Highly Available Virtual Private Cloud.

10 min readJul 1, 2023

In VPC we can build our own network in our account in the region we decided, we can decide public network, private network, can distribute our subnets into multiple available zones for high availability, can setup our own routing table, gateways etc. VPC is basically a logical datacentre within AWS region.

NAT and Internet Gateway:

Private subnet elements can access to the internet via nat gateway of public subnet, but what traffic of private subnet to be forward to the nat gateway is decided by route table.

Internet and nat gateway both are routers but internet gateway is direct to internet connections. An Internet Gateway is used to enable communication between a VPC and the internet.

It acts as a gateway to connect the VPC to the internet, allowing inbound and outbound internet traffic.
Internet Gateway provides a public IP address to instances within the VPC that require internet connectivity.
A NAT (Network Address Translation) Gateway allows instances within a private subnet to access the internet while preventing inbound internet traffic from reaching those instances.
It provides outbound internet connectivity for private instances by translating their private IP addresses to public IP addresses.

Now we will do some hands on VPC:

Tasks to be done in AWS:

NACL (Network access control list) is for subnets we can allow/deny inbound and outbound traffic to subnets, like SG for instances.

Bastion Host is the server also called jump server is to access private subnet means it stays in public subnet and you access this server then access to private subnets via this.

We will create VPC first:

Once we create a new VPC it will auto create a NACL and route table associated with it, but we will create our own:

Lets create four subnets now by selecting newly created VPC:

Second public subnet should be in other AZ for higher availability:

We have created two public subnets but there is nothing public about that once we attached the IG then it will become the public subnet:

Now create private subnets that on same two different AZ as done for public subnets:

Now create internet gateway for public subnets:

Once IG is created attach it to the VPC:

Now through route table we will attach IG to public subnets:

Now edit roues of IG:

Now we have made our public subnet to actual public because we attached IG to them.

Now create a NAT gateway for private subnets but remember to select the public subnet where NAT gateway will reside, because NAT gateway always reside in public subnet, Also allocate elastic ip to it:

Now create a route table for private subnets and also associate private subnet with it as did for vpro-pub-RT,

Also add default route toward nat gateway in vpro-pri-RT:

Any instance we launched in public subnet should get public ip automatically for that allow assign public ip in action tab of both public subnet.

Also enable DNS on pub subnets:

Now its time to use it by launching few instances:

Create a new centos t2.micro EC2 instance for our webserver by selecting your VPC and private subnet yes private subnet because it is better to put your all instances including webserver in private subnets and setup the load balancer in public subnet so instances will be save and also accessible from public.

We will use below mentioned script in user data section of EC2 instance to setup a web service on that:

You can also create new key pairs and new security group to make inbound and outbound policies for this instance like allow port 80 for web traffic etc.

VPC and security group:

Script to be use to in user data section to configure web services on this instance:

#!/bin/bash

# Variable Declaration

PACKAGE=”httpd wget unzip”

SVC=”httpd”

URL=’https://www.tooplate.com/zip-templates/2098_health.zip'

ART_NAME=’2098_health’

TEMPDIR=”/tmp/webfiles”

# Installing Dependencies

echo “########################################”

echo “Installing packages.”

echo “########################################”

sudo yum install $PACKAGE -y > /dev/null

echo

# Start & Enable Service

echo “########################################”

echo “Start & Enable HTTPD Service”

echo “########################################”

sudo systemctl start $SVC

sudo systemctl enable $SVC

echo

# Creating Temp Directory

echo “########################################”

echo “Starting Artifact Deployment”

echo “########################################”

mkdir -p $TEMPDIR

cd $TEMPDIR

echo

wget $URL > /dev/null

unzip $ART_NAME.zip > /dev/null

sudo cp -r $ART_NAME/* /var/www/html/

echo

# Bounce Service

echo “########################################”

echo “Restarting HTTPD service”

echo “########################################”

systemctl restart $SVC

echo

# Clean Up

echo “########################################”

echo “Removing Temporary Files”

echo “########################################”

rm -rf $TEMPDIR

echo

sudo systemctl status $SVC

ls /var/www/html/

Once we create EC2 instance we will not be able to access it because we have created it in private subnet even if we had public ip then we will not also be able to access it because all the traffic goes through NAT gateway, so we will create a Bastion Host to access this instance.

So first launch the bastion host as new EC2 instance, with amazon linux os, t2.micro instance type, select your own VPC but select the public subnet for this as bastion host server will reside in public subnet:

Note: Try to use CIS (Centre for internet security) amazon AMI os for bastion host that is not free, this is hardened machines because bastion host security is important if it is compromised then webster that is in private subnet will also be compromised because through bastion we will take ssh of webserver.

We will login to bastion host server from there will take ssh of webserver.

Edit the security group of webserver that bastion host will be able to take ssh session of webserver:

Now login the bastion host server from your laptop then save .pem key file of webster in bastion host server so that bastion host server will be able to take ssh of web server.

Now copying the webster key to bastion host server:

Now from bastion host server take ssh of webserver through its private ip:

Also make sure to assign only read permission to webserver key file so that no other than ec2-ser will be able to read or write in this key file:

Now check the web service status on webserver as we install web services on webster using bash scripts on user data section during server launching:

Now time to create a load balancer. We will go for application load balancer.

EC2→ load balancer→ create load balancer → application load balancer:

Create new security group for load balancer and allow port 80 from anywhere:

Create a target group where we will add our webserver instance:

Now select that target server in load balancer:

Go to target group and select target there and choose webserver as target so that target group will monitor health check for it if it is healthy then only traffic will be routed toward that target group instance:

Final thing, webserver security group should allow connection from load balancer so edit security group of webserver

Now to go your load balancer and copied DNS paste in your browser a website should appear, actually our request will first hit on load balancer on port 80 then load balancer will route the request to target group instance where we select our webserver:

So our website is accessible from the public but webserver is save in the private subnet. So for high availability we can create another webserver and in another private subnet and bastion host or jump server in another public subnet as we have created two private and public subnets:

Once both servers are created now go to target group and there select DR Webserver also same as we did for primary webserver so that target group will monitor the health of both if primary goes down our web services will host from DR webserver:

Now we have create two webservers now you can shut the primary ec2 webserver instance and refresh the browser our website will still be available through DR webserver.

You can also use any domain hosting for your load balancer we will use godaddy hosting to host our load balancer:

Website is accessible through our domain name:

Now we will do VPC peering, connecting two VPC together. If you want an instance at VPC A want to talk VPC B then there is option an VPC peering. You can do VPC peering across different regions, accounts

Lets create a new VPC in new region: