
<h2>Create Flow logs</h2>
<p>
  Select the VPC to want to use flow logs, click action then click
  <strong>Create flow log</strong>.
</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/xnbezqoi0trexcc1tokk"
  />Setup Destination log group
</p>
<p>
  If you choose to send to CloudWatch logs, you'll have to set up a destination
  log group. Go to CloudWatch and choose
  <strong>Log groups</strong>.
</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/cys5v8t4cknnyzxtoyyx"
  />
</p>
<h3>Set up IAM role for flow logs</h3>
<p>
  Click set up permission on the create VPC flow logs page, this UI will only
  show on old UI, which will create the following policy to enable flow logs to
  read and write to cloud watch.
</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/vqxucobcf6pu3jmnmekx"
  />
</p>
<h3>Policy Document</h3>
<pre><code> 
{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
</code>
</pre>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/bbm4ihsi8xa6ptjawos5"
  />
</p>
<p>&nbsp;</p>
<p>
  After setup flow logs, when you hit the EC2 using the VPC, you should see the
  following logs from log groups.
</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/lcbrau7bqjp002gar9sx"
  />
</p>


This blog shows how to set up VPC flow logs.

Use VPC Flow Logs


<p>
  This blog will show how to create an AWS application load balancer with custom
  VPC's EC2 instances.
</p>
<h2>Setup Custom VPC</h2>
<h3>Create VPC</h3>
<p>Go to VPC and click create VPC, enter the VPC field as below example.</p>
<ul>
  <li>Name tag: enter your VPC name</li>
  <li>IPv4 CIDR block: enter your CIDR block IP range</li>
  <li>IPv6 CIDR block: choose IPv6</li>
  <li>Network Border Group</li>
  <li>
    Tenancy: Default (you can choose if you want to single-tenant, dedicated
    hardware or not)
  </li>
</ul>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/nuz1eaznan55ydjdddu7"
  />
</p>
<h3>Create Subnet</h3>
<p>We'll need 2 subnets to create the Application Load Balancer.</p>
<ul>
  <li>Name tag: enter any name</li>
  <li>VPC: choose the VPC just created</li>
  <li>Availability Zone: choose the availability zone</li>
  <li>IPv4 CIDR block: 172.0.1.0/24</li>
  <li>IPv6 CIDR block: don't assign IPv6 (don't need IPv6 for this blog)</li>
</ul>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80/aggjgcq8l3r1bwcph1tx"
  />
</p>
<p>
  Create the second subnet, for creating Application Load balancer, you'll need
  at least 2 subnets.
</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/ghlpqgdiuqnatp4ny9ay"
  />set auto-assign IP, so EC2 instance will get the public IP address.
</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/xg8k03u4q3dgungcdoxn"
  />
</p>
<h3>Create Internet Gateway</h3>
<p>Create an internet gateway and attach the custom VPC.</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/i6iajudvzm9jz30wo1fk"
  />
</p>
<h3>Setup Route Table</h3>
<p>Create a route table for the subnet</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/dzm3594cl2omwejqms3h"
  />associate subnet to the route table
</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/vgcmhjrsooaksk2t1ln3"
  />set route table to use the internet gateway for internet, enter the routes
  as following
</p>
<p>Destination: 0.0.0.0/0 (for IPv4 Access)</p>
<p>Target: choose the Internet gateway</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/krwph6pibjm8zbxyg6xn"
  />
</p>
<p>
  Now, VPC setup is done, we can use this custom VPC to create your own EC2.
</p>
<h2>Setup EC2</h2>
<p>
  We'll set up EC2 with simple Php code, let's leave everything as a default
  setting and create 2 EC2 Instance.
</p>
<ul>
  <li>Choose AMI (For example, choose Amazon AMI)</li>
  <li>Choose General Purpose: t2.micro</li>
  <li>Configure Instance Details</li>
  <ul>
    <li>Network: choose the VPC just created</li>
    <li>Subnet: choose the subnet just created</li>
    <li>Leave everything as default</li>
    <li>
      Put following to User Data field,&nbsp;this will&nbsp;start PHP simple
      site.
    </li>
    <li>
      <pre><code>#!/bin/bash
yum update -y
yum install httpd -y
chkconfig httpd on
service httpd start
cd /var/www/html
echo "hi, server-01" &gt; index.html
</code></pre>
    </li>
  </ul>
  <li>Configure Security Group</li>
  <ul>
    <li>add port 80 so it will be accessible from the browser.</li>
  </ul>
</ul>
<p>
  Now, let's create another EC2 instance. Setup everything as the first one,
  except the User data, change to server-02 as following
</p>
<pre><code>#!/bin/bash
yum update -y
yum install httpd -y
chkconfig httpd on
service httpd start
cd /var/www/html
echo "hi, server-02" &gt; index.html
</code></pre>
<h2>Create Target Groups</h2>
<p>
  Let's create a target group for Application Load Balancer, this blog only
  trying to set up HTTP only.
</p>
<ul>
  <li>Target type choose Instances</li>
  <li>Enter any name for the target group name</li>
  <li>Protocol - Http - 80</li>
  <li>Choose the VPC</li>
  <li>Health checks</li>
  <ul>
    <li>Enter the path</li>
  </ul>
  <li>Choose available instances</li>
  <li>Click Create Target Group</li>
  <li>Creating a target is done and associated with a list of instances.</li>
</ul>
<h2>Create Registered targets</h2>
<p>
  Click registered targets and add EC2 instance by choose 2 EC2 instance and
  click include as pending&nbsp;
</p>
<p>
  &nbsp;<img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/p18kpugbrz9g2tyeekvt"
  />&nbsp;
</p>
<h2>Create Application Load Balancer</h2>
<p>&nbsp;</p>
<ul>
  <li>Click Create Load Balancer</li>
  <li>Choose Application Load Balancer</li>
  <li>Enter Name</li>
  <li>Use default Http - 80</li>
  <li>Choose VPC</li>
  <li>Choose subnet (here you'll need at least 2 subnet)</li>
  <li>Choose Security Groups</li>
  <li>Configure Routing (here, select the target group created earlier)</li>
  <li>Now, Load Balancer is creating</li>
  <li>Should be able to see application load between 2 instances</li>
</ul>
<p>
  After Application Load Balancer become <strong>active</strong>, copy the dns
  name to the browser you should see the site will change between the two
  server.Now, this is how you can simple provision application load balancer
  with AWS.
</p>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/rja3y1cqjllbypjmetsl"
  />
</p>


