Knowledge: 2025

Friday, June 13, 2025

VPC part4

Class 44th AWS VPC June13th

Hybrid Networking

What is VPN?

Software VPN

Hardware VPN

Direct Connect

Software VPN Demo

Hybrid Networking

Establish the communication between two different environments
VPC Peering is the hybrid networking concept in AWS
AWS takes the complete responsibility of maintaining the peering
We can create communication between on-premise data center to cloud,cloud-cloud also
To create communication between on-premise to cloud we need to take the help of come explicit service like VPC(Virtual private network)

VPN(Virtual Private Network)

A virtual Private Network(VPC) is a technology that creates a secure ,encrypted connection over ales secure network,such as the internet

it is two type:

i.Software VPN

ii.Hardware VPN

i.Software VPN: onprem-> cloud able connect , cloud ->onprem not able connect

We need to install a software to establish the communication between the networks
We should select a public subnet server and install the software VPN as well in the On-premise system.
The public server works as a central location to maintain the traffic
The communication establishes over internet using the encrypted tunnels
We can connect to private servers from around the world using a SW VPN(No location dependency)
It provides one-way communication only
For example :Open VPN,Any connect (free service),cisco,AWS client connect.

ii.Hardware VPN

Here router setup(On-premise) required to establish the communication(encrypted tunel)
It is a fixed setup works from the office environment only
It is costlier than software VPN setup
The communication establishes over internet using the encrypted tunnels
It provides two-way communication
For example :aws site-site VPN(s2s)

Direct connect (DC/DX)

Here AWS provides service over the physical cables. Here internet is not required to setup the communication.
Not only Ec2-IAM,S3 and all other AWS services we can connect without internet.
It provides high data transfer as they connected directly over the cables
The problem with DC is data transfer happen without encryption .We need to take the help of S2S to send the data securely
It provides two-way communication

Software VPN

AWS Client VPN

3rd Party providers -openVPN ,cisco etc.

Any connect (free service)

Hardware VPN

aws site-site VPN(s2s)

Practical Software VPN

Step1: Create one instance using private VPC,Create one more instance public PVC there we setup VPN

Step2:Create one more instance for VPN setup, Browse more AMIs select any connect

VPN Giving ubuntu, click subscribe, don't change any security related changes

Select Create security group only , don't change that there will be create some protocols for vpn ,not do any change click launch the instance.

You connect ubuntu AWS console terminal only not ssh , if you want connect ssh change from

ssh -i "AMAZON-LNX-KEY.pem" root@35.177.128.51 --> ssh -i "AMAZON-LNX-KEY.pem" openvpnas@35.177.128.51

it is Agreement , just give yes, after please click enter,enter all enter default yes

You can now continue configuring OpenVPN Access Server by

directing your Web browser to this URL:

https://35.177.128.51:943/admin

During normal operation, OpenVPN AS can be accessed via these URLs:

Admin UI: https://35.177.128.51:943/admin

Client UI: https://35.177.128.51:943/

To login please use the "openvpn" account with "APkByt1I7gxT" password.

See the Release Notes for this release at:

https://openvpn.net/vpn-server-resources/release-notes/

Step 3: admin Connect user name login please use the "openvpn" account with "APkByt1I7gxT" password

https://35.177.128.51:943/admin

and accept the agreement

Step 3: Client Connect user name login please use the "openvpn" account with "APkByt1I7gxT" password

Client UI: https://35.177.128.51:943/

click window install the vpn client locally

Click next and install, Click Agree ,Delete existing connection, need supplu ubutun public ip

Click next and guve user name password "openvpn" account with "APkByt1I7gxT" password.

enable VPN give password more time VPN will connect

Step4: Now we can take window machine in you local using RDP private ip

10.0.1.43

Private Cloud connect successfully in On-prem machine local, usually database point view we can use this real time

-- VPN Concept completed

Organizations

Introduction

Create Organization

Add and remove accounts

Service control policies (SCPs)

AWS SSO-Identity Centre

Aws Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

AWS Organization includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business.

