FROM GATHERING REQUIREMENTS TO DEPLOYMENT: A LOOK AT IMPLEMENTING NEW CLOUD INFRASTRUCTURE
A NEW CLIENT
A small business received a large infusion of funds from an Angel investor in order to realize their latest business venture. A condition of the investment was their environment must be 100% cloud based. After weeks of discussion with several technical teams, the initial requirements for their cloud platform were provided.
- Databases, applications, and other virtual machines will be managed by the team.
- Servers housing databases and applications should only be accessible by employees.
- At some future date, customers will be able to access web servers to view inventory.
- Servers must be highly available and fault tolerant.
- There must be one network that contains 30 IP addresses and does not allow ingress or egress.
- Employees need a secure way to access servers over the internet because they work remotely.
PREREQUISITES FOR IMPLEMENTATION
- The implementer needs an AWS account with appropriate permission levels and programmatic access.
- The AWS CLI must be installed and properly configured.
There are multiple tools available to create cloud infrastructure on AWS. The Management Console allows administrators to create and maintain services and infrastructure, but this is not always the most efficient deployment method.
Building via the command line using SDKs like Boto3 (the Python SDK for AWS), the AWS Command Line Interface (CLI), or Infrastructure as Code tools like Terraform increase speed of construction, reliability, repeatability, and flexibility.
The AWS CLI is used in these instructions to deploy the infrastructure.
CREATING THE VIRTUAL PRIVATE NETWORK
Start by carving out a portion of the AWS network.
The technical team decided to assign 220.127.116.11/20 to the network.
The chart below details what this IP addressing provides.
If changes to the CIDR block are needed at a future date, the technical team can refer to this document.
Create the virtual private network.
aws ec2 create-vpc — cidr-block 18.104.22.168/20 — query Vpc.VpcId — output text
Note the name of the VPC which will be needed later.
BUILDING THE SUBNETS
An IP subnet calculator was used to determine the networks available for 22.214.171.124/20.
The client requires access to their corporate environment using a secure connection over the internet to connect with their application and database servers.
This solution creates two subnets — one public and one private.
The public subnet allows communication with the internet while the private subnet protects the backend (applications and databases) servers.
Each of these 126.96.36.199/20 subnetworks contain 4,094 usable IP addresses. All of these are not currently needed but allow for infrastructure growth over time. For now, the /23 subnet mask will be used to provide 512 host addresses.
An IP subnet calculator provided the subnets, and the first two were assigned to be the public and private subnets, respectively.
Create both subnets in the VPC (vpc-02c82f5c1aa199970).
aws ec2 create-subnet — vpc-id vpc-02c82f5c1aa199970 — cidr-block 188.8.131.52/23
aws ec2 create-subnet — vpc-id vpc-02c82f5c1aa199970 — cidr-block 184.108.40.206/23
Public Subnet ID subnet-02efd29f0ed47fc81
Private Subnet ID subnet-035f4e74b06f83d17
CREATING THE INTERNET GATEWAY
In order for a subnet to be considered public, it must have access to the internet, which means an internet gateway is required.
Create the internet gateway (IGW).
aws ec2 create-internet-gateway — query InternetGateway.InternetGatewayID — output text
Internet Gateway ID igw-07c8c64208aade7c0
Attach the internet gateway to the VPC.
aws ec2 attach-internet-gateway — vpc-id vpc-02c82f5c1aa199970 — internet-gateway-id igw-07c8c64208aade7c0
Note the command provides no output so use this command to view the IGW details.
aws ec2 describe-internet-gateways
Next, rules must be defined to ensure traffic flows correctly.
When a VPC is deployed a route is automatically created that allows traffic to flow within that network. A new route must be created to direct internet-bound traffic to the internet gateway.
Execute this command to get details on the existing route table assigned to the VPC, and make a note of the RouteTableId.
aws ec2 describe-route-tables — output table
Route Table ID
Add the IGW route to the route table.
aws ec2 create-route — route-table-id rtb-013918f09d6de3041 — destination-cidr-block 0.0.0.0/0 — gateway-id igw-07c8c64208aade7c0
Verify the route table contains the new route.
aws ec2 describe-route-tables — route-table-id rtb-013918f09d6de3041
Verify this route table is associated with the public subnet.
aws ec2 associate-route-table — subnet-id subnet-02efd29f0ed47fc81 — route-table-id rtb-013918f09d6de3041
Here is a consolidated list of components for reference.
Public Subnet Route Table
Private Subnet Route Table
has not been created
Elastic IP Address
CREATING THE NAT GATEWAY
A NAT Gateway allows traffic to travel between hosts residing in a private subnet and the internet. This gateway can be associated with only one public subnet, and it requires an elastic IP (EIP).
Create an elastic IP address.
aws ec2 allocate-address
Create the NAT Gateway.
aws ec2 create-nat-gateway — subnet-id subnet-02efd29f0ed47fc81 — allocation-id eipalloc-00369cae33269b2ba
The NAT gateway may take a while to fully activate.
