Seneca Report Template
TELE20483
Lab 2: Construction of VPCs with private subnet with NAT Gateways

Submission Instructions: To be submitted via SLATE
Value: 12.5% of final grade
Due Date: March 17th, 2023

Learning Outcomes Covered in Assignment
1. Design and deploy virtual private clouds.
2. Plan IPv4 and IPv6 address allocation for virtual private clouds.
3. Configure IPv4 address subnetting in a cloud environment.
4. Enable controlled public access to network resources and services.
5. Configure private networks in a cloud.
6. Configure virtual gateways to access resources in the cloud.

Table of Contents
1. Assignment Outline
2. Assignment Details and Expected Outcomes
3. Network Connectivity Requirements
4. Submission Requirements
5. Assignment Grade Breakdown
6. Suggested Implementation Steps
7. Appendix – Artifacts to be included into the report

1. Assignment Outline
The objective of this assignment is to explore network connectivity in the Virtual Private Cloud. Students will deploy six EC2 instances, three in each of two VPCs in the same region. The instances are attached to public and private subnets and have different ingress and egress requirements: instances that must be reachable from the Internet are attached to public subnets (ingress from the Internet); instances that need access to the Internet but must not be reachable from it (Internet egress only) are deployed into a private subnet. To give the instances in the private subnets Internet access, a NAT gateway is deployed in each VPC. Students configure the VPC routers through route table definitions that match the requirements of each subnet. Students then configure VPC Peering between VPC-A and VPC-B and verify connectivity between instances in the peered VPCs. The topology may be built with Python (boto3) or the AWS Management Console.
2. Assignment Details and Expected Outcomes
In this assignment, the student is to perform the tasks below:
· Deploy three EC2 instances in each of VPC-A and VPC-B using a Python script with the boto3 library or the AWS Management Console. The instances should be deployed into the subnets specified in Figure 1 below.
· All instances should have the httpd web server installed. Each server should display the student's name and the hostname of the EC2 instance. Details of the expected submission artifacts are in the Appendix.
· Network connectivity should be implemented and verified according to Tables 1–4 below.
· Security Groups, Route Tables and Subnets should be configured so that the required connectivity works and nothing beyond it is allowed.

Figure 1: VPC-A and VPC-B Topology (the two VPCs are joined by VPC Peering)

Table 1: VPC-A CIDR and subnets
Network Component    CIDR
VPC-A                10.0.0.0/16
subnet-public-1      10.0.1.0/24
subnet-public-2      10.0.2.0/24
subnet-private-3     10.0.3.0/24

Table 2: VPC-B CIDR and subnets
Network Component    CIDR
VPC-B                192.168.0.0/16
subnet-public-1      192.168.1.0/24
subnet-public-2      192.168.2.0/24
subnet-private-3     192.168.3.0/24

3. Network Connectivity Requirements
The highlights of the connectivity requirements are outlined below; refer to Tables 3 and 4 for details.
· web-01 and web-02 accept SSH (from your laptop only) and HTTP (from anywhere) from the Internet.
· web-01 and web-02 can reach web-03 in their own VPC over SSH and HTTP.
· web-03 reaches the Internet only through its VPC's NAT gateway.
· No connection initiated from the Internet can reach web-03.
· web-01 in VPC-A can send an HTTP request (using curl) to web-03 in VPC-B over VPC Peering.

Table 3: Connectivity requirements for instances in their respective VPCs (X = no access)
Instance   From Internet                              To Internet                  To Web-01   To Web-02   To Web-03
Web-01     SSH from your laptop, HTTP from anywhere   Any access                   X           X           SSH, HTTP
Web-02     SSH from your laptop, HTTP from anywhere   Any access                   X           X           SSH, HTTP
Web-03     X                                          Any access via NAT gateway   X           X           X

Table 4: Connectivity requirements via VPC peering (X = no access)
From (VPC-A)   Web-01 in VPC-B   Web-02 in VPC-B   Web-03 in VPC-B
Web-01         X                 X                 HTTP
Web-02         X                 X                 X
Web-03         X                 X                 X

Explain
1. Why is the NAT gateway created in the public subnet? What happens if it is created in the private subnet instead?
2. Why can the web-03 instance not be reached from the Internet?
3. Why must VPCs connected via VPC peering have non-overlapping CIDR ranges? What happens if their ranges overlap?

4. Submission Requirements
Your submission should include:
1. A Python script named create_vpcs.py (optional, if you implemented the assignment with Python).
2. A Word document with:
   a. Screenshots of the AWS Management Console showing:
      i. VPCs
      ii. Subnets
      iii. Security groups
      iv. Route tables
      v. Connectivity verifications
   b. Answers to the "Explain" questions
See the Appendix for an example of a submission section.
Important Note: the screenshots in the report should be clearly labeled with captions and attributed to the section/functionality being demonstrated.

5. Assignment Grade Breakdown
1. Create VPC, subnets, IGW, NAT GW (10 points): create the VPCs and subnets with the correct CIDR ranges; create an IGW and attach it to the respective VPC; create the NAT GW in the correct subnet.
2. Route Tables (5 points): ensure the route tables are configured so that the private and public subnets behave as such.
3. Deploy EC2 instances hosting static websites and demonstrate the required connectivity inside the respective VPCs:
   · Connectivity to web-01 and web-02 in VPC-A (10 points)
   · Connectivity to web-03 in VPC-A (10 points)
   · Connectivity to web-01 and web-02 in VPC-B (10 points)
   · Connectivity to web-03 in VPC-B (10 points)
4. Create the peering connection and demonstrate that web-01 in VPC-A can send an HTTP request to web-03 in VPC-B; update route tables and security groups to allow that traffic flow (15 points).
5. Explain:
   · Why is the NAT GW created in the public subnet? What happens if we create it in the private subnet? (5 points)
   · Why can the web-03 instance not be reached from the Internet? (5 points)
   · Why must VPCs connected via VPC peering have non-overlapping CIDR ranges? What happens if their ranges overlap? (10 points)
6. Cleanup (10 points): demonstrate that all EC2 instances are deleted and the EC2 console shows no running instances; demonstrate that only the default VPC is left and that VPC-A and VPC-B have been deleted along with the other components you created.
Total: 100

Important Notes:
· Cleanup of all deployed infrastructure is crucial so that the AWS Academy budget lasts until the end of the course. NAT gateways in particular incur an hourly charge for as long as they exist, whether or not any traffic passes through them, so delete them (and release their Elastic IPs) as soon as the screenshots are taken.

6. Suggested Implementation Steps
1. Create the VPCs, subnets, Internet and NAT gateways, and route tables. All subnets should be in the same Availability Zone.
2. Create security groups for web-01, web-02 and web-03 and open inbound traffic only as the specification requires.
3. Create the web-01, web-02 and web-03 instances in VPC-A and VPC-B and verify connectivity against the specification. Bootstrap these VMs with User Data so that their landing page shows their hostname (which includes the private IPv4 address) and your name.
4. Create the peering connection between VPC-A and VPC-B. Update route tables and security groups. Verify connectivity by sending an HTTP request from web-01 in VPC-A to web-03 in VPC-B.
5. Clean up the infrastructure you created.
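Steps 1 and 4 above carried out with boto3, as an added example (not the course's reference solution and not a submission): one function builds a VPC with its public and private subnets, IGW, NAT gateway and the two route tables that make a subnet public or private; a second peers VPC-A to VPC-B with routes scoped to the two /24s Table 4 needs and refuses overlapping CIDRs. The Availability Zone, the Name tags and the DryRunEC2 class are assumptions: DryRunEC2 stands in for boto3.client("ec2"), records every call and hands back fake ids in the real response shapes, so the sequence can be checked offline; swapping in a real client (boto3.client("ec2", region_name=...)) deploys the same plan. Security groups and instances (steps 2 and 3) are not covered here.

```python
"""Build VPC-A and VPC-B (subnets, IGW, NAT GW, route tables) and peer them.
Added example for this lab sheet; AZ, tag names and DryRunEC2 are assumptions."""
import ipaddress
import types

VPC_A = {"name": "VPC-A", "cidr": "10.0.0.0/16",
         "public": ["10.0.1.0/24", "10.0.2.0/24"], "private": ["10.0.3.0/24"]}
VPC_B = {"name": "VPC-B", "cidr": "192.168.0.0/16",
         "public": ["192.168.1.0/24", "192.168.2.0/24"], "private": ["192.168.3.0/24"]}


def create_vpc_with_nat(ec2, spec, az):
    """Create one VPC and return the ids that later steps need."""
    vpc = ec2.create_vpc(CidrBlock=spec["cidr"])["Vpc"]["VpcId"]
    ec2.create_tags(Resources=[vpc], Tags=[{"Key": "Name", "Value": spec["name"]}])
    igw = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw, VpcId=vpc)

    def subnet(cidr):
        return ec2.create_subnet(VpcId=vpc, CidrBlock=cidr,
                                 AvailabilityZone=az)["Subnet"]["SubnetId"]
    public = [subnet(c) for c in spec["public"]]
    private = [subnet(c) for c in spec["private"]]
    for s in public:  # web-01/web-02 need a public IPv4 address at launch
        ec2.modify_subnet_attribute(SubnetId=s, MapPublicIpOnLaunch={"Value": True})

    # A subnet is "public" only because its route table sends 0.0.0.0/0 to the IGW.
    rt_public = ec2.create_route_table(VpcId=vpc)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rt_public, DestinationCidrBlock="0.0.0.0/0",
                     GatewayId=igw)
    for s in public:
        ec2.associate_route_table(RouteTableId=rt_public, SubnetId=s)

    # The NAT gateway goes in a public subnet: its Elastic IP reaches the Internet
    # only through that subnet's IGW route. In the private subnet it would have
    # no route out itself, and web-03's egress would fail with it.
    eip = ec2.allocate_address(Domain="vpc")["AllocationId"]
    nat = ec2.create_nat_gateway(SubnetId=public[0],
                                 AllocationId=eip)["NatGateway"]["NatGatewayId"]
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat])

    # Private subnet: 0.0.0.0/0 via the NAT gateway and no IGW route, so nothing
    # on the Internet can initiate a connection to web-03.
    rt_private = ec2.create_route_table(VpcId=vpc)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rt_private, DestinationCidrBlock="0.0.0.0/0",
                     NatGatewayId=nat)
    for s in private:
        ec2.associate_route_table(RouteTableId=rt_private, SubnetId=s)
    return {"vpc": vpc, "igw": igw, "nat": nat, "public": public, "private": private,
            "rt_public": rt_public, "rt_private": rt_private}


def peer_web01_to_web03(ec2, a, b, a_cidr, b_cidr, web01_cidr, web03_cidr):
    """Peer A -> B and add only the forward and return routes Table 4 needs."""
    if ipaddress.ip_network(a_cidr).overlaps(ipaddress.ip_network(b_cidr)):
        raise ValueError("peered VPCs must not overlap: AWS refuses the peering "
                         "and routing between the two ranges would be ambiguous")
    pcx = ec2.create_vpc_peering_connection(VpcId=a["vpc"], PeerVpcId=b["vpc"])
    pcx = pcx["VpcPeeringConnection"]["VpcPeeringConnectionId"]
    ec2.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx)  # same account
    # A's public route table is shared by web-01 and web-02; web-02 still cannot
    # reach web-03/B because B routes back only to web-01's /24 and web-03's
    # security group admits only that /24.
    ec2.create_route(RouteTableId=a["rt_public"], DestinationCidrBlock=web03_cidr,
                     VpcPeeringConnectionId=pcx)
    ec2.create_route(RouteTableId=b["rt_private"], DestinationCidrBlock=web01_cidr,
                     VpcPeeringConnectionId=pcx)
    return pcx


def build_lab(ec2, az="us-east-1a"):
    a = create_vpc_with_nat(ec2, VPC_A, az)
    b = create_vpc_with_nat(ec2, VPC_B, az)
    pcx = peer_web01_to_web03(ec2, a, b, VPC_A["cidr"], VPC_B["cidr"],
                              VPC_A["public"][0], VPC_B["private"][0])
    return {"A": a, "B": b, "pcx": pcx}


class DryRunEC2:
    """Offline stand-in for boto3.client("ec2"): records calls, returns fake ids."""
    _IDS = {"create_vpc": ("Vpc", "VpcId", "vpc"),
            "create_subnet": ("Subnet", "SubnetId", "subnet"),
            "create_internet_gateway": ("InternetGateway", "InternetGatewayId", "igw"),
            "create_route_table": ("RouteTable", "RouteTableId", "rtb"),
            "create_nat_gateway": ("NatGateway", "NatGatewayId", "nat"),
            "create_vpc_peering_connection": ("VpcPeeringConnection",
                                              "VpcPeeringConnectionId", "pcx")}

    def __init__(self):
        self.calls, self._n = [], 0

    def __getattr__(self, op):
        def call(*_, **kw):
            self.calls.append((op, kw))
            self._n += 1
            if op == "get_waiter":
                return types.SimpleNamespace(wait=lambda **_: None)
            if op == "allocate_address":
                return {"AllocationId": f"eipalloc-{self._n:08x}"}
            if op in self._IDS:
                outer, inner, prefix = self._IDS[op]
                return {outer: {inner: f"{prefix}-{self._n:08x}"}}
            return {}
        return call


if __name__ == "__main__":
    print(build_lab(DryRunEC2()))  # swap in boto3.client("ec2", region_name=...) to deploy
```

Each call maps one-to-one onto an EC2 API action and a console screen, so the same order works if you build the topology by hand. Against real AWS the NAT gateway waiter can take a minute or two, and the NAT gateway, its Elastic IP and the peering connection must be deleted explicitly during cleanup; deleting the VPC alone does not remove them.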
7. Appendix – Artifacts to be included into the report
1. Create VPC, subnets, IGW, NAT GW (the screenshots below are an example and demonstrate a subset of the required functionality)
   Figure 2: VPC-A CIDR and configuration
   Figure 3: VPC-A subnets
   Figure 3: public-subnet-2 routes in VPC-A
   Figure 4: private-subnet-3 routes
2. Create security groups for web-01, web-02 and web-03 and open inbound traffic based on the specification (the example shows the SG for web-01 in VPC-A only)
   Figure 5: Security group for web-01
   Figure 6: Security group for web-03
3. Create the web-01, web-02 and web-03 instances in VPC-A and verify connectivity based on the specification (the screenshots below are samples; the list is incomplete)
   a. Connectivity to web-01 from the laptop
      Figure 7: Verified that I can SSH and send an HTTP request to web-01 in VPC-A from my laptop
   b. Connectivity to web-03 from web-01
      Figure 8: Connecting to web-03 from web-01 using SSH and sending an HTTP request
   Note: web-03 has no public address, so the SSH session to it is opened from web-01. Use the command below to copy the private SSH key from your laptop to web-01 (the address was a literal IP in the original handout):
      scp -i assignment3.pem assignment3.pem <user>@<web-01 public IP>:/tmp
   This leaves a copy of the key on an Internet-facing host. An alternative that keeps the key on your laptop is to load it into ssh-agent and jump through web-01:
      ssh-add assignment3.pem
      ssh -J <user>@<web-01 public IP> <user>@<web-03 private IP>
4. Create the peering connection between VPC-A and VPC-B. Update route tables and security groups. Verify connectivity by sending an HTTP request from web-01 in VPC-A to web-03 in VPC-B.
5. Cleanup
   Cleanup task completed – there are no instances and only the default VPC.

Winter 2023
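Appendix items 2 and 3 as an added example (not the course's code and not a submission): the security-group ingress rules each role needs, written as the IpPermissions entries that ec2.authorize_security_group_ingress() accepts, plus an offline evaluator that runs Tables 3 and 4 as test cases against those rules and a lint for SSH left open to the world. The laptop address (from TEST-NET-3), the SG ids and the sample instance addresses are constructed. The evaluator models security groups only; the route tables (NAT egress, the peering routes) still have to be right for the real traffic to flow.

```python
"""Security-group plan for Tables 3 and 4 and an offline check of it.
Added example for this lab sheet; addresses and SG ids are assumptions."""
import ipaddress

LAPTOP_IP = "203.0.113.10"   # assumption: your laptop's public IP (TEST-NET-3)
ANYWHERE = "0.0.0.0/0"
SSH, HTTP = 22, 80


def ip_permission(port, cidr=None, source_sg=None):
    """One IpPermissions entry for a single TCP port."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    if source_sg:
        perm["UserIdGroupPairs"] = [{"GroupId": source_sg}]
    return perm


def sg_rules(vpc, web01_a_cidr="10.0.1.0/24"):
    """Ingress rules for the public tier (web-01, web-02) and the private tier
    (web-03) of one VPC. Egress stays at the SG default (allow all), which is
    the 'Any access' to the Internet in Table 3. SG ids are placeholders."""
    pub, priv = f"sg-{vpc}-public", f"sg-{vpc}-private"
    rules = {
        pub: [ip_permission(SSH, cidr=f"{LAPTOP_IP}/32"),   # a /32, never 0.0.0.0/0
              ip_permission(HTTP, cidr=ANYWHERE)],
        # web-03 trusts the public tier by SG reference rather than by CIDR: the
        # rule survives relaunches with new addresses, and nothing outside the
        # VPC can ever match it.
        priv: [ip_permission(SSH, source_sg=pub), ip_permission(HTTP, source_sg=pub)],
    }
    if vpc == "B":  # Table 4: only web-01 in VPC-A, only HTTP, over the peering
        rules[priv].append(ip_permission(HTTP, cidr=web01_a_cidr))
    return rules


def allowed(rules, dst_sg, port, src_ip, src_sg=None):
    """True if any ingress rule on dst_sg admits this source on this port.
    src_sg is the source instance's SG (None for hosts outside the VPCs); SG
    references only match instances of the same VPC, which the ids encode."""
    src = ipaddress.ip_address(src_ip)
    for perm in rules[dst_sg]:
        if not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
        if src_sg and any(p["GroupId"] == src_sg for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


# Tables 3 and 4 as cases: (what, dst_sg, port, src_ip, src_sg, expected).
# Constructed addresses; 198.51.100.7 plays "anyone on the Internet".
MATRIX = [
    ("laptop SSH -> web-01/A",    "sg-A-public",  SSH,  LAPTOP_IP,      None,           True),
    ("internet SSH -> web-01/A",  "sg-A-public",  SSH,  "198.51.100.7", None,           False),
    ("internet HTTP -> web-02/A", "sg-A-public",  HTTP, "198.51.100.7", None,           True),
    ("web-01/A SSH -> web-03/A",  "sg-A-private", SSH,  "10.0.1.10",    "sg-A-public",  True),
    ("web-02/A HTTP -> web-03/A", "sg-A-private", HTTP, "10.0.2.10",    "sg-A-public",  True),
    ("web-01/A SSH -> web-02/A",  "sg-A-public",  SSH,  "10.0.1.10",    "sg-A-public",  False),
    ("internet HTTP -> web-03/A", "sg-A-private", HTTP, "198.51.100.7", None,           False),
    ("web-01/A HTTP -> web-03/B", "sg-B-private", HTTP, "10.0.1.10",    "sg-A-public",  True),
    ("web-01/A SSH -> web-03/B",  "sg-B-private", SSH,  "10.0.1.10",    "sg-A-public",  False),
    ("web-02/A HTTP -> web-03/B", "sg-B-private", HTTP, "10.0.2.10",    "sg-A-public",  False),
    ("web-03/A HTTP -> web-03/B", "sg-B-private", HTTP, "10.0.3.10",    "sg-A-private", False),
]


def check_matrix(rules, matrix=MATRIX):
    """Return the cases whose SG verdict disagrees with the tables (empty = pass)."""
    return [what for what, dst, port, ip, sg, want in matrix
            if allowed(rules, dst, port, ip, sg) != want]


def world_open_ssh(rules):
    """Lint: SGs that expose port 22 to 0.0.0.0/0 (Table 3 allows the laptop only)."""
    return [sg for sg, perms in rules.items()
            if any(p["FromPort"] <= SSH <= p["ToPort"]
                   and any(r["CidrIp"] == ANYWHERE for r in p.get("IpRanges", []))
                   for p in perms)]


if __name__ == "__main__":
    plan = {**sg_rules("A"), **sg_rules("B")}
    print("mismatches:", check_matrix(plan), "| ssh open to world:", world_open_ssh(plan))
```

One cell the security groups cannot enforce on their own: with HTTP open from anywhere, web-01 can also fetch from web-02's private address, so the X between the two public instances in Table 3 holds for SSH but not for HTTP unless a network ACL is added. The evaluator therefore checks that cell for SSH only.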
Mar 06, 2023