Introduction

An organization helps you to maintain all the aws accounts under one account called management account.
The management account is the parent container for all the added accounts(member accounts).
You create a policy(service control policy –SCP) to restrict the resource access and apply it to all or selected member accounts in the organization
An Organization has one management account along with zero or more member accounts.
An account can be the member of only one organization at a time
Management account admin has the ultimate privileges to invite new members and remove the existing members in the organization
Management account is the responsible for the payments of all member accounts in the organization
We can divide & manage the member accounts in different categories called organizational units(OUs)
Free-tier feature are applicable with conditions,instead,AWS gives credits to the organization which can share with the member accounts.
Management account can create new member accounts,only emailed enough to create the account as management account takes care of billing activities
No pending bill should remain to the member account in case the account want to come out of the organization

Key point about SCPs:

SCPs apply to accounts, not individual IAM users or roles.
Scps set the maximum available permissions for all IAM users and roles in an account.
If an action is denied by an SCP,no IAM policy can override it.
Scps are enforced only on member accounts –not on the management account
AWS Oganizations is an account management service.
Centraized billing and access management
Services and regions access can be restricted through service control policies(SCPs)
Eligible to get credits/discounts from AWS and can share the discounts to the memer accounts.
Members can be divided into organizational unit (OUS) and maintain the security more flexibly
Management account has ultimate privileges to add/remove the member accounts and set the SCPs

Practical

>AWS Organizations >Creating an organization>click Create organization

Step1: Below is the my vakatisubbu my management account ,adding one more aws account

Step2: Adding one more account invite the organization using his aws accountid give and click send invite ,the notification send to invited person in the aws organization

Step3:After send invited person , below screen he accept the request

Step4: The acceptance will come to you organization, showing accepted

Step5: As see below member account added successfully, now my management account is responsible for the member account , if member account is not paid any bills that bills will need to pay by management account .

Step6:We can create policies restrict the member with out leaving the organization

AWS Organization >Policies > click enable service control policies.

Step7:By default we have Full AWS Access ,instead of the create policy your own,

Give the policy name any :Org-block

Al lservice Choose Organization select Leave Organization policy

Click Add resource and then click create policy

After created the policy attach the policy to the member

Step8: Now the member unable to leave the organization ,getting error permission denied

Step9: Using service control policy ,you can control the limitation to the member , for example you want to block S3 bucket

Step10: If you the create group of unit, all members unique policy create group move the user to the group

Step11:give any name Group-unit and click create organizational unit

Step12:Click the members action ,move to select the Group-unit ,move account-account

Step13: Added the member to the group

Step14: Which is we have created policy earlier s3, we can attach to group-unit (group)

not individual members, for us only 1 member

Identity Center: it is used in Single sign on

is a service that makes it easy to centrally manage access to multiple AWS accounts

Click enable

Step1:Click Create permission sets > give name "permssion-set"select Custom permission set ,choose EC2,S3,im

Step2: added the policy click create, need to add this policy to user

Step3: Create user now , give any dummy email id Click next ,Group(0) click next ,Click add user

Step4:

You need one thing disable Users >setting >multi-factor authentication > configuration select never

click save changes

Step5: with the url username and password ,able to login successfully.

Step6:There above screen shot showing nothin because we are not give any permission to the user

for that click user which we have created and then assign account

Step7:ccit-ssouser , we need select the member permission set then click assign

Click Assign now user can able to access the member permission

Step8:

now you see nprabhu AWS account user permission given to ccit-sso (identity user)

identity user can use nprabhu memeber policies

Step9: Login Identity user created one bucket and uploaded image successfully

rprabhu member account Bucket created and object uploaded successfully

Step10: See below given 3 Permission, given to ccit-ssouser identity user (it is single sign on)

Step11: Action >Remove the member and delete the identity user

Step12: Complete Identity center you need delete

Step13:Now complete Identity center Organization was delete successfully click confirm.

