In this demonstration, I provide the steps for deploying a multi-VPC architecture on the Amazon Web Services (AWS) cloud. The architecture consists of the resources illustrated in the topology diagram below:
Table of Contents
- Create three (3) Amazon Virtual Private Clouds (VPCs)
- Create two (2) private subnets within each VPC
- Create three (3) Internet Gateways
- Create three (3) Route Tables to define the routing rules that will determine where network traffic is directed
- Create the IAM role to allow the EC2 Instances to call AWS Services
- Launch three (3) Amazon EC2 instances
- Configure EC2 Network Settings and Security Groups
- Assign the EC2 IAM role to the instance profile
- Test Connectivity Between the VPC Resources
Step 1: Create the VPCs
In Step 1 we create three (3) Amazon Virtual Private Clouds (VPCs) in the East US Region: VPC A (10.0.0.0/16), VPC B (10.1.0.0/16), and VPC C (10.2.0.0/16). A VPC is an isolated private network within the AWS cloud that you create and manage, and into which resources are deployed.
In the top search field, enter VPC, open the VPC dashboard, and click on the “Create VPC” button.
Next, enter the following information into each of the fields for the VPC settings:
- Resources to create: VPC only
- Name tag: VPC A
- IPv4 CIDR block: IPv4 CIDR manual input
- IPv4 CIDR: 10.0.0.0/16
- IPv6 CIDR block: No IPv6 CIDR block
- Tenancy: Default
Finally, click on Create VPC.
Repeat the steps above to create 2 additional VPCs (VPC B and VPC C).
Step 2: Create the Subnets
In Step 2, we create two (2) private subnets within each VPC, each deployed into a different Availability Zone (AZ) so that an application is not taken down by the failure of a single Availability Zone. The address range of each subnet is carved out of the address range of its respective VPC.
The following subnets are created within each respective VPC and AZ:
- VPC A — AZ1 (10.0.0.0/24) and VPC A — AZ2 (10.0.1.0/24)
- VPC B — AZ1 (10.1.0.0/24) and VPC B — AZ2 (10.1.1.0/24)
- VPC C — AZ1 (10.2.0.0/24) and VPC C — AZ2 (10.2.1.0/24)
From the previous screen, click on “Subnets” in the left-hand side menu, then click on “Create subnet”.
Enter the following information to create a subnet on VPC A:
Subnet 1 of 1
- VPC ID: Select VPC A
- Subnet name: VPC A — AZ1
- Availability Zone: Select us-east-1a
- IPv4 CIDR block: 10.0.0.0/24
Click on the “Add new subnet” button.
Subnet 2 of 2
- Subnet name: VPC A — AZ2
- Availability Zone: us-east-1b
- IPv4 CIDR block: 10.0.1.0/24
Click on the “Create subnet” button.
Repeat the steps above to create the corresponding subnets in VPC B and VPC C.
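The console accepts any CIDR that fits inside the VPC, so it is worth checking the addressing plan from Steps 1 and 2 before typing it in: VPC ranges must not overlap each other, each subnet must sit inside its own VPC, subnets in one VPC must not overlap, and the two subnets of a VPC should land in different AZs. The following check is an added example written for this article, not code from the original post; the VPC and subnet tables are constructed from the values given above, and the usable-host count applies the AWS rule that five addresses of every subnet are reserved.

```python
"""Validate the multi-VPC addressing plan from Steps 1 and 2 (added example)."""
import ipaddress
from itertools import combinations

# Constructed from the article: the three VPC CIDRs and the two subnets per VPC.
VPCS = {
    "VPC A": "10.0.0.0/16",
    "VPC B": "10.1.0.0/16",
    "VPC C": "10.2.0.0/16",
}
SUBNETS = {
    # name: (parent VPC, Availability Zone, CIDR)
    "VPC A - AZ1": ("VPC A", "us-east-1a", "10.0.0.0/24"),
    "VPC A - AZ2": ("VPC A", "us-east-1b", "10.0.1.0/24"),
    "VPC B - AZ1": ("VPC B", "us-east-1a", "10.1.0.0/24"),
    "VPC B - AZ2": ("VPC B", "us-east-1b", "10.1.1.0/24"),
    "VPC C - AZ1": ("VPC C", "us-east-1a", "10.2.0.0/24"),
    "VPC C - AZ2": ("VPC C", "us-east-1b", "10.2.1.0/24"),
}


def validate_plan(vpcs, subnets):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    vpc_nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}

    # 1. VPC CIDRs must not overlap one another.
    for (a, na), (b, nb) in combinations(vpc_nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")

    # 2. Every subnet must be carved out of its parent VPC's range.
    sub_nets = {}
    for name, (vpc, az, cidr) in subnets.items():
        net = ipaddress.ip_network(cidr)
        sub_nets[name] = (vpc, az, net)
        if not net.subnet_of(vpc_nets[vpc]):
            problems.append(f"{name} ({net}) is not inside {vpc} ({vpc_nets[vpc]})")

    # 3. Subnets inside the same VPC must not overlap each other.
    for (a, (va, _, na)), (b, (vb, _, nb)) in combinations(sub_nets.items(), 2):
        if va == vb and na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb}) in {va}")

    # 4. Each VPC's subnets should use distinct AZs to survive a single-AZ failure.
    per_vpc_azs = {}
    for vpc, az, _ in sub_nets.values():
        per_vpc_azs.setdefault(vpc, []).append(az)
    for vpc, azs in per_vpc_azs.items():
        if len(set(azs)) < len(azs):
            problems.append(f"{vpc} places more than one subnet in the same AZ: {azs}")
    return problems


def usable_hosts(cidr):
    """AWS reserves the first four addresses and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5


if __name__ == "__main__":
    for problem in validate_plan(VPCS, SUBNETS) or ["plan is consistent"]:
        print(problem)
    for name, (_, _, cidr) in SUBNETS.items():
        print(f"{name}: {usable_hosts(cidr)} usable addresses")
```

Running it against the plan above reports no problems and 251 usable addresses per /24; feeding it a subnet that belongs to a different VPC's range, or two subnets in the same AZ, produces a message naming the offending entry.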
Step 3: Create the Internet Gateways
In Step 3 we create three (3) Internet Gateways (IGWs) to allow communication between instances in the VPCs and the Internet. Each Internet Gateway is attached to one VPC in this demonstration to enable inbound and outbound connectivity between the resources in that VPC and the Internet.
From the previous screen, click on “Internet Gateways” in the left-hand side menu, then click on the “Create internet gateway” button.
Enter the following information into the required fields:
Internet Gateway Settings
- Name tag: VPC A — IGW
Next, click on the “Create internet gateway” button below:
Once the Internet Gateway has been created and you see the green confirmation banner, attach the Internet Gateway to a VPC by either clicking on Actions > Attach to a VPC or you can simply click the button that appears on the green confirmation banner “Attach to a VPC”.
On the next screen, select the applicable VPC that this Internet Gateway needs to attach to, here select VPC A from the drop-down list. Then, click on the “Attach internet gateway” button.
Repeat the steps above to create two additional IGWs and attach each of them to their respective VPCs.
Step 4: Create the Route Tables
In Step 4, we modify the main route tables so that each VPC has a default route (0.0.0.0/0) that directs all Internet-bound traffic to its Internet Gateway. From the previous screen, click on Route tables to reach the route tables menu. Here I have renamed each main route table so that it is labeled according to its VPC association.
Next, add a default route to the Internet within each route table by clicking on the “Routes” tab and then clicking on the “Edit routes” button.
Click on the “Add route” button and enter the following information into the fields:
- Destination: 0.0.0.0/0
- Target: Internet Gateway (select the IGW attached to this VPC)
Next, click on the “Save Changes” button.
Complete the steps above to enter a default route to the Internet into each of the other two route tables. Note that each route table has a pre-existing local route for intra-VPC communication that sends any traffic destined for the VPC's own CIDR (10.0.0.0/16 in the case of VPC A) to the target local. This local route cannot be modified or removed.
Because no subnet-specific route tables were created, each subnet is implicitly associated with its VPC's main route table and uses it for all routing decisions.
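A route table resolves each packet by longest-prefix match: the most specific route whose destination contains the packet's destination address wins. The model below is an added example written for this article, not code from the original post; the three route tables are constructed from Step 4 exactly as configured (the immutable local route plus the 0.0.0.0/0 route to each VPC's IGW), and the IGW names are the ones used for the tags above.

```python
"""Model the longest-prefix route lookup performed by each VPC's main route table (added example)."""
import ipaddress

# Constructed from Step 4: the non-modifiable local route for the VPC's own CIDR
# plus the default route added to the Internet Gateway attached to that VPC.
ROUTE_TABLES = {
    "VPC A": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "VPC A - IGW")],
    "VPC B": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "VPC B - IGW")],
    "VPC C": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "VPC C - IGW")],
}


def lookup(route_table, destination):
    """Return the target of the most specific matching route, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        # Longest-prefix match: a /16 beats a /0 when both contain the address.
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def route_matrix(destinations, route_tables=ROUTE_TABLES):
    """For every VPC, show which target each destination address resolves to."""
    return {
        vpc: {dst: lookup(table, dst) for dst in destinations}
        for vpc, table in route_tables.items()
    }


if __name__ == "__main__":
    # Constructed sample destinations: one private address per VPC plus a public one.
    samples = ["10.0.0.10", "10.1.0.10", "10.2.0.10", "8.8.8.8"]
    for vpc, results in route_matrix(samples).items():
        for dst, target in results.items():
            print(f"{vpc:6} -> {dst:10} via {target}")
```

The matrix makes the routing decision visible for every source VPC and destination pair before any instance is launched; a table with no default route returns None for a public destination, which is the case the console guards against with the "Edit routes" step above.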
Step 5: Create the EC2 IAM role
In Step 5, we create the IAM role needed to allow the EC2 instances to call AWS services. This role will later be assigned as the IAM instance profile of each EC2 instance. The profile grants the instances the permissions they need to register with AWS Systems Manager and be reached through Session Manager. This lets us open the command line of each EC2 instance in a web browser over the public Internet, removing the need to create a key pair for SSH access.
Navigate to “Roles” in the IAM dashboard:
Search for “IAM” in the list of services and select it.
From the IAM dashboard, click on “Roles” under the “Access management” section of the left-side menu. Then, click on the “Create role” button on the right.
Select the following options in this first section:
- Trusted entity type: AWS service
- Use Case: EC2
Then, click on Next.
On the “Permissions policies” section of the next page, search for and select the following policies: AmazonSSMManagedInstanceCore and AmazonS3FullAccess. Then, click on the “Next” button. Note that only AmazonSSMManagedInstanceCore is required for Session Manager access; nothing in this demonstration touches S3, so a least-privilege build would leave AmazonS3FullAccess off the role.
On the Review and Create Page, enter a name for the role and click on the “Create role” button on the bottom right.
Step 6: Launch the EC2 Instances
In Step 6, we launch three (3) Amazon EC2 instances. An EC2 instance is a scalable virtual machine in the AWS cloud that can be used for a wide variety of workloads.
To begin, search for EC2 in the list of services in the top search bar and select EC2.
Enter the following information into the fields on the instance launch page:
- Name: EC2 VPC A — AZ1
- Application and OS Images (Amazon Machine Image): Quick Start > Amazon Linux
- AMI: Amazon Linux 2 AMI SSD Volume Type
- Architecture: 64-bit
- Instance Type: t2.micro
- Key-Pair: Proceed without a key-pair
Step 7: Configure EC2 Network Settings and Security Groups
Scrolling further down on the EC2 creation page, we find the Network settings for the instance. Enter the following information to configure them:
- VPC: Select VPC A (10.0.0.0/16)
- Subnet: VPC A — AZ1
- Auto-assign public IP: Enable
A Security Group works like a stateful firewall attached to the instance: inbound and outbound rules specify the IP address ranges, ports, and protocols that are permitted, and anything not explicitly allowed is dropped. Here, we create a new Security Group named VPC A EC2 Security Group and add an inbound rule with the following information:
- Type: All ICMP — IPv4
- Source type: custom
- Source: 10.0.0.0/8
This rule allows inbound ICMP (including ping echo requests) from any address in the 10.0.0.0/8 range, which covers all three VPC CIDRs used in this demonstration.
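Security Groups contain allow rules only, so the question for any packet is simply whether some rule matches its protocol, destination port and source address. The evaluator below is an added example written for this article, not code from the original post: it models the single inbound rule from Step 7, checks a few constructed packets against it, and also computes the tightest single CIDR that would still cover the three VPCs, which is the kind of least-privilege narrowing a reviewer would look for in place of 10.0.0.0/8. The Rule class and helper names are this example's own.

```python
"""Evaluate inbound Security Group rules against sample traffic (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str                                   # "icmp", "tcp", "udp" or "all"
    source: str                                     # source CIDR the rule accepts
    port_range: Optional[Tuple[int, int]] = None    # TCP/UDP destination ports; None = all


# Constructed from Step 7: "All ICMP - IPv4" from 10.0.0.0/8 is the only inbound rule.
RULES: List[Rule] = [Rule(protocol="icmp", source="10.0.0.0/8")]


def is_allowed(rules, protocol, src_ip, dst_port=None):
    """True if any allow rule matches; Security Groups have no deny rules and
    drop everything unmatched. Replies to allowed traffic are permitted by the
    group's stateful tracking, which this rule-matching model does not cover."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.protocol not in ("all", protocol):
            continue
        if src not in ipaddress.ip_network(rule.source):
            continue
        if protocol in ("tcp", "udp") and rule.port_range is not None:
            low, high = rule.port_range
            if dst_port is None or not low <= dst_port <= high:
                continue
        return True
    return False


def covering_supernet(cidrs):
    """Smallest single CIDR that contains every given network (for tightening a source)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


if __name__ == "__main__":
    # Constructed sample packets: (protocol, source address, destination port).
    samples = [
        ("icmp", "10.1.0.10", None),      # ping from the VPC B instance
        ("icmp", "10.2.1.25", None),      # ping from VPC C - AZ2
        ("icmp", "192.168.1.5", None),    # ping from outside 10.0.0.0/8
        ("tcp", "10.0.0.5", 22),          # SSH from inside VPC A: no rule for it
    ]
    for proto, src, port in samples:
        verdict = "ALLOW" if is_allowed(RULES, proto, src, port) else "DROP"
        print(f"{proto:4} from {src:12} port {port!s:4} -> {verdict}")
    print("tightest source covering all three VPCs:",
          covering_supernet(["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]))
```

The three VPC ranges fit inside 10.0.0.0/14, so the rule could be narrowed from a /8 to a /14 without breaking the ping test in Step 9; adding a second Rule for TCP port 22 from a specific CIDR shows how port ranges are matched for TCP and UDP while being ignored for ICMP.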
Step 8: Assign IAM Instance profile
In Step 8, we scroll further down the EC2 instance creation page to the Advanced details section, where we apply the role created in Step 5 as the IAM instance profile for this EC2 instance. Here I have selected the role that I named Ec2SsmIamRole.
Scrolling further down, select the Launch EC2 Instance button to initiate the deployment of this EC2 instance.
Repeat Steps 6–8 to create an additional EC2 instance in each of VPC B and VPC C.
Step 9: Test Connectivity Between the VPC Resources
In the final step of this demonstration, we use ping to send ICMP echo requests from each EC2 instance to the instances deployed in the other VPCs, to verify network connectivity between them.
We can use Session Manager to connect to each EC2 by selecting the EC2 instance and clicking on the Connect button:
Next, click on the Session Manager tab and click on Connect.
When initiating a ping test from the EC2 instance on VPC A, there were no ping replies received from the instances that reside on VPCs B and C. 100% packet loss!
When initiating a ping test from the EC2 instance on VPC B, there were no ping replies received from the instances that reside on VPCs A and C. 100% packet loss!
When initiating a ping test from the EC2 instance on VPC C, there were no ping replies received from the instances that reside on VPCs A and B. 100% packet loss!
Can you guess why the EC2 instances are unable to successfully complete pings to each other’s internal/private interfaces?
Stay tuned for the next article to find out!
Thank you for reading!
Connect with me on LinkedIn: https://www.linkedin.com/in/nishaprudhomme/