Creating a new VPC
VPC's are where everything in AWS lives. It stands for Virtual Private Cloud.
To create a new VPC, search for VPC in the console, go to 'Your VPCs' and click 'Create VPC'.
Give the VPC a meaningful name. Next is assigning the IPv4 CIDR block. This is IP range that you can later create subnets within (more on that later). It is a good idea to reserve as big a block as possible for this as you cannot extend these. You can however add an additional CIDR block to the VPC but depending on what you have specified for the starting block, you may be unable to continue on directly from that. I typically create a /16 VPC for example 10.30.0.0/16. This gives you IP's starting at 10.30.0.1 to 10.30.255.255.
There is no need to create an IPv6 CIDR block at this time.
Tenancy can be left as Default.
There is no need to add Tags unless you want to use this for billing tracking.
Click on Create VPC and it will be created.
Creating a new subnet
In the left hand menu under where you selected 'Your VPCs', you will see 'Subnets'. Open this and click 'Create subnet'.
Here you will be asked to select a VPC. Select the VPC you want to add this subnet too and the rest of the settings will become visible.
To allow for maximum resiliency, it is a good idea to create a public and a private subnet in each Availablity Zone (eu-west-1a, eu-west-1b, eu-west-1c). To allow you to easily identify which subnet is in which AZ, name them accordingly: Public Subnet A, Public Subnet B, Public Subnet C, Private Subnet A, Private Subnet B, Private Subnet C.
Select the Availability Zone that corresponds with the name.
For the IPv4 CIDR block, bear in mind that you want to create 6 subnets out of the CIDR block you assigned to the VPC. It's a good idea not to wildly overprovision these but at the same time you don't want to be too restrictive as you cannot extend subnets. You would have to create new ones and it can get messy. Use the tool https://www.ipaddressguide.com/cidr to work out what CIDR blocks to assign. /20 isn't a bad place to start as it will give you 4096 IP addresses per subnet. Using that tool, you can work out that if you make your first subnet 10.30.0.0/20, the final IP address in that range is 10.30.15.255. This means your 2nd subnet can start at 10.30.16.0/20. The last IP in this block is 10.30.31.255 so the next can start at 10.30.32.0/20 and so on.
When you have put in the IPv4 CIDR block for your first subnet, click 'Add new subnet' and keep going until you have made all the subnets you require. When you are done, click 'Create subnet'.
NAT Gateways
With the VPC made and the subnets created, the only thing stopping you from spinning up machines is setting up routing and internet access.
In the last step we made both public and private subnets. The reason being that we want to ensure that only things that need to be pubically exposed go into the public subnet and anything that should remain internal only goes into the private subnet. What makes a subnet public or private is the routing.
In the left hand menu, click NAT Gateways. Here we are going to create a NAT gateway in each public subnet. These NAT gateways are going to be used by the private subnets to allow them to route out to the internet. Click 'Create NAT gateway'.
Give it a name relating to the subnet that you are creating it in for example NAT GW Pub A.
Select the PUBLIC subnet you are creating it in.
Next, click Allocate Elastic IP which will create an IP address and assign an IP address.
Now, click 'Create NAT gateway'. Repeat these steps for the remaining public subnets.
Internet Gateways
NAT Gateways are the mechanism used to give internet access to private (internal) services. Things that live in the public subnet use an Internet Gateway. To create this, select 'Internet Gateways' in the VPC menu and click 'Create Internet gateway;
Very simple this time, just give it a name and click 'Create Internet gateway'. This isn't tied to specific subnet or AZ so can be called anything. Just try to call it something that relates to the VPC for example 'MyFirstVPC Internet Gateway'.
Route Tables
With your VPC, subnets, NAT gateways and Internet gateway all created its time to tie them all together. In the VPC menu, click 'Route Tables'.
There is typically no need for multiple routing tables for each public subnet but you will need a separate route table for each private subnet in order to control which NAT gateway it routes internet traffic to. For example there would be no point in routing internet traffic for private subnet A to public subnet B. While it would work, it is bad for resiliency as if AZ B went offline, your private subnet A would lose internet access. Instead, you need to route internet traffic for each private subnet to the NAT gateway in its corresponding public subnet.
Click 'Create route table' to get started.
Give it a name. For the public route table just call it 'VPC name Public Route Table' or something like that. For the private subnets, call it something like 'VPC name Private Subnet A' and so on. Select the VPC.
You will now see it in the list of route tables. Tick the one you want to edit and you will see some tabs appear at the bottom. The first tab to edit is 'Routes'. For the public subnet, you need to add a route to the internet gateway you created. To do this, click 'Edit routes'
Add the route 0.0.0.0/0 and select the internet gateway as the target. Click Save routes.
Now you need to associate the subnets you created to this route table. Go to Subnet Associations tabs and click 'Edit subnet associations'.
Tick the public subnets and click 'Save'.
Now you need to create a route table for each private subnet. Follow the same steps as above but name them accordingly for each subnet. When editing the routes, add a route to 0.0.0.0/0 selecting as the target the NAT Gateway you created in the corresponding subnet. When editing the Subnet Associations, remember to only associate the private subnet corresponding to the name of that route table and the NAT gateway in the public subnet that it routes to.
Editing existing VPCs/Subnets
In the event of running short on IP addresses in subnets, you can add more. Ideally there will be scope within the existing VPC if a large enough CIDR block was created. If this is the case, you will need to review the subnets in that VPC and see where the last one ends. You can then add more subnets in the same way as it explains above when creating new ones. If its only extra private IP's you need, there is no need to create additional public subnets. You can leverage the NAT gateways in the existing public subnets. Once a new subnet has been made, you need to edit the 'Subnet Associations' in the route table for that private subnet in the same way we set it up above. Just add your new subnet into the relevant route table, making sure to associate them to correct Availabilty Zones. If its public subnets you need, just add them to the existing public subnet route table in its 'Subnet Associations;.
In the event that there is no scope within the existing VPC to add additional subnets, you will need to add an additional CIDR block into it. To do this, go to 'Your VPCs' in the VPC menu, tick the VPC you want to extend and click 'Actions'. Click 'Edit CIDRs'.
In here, click 'Add new IPv4 CIDR.
Specify the size of the CIDR block you want. If the previous one had scope to use a part of that block, you could continue on from that (use https://www.ipaddressguide.com/cidr to work it out). Otherwise you could choose a new class B address for example 10.31.0.0/16. Save this.
Once you have added this into the VPC, you can go back to Subnets and create your subnets as per the above guide. You can then associate them with the existing route tables.
No comments:
Post a Comment