Getting message like below after confirm
The AWS IAM Identity Center configuration in the Europe (London) region has been successfully deleted. You can enable it again in this or any other supported region

Note: Identity center will be applicable only for the one AWS account not possible multiple regions.

--Thanks

Wednesday, June 11, 2025

VPC part3

Class 43rd AWS VPC June12th

Vpc peering

Hybrid Networking

What is the VPN?

Software VPN

Hardware VPN

Direct Connect

Software VPN -demo

DNS Resolution

Firewall: network security for protect the others

Web àrequest(inbound) 172.0.0.0:80 Server

172.0.0.0:15000-65000

ß response(outbound)

Request is the combination of ‘source IP address and the port number

Response is the combination of Destination ip address and the port number(Ephemeral port)

Notable well Known port numbers

20 File Transfer protocol (FTP) data transfer

21 File Transfer protocol (FTP) Command Control

Stateful and stateless firewall

A stateful firewall keeps track of the state of active connections and makes decisions based on the context of the traffic.In AWS VPC ,the primary stateful firewall is security group

Security Groups:

Purpose: Control inbound and outbound traffic at instance level

Stateful nature: If you allow an inbound connection, the response is automatically allowed. The state of the connection is tracked,so the firewall knows that a response to an inbound request is permitted without an explicit outbound rule.

Rules:

Inbound rules: define the allowed inbound traffic to the instances.

Outbound rules:define the allowed outbound traffic to the instances.

Practical

Step1: Created one window instance ccitpublic name , attach the subnet public for the security grp ,So far Security groups , have given All traffic ,it is not good practice to give all traffic

you need give RDP connect

Step2: Connect the RPD Windows instance ,Install IIS Webserver in the window machine

>Server Manger >Add Roles and features

Security group we called as Firewall stateful firewall,inbound you need configure and outbound rule it will handle automatically.

NACL :Network access control list state less firewall ,you need configured both inbound and outbound rules ,then only response will come

Installation completed ,Webserver configure done you can check in c:drive inetpub folder

Step3: Need to check public ip IIS default page will open , before you need open 80 port in the security group

Outside of the server you can able connect using inbound rules, inside server trying to connect any services for ex: internet to connect need set the outbound rules in security group

Linux Machine

[root@ip-10-0-1-93 ~]# sudo yum install -y httpd

[root@ip-10-0-1-93 ~]# sudo systemctl start httpd

[root@ip-10-0-1-93 ~]# sudo systemctl enable httpd

[root@ip-10-0-1-93 html]# pwd

/var/www/html

[root@ip-10-0-1-93 html]# vi index.html

[root@ip-10-0-1-93 html]# cat index.html

<h1>Welcome to Linux webpage...!</h1>

[root@ip-10-0-1-93 www]# sudo mkdir -p /var/www/html81

[root@ip-10-0-1-93 www]# sudo cp /var/www/html/index.html /var/www/html81/index.html

[root@ip-10-0-1-93 www]# vi /var/www/html81/index.html

<h1>Welcome to Linux webpage 81 port...!</h1>

[root@ip-10-0-1-93 www]# sudo cp /usr/lib/systemd/system/httpd.service /usr/lib/systemd/system/httpd81.service

[root@ip-10-0-1-93 system]# sudo vim /etc/httpd/conf.d/port81.conf

[root@ip-10-0-1-93 conf.d]# cat port81.conf

Listen 81

DocumentRoot "/var/www/html81"

AllowOverride None

Require all granted

</Directory>

</VirtualHost>

[root@ip-10-0-1-93 conf.d]# sudo systemctl restart httpd

You need to open the security group 81 in the inbound rules

We can able give single ip , in security group , we have all ipv4, instead of that give you own ip

i will access webpage that system ip only.

Security group will work only instance level

NACL

state less firewall ,you need configured both inbound and outbound rules ,then only response will come , It is automatically create whenever you created VPC , it is working subnet level, if you are apply any rule,it will apply all the subnets of the corresponding instances.

