
#### Table of Contents

1. Create Flow logs
2. Set up IAM role for flow logs
3. Policy Document

## Create Flow logs

Select the VPC to want to use flow logs, click action then click
**Create flow log**.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/xnbezqoi0trexcc1tokk)

Setup Destination log group

If you choose to send to CloudWatch logs, you'll have to set up a destination
log group. Go to CloudWatch and choose
**Log groups**.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/cys5v8t4cknnyzxtoyyx)

### Set up IAM role for flow logs

Click set up permission on the create VPC flow logs page, this UI will only
show on old UI, which will create the following policy to enable flow logs to
read and write to cloud watch.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/vqxucobcf6pu3jmnmekx)

### Policy Document

```
{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/bbm4ihsi8xa6ptjawos5)

After setup flow logs, when you hit the EC2 using the VPC, you should see the
following logs from log groups.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/lcbrau7bqjp002gar9sx)


This blog shows how to set up VPC flow logs.

Use VPC Flow Logs


#### Table of Contents

1. Attach IAM role to private EC2 Instance
2. Create a new role and select the AmazonS3FullAccess.
3. enter the name and create the role
4. Attach the role to the private EC2 Instance
5. Create VPC EndPoint
6. Endpoints
7. SSH into Private EC2 Instance

This blog shows how to use VPC Endpoint from private EC2 Instance to S3
without going through the internet, with VPC Endpoint access s3 should be
within AWS service which will be no charge.

## Attach IAM role to private EC2 Instance

Since we'll need to access s3 from EC2 private instance, we'll need to set up
an s3 full access role for EC2 instance.

### Create a new role and select the AmazonS3FullAccess.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/uupxrgghfivz1gfqrk65)

### enter the name and create the role

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/fseyxhqceun1jnyiklqc)

### Attach the role to the private EC2 Instance

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/bkpxw5dbuwhs5dx6zqwg)

## Create VPC EndPoint

### Endpoints

Go to VPC, click the **Endpoints** from Virtual private cloud. At
the Create Endpoint page, choose as following.

  - Service category: AWS services

  - Service name: choose s3, since we only want to access for s3 in this blog,
find the s3 from the list.

  - VPC: choose the VPC you created earlier.

  - Configure route tables: choose the private EC2 instance's route table,
should be the private route table

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/ongwitu8ubczp6uxxvol)

S3 full access role to private EC2

## SSH into Private EC2 Instance

Now, your private EC2 instance should be able to access to s3. Let's type ssh
into ec2 instance and type **aws s3 ls**. This command should
list of s3 buckets if has any.


VPC End Point - Use S3 from Private EC2 Instance


## Table of Contents

1. [Introduction](#introduction)
2. [Create a VPC](#create-a-vpc)
3. [Create 2 Subnets](#create-2-subnets)
4. [Create an Internet Gateway](#create-an-internet-gateway)
5. [Create NAT Gateway](#create-nat-gateway)
6. [Create and Update Route Tables](#create-and-update-route-tables)
7. [Create Public and Private EC2 Instances](#create-public-and-private-ec2-instances)
8. [SSH to Public EC2](#ssh-to-public-ec2)
9. [SSH to Private EC2](#ssh-to-private-ec2)
10. [Conclusion](#conclusion)

## Introduction

This blog shows how to create a VPC from scratch:

1. Create VPC
2. Create 2 Subnets — one for the public subnet and another for the private subnet
3. Create Internet Gateway
4. Create a Route Table
5. Create 2 EC2 Instances — one public instance and one private instance
6. Set up NAT Gateway for the private EC2 instance

## Create a VPC

Go to VPC and click create VPC, then enter the information to create the VPC.

- Enter any name for the name field

- IPv4 CIDR, enter IPv4 range as `10.0.0.0/16`

- Choose `Amazon provided IPv6 CIDR block`

- Tenancy, choose Default if you wish to use the default tenancy

After creating the VPC, AWS will generate the following default services:

- Default route table

- Network ACL

- Default Security Group

## Create 2 Subnets

Create a public subnet. Click the Subnets link, and click Create subnet.

- Name, enter any meaningful name.

- **VPC**, choose the VPC just created

- **Availability Zone**, choose the AZ for this subnet

- **IPv4 CIDR block**, enter **10.0.1.0/24** as IPv4
  CIDR block

- **Modify auto-assign IP settings**, enable auto-assign IP
  address for the public subnet

Create a private subnet by clicking the **Create subnet** button.

- Name, enter any meaningful name.

- **VPC**, choose the VPC just created

- **Availability Zone**, choose the AZ for this subnet

- **IPv4 CIDR block**, enter **10.0.2.0/24** as IPv4
  CIDR block

- **Modify auto-assign IP settings**, the private subnet doesn't need
  to enable a public IP address

## Create an Internet Gateway

Create an Internet gateway so the public subnet is able to access the Internet.
Click **Internet Gateways** and click the Create Internet
gateway button.

- Name, enter any value for this Internet gateway.

- Attach this Internet gateway to the **VPC** just created

## Create NAT Gateway

Create a NAT Gateway so the private EC2 will be able to connect to the Internet and
download software if needed. Click the
**Create NAT Gateway** button.

- Click **Create NAT Gateway** button

- **Subnet**, choose the public subnet

- Click allocate the IP address

- Click **Edit route table**

- Click **Add route**

- **Destination**, enter **0.0.0.0/0**

- **Target**, choose the NAT Gateway just created

