project2's Issues

Private Routing

Launch a NAT Server Instance (We’ll use an instance rather than the NAT Gateway service as the AWS Educate accounts don’t allow for the Gateway service at this point in time). AWS has some prepackaged AMI types with the NAT function preconfigured that you can use for launching the EC2 instance for NAT purposes.

  • Read the NAT instance documentation completely: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
  • Amazon provides pre-packaged, ready-to-go NAT instance AMIs. All have this in their name if you search for them in the AMI list: amzn-ami-vpc-nat
  • In the docs, take note of what an EC2 instance does when launched with a NAT instance AMI!
  • More on the preferred NAT AMI for each region – MAKE SURE to use the suggested AMI for your region (see the table at the bottom of the page): https://aws.amazon.com/amazon-linux-ami/
  • You WILL have to create a NAT security group for use with the NAT instance – that should be created in Template #1.
  • In Template #1 you’ll either need to create a private route table with private routes set up as needed – which would include the default route (0.0.0.0/0) going to the NAT instance – or modify the main route table associated with the VPC to include the NAT instance. These new tables need to be associated with the WEB INSTANCES, as that gives them a route out to the Internet when the communication is initiated from the web instance itself.
  • Normally the web instances down in the private subnets respond back to requests coming from the load balancer in the public subnet – since all are in the SAME VPC, that traffic is allowed. Now, however, we are talking about a request to an outside website coming from the web instance in the private subnet – hence the need for the change to the routing table.
  • The NAT instance itself should be built in Template #1, as we are considering it part of the networking infrastructure.
  • The NAT instance should reside in the first public subnet.
  • You will need to turn off Source/Destination Check in your template (SourceDestCheck will be set to false).
  • Use a T2 Micro instance type.
  • To test the NAT server you will also need to construct the Bastion Host below, so you can log in to it and then SSH on to one of the web servers and see if you can pull updates or simply access the web from one of the web instances.
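The networking pieces the issue asks for, as an added CloudFormation example (this is not the course's Template #1 and not code from the project; all logical resource and parameter names are assumptions, and the VPC and subnet IDs, key pair and NAT AMI are passed in as parameters so the fragment can be merged into an existing template). It shows the three things that most often go wrong: the NAT security group only accepting traffic that originates inside the VPC, SourceDestCheck disabled on the instance, and the private subnets' default route pointing at the instance rather than at an Internet gateway.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the course template): NAT instance in the first public
  subnet, a NAT security group, and a private route table whose default route
  targets the instance. Resource and parameter names are assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16          # assumed VPC range (the bastion issue uses the same one)
  PublicSubnet1Id:
    Type: AWS::EC2::Subnet::Id    # the NAT instance lives in the first public subnet
  PrivateSubnet1Id:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet2Id:
    Type: AWS::EC2::Subnet::Id
  NatAmiId:
    Type: AWS::EC2::Image::Id     # placeholder: the amzn-ami-vpc-nat AMI recommended for your region
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName

Resources:
  NatSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: NAT instance - forwards only traffic that originates inside the VPC
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Source is the VPC range, never 0.0.0.0/0: the NAT must not be reachable from outside.
        - { IpProtocol: tcp,  FromPort: 80,  ToPort: 80,  CidrIp: !Ref VpcCidr }
        - { IpProtocol: tcp,  FromPort: 443, ToPort: 443, CidrIp: !Ref VpcCidr }
        - { IpProtocol: icmp, FromPort: -1,  ToPort: -1,  CidrIp: !Ref VpcCidr }  # lets the ping test work
        - { IpProtocol: tcp,  FromPort: 22,  ToPort: 22,  CidrIp: !Ref VpcCidr }  # SSH from the bastion only
      SecurityGroupEgress:
        # Declaring egress replaces the default allow-all rule with just what yum/ping need.
        - { IpProtocol: tcp,  FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp,  FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
        - { IpProtocol: icmp, FromPort: -1,  ToPort: -1,  CidrIp: 0.0.0.0/0 }

  NatInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref NatAmiId
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      # Required for forwarding: with the check on, EC2 drops packets whose
      # source or destination is not the instance's own address.
      SourceDestCheck: false
      NetworkInterfaces:
        - DeviceIndex: 0
          AssociatePublicIpAddress: true      # the NAT needs a public address to reach the Internet
          SubnetId: !Ref PublicSubnet1Id
          GroupSet: [ !Ref NatSecurityGroup ]
      Tags:
        - { Key: Name, Value: nat-instance }

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId

  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      InstanceId: !Ref NatInstance          # default route for the private subnets goes to the NAT

  # Both private (web) subnets use the new table; the local VPC route is implicit.
  PrivateSubnet1Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1Id
      RouteTableId: !Ref PrivateRouteTable

  PrivateSubnet2Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2Id
      RouteTableId: !Ref PrivateRouteTable
```

Two checks after the stack is up: `aws ec2 describe-instance-attribute --instance-id <nat-id> --attribute sourceDestCheck` should report `false`, and `aws ec2 describe-route-tables --route-table-ids <private-rtb-id>` should show the 0.0.0.0/0 route with the NAT instance as its target. If the web instances still cannot reach the Internet after that, the usual cause is the NAT security group's ingress source not covering the private subnets.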

Testing the Final Configuration

  • You should be able to SSH to the Bastion Host Instance.
  • Then SSH from the Bastion Host Instance to either of the Web Instances.
  • From the Web Instance perform a YUM update or simply ping an address on the Internet.
  • You launch the complete setup of both stacks by executing one template.

Bastion Host Needed

Launch a Linux AMI based Bastion Host in one of the public subnets to allow for communication via SSH from the outside to itself and then to further SSH to the web instances in the private subnet or the NAT instance.

  • Use the Amazon Linux 2 AMI
  • Use a T2 Micro Instance Type
  • Create an appropriate security group for use with the Bastion Host
  • The existing public route table should suffice
  • You will also need to add an ingress rule to the security group associated with your web instances in the private subnets that allows in SSH from 10.0.0.0/16 (or you can reference the bastion host security group as where the traffic originates from, but setting that up in CloudFormation is a little more complicated).
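The bastion host and the SSH ingress rule on the web instances' security group, as an added CloudFormation example (not the course's template or project code; resource and parameter names are assumptions, and the web instances' existing security group is passed in by ID). The Amazon Linux 2 AMI is resolved through the public SSM parameter so the same template works in every region, and the bastion itself only accepts SSH from one admin address rather than from the whole Internet.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the course template): bastion host in a public subnet
  plus the SSH ingress rule the private web instances need. Names are assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnet1Id:
    Type: AWS::EC2::Subnet::Id
  AmazonLinux2AmiId:
    # Resolves the current Amazon Linux 2 AMI for the stack's region at deploy time.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  AdminCidr:
    Type: String
    Description: Your own public address as a /32; the only source allowed to SSH to the bastion
  WebSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id   # the security group already attached to the web instances

Resources:
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion - SSH in from the admin address only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref AdminCidr }

  BastionHost:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmazonLinux2AmiId
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - DeviceIndex: 0
          AssociatePublicIpAddress: true    # reachable from outside via the existing public route table
          SubnetId: !Ref PublicSubnet1Id
          GroupSet: [ !Ref BastionSecurityGroup ]
      Tags:
        - { Key: Name, Value: bastion }

  # The simple form from the issue: allow SSH into the web instances from anywhere in the VPC.
  WebSshFromVpc:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref WebSecurityGroupId
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 10.0.0.0/16

  # The tighter alternative the issue mentions: only the bastion's security group as the
  # source. Use this rule instead of WebSshFromVpc, not in addition to it.
  # WebSshFromBastion:
  #   Type: AWS::EC2::SecurityGroupIngress
  #   Properties:
  #     GroupId: !Ref WebSecurityGroupId
  #     IpProtocol: tcp
  #     FromPort: 22
  #     ToPort: 22
  #     SourceSecurityGroupId: !Ref BastionSecurityGroup

Outputs:
  BastionPublicIp:
    Value: !GetAtt BastionHost.PublicIp
```

For the test steps above, jump through the bastion with `ssh -J ec2-user@<BastionPublicIp> ec2-user@<web-private-ip>` using the same key pair; `-J` (ProxyJump) tunnels the second connection through the first without copying the private key onto the bastion or enabling agent forwarding. Once on the web instance, `sudo yum check-update` or `ping -c 3 8.8.8.8` exercises the NAT path.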