Step1: Create network ACL >give name ccitncl >choose you vpc

VPC Peering :

VPC 1 (Public subnets,private subnet), VPC 2 (public subnet,private subnet),

you can able to connect public subnet both the vpn,here you need connect public subnet from one vpn other vpn private subnet

A VPC Peering Connection is a networking connection between tow VPCs that enables you to route traffic between them using private IPV4 addresses or IPV6 addresses

This connection can be established between VPCs within the same AWS account or across different.

Peering limitations

You cannot create a VPC peering connection between VPCs that have matching or overlapping IPV4 or IPV6 CIDR blocks

VPC peering does not support transitive peering relationships.

You cannot have more than one VPC peering connection between the same two VPCs at the same time

Step1:Created two VPC's (ccitvpc1 and ccitvpc2),As see below two associated subnets created attached internet gateway for public subnet only

ccitvpc1

ccitvpc2

Step2:Create Two subnet's for each VPC total 4 subnets created, ccitpublic-ccitvpc1 for public subnet separate route table created attached VPC added internet gateway

one more subnet ccitprivate-ccitvpc1 for private subnet separate route table created attached VPC not internet gateway added

Step3: Same as above ccitpublic-ccitvpc2, attached vpc and internet gate way

one more subnet ccitprivate-ccitvpc2 for private subnet separate route table created attached VPC not internet gateway added

Step4:Created two internet gate ways

ccitvpc-1-internet-gateway attached ccit-vpc1

ccitvpc-2-internet-gateway attached ccit-vpc2
Step4: Create four Route table public route tables need attached internet gateway

Practical

Step1:

Need to create one instance using public subnet VPC1, it has internet gate attached,

Need to create one instance using private subnet VPC2 ,it have not internet gate not attached.

As see here create three instances CCIT-VPC1-PUB,CCIT-VPC1-PVT ,CCIT-VPC2-PUB

Possibilities: Here we plan to connect or ping private instance VPC1 (i.e CCIT-VPC1-PVT)

from other public instance VPC2 (i.e CCIT-VPC2-PUB)

Public VPC2 instance

Instance :CCIT-VPC2-INST-PUB

Public IPV4: 35.177.15.196

Private IPV4: 10.0.2.14

Private VPC1 instance

Instance :CCIT-VPC1-INST-PVT

Public IPV4 : 13.41.186.187

Private IPV4: 10.0.1.36

Public VPC1 instance

Instance : CCIT-VPC1-INST-PUB

Public IPV4: 18.169.188.224

Private IPV4: 10.0.1.22

Step2: As below Public VPC2 instance connected, try to ping other VPC1 instance Private ip 10.0.1.36,getting timed out

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@35.177.15.196

, #_

~\_ ####_ Amazon Linux 2023

~~ \_#####\

~~ \###|

~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023

~~ V~' '->

~~~ /

~~._. _/

_/ _/

_/m/'

Last login: Sat Jun 14 15:16:44 2025 from 84.225.106.12

[ec2-user@ip-10-0-2-14 ~]$ ping 10.0.1.36

PING 10.0.1.36 (10.0.1.36) 56(84) bytes of data.

timed out

Step3:As below Public VPC1 instance connected, try to ping Same VPC1 instance Private ip 10.0.1.36,getting resonse, Because of Same VPC, If you are need connect other vpc required VPC peering

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@18.169.188.224

, #_

~\_ ####_ Amazon Linux 2023

~~ \_#####\

~~ \###|

~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023

~~ V~' '->

~~~ /

~~._. _/

_/ _/

_/m/'

Last login: Sat Jun 14 14:21:10 2025 from 84.225.106.12

[ec2-user@ip-10-0-1-22 ~]$ ping 10.0.1.36

PING 10.0.1.36 (10.0.1.36) 56(84) bytes of data.

