
22/7/2021 AWS Labs

Architecting on AWS - Lab 3 - Creating a Virtual Private Cloud
AWS Solutions Architect Labs


LAB OVERVIEW

Connection Details
Region: us-west-2 (Oregon)

Traditional networking is difficult: it involves equipment, cabling, complex configurations, and specialist skills. Fortunately, Amazon Virtual Private Cloud (Amazon VPC) hides the complexity while making it easy to deploy secure private networks.

This lab shows you how to build your own VPC, create subnets, and direct traffic between VPC components. The following image shows the final architecture:

An optional Challenge task is available. In the challenge task you create a VPC peering connection to a shared services VPC. Then, you use an application and database to test connectivity between the VPCs.

https://labs.netec.com/pages/lab3.html

OBJECTIVES
After completing this lab, you will be able to:

Create a VPC
Create public and private subnets
Create an internet gateway
Configure a route table and associate it to a subnet

DURATION

This lab requires approximately 30 minutes to complete.

START LAB
This starts the process of provisioning your lab resources. An
estimated amount of time to provision your labs resources is
displayed. You must wait for your resources to be provisioned
before continuing.

Open the AWS Console with the green button to the left of
this page.

On the login page, enter the user name assigned for the course.

In the Password field, paste the password assigned for the course.

Click "Sign in".


Congratulations you have logged in.


Click on the only account that appears in the user interface.


Select the name of the account and the list of labs will appear.

NOTE: Don’t try to change the password or the user.

NOTE: Do not change the Region unless instructed.

TASK 1: Creating a VPC

In this task, you create a new VPC in the AWS Cloud.

A VPC is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, into the VPC. You can modify the VPC's IP address range; create subnets; and configure route tables, network gateways, and security settings.

1. In the AWS Management Console, on the Services menu, click VPC.

2. If you see New VPC Experience at the top-left of your screen, ensure New VPC Experience is selected. This lab is designed to use the new VPC Console.

The VPC management console offers a VPC Wizard, which can automatically create several VPC architectures. However, in this lab you will create the VPC components manually.

3. In the left navigation pane click Your VPCs.

A list of your VPCs displays. A default VPC is provided so that you can launch resources as soon as you start using AWS. There is also a Shared VPC, which you will use later in the lab. However, you will now create your own VPC.

The VPC will have a CIDR range of 10.0.0.0/16, which includes all IP addresses that start with 10.0.x.x. This range contains over 65,000 addresses. You will later divide the addresses into separate subnets.

4. Click Create VPC and configure:

Name Tag: Lab VPC

IPv4 CIDR block: 10.0.0.0/16

5. Click Create VPC

Note: If these options do not appear, cancel and ensure you clicked Your VPCs in the left navigation pane. Then, click Create VPC again.

6. In the lower half of the page, click the Tags tab.

Tags are useful for identifying resources. For example, a tag can be used to identify dev/test/production environments or cost centers.

7. Above the list of VPCs, click Actions and select Edit DNS
hostnames

This option assigns a friendly DNS name to Amazon EC2 instances in the VPC, such as the following:

ec2-52-42-133-255.us-west-2.compute.amazonaws.com

8. Select Enable

9. Click Save Changes

Any Amazon EC2 instances launched into the VPC will now automatically receive a DNS hostname. You can also add a more meaningful DNS name (for example, app.company.com) later by using Amazon Route 53.

TASK 2: CREATING SUBNETS

A subnet is a sub-range of IP addresses within the VPC. You can launch AWS resources into a specific subnet. Use a public subnet for resources that must be connected to the internet, and use a private subnet for resources that are to remain isolated from the internet.

In this task, you will create a public subnet and a private subnet in the Lab VPC, as shown in the following image:

Create a public subnet

The public subnet will be for internet-facing resources.

10. In the left navigation pane, click Subnets.

11. Click Create subnet and configure:

VPC: Lab VPC

Subnet Name: Public Subnet

Availability Zone: Select the first Availability Zone in the list (Do not choose No Preference.)

IPv4 CIDR block: 10.0.0.0/24

12. Click Create subnet

Note: The VPC has a CIDR range of 10.0.0.0/16, which includes all 10.0.x.x IP addresses. The subnet you just created has a CIDR range of 10.0.0.0/24, which includes all 10.0.0.x IP addresses. These ranges may look similar, but the subnet is smaller than the VPC because of the /24 in the CIDR range.

Now, configure the subnet to automatically assign a public IP address to all instances launched within it.

13. Select Public Subnet


14. Click Actions and select Modify auto-assign IP settings.


15. Select Enable auto-assign public IPv4 address.


16. Click Save

Note: Even though this subnet is named Public Subnet, it is not yet public. A public subnet must have a route to an internet gateway, which you will create and attach later in the lab.

Create a private subnet


17. Use what you have just learned to create another subnet with
the following settings:

VPC: Lab VPC

Name Tag: Private Subnet

Availability Zone: Select the first Availability Zone in the list (Do not choose No Preference.)

IPv4 CIDR block: 10.0.2.0/23

Note: The CIDR block of 10.0.2.0/23 includes all IP addresses that start with 10.0.2.x and 10.0.3.x. This is twice as large as the public subnet because most resources should be kept private, unless they specifically need to be accessible from the internet.

Your VPC now has two subnets. However, it is totally isolated and
cannot communicate with resources outside the VPC. You will next
configure the public subnet to connect to the internet via the
internet gateway.
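The CIDR arithmetic behind Tasks 1 and 2 can be checked in code before anything is created. The following Python script is an added example, not part of the lab or of any AWS tooling: it uses the standard ipaddress module to confirm that both subnets fit inside 10.0.0.0/16 and do not overlap, to count the addresses each contains, to tell which subnet a given address lands in, and to find the next free block for a further subnet. The figure of five reserved addresses per subnet is the AWS rule, not something the lab text states; the helper names and the deliberately bad subnets used for checking are constructed for the example.

```python
import ipaddress

# Address plan from the lab: the VPC from Task 1 and the two subnets from Task 2.
VPC_CIDR = "10.0.0.0/16"
LAB_SUBNETS = {
    "Public Subnet": "10.0.0.0/24",
    "Private Subnet": "10.0.2.0/23",
}

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, future use, broadcast). This is an AWS
# rule, not something the lab text states.
AWS_RESERVED_PER_SUBNET = 5


def validate_plan(vpc_cidr, subnets):
    """Check that every subnet lies inside the VPC and that no two subnets overlap.

    Returns a dict with the VPC size, per-subnet address counts and a list of
    problems found; an empty problem list means the plan is valid.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    sizes = {
        name: {"total": net.num_addresses,
               "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET}
        for name, net in nets.items()
    }
    return {"vpc_total": vpc.num_addresses, "subnets": sizes, "problems": problems}


def subnet_for(ip, subnets):
    """Return the name of the subnet an address belongs to, or None if it is in no subnet."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def next_free_block(vpc_cidr, subnets, prefixlen):
    """Return the first /prefixlen block of the VPC that overlaps no existing subnet, or None."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(cidr) for cidr in subnets.values()]
    for candidate in vpc.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    report = validate_plan(VPC_CIDR, LAB_SUBNETS)
    print(f"VPC {VPC_CIDR}: {report['vpc_total']} addresses")
    for name, size in report["subnets"].items():
        print(f"  {name}: {size['total']} total, {size['usable']} usable")
    print("problems:", report["problems"] or "none")
    print("10.0.3.77 is in:", subnet_for("10.0.3.77", LAB_SUBNETS))
    print("next free /24:", next_free_block(VPC_CIDR, LAB_SUBNETS, 24))
```

Running the script shows why the lab's two ranges "look similar" but differ in size: the VPC holds 65,536 addresses, the /24 holds 256 and the /23 holds 512. The first free /24 after the lab's plan is 10.0.1.0/24, the gap the lab leaves between the public and private subnets.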

TASK 3: CREATING AN INTERNET GATEWAY

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in a VPC and the internet. An internet gateway does not impose availability risks or bandwidth constraints on network traffic.

An internet gateway serves two purposes:

To provide a target in route tables to connect to the internet
To perform network address translation (NAT) for instances that have been assigned public IPv4 addresses

In this task, you will create an internet gateway so that internet traffic can access the public subnet.

18. In the left navigation pane, click Internet Gateways.

19. Click Create internet gateway and configure:

Name Tag: Lab IGW

20. Click Create internet gateway

You can now attach the internet gateway to your Lab VPC.

21. Click Actions and select Attach to VPC


22. For VPC, select Lab VPC


23. Click Attach internet gateway

The internet gateway is now attached to your Lab VPC. Even though you have created an internet gateway and attached it to your VPC, you must also configure the route table of the public subnet to use the internet gateway.

TASK 4: CONFIGURING ROUTE TABLES

A route table contains a set of rules, called routes, which are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

To use an internet gateway, a subnet's route table must contain a route that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it is known as a public subnet.

In this task, you will do the following:

Create a public route table for internet-bound traffic
Add a route to the route table to direct internet-bound traffic to the internet gateway
Associate the public subnet with the new route table

22. In the left navigation pane, click Route Tables.

Several route tables are displayed, but there is only one route table
associated with Lab VPC. This route table routes traffic locally, so it
is called a private route table.

23. Select the route table that shows Lab VPC in the VPC ID
column. (You can expand the column to see the names.)

24. Hover in the Name column and click the pencil icon.

25. Enter a name of Private Route Table and then click the
check mark icon

26. In the lower half of the page, click the Routes tab.

There is only one route. It shows that all traffic destined for
10.0.0.0/16 (which is the range of the Lab VPC) will be routed
locally. This allows all subnets within a VPC to communicate with
each other.

Now, create a new public route table to send public traffic to the
internet gateway.

27. Click Create route table and configure:

Name Tag: Public Route Table

VPC: Lab VPC

28. For Tags, click Add tag

Key: Name

Value: Public Route Table

29. Click Create and then click Close


30. Select Public Route Table, ensuring that it is the only route
table selected.

31. On the Routes tab, click Edit routes

Now, add a route to direct internet-bound traffic (0.0.0.0/0) to the internet gateway.

32. Click Add Route and configure:

Destination: 0.0.0.0/0

Target: Select Internet Gateway Lab IGW

33. Click Save routes and then click Close

The last step is to associate this new route table with the public
subnet.

34. Click the Subnet Associations tab.


35. Click Edit subnet associations


36. Select the row with Public Subnet.


37. Click Save

The Public Subnet is now public because it has a route table entry
that sends traffic to the internet via the internet gateway.

To summarize, you can create a public subnet as follows:

Create an internet gateway
Create a route table
Add a route to the route table that directs 0.0.0.0/0 traffic to the internet gateway
Associate the route table with a subnet, which therefore becomes a public subnet

TASK 5: CREATING A SECURITY GROUP FOR THE APP SERVER

A security group acts as a virtual firewall for instances to control inbound and outbound traffic. Security groups operate at the instance network interface level, not the subnet level. Therefore, each instance can have its own firewall that controls traffic. If you do not specify a particular security group at launch time, the instance is automatically assigned to the default security group for the VPC.

In this task, you will create a security group that allows users to
access the App Server via HTTP.

38. In the left navigation pane, click Security Groups.


39. Click Create security group and configure:

Security Group Name: App-SG

Description: Allow web access

VPC: Lab VPC

40. For Inbound rules, click Add Rule and configure:

Type: HTTP

Source: Anywhere

41. For Tags, click Add new tag

Key: Name

Value: App-SG

42. At the bottom of the page, click Create security group

The inbound rules determine what traffic is permitted to reach the instance. You have configured it to permit HTTP (port 80) traffic coming from anywhere on the internet (0.0.0.0/0).

You will use this application security group in the next task.
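To make the allow-list behaviour of a security group concrete, here is an added Python example (not part of the lab): it evaluates a few inbound connection attempts against the App-SG rule configured above and lists any rule whose source is the whole internet, which is the review check worth running before an instance is launched into a public subnet. The RESTRICTED_SG_INBOUND rule set, the 203.0.113.0/24 source range and the sample client addresses are hypothetical values constructed for the example.

```python
import ipaddress

# Inbound rule set of the lab's App-SG: Type HTTP (TCP port 80), Source Anywhere.
# A security group has no deny rules; anything not matched by an allow rule is dropped.
APP_SG_INBOUND = [
    {"protocol": "tcp", "from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},
]

# Hypothetical tighter variant (not from the lab): port 80 only from one
# constructed client range, e.g. a corporate proxy or a load balancer's subnet.
RESTRICTED_SG_INBOUND = [
    {"protocol": "tcp", "from_port": 80, "to_port": 80, "source": "203.0.113.0/24"},
]


def rule_matches(rule, protocol, port, src):
    """True if one security-group rule permits this (protocol, port, source) triple."""
    if rule["protocol"] != "-1" and rule["protocol"] != protocol:
        return False                      # "-1" is the console's "All traffic"
    if rule["protocol"] != "-1" and not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return src in ipaddress.ip_network(rule["source"])


def inbound_allowed(rules, protocol, port, source_ip):
    """Evaluate a new inbound connection the way a security group does:
    allow if any rule matches, otherwise deny. (Replies to connections the
    instance itself opened are allowed statefully and are not modelled here.)"""
    src = ipaddress.ip_address(source_ip)
    return any(rule_matches(r, protocol, port, src) for r in rules)


def internet_exposed_rules(rules):
    """List the rules whose source is the entire IPv4 internet (0.0.0.0/0).

    Every entry returned is a port reachable by anyone once the instance sits
    in a public subnet with a public IP."""
    return [
        f"{r['protocol']}/{r['from_port']}-{r['to_port']} open to {r['source']}"
        for r in rules
        if ipaddress.ip_network(r["source"]).prefixlen == 0
    ]


if __name__ == "__main__":
    # Constructed sample clients: one arbitrary internet address, one in the restricted range.
    for rules_name, rules in (("App-SG", APP_SG_INBOUND), ("restricted", RESTRICTED_SG_INBOUND)):
        print(rules_name, "HTTP from 198.51.100.7:", inbound_allowed(rules, "tcp", 80, "198.51.100.7"))
        print(rules_name, "HTTP from 203.0.113.9:", inbound_allowed(rules, "tcp", 80, "203.0.113.9"))
        print(rules_name, "SSH  from 198.51.100.7:", inbound_allowed(rules, "tcp", 22, "198.51.100.7"))
        print(rules_name, "exposed:", internet_exposed_rules(rules))
```

With App-SG, HTTP from any address is allowed and everything else (SSH on port 22, UDP, other ports) is dropped because no rule matches. The lab's rule is exactly what the next task needs, since the App Server must be reachable from your browser; the exposure report simply makes that decision visible.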


TASK 6: LAUNCHING AN APP SERVER IN THE PUBLIC SUBNET

To test that your VPC is correctly configured, you will now launch an
Amazon EC2 instance into the public subnet and confirm that the App
Server is accessible from the internet.

43. On the Services menu, click EC2.


44. At the top-left of the screen, ensure that New EC2 Experience
is selected. This lab is designed to work with the New EC2
Console.

45. Scroll down the page, click Launch instance and select Launch
Instance.

46. Configure the following:

STEP 1: CHOOSE AMI

AMI: Amazon Linux 2

STEP 2: CHOOSE INSTANCE TYPE

Instance Type: t3.micro (If you are unable to launch t3.micro, try using t2.micro. Not all instance types are available in all Regions/AZs.)

STEP 3: CONFIGURE INSTANCE

Network: Lab VPC

Subnet: Public Subnet

IAM role: Inventory-App-

47. Scroll down to and expand Advanced Details. Copy and paste the following into User data:

#!/bin/bash
# Install Apache Web Server and PHP
yum install -y httpd mysql
amazon-linux-extras install -y php7.2
# Download Lab files
wget https://us-west-2-tcprod.s3.amazonaws.com/courses/ILT-TF-200-ARCHIT/v6.8.21/lab-2-webapp/scripts/inventory-app.zip
unzip inventory-app.zip -d /var/www/html/
# Download and install the AWS SDK for PHP
wget https://github.com/aws/aws-sdk-php/releases/download/3.62.3/aws.zip
unzip aws -d /var/www/html
# Turn on web server
chkconfig httpd on
service httpd start

STEP 4: ADD STORAGE

48. Use default settings (no changes)

STEP 5: ADD TAGS

49. Click Add Tag

Key: Name

Value: App Server

STEP 6: CONFIGURE SECURITY GROUP

50. Click Select an existing security group


51. Select App-SG


52. Click Review and Launch

You receive a warning that you will not be able to connect to the
instance. This is acceptable because you will not be connecting
to the instance. All configuration is done via the user data script.

53. Click Continue

STEP 7: REVIEW

54. Click Launch


55. Select Proceed without a key pair


56. Select I acknowledge that...


57. Click Launch Instances

A status page notifies you that your instances are launching

58. Click View Instances

Before continuing, wait for the instance state to display Running.

TIP To update the display, click the refresh icon occasionally.

59. Once the instance is running, select App Server


60. In the Details tab, copy the IPv4 Public IP address.


61. Open a new web browser tab, paste the IP address into
the address bar, and press ENTER.

If your VPC was configured correctly, you should see the Inventory application and the message Please configure Settings to connect to database. No database settings have been configured yet, but the appearance of the Inventory application proves that the public subnet has been correctly configured.

Note: If the Inventory application does not appear, wait 60 seconds and refresh the browser tab to try again. It can take a couple of minutes for the EC2 instance to boot and run the script that installs software.

IMPORTANT: If you do not wish to continue with the OPTIONAL CHALLENGE, proceed to the Clean Up Resources task and complete steps 92 to 102 only.

CHALLENGE: CONFIGURING VPC PEERING (OPTIONAL)

Note This challenge task is optional and is provided in case you have
lab time remaining.

Another VPC called Shared VPC has been provided as part of this
lab. Your task is to create a peering connection between your Lab
VPC and the Shared VPC, as shown in the following architecture
diagram:


A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.

A database has already been provisioned in the Shared VPC. Once you have configured VPC peering, you will connect the database to the Inventory application to confirm that the peering has been correctly configured.

CREATE A PEERING CONNECTION

62. In the AWS Management Console, on the Services menu, click VPC.

63. In the left navigation pane, click Peering Connections.

First, create a peering connection, which is the VPC component that links two VPCs together.

64. Click Create Peering Connection and configure:

Peering connection name tag: Lab-Peer

VPC (Requester): Lab VPC

VPC (Accepter): Shared VPC

65. Click Create Peering Connection and then click OK

When a peering connection is created, the target VPC must accept it.
This is because the target VPC might be owned by a different account,
or the user creating the peering connection might not have permission
to accept the connection for the target VPC. However, in this lab, you
will accept the connection yourself.

66. Select Lab-Peer.


67. Click Actions and select Accept Request.


68. Click Yes, Accept and Close

CONFIGURE ROUTE TABLES

Now, update the route tables in both VPCs to send traffic from the Lab
VPC to the peering connection, as shown in the following image:

69. In the left navigation pane, click Route Tables.


70. Select Public Route Table.

You will configure the public route table that is associated with the Lab
VPC to send traffic to the peering connection if the destination IP
address falls within the range of the Shared VPC.

71. On the Routes tab, click Edit routes


72. Click Add route and configure:

Destination: 10.5.0.0/16 (This is the CIDR range of the Shared VPC.)

Target: Select Peering Connection and then Lab-Peer

73. Click Save routes and then click Close

Now, configure the reverse flow for traffic coming from Shared VPC
and going to the Lab VPC.

74. Select Shared-VPC Route Table, ensuring that it is the only route table selected

This is the route table for the Shared VPC. You will configure it to send traffic to the peering connection if the destination IP address falls within the range of the Lab VPC.

75. On the Routes tab, click Edit routes


76. Click Add route and configure:

Destination: 10.0.0.0/16 (This is the CIDR range of the Lab VPC.)

Target: Select Peering Connection and then Lab-Peer

77. Click Save routes and then click Close

The route tables have now been configured to send traffic via the
peering connection when the traffic is destined for the other VPC.
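The route lookups in Task 4 and in this peering challenge follow one rule: the most specific matching route wins, and a packet with no matching route is dropped. The following Python script is an added example, not part of the lab, that models the three route tables as the lab leaves them (Private Route Table with only the local route, Public Route Table with the 0.0.0.0/0 and 10.5.0.0/16 routes added, and Shared-VPC Route Table with its return route), resolves sample destinations against each, and checks that the peering routes exist in both directions. The "igw:" and "pcx:" target labels and the sample addresses are constructed for the example.

```python
import ipaddress

# Route tables as the lab leaves them. Targets use constructed labels:
# "local" (as in the console), "igw:<name>" for an internet gateway and
# "pcx:<name>" for a peering connection.
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
]
PUBLIC_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw:Lab IGW"),       # added in Task 4, step 32
    ("10.5.0.0/16", "pcx:Lab-Peer"),    # added in the challenge, step 72
]
SHARED_VPC_ROUTE_TABLE = [
    ("10.5.0.0/16", "local"),
    ("10.0.0.0/16", "pcx:Lab-Peer"),    # return route, step 76
]


def resolve(route_table, destination_ip):
    """Longest-prefix match: return the target of the most specific route that
    contains destination_ip, or None when no route matches (the packet is dropped)."""
    dest = ipaddress.ip_address(destination_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(route_table):
    """A subnet is public when its route table sends some traffic to an internet gateway."""
    return any(target.startswith("igw:") for _, target in route_table)


def peering_is_symmetric(table_a, cidr_a, table_b, cidr_b):
    """Check both directions of a peering: a host in VPC B must be reached via the
    peering connection from table A, and a host in VPC A via the peering from table B.
    A missing return route is the classic reason a peered database times out."""
    host_a = str(next(ipaddress.ip_network(cidr_a).hosts()))
    host_b = str(next(ipaddress.ip_network(cidr_b).hosts()))
    forward = resolve(table_a, host_b)
    reverse = resolve(table_b, host_a)
    return (forward is not None and forward.startswith("pcx:")
            and reverse is not None and reverse.startswith("pcx:"))


if __name__ == "__main__":
    # Constructed sample destinations: an address in each subnet/VPC and one on the internet.
    for dest in ("10.0.0.10", "10.0.2.10", "10.5.1.20", "198.51.100.7"):
        print(f"{dest:>14}  private={resolve(PRIVATE_ROUTE_TABLE, dest)!s:<13}"
              f" public={resolve(PUBLIC_ROUTE_TABLE, dest)!s:<13}"
              f" shared={resolve(SHARED_VPC_ROUTE_TABLE, dest)}")
    print("Public Subnet is public:", is_public(PUBLIC_ROUTE_TABLE))
    print("Private Subnet is public:", is_public(PRIVATE_ROUTE_TABLE))
    print("Peering routes symmetric:",
          peering_is_symmetric(PUBLIC_ROUTE_TABLE, "10.0.0.0/16",
                               SHARED_VPC_ROUTE_TABLE, "10.5.0.0/16"))
```

Two results are worth noticing. An internet address resolves to None from the Shared-VPC Route Table, which is the reason the lab gives for the test in the next section being conclusive: with no internet gateway, the only path to the database is the peering connection. And because the lab adds the 10.5.0.0/16 route only to the Public Route Table, a Shared VPC address also resolves to None from the Private Route Table, so an instance in the Private Subnet would not reach the database until that table is given a peering route as well.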

TEST PEERING CONNECTION

A database has already been provisioned in the Shared VPC. You will
now test the peering connection by configuring the Inventory
application to access that database across the peering connection.

78. Go to Services, search for RDS, and click it

79. In the left panel, click Databases

80. Click the identifier of the database "inventory-db"

81. Click the Connectivity & security tab.

82. In the Endpoint & port section, copy the Endpoint name. It will look similar to inventory-db.crwxbgqad61a.rds.amazonaws.com (do NOT copy this example value; copy the one shown in your console)

83. Return to the web browser tab with the Inventory application.

84. Click Settings and configure:

Endpoint: Paste the endpoint you copied earlier. (Step 82)

Database: inventory

Username: dbadmin

Password: lab-password

85. Click Save

The application should now show data from the database.

This proves that the peering connection is working, because the Shared VPC does not have an internet gateway. The only way to access the database is via the peering connection.

CLEAN UP RESOURCES

86. Go to Services and click on VPC


87. Click in the left panel on Peering Connections.


88. Select the unique Peering Connection called Lab-Peer.


89. Click on Actions and Delete VPC Peering Connection.


90. Select the Delete Related Route Table entries box.


91. Click Yes, Delete.


92. Go to Services, click EC2, and then click Instances


93. Select the instance named App Server in the box


94. At the top select Instance State and click Terminate Instance

95. Click on Terminate


96. In the left panel, go to Network & Security and click the Security Groups option.

97. Select in the box the name of the security group called App-SG.

98. Click on Actions and click Delete security groups (if it cannot be deleted, wait for the EC2 instance to finish terminating)

99. Click on the left panel on Your VPCs


100. Select in the box the VPC named Lab VPC


101. Click on Actions and Delete VPC (If it still cannot be deleted,
wait for the Peering Connection to be deleted)

102. Type delete in the text box and click Delete

IMPORTANT: Notify your instructor that you have finished cleaning up the resources.

CONCLUSION

Congratulations! You have now successfully:

Created a VPC
Created public and private subnets
Created an internet gateway
Configured a route table and associated it to a subnet

END LAB
