Building Your Own Cloud Network on AWS: A Beginner’s Guide

Ayushmaan Srivastav
Aug 3, 2024

Introduction:

Welcome to the world of cloud computing! If you’re new to Amazon Web Services (AWS) and want to set up your own virtual network, you’ve come to the right place. In this guide, we’ll walk you through the process of creating a Virtual Private Cloud (VPC) with public and private subnets, and launching instances within it. Don’t worry if these terms sound complicated; we’ll explain everything in simple, easy-to-understand language.

Why This Blog Matters

In today’s digital world, cloud computing is a game-changer. It allows businesses and individuals to manage their computing resources over the internet instead of relying on physical hardware. This blog aims to make cloud networking concepts accessible to beginners by explaining them in simple terms and guiding you through a practical setup. Understanding these concepts will help you harness the power of cloud computing for personal projects, learning, or even for career advancement.

Key Concepts and Their Importance

1. What is a Virtual Private Cloud (VPC)?

  • Definition: A Virtual Private Cloud (VPC) is like your own private network within the cloud. It allows you to create and manage your virtual network environment.
  • Importance: A VPC gives you control over your network configuration, such as IP addresses, subnets, and route tables. This control lets you isolate your resources from each other and from the internet, and organize them according to your needs.

2. Subnets: Public and Private

  • Public Subnet:
      • Definition: A public subnet is a section of your VPC where resources can directly access the internet.
      • Importance: Resources in a public subnet can be reached from anywhere, making it ideal for web servers or applications that need to be publicly available.
  • Private Subnet:
      • Definition: A private subnet is a section of your VPC that does not have direct access to the internet.
      • Importance: Resources in a private subnet are shielded from the internet, enhancing security. It is ideal for databases or backend services that should not be exposed to external traffic.

3. Internet Gateway

  • Definition: An Internet Gateway is a component that connects your VPC to the internet.
  • Importance: Without an Internet Gateway, resources in your VPC cannot communicate with the outside world. It allows your public subnet resources to access the internet and vice versa.

4. Route Tables

  • Definition: A Route Table is like a traffic guide that tells your network where to send data packets.
  • Importance: Proper routing ensures that data flows efficiently between your resources and the internet. For example, a route table associated with a public subnet will direct traffic to the Internet Gateway.

5. Security Groups

  • Definition: Security Groups are virtual firewalls that control incoming and outgoing traffic to your resources.
  • Importance: They protect your resources by defining rules for which traffic is allowed or denied. For example, you might set rules to allow web traffic (HTTP/HTTPS) while blocking other types.

6. Key Pairs

  • Definition: Key Pairs are used to securely access your EC2 instances via SSH.
  • Importance: They ensure that only authorized users can connect to your instances, adding a layer of security.

The Practical Setup: An Overall Idea

1. Creating a VPC:

  • Purpose: Establish your private network in the cloud.
  • How-To: Use the AWS CLI to create a VPC with a specific IP range. Tag it with a name for easy identification.

2. Setting Up Subnets:

  • Purpose: Divide your VPC into public and private areas.
  • How-To: Create subnets for different purposes. Assign one as a public subnet (for internet-facing resources) and another as a private subnet (for secure, internal resources).

3. Configuring an Internet Gateway:

  • Purpose: Connect your VPC to the internet.
  • How-To: Create and attach an Internet Gateway to your VPC. Update the route table of your public subnet to direct traffic through this gateway.

4. Managing Traffic with Route Tables:

  • Purpose: Guide data traffic within your VPC.
  • How-To: Create and configure route tables to ensure proper traffic flow between subnets and the internet.

5. Implementing Security Groups:

  • Purpose: Protect your resources by controlling network access.
  • How-To: Create security groups with rules that define what traffic is allowed in and out of your resources.

6. Creating Key Pairs:

  • Purpose: Securely access your EC2 instances.
  • How-To: Generate a key pair and use it to connect to your EC2 instances.

Prerequisites

Before starting the process of setting up a cloud network on AWS, it is important to ensure that the following prerequisites are met:

1. AWS Account

  • Requirement: To utilize AWS services, you must have an active AWS account. This account provides access to the AWS Management Console and AWS CLI.
  • Action: Sign up for an AWS account at aws.amazon.com.

2. AWS CLI Installation

  • Requirement: The AWS Command Line Interface (CLI) must be installed on your local computer. The CLI allows you to interact with AWS services via command-line commands.
  • Action:
      • For Windows users: Download and install the AWS CLI from the AWS CLI installation guide.
      • For macOS users: Install using Homebrew with the command brew install awscli.
      • For Linux users: Follow the installation instructions provided on the AWS CLI installation page.

3. Configured AWS CLI

  • Requirement: The AWS CLI must be configured with your AWS credentials and default settings. This configuration allows the CLI to authenticate and execute commands on your behalf.
  • Action: Configure the CLI using the command:

aws configure

  • Provide your AWS Access Key ID, Secret Access Key, default region, and desired output format when prompted.

4. Basic Understanding of AWS Concepts

  • Requirement: A fundamental understanding of key AWS concepts such as Virtual Private Cloud (VPC), subnets, security groups, and EC2 instances is essential for effectively setting up and managing resources.
  • Action: Review AWS documentation and training resources, such as the Introduction to Amazon EC2 and the AWS Cloud Practitioner Essentials.

5. IAM Permissions

  • Requirement: Proper IAM (Identity and Access Management) permissions are necessary to create and manage VPCs, subnets, security groups, and EC2 instances.
  • Action: Ensure that your IAM user has the appropriate permissions to perform these actions. If needed, consult with your AWS administrator to obtain the required access.

Step 1: Setting Up Your Virtual Playground (VPC)

Think of a VPC as your own private playground in the cloud. It’s a space where you can create and manage your virtual resources. Let’s create one!

Command:

aws ec2 create-vpc --cidr-block 192.168.0.0/16 --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=ayushvpc}]"

  • 192.168.0.0/16: This is the address space for your playground. It’s like your neighborhood’s postal code but for computers.
  • ayushvpc: This is the name of your playground. You can name it anything you like!

Step 2: Adding Internet Access (Internet Gateway)

To connect your playground to the internet, you need an Internet Gateway. It’s like the gate of your playground that allows you to go out and come in.

Command:

aws ec2 create-internet-gateway

Tag it:

aws ec2 create-tags --resources <InternetGatewayId> --tags Key=Name,Value=ayush-igw

Replace <InternetGatewayId> with the ID from the first command’s output.

Step 3: Creating Your Neighborhood (Subnets)

Now, let’s divide your playground into two areas: a public area where anyone can visit, and a private area just for you.

Public Subnet:

aws ec2 create-subnet --vpc-id <VPC_ID> --cidr-block 192.168.1.0/24 --availability-zone <AZ> --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=public-subnet}]"

Private Subnet:

aws ec2 create-subnet --vpc-id <VPC_ID> --cidr-block 192.168.2.0/24 --availability-zone <AZ> --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=private-subnet}]"

  • 192.168.1.0/24 and 192.168.2.0/24: These are smaller parts of your playground. The public one is open to everyone, and the private one is for restricted access.
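Before running the create-subnet commands it is worth checking that the subnet ranges actually fit inside the VPC range and do not overlap each other. The following Python script is an added example (not part of the original post) that validates the post's 192.168.0.0/16 plan with the standard library's ipaddress module; the usable-address count subtracts the five addresses AWS reserves in every subnet.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast), so they can't be assigned.
AWS_RESERVED_PER_SUBNET = 5


def check_subnet_plan(vpc_cidr, subnets):
    """Validate an IPv4 subnet plan against the VPC CIDR.

    subnets: dict of name -> CIDR, e.g. the post's public/private subnets.
    Returns (errors, usable): errors is a list of problems (empty when the
    plan is fine), usable maps each subnet to its assignable address count.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    errors, usable, nets = [], {}, {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            continue
        nets[name] = net
        # Every subnet must lie entirely inside the VPC's address space.
        if not net.subnet_of(vpc):
            errors.append(f"{name} {cidr} is not inside VPC {vpc_cidr}")
        # AWS only accepts subnet masks between /16 and /28.
        if not 16 <= net.prefixlen <= 28:
            errors.append(f"{name} {cidr}: prefix must be between /16 and /28")
        usable[name] = max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)
    # Subnets inside one VPC may not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                errors.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return errors, usable


if __name__ == "__main__":
    # The post's plan: a /16 VPC split into a public and a private /24.
    plan = {"public-subnet": "192.168.1.0/24", "private-subnet": "192.168.2.0/24"}
    errs, use = check_subnet_plan("192.168.0.0/16", plan)
    print("problems:", errs or "none")
    print("usable addresses per subnet:", use)
```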

Step 4: Connecting the Public Subnet to the Internet

To let the public subnet access the internet, we need a Route Table, which is like a map that tells data where to go.

Create Route Table:

aws ec2 create-route-table --vpc-id <VPC_ID> --tag-specifications "ResourceType=route-table,Tags=[{Key=Name,Value=public-route-table}]"

Add Route to Internet:

aws ec2 create-route --route-table-id <ROUTE_TABLE_ID> --destination-cidr-block 0.0.0.0/0 --gateway-id <InternetGatewayId>

Associate with Public Subnet:

aws ec2 associate-route-table --route-table-id <ROUTE_TABLE_ID> --subnet-id <PUBLIC_SUBNET_ID>

This setup ensures that anything in the public subnet can access the internet, and vice versa.

Step 5: Getting Online (Assigning Public IPs)

We want our public area to be easily accessible, so we need to make sure it assigns public IPs automatically.

Command:

aws ec2 modify-subnet-attribute --subnet-id <PUBLIC_SUBNET_ID> --map-public-ip-on-launch

This step ensures that any instance (like a virtual computer) launched in the public subnet gets a public IP.

Step 6: Security First (Creating a Security Group)

A Security Group in AWS is like a firewall that protects your playground. Let’s create one that allows all types of traffic, but be careful with this in real-life scenarios!

Create Security Group:

aws ec2 create-security-group --group-name allow-all-sg --description "Security group allowing all traffic" --vpc-id <VPC_ID>

Allow All Inbound Traffic:

aws ec2 authorize-security-group-ingress --group-id <GroupId> --protocol all --port all --cidr 0.0.0.0/0

Allow All Outbound Traffic:

aws ec2 authorize-security-group-egress --group-id <GroupId> --protocol all --port all --cidr 0.0.0.0/0

Special Note on Security Group Rules

When working with AWS security groups, it’s important to understand that every new security group comes with a default rule allowing all outbound traffic. Unless you’ve explicitly removed that rule, trying to add the same allow-all egress rule again fails with a duplicate-rule error.

Error Scenario: If you run a command to authorize outbound traffic, such as:

aws ec2 authorize-security-group-egress --group-id <GroupId> --protocol all --port all --cidr 0.0.0.0/0

You might see an error message like:

An error occurred (InvalidPermission.Duplicate) when calling the AuthorizeSecurityGroupEgress operation: the specified rule "peer: 0.0.0.0/0, ALL, ALLOW" already exists

What Does This Mean? The rule you’re trying to add is already present in the security group. Because AWS security groups allow all outbound traffic by default, your group was already configured to allow all outbound traffic before you ran the command.

What Should You Do?

  • Verify Existing Rules: Use the describe-security-groups command to check the current rules of your security group:

aws ec2 describe-security-groups --group-ids <GroupId>

  • Modify Rules if Needed: If you need to change or remove rules, you can use the revoke-security-group-egress command to remove existing rules and then re-add them if necessary:

aws ec2 revoke-security-group-egress --group-id sg-06363f47431607301 --protocol all --port all --cidr 0.0.0.0/0

This special note helps clarify why you might encounter duplicate rule errors and how to address them effectively.
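To see at a glance what the allow-all group from Step 6 exposes, the following Python script is an added example (not from the original post) that audits the JSON printed by describe-security-groups and flags every rule open to 0.0.0.0/0 or ::/0. The sample it runs on is constructed in the shape that command returns, and the group ID in it is made up.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}


def _cidrs(rule):
    # describe-security-groups lists IPv4 and IPv6 ranges under separate keys.
    yield from (r["CidrIp"] for r in rule.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))


def audit_security_groups(describe_output):
    """Return (group_id, direction, severity, detail) tuples.

    describe_output: parsed JSON from describe-security-groups.
    critical = all protocols/ports open to the world on ingress;
    info = the allow-all egress rule AWS puts on every new group;
    warning = one port range open to the world (expected for 443 on a web
    tier, worth a second look for 22 or a database port).
    """
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for rule in sg.get(key, []):
                proto = rule.get("IpProtocol")  # "-1" means all protocols
                for cidr in _cidrs(rule):
                    if cidr not in WORLD:
                        continue
                    if proto == "-1":
                        sev = "critical" if direction == "ingress" else "info"
                        detail = f"all protocols/ports to {cidr}"
                    else:
                        sev = "warning"
                        detail = f"{proto} {rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}"
                    findings.append((sg["GroupId"], direction, sev, detail))
    return findings


# Constructed sample (group id is made up): the post's allow-all-sg after the
# Step 6 ingress command. The egress rule is the one AWS adds to every new
# group, which is why authorizing it again fails with InvalidPermission.Duplicate.
SAMPLE = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0",
 "GroupName": "allow-all-sg",
 "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
 "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE):
        print(*finding)
```

Only the ingress finding is rated critical; the egress one is the default every group ships with.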

Step 7: Launching Your Virtual Computers (Instances)

Now, let’s bring some life into our playground by launching virtual machines, known as instances. We’ll create one in the public area and another in the private one.

Public Instance:

aws ec2 run-instances --image-id <AMI_ID> --count 1 --instance-type <INSTANCE_TYPE> --key-name <KEY_PAIR_NAME> --subnet-id <PUBLIC_SUBNET_ID> --associate-public-ip-address --security-group-ids <SECURITY_GROUP_ID> --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=public-instance}]"

Private Instance:

aws ec2 run-instances --image-id <AMI_ID> --count 1 --instance-type <INSTANCE_TYPE> --key-name <KEY_PAIR_NAME> --subnet-id <PRIVATE_SUBNET_ID> --security-group-ids <SECURITY_GROUP_ID> --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=private-instance}]"

Special Note on Key Pairs

When launching EC2 instances, a key pair is essential for secure SSH access. Key pairs consist of a public key and a private key, which work together to allow you to connect to your instances securely.

Why Key Pairs Matter:

  • Security: The private key remains with you and is used to authenticate access to your instance. The public key is placed on the instance.
  • Access: Without the private key, you won’t be able to access your instance.

Creating a Key Pair: In the blog, we assumed you have a key pair ready. However, if you don’t have one, you’ll need to create it before launching instances. Here’s how to create a key pair using the AWS CLI:

1. Create a Key Pair:

aws ec2 create-key-pair --key-name <KEY_PAIR_NAME> --query 'KeyMaterial' --output text > <KEY_PAIR_NAME>.pem

2. Set Permissions for Your Key File:

Ensure the private key file has the correct permissions:

chmod 400 <KEY_PAIR_NAME>.pem

3. Using the Key Pair: When launching your instance, specify the key pair name with the --key-name parameter:

aws ec2 run-instances --image-id <AMI_ID> --count 1 --instance-type <INSTANCE_TYPE> --key-name <KEY_PAIR_NAME> --subnet-id <SUBNET_ID> --security-group-ids <SECURITY_GROUP_ID> --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=example-instance}]'

Important Reminder:

  • Backup Your Private Key: Store it securely. Losing your private key means losing access to your instance.
  • No Key Pair: If you didn’t create a key pair at launch time, you won’t be able to connect to the instance via SSH later. You’d need to create a new instance or use other methods to access it.

Conclusion:

Congratulations! You’ve just set up a VPC with public and private subnets, connected it to the internet, created security rules, and launched instances in AWS. This is a fundamental skill for anyone looking to dive into cloud computing, and you’ve done it in a simple, straightforward way.