64 bytes from 10.0.1.36: icmp_seq=1 ttl=127 time=0.989 ms

64 bytes from 10.0.1.36: icmp_seq=2 ttl=127 time=1.01 ms

64 bytes from 10.0.1.36: icmp_seq=3 ttl=127 time=1.02 ms

64 bytes from 10.0.1.36: icmp_seq=4 ttl=127 time=0.992 ms

64 bytes from 10.0.1.36: icmp_seq=5 ttl=127 time=0.960 ms

VPC Peering

Step1:Create Peering connect select VPC2 and select other VPC1 ,click create peering connetion

Step2: After created you need to accept the request here same aws account ,accept here itself ,if other account wait for confirmation to accept

Step3:After Peering active ,need to configure route table of

ccit-public-rtb-vpc2 add the CDR Range of VPC1 for us 10.0.1.0/24,click save changes

Now you see peering added route table VPC2 public route to VPC1 Private Ip instance

Step5: You need one more configuration ,ccit-private-rtb-vpc1, give CDR range of VPC2 click save

Now you see peering added via cross route table VPC1 private route to VPC2 public Ip instance

Previous

Last login: Sat Jun 14 15:16:44 2025 from 84.225.106.12

[ec2-user@ip-10-0-2-14 ~]$ ping 10.0.1.36

PING 10.0.1.36 (10.0.1.36) 56(84) bytes of data.

timed out

After Peering

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@35.177.15.196

, #_

~\_ ####_ Amazon Linux 2023

~~ \_#####\

~~ \###|

~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023

~~ V~' '->

~~~ /

~~._. _/

_/ _/

_/m/'

Last login: Sat Jun 14 15:50:38 2025 from 84.225.106.12

[ec2-user@ip-10-0-2-14 ~]$ ping 10.0.1.36

PING 10.0.1.36 (10.0.1.36) 56(84) bytes of data.

64 bytes from 10.0.1.36: icmp_seq=1 ttl=127 time=0.970 ms

64 bytes from 10.0.1.36: icmp_seq=2 ttl=127 time=0.964 ms

64 bytes from 10.0.1.36: icmp_seq=3 ttl=127 time=0.962 ms

64 bytes from 10.0.1.36: icmp_seq=4 ttl=127 time=0.934 ms

64 bytes from 10.0.1.36: icmp_seq=5 ttl=127 time=0.980 ms

Previously without peering

VPC2 Public --> VPC1 private Connected Failed

After peering

VPC2 Public --> Peering--> VPC1 private Connected Successfully

Step6:Created one more instance CCIT-VPC2-INST-PVT, now plan to connect reverse way

using same Peering

VPC1 Public --> VPC2 Private

Private VPC2 instance

Instance : CCIT-VPC2-INST-PVT

Public IPV4: 13.41.204.78

Private IPV4:10.0.2.40

Previously without peering

VPC1 Public --> VPC2 private Connected Failed

VPC1 Public connected

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@18.169.188.224

, #_

~\_ ####_ Amazon Linux 2023

~~ \_#####\

~~ \###|

~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023

~~ V~' '->

~~~ /

~~._. _/

_/ _/

_/m/'

Last login: Sat Jun 14 15:52:15 2025 from 84.225.106.12

[ec2-user@ip-10-0-1-22 ~]$ ping 10.0.2.40

PING 10.0.2.40 (10.0.2.40) 56(84) bytes of data.

--- 10.0.2.40 ping statistics ---

11 packets transmitted, 0 received, 100% packet loss, time 10415ms

Step7: need add peering added route table VPC1 public route table to give CDR range of the VPC2 click save

Now you see peering added via cross route table VPC2 private route to VPC1 public CDR range of Ip click save

VPC1 Public --> Peering--> VPC2 private Connected Successfully

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@18.169.188.224
, #_
~\_ ####_ Amazon Linux 2023
~~ \_#####\
~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'

[ec2-user@ip-10-0-1-22 ~]$ ping 10.0.2.40
PING 10.0.2.40 (10.0.2.40) 56(84) bytes of data.
64 bytes from 10.0.2.40: icmp_seq=1 ttl=127 time=1.50 ms
64 bytes from 10.0.2.40: icmp_seq=2 ttl=127 time=1.17 ms
64 bytes from 10.0.2.40: icmp_seq=3 ttl=127 time=1.06 ms

Finally Concept

-Thanks