## Create and Update Route Tables

Use the default route table as the main route table, and associate it with the
private subnet.

- Choose the main route table and click
  **Subnet Associations**

- Choose the private subnet

**Create a route table** to use as a public route.

- Name, enter any name for this new route table

- Choose the VPC created earlier

- Click subnet associations and choose the public subnet

- **Click Edit routes** and click **Add route**

- Destination, enter `0.0.0.0/0` for IPv4 address

- Target, choose the **Internet gateway created earlier**

That's all for setting up public and private subnets for the VPC. Now we'll need to
create EC2 instances and attach them to this VPC.

## Create Public and Private EC2 Instances

Let's create the public EC2 instance first. Go to EC2 and click instance to
create a new EC2 instance.

- Enter configure instance details

- **Network**, choose the custom VPC just created

- **Subnet**, choose the public subnet created earlier

- Leave the rest as default settings and create a new instance

Let's create the private EC2 instance. Go to EC2 and click instance to create a
new EC2 instance.

- Enter configure instance details

- **Network**, choose the custom VPC just created

- **Subnet**, choose the private subnet created earlier

- Leave the rest as default settings and create a new instance

## SSH to Public EC2

Test the EC2 by SSHing into the public EC2 instance and downloading software from the
Internet. The following are examples of how to SSH into EC2 from macOS.

- cd to the location that has the **private key**, something
  that looks like **mykey.pem**.

- `chmod 400 {your_private_key.pem}`

- SSH into EC2 by
  `ssh ec2-user@{ec2 public IP address} -i {your_private_key.pem}`

- Run `sudo yum update` to download software

- If you are able to download the software, then this EC2 can connect to the
  Internet

## SSH to Private EC2

Test the EC2 by SSHing into the private EC2 instance and downloading software from
the Internet. The following is an example of how to SSH into EC2 from macOS.

- SSH into the public EC2 instance

- Download the private key

- SSH into the private EC2 by using the private IP

- `chmod 400 {your_private_key.pem}`

## Conclusion

In this blog, we walked through how to create an AWS VPC from scratch with public and private subnets. We set up an Internet gateway for public access, a NAT gateway for private subnet Internet access, configured route tables, and created EC2 instances in both subnets. With this setup, you have a secure network architecture where public-facing resources are in the public subnet and internal resources are isolated in the private subnet.


This blog shows how to create an AWS VPC from scratch with public and private subnets, internet gateway, NAT gateway, and EC2 instances.

How to Create VPC with Public and Private Subnet


## Table of Contents

1. [Introduction](#introduction)
2. [Setup Custom VPC](#setup-custom-vpc)
3. [Setup EC2](#setup-ec2)
4. [Create Target Groups](#create-target-groups)
5. [Create Registered Targets](#create-registered-targets)
6. [Create Application Load Balancer](#create-application-load-balancer)
7. [Conclusion](#conclusion)

## Introduction

This blog will show how to create an AWS Application Load Balancer with custom
VPC's EC2 instances.

## Setup Custom VPC

### Create VPC

Go to VPC and click create VPC. Enter the VPC fields as in the example below.

- Name tag: enter your VPC name

- IPv4 CIDR block: enter your CIDR block IP range

- IPv6 CIDR block: choose IPv6

- Network Border Group

- Tenancy: Default (you can choose if you want single-tenant, dedicated
  hardware or not)

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/nuz1eaznan55ydjdddu7)

### Create Subnet

We'll need 2 subnets to create the Application Load Balancer.

- Name tag: enter any name

- VPC: choose the VPC just created

- Availability Zone: choose the availability zone

- IPv4 CIDR block: 172.0.1.0/24

- IPv6 CIDR block: don't assign IPv6 (not needed for this blog)

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80/aggjgcq8l3r1bwcph1tx)

Create the second subnet. For creating an Application Load Balancer, you'll need
at least 2 subnets.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/ghlpqgdiuqnatp4ny9ay)

Set auto-assign IP so EC2 instances will get a public IP address.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/xg8k03u4q3dgungcdoxn)

### Create Internet Gateway

Create an Internet gateway and attach it to the custom VPC.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/i6iajudvzm9jz30wo1fk)

### Setup Route Table

Create a route table for the subnet.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/dzm3594cl2omwejqms3h)

Associate the subnet to the route table.

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/vgcmhjrsooaksk2t1ln3)

Set the route table to use the Internet gateway for internet access. Enter the routes
as follows:

Destination: 0.0.0.0/0 (for IPv4 access)

Target: choose the Internet gateway

![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/krwph6pibjm8zbxyg6xn)

Now the VPC setup is done. We can use this custom VPC to create our EC2 instances.

## Setup EC2

We'll set up EC2 with simple PHP code. Let's leave everything as default
and create 2 EC2 instances.

- Choose AMI (for example, choose Amazon AMI)

- Choose General Purpose: t2.micro

- Configure Instance Details

      - Network: choose the VPC just created

      - Subnet: choose the subnet just created

      - Leave everything as default

      - Put the following in the User Data field. This will start a simple PHP

  site.

      - ```

  #!/bin/bash
  yum update -y
  yum install httpd -y
  chkconfig httpd on
  service httpd start
  cd /var/www/html
  echo "hi, server-01" > index.html

