Amazon AWS SysOps – Networking – VPC part 2
- Subnet Overview and Hands On
So next, here comes the time to add subnets. Subnets are tied to specific Availability Zones. In this diagram I’m just doing one AZ, but in practice we’ll do two AZs to have some kind of high availability. And within each AZ, our goal is to create different subnets: a public subnet and a private subnet. We’ll see how to make one public and one private in a future hands-on. For now, we’ll create two subnets per AZ, which gives us four subnets; some of them will be public and some will be private. Let’s get started. Coming back to the console, we go to Subnets, and that’s where we define subnets.
The trick is that we’re going to define public subnets and private subnets and make them different sizes, because usually a public subnet is much smaller than the private subnets: in the public subnet you would only put your load balancers, whereas in the private subnet you would put all your applications, et cetera. So let’s go ahead and create a first subnet. I’ll call it Public Subnet A because it’s going to be in AZ A. The VPC I’m going to choose is my demo VPC, and it looks like we have this CIDR available for us: 10.0.0.0/16. For the AZ, as a preference, we’ll choose eu-west-1a, and then comes the IPv4 CIDR block.
Well, it’s up to you, but I’ll just choose 10.0.0.0/24, and that will give us 256 IPs. I’ll keep this. And if we check that CIDR block again, we can calculate it and see that it starts at 10.0.0.0 and ends at 10.0.0.255, so 256 IPs. That’s good. So I’ll keep this and click Create. This is our first subnet, which worked. Now I’ll create a second subnet called Public Subnet B. We choose the same VPC, and for the AZ I’ll put it in eu-west-1b. For the IPv4 CIDR block, this time I’m going to increase the third octet to 1, because remember, the last IP we had was 10.0.0.255, so the next block starts at 10.0.1.0.
So I’ll choose 10.0.1.0/24. And this is going to be good: we have a Public Subnet B that looks perfect. The subnet is being created. So here we go, now we have two subnets, and we can filter by VPC here, so we can filter by the demo VPC. Sorry, let me refresh this page to show you. We’re in the Subnets view, and here you can filter by demo VPC and see just the subnets you created. So we’ve created two public subnets, and now I’m going to create a private subnet: Private Subnet A, and this time for the AZ I’m going to choose eu-west-1a. But the CIDR block I’m going to make much bigger: I will choose 10.0.16.0/20.
If you go and type this out, it’s just something I determined ahead of time. If you calculate it, this gives you a first IP of 10.0.16.0 and a last IP of 10.0.31.255, and that’s about 4,000 IPs. So that’s perfect. I’ll create this as my Private Subnet A, and finally I’ll create a last subnet, Private Subnet B, and the AZ is going to be eu-west-1b. For the CIDR block I’m going to increase from 16 to 32, so 10.0.32.0/20, because the last IP I had in the previous block was 10.0.31.255. So that’s perfect. Click on Create and here we go. Now we have created four subnets, and they are different sizes.
My public subnets have way fewer IPs, they’re /24, whereas my private subnets are /20, which is about 4,000 IPs. And I’ve created them in two AZs so that we have some kind of high availability. But so far we have defined nothing that makes one private and one public; we don’t know how this works yet, and we’ll see it very soon. One last thing we notice is that the number of available IPs is not really what we expect. For example, with a /20 we expect 4096 IPs and we get 4091, and with a /24 we expect 256 IPs but we get 251. So this is a bit odd, right? There’s a difference of five between the provisioned IPs and the available IPs.
So why is that? Well, AWS reserves five IP addresses in each subnet: the first four and the last one. That means every time you create a subnet, you lose five IP addresses; these five will not be available and cannot be assigned to an instance. For example, with a CIDR block of 10.0.0.0/24, the reserved IPs are: the first one (10.0.0.0) is the network address; the second one (10.0.0.1) is reserved by AWS for the VPC router; the third one (10.0.0.2) is for mapping to the Amazon-provided DNS; the fourth one (10.0.0.3) is reserved for future use, so it’s not used just yet; and the last one (10.0.0.255) is the network broadcast address. AWS does not support broadcast in a VPC,
but the address is still reserved and you cannot use it anyway. So there is a very common exam question, and here’s an exam tip. It says: we need 29 IP addresses for EC2 instances, what subnet size can you choose? Well, you cannot choose a /27 because that is 32 IPs, and if you do 32 minus 5 you get 27, which is less than the 29 IP addresses required for your EC2 instances. What you need to do is select a subnet size of /26, which will give you 64 IPs. So that is a very, very common exam question, and now you’re ready for it. Hope that’s good, and I will see you in the next lecture.
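The subnet-sizing rules above (five reserved addresses per subnet, the /26 exam question, and the four subnets carved out of 10.0.0.0/16) as an added Python example; this is not the lecture’s own code, and the subnet list is constructed from the values given in the text:

```python
import ipaddress
from typing import Dict, List

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def reserved_addresses(cidr: str) -> Dict[str, str]:
    """Return the five addresses AWS reserves in the given subnet, keyed by role."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return {
        "network address": str(net[0]),
        "VPC router": str(net[1]),
        "Amazon-provided DNS": str(net[2]),
        "future use": str(net[3]),
        "network broadcast (unsupported, still reserved)": str(net[-1]),
    }


def usable_addresses(cidr: str) -> int:
    """Addresses the console shows as 'available' right after the subnet is created."""
    return ipaddress.IPv4Network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_subnet_for(hosts_needed: int) -> int:
    """Largest prefix length (smallest subnet) that leaves at least hosts_needed usable IPs.

    VPC subnets must be between /16 and /28, so only that range is searched.
    """
    for prefix in range(28, 15, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= hosts_needed:
            return prefix
    raise ValueError(f"{hosts_needed} hosts do not fit in a single /16 subnet")


def subnet_plan_is_valid(vpc_cidr: str, subnet_cidrs: List[str]) -> bool:
    """True if every subnet lies inside the VPC CIDR and no two subnets overlap."""
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    nets = [ipaddress.IPv4Network(c, strict=True) for c in subnet_cidrs]
    if not all(n.subnet_of(vpc) for n in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# Constructed inputs: the four subnets created in the lecture inside 10.0.0.0/16.
LECTURE_VPC = "10.0.0.0/16"
LECTURE_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.16.0/20", "10.0.32.0/20"]

if __name__ == "__main__":
    for cidr in LECTURE_SUBNETS:
        print(cidr, "usable:", usable_addresses(cidr))
    print(reserved_addresses("10.0.0.0/24"))
    print("29 instances need a /%d" % smallest_subnet_for(29))
    print("plan valid:", subnet_plan_is_valid(LECTURE_VPC, LECTURE_SUBNETS))
```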
- Internet Gateways & Route Tables
Okay, so our subnets are created. So why don’t we go ahead and try to create an EC2 instance? We go to EC2 and we want to create an EC2 instance, maybe in one of our public subnets, so we’ll create one in Public Subnet A. I go to EC2, Instances, Launch Instance. Here I’m going to choose the Amazon Linux 2 AMI, t2.micro, which is great, and then Instance Details. This is where we’re going to change something. In Network, we’re going to choose our demo VPC, and then for Subnet we get to choose which subnet we want, so we’ll choose Public Subnet A in eu-west-1a. It says there are 251 IP addresses available.
So that’s great. For Auto-assign Public IP, it says "Use subnet setting (Disable)". It turns out that in Subnets you have a setting: you can right-click a subnet and modify the auto-assign IP setting. Because these are public subnets, we want our instances to have a public IP, so I’ll modify this setting and enable Auto-assign public IPv4 address, click on Save, and I’ll do the same for Public Subnet B. This way, when we create an instance, by default it should automatically get a public IPv4 address. Okay, so this is done. Now we go back to our EC2 console, refresh, select our demo VPC, and I’ll select my Public Subnet A. And now you see Auto-assign Public IP is Enable.
Okay, that’s because we changed the subnet setting. Great. So we have this ready; all this is good, nothing else has changed. I’m not going to set any user data for now. I’ll click on Add Storage; Add Storage is fine.
Add Tags. Configure Security Group: we’ll allow port 22 in from anywhere. Review and Launch, Launch, and here we say yes, I do have my key pair, launch my instance. And here we go: my instance is now starting, and as we can see it has a private IP of 10.0.0.108, so it is within the CIDR of our subnet, and it has this public IPv4. Now I’m going to pause until it is started. So my instance has been created, it’s running, it has an IP address. So why don’t I try to SSH into it?
I type my SSH command, press Enter, and nothing happens. This is a timeout. So this is weird, right? A timeout usually means a security group issue, but I’m pretty sure my security group does allow port 22. If you look at the inbound rules, port 22 is open, and the instance has a public IPv4. So what’s happening? Well, what’s happening is that it doesn’t have an Internet connection. So this brings us to the second part of this lecture, where we’re going to set up an Internet gateway. Internet gateways help the instances in our VPC connect with the Internet. They scale horizontally, they are highly available and redundant, and they are created separately from our VPC.
So this is something we have to do in the UI separately. Now, one VPC can only be attached to one Internet gateway, and vice versa. And it turns out the Internet gateway also acts as a NAT device for the instances that have a public IPv4, which is exactly what we need. On their own, though, Internet gateways do not allow Internet access; we’ll also have to edit the route tables. So first let’s take a look at our diagram: we’re going to add an Internet gateway at the very top of our VPC, and this should provide Internet access for our instances. So let’s do this right now. Back in my VPC console, I’m going to go to the left-hand side and click on Internet Gateways.
I’m going to create an Internet gateway. The name tag is going to be demo-igw, for Internet gateway. Click on Create; it has been created. Excellent. I’m just going to remove the filter by VPC so I can see two Internet gateways: one is attached to my default VPC, and the one I’ve just created is currently detached. So for it, I right-click and choose Attach to VPC, and I’ll select this VPC ID. And if you wanted, here is the command line to do it from the CLI. Okay, click on Attach, and now my Internet gateway is attached. VPCs can only have one Internet gateway attached to them, so if you try to create a new Internet gateway and attach it to the VPC, it will just not work.
So one Internet gateway per VPC; that is a common exam question. Okay, we have attached our Internet gateway to our VPC and it looks like it should work now. So let’s go to our SSH, try again, and still nothing happens. So what’s happening? We’ve created an Internet gateway, but we still cannot SSH into our instance. Well, it turns out, if you did follow my slide, I said that we also have to change the route tables. So let’s go ahead and change the route tables. If we take a look at what we have: we have our EC2 instance, it’s public, it has a security group attached to it. But what we have to do is edit the route table for our subnet and make sure that it points to the Internet gateway for a specific IP range.
And then from there our EC2 instance will get routed directly to the Internet gateway, and we’ll be able to access the Internet (www), and hence we’ll be able to SSH into our public EC2 instance. So let’s give this a try. Back in our UI, we go to Route Tables, and we see that if we select our demo VPC, we have one route table, and this is the main route table. Now, I don’t really like using the main table. This is basically the default: any time you create a subnet and you don’t associate it with a route table, it will automatically use the main route table. I don’t like to edit this main route table; I’ll just leave it as is. Instead, I’m going to create two route tables. The first one is going to be the public route table.
So this one is going to be "Public", for my demo VