---
tags: comp4635(2025)
---

# COMP 4635 - W3 Lab 2: Configure VPC

## Code of Ethics

:::danger
* The lab exercises for the course should be attempted ONLY INSIDE THE SECLUDED LAB ENVIRONMENT documented or provided. Please note that most of the attacks described in the lab sheet would be ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. The university, course lecturer, lab instructors and teaching assistants assume no responsibility for any actions performed outside the secluded lab.
* The lab network should be regarded as a hostile environment. No sensitive information should be stored on your virtual machine, since someone may be able to gain access to it.
* Do not intentionally disrupt other students who are working in the labs or hack into other students' physical or virtual machines.
:::

## Method of Submission

In the following lab, each checkpoint will require you to submit some files **with designated names**. Put all files into a folder and compress them into a ZIP archive named `w3lab2-<your-id>.zip`, where `<your-id>` should be replaced with your student ID. Submit the ZIP archive [on Canvas](https://canvas.ust.hk/courses/63913/assignments/385093).

There are in total **11** checkpoints. The base mark is **22** points.

## Accessing the AWS Management Console

1. At the top of [the lab's Canvas page](https://awsacademy.instructure.com/courses/124953/modules/items/11835884) (login if necessary), click **Start Lab** to launch your lab.

    A Start Lab panel opens displaying the lab status.

2. Wait until you see the message "**Lab status: ready**", then click the **X** to close the Start Lab panel.

3. At the top of the lab page, click **AWS**. This will open the AWS Management Console in a new browser tab. The system will automatically log you in.

    **Tip**: If a new browser tab does not open, there will typically be a banner or icon at the top of your browser indicating that your browser is preventing the site from opening pop-up windows. Click on the banner or icon and choose "Allow pop-ups."

4. Arrange the AWS Management Console tab so that it displays alongside these instructions. Ideally, you will be able to see both browser tabs at the same time, to make it easier to follow the lab steps.

    ⚠ **Do not change the Region unless instructed to do so**.

5. The README provided in the lab's Canvas page may look similar, but submission details only exist in this one, and there may be changes that could affect your grading. Therefore, please refer to this lab sheet.

6. In the lab environments, access to AWS services and service actions might be restricted to the ones that are needed to complete the lab instructions. You might encounter errors if you attempt to access other services or perform actions beyond the ones that are described in the task.

## Objectives

Traditional networking is hard — it involves equipment, cabling, complex configurations and specialist skills. Fortunately, Amazon VPC hides the complexity while making it easy to deploy secure private networks.

This lab shows you how to build your own Virtual Private Cloud and deploy resources.

After completing this lab, you should be able to do the following:

- **Create** a Virtual Private Cloud (VPC) that contains a private and public subnet, an Internet Gateway (IGW), and a Network Address Translation (NAT) Gateway.
- **Configure** Route Tables associated with a public subnet for internet-bound traffic to be directed to the IGW for direct internet access.
- **Configure** Route Tables associated with a private subnet for isolated resources to securely connect to the internet through a NAT Gateway.
- **Launch** a Bastion Host in a public subnet for resource-based secured access to the private subnet.
- **Evaluate** the operation of the private subnet's ability to communicate with the internet.

The diagram below shows what you will build.

![architecture](https://hackmd.io/_uploads/SJe0XIA7ge.png)

## Task 1: Create a VPC

You will begin by creating a new **Virtual Private Cloud (VPC)**.

A VPC is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. You can launch AWS resources, such as Amazon EC2 instances, into the VPC. You can configure the VPC by modifying its IP address range, creating subnets, and configuring route tables, network gateways, and security settings.

1. In the search box to the right of ᎒᎒᎒ **Services**, search for and choose **VPC** to open the VPC console.

    The VPC console offers a _VPC Wizard_ that can automatically create several VPC architectures. However, in this lab you will be creating the VPC components manually.

2. Observe the default VPC details.

    - In the left navigation pane, choose **Your VPCs**.

    A default VPC is provided so that you can launch resources as soon as you start using AWS. However, you will create your own _Lab VPC_.

3. Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create VPC</span> and configure:

    - **Name tag:** `Lab VPC`
    - **IPv4 CIDR block:** `10.0.0.0/16`

    The VPC will have a CIDR range of **10.0.0.0/16**, which includes all IP addresses that start with **10.0.x.x** — containing over 65,000 addresses. You will later divide the addresses into separate _subnets_. [CIDR Calculators](https://www.subnet-calculator.com/cidr.php) can help determine the correct set of IP addresses.

    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create VPC</span>

4. Choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Actions ⌄</span> and select **Edit VPC settings**.

5. Under **DNS settings**, select ☑ **Enable DNS hostnames**, then choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Save</span>

    This option assigns a friendly DNS name to Amazon EC2 instances in the VPC, such as: _ec2-52-42-133-255.us-west-2.compute.amazonaws.com_

    Any Amazon EC2 instances launched into the VPC will now automatically receive a DNS hostname. In a real-world scenario, you could also later add a more meaningful DNS name (for example, _app.anycompany.com_) by using Amazon Route 53.

:::success
### Checkpoint 1 (2 marks)
Submit a screenshot, named **`cp1.{png/jpg/jpeg}`**, showing the created VPC and its details. You can do so by simply checking the box next to the VPC's name. Make sure the screenshot shows the following:
- The VPC's ID
- The VPC's state (Available)
- The VPC's DNS hostnames setting, showing it is enabled
- The VPC's IPv4 CIDR
:::

## Task 2: Create Subnets

A subnet is a sub-range of IP addresses within the VPC. AWS resources can be launched into a specified subnet. Use a _public subnet_ for resources that must be connected to the internet, and use a _private subnet_ for resources that are to remain isolated from the internet.

In this task, you will create a public subnet and a private subnet:

![subnets](https://hackmd.io/_uploads/S1c07IAQgl.png)

### Create a Public Subnet

The public subnet will be used for internet-facing resources.

6. In the left navigation pane, choose **Subnets**.

7. Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create subnet</span> and configure:

    - **VPC ID:** _Lab VPC_
    - **Subnet name:** `Public Subnet`
    - **Availability Zone:** Select the _first_ AZ in the list
    - **IPv4 subnet CIDR block:** `10.0.0.0/24`
    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create subnet</span>

    🗨 The VPC has a CIDR of **10.0.0.0/16**, which includes all **10.0.x.x** IP addresses. The subnet you just created has a CIDR of **10.0.0.0/24**, which includes all **10.0.0.x** IP addresses. They might look similar, but the subnet is smaller than the VPC due to the _/24_ in the CIDR range.

    You will now configure the Public Subnet to automatically assign a public IP address for all Amazon EC2 instances launched within it.

8. Select ☑ **Public Subnet**.

9. Choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Actions ⌄</span> and select **Edit subnet settings**, then:

    - Select ☑ **Enable auto-assign public IPv4 address**
    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Save</span>

    🗨 Even though this subnet has been named _Public Subnet_, it is not yet public. A public subnet must have an internet gateway, which you will attach in the next task.

### Create a Private Subnet

The private subnet will be used for resources that are to remain isolated from the internet.

10. Use what you have just learned to create another Subnet with:

    - **VPC ID:** _Lab VPC_
    - **Subnet name:** `Private Subnet`
    - **Availability Zone:** Select the _first_ AZ in the list
    - **IPv4 subnet CIDR block:** `10.0.2.0/23`

    The CIDR block of **`10.0.2.0/23`** includes all IP addresses that start with **`10.0.2.x`** and **`10.0.3.x`**. This is twice as large as the public subnet because most resources should be kept in private subnets, unless they specifically need to be accessible from the internet.

    Your VPC now has two subnets. However, the VPC is totally isolated and cannot communicate with resources outside the VPC. You will next configure the Public Subnet to connect to the internet via an Internet Gateway.

:::success
### Checkpoint 2 (2 marks)
Submit a screenshot, named **`cp2.{png/jpg/jpeg}`**, showing the created subnets and their basic information. Make sure the screenshot shows the following:
- The subnets' names
- The subnets' IDs
- The subnets' states (Available)
- The VPC(s) the subnets belong to
- The subnets' IPv4 CIDRs
:::

## Task 3: Create an Internet Gateway

An **internet gateway** is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in a VPC and the internet. It imposes no availability risks or bandwidth constraints on network traffic.

An internet gateway serves two purposes:

- To provide a target for route tables to connect to the internet
- To perform network address translation (NAT) for instances that have been assigned IPv4 Public IP addresses

In this task, you will create an internet gateway so that internet traffic can access the public subnet.

11. In the left navigation pane, choose **Internet gateways**.

12. Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create internet gateway</span> and configure:

    - **Name tag:** `Lab IGW`
    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create Internet gateway</span>

    You can now attach the internet gateway to your _Lab VPC_.

13. Choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Actions ⌄</span> then **Attach to VPC** and configure:

    - Under **Available VPCs** choose **Lab VPC**.
    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Attach Internet gateway</span>

    Your Public Subnet now has a connection to the internet. However, to route traffic to the internet you must also configure the public subnet _route table_ so that it will use the internet gateway.

:::success
### Checkpoint 3 (2 marks)
Submit a screenshot, named **`cp3.{png/jpg/jpeg}`**, showing the created Internet gateway and its details. Make sure the screenshot shows the following:
- The gateway's name
- The gateway's ID
- The gateway's state (Attached)
- The VPC(s) the gateway is attached to
:::

## Task 4: Configure Route Tables

A **route table** contains a set of rules, called ***routes***, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

To use an internet gateway, a subnet's route table must contain a route that directs internet-bound traffic to the internet gateway.
If a subnet is associated with a route table that has a route to an internet gateway, it is known as a _public subnet_.

In this task, you will:

- Create a _public route table_ for internet-bound traffic
- Add a _route_ to the route table to direct internet-bound traffic to the internet gateway
- Associate the public subnet with the new route table

14. In the left navigation pane, choose **Route Tables**.

    Several route tables will be displayed, but there is only one route table associated with *Lab VPC*. This route table routes traffic locally, so it is called a _Private Route Table_.

15. Select ☑ the route table that shows **Lab VPC** in the **VPC** column.

    **Tip**: You may need to scroll right to see this.

16. Choose the **Name** column, enter a name of: `Private Route Table`, then choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Save</span>

17. Choose the **Routes** tab in the lower half of the page.

    There is currently only one route. It shows that all traffic destined for _`10.0.0.0/16`_ (which is the range of the _`Lab VPC`_) will be routed _locally_. This allows all subnets within a VPC to communicate with each other.

    You will now create a new Public Route Table to send public traffic to the internet gateway.

18. Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create route table</span> and configure:

    - **Name tag:** `Public Route Table`
    - **VPC:** _Lab VPC_
    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create route table</span>

19. In the **Routes** tab, choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Edit routes</span>

    You will now add a route to direct internet-bound traffic (_0.0.0.0/0_) to the internet gateway.

20. Choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Add route</span> then configure:

    - **Destination:** `0.0.0.0/0`
    - **Target:** Select _Internet Gateway_ then select _Lab IGW_ from the list
    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Save changes</span>

    The final step is to _associate_ this new Route Table with the Public Subnet.

:::success
### Checkpoint 4 (2 marks)
Submit a screenshot, named **`cp4.{png/jpg/jpeg}`**, showing the created public route table and its routes. You can do so by simply checking the box next to the public route table's name and choosing the **Routes** tab. Make sure the screenshot shows the following:
- The route table's name
- The VPC used for this route table
- The 2 routes of this table
- The Internet gateway targeted for the additional route
:::

21. Choose the **Subnet associations** tab.

22. Choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Edit subnet associations</span>

23. Select ☑ the row with **Public Subnet**.

24. Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Save associations</span>

    The Public Subnet is now _public_ because it has a route table entry that sends traffic to the internet via the internet gateway.
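As an added example that is not part of the lab, the following Python script models the subnets from Task 2 and the two route tables of this lab (the public one you just built, and the private one both before and after the NAT Gateway route you will add in Task 6); it checks that the subnets fit inside the VPC without overlapping and resolves where a packet goes using the same longest-prefix matching a VPC route table applies. The gateway ids `igw-lab` and `nat-lab` are constructed placeholders for the Lab IGW and the NAT Gateway.

```python
"""Model of the Lab VPC's subnets and route tables.

Added example, not part of the AWS Academy lab. The gateway ids "igw-lab"
and "nat-lab" are constructed placeholders for the Lab IGW (Task 3) and
the NAT Gateway (Task 6).
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Subnets exactly as created in Task 2.
SUBNETS = {
    "Public Subnet": ipaddress.ip_network("10.0.0.0/24"),
    "Private Subnet": ipaddress.ip_network("10.0.2.0/23"),
}

# Route tables as (destination CIDR, target) pairs, as the console shows them.
# The private table is in its final state, after the NAT route of Task 6.
ROUTE_TABLES = {
    "Public Route Table": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-lab")],
    "Private Route Table": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-lab")],
}
# The private table as it looks before Task 6: only the local route.
PRIVATE_TABLE_BEFORE_NAT = [("10.0.0.0/16", "local")]

# Subnet associations: explicit for the public subnet (step 23), the
# private subnet keeps the VPC's main table.
ASSOCIATIONS = {
    "Public Subnet": "Public Route Table",
    "Private Subnet": "Private Route Table",
}


def check_subnets(vpc, subnets):
    """Return a list of layout problems: a subnet outside the VPC CIDR, or two
    subnets that overlap. AWS rejects both when the subnet is created."""
    vpc = ipaddress.ip_network(vpc)
    subnets = {name: ipaddress.ip_network(net) for name, net in subnets.items()}
    problems = []
    names = list(subnets)
    for name in names:
        if not subnets[name].subnet_of(vpc):
            problems.append(f"{name} {subnets[name]} is outside {vpc}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} {subnets[a]} overlaps {b} {subnets[b]}")
    return problems


def usable_hosts(subnet):
    """Addresses an instance can actually receive: AWS reserves the first four
    addresses and the last (broadcast) address of every subnet."""
    return ipaddress.ip_network(subnet).num_addresses - 5


def resolve(route_table, dst):
    """Longest-prefix match, as a VPC route table does. Returns the target of
    the most specific matching route, or None when nothing matches (dropped)."""
    dst = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_of_address(addr):
    """Name of the lab subnet containing addr, or None if it is in none."""
    addr = ipaddress.ip_address(addr)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def next_hop(src, dst):
    """Target carrying a packet from the instance at src to dst, using the
    route table associated with the instance's subnet."""
    subnet = subnet_of_address(src)
    if subnet is None:
        raise ValueError(f"{src} is not inside any lab subnet")
    return resolve(ROUTE_TABLES[ASSOCIATIONS[subnet]], dst)


if __name__ == "__main__":
    print("layout problems:", check_subnets(VPC_CIDR, SUBNETS) or "none")
    for name, net in SUBNETS.items():
        print(f"{name}: {net} -> {usable_hosts(net)} usable addresses")
    # The ping of Task 7: a private instance reaching amazon.com (176.32.98.166).
    print("private -> amazon.com:", next_hop("10.0.2.123", "176.32.98.166"))
    print("private -> bastion:   ", next_hop("10.0.2.123", "10.0.0.10"))
    print("bastion -> amazon.com:", next_hop("10.0.0.10", "176.32.98.166"))
    print("private before Task 6:", resolve(PRIVATE_TABLE_BEFORE_NAT, "176.32.98.166"))
```

The last line shows why the Task 7 ping would fail before Task 6: with only the local route, an internet destination matches nothing and is dropped.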
![route-public](https://hackmd.io/_uploads/Sk2JNUA7gx.png)

To summarize, you can create a public subnet as follows:

- Create an _internet gateway_
- Create a _route table_
- Add a _route_ to the route table that directs _0.0.0.0/0_ traffic to the internet gateway
- Associate the route table with a _subnet_, which therefore becomes a _public subnet_

:::success
### Checkpoint 5 (2 marks)
Submit a screenshot, named **`cp5.{png/jpg/jpeg}`**, showing the subnet associations of the public route table. You can do so by simply checking the box next to the public route table's name and choosing the **Subnet associations** tab. Make sure the screenshot shows the following:
- The route table's name
- The VPC used for this route table
- The 2 subnet associations of this table
- The associations' IPv4 CIDR
:::

## Task 5: Launch a Bastion Server in the Public Subnet

A Bastion Server (also known as a _Jump Box_) is an Amazon EC2 instance in a Public Subnet that is securely configured to provide access to resources in a Private Subnet. Systems Operators can connect to the Bastion Server and then _jump into_ resources in the Private Subnet.

![bastion](https://hackmd.io/_uploads/rkUlE8Rmxg.png)

25. In the search box to the right of ᎒᎒᎒ **Services**, search for and choose **EC2** to open the EC2 console.

26. From the <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Launch Instance</span> menu, choose **Launch instance** and configure:

    - Name and tags:
        - **Name:** `Bastion Server`
    - Application and OS Images:
        - **Quick Start**: Amazon Linux
        - **AMI:** Amazon Linux 2023 AMI (HVM)
    - Instance Type:
        - **Instance Type:** t2.micro
    - Key pair (login):
        - **Key pair name**: vockey
    - Network settings:
        - Choose **Edit**
        - **VPC:** Lab VPC
        - **Subnet:** Public Subnet
        - **Auto-assign public IP**: Enable
        - **Security group name**: `BastionSG`
        - **Description**: `BastionSG`
        - **Inbound security group rules**: Keep the default setting, which will provide SSH access.
    - Configure Storage:
        - Use the default settings (no changes)
    - Review the **Summary** displayed on the right of the screen and choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Launch instance</span>
    - On the next page, choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">View all instances</span>

    The Bastion Server will be launched in the Public Subnet. Continue with the next task — there is no need to wait for the instance to be running.

:::success
### Checkpoint 6 (2 marks)
Submit a screenshot, named **`cp6.{png/jpg/jpeg}`**, showing the Bastion server instance and its details. Make sure the screenshot shows the following:
- The instance's name
- The instance's ID
- The instance is in running state
- The instance has passed the status checks
- The instance's public IPv4 address
- The instance's public DNS hostname
- The instance's VPC ID
:::

## Task 6: Create a NAT Gateway

Resources in a _private subnet_ do not have internet connectivity. This is intentional because it protects the resources from being accessed from the internet.

However, sometimes resources in a private subnet need to communicate with the internet to download software updates and access internet services. Thus, you will want to give resources _outbound connectivity_ to the internet while keeping them protected from _inbound_ access. This can be accomplished with a **NAT Gateway** that is launched in the public subnet:

![nat-gateway](https://hackmd.io/_uploads/SJfW4LCQle.png)

In this task, you will launch a NAT Gateway and configure the Private Route Table to send traffic to the NAT Gateway.

27. Use the search box to the right of ᎒᎒᎒ **Services** to search for and open the **VPC** console.

28. In the left navigation pane, choose **NAT gateways**.

29. Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create NAT gateway</span> then configure:

    - **Name**: (leave blank)
    - **Subnet:** choose **Public Subnet**
    - **Connectivity type**: Public
    - Choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Allocate Elastic IP</span>
    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Create NAT gateway</span>

    You will now configure the Private Subnet to send internet-bound traffic to the NAT Gateway. The Route Tables will already be displayed.

:::success
### Checkpoint 7 (2 marks)
Submit a screenshot, named **`cp7.{png/jpg/jpeg}`**, showing the NAT gateway and its details. Make sure the screenshot shows the following:
- The gateway's ID
- The gateway's connectivity type
- The subnet the gateway is in
:::

30. In the left navigation pane, choose **Route tables**.

31. Select ☑ **Private Route Table**.

32. Choose the **Routes** tab in the lower half of the page.
    The route table is currently showing only a single entry, which will route traffic locally within the VPC. You will add an additional route to send internet-bound traffic via the NAT Gateway.

33. Choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Edit routes</span>

34. Choose <span style="background-color:white; font-weight:bold; font-size:90%; color:#545b64; border-color:#545b64; border-radius:2px; border-width:1px; border-style:solid; padding: 3px 10px">Add route</span> then configure:

    - **Destination:** `0.0.0.0/0`
    - **Target:** Select _NAT Gateway_ then select _nat-_ from the list
    - Choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Save changes</span>

    Resources in the Private Subnet that wish to communicate with the internet will now have their network traffic directed to the NAT Gateway, which will forward the request to the internet. Responses will flow through the NAT Gateway back to the Private Subnet.

![route-private](https://hackmd.io/_uploads/S1nWE8A7ee.png)

:::success
### Checkpoint 8 (2 marks)
Submit a screenshot, named **`cp8.{png/jpg/jpeg}`**, showing the private route table and its routes. Make sure the screenshot shows the following:
- The route table's name
- The route table's ID
- The route table's routes
- The target of the table's routes
:::

## Task 7: Test the Private Subnet

In this challenge, you will launch an Amazon EC2 instance in the Private Subnet and confirm that it can communicate with the internet.

![architecture](https://hackmd.io/_uploads/H1KM4UC7gl.png)

### Launch an Instance in the Private Subnet

First, you will launch an Amazon EC2 instance in the Private Subnet.

35. On the ᎒᎒᎒ **Services** menu, choose **EC2**.

36. From the <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Launch Instance</span> menu, choose **Launch instance** and configure:

    - Name and tags:
        - **Name:** `Private Instance`
    - Application and OS Images:
        - **Quick Start**: Amazon Linux
        - **AMI:** Amazon Linux 2023 AMI (HVM)
    - Instance Type:
        - **Instance Type:** t2.micro
    - Key pair (login):
        - **Key pair name**: vockey
    - Network settings:
        - Choose **Edit**
        - **VPC:** Lab VPC
        - **Subnet:** Private Subnet (**Not** the Public Subnet!)
        - **Auto-assign public IP**: Disable
        - **Security group name**: `PrivateSG`
        - **Description**: `PrivateSG`
        - **Inbound security group rules**: Keep the default setting, which will provide SSH access.
    - Configure Storage:
        - Use the default settings (no changes)
    - Expand the **Advanced details** panel.
    - Scroll down to the **User data** area.
    - Paste in this script:

        ```bash
        #!/bin/bash
        # Turn on password authentication for lab challenge
        echo 'lab-password' | passwd ec2-user --stdin
        sed -i 's|[#]*PasswordAuthentication no|PasswordAuthentication yes|g' /etc/ssh/sshd_config
        systemctl restart sshd.service
        ```

    - Review the **Summary** displayed on the right of the screen and choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">Launch instance</span>
    - On the next page, choose <span style="background-color:#ec7211; font-weight:bold; font-size:90%; color:white; padding:3px 10px; white-space: nowrap;">View all instances</span>

:::success
### Checkpoint 9 (2 marks)
Submit a screenshot, named **`cp9.{png/jpg/jpeg}`**, showing the created private instance and its details. You can do so by simply checking the box next to the instance's name. Make sure the screenshot shows the following:
- The instance's name
- The instance is in running state
- The instance's private IPv4 address
- The instance's VPC ID
:::

### Log into the Bastion Server

The instance you just launched is in the Private Subnet, so it is not possible to directly log into the instance. Instead, you will first log into the _Bastion Server_ in the Public Subnet and then log into the _Private Instance_ from the _Bastion Server_.

![architecture](https://hackmd.io/_uploads/BJE74I07le.png)

37. Select ☑ the _Bastion Server_ and copy the address shown under **Public IPv4 address** (shown in the lower half of the page) to your clipboard.

38. In the **AWS Management Console**, on the <span style="background-color:#232f3e; font-weight:bold; font-size:90%; color:white; padding: 3px 10px">Services ⌄</span> or ᎒᎒᎒ menu, choose **Compute**, then **EC2**.

39. In the left navigation pane, choose **Instances**.

40. Select the **Bastion Host**.

41. Copy the address shown under **Public IPv4 address** from the Description in the lower pane.

42. Do the following.

    * Choose the <span style="background-color: #F2F3F4; font-weight: normal; font-size: 90%; color: black; border-radius: 3px; border: 1px solid gray; padding: 5px 6px; white-space: nowrap;">Details</span> drop-down menu near the top of the lab's Canvas page, then choose <span style="background-color: #F2F3F4; font-weight: normal; font-size: 90%; color: black; border-radius: 3px; border: 1px solid gray; padding: 5px 6px; white-space: nowrap;">Show</span>. A Credentials window will open.
    * Choose the **Download PEM** button and save the **labsuser.pem** file.
    * Then exit the Details panel by choosing the **X**.

:::spoiler For Linux / macOS users
43. Open a terminal window, and change directory (`cd`) to the directory where the `labsuser.pem` file was downloaded. For example, run this command if it was saved to your `Downloads` directory:

    ```bash
    cd ~/Downloads
    ```

44. Change the permissions on the key to be read only, by running this command:

    ```bash
    chmod 400 labsuser.pem
    ```

45. Return to the terminal window and run this command (replace **<public-ip\>** with the **Public IPv4** value you copied to your clipboard earlier in the lab):

    ```bash
    ssh -i labsuser.pem ec2-user@<public-ip>
    ```

46. Type `yes` when prompted to allow a first connection to this remote SSH server. Because you are using a key pair for authentication, you will not be prompted for a password.
:::

:::spoiler For Windows users
43. If you are using the latest version of Windows 10 or Windows 11, it should include a built-in SSH server and client that are based on OpenSSH. If SSH is not pre-installed on your Windows machine, visit this link and follow the same process as installing SSH on "Windows Server 2022" on your Windows 10/11 machine: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell&pivots=windows-server-2022

44. Open a PowerShell window, and change directory (`cd`) to the directory where the `labsuser.pem` file was downloaded. For example, run this command if it was saved to your `Downloads` directory:

    ```powershell
    cd .\Downloads
    ```

45. Run this command (replace **<public-ip\>** with the **Public IPv4** value you copied to your clipboard earlier in the lab):

    ```powershell
    ssh -i .\labsuser.pem ec2-user@<public-ip>
    ```

46. Type `yes` when prompted to allow a first connection to this remote SSH server. Because you are using a key pair for authentication, you will not be prompted for a password.
:::

### Log into the Private Instance

You should now be logged into the _Bastion Server_, which is located in the Public Subnet. You will now connect to the _Private Instance_, which is located in the Private Subnet.

47. In the EC2 console, select ☑ **Private Instance** (and deselect any other instances).

48. Copy the address shown under **Private IPv4 addresses** (shown in the lower half of the page) to your clipboard.

    Note that this IP address is a _private IP address_ starting with **10.0.2.x** or **10.0.3.x**. This address is not reachable directly from the internet, which is why you first logged into the _Bastion Server_.

    You will now log into the _Private Instance_.

49. Run this command in the `ssh` session, **replacing _\<private-ip\>_ with the IP address you just copied to your clipboard**:

    ```bash
    ssh <private-ip>
    ```

    The command you run should look similar to: _ssh 10.0.2.123_

50. If you are prompted with _"Are you sure"_, enter: `yes`

51. When prompted for a password, enter: `lab-password`

    You should now be connected to the Private Instance. This was accomplished by first connecting to the Bastion Server (in the Public Subnet), then connecting to the Private Instance (in the Private Subnet).

:::success
### Checkpoint 10 (2 marks)
Submit a screenshot, named **`cp10.{png/jpg/jpeg}`**, showing the output after connecting to the Bastion Server and the private instance. The screenshot should be of a terminal. Make sure the screenshot includes the following:
- **Both** `ssh` commands, including the IPv4 addresses used.
- The outputs after the two `ssh` commands.

Note: If the commands cannot be contained in one screenshot, you are welcome to split this checkpoint into 2 images, **`cp10p1.{png/jpg/jpeg}`** and **`cp10p2.{png/jpg/jpeg}`**.
:::

### Test the NAT Gateway

The final part of this challenge is to confirm that the _Private Instance_ can access the internet. You will do this by running the **ping** command.

52. Paste this command:

    ```bash
    ping -c 3 amazon.com
    ```

    You should see a result similar to:

    ```text
    PING amazon.com (176.32.98.166) 56(84) bytes of data.
    64 bytes from 176.32.98.166 (176.32.98.166): icmp_seq=1 ttl=222 time=79.2 ms
    64 bytes from 176.32.98.166 (176.32.98.166): icmp_seq=2 ttl=222 time=79.2 ms
    64 bytes from 176.32.98.166 (176.32.98.166): icmp_seq=3 ttl=222 time=79.0 ms
    ```

    This indicates that the _Private Instance_ successfully communicated with _amazon.com_ on the internet. The _Private Instance_ is in the Private Subnet, so the only way this was possible was by connecting to it via the NAT Gateway.

    This confirms that your network configuration was successful!

:::success
### Checkpoint 11 (2 marks)
Submit a screenshot, named **`cp11.{png/jpg/jpeg}`**, showing the output after connecting to the Bastion Server and the private instance. The screenshot should be of a terminal. Make sure the screenshot includes the following:
- The `ping` command, including your IP, which should show you're in the private instance (e.g. `[ec2-user@ip-10-0-2-123 ~]$ ping -c 3 amazon.com`).
- The full output of the `ping` command, which should include statistics.
:::

## Lab Complete

Congratulations! You have completed the lab. Remember to submit the necessary files [on Canvas](https://canvas.ust.hk/courses/63913/assignments/385093).

53. Choose <span style="background-color: #F2F3F4; font-weight: normal; font-size: 90%; color: black; border-radius: 3px; border: 1px solid gray; padding: 5px 6px; white-space: nowrap;">End Lab</span> at the top of this page and then choose <span style="background-color: #257ACF; font-weight: bold; font-size: 90%; color: white; border-radius: 5px; padding: 3px 10px; white-space: nowrap;">Yes</span> to confirm that you want to end the lab.

    A panel will appear, indicating that "DELETE has been initiated... You may close this message box now."

54. Choose the **X** in the top right corner to close the panel.