VPC in the real world.

AWS, VPC, enterprise environments


When working with networking in AWS, the platform allocates a default VPC and all the components around it, so you can deploy an EC2 instance in a couple of clicks. In enterprise environments, however, the scenario is completely different: you need to create your own VPC following the best practices of the Well-Architected Framework. In this post we cover how to set up a VPC with public and private subnets following those practices, always with an enterprise vision.

Key components:

  1. Subnet
  2. Internet Gateway
  3. Security group

Diagram

Terraform


terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}


resource "tls_private_key" "ssh" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "generated_key" {
  key_name   = "terraform-pem"
  public_key = tls_private_key.ssh.public_key_openssh
}

# Writes the private key to the working directory with owner-only permissions;
# note that the key material is also kept in plaintext in the Terraform state
resource "local_file" "private_key" {
  content         = tls_private_key.ssh.private_key_pem
  filename        = "terraform.pem"
  file_permission = "0600"
}

# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "terraform_vpc" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true

  tags = {
    Name = "enterprise-week-1"
  }
}

resource "aws_internet_gateway" "terraform_vpc_internet_gateway" {
  vpc_id = aws_vpc.terraform_vpc.id
  tags = {
    Name = "Terraform"
  }
}

resource "aws_route_table" "terraform_aws_route_table" {
  vpc_id = aws_vpc.terraform_vpc.id

  # Default route to the internet through the IGW
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.terraform_vpc_internet_gateway.id
  }

  tags = {
    Name = "enterprise-week-1"
  }
}

# A subnet only uses this table once explicitly associated; otherwise it stays on the VPC main table (no internet route)
resource "aws_route_table_association" "terraform_subnet_app" {
  subnet_id      = aws_subnet.terraform_subnet_app.id
  route_table_id = aws_route_table.terraform_aws_route_table.id
}

resource "aws_route_table_association" "terraform_subnet_db" {
  subnet_id      = aws_subnet.terraform_subnet_db.id
  route_table_id = aws_route_table.terraform_aws_route_table.id
}


# Public subnet for the app tier: instances get a public IP at launch
resource "aws_subnet" "terraform_subnet_app" {
  vpc_id                  = aws_vpc.terraform_vpc.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true

  tags = {
    Name = "enterprise-week-1"
  }
}

# As written the db subnet also auto-assigns public IPs, so it is public as well
resource "aws_subnet" "terraform_subnet_db" {
  vpc_id                  = aws_vpc.terraform_vpc.id
  cidr_block              = "10.0.2.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true

  tags = {
    Name = "enterprise-week-1"
  }
}

# Allocated but not attached to any instance in this configuration
resource "aws_eip" "terraform_eip" {
  vpc = true

  tags = {
    Name = "enterprise-week-1"
  }
}

resource "aws_security_group" "terraform_security_app" {
  name   = "terraform_security_group-terraform_security_app"
  vpc_id = aws_vpc.terraform_vpc.id

  ingress {
    description      = "Acceso al puerto ICMP desde el exterior"
    from_port        = -1
    to_port          = -1
    protocol         = "icmp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  ingress {
    description      = "HTTP access"
    from_port        = 80
    to_port          = 80
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # Open to the world here; in an enterprise setup restrict cidr_blocks to a bastion or VPN range
  ingress {
    description      = "SSH access"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # Terraform removes AWS's implicit allow-all egress rule; without this block
  # the apt installs in user_data below cannot reach the internet
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "Terraform"
  }
}

resource "aws_security_group" "terraform_security_db" {
  name   = "terraform_security_group-terraform_security_db"
  vpc_id = aws_vpc.terraform_vpc.id

  ingress {
    description      = "Acceso al puerto ICMP desde el exterior"
    from_port        = -1
    to_port          = -1
    protocol         = "icmp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  ingress {
    description      = "SSH access"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # Exposes PostgreSQL to the internet; limiting the source to the app tier's
  # security group is the usual enterprise setting
  ingress {
    description      = "PostgreSQL access"
    from_port        = 5432
    to_port          = 5432
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # Terraform removes AWS's implicit allow-all egress rule; needed for user_data installs
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "Terraform"
  }
}


resource "aws_instance" "terraform_instance_app" {
  ami                    = "ami-053b0d53c279acc90"
  instance_type          = "t2.micro"
  key_name               = aws_key_pair.generated_key.key_name
  subnet_id              = aws_subnet.terraform_subnet_app.id
  vpc_security_group_ids = [aws_security_group.terraform_security_app.id]

  tags = {
    Name = "appmachine"
  }

  # Runs as root on first boot (the sudo prefixes are redundant but harmless)
  user_data = <<-EOF
              #!/bin/bash
              sudo apt update -y
              sudo apt-get install ec2-instance-connect -y
              sudo apt install openjdk-17-jre -y
              sudo apt install openjdk-17-jdk -y
              sudo apt install git -y
              sudo systemctl status sshd
              EOF
}


resource "aws_instance" "terraform_instance_db" {
  ami                    = "ami-053b0d53c279acc90"
  instance_type          = "t2.micro"
  key_name               = aws_key_pair.generated_key.key_name
  subnet_id              = aws_subnet.terraform_subnet_db.id
  vpc_security_group_ids = [aws_security_group.terraform_security_db.id]

  tags = {
    Name = "dbmachine"
  }

  user_data = <<-EOF
              #!/bin/bash
              sudo apt update -y
              sudo apt-get install ec2-instance-connect -y
              sudo apt install openjdk-17-jre -y
              sudo apt install openjdk-17-jdk -y
              sudo apt install git -y
              sudo systemctl status sshd
              EOF
}

###############################################################
output "server_private_ip" {
  value = [aws_instance.terraform_instance_db.private_ip, aws_instance.terraform_instance_app.private_ip]
}

output "server_public_dns" {
  value = [aws_instance.terraform_instance_db.public_dns, aws_instance.terraform_instance_app.public_dns]
}

output "server_public_ipv4" {
  value = [aws_instance.terraform_instance_db.public_ip, aws_instance.terraform_instance_app.public_ip]
}

output "server_id" {
  value = [aws_instance.terraform_instance_db.id, aws_instance.terraform_instance_app.id]
}


###############################################################
//terraform output -raw private_key > terraform.pem
output "private_key" {
  value     = tls_private_key.ssh.private_key_pem
  sensitive = true
}
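The configuration above leaves the db subnet public (it auto-assigns public IPs) and opens SSH and PostgreSQL to 0.0.0.0/0. The following is an added hardening example, not code from the original post: it replaces the post's db subnet and db security group with a private subnet (no public IPs, no association with the IGW route table) and a security group that accepts PostgreSQL only from the app tier's security group. It assumes the post's aws_vpc.terraform_vpc, aws_subnet.terraform_subnet_app and aws_security_group.terraform_security_app, and that only the app subnet is associated with the route table that holds the IGW default route.

```hcl
# Added hardening example, not the post's code. Replaces terraform_subnet_db and
# terraform_security_db; assumes the post's aws_vpc.terraform_vpc,
# aws_subnet.terraform_subnet_app and aws_security_group.terraform_security_app.

# Private subnet: no auto-assigned public IPs and no association with the route
# table that holds the IGW default route, so it stays on the VPC main route table
# (local routes only) and nothing in it is reachable from the internet.
resource "aws_subnet" "db_private" {
  vpc_id                  = aws_vpc.terraform_vpc.id
  cidr_block              = "10.0.2.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false

  tags = {
    Name = "enterprise-week-1-db-private"
  }
}

# DB security group: PostgreSQL only from the app tier, identified by its
# security group id rather than a CIDR; no ICMP, SSH or 5432 from 0.0.0.0/0.
resource "aws_security_group" "db_private" {
  name   = "terraform_security_group-db_private"
  vpc_id = aws_vpc.terraform_vpc.id

  ingress {
    description     = "PostgreSQL from app tier only"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.terraform_security_app.id]
  }

  # Terraform removes AWS's implicit allow-all egress; re-add only VPC-internal
  # traffic (a NAT gateway and a wider rule are needed if the host must run apt).
  egress {
    description = "Outbound within the VPC only"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.terraform_vpc.cidr_block]
  }

  tags = {
    Name = "Terraform-db-private"
  }
}
```

An instance launched into db_private has no path to the internet, so the apt installs from the post's user_data would not run there; a NAT gateway in the public subnet plus a second route table for the private subnet is the standard way to give it outbound-only access.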

Conclusion:

Creating your own VPC and subnets instead of relying on the default VPC is important for several reasons:

  1. Isolation: By creating subnets within a VPC, you can isolate the different components of your infrastructure. Each subnet can have its own security groups and network ACLs, allowing you to control traffic flow and strengthen the security of your applications.
  2. IP address management: A VPC gives you complete control over IP address ranges. By creating subnets, you can allocate specific IP ranges to different parts of your infrastructure, making it easier to manage and scale your resources and preventing IP address conflicts.
  3. Control of traffic flow: Subnets within a VPC are connected through route tables, which let you control how traffic flows between subnets and to the internet. This enables you to implement custom network architectures and connect resources securely.
  4. Enhanced security: Creating subnets within a VPC allows you to attach security groups and network ACLs that control inbound and outbound traffic, so you can implement fine-grained security policies to protect your applications and data.
  5. Flexibility and scalability: By creating subnets within a VPC, you can design and deploy your infrastructure according to your specific requirements, including spreading subnets across Availability Zones for high availability and scalability.

Overall, creating your own VPC and subnets rather than using the default VPC gives you greater control, security, and scalability for your infrastructure.
