VPC MORE SECURE SETUP


TASK - 4 

Create/launch an application using Terraform.


1.  Write an Infrastructure as Code configuration using Terraform that automatically creates a VPC.

2.  In that VPC, create 2 subnets:

    1.   Public subnet [ Accessible from the public world! ]

    2.   Private subnet [ Restricted from the public world! ]

3.  Create a public-facing internet gateway to connect our VPC/network to the internet, and attach this gateway to our VPC.

4.  Create a routing table for the internet gateway so that instances can connect to the outside world; update it and associate it with the public subnet.

5.  Create a NAT gateway to connect our VPC/network to the internet, and attach this gateway to our VPC in the public subnet.

6.  Update the routing table of the private subnet so that, to access the internet, it uses the NAT gateway created in the public subnet.

7.  Launch an EC2 instance that already has WordPress set up, with a security group allowing port 80 so that our client can connect to our WordPress site. Also attach the key to the instance for later login.

8.  Launch an EC2 instance that already has MySQL set up, with a security group allowing port 3306, in the private subnet so that our WordPress VM can connect to it. Also attach the key to it.


Note: The WordPress instance has to be part of the public subnet so that our client can connect to our site.

The MySQL instance has to be part of the private subnet so that the outside world can't connect to it.

Don't forget to enable the auto-assign public IP and auto-assign DNS hostname options.


ABBREVIATIONS USED —


  1. AWS — Amazon Web Services

  2. EC2 — Elastic Compute Cloud

  3. IaaS — Infrastructure as a service

  4. PaaS — Platform as a service

  5. SaaS — Software as a service

  6. EBS - Elastic Block Storage

  7. VPC - Virtual Private Cloud

  8. AMI - Amazon Machine Image

  9. NAT - Network Address Translation

  10. ACL - Access Control List


NOTE -


Before starting, check that the PATH environment variable includes the install directories of:

  1. OpenSSH

  2. AWS CLI

  3. Terraform




AWS — Amazon Web Services is a public cloud that provides IaaS, PaaS, and SaaS services.


TERRAFORM — Terraform is created by HashiCorp. It is an open-source Infrastructure as Code tool with its own language, HashiCorp Configuration Language (HCL). Terraform is used to build infrastructure that spans multiple clouds (AWS, Azure, OpenStack, etc.) and provides standardisation. Terraform configuration files use the extension ".tf" (for example "file_name.tf").


LOGIN TO AWS IAM ACCOUNT THROUGH CMD -


COMMAND - aws configure --profile iam_user_name

An IAM user profile is used for security: the access key and secret key are stored in the local AWS credentials file under the profile name, so when you share your code with others you never need to give them your access key and secret key.




TERRAFORM CODE -


VARIABLE SYNTAX -

variable "unique_name1" {
  default = "name"
}

OUTPUT SYNTAX -

output "unique_name1" {
  value = resource_type.unique_name.attribute
}



PROFILE - 

This provider block names the profile configured above. When working with a team and the code needs to be shared, you only share this profile name; you never share your access key and secret key.


provider "aws" {
  region  = "ap-south-1"
  profile = "mymanali"
}



KEY - 

AWS key pairs consist of two keys - 

PUBLIC KEY — It can be seen by everyone, just like a lock can be seen by everyone.


PRIVATE KEY — It is like the key that opens the lock, and only the owner has it, so only the owner can open the lock. The private key is used to make the SSH connection to the instance, so that only the owner can access the instance.

I used a pre-created key pair here.



VPC -

When we build our own data center we need a lot of things like land, electricity, security, etc., and this becomes very costly. The solution is AWS VPC, which provides isolation and security on AWS's infrastructure. AWS uses a pay-as-you-go model: you pay only for the services you use.

A VPC is like a piece of land given to you where you do your own setup without interference from others.


resource "aws_vpc" "main" {
  cidr_block           = "192.168.0.0/16"
  instance_tenancy     = "default"
  enable_dns_hostnames = true

  tags = {
    Name = "VPC"
  }
}


 OUTPUT-




SUBNET - 

A subnet is like a lab inside the VPC where you build your products.

A subnet uses a CIDR block taken from the VPC's range and is where instances, servers, etc. are launched.


Here "subnet1" is the public subnet, so its "map_public_ip_on_launch" is set to "true"; "subnet2" is the private subnet, and by default "map_public_ip_on_launch" is "false".


resource "aws_subnet" "subnet1" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.0.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true

  tags = {
    Name = "publicsubnet"
  }
}

resource "aws_subnet" "subnet2" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "ap-south-1b"
  # map_public_ip_on_launch defaults to false: instances here get no public IP.

  tags = {
    Name = "privatesubnet"
  }
}


OUTPUT - 


SECURITY GROUPS -

A security group works as an instance-level firewall that holds ingress (inbound) and egress (outbound) rules.


WORDPRESS - 

It allows HTTP and SSH requests from anywhere.


resource "aws_security_group" "wordpress" {
  name        = "wp"
  description = "Public subnet instance wordpress"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "WORDPRESS"
  }
}

 



MYSQL -

It allows database connections (port 3306) only from the WordPress security group and SSH only from the bastion host security group.

resource "aws_security_group" "mysql" {
  name        = "mysqlsg"
  description = "private subnet instance Mysql"
  vpc_id      = aws_vpc.main.id

  ingress {
    description     = "SQL"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.wordpress.id]
  }

  ingress {
    description     = "SSH"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "MYSQL"
  }
}

 



BASTION HOST -

It allows inbound SSH.

resource "aws_security_group" "bastion" {
  name        = "Bastionsg"
  description = "bastion host do ssh in mysql"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "ssh"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "bastionsg"
  }
}
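The WordPress group above accepts SSH from 0.0.0.0/0 and lets every host send any traffic anywhere. As an added example, not part of the original post, here is a tighter variant of the WordPress group: SSH is accepted only from the bastion group, and egress is limited to HTTP/HTTPS out plus MySQL to the database group. The resource names `aws_security_group.bastion` and `aws_security_group.mysql` are the ones defined above; `wordpress_hardened` and `wp_to_mysql` are new names chosen for this example.

```hcl
# Added example (not from the original post): a tighter WordPress security
# group. SSH is accepted only from the bastion group, and egress is limited to
# what the web host needs instead of "all traffic to 0.0.0.0/0".
resource "aws_security_group" "wordpress_hardened" {
  name        = "wp-hardened"
  description = "WordPress host: HTTP from anywhere, SSH only via bastion"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTP from the public world"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description     = "SSH only from the bastion host security group"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }

  # Declaring any egress block replaces the implicit allow-all egress rule.
  egress {
    description = "HTTP out for package updates and WordPress plugins"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "HTTPS out"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "WORDPRESS-hardened"
  }
}

# The MySQL egress rule lives in a separate rule resource. Inline, it would
# form a dependency cycle, because the MySQL group's ingress already
# references the WordPress group. For an egress rule,
# source_security_group_id is the destination group.
resource "aws_security_group_rule" "wp_to_mysql" {
  type                     = "egress"
  description              = "MySQL to the database security group only"
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  security_group_id        = aws_security_group.wordpress_hardened.id
  source_security_group_id = aws_security_group.mysql.id
}
```

To use it, point the WordPress instance's vpc_security_group_ids at `aws_security_group.wordpress_hardened.id` and add it to the MySQL group's SQL ingress list. The same pattern applies to the bastion group: replace its 0.0.0.0/0 SSH source with the administrator's own address range. DNS to the VPC's own resolver is not filtered by security group rules, so name resolution keeps working with the restricted egress.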

 


OUTPUT - 



EC2 INSTANCES -

An instance is an operating system that can be launched within a short time. EC2 uses an AMI ID to launch the instance from a pre-created image, and we can add features according to our needs.

Here I have created the WordPress and bastion host instances in the public subnet and the MySQL instance in the private subnet.

On the WordPress and bastion hosts a public IP is enabled, but on MySQL no public IP is enabled, as we want nobody from the outside world to access it.


resource "aws_instance" "wp" {
  ami                         = "ami-000cbce3e1b899ebd"
  instance_type               = "t2.micro"
  key_name                    = "mykey12"
  associate_public_ip_address = true
  subnet_id                   = aws_subnet.subnet1.id
  availability_zone           = "ap-south-1a"
  vpc_security_group_ids      = [aws_security_group.wordpress.id]

  tags = {
    Name = "wordpress"
  }
}

resource "aws_instance" "Mysql" {
  ami                         = "ami-0b5bff6d9495eff69"
  instance_type               = "t2.micro"
  key_name                    = "mykey12"
  associate_public_ip_address = false
  subnet_id                   = aws_subnet.subnet2.id
  availability_zone           = "ap-south-1b"
  vpc_security_group_ids      = [aws_security_group.mysql.id]

  tags = {
    Name = "mysql"
  }
}

resource "aws_instance" "Bastion" {
  ami                         = "ami-0ebc1ac48dfd14136"
  instance_type               = "t2.micro"
  key_name                    = "mykey12"
  associate_public_ip_address = true
  subnet_id                   = aws_subnet.subnet1.id
  availability_zone           = "ap-south-1a"
  vpc_security_group_ids      = [aws_security_group.bastion.id]

  tags = {
    Name = "bastion"
  }
}
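The three instances above take every default the AMI offers. As an added example, not part of the original post, this is the WordPress instance with two hardening settings the original resources do not set: IMDSv2 is required for the instance metadata service, and the root EBS volume is encrypted at rest. It reuses the post's AMI, key name, subnet and security group; the resource name `wp_hardened` is new.

```hcl
# Added example (not from the original post): the public WordPress instance
# with IMDSv2 enforced and an encrypted root volume.
resource "aws_instance" "wp_hardened" {
  ami                         = "ami-000cbce3e1b899ebd" # same AMI as the post's WordPress instance
  instance_type               = "t2.micro"
  key_name                    = "mykey12"
  associate_public_ip_address = true
  subnet_id                   = aws_subnet.subnet1.id
  availability_zone           = "ap-south-1a"
  vpc_security_group_ids      = [aws_security_group.wordpress.id]

  # Require IMDSv2 session tokens. A flaw in the web application then cannot
  # read instance credentials from the metadata service with a plain GET;
  # hop limit 1 keeps the metadata reachable only from the instance itself.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # Encrypt the root volume at rest with the account's default EBS KMS key.
  root_block_device {
    volume_type = "gp3"
    volume_size = 8
    encrypted   = true
  }

  tags = {
    Name = "wordpress-hardened"
  }
}
```

The same two blocks can be pasted into the MySQL and bastion resources unchanged; for the database host the encrypted root volume is the setting that matters most, since that is where the data lives.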

 


 OUTPUT - 



VOLUME - 


INTERNET GATEWAY - 

It lets instances be reached from the outside world; it connects nodes that exist in different networks (our VPC and the internet).


resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "VPC_ig"
  }
}

 


OUTPUT - 


ELASTIC IP -

When an instance is launched it has a public IP, but if the instance fails for any reason that IP is lost and a new one is assigned; in other words, the IP is dynamic. To overcome this we need a static IP that stays the same even when the instance fails. Here the Elastic IP is reserved for the NAT gateway.


resource "aws_eip" "elasticip" {
  # "vpc = true" is what the post used; AWS provider v5 and later spell this
  # as  domain = "vpc"  instead.
  vpc = true
}


OUTPUT - 



NAT GATEWAY - 

It lets instances in the private subnet reach the outside world, while nobody from the outside can reach the private subnet instances. It sits in the public subnet and uses the Elastic IP.


resource "aws_nat_gateway" "natgw" {
  allocation_id = aws_eip.elasticip.id
  subnet_id     = aws_subnet.subnet1.id

  # The NAT gateway only works once the VPC has an internet gateway attached;
  # make that ordering explicit so create and destroy happen in the right order.
  depends_on = [aws_internet_gateway.gw]

  tags = {
    Name = "mynatgateway"
  }
}


OUTPUT - 


ROUTE TABLE - 

It contains destination addresses and the target (gateway) for each; traffic is forwarded according to the matching entry.


INTERNET GATEWAY ROUTE TABLE - 


resource "aws_route_table" "igroute" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }

  tags = {
    Name = "routetableforig"
  }
}

resource "aws_route_table_association" "a" {
  subnet_id      = aws_subnet.subnet1.id
  route_table_id = aws_route_table.igroute.id
}



NAT GATEWAY ROUTE TABLE - 


resource "aws_route_table" "ngroute" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    # A NAT gateway is referenced with nat_gateway_id; gateway_id accepts only
    # an internet gateway or a virtual private gateway.
    nat_gateway_id = aws_nat_gateway.natgw.id
  }

  tags = {
    Name = "routetableforng"
  }
}

resource "aws_route_table_association" "a1" {
  subnet_id      = aws_subnet.subnet2.id
  route_table_id = aws_route_table.ngroute.id
}


OUTPUT - 


NETWORK ACL - 

It sets inbound and outbound access rules at the subnet level. Unlike a security group it is stateless, so replies must be allowed explicitly.


NETWORK INTERFACE - 

It is generally known as a NIC, i.e. Network Interface Card; it connects an instance to the public or private subnet.
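The post stops at this one-line description. As an added example, not part of the original post, here is a network ACL for the private subnet that only admits MySQL and SSH from the public subnet and only lets the database host reach HTTP/HTTPS through the NAT gateway. It references the post's `aws_vpc.main`, `aws_subnet.subnet1` and `aws_subnet.subnet2`; the resource name `private` is new. Because NACLs are stateless, the ephemeral-port rules in the opposite direction are what let the replies through.

```hcl
# Added example (not from the original post): a network ACL for the private
# subnet. NACLs are stateless, so return traffic has to be allowed explicitly
# on the ephemeral port range in the opposite direction. Anything not matched
# by a rule hits the implicit deny.
resource "aws_network_acl" "private" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.subnet2.id]

  # MySQL from the public subnet (WordPress host)
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_subnet.subnet1.cidr_block
    from_port  = 3306
    to_port    = 3306
  }

  # SSH from the public subnet (bastion host)
  ingress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_subnet.subnet1.cidr_block
    from_port  = 22
    to_port    = 22
  }

  # Replies to outbound connections made through the NAT gateway. The reply
  # packet carries the remote host's address as its source, hence 0.0.0.0/0.
  ingress {
    rule_no    = 120
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }

  # Outbound HTTP/HTTPS for package updates (leaves via the NAT gateway)
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }

  egress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  # Replies to the WordPress and bastion hosts in the public subnet
  egress {
    rule_no    = 120
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_subnet.subnet1.cidr_block
    from_port  = 1024
    to_port    = 65535
  }

  tags = {
    Name = "private-subnet-nacl"
  }
}
```

This ACL permits only TCP, so the "ping Google" check from the bastion steps would need ICMP rules added in both directions. Traffic to the VPC's own DNS resolver is not filtered by network ACLs, so package managers still resolve names with these rules.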


WINSCP -

It is a tool that transfers files from one operating system to another.

Here I am connecting from Windows to the bastion host instance so that I can transfer my key into the bastion host.







WORDPRESS LINK - 


BASTION HOST SSH - 

  1. Log in to the bastion host by SSH.

  2. Transfer the key with the WinSCP tool.

  3. Access the MySQL instance through the bastion host.

  4. The MySQL instance can ping Google because we have routed its subnet through the NAT gateway.
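The steps above copy the private key onto the bastion host so the second hop can use it. As an added example, not part of the original post, the following variables and outputs (the OUTPUT SYNTAX from earlier, applied to the post's own resources) print the WordPress URL and a ready-made SSH command that reaches the private MySQL host through the bastion with ProxyJump, so the private key never has to leave the workstation. It references the post's `aws_instance.wp`, `aws_instance.Bastion` and `aws_instance.Mysql`; the login user `ec2-user` and the key file name `mykey12.pem` are assumptions.

```hcl
# Added example (not from the original post): variables and outputs that make
# the bastion workflow reproducible without copying the private key anywhere.
variable "ssh_user" {
  description = "Login user of the AMIs (ec2-user assumed; adjust for your AMI)"
  default     = "ec2-user"
}

output "wordpress_url" {
  value = "http://${aws_instance.wp.public_ip}"
}

output "bastion_public_ip" {
  value = aws_instance.Bastion.public_ip
}

output "mysql_private_ip" {
  value = aws_instance.Mysql.private_ip
}

# -J (ProxyJump) tunnels the SSH session to the MySQL host through the bastion.
# The key is read from the local ssh-agent for both hops, so nothing is copied
# to the bastion. The interpolation below fills in the addresses after apply.
output "ssh_to_mysql_via_bastion" {
  value = "ssh -J ${var.ssh_user}@${aws_instance.Bastion.public_ip} ${var.ssh_user}@${aws_instance.Mysql.private_ip}"
}
```

After terraform apply, load the key once with `ssh-add mykey12.pem` (file name assumed) and run the printed command; `terraform output ssh_to_mysql_via_bastion` shows it again later. Options given on the ssh command line apply to the destination host, not the jump host, which is why the agent is used rather than -i.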




MY FILES - 









TERRAFORM COMMANDS -

"terraform init" -> installs the required provider plugins and initialises the working directory.


"terraform validate" -> checks the syntax and internal consistency of the Terraform files.


"terraform plan" -> a very useful command: before launching any services it shows what the code will create, so you can check that your code works.


"terraform apply" -> creates the resources.


"terraform destroy" -> deletes everything that was created.


"terraform apply --auto-approve" -> creates the resources without asking yes/no.


"terraform destroy --auto-approve" -> deletes everything that was created without asking yes/no.


THANK YOU FOR READING.


GITHUB URL - https://github.com/manali1230/BastionHost.git