This blog will show how to create an AWS application load balancer with custom VPC's EC2 instances.

How to Setup AWS Application Load Balancer


<p>
  This blog shows how to use VPC Endpoint from private EC2 Instance to S3
  without going through the internet, with VPC Endpoint access s3 should be
  within AWS service which will be no charge.
</p>
<h2>Attach IAM role to private EC2 Instance</h2>
<p>
  Since we'll need to access s3 from EC2 private instance, we'll need to set up
  an s3 full access role for EC2 instance.
</p>
<p>&nbsp;</p>
<h3>Create a new role and select the AmazonS3FullAccess.</h3>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/uupxrgghfivz1gfqrk65"
  />
</p>
<h3>enter the name and create the role</h3>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/fseyxhqceun1jnyiklqc"
  />
</p>
<h3>Attach the role to the private EC2 Instance</h3>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/bkpxw5dbuwhs5dx6zqwg"
  />
</p>
<h2>Create VPC EndPoint</h2>
<h3>Endpoints</h3>
<p>
  Go to VPC, click the <strong>Endpoints</strong> from Virtual private cloud. At
  the Create Endpoint page, choose as following.
</p>
<ul>
  <li>Service category: AWS services</li>
  <li>
    Service name: choose s3, since we only want to access for s3 in this blog,
    find the s3 from the list.
  </li>
  <li>VPC: choose the VPC you created earlier.</li>
  <li>
    Configure route tables: choose the private EC2 instance's route table,
    should be the private route table
  </li>
</ul>
<p>
  <img
    src="http://res.cloudinary.com/dmwrakaup/image/upload/c_fit,h_600,q_80,w_900/ongwitu8ubczp6uxxvol"
  />S3 full access role to private EC2
</p>
<p>&nbsp;</p>
<h2>SSH into Private EC2 Instance</h2>
<p>
  Now, your private EC2 instance should be able to access to s3. Let's type ssh
  into ec2 instance and type <strong>aws s3 ls</strong>. This command should
  list of s3 buckets if has any.
</p>


