Amazon Web Services Hands-On Virtual Private Computing

Post on 21-Jan-2022


Overview

Amazon’s Virtual Private Cloud (VPC) allows you to launch AWS resources in a virtual network that you define. You can define an environment that closely resembles a traditional network. You can optionally create encrypted VPN connections between your branch offices or corporate headquarters and use VPC as an extension of your corporate datacenter. You have complete control over IP address ranges, subnets, routes, gateways, DNS and security settings.

Plan

For this exercise we will be creating a VPC with two subnets. Devices in one subnet will have a security group attached that allows access from any computer on the Internet using Microsoft’s Remote Desktop Protocol on port TCP/3389. The second subnet will have its access restricted to only devices in the first subnet.

Requirements

For this lab you will need an Amazon AWS account and a valid key pair.

Procedure

Please log in to your AWS account. Select the option for VPC. Once that has loaded, verify that you are working in the N. Virginia region.


Press the button in the middle titled ‘Get started creating a VPC’. The wizard has a number of different use cases that it can help you with. We are going to start with the single public subnet and add parts to it.


We can accept the default options here. If we wanted, though, we could select a different IP CIDR block. You’ll note that we are given a very large block of addresses because an address space only needs to be unique within each VPC. Multiple accounts, and even multiple VPCs within a single account, can use the same IP space.

Since we are OK with these options we can create the VPC. After a short moment we are given a confirmation that it is complete.


Please close that window and then select the option on the left side marked Elastic IPs. We are going to assign one public IP address for use in this VPC.


Next we need to create a second subnet so please select that option.


We are going to add a new subnet as 10.0.1.0/24. You will see the option for Availability Zone. What are some reasons to have it in the same AZ as the first subnet, and what are some reasons to have it in a different AZ?


Next we need to spin up a couple of servers, so please select the EC2 option in the top left menu. We are going to use the classic wizard to launch a Windows 2008 R2 server.


It is important to select that you want to launch into your VPC. It is not possible to move a machine from EC2 to VPC or in the other direction.


You can see that we have the option to select which private IP address we want to assign. Alternatively we can allow the management system to automatically select one. For ease of use, why don’t we statically assign 10.0.0.10.

While we step through the wizard we will get to the question of security groups. The wizard will offer to create one where port 3389 is allowed from the world, and that is exactly what we want. The name does leave a little to be desired, so let us give it something a little more descriptive.


Step through the rest of the way to complete the wizard. We will then launch another server, but select the other subnet (10.0.1.0/24) and statically assign 10.0.1.10.


This server will need a different security group. We only want it to be reachable from the first server, but this is the cloud and IP addresses might change. So, how should we identify the first server for the security group?

We can capture the Group ID of the first security group and define that as the source for the rule in the second security group.


Now, I have problems remembering the instance IDs, so why don’t we name the first one bastion and the second one secure.

Next we can assign the IP address from earlier to our bastion server.


The servers should now be up and running, and we should be able to get the password for our bastion server.


After that, log in to the server using the Windows Remote Desktop Client and the public IP address you assigned. From there you’ll find that you now have RDP access to the secure server on its 10.0.1.10 IP address.

Feel free to play around. You can adjust the security groups to further restrict access. One thing to keep in mind is that security groups are one-way only, so even though the bastion server has full access to the secure server, the secure server has no access to the bastion.
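The two points above, referencing the bastion's Group ID as the rule source instead of its IP, and the one-way nature of security group rules, can be modelled in a few lines. This is an added illustration, not AWS code or part of the original lab: the group IDs, the evaluator and the topology values are constructed to mirror the lab (10.0.0.10 bastion, 10.0.1.10 secure, TCP/3389).

```python
# Added example: a small model of AWS security-group evaluation for the lab design.
# Group IDs (sg-...) and the evaluator are constructed for illustration, not real AWS.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Rule:
    port: int
    cidr: Optional[str] = None       # CIDR source, e.g. "0.0.0.0/0"
    source_sg: Optional[str] = None  # or another group's ID as the source

@dataclass
class Instance:
    name: str
    private_ip: str
    groups: List[str]

def inbound_allowed(rules: Dict[str, List[Rule]], src: Instance, dst: Instance, port: int) -> bool:
    """True if any inbound rule on dst's groups admits src on port.
    Only the destination's inbound rules are consulted, which is why allowing
    bastion -> secure says nothing about secure -> bastion."""
    for gid in dst.groups:
        for r in rules.get(gid, []):
            if r.port != port:
                continue
            if r.cidr and ip_address(src.private_ip) in ip_network(r.cidr):
                return True
            if r.source_sg and r.source_sg in src.groups:  # group-ID reference
                return True
    return False

RDP = 3389
# Lab topology (constructed): wizard default on the bastion, group reference on secure.
RULES = {
    "sg-bastion-rdp": [Rule(RDP, cidr="0.0.0.0/0")],
    "sg-secure-rdp": [Rule(RDP, source_sg="sg-bastion-rdp")],
}
bastion = Instance("bastion", "10.0.0.10", ["sg-bastion-rdp"])
secure = Instance("secure", "10.0.1.10", ["sg-secure-rdp"])

def lab_checks() -> Dict[str, bool]:
    # The bastion is relaunched with a new private IP; compare the group-ID rule
    # with the alternative of pinning the bastion's address as a /32 CIDR.
    moved = Instance("bastion", "10.0.0.25", bastion.groups)
    pinned = {"sg-secure-rdp": [Rule(RDP, cidr="10.0.0.10/32")]}
    return {
        "bastion_to_secure_rdp": inbound_allowed(RULES, bastion, secure, RDP),  # True
        "secure_to_bastion_smb": inbound_allowed(RULES, secure, bastion, 445),  # False: one-way
        "moved_bastion_group_ref": inbound_allowed(RULES, moved, secure, RDP),  # True: survives
        "moved_bastion_pinned_ip": inbound_allowed(pinned, moved, secure, RDP),  # False: breaks
    }
```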

At the end of the lab please ensure that you have terminated all running instances.