Friday, 24 September 2021

AWS Networking - Part VIII: AWS Network ACL (NACL)

In this section, I am going to introduce the default Network ACL for subnets in VPC NVKT-VPC-01.

Figure 1-28 shows the complete structure of our VPC NVKT-VPC-01. We have a Public subnet 10.10.0.0/24 in AZ eu-west-2c and a Private subnet 10.10.1.0/24 in AZ eu-west-2a. Both subnets are protected by the VPC's default NACL, named NWKT-NACL. By default, the NACL allows all traffic to and from the subnet.


Figure 1-37: Complete VPC Stack.

AWS Networking - Part VII: Create Subnet and RT Using AWS CloudFormation

In this post, we create a Subnet with a set of properties and attach it to the VPC. We also specify a Route Table, which we associate with the Subnet using a SubnetRouteTableAssociation.

In our YAML template (figure 1-34), we have four AWS resources (logical name within parentheses):

    1) AWS::EC2::VPC (NwktVPC)

    2) AWS::EC2::Subnet (NwktSubnet)

    3) AWS::EC2::RouteTable (NwktPUB2RouteTable)

    4) AWS::EC2::SubnetRouteTableAssociation (NwktRouteTableAssociation)

We use the Ref intrinsic function to define dependencies between AWS resources when the actual AWS resource identifier is unknown. For example, the Ref function in the AWS::EC2::Subnet resource [2] refers to the AWS::EC2::VPC resource's logical name NwktVPC (A). We have to use an intrinsic function because we don't know which VPC identifier AWS generates for the VPC. After creating the subnet, we specify the subnet-specific Route Table [3]. First, we bind it to the VPC using the Ref function value NwktVPC (B). Next, we "glue" the Route Table to the Subnet using a SubnetRouteTableAssociation, where we use two Ref functions: the first refers to the Route Table (C), and the second to the Subnet (D).


Figure 1-34: Subnet Route Table.

Wednesday, 22 September 2021

AWS Networking - Part VI: Subnet to Route Table Association

At this phase, we have attached subnets to their respective Availability Zones. Next, we will create subnet-specific route tables for both Public and Private subnets.


Figure 1-25: VPC Subnets: Select VPC.

 

Tuesday, 21 September 2021

AWS Networking - Part V: Create Subnet Using AWS Console

When we have created a new VPC, we can start adding subnets to it. We are going to create two subnets. Subnet 10.10.0.0/24 is a Public Subnet in Availability Zone eu-west-2c, where we later add an Internet GW. Subnet 10.10.1.0/24 is a Private Subnet in Availability Zone eu-west-2a that will use a NAT GW for uni-directional Internet access.


Figure 1-18: VPC Route Table: Routes.

AWS Networking - Part IV: Create VPC Using AWS CloudFormation

The focus of this section is to show how we can create a VPC using the AWS CloudFormation service. Figure 1-12 shows our example AWS CloudFormation template. Its first section, AWSTemplateFormatVersion, specifies the template language format. At the time of writing, 2010-09-09 is the latest and only valid version. We can use the Description section to describe our template. Note that it must follow the AWSTemplateFormatVersion section. AWSTemplateFormatVersion and Description are optional sections. The Resources section specifies the actual AWS resources and their properties. Each AWS resource is identified by a logical name; I have given the logical name NwktVPC to our example VPC. We can use resource-specific logical names for defining dependencies between resources. For example, when adding the AWS::EC2::Subnet resource to our template, we assign the VpcId value by referring to the AWS::EC2::VPC resource with the !Ref intrinsic function. I will explain the process in the Subnet section later. The resources and their properties are defined under their logical names. The Resources section is the only required section in an AWS CloudFormation template. AWS CloudFormation templates are identified by Stack Names in AWS CloudFormation. Our example Stack Name is MyNetworkStack.


Figure 1-12: AWS CloudFormation: VPC.
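The template that the Part IV and Part VII figures describe, written out here as an added example rather than the post's own figure: the VPC from Part IV plus the subnet, route table and association from Part VII, using the logical names and values the posts give. Only the Description text is my own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"   # the only valid version
Description: NVKT-VPC-01 with its public subnet and route table (example text)

Resources:
  # (A) The VPC. Its VpcId is generated by AWS at stack creation,
  # so other resources reference it through the logical name with !Ref.
  NwktVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.10.0.0/16
      Tags:
        - Key: Name
          Value: NVKT-VPC-01

  # Public subnet (Part V): 10.10.0.0/24 in eu-west-2c.
  NwktSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref NwktVPC            # (A) resolved to the vpc-... ID at deploy time
      CidrBlock: 10.10.0.0/24
      AvailabilityZone: eu-west-2c

  # Subnet-specific route table, bound to the same VPC.
  NwktPUB2RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref NwktVPC            # (B)

  # Glue the route table to the subnet; both IDs are unknown
  # until deployment, so both sides use !Ref.
  NwktRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref NwktPUB2RouteTable   # (C)
      SubnetId: !Ref NwktSubnet               # (D)
```

Deploying it under the stack name the post uses, aws cloudformation create-stack --stack-name MyNetworkStack --template-body file://template.yaml (file name assumed), produces a VPC that the tag filter in Example 1-2 then finds.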

Monday, 20 September 2021

AWS Networking - Part III: VPC Verification Using AWS CLI

 

VPC Verification Using AWS CLI


We can verify our VPC configuration using the AWS CLI. Example 1-1 shows the output of the command aws ec2 describe-vpcs in JSON format. This command lists all our VPCs with their properties. The first one is the newest VPC, NVKT-VPC-01, and the second one is the default VPC, which I have named DFLT-VPC. The first VPC gets ordinal number zero [0] and the second gets number one [1]. Note that the ordinal numbers are not shown in the output. The VPC properties describe the VPC-specific CIDR Block, DHCP Options, VPC Identifier, Owner Id, CIDR Block Association, and Tags.

 

aws ec2 describe-vpcs

{
    "Vpcs": [
        {
            "CidrBlock": "10.10.0.0/16",
            "DhcpOptionsId": "dopt-09217361",
            "State": "available",
            "VpcId": "vpc-04ef72cc79a73f82e",
            "OwnerId": "123456654321",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-0379c0e3e854f43ff",
                    "CidrBlock": "10.10.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": false,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "NVKT-VPC-01"
                }
            ]
        },
        {
            "CidrBlock": "172.31.0.0/16",
            "DhcpOptionsId": "dopt-09217361",
            "State": "available",
            "VpcId": "vpc-cfbac1a7",
            "OwnerId": "123456654321",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-89d487e1",
                    "CidrBlock": "172.31.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": true,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "DFLT-VPC"
                }
            ]
        }
    ]
}

Example 1-1: AWS CLI: Retrieve VPC Information.


We can use filters for retrieving information only from some specific resources. The command aws ec2 describe-vpcs --filters Name=tag:Name,Values=NVKT-VPC-01 shows VPCs where we have attached the Key/Value pair Name/NVKT-VPC-01.

 

aws ec2 describe-vpcs --filters Name=tag:Name,Values=NVKT-VPC-01

{
    "Vpcs": [
        {
            "CidrBlock": "10.10.0.0/16",
            "DhcpOptionsId": "dopt-09217361",
            "State": "available",
            "VpcId": "vpc-04ef72cc79a73f82e",
            "OwnerId": "123456654321",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-0379c0e3e854f43ff",
                    "CidrBlock": "10.10.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": false,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "NVKT-VPC-01"
                }
            ]
        }
    ]
}

Example 1-2: AWS CLI: Retrieve VPC Information.


We can also query resource-specific information using the command aws ec2 describe-vpcs --query "Vpcs[0]". The zero within square brackets after the resource Vpcs identifies the ordinal number of a resource. In our example, VPC NVKT-VPC-01 is the first one, and it has an ordinal number zero.

 

aws ec2 describe-vpcs --query "Vpcs[0]"

{
    "CidrBlock": "10.10.0.0/16",
    "DhcpOptionsId": "dopt-09217361",
    "State": "available",
    "VpcId": "vpc-04ef72cc79a73f82e",
    "OwnerId": "123456654321",
    "InstanceTenancy": "default",
    "CidrBlockAssociationSet": [
        {
            "AssociationId": "vpc-cidr-assoc-0379c0e3e854f43ff",
            "CidrBlock": "10.10.0.0/16",
            "CidrBlockState": {
                "State": "associated"
            }
        }
    ],
    "IsDefault": false,
    "Tags": [
        {
            "Key": "Name",
            "Value": "NVKT-VPC-01"
        }
    ]
}

Example 1-3: AWS CLI: Retrieve VPC Information.


If we want to see only some specific resource properties, we can add the properties after the resource, separated by a dot. Example 1-4 shows how we can see the CIDR Block Association for VPC NVKT-VPC-01 (ordinal zero).

 

aws ec2 describe-vpcs --query "Vpcs[0].CidrBlockAssociationSet"

[
    {
        "AssociationId": "vpc-cidr-assoc-0379c0e3e854f43ff",
        "CidrBlock": "10.10.0.0/16",
        "CidrBlockState": {
            "State": "associated"
        }
    }
]

Example 1-4: AWS CLI: Retrieve CIDR (Properties) Association to VPC (Resource).


We can change the output representation from JSON to a table by using the option --output table. The table output is a good choice when we create documentation about VPCs. Note that you can use this option with all the other commands too.

 

aws ec2 describe-vpcs --query "Vpcs[0].CidrBlockAssociationSet" --output table

------------------------------------------------------
|                    DescribeVpcs                    |
+-----------------------------------+----------------+
|           AssociationId           |   CidrBlock    |
+-----------------------------------+----------------+
|  vpc-cidr-assoc-0379c0e3e854f43ff |  10.10.0.0/16  |
+-----------------------------------+----------------+
||                  CidrBlockState                  ||
|+------------------+-------------------------------+|
||  State           |  associated                   ||
|+------------------+-------------------------------+|

 

Example 1-5: AWS CLI: Retrieve CIDR Association to VPC – Table Output.

AWS Networking - Part II: Create VPC - AWS Console

The first thing to do when we create a VPC is to log in to the AWS console. Then we select the AWS Region where we want to launch our VPC. We are going to use the Region Europe (London) eu-west-2. As the last step, we give the VPC a name and associate the CIDR block 10.10.0.0/16 with it.

Figure 1-3: Virtual Private Cloud (VPC) – Example VPC.