VPC End Point - Use S3 from Private EC2 Instance


<p>This blog shows how to create VPC in scratch</p>
<ol>
  <li>Create VPC</li>
  <li>Create 2 Subnets</li>
  <ul>
    <li>one for public Subnet and another for a private Subnet</li>
  </ul>
  <li>Create Internet Gateway</li>
  <li>Create a Route Table</li>
  <li>Create 2 EC2 Instances</li>
  <ul>
    <li>one public instance and another one is a private instance</li>
  </ul>
  <li>Setup NAT Gateway for private EC2 instance</li>
</ol>
<h2>Create a VPC</h2>
<p>Go to VPC and click create VPC, start to enter information to create VPC.</p>
<ul>
  <li>Enter any name for the name field</li>
  <li>IPv4 CIDR, enter IPv4 range as <code>10.0.0.0/16</code></li>
  <li>Choose <code>Amazon provided IPv6 CIDR block</code></li>
  <li>Tenancy, choose Default if wish to use as Tenancy</li>
</ul>
<p>after creating VPC, AWS will generate following AWS default services.</p>
<ul>
  <li>Default route table</li>
  <li>Network ACL</li>
  <li>Default Security Group</li>
</ul>
<h2>Create 2 Subnets</h2>
<p>Create a public subnet, click the Subnets link, and click Create subnet.</p>
<ul>
  <li>Name, enter any meaningful name.</li>
  <li><strong>VPC</strong>, choose the VPC just created</li>
  <li><strong>Availability Zone</strong>, choose the AZ for this subnet</li>
  <li>
    <strong>IPv4 CIDR block</strong>, enter <strong>10.0.1.0/24</strong> as IPv4
    CIDR block
  </li>
  <li>
    <strong>Modify auto-assign IP settings</strong>, enable auto-assign IP
    address for the public subnet
  </li>
</ul>
<p>
  Create a private subnet, by click the <strong>Create subnet</strong> button.
</p>
<ul>
  <li>Name, enter any meaningful name.</li>
  <li><strong>VPC</strong>, choose the VPC just created</li>
  <li><strong>Availability Zone</strong>, choose the AZ for this subnet</li>
  <li>
    <strong>IPv4 CIDR block</strong>, enter <strong>10.0.2.0/24</strong> as IPv4
    CIDR block
  </li>
  <li>
    <strong>Modify auto-assign IP settings</strong>, private subnet doesn't need
    to enable public IP address
  </li>
</ul>
<h2>Create an Internet gateway</h2>
<p>
  Create Internet gateway so public subnet is able to access to the Internet.
  Click the <strong>Internet Gateways</strong> and click the Create Internet
  gateway button.
</p>
<ul>
  <li>Name, enter any value for this internet gateway.</li>
  <li>Attach this internet gateway to the <strong>VPC</strong> just created</li>
</ul>
<h2>Create NAT Gateway</h2>
<p>
  Create NAT Gateway so private EC2 will be able to connect to the Internet and
  download software if need. Click
  <strong>Create NAT Gateway</strong> button
</p>
<ul>
  <li>Click <strong>Create NAT Gateway</strong> button</li>
  <li><strong>Subnet</strong>, choose the public subnet</li>
  <li>click allocate the IP address</li>
  <li>Click <strong>Edit route table</strong></li>
  <li>Click <strong>Add route</strong></li>
  <li><strong>Destination</strong>, enter <strong>0.0.0.0/0</strong></li>
  <li><strong>Target</strong>, choose NAT Gateway just create</li>
</ul>
<h2>Create and Update Route Tables</h2>
<p>
  Use default route table as default main route table, and associate to the
  private subnet.
</p>
<ul>
  <li>
