In one of the previous posts we created a custom VPC; now we’ll capture the traffic entering our VPC.

Flow Logs enable us to capture information about the IP traffic going to and from network interfaces in a VPC. Flow log data is stored in Amazon CloudWatch Logs.

Services-Networking & Content Delivery-VPC

Your VPCs:

Select your VPC and, from the Actions menu, click Create Flow Log.

We need to create an IAM role that allows the VPC flow log to write to CloudWatch Logs: click “Set Up Permissions”.

Now we need to create the destination log group: under Management Tools click CloudWatch.

Log groups define groups of log streams that share the same retention, monitoring, and access control settings.

Click Logs, then Create Log Group.

Now select your VPC again and, from the Actions menu, click Create Flow Log; click on any empty field, select the role and the destination log group, and click Create Flow Log.

Creating Log Streams

A log stream represents the sequence of events coming from the application instance or resource being monitored.

From CloudWatch click Logs, then click on the log group.

Click Create Log Stream.

Generate some traffic (refresh page)

After a few minutes we’ll see our log stream.

Click on it and you’ll see captured traffic
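
What those captured records look like and how to work with them, as an added example that is not part of the original post: a small parser for the default flow log record format, plus a summary of rejected flows per source address. Flow logs record connection metadata (addresses, ports, protocol, packet and byte counts and the ACCEPT/REJECT decision), not packet payloads. The records in SAMPLE_LOG are constructed, with a placeholder account id and ENI.

```python
"""Parse VPC Flow Log records (default version 2 format) and summarise
rejected traffic per source address. Added example, not code from the
original post; SAMPLE_LOG is constructed (placeholder account id and ENI)."""
from collections import defaultdict

# Field order of the default flow log record format (space separated).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

SAMPLE_LOG = """\
2 111111111111 eni-00000000000000000 198.51.100.7 10.0.2.204 54321 22 6 3 180 1418530010 1418530070 REJECT OK
2 111111111111 eni-00000000000000000 198.51.100.7 10.0.2.204 54322 23 6 2 120 1418530011 1418530070 REJECT OK
2 111111111111 eni-00000000000000000 198.51.100.7 10.0.2.204 54323 3389 6 2 120 1418530012 1418530070 REJECT OK
2 111111111111 eni-00000000000000000 10.0.1.15 10.0.2.204 40000 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 111111111111 eni-00000000000000000 - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per record that carries traffic data. NODATA / SKIPDATA
    records have '-' in the traffic fields (no traffic in the window or
    capacity exceeded) and are skipped rather than treated as a parse error."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """Map each source address to the destination ports it was refused on.
    action is ACCEPT or REJECT as decided by security groups and network ACLs;
    one source refused on many distinct ports is the pattern to alert on."""
    hits = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            hits[rec["srcaddr"]].add(rec["dstport"])
    return dict(hits)
```

The same parser applies to records exported from the CloudWatch log group, one record per line.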

 

Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.

From the AWS console click on CloudWatch under Management Tools.

Then click on Dashboard

Give the dashboard a name.

Choose a layout.

Choose a metric.

Select the monitoring interval.

Creating alarm

Click Alarms

And choose a metric.

And click Next

Select the monitoring interval and define the email subscription.

Confirm the email address.

In an earlier post we enabled internet access for the “private” network using a NAT instance; in this post we’ll do the same using a NAT Gateway.

Services-VPC-NAT Gateways-Create NAT Gateway

Select the “public” subnet (the subnet with internet access), then choose an existing or create a new Elastic IP allocation (an Elastic IP address is a public IPv4 address reachable from the Internet).

Click Edit Route Tables

As in the previous post’s example, select the route table without a subnet association (the default route table), click Routes, then Edit; set 0.0.0.0/0 as the destination and, in the target column (the one showing local for the existing route), select the NAT Gateway.

As in the previous post’s example, SSH from the internet-facing VM to the VM on the private subnet and try to install a package or update the VM.

In the previous post we associated a subnet with a route table so that VMs in that subnet can access the Internet.

In this one we’ll enable internet access for a subnet that is not associated with that route table.

I created a 10.0.2.0/24 subnet not associated with the route table and a 10.0.1.0/24 subnet with internet access.

I created a new AWS instance and assigned it to the “private” subnet.

To enable internet access we need to create a NAT instance. In the Launch Instance wizard, at the step where we choose the Amazon Machine Image, click Community AMIs, under Operating system select Amazon Linux, type NAT in the search box and choose any of the NAT images.

For Network choose the custom VPC (created in this post) and select the “routable” subnet (the one with internet access).

It’s essential that the NAT instance’s security group allows HTTP/HTTPS traffic to the NAT instance (the private subnet’s traffic leaves through it, so anything the group blocks never reaches the internet).

After the instance starts, select it and from Actions select Networking, then Change Source/Dest. Check.

Disable the source/destination check (by default an instance only handles traffic where it is itself the source or the destination; a NAT instance forwards traffic on behalf of other machines, so the check must be off).

Services-VPC-Route Tables-select the route table-Routes-Edit

Add another route

Type 0.0.0.0/0 as the destination and, as the target, select the NAT instance.

Because our VM on the private network is not reachable from the internet, we need to access it “indirectly”, via the internet-reachable VM.

After connecting to the internet-facing VM, copy the contents of the .pem file, create a new file on the instance and paste the contents from the clipboard. (This leaves a copy of the private key on the internet-facing host; SSH agent forwarding or a ProxyJump configuration reaches the private VM without copying the key anywhere.)

Try connecting to the VM on the private network:

# ssh refuses a private key that is readable by other users
chmod 400 1.pem
ssh -i 1.pem ec2-user@10.0.2.204

A Virtual Private Cloud (VPC) is a custom, isolated network in the Amazon cloud in which we define the network layout (subnets, route tables, network ACLs, ...).

In the AWS console click VPC under Networking & Content Delivery.

Your VPCs-Create VPC

The CIDR block size must be between /16 and /28.

Tenancy: Default uses shared hardware; Dedicated runs the VPC’s instances on dedicated hardware (which incurs extra cost).

After creating the VPC, a route table and a network ACL are created automatically.

Creating subnets

From the VPC dashboard click Subnets, then Create Subnet.

Under Availability Zone choose an AZ or let AWS choose it for you (No Preference).

By default, public IP addresses won’t be assigned automatically to VMs launched in the subnet.

Click on the subnet, then Subnet Actions, then Modify auto-assign IP settings.

Click Auto-assign IPs

Three addresses in each subnet are reserved:

1 - VPC router
2 - DNS server
3 - future use

Creating Internet Gateway

We need an internet gateway in order to allow access to our VPC from the internet.

Internet Gateway-Create Internet Gateway

Bind the gateway to the VPC: click Attach to VPC.

Edit the route table

We need to allow internet access from the subnet.

Route Tables-click on the route table (created during VPC creation)-Subnet Associations-Edit

Tick the check-box to associate the subnet with the route table.

Click on Routes, then Add another route.

Enter the route (destination 0.0.0.0/0, target the internet gateway).

Create a new EC2 instance, select our VPC and under Subnet choose the subnet we created.

Amazon Elastic File System (Amazon EFS) provides scalable file storage for use with Amazon EC2 instances in the AWS Cloud.

In the AWS console click EFS under Storage.

Click Create file system.

Select the availability zones in which you want this EFS to be available.

Set the name and performance mode.

Click Amazon EC2 mount instructions

Because I’m using an Amazon image, I only need to use one command (the last one); copy it to the clipboard.

The VM to which we want to attach the EFS needs to be a member of the default security group.

Click on the VM, then Actions, Networking, Change Security Groups.

Click on the default one, then in the VM create a new folder (the mount point) and mount the EFS:

# create the mount point; the same path must be used in the mount command
sudo mkdir /mount
# mount options are passed with -o; the DNS name is the one shown in the EC2 mount instructions
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 fs-f2dc103b.efs.eu-west-1.amazonaws.com:/ /mount
# verify that the file system is mounted
findmnt | grep '/mount'

Auto Scaling is a mechanism which ensures that enough Amazon EC2 instances are available to handle the load of an application. We create collections of EC2 instances called Auto Scaling groups. We can specify the minimum number of instances in each Auto Scaling group, and Auto Scaling ensures that the group never goes below this size.

In this example we’ll create a highly available web server.

In an earlier post we created an EC2 instance; during creation we can specify a bootstrap (user data) script which automatically configures the VM.

I uploaded an example HTML file to one of my buckets and didn’t specify any permissions.

This file will be copied to the Amazon VM during its creation; we’ll also install Apache via the bootstrap script.

I created a role and assigned it the AmazonS3FullAccess policy.

#!/bin/bash
# EC2 user data runs as root on first boot, so no sudo is needed
yum install httpd -y
yum update -y
# copy the page from the bucket using the credentials of the instance's IAM role
aws s3 cp s3://bucket-irleand/index.html /var/www/html/index.html
service httpd start
# start Apache automatically on every boot
chkconfig httpd on

This role will be specified during VM creation (the EC2 instance is in the same region as my bucket, Ireland).

Creating Elastic Load Balancer

Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances; it enables fault tolerance in applications.

Services-EC2-Load Balancers

Create Load Balancer

Application Load Balancers route traffic at the application layer (OSI layer 7); the Classic Load Balancer works at OSI layer 4.

Choose subnets and protocols

We got a warning because we don’t have SSL certificates.

Create a new or choose an existing security group.

Create a new target group, choose the port and protocol and specify the health check path (if the path doesn’t exist, the health check fails and the load balancer treats the instances as out of service).

Healthy threshold: number of consecutive successful health checks before an instance is considered healthy.

Unhealthy threshold: number of consecutive failed health checks before an instance is considered unhealthy.

Timeout: number of seconds to wait for a response before a health check counts as failed.

Interval: number of seconds between health checks.

In the Instances section select the instance which will be part of the balancer and click Add to registered; the instance will show in the Registered instances field.

Copy the load balancer’s DNS name into the browser and test access.

Now click Launch Configurations.

Click Create Auto Scaling Group

Then click Create Launch Configuration

Add the IAM role (as we did for the first machine) and specify the same bootstrap script.

Add Storage

Specify the security group and key pair.

Specify the number of instances and the subnets (one instance will be created in every subnet).

Click Advanced and specify the load balancer; because I created an Application Load Balancer I need to specify the target group created earlier and select the health check type.

Specify the Health Check Grace Period; in our case this is the time needed for the bootstrap script to execute, so if our script needs more time we need to specify it here.
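
How the four health check settings from the target group section (healthy and unhealthy thresholds, timeout, interval) and the grace period interact, as an added example that is not code from the original post: the probe outcomes are a constructed sequence rather than real HTTP requests, and the timing function is a simple model of probes sent every interval seconds.

```python
"""Model the target health-check thresholds and the Auto Scaling health check
grace period. Added example, not code from the original post; the probe
outcomes are a constructed sequence, not real HTTP requests."""
from dataclasses import dataclass


@dataclass
class HealthCheck:
    healthy_threshold: int = 5    # consecutive successes before healthy
    unhealthy_threshold: int = 2  # consecutive failures before unhealthy
    timeout: int = 5              # seconds to wait for a response
    interval: int = 30            # seconds between probes


def evaluate(outcomes, cfg, state="unhealthy"):
    """Return the target's state after each probe in outcomes.

    outcomes holds "ok", "fail" or "timeout"; a timeout is a failure. The run
    counters reset whenever the result flips, so only *consecutive* results
    move the state: an instance that alternates ok/fail never changes state.
    """
    successes = failures = 0
    history = []
    for outcome in outcomes:
        if outcome == "ok":
            successes, failures = successes + 1, 0
            if successes >= cfg.healthy_threshold:
                state = "healthy"
        else:
            failures, successes = failures + 1, 0
            if failures >= cfg.unhealthy_threshold:
                state = "unhealthy"
        history.append(state)
    return history


def seconds_until_unhealthy(cfg):
    """Simple timing model: probes go out every `interval` seconds and a dead
    target makes each one wait the full `timeout`, so the unhealthy verdict
    comes (unhealthy_threshold - 1) * interval + timeout seconds after the
    first failing probe."""
    return (cfg.unhealthy_threshold - 1) * cfg.interval + cfg.timeout


def should_replace(instance_age_s, state, grace_period_s):
    """Auto Scaling does not act on an unhealthy ELB verdict until the grace
    period has elapsed, which is why it must cover the bootstrap script's run
    time; otherwise a still-booting instance would be terminated and replaced."""
    return state == "unhealthy" and instance_age_s > grace_period_s
```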

Create Auto Scaling Group

And tags:

After the Auto Scaling group starts to initialize, new AWS instances will be created with our HTML file copied from the bucket and the Apache service installed, so if any of those instances fails, the others will take over.