Wednesday, June 11, 2025

VPC part3


Class 43rd AWS VPC June12th

Vpc peering 

Hybrid Networking

What is the VPN?

Software VPN

Hardware VPN

Direct Connect 

Software VPN -demo 

DNS Resolution 

Firewall: network security that protects the resources behind it

Web  --> request (inbound)   -->  172.0.0.0:80            Server

Web  <-- response (outbound) <--  172.0.0.0:15000-65000   Server

A request is identified by the combination of source IP address and port number.

A response is identified by the combination of destination IP address and port number (the ephemeral port).

Notable well-known port numbers

20    File Transfer Protocol (FTP) data transfer

21    File Transfer Protocol (FTP) command control


Stateful and stateless firewalls

A stateful firewall keeps track of the state of active connections and makes decisions based on the context of the traffic. In an AWS VPC, the primary stateful firewall is the security group

Security Groups:

Purpose: Control inbound and outbound traffic at the instance level

Stateful nature: If you allow an inbound connection, the response is automatically allowed. The state of the connection is tracked, so the firewall knows that a response to an inbound request is permitted without an explicit outbound rule.

Rules:

Inbound rules: define the allowed inbound traffic to the instances.

Outbound rules: define the allowed outbound traffic from the instances.


Practical

Step1: Created one Windows instance named ccitpublic and attached the public subnet. For the security group, so far we have allowed All traffic; it is not good practice to allow all traffic,

you only need to allow RDP to connect


Step2: Connect to the Windows instance over RDP and install the IIS web server on the Windows machine

> Server Manager > Add Roles and Features

A security group is what we call a stateful firewall: you need to configure the inbound rules, and the outbound side of the same connection is handled automatically.
NACL: a network access control list is a stateless firewall; you need to configure both inbound and outbound rules, and only then will the response come back.
Installation completed and web server configuration done; you can check it in the C: drive, inetpub folder

Step3: Check that the IIS default page opens on the public IP; before that you need to open port 80 in the security group



From outside the server you are able to connect using the inbound rules; from inside the server, to connect to any service (for example, the internet), you need to set the outbound rules in the security group



Linux Machine 
[root@ip-10-0-1-93 ~]# sudo yum install -y httpd
[root@ip-10-0-1-93 ~]# sudo systemctl start httpd
[root@ip-10-0-1-93 ~]# sudo systemctl enable httpd
[root@ip-10-0-1-93 html]# pwd
/var/www/html
[root@ip-10-0-1-93 html]# vi index.html
[root@ip-10-0-1-93 html]# cat index.html
<h1>Welcome to Linux webpage...!</h1>
[root@ip-10-0-1-93 www]# sudo mkdir -p /var/www/html81
[root@ip-10-0-1-93 www]# sudo cp /var/www/html/index.html /var/www/html81/index.html
[root@ip-10-0-1-93 www]# vi /var/www/html81/index.html
<h1>Welcome to Linux webpage 81 port...!</h1>
[root@ip-10-0-1-93 www]# sudo cp /usr/lib/systemd/system/httpd.service /usr/lib/systemd/system/httpd81.service
[root@ip-10-0-1-93 system]# sudo vim /etc/httpd/conf.d/port81.conf
[root@ip-10-0-1-93 conf.d]# cat port81.conf
Listen 81
<VirtualHost *:81>
 DocumentRoot "/var/www/html81"
 <Directory "/var/www/html81">
  AllowOverride None
  Require all granted
</Directory>
</VirtualHost>
[root@ip-10-0-1-93 conf.d]# sudo systemctl restart httpd

You need to open port 81 in the inbound rules of the security group
We are able to give a single IP in the security group: instead of all IPv4 addresses, give your own IP,
so only that system's IP can access the web page.

A security group works only at the instance level


NACL
A stateless firewall: you need to configure both inbound and outbound rules, and only then will the response come back. One is created automatically whenever you create a VPC. It works at the subnet level: if you apply any rule, it applies to all the instances in the associated subnets.

Step1: Create a network ACL > give the name ccitncl > choose your VPC
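To make the stateful/stateless distinction concrete, here is a small Python simulation (added here as an example; it is not code from the class notes or from AWS) that pushes the request/response pair from the firewall diagram above through a security-group-style filter and a NACL-style filter. The addresses, the port-80 rule and the 15000-65000 ephemeral range are sample values constructed for the demo; a real NACL outbound rule normally uses 1024-65535 as the ephemeral reply range.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# A packet as the server's network interface sees it (constructed model, not a capture).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

@dataclass(frozen=True)
class Rule:
    direction: str            # "inbound" or "outbound", seen from the server's interface
    port_lo: int
    port_hi: int
    cidr: str = "0.0.0.0/0"

    def matches(self, direction, pkt):
        if direction != self.direction:
            return False
        # Inbound rules key on the source address, outbound rules on the destination; both on dst port.
        peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        return (self.port_lo <= pkt.dst_port <= self.port_hi
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))

class NetworkACL:
    """Stateless: every packet is judged on its own, so the reply needs its own rule."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, direction, pkt):
        return any(r.matches(direction, pkt) for r in self.rules)

class SecurityGroup(NetworkACL):
    """Stateful: once an inbound request is allowed, its reply is allowed automatically."""
    def __init__(self, rules):
        super().__init__(rules)
        self.tracked = set()  # connections as (client_ip, client_port, server_ip, server_port)

    def allow(self, direction, pkt):
        if direction == "outbound" and (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return True       # reply to a tracked inbound connection: no outbound rule needed
        allowed = super().allow(direction, pkt)
        if allowed and direction == "inbound":
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return allowed

def exchange(fw, client_ip, client_port, server_ip, server_port):
    """Push one request and its reply through fw; returns (request_allowed, reply_allowed)."""
    request = Packet(client_ip, client_port, server_ip, server_port)
    reply = Packet(server_ip, server_port, client_ip, client_port)
    return fw.allow("inbound", request), fw.allow("outbound", reply)

# Constructed sample addresses; 40000 stands in for the client's ephemeral port.
SERVER, CLIENT, EPHEMERAL = "172.0.0.10", "203.0.113.5", 40000

def demo():
    sg = SecurityGroup([Rule("inbound", 80, 80)])
    nacl_half = NetworkACL([Rule("inbound", 80, 80)])
    nacl_full = NetworkACL([Rule("inbound", 80, 80), Rule("outbound", 15000, 65000)])
    return {
        "security_group": exchange(sg, CLIENT, EPHEMERAL, SERVER, 80),
        "nacl_inbound_only": exchange(nacl_half, CLIENT, EPHEMERAL, SERVER, 80),
        "nacl_with_ephemeral": exchange(nacl_full, CLIENT, EPHEMERAL, SERVER, 80),
        # A connection the server opens itself is not a reply, so the SG needs an outbound rule too.
        "sg_server_initiated": sg.allow("outbound", Packet(SERVER, 50000, CLIENT, 443)),
    }
```

Only the NACL with the explicit ephemeral outbound rule lets the reply through, and the security group still needs an outbound rule for connections the server itself opens, which is the "internet from inside the server" case in the notes.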


VPC Peering:

VPC 1 (public subnet, private subnet), VPC 2 (public subnet, private subnet).
The public subnets of both VPCs can be reached; here we need to connect from the public subnet of one VPC to the private subnet of the other VPC.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.

This connection can be established between VPCs within the same AWS account or across different accounts.

Peering limitations

You cannot create a VPC peering connection between VPCs that have matching or overlapping IPV4 or IPV6 CIDR blocks

VPC peering does not support transitive peering relationships.

You cannot have more than one VPC peering connection between the same two VPCs at the same time

Step1: Created two VPCs (ccitvpc1 and ccitvpc2). As seen below, two subnets are associated with each, and an internet gateway is attached for the public subnet only.
ccitvpc1

ccitvpc2

Step2: Create two subnets for each VPC, four subnets in total. For ccitpublic-ccitvpc1 (the public subnet) a separate route table was created, attached to the VPC, with the internet gateway added.

One more subnet, ccitprivate-ccitvpc1, for the private subnet: a separate route table was created and attached to the VPC, with no internet gateway added.


Step3: Same as above for ccitpublic-ccitvpc2: attached to the VPC and the internet gateway.

One more subnet, ccitprivate-ccitvpc2, for the private subnet: a separate route table was created and attached to the VPC, with no internet gateway added.


Step4: Created two internet gateways
ccitvpc-1-internet-gateway attached to ccit-vpc1
ccitvpc-2-internet-gateway attached to ccit-vpc2
Step4: Create four route tables; the public route tables need the internet gateway attached.


Practical
Step1:
Need to create one instance using the public subnet of VPC1, which has an internet gateway attached,
and one instance using the private subnet of VPC2, which has no internet gateway attached.

As seen here, three instances were created: CCIT-VPC1-PUB, CCIT-VPC1-PVT, CCIT-VPC2-PUB

Possibilities: Here we plan to connect to or ping the private instance of VPC1 (i.e. CCIT-VPC1-PVT)
from the public instance of the other VPC, VPC2 (i.e. CCIT-VPC2-PUB)

Public VPC2 instance
Instance :CCIT-VPC2-INST-PUB
Public IPV4: 35.177.15.196
Private IPV4: 10.0.2.14

Private VPC1 instance
Instance :CCIT-VPC1-INST-PVT
Public IPV4 : 13.41.186.187
Private IPV4: 10.0.1.36

Public VPC1 instance
Instance : CCIT-VPC1-INST-PUB
Public IPV4: 18.169.188.224
Private IPV4: 10.0.1.22

Step2: As below, connected to the public VPC2 instance and tried to ping the private IP 10.0.1.36 of the VPC1 instance; getting timed out

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@35.177.15.196
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Sat Jun 14 15:16:44 2025 from 84.225.106.12
[ec2-user@ip-10-0-2-14 ~]$ ping 10.0.1.36
PING 10.0.1.36 (10.0.1.36) 56(84) bytes of data.
timed out 
timed out 

Step3: As below, connected to the public VPC1 instance and tried to ping the private IP 10.0.1.36 of the instance in the same VPC1; getting a response, because it is the same VPC. If you need to connect to another VPC, VPC peering is required

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@18.169.188.224
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Sat Jun 14 14:21:10 2025 from 84.225.106.12
[ec2-user@ip-10-0-1-22 ~]$ ping 10.0.1.36
PING 10.0.1.36 (10.0.1.36) 56(84) bytes of data.
64 bytes from 10.0.1.36: icmp_seq=1 ttl=127 time=0.989 ms
64 bytes from 10.0.1.36: icmp_seq=2 ttl=127 time=1.01 ms
64 bytes from 10.0.1.36: icmp_seq=3 ttl=127 time=1.02 ms
64 bytes from 10.0.1.36: icmp_seq=4 ttl=127 time=0.992 ms
64 bytes from 10.0.1.36: icmp_seq=5 ttl=127 time=0.960 ms

VPC Peering

Step1: Create a peering connection: select VPC2 and select the other VPC1, click Create peering connection

Step2: After it is created you need to accept the request. Here it is the same AWS account, so accept it here itself; if it is another account, wait for its confirmation to accept

Step3: After the peering is active, you need to configure the route table
ccit-public-rtb-vpc2: add the CIDR range of VPC1, for us 10.0.1.0/24, and click Save changes


Now you see the peering added to the VPC2 public route table as the route to the VPC1 private IP instance

Step5: You need one more configuration: in ccit-private-rtb-vpc1, give the CIDR range of VPC2 and click Save
Now you see the peering added in the cross route table, the VPC1 private route to the VPC2 public IP instance


Previously (before peering)

Last login: Sat Jun 14 15:16:44 2025 from 84.225.106.12
[ec2-user@ip-10-0-2-14 ~]$ ping 10.0.1.36
PING 10.0.1.36 (10.0.1.36) 56(84) bytes of data.
timed out 
timed out 

After Peering 

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@35.177.15.196
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Sat Jun 14 15:50:38 2025 from 84.225.106.12
[ec2-user@ip-10-0-2-14 ~]$ ping 10.0.1.36
PING 10.0.1.36 (10.0.1.36) 56(84) bytes of data.
64 bytes from 10.0.1.36: icmp_seq=1 ttl=127 time=0.970 ms
64 bytes from 10.0.1.36: icmp_seq=2 ttl=127 time=0.964 ms
64 bytes from 10.0.1.36: icmp_seq=3 ttl=127 time=0.962 ms
64 bytes from 10.0.1.36: icmp_seq=4 ttl=127 time=0.934 ms
64 bytes from 10.0.1.36: icmp_seq=5 ttl=127 time=0.980 ms


Previously without peering
VPC2 Public -->  VPC1 Private   connection failed
After peering
VPC2 Public --> Peering --> VPC1 Private   connected successfully

Step6: Created one more instance, CCIT-VPC2-INST-PVT; now we plan to connect the reverse way
using the same peering
VPC1 Public --> VPC2 Private



Private VPC2 instance
Instance : CCIT-VPC2-INST-PVT
Public IPV4: 13.41.204.78
Private IPV4:10.0.2.40

Previously without peering
VPC1 Public -->  VPC2 Private   connection failed

VPC1 Public connected
PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@18.169.188.224
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Sat Jun 14 15:52:15 2025 from 84.225.106.12
Last login: Sat Jun 14 15:52:15 2025 from 84.225.106.12
[ec2-user@ip-10-0-1-22 ~]$ ping 10.0.2.40
PING 10.0.2.40 (10.0.2.40) 56(84) bytes of data.
^C
--- 10.0.2.40 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10415ms

Step7: Need to add the peering to the VPC1 public route table: give the CIDR range of VPC2 and click Save

Now you see the peering added in the cross route table: in the VPC2 private route table, give the CIDR range of VPC1 public and click Save



VPC1 Public --> Peering --> VPC2 Private   connected successfully

PS C:\Users\Administrator> ssh -i "AMAZON-LNX-KEY.pem" ec2-user@18.169.188.224
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-10-0-1-22 ~]$ ping 10.0.2.40
PING 10.0.2.40 (10.0.2.40) 56(84) bytes of data.
64 bytes from 10.0.2.40: icmp_seq=1 ttl=127 time=1.50 ms
64 bytes from 10.0.2.40: icmp_seq=2 ttl=127 time=1.17 ms
64 bytes from 10.0.2.40: icmp_seq=3 ttl=127 time=1.06 ms
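The whole peering walkthrough above (the timed-out ping, Steps 3 and 5, the reverse direction in Steps 6 and 7) can be replayed as a route-table simulation; the Python below is an added example, not the notes' own code or an AWS tool, and it models the VPC router's longest-prefix lookup plus the CIDR-overlap limitation on peering. It assumes VPC2's CIDR is 10.0.2.0/24 (the notes only give VPC1's 10.0.1.0/24), uses a placeholder peering id, and goes one step beyond the notes by showing that a route on only one side (after Step 3, before Step 5) still leaves the ping failing because the reply has no route back.

```python
import ipaddress
from collections import namedtuple

Vpc = namedtuple("Vpc", "name cidr")
Instance = namedtuple("Instance", "name private_ip route_table")

class RouteTable:
    def __init__(self, name, vpc):
        self.name = name
        self.routes = {vpc.cidr: "local"}   # AWS adds the local route for the VPC CIDR itself

    def add_route(self, dest_cidr, target):
        self.routes[dest_cidr] = target

    def lookup(self, ip):
        """Longest-prefix match, as the VPC router does; None means 'no route'."""
        addr = ipaddress.ip_address(ip)
        best = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None

def create_peering(pcx_id, a, b):
    """Peering limitation from the notes: matching or overlapping CIDRs are refused."""
    if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
        raise ValueError(f"{a.name} ({a.cidr}) overlaps {b.name} ({b.cidr})")
    return pcx_id

def can_ping(src, dst, active_peerings):
    """A ping only succeeds if the request AND the reply each find a usable route."""
    forward = src.route_table.lookup(dst.private_ip)
    back = dst.route_table.lookup(src.private_ip)
    usable = lambda target: target == "local" or target in active_peerings
    return forward is not None and back is not None and usable(forward) and usable(back)

def demo():
    vpc1 = Vpc("ccitvpc1", "10.0.1.0/24")
    vpc2 = Vpc("ccitvpc2", "10.0.2.0/24")           # VPC2 CIDR is assumed, not stated in the notes
    pub1, pvt1 = RouteTable("ccit-public-rtb-vpc1", vpc1), RouteTable("ccit-private-rtb-vpc1", vpc1)
    pub2, pvt2 = RouteTable("ccit-public-rtb-vpc2", vpc2), RouteTable("ccit-private-rtb-vpc2", vpc2)
    vpc1_pub = Instance("CCIT-VPC1-INST-PUB", "10.0.1.22", pub1)
    vpc1_pvt = Instance("CCIT-VPC1-INST-PVT", "10.0.1.36", pvt1)
    vpc2_pub = Instance("CCIT-VPC2-INST-PUB", "10.0.2.14", pub2)
    vpc2_pvt = Instance("CCIT-VPC2-INST-PVT", "10.0.2.40", pvt2)
    peerings, r = set(), {}
    r["same_vpc"] = can_ping(vpc1_pub, vpc1_pvt, peerings)        # local route: replies
    r["before_peering"] = can_ping(vpc2_pub, vpc1_pvt, peerings)  # timed out
    pcx = create_peering("pcx-PLACEHOLDER", vpc1, vpc2)           # id is a placeholder
    peerings.add(pcx)
    pub2.add_route(vpc1.cidr, pcx)                                # Step3: VPC2 public rtb
    r["forward_route_only"] = can_ping(vpc2_pub, vpc1_pvt, peerings)  # reply has no route yet
    pvt1.add_route(vpc2.cidr, pcx)                                # Step5: VPC1 private rtb
    r["after_peering"] = can_ping(vpc2_pub, vpc1_pvt, peerings)   # 64 bytes from 10.0.1.36
    r["reverse_before"] = can_ping(vpc1_pub, vpc2_pvt, peerings)  # Step6: 100% packet loss
    pub1.add_route(vpc2.cidr, pcx)                                # Step7: both tables again
    pvt2.add_route(vpc1.cidr, pcx)
    r["reverse_after"] = can_ping(vpc1_pub, vpc2_pvt, peerings)
    return r
```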



Finally Concept 



-Thanks 









VPC part2


Class 42nd AWS VPC June 11th

IP Address Division Task

Create a VPC with a 512-IP CIDR range

1. Divide the VPC CIDR into 4 subnets with 128 IPs each.

2. Divide the VPC CIDR into 4 subnets with 64, 64, 128, 256 IPs

Second task completed successfully.

Task2

Subnets   CIDR block     Subnet range (first)   Subnet range (last)
Subnet1   10.0.2.0/23    10.0.2.0/26            10.0.2.63
Subnet2                  10.0.2.64/26           10.0.2.127
Subnet3                  10.0.2.128/25          10.0.2.255
Subnet4                  10.0.3.0/24            10.0.3.255



VPC Components

Create internet gateway

After creating cci-igw, attach it to our VPC

Route tables
When a VPC is created, one default route table is created automatically; if you do not specify any route table, by default all our network operations will be performed with that default route table.

Create our own public route table
Step1:
Step2:
After creating it, we need to specify some rules for the route table
A subnet we created --> through the route table --> accessing the internet gateway is called a public subnet
A subnet --> without that route is called a private subnet


Step3:

Create one more route table for private
Step1: Do not give any rule to the internet gateway for the private route table; that means no internet access for this route table

Security Group Setup

Step1:

Whenever you create a VPC, one security group is created automatically; select your security group using your VPC ID, edit it and give it any name

Edit the inbound rules, delete the existing rule, add one rule with All traffic and click Save rules


Practical with server behaviour, attached to a VPC subnet
Step1: Created one Windows machine; select the existing VPC and the public subnet


After creation, the Windows machine needs the password: Connect > Actions > Security > Get password

Upload the downloaded .pem key file and save the password



Step2: Using the public IP 54.246.26.83, RDP connected and also able to access the internet.




Private subnet instance creation steps
Step1: Create one instance, ccit-private


Step2: Try to connect to the instance with local RDP; getting an error

ccitprivate subnet: edit, check Enable auto-assign public IPv4 address, click Save

Step3:
This private subnet's route table does not have the internet gateway enabled for the subnet, so use the private IP from within the AWS environment, i.e. from within an EC2 instance (ccitpublic): try to connect using the private IP.
With the private IP it connected, but the internet is unreachable, as you see in the screenshot below


Step4: If you want internet for the private subnet, simply attach the internet gateway to the private subnet

See, now the internet is reachable in the private instance also


--Done 

What are IPv4 & IPv6 addresses?
0 . 0 . 0 . 0
8bit 8bit 8bit 8bit

What is IPv4?

An IPv4 (Internet Protocol version 4) address is a numeric label assigned to each device connected to a computer network that uses the Internet Protocol for communication

It is a 32-bit IP address, and we can generate a maximum of 4 billion+ addresses with IPv4.

Each block in this IP address is called an octet, and each octet can hold a maximum of 8 bits. 4 (octets) * 8 (bits) = 32. That's why it is called a 32-bit IP address.

The AWS Free Tier for EC2 includes 750 hours of public IPv4 address usage per month for the first 12 months, effective 01-Feb-24

0.0.0.0 ... 255*255*255*255 = 4,228,250,625 (about 400 crore, which is very few)

For instance, as you see, the public IPs 54.246.26.83 and 3.253.84.108 are charged, and private IPs are free

What is IPv6?

0 : 0 : 0 : 0

16bit 16bit 16bit 16bit

An IPv6 (Internet Protocol version 6) address is an alphanumeric label assigned to each device connected to a computer network that uses the Internet Protocol for communication

It is a 128-bit IP address, and we can generate a maximum of 3 trillion+ addresses with IPv6

Each block in this IP address can hold a maximum of 16 bits. 8 (blocks) * 16 (bits) = 128. That's why it is called a 128-bit IP address.

The cost of public IPv6 addresses in AWS is currently free, due to their huge availability

VPC (Elastic IPs, NAT gateways, VPC peering, security groups)

Elastic IP: a fixed IP given to you instead of a floating IP.

An Elastic IP address is a static public IPv4 address associated with your AWS account in a specific region.

Unlike an auto-assigned public IP address, an Elastic IP address is preserved after you stop and start your instance in a virtual private cloud (VPC).

It is associated with your AWS account, not a specific instance; you can reassign an Elastic IP address from one instance to another

Useful for maintaining a consistent IP address for external resources to reach your instances.

An Elastic IP address is for use in a specific region only, and cannot be moved to a different region

The default quota of Elastic IPs per region is 5, and it is adjustable

AWS charges $0.005 per hour per Elastic or public IP.

To create this Elastic IP: Allocate Elastic IP address > click Allocate.


NAT Gateway: using a NAT gateway, a private instance is able to connect to the internet.

A NAT gateway is a Network Address Translation (NAT) service.

You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, but external services cannot initiate a connection with those instances


Step5: Create one NAT gateway (it is chargeable): click Allocate Elastic IP, and after it is allocated, create the NAT gateway

Step6: In your private route table, attach the NAT gateway and click Save
Step7: After it is attached, the private instance also gets internet access.




--Thanks 







Tuesday, June 10, 2025

VPC part1


Class 41st AWS VPC June 10th

Virtual Private Cloud (Network protocol)

AWS managed services: (Simple Storage Service S3, DynamoDB, IAM, etc.)

Customer managed services: (EC2, ELB, etc.) (network support is required to connect the user)

What is a VPC?

Amazon Virtual Private Cloud (VPC) allows you to create a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.

For example: the whole house is one network, and its rooms are divided into subnets. If a subnet has public access, the instance is public, else private. The region is the compound wall.

Two different networks combined is what we call peering

Application servers (all in public subnets)

Database servers (all in private subnets)


VPC Components 

CIDR Block (Classless Inter-Domain Routing)

Specifies the IP address range for the VPC (e.g., 10.0.0.0/16)

Subnet 

Definition: A range of IP addresses in your VPC. Subnets allow you to partition the VPC's IP address range into smaller segments

Public subnet: Has a route to the internet via an internet gateway.

Private subnet: No direct route to the internet

Route tables

Definition: Contains a set of rules(routes)that determine where network traffic is directed 

Main route table :Default route table for the VPC 

Custom route table :Additional route tables that can be associated with one or more subnets.

Internet Gateways

Definition: A horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.

Usage: Attach an IGW to your VPC to enable internet access for instances in a public subnet.

NAT Gateway

Definition: A managed network address translation (NAT) service that enables instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating connections with those instances.

Usage: Deploy in a public subnet to provide outbound internet access for instances in private subnets.

VPC Peering

Definition: A networking connection between two VPCs that enables you to route traffic between them privately.

Usage: Can peer VPCs within the same AWS region or across different regions (inter-region VPC peering)

Security Group

Definition: Acts as a stateful firewall at the instance level to control inbound and outbound traffic.

Usage: Stateful; filters traffic based on specified rules.

Network ACLs

Definition: Acts as a stateless firewall at the subnet level to control inbound and outbound traffic.

Usage: Provides an additional layer of allowing or denying specific IP traffic to subnets

Elastic IP address

Definition: A static IPv4 address designed for dynamic cloud computing.

Usage: Can be associated with instances in your VPC to allow incoming internet traffic

Two IP addresses

Public IP address

Private IP address (for internal purposes within the subnet)

CIDR range (Classless Inter-Domain Routing)


10.0.0.0/n, n = netmask, 16 to 32 (32 is the maximum netmask number; subtract the netmask you have provided)

32-30 = 2  ->  2^2 = 4 IPs

32-31 = 1  ->  2^1 = 2 IPs

32-32 = 0  ->  2^0 = 1 IP

32-29 = 3  ->  2^3 = 8 IPs

As seen above, some of the IPs are marked in red and yellow; those IPs are reserved for AWS requirements and are not provided. One subnet has a maximum of 255 only.

Practical 

Step1: Create one VPC, ccitsubnet1vpc


Here 10.0.1.0/25 means 32-25 = 7  ->  2^7 = 128 IPs

Step2: Create subnets for the VPC

We plan to divide 128/2: 64 IPs for subnet 1 and 64 IPs for subnet 2

As you see below, only 59 IPs out of 64 are allotted, because 5 are reserved IPs for internal use

Step3: Create the other subnet2 for the same VPC; see below, same VPC as the first

 subnet1 10.0.1.0/26  = 64 IPs  (10.0.1.0)..(10.0.1.64)

 subnet2 10.0.1.65/26 = 64 IPs  (10.0.1.65)..(10.0.128)
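The subnet arithmetic used in the Task2 table of the part 2 post (512 IPs into 64/64/128/256) and in the 2^(32-n) rule and the 59-of-64 observation above can be checked with Python's ipaddress module; this is an added example, not part of the notes. It carves a VPC CIDR into consecutive subnets, subtracts the 5 addresses AWS reserves in every subnet, and rejects a layout whose sizes are out of order (a /25 cannot start at .64), which is why the table lists 64, 64, 128, 256 in that order.

```python
import ipaddress

AWS_RESERVED = 5   # AWS keeps the first four and the last address of every subnet

def ip_count(prefixlen):
    """The 2^(32-n) rule from the notes: /30 -> 4, /29 -> 8, /25 -> 128."""
    return 2 ** (32 - prefixlen)

def usable_hosts(cidr):
    """What a subnet really offers to instances once the 5 reserved addresses are taken out."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED

def split_vpc(vpc_cidr, sizes):
    """Carve vpc_cidr into consecutive subnets of the given sizes (in IPs, powers of two).
    Returns one (cidr, first_ip, last_ip, usable) tuple per subnet. A layout that does not
    fit, or whose next subnet would start on an unaligned boundary, raises ValueError,
    which is the same reason the console rejects such a subnet CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if sum(sizes) > vpc.num_addresses:
        raise ValueError(f"{sum(sizes)} IPs requested but {vpc_cidr} only has {vpc.num_addresses}")
    out, cursor = [], int(vpc.network_address)
    for size in sizes:
        if size & (size - 1) or size < 16:        # AWS subnets are /28 (16 IPs) at the smallest
            raise ValueError(f"{size} is not a power of two (or smaller than a /28)")
        prefix = 32 - (size.bit_length() - 1)
        if cursor % size:
            raise ValueError(f"a /{prefix} cannot start at {ipaddress.ip_address(cursor)}")
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        out.append((str(net), str(net[0]), str(net[-1]), net.num_addresses - AWS_RESERVED))
        cursor += size
    return out

def check_layout(vpc_cidr, sizes):
    """None when the layout is valid, otherwise the reason it would be rejected."""
    try:
        split_vpc(vpc_cidr, sizes)
        return None
    except ValueError as exc:
        return str(exc)

def demo():
    return {
        "task1": split_vpc("10.0.2.0/23", [128, 128, 128, 128]),        # 512 IPs, four /25
        "task2": split_vpc("10.0.2.0/23", [64, 64, 128, 256]),          # the Task2 table
        "part1": split_vpc("10.0.1.0/25", [64, 64]),                    # 128 IPs split into two /26
        "wrong_order": check_layout("10.0.2.0/23", [64, 128, 64, 256]),  # /25 misaligned at .64
    }
```

Each /26 comes out with 59 usable addresses, matching the console, and the second /26 starts at 10.0.1.64 (its last address is 10.0.1.127), which is the boundary the console computes when you enter the subnet CIDR.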


--Thanks