Once you are accustomed to the usability and functionality of the AWS management interface and the logic of the various wizards, you will find it easy to create security groups or routing tables and install VMs from templates. I'll launch an initial security group called Web-SG to allow HTTP access to the newly created VPC; in the simplest case, you'll need an inbound rule of type HTTP for all incoming connections (Source 0.0.0.0/0). You can configure Network ACLs and Security Groups through the Security subsection (Figure 3). Network ACLs operate on all traffic that reaches or leaves the subnet; Security Groups, on the other hand, operate at instance level. In other words, security groups act as a firewall for the EC2 instance, while network ACLs act as a firewall at the subnet level. Note that there is a default network ACL that is virtually wide open.
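To make the difference between the two firewall layers concrete, here is an added Python model (not code from the article) of how each one decides on a packet. A security group holds allow rules only, a packet passes if any rule matches, and it is stateful, so the reply to an allowed request is let out without its own rule. A network ACL is an ordered list of numbered allow/deny rules, evaluated lowest number first, first match wins, ending in the implicit "*" deny; it is stateless, so the reply to a web request must match an outbound rule for the client's ephemeral port or it is dropped. The rule sets mirror the article's Web-SG (HTTP from 0.0.0.0/0), the NAT-SG (private subnets, ports 0-1024) and the wide-open default ACL; all addresses, the private subnet CIDRs and the ephemeral port are constructed.

```python
"""Model how a security group and a network ACL decide on a packet.

Added example, not code from the article or from AWS. Standard library only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp", "udp" or "icmp"
    port: int   # destination port of this packet


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", "icmp" or "all"
    from_port: int
    to_port: int
    cidr: str             # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"  # network ACLs only; security groups have no deny rules
    number: int = 0        # network ACLs only; evaluation order


def _matches(rule, packet, direction):
    """True if the packet falls within the rule's CIDR, protocol and port range."""
    addr = ipaddress.ip_address(packet.src if direction == "in" else packet.dst)
    if addr not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.proto not in ("all", packet.proto):
        return False
    return rule.from_port <= packet.port <= rule.to_port


def sg_allows(sg_rules, packet):
    """Security group: any matching rule permits; there is nothing else to match."""
    return any(_matches(r, packet, "in") for r in sg_rules)


def nacl_decide(nacl_rules, packet, direction):
    """Network ACL: walk rules by number, first match decides, else the implicit
    '*' rule denies. Returns (action, rule number)."""
    for r in sorted(nacl_rules, key=lambda r: r.number):
        if _matches(r, packet, direction):
            return r.action, r.number
    return "deny", "*"


def http_request_verdict(sg_rules, nacl_in, nacl_out, client_ip, server_ip, client_port=49152):
    """Trace one HTTP request and its reply through both layers.

    The security group is stateful, so the reply is allowed whenever the request
    was; the network ACL must match the reply separately on its way out.
    """
    request = Packet(client_ip, server_ip, "tcp", 80)
    reply = Packet(server_ip, client_ip, "tcp", client_port)
    request_ok = sg_allows(sg_rules, request)
    return {
        "nacl_in": nacl_decide(nacl_in, request, "in"),
        "sg": request_ok,
        "nacl_out": nacl_decide(nacl_out, reply, "out"),
        "sg_reply": request_ok,  # connection tracking, no rule needed
    }


# Constructed rule sets. CIDRs for the private subnets are assumed values.
WEB_SG = [Rule("tcp", 80, 80, "0.0.0.0/0")]                       # the article's Web-SG
NAT_SG = [Rule("tcp", 0, 1024, "172.16.1.0/24"),                   # the article's NAT-SG:
          Rule("tcp", 0, 1024, "172.16.3.0/24")]                   # private subnets, ports 0-1024
DEFAULT_NACL_IN = [Rule("all", 0, 65535, "0.0.0.0/0", "allow", 100)]  # default ACL: wide open
CUSTOM_NACL_IN = [Rule("tcp", 80, 80, "0.0.0.0/0", "allow", 100),
                  Rule("tcp", 22, 22, "0.0.0.0/0", "deny", 110)]
CUSTOM_NACL_OUT_BROKEN = [Rule("tcp", 80, 80, "0.0.0.0/0", "allow", 100)]  # no ephemeral-port rule
CUSTOM_NACL_OUT = CUSTOM_NACL_OUT_BROKEN + [Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 110)]

if __name__ == "__main__":
    for name, out_rules in (("broken", CUSTOM_NACL_OUT_BROKEN), ("fixed", CUSTOM_NACL_OUT)):
        print(name, http_request_verdict(WEB_SG, CUSTOM_NACL_IN, out_rules, "203.0.113.5", "172.16.0.10"))
```

The "broken" run shows the classic symptom of mistaking a network ACL for a security group: the request is admitted by both layers, yet the web server's reply dies at the subnet boundary with ("deny", "*") because nothing allows TCP 1024-65535 outbound.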
Creating the Virtual Web Server
Now you can set up the actual web server as a virtual instance. I will use the Amazon Linux AMI as a base template (Figure 4). The launch process is accompanied by an intuitive wizard. First select the instance type, the target VPC, and the subnet on which the new instance will reside. Auto-assign Public IP = Enable ensures that every new virtual network card added to this subnet automatically receives a public IP address. By the way, public IPs are volatile, in contrast to EIPs, meaning that, after a shutdown or reboot of the instance, they are replaced by a new IP address from the AWS pool for the region.
An EIP does not generate any extra costs, because as long as you are using it, Amazon is already earning money with the instance. Costs only arise if you do not use or assign an EIP. Amazon wants to prevent people from hoarding public IP addresses. In the Advanced Details area, you can specify a start configuration for the instance. For Linux machines, the technology is based on cloud-init; Windows systems work with PowerShell scripts. You could also create a script that installs the necessary services and performs some configuration tasks (Listing 1).
Listing 1
Installing Services
#!/bin/bash -ex
# Runs as cloud-init user data on first boot: update the system, install
# Apache, PHP and the MySQL client, and enable the web server.
yum -y update
yum -y install httpd php mysql php-mysql
chkconfig httpd on
/etc/init.d/httpd start
# Fetch and unpack the prepared web content only once
if [ ! -f /var/www/html/prep.tar.gz ]; then
    cd /var/www/html
    # wget ...: here could be a script that prepares the web server for interaction with the database
    tar xvfz prep.tar.gz
    chown apache:root /var/www/html/rds.conf.php
fi
As storage for the WWW root, I will use Elastic Block Storage (EBS) and choose Magnetic to avoid additional costs. In the beginning, AWS only supported local storage on the underlying commodity hardware. However, this is naturally volatile, because you cannot usually assume that your instance will start on the same underlying hardware after a relaunch. The launch instance wizard also runs through the creation and assignment of security groups. If you also want direct SSH access to the web server, you need to set up and assign another security group for SSH. A final click on Launch starts the instance. If SSH access is desired, AWS offers to generate a key pair and then download both keys (AWS does not store private keys in the cloud). After you click on View Instances, the new instance first appears in the instance list with the pending status, which changes to running after the time required for booting and processing cloud-init. The currently valid public IP appears as a column in the list; more details are revealed in the Description tab at the bottom. Access to the web server should work via the public IP. In this example, an EIP is not assigned. I use the Amazon Linux AMI to create an instance for the NAT server in the second AZ and a matching NAT-SG security group, within which the private subnets gain access to the NAT device via port range 0-1024.