VPC Hands-On Lab
Copyright 2017, Amazon Web Services, All Rights Reserved
Table of Contents
Overview
Create a VPC
VPC Object Walkthrough
  Your VPCs
  Internet Gateways
  DHCP Options Sets
  Elastic IPs
  NAT Gateway
  Peering Connections
  Network ACLs
  Security Groups
Launching VPC Instances
  Launch a Private Server
  Launch a Public Server
Terminate Billable Services
Advanced VPC Concepts
  VPC Flow Logs
  Creating Flow Logs for a Subnet
  Creating Flow Logs for a VPC
  Creating Flow Logs for a Network Interface
  VPC Endpoints
Overview

This lab will walk the user through using the VPC wizard to create a VPC with public and private subnets, describe each of the objects created by the wizard, and launch instances into the public and private VPC subnets. The lab will also review recently released VPC features: VPC flow logs and VPC endpoints. The following is a high-level overview of this lab:

• Create a VPC
• Explore the different VPC objects and what they mean
• Launch EC2 instances into the VPC
• Assign a public IP address (EIP) and test public/private connectivity
• Advanced concepts: flow logs and endpoints

Note: Screenshots are provided to guide you through the steps in the lab. The elements that you will create (e.g. VPC, NAT Gateway, EIP) will be unique to your account, so things such as the VPC ID that you see in the console will not necessarily mirror what is seen in the screenshot.

Create a VPC

Log in to the AWS Console, and click on VPC to go to the VPC dashboard. Along the left, click on Elastic IPs, and click the Allocate New Address button. We are reserving an IP address to be used later in the VPC Wizard for the NAT Gateway.
Click on Yes, Allocate.

You will see the new EIP allocated to your account. Note down the Allocation ID, which we will reference later during the VPC wizard and lab cleanup.
Click on VPC Dashboard, then select the Start VPC Wizard button to launch the VPC creation wizard.

Select the second option to create a VPC with Public and Private Subnets and click Select. Note in the picture that the wizard will automatically create and launch a NAT gateway to enable instances in the private subnet to connect to the Internet. We will discuss the NAT gateway in more detail later in this lab.
On the next page, enter the following values into the VPC name, Public Subnet, and Private Subnet text fields:

VPC name: <YourName>
Public Subnet: 10.0.0.0/23
Private Subnet: 10.0.10.0/23

Click on the Elastic IP Allocation ID field. A list of available EIPs will appear; select the EIP that you allocated at the beginning of the lab.

We are modifying the default subnet sizes to illustrate how you can carve up the subnets to your requirements, as well as providing some room between the "public" and "private" subnet blocks to accommodate expansion to include additional Availability Zones in the future.

The VPC wizard will create your subnets and let you know when they have been successfully created. Behind the scenes, the wizard is creating and launching the NAT gateway. Click OK when it is done.
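Before typing subnet blocks into the wizard it is worth checking them the way the wizard will. The following Python script is an added example for this page, not part of the original lab and not an AWS tool: it takes the two subnet blocks used above, checks that they lie inside the VPC block and do not overlap each other, shows how many addresses in each remain usable, and lists the /23 blocks still free for the extra Availability Zones the lab leaves room for. It assumes the wizard's default VPC block of 10.0.0.0/16 (the lab leaves that field alone) and the five addresses AWS reserves in every subnet.

```python
import ipaddress

# Assumed values: the wizard's default VPC CIDR (10.0.0.0/16) and the two
# subnet blocks this lab types into the wizard. Constructed for this example.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "Public Subnet": "10.0.0.0/23",
    "Private Subnet": "10.0.10.0/23",
}

# AWS reserves five addresses in every subnet: the network address, the VPC
# router, the DNS resolver, one held for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses an EC2 instance can actually take in a VPC subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr, subnets):
    """Return a list of problems: subnets outside the VPC block, or overlapping ones."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def free_blocks(vpc_cidr, subnets, prefixlen):
    """Blocks of the given prefix length inside the VPC not used by any subnet.

    This is the room the lab leaves between 10.0.0.0/23 and 10.0.10.0/23 for
    subnets in additional Availability Zones.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    used = [ipaddress.ip_network(c, strict=True) for c in subnets.values()]
    return [str(blk) for blk in vpc.subnets(new_prefix=prefixlen)
            if not any(blk.overlaps(u) for u in used)]


if __name__ == "__main__":
    print("problems:", validate_plan(VPC_CIDR, SUBNETS) or "none")
    for name, cidr in SUBNETS.items():
        print(f"{name}: {cidr} -> {usable_hosts(cidr)} usable addresses")
    print("next free /23 blocks:", free_blocks(VPC_CIDR, SUBNETS, 23)[:4])
```

With the lab's values the plan has no problems, each /23 gives 507 usable addresses, and 10.0.2.0/23 through 10.0.8.0/23 are free for the next zones. Feeding it a subnet like 10.0.1.0/24 alongside 10.0.0.0/23 reports the overlap the console would reject.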
VPC Object Walkthrough

After your VPC was created, you may notice that several things have been created for you, as depicted in the screenshot below. The next set of steps will walk you through the various VPC objects and components that were created for you by the VPC Wizard.

Your VPCs

The Your VPCs link provides a list of your VPCs and is a good location to obtain the VPC ID for your VPCs. If you create multiple VPCs, they will be listed here. Clicking on the VPC that was just created will bring up details about the VPC, like the IP address block (CIDR), DHCP Options Set, Route Table, Network ACL, Hardware Tenancy (whether the VPC's physical hardware will be shared [default] or dedicated to you) and DNS configuration information.
Also note the presence of a Default VPC listed in the Your VPCs display. As of December 4th, 2013, we create a default VPC for you in each region. The default VPC includes a subnet per availability zone, a default security group, an Internet gateway, and other networking elements. For the purposes of this lab, we will ignore the Default VPC and focus on the VPCs created as part of the lab exercise.

Subnets

The Subnets link lists all of your VPC subnets and allows you to create additional subnets within your VPC with the Create Subnet button. Clicking on a subnet will bring up subnet details including its subnet address range (CIDR), availability zone, and associated route table and network ACLs. Clicking on the tabs underneath brings up relevant info about the subnet. Click on the Public Subnet created by the VPC Wizard.
Click on the Route Table tab and notice that this subnet's default route (0.0.0.0/0) is the Internet Gateway (described below in the Internet Gateways section). Internet Gateways can be identified by the "igw-" prefix in their ID. This route makes this subnet your "public" subnet because it is publicly routable through the Internet Gateway.
If you click on the Private subnet to inspect its details, you will notice a different route table.

This subnet's default route (0.0.0.0/0) is the NAT gateway, identified by the "nat-" prefix in its ID. This route makes this subnet your "private" subnet because it does not route through the Internet Gateway. Instead, all client connections to the Internet are sent to your NAT gateway in the "public" subnet, which rewrites their source address to its own Elastic IP before forwarding them. Because a translation only exists for connections opened from the inside, nothing on the Internet can initiate a connection to a private instance through the NAT gateway.

Route Tables

The Route Tables link lists all of your VPC route tables, allows you to modify route tables and associate them with subnets, and allows you to create additional route tables within your VPC with the Create Route Table button. Notice that two route tables were created by the VPC Wizard, and these are the same route tables that were displayed in the subnet details in the previous section. Notice the Main and Associated With columns. The route table designated as "Main" (Main = Yes) is the default route table for the listed VPC. This means that all subnets that are not explicitly associated with another route table will use this route table by default. The Associated With column displays the number of subnets explicitly associated with the route table.
Notice that only 1 of the 2 subnets created with the VPC is explicitly associated with a route table. The second subnet is not explicitly associated with a route table and is therefore using the "Main" route table.

Clicking on a route table will bring up details about it. Clicking on the Routes tab underneath will bring up routing info as well as the ability to modify the route table's routes by clicking on the Edit button. Similarly, you can view or modify Subnet Associations, Route Propagation and Tag information pertaining to the selected route table.
Notice that the selected route table is NOT the Main route table (Main = No) and its default route (0.0.0.0/0) is the Internet Gateway. This means your "public" subnet is explicitly associated with this route table (click on the Subnet Associations tab to verify this). Notice there is another route table associated with the VPC; you will see that its default route (0.0.0.0/0) is your NAT gateway.

So what does all this mean? By default, the VPC Wizard created two subnets and two route tables. The "public" subnet is associated with a route table that directs traffic by default out to the Internet. The "private" subnet is not associated with a specific route table and therefore inherits the Main route table rules, which direct traffic by default to the NAT gateway in the "public" subnet.

One more thing to note: the rules in the Main route table determine how subnets will be treated by default. Since the Main route table is a "private" route table (it does not route any traffic to the Internet Gateway), all new subnets created in this VPC will be "private" subnets by default. They will remain "private" until they are explicitly associated with a "public" route table (e.g. one that routes traffic directly to the Internet Gateway). This is the safer arrangement: a subnet that someone forgets to associate cannot accidentally expose its instances, which is exactly why you should never put an Internet Gateway route into the Main table.
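The following Python model is an added example for this page, not part of the original lab, of how the two route tables decide where a packet from each subnet goes: the explicit association wins where one exists, the Main table applies otherwise, and within a table the longest matching prefix is used. Resource IDs are placeholders, the VPC block is assumed to be the wizard default 10.0.0.0/16, and it adds a third subnet (10.0.20.0/23) that the lab does not create, to show the Main-table fallback for a subnet nobody associated.

```python
import ipaddress

# Constructed model of what the wizard built. Gateway IDs are placeholders,
# not real resource IDs; the VPC CIDR is the wizard default (assumed).
VPC_CIDR = "10.0.0.0/16"

ROUTE_TABLES = {
    # Explicitly associated with the public subnet by the wizard.
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    # Main route table: used by every subnet without an explicit association.
    "rtb-main":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
}
MAIN_ROUTE_TABLE = "rtb-main"

# Subnet -> explicitly associated route table (None = falls back to the Main table).
SUBNET_ASSOCIATIONS = {
    "10.0.0.0/23": "rtb-public",   # Public Subnet
    "10.0.10.0/23": None,          # Private Subnet
    "10.0.20.0/23": None,          # a subnet added later that nobody associated (assumed)
}


def effective_route_table(subnet_cidr):
    """The route table a subnet really uses: its explicit association, else the Main table."""
    return SUBNET_ASSOCIATIONS.get(subnet_cidr) or MAIN_ROUTE_TABLE


def next_hop(subnet_cidr, dst_ip):
    """Longest-prefix match over the subnet's effective route table."""
    dst = ipaddress.ip_address(dst_ip)
    table = ROUTE_TABLES[effective_route_table(subnet_cidr)]
    matches = [(ipaddress.ip_network(cidr), target) for cidr, target in table
               if dst in ipaddress.ip_network(cidr)]
    if not matches:
        return None  # no route at all: the packet is dropped
    _net, target = max(matches, key=lambda m: m[0].prefixlen)
    return target


def is_public_subnet(subnet_cidr):
    """A subnet is 'public' when its default route points at an Internet gateway."""
    table = ROUTE_TABLES[effective_route_table(subnet_cidr)]
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-") for cidr, target in table)


if __name__ == "__main__":
    for subnet in SUBNET_ASSOCIATIONS:
        kind = "public" if is_public_subnet(subnet) else "private"
        print(f"{subnet}: uses {effective_route_table(subnet)} ({kind}); "
              f"10.0.10.5 via {next_hop(subnet, '10.0.10.5')}, "
              f"198.51.100.10 via {next_hop(subnet, '198.51.100.10')}")
```

The local route (10.0.0.0/16) is more specific than 0.0.0.0/0, so traffic between the two subnets never touches either gateway, and the unassociated third subnet comes out private because the Main table's default route is the NAT gateway.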
Internet Gateways

An Internet Gateway provides 1-to-1 static network address translation (NAT) between your VPC instances' private IP addresses and publicly routable IPv4 addresses (an auto-assigned public IP, or an Elastic IP address that you explicitly associate with your "public" VPC instances). An instance without a public address is unreachable through the gateway even when its subnet routes to it, which is why the public server launched later in this lab does not answer pings until it gets an EIP. For the purposes of this lab, the VPC Wizard created an Internet Gateway and attached it to your VPC.

You do not need to do anything specifically with the Internet Gateway in this lab. We point it out here to explain the Internet Gateway that was created for you, and to point out that Internet Gateways can be independently created, attached to and detached from VPCs. This allows you to add or remove Internet Gateway capabilities to your VPCs after the VPC has been created.
DHCP Options Sets

The DHCP Options Sets link allows you to control some DHCP options that the VPC-provided DHCP service will present to your instances when they boot. By default the VPC Wizard created a DHCP Options set that tells your VPC instances to use the AWS-provided DNS service for domain name resolution.

VPC allows you to create and attach new DHCP Options sets to your VPCs, including setting your domain name, domain name (DNS) servers, time (NTP) servers, and Microsoft Windows NetBIOS name servers and node type. The following screenshot depicts how these options can be configured when creating a new DHCP Options Set.
Elastic IPs

VPC Elastic IPs are static, publicly routable IP addresses that you can associate with your VPC instances. Earlier, the VPC Wizard launched a NAT gateway and associated a public Elastic IP address with it. You can see this EIP and its association by clicking on the Elastic IPs link and selecting the address.

NAT Gateway

A NAT gateway is a managed service that enables EC2 instances in private subnets to reach the Internet without publicly exposing the instance. It uses network address translation to map the private IP address of an EC2 instance to the shared public IP address of the NAT gateway and re-maps return traffic back to the instance. NAT gateways have built-in redundancy and automatically scale capacity based on demand (up to 10 Gbps when this lab was written). That redundancy is confined to one Availability Zone: a NAT gateway lives in a single subnet, so private subnets in other zones that route through it lose Internet access if that zone fails. For a production VPC, create one NAT gateway per Availability Zone and give each zone's private subnets their own route table pointing at the local one.
For the purposes of this lab, a NAT gateway was created for you earlier in the VPC Wizard, and you can view details of your NAT gateway here.

Peering Connections

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck. Two constraints matter when you plan for peering: the two VPCs must not have overlapping CIDR blocks, and peering is not transitive, so a VPC peered with two others cannot relay traffic between them. There is no need to create a VPC peering connection for this lab.
Network ACLs

Network Access Control Lists (NACLs) act as a stateless subnet firewall, controlling ingress and egress for an entire subnet (as a second layer of defense on top of security groups). If you click on the Network ACLs link you will see that the VPC Wizard created a single "default" NACL for your VPC with a default Allow ALL rule in each direction. Since NACLs are stateless, the return half of every connection has to be allowed explicitly as well, which in practice means an allow rule for the ephemeral port range (1024-65535) in the opposite direction; forgetting it is the usual way a custom NACL breaks connectivity that the security groups permit. We therefore recommend using NACLs only when you want to explicitly deny traffic. For example: "we never want to use TFTP anywhere", or "this subnet should never be able to talk to that subnet". Rules are evaluated in ascending rule-number order and the first match wins, so a deny rule needs a lower number than the allow rule it is meant to override.

Security Groups

At this point you should already be familiar with EC2 Security Groups and understand the difference between EC2-Classic and VPC Security Groups. The Security Groups link allows you to see your VPC Security Groups. Notice that the VPC Wizard created a Security Group for you called "default". Its rules allow all outbound traffic and inbound traffic only from other members of the same group, so an instance launched into it alone is not reachable from the Internet until you attach a group that opens a port.
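The practical difference between the two layers, a stateless NACL and a stateful security group, is easiest to see on a single SSH session. The following Python model is an added example for this page, not part of the original lab: the Public_Servers group from later in the lab admits SSH and ICMP, and a constructed custom NACL allows SSH in and HTTPS out but, as commonly happens, forgets the return traffic for inbound sessions. Client and server addresses are documentation ranges and the lab's screenshot address; the rule format is a simplification of the console's.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int     # NACLs evaluate rules in ascending number order; unused for SG rules
    proto: str      # "tcp", "udp", "icmp" or "all"
    port_from: int  # port range, only meaningful for tcp/udp
    port_to: int
    cidr: str       # remote range: source for inbound rules, destination for outbound
    action: str     # "allow" or "deny" (security groups only ever have "allow")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def rule_matches(rule, proto, port, remote_ip):
    if rule.proto not in ("all", proto):
        return False
    if rule.proto in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def nacl_decides(rules, proto, port, remote_ip):
    """Stateless: the lowest-numbered matching rule wins; no match hits the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, proto, port, remote_ip):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: replies to a connection admitted inbound go out regardless of outbound rules."""

    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        self.tracked = set()

    def inbound_ok(self, pkt):
        if any(rule_matches(r, pkt.proto, pkt.dst_port, pkt.src) for r in self.inbound_rules):
            self.tracked.add((pkt.proto, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
            return True
        return False

    def reply_ok(self, pkt):
        # A reply carries the admitted flow's 5-tuple with source and destination swapped.
        return (pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port) in self.tracked


# Constructed scenario: the lab's Public_Servers group, and a custom NACL whose
# author allowed SSH in and HTTPS out but forgot the return half of SSH sessions.
SG_PUBLIC_INBOUND = [Rule(0, "tcp", 22, 22, "0.0.0.0/0", "allow"),
                     Rule(0, "icmp", 0, 0, "0.0.0.0/0", "allow")]
NACL_IN = [Rule(100, "tcp", 22, 22, "0.0.0.0/0", "allow")]
NACL_OUT_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

# The lab's "we never want TFTP" case: a low-numbered deny in front of the default allow-all.
NACL_DENY_TFTP = [Rule(50, "udp", 69, 69, "0.0.0.0/0", "deny"),
                  Rule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]


def ssh_session_works(nacl_in, nacl_out, sg_inbound_rules):
    """Trace the first SSH packet and its reply through the NACL and the security group."""
    sg = SecurityGroup(sg_inbound_rules)
    syn = Packet("tcp", "203.0.113.5", "10.0.1.79", 50000, 22)
    reply = Packet("tcp", "10.0.1.79", "203.0.113.5", 22, 50000)
    if not nacl_decides(nacl_in, syn.proto, syn.dst_port, syn.src):
        return "blocked inbound by NACL"
    if not sg.inbound_ok(syn):
        return "blocked inbound by security group"
    if not sg.reply_ok(reply):
        return "reply blocked by security group"
    # The NACL has no memory of the inbound packet: it judges the reply on its own
    # header, whose destination port is the client's ephemeral port, not 22.
    if not nacl_decides(nacl_out, reply.proto, reply.dst_port, reply.dst):
        return "reply blocked outbound by NACL"
    return "ok"


if __name__ == "__main__":
    print("forgot ephemeral ports:", ssh_session_works(NACL_IN, NACL_OUT_BROKEN, SG_PUBLIC_INBOUND))
    print("with ephemeral rule:   ", ssh_session_works(NACL_IN, NACL_OUT_FIXED, SG_PUBLIC_INBOUND))
    print("TFTP denied:", not nacl_decides(NACL_DENY_TFTP, "udp", 69, "10.0.10.5"))
```

The security group admits the reply because it remembers the inbound flow; the NACL evaluates the reply as a fresh packet to port 50000 and drops it until the ephemeral-port rule is added. The TFTP rules show the ordering point: the deny at number 50 is reached before the allow-all at 100, while UDP 53 falls through to the allow.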
Launching VPC Instances

Walk through launching an instance in the private subnet. Create a security group and allow ICMP requests from the VPC CIDR. Notice how there is no public way to route to the instance (e.g. you cannot ping it).

Now launch an instance in the public subnet. Create a new security group and allow ICMP requests from the world. Note how you still cannot ping it. Add an EIP. Note how you can now ping the public instance but not the private one. Connect to the public instance and ping the private one.

Launch a Private Server

In the AWS Management Console, EC2 tab, click on the Launch Instance button. On Step 1: Choose an Amazon Machine Image (AMI), select the latest Amazon Linux AMI.
On Step 2: Choose an Instance Type, change the instance type to t2.micro and click Next: Configure Instance Details.

On Step 3: Configure Instance Details, select the VPC and Private Subnet that were created in previous steps and click Next: Add Storage.
Leave the defaults on Step 4. On the next screen, Step 5 (Tag Instance), you can provide a name for your private server (e.g. PrivateServer) and click Next.
On Step 6: Configure Security Group, create a new security group. In this example we call it Private_Servers and give permission for all instances in the VPC to "ping" these servers: a single inbound rule of type All ICMP with the VPC CIDR as its source (10.0.0.0/16 if you kept the wizard default). Do not widen the source to 0.0.0.0/0; the point of this server is that nothing outside the VPC can reach it.

Review your selected options and launch your instance.

You should have created a key pair in the EC2 hands-on lab. Select the existing key pair, acknowledge that you have access to the selected private key file (*.pem) and click Launch Instances.
If you missed that lab or are missing the key pair, select Create a new key pair from the first dropdown, name the key pair Lab, and click Download Key Pair. Once downloaded, click Launch Instances.
You have now launched a private server in your VPC. Find the new instance in your list of EC2 instances and select it. In the instance description, note that the instance has a private IP address (10.0.10.177 in the screenshot below), but does not have any associated public information for connecting to this instance (e.g. no EIP or Public DNS information). This instance is only locally accessible from within your VPC (it could also be reachable from inside a corporate network if we had established a hardware VPN connection to the VPC from our corporate network).
Launch a Public Server

Now that you have a private server, we will launch a public server and differentiate between the two. In the AWS Management Console, EC2 tab, click on the Launch Instance button. On Step 1: Choose an Amazon Machine Image (AMI), select the 64-bit Amazon Linux AMI.

On Step 2: Choose an Instance Type, change the instance type to t2.micro and click Next: Configure Instance Details.
On Step 3, select the VPC and the Public subnet (10.0.0.0/23) and click Next: Add Storage.

Leave the defaults on Step 4. On Step 5, provide a name for your public server (e.g. PublicServer) and click Next.
On Step 6, create a new security group for your public servers. In this example we create a security group called Public_Servers, with rules to allow anyone to "ping" and SSH into the instance (All ICMP and SSH on TCP port 22, both with source 0.0.0.0/0). Opening SSH to the world is tolerable for a throwaway lab instance that only accepts a key pair; for anything longer-lived, restrict the SSH rule to your own address range.

Finally, review your settings, click Launch, use your existing key pair, acknowledge that you have access to the selected private key file (*.pem) and click Launch Instances.
You have now launched a server in your public subnet; however, it is still not publicly accessible. Find the new instance in your list of EC2 instances and select it. In the instance description, note that the instance has a private IP address (10.0.1.79 in the screenshot below), but does not have any associated public information for connecting to this instance (e.g. no EIP or Public DNS information), just like your private instance.

To make this instance publicly accessible, we need to assign the server a public Elastic IP address. In the EC2 console, click on the Elastic IPs link. Click on the Allocate New Address button.
Click Yes, Allocate.

Next, right-click on the new EIP that was allocated and select Associate Address.
Select your Public Server from the Instance dropdown and click Associate.
You should now be able to connect to your public server using its new Elastic IP address. In the example screenshot below, we demonstrate this connectivity by simply "pinging" the server. A reply proves three things at once: the subnet's route table sends traffic through the Internet Gateway, the instance has a public address for the gateway to translate, and the Public_Servers security group admits ICMP. If any one of the three is missing, the ping times out.

You have now successfully created public and private servers in a VPC. Feel free to explore the instance details for both instances to see the EIP assignment to your public server and examine the differences between the two instances.
Terminate Billable Services

You will not be able to delete your VPC until all instances using the VPC have been terminated. At this point feel free to terminate the Public and Private Servers that we created in this lab.

Check the box to release the EIP along with the instance termination so that you do not incur idle EIP charges, and click Yes, Terminate.

To completely delete the VPC, first delete the NAT gateway. Click on NAT Gateways from the VPC Dashboard, select the NAT gateway created earlier in the lab, and click Delete NAT Gateway.
Next, release the EIP associated with the NAT Gateway from the beginning of the lab. While in the VPC dashboard, click on Elastic IPs and select the EIP that was previously associated with the NAT gateway. With the EIP selected, click on the Actions dropdown and select Release Address.
Finally, click on Your VPCs in the VPC Dashboard, select your VPC, and click on the Delete button.

Advanced VPC Concepts

In this section we will do an overview of two fairly new VPC features: VPC Endpoints and VPC Flow Logs.

VPC Flow Logs

Amazon VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. A flow log records metadata only (addresses, ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected), never packet contents, and records are aggregated over a capture window rather than emitted per packet, so it is evidence for investigation and alerting rather than a real-time packet capture.

Flow logs can help you with a number of tasks; for example, troubleshooting why specific traffic is not reaching an instance, which in turn can help you diagnose overly restrictive security group rules. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance.

There is no additional charge for using flow logs; however, standard CloudWatch Logs charges apply.

Flow logs can be created for Network Interfaces, Subnets and VPCs.
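A flow log record in the default format is a space-separated line of fourteen fields: version, account ID, interface ID, source and destination address, source and destination port, IANA protocol number, packet and byte counts, window start and end (Unix time), the ACCEPT or REJECT action, and a log status. The following Python is an added example for this page, not part of the lab and not an AWS tool, that parses such records and applies the two uses named above: finding a source whose rejected traffic touched many ports (a probe), and finding rejected traffic between two VPC addresses (the usual sign of an over-tight security group). The log lines are constructed, with a placeholder account and interface ID, documentation address ranges for the external hosts and the lab's screenshot addresses for the instances.

```python
import ipaddress
from collections import defaultdict

# Field order of the default flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records (not real traffic): an accepted SSH session, one
# remote host probing several ports, an internal connection rejected by a
# security group, and a window in which the interface saw no traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.79 50000 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.79 41000 21 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.79 41001 23 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.79 41002 25 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.79 41003 110 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.79 41004 143 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.79 41005 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.10.177 10.0.1.79 39822 8080 6 3 180 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1418530070 1418530130 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA windows carry no addresses and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or a custom format: skip rather than misattribute fields
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["proto_name"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
        records.append(rec)
    return records


def rejected_port_scans(records, min_ports=5):
    """Sources whose REJECTed traffic touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def internal_rejects(records, vpc_cidr):
    """REJECTs between two VPC addresses: candidates for an over-tight security group or NACL."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in vpc and ipaddress.ip_address(rec["dstaddr"]) in vpc:
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["proto_name"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} usable records")
    print("probing sources:", rejected_port_scans(recs))
    print("rejected inside the VPC:", internal_rejects(recs, "10.0.0.0/16"))
```

Run against the sample, 198.51.100.7 is reported for six distinct rejected ports, and the private server's attempt to reach the public server on 8080 shows up as the one internal reject, which is exactly where you would look for the missing security group rule. Because records are aggregated per window, a single record's packet count, not the number of records, tells you how hard a source was trying.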
Creating Flow Logs for a Subnet

Follow the steps below to create a flow log for a subnet:

Step 1. Go to your VPC Dashboard
Step 2. Select Subnets
Step 3. Select the Subnet that you would like to create a Flow Log for
Step 4. Click the Actions button and select Create Flow Log from the dropdown menu it produces
Step 5. Fill out the screen that follows. Select your "Filter" (Accept, Reject or All), then choose the IAM role you created that lets the flow log publish to the destination CloudWatch Logs log group.
Creating Flow Logs for a VPC

Follow the steps below to create a flow log for your VPC:

Step 1. Go to your VPC Dashboard
Step 2. Select the VPC that you would like to create a Flow Log for
Step 3. Click the Actions button and select Create Flow Log from the dropdown menu it produces
Step 4. Fill out the screen that follows. Select your "Filter", then choose the IAM role you created that lets the flow log publish to the destination CloudWatch Logs log group.
Creating Flow Logs for a Network Interface

Follow the steps below to create a Flow Log for a Network Interface:

Step 1. Go to your EC2 Dashboard
Step 2. Select Network Interfaces (it is located in the menu on the left-hand side of the screen, under Network & Security)
Step 3. Select the Network Interface that you would like to create a Flow Log for, then select Actions and Create Flow Log from the dropdown menu
Step 4. Fill out the screen that follows. Select your "Filter", then choose the IAM role you created that lets the flow log publish to the destination CloudWatch Logs log group.

VPC Endpoints

A VPC endpoint enables you to create a private connection between your VPC and another AWS service (such as S3) without requiring access over the Internet, through a NAT instance, a NAT gateway, a VPN connection, or AWS Direct Connect. An endpoint enables instances in your VPC to use their private IP addresses to communicate with resources in those services. We will not go into depth in this lab about endpoints, but it is worth noting that you use endpoint policies to control access to resources in other services. Traffic between your VPC and the AWS service does not leave the Amazon network.

At the time this lab was written, endpoints were supported only for connections with Amazon S3 within the same region; support for other AWS services was to follow.

Follow the steps below to create an Endpoint inside your VPC that is attached to one or more Route Tables.

Step 1. In the VPC Console, on the leftmost menu, select Endpoints
Step 3. Specify the VPC and the service to which you are connecting; for example, VPC x.x.x.x/x will be connecting to the VPC Endpoint for Amazon S3. You will also be required to specify an Endpoint Policy. This determines the type of access your users or resources inside your VPC will have to the intended service, like S3. You can select Full Access or write a custom policy using JSON.

Once finished, select
Step 4. To control the routing of traffic between your VPC and the other service, you can specify one or more route tables that are used by the VPC to reach the endpoint. Then select "Create Endpoint".

An endpoint route is automatically added to each selected route table, with a destination of a prefix list ID such as pl-1a2b3c4d (let's assume this represents Amazon S3, given that S3 is the only endpoint that exists today). The prefix list expands to the public address ranges of S3 in the region, and because those are more specific than 0.0.0.0/0, longest-prefix matching sends any traffic from the associated subnets that is destined for Amazon S3 in the same region to the endpoint and not to the Internet gateway. All other Internet traffic goes to your Internet gateway, including traffic destined for other services and for Amazon S3 in other regions. Subnets whose route tables you did not select keep reaching S3 the old way, so if the goal is to let private instances reach S3 without the NAT gateway, make sure the Main route table is on the list.
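An endpoint policy is an IAM-style JSON document, and "Full Access" simply allows every principal every action on every resource. The following is an added example for this page, not from the lab: it limits everything that reaches S3 through this endpoint to one bucket, whose name (example-lab-bucket) is a placeholder to replace with your own. The endpoint policy is evaluated in addition to the caller's IAM permissions and the bucket policy, not instead of them, so it narrows access but never widens it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyTheLabBucketThroughThisEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-lab-bucket",
        "arn:aws:s3:::example-lab-bucket/*"
      ]
    }
  ]
}
```

Two checks before applying a policy this narrow: Amazon Linux fetches its package repositories from S3 buckets in the region, so an instance whose only path to S3 is this endpoint will lose yum updates unless the regional repository bucket is also allowed; and the "Principal": "*" means any identity inside the VPC, which is why the bucket's own policy should still restrict who may read and write it.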