Create a route table, and add a route that directs traffic bound for the internet from the private subnet to the NAT gateway.
aws ec2 create-route-table — vpc-id vpc-02c82f5c1aa199970
Private Subnet Route Table ID
Add the previously discussed route to the new route table.
aws ec2 create-route — route-table-id rtb-083b7c9846c2c527d — destination-cidr-block 0.0.0.0/0 — gateway-id nat-04da280ba20b72a8e
Associate the new route table with the private subnet.
aws ec2 associate-route-table — route-table-id rtb-083b7c9846c2c527d — subnet-id subnet-035f4e74b06f83d17
THE STANDALONE PRIVATE NETWORK
The client requested an isolated network with 30 usable host ip addresses.
To accomplish this, use one of the subnetwork addresses (the tech team chose 220.127.116.11) and the /27 subnet mask. The results of this addressing is shown in the below chart.
Build the isolated network.
aws ec2 create-vpc — cidr-block 18.104.22.168/27 — query Vpc.VpcId — output text
CREATE A VPN SERVER
Before creating the EC2 instance that will act as the VPN server, a security group with the necessary rules must be constructed using these two commands.
aws ec2 create-security-group — group-name “VPNServer” — description “VPN Server SG” — vpc-id vpc-02c82f5c1aa199970
Security Group ID
aws ec2 authorize-security-group-ingress — group-id sg-06936a4b469ddee35 — protocol tcp — port 22 — cidr 0.0.0.0/0
Create another elastic IP address.
aws ec2 allocate-address
Elastic IP Addr Allocation ID
Create a file called auto-openvpn.sh, and add the following lines.
This script will run when the EC2 instance is created.
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
APPROVE_INSTALL=y ENDPOINT=$(curl -4 ifconfig.co) APPROVE_IP=y IPV6_SUPPORT=n PORT_CHOICE=1 PROTOCOL_CHOICE=1 DNS=1 COMPRESSION_ENABLED=n CUSTOMIZE_ENC=n CLIENT=ClientVPNServer PASS=1 ./openvpn-install.sh
Create the VPN server in the public subnet. An existing key pair labeled Ohio2021 is used.
aws ec2 run-instances — image-id ami-064ff912f78e3e561 — count 1 — instance-type t2.large — key-name Ohio2021 — subnet-id subnet-02efd29f0ed47fc81 — user-data file://auto-openvpn.sh
VPN EC2 Instance ID
CREATE SECURITY GROUPS
Create security groups for both application and database servers.
aws ec2 create-security-group — group-name “ApplicationServers” — description “Application Servers SG” — vpc-id vpc-02c82f5c1aa199970
aws ec2 create-security-group — group-name “VPNServer” — description “Database Servers SG” — vpc-id vpc-02c82f5c1aa199970
Application Server Security Group
Database Server Security Group
CREATE AUTOSCALING GROUPS FOR APPLICATIONS AND DATABASES
Auto-scaling can be used to provide a fleet of servers that scale up and down based on a defined trigger and a predetermined maximum and minimum number of desired servers.
Launch configurations must be created for both database servers and application servers. These configurations specify elements that will be used in the autoscaling group. Until the client provides specifics regarding their infrastructure (see the Project Summary section), placeholder values are used.
Create the Launch Configurations
aws autoscaling create-launch-configuration — image-id ami-064ff912f78e3e561 — instance-type t2.micro — key-name Ohio2021 — security-groups sg-0d7d80b1fcd2ec7dd — launch-configuration-name dbservers-lc
aws autoscaling create-launch-configuration — image-id ami-064ff912f78e3e561 — instance-type t2.micro — key-name Ohio2021 — security-groups sg-01cd99d68a43dbcb4 — launch-configuration-name dbservers-lc
The AMI IDs are specific to the region the AS groups will reside in.
CREATE THE AUTOSCALING GROUPS
Now the autoscaling groups can be defined using the database and application launch configurations.
Create the auto scaling groups.
aws autoscaling create-auto-scaling-group — auto-scaling-group-name dbservers-asg — availability-zones us-east-2a us-east-2b — launch-configuration-name dbservers-lc — max-size 3 — min-size 1
aws autoscaling create-auto-scaling-group — auto-scaling-group-name appservers-asg — availability-zones us-east-2a us-east-2b — launch-configuration-name appservers-lc — max-size 3 — min-size 1
Each of the initial requirements provided by the client have been addressed, and the technical team is ready to meet with the client to review their new cloud platform. Meetings can be scheduled to discuss and test the current implementation, and any lessons learned can be tracked in preparation for the next sprint.
Databases, applications, and other virtual machines will be managed by the team.
EC2 instances were created instead of managed services, i.e. RDS, which gives the client full control of their virtual machines.
Servers housing databases and applications should only be accessible by employees.
The EC2 instances used for databases and applications were placed in a private subnet.
At some future date, customers will be able to access web servers to view inventory.
There are enough ip addresses available in the public subnet to use with a large number of new EC2 instances.
Servers must be highly available and fault tolerant.
Autoscaling groups were created based on launch templates created for both database and application servers. The client is responsible for building the AMI images that contain all the software and configurations necessary to run their platform. These AMI images can be referenced in the launch templates.
One network that contains 30 ip addresses and does not allow ingress or egress.
An isolated network was created with 30 usable ip addresses.
All staff members work remotely. Employees need a secure way to access servers over the internet.
A VPN server was created in the public subnet. User accounts can be created for employees that allow them to tunnel into their network, and routing can be put in place to allow traffic between public and private subnets.
IP SUBNET TABLE USED FOR REFERENCE