```



  Configure Security Group

    - Add port 80 so it will be accessible from the browser.




Now, let's create another EC2 instance. Set up everything the same as the first one,
  except the User Data — change it to server-02 as follows:


```

#!/bin/bash
yum update -y
yum install httpd -y
chkconfig httpd on
service httpd start
cd /var/www/html
echo "hi, server-02" > index.html

```


## Create Target Groups


Let's create a target group for the Application Load Balancer. This blog only
  covers setting up HTTP.


  - Target type: choose Instances

  - Enter any name for the target group name

  - Protocol: HTTP - 80

  - Choose the VPC

  - Health checks

    - Enter the path

  - Choose available instances

  - Click Create Target Group

  - Creating a target group is done and associated with a list of instances.

## Create Registered Targets


Click registered targets and add EC2 instances by choosing 2 EC2 instances and
  clicking "Include as pending."


![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/p18kpugbrz9g2tyeekvt)


## Create Application Load Balancer


  - Click Create Load Balancer

  - Choose Application Load Balancer

  - Enter a name

  - Use default HTTP - 80

  - Choose VPC

  - Choose subnets (you'll need at least 2 subnets here)

  - Choose Security Groups

  - Configure Routing (select the target group created earlier)

  - Now the Load Balancer is being created

  - You should be able to see the application load balance between 2 instances


After the Application Load Balancer becomes **active**, copy the DNS
  name to the browser. You should see the site alternate between the two
  servers. This is how you can simply set up an Application Load Balancer
  with AWS.


![](http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/rja3y1cqjllbypjmetsl)

## Conclusion

In this blog, we walked through creating a custom VPC with subnets, Internet gateway, and route tables. We then set up two EC2 instances and configured an Application Load Balancer to distribute traffic between them. This setup provides basic high availability and load distribution for your web application.
```


This blog will show how to create an AWS Application Load Balancer with custom VPC's EC2 instances.

VPC

Use VPC Flow Logs

VPC End Point - Use S3 from Private EC2 Instance

How to Create VPC with Public and Private Subnet

How to Setup AWS Application Load Balancer