    Choose the main route table and click the
    <strong>Subnet Associations</strong>
  </li>
  <li>Choose the private subnet</li>
</ul>
<p><strong>Create a route table</strong> to use as a public route.</p>
<ul>
  <li>Name, enter any name for this new route table</li>
  <li>Choose the VPC just created earlier</li>
  <li>Click subnet associations and choose the public subnet</li>
  <li>
    <strong>Click Edit routes</strong> and click <strong>Add route</strong>
  </li>
  <li>Destination, enter <code>0.0.0.0/0</code> for IPv4 address</li>
  <li>Target, choose the <strong>Internet gateway created earlier</strong></li>
</ul>
<p>
  That's all for set up public and a private subnet for VPC, now we'll need to
  create EC2 and attach to use this VPC
</p>
<h2>Create public and private EC2 Instance</h2>
<p>
  Let's create public EC2 instance first, go to EC2, and click instance to
  create a new EC2 instance.
</p>
<ul>
  <li>Enter configure instance details</li>
  <li><strong>Network</strong>, choose the custom VPC just created</li>
  <li><strong>Subnet</strong>, choose the public subnet created earlier</li>
  <li>The rest just using the default settings and create a new instance</li>
</ul>
<p>
  Let's create private EC2 instance, go to EC2, and click instance to create a
  new EC2 instance.
</p>
<ul>
  <li>Enter configure instance details</li>
  <li><strong>Network</strong>, choose the custom VPC just created</li>
  <li><strong>Subnet</strong>, choose the private subnet created earlier</li>
  <li>The rest just using the default settings and create a new instance</li>
</ul>
<h2>SSH to public EC2</h2>
<p>
  Testing the EC2 by SSH into Public EC2 instance and download software from the
  internet. The following are examples of how to SSH into EC2 from Mac OS.
</p>
<ul>
  <li>
    cd to the location has the&nbsp;<strong>private key</strong>, something
    looks like <strong>mykey.pem</strong>.
  </li>
  &lt;
  <li><code>chmod 400 {your_private_key.pem}</code></li>
  <li>
    SSH into EC2 by
    <code>ssh ec2-user@{ec2 public IP address} -i {your_private_key.pem}</code>
  </li>
  <li>run <code>sudo yum update</code> to download software</li>
  <li>
    if able to download the software then this EC2 is able to connect to the
    Internet
  </li>
</ul>
<h2>SSH to private EC2</h2>
<p>
  Testing the EC2 by SSH into private EC2 instance and download software from
  the internet. Following is an example of how to SSH into EC2 from Mac OS.
</p>
<ul>
  <li>ssh into the public EC2 instance</li>
  <li>download the private key</li>
  <li>ssh into the private EC2 by using the private IP</li>
  <li><code>chmod 400 {your_private_key.pem}</code></li>
  <li>
    SSH into EC2 by
    <code>ssh ec2-user@{ec2 private IP address} -i {your_private_key.pem}</code>
  </li>
  <li>run <code>sudo yum update</code> to download software</li>
  <li>
    if able to download the software then this EC2 is able to connect to the
    Internet
  </li>
</ul>


This blog shows how to create AWS VPC from scratch.

Category VPC

Use VPC Flow Logs

How to Setup AWS Application Load Balancer

VPC End Point - Use S3 from Private EC2 Instance

How to Create VPC with Public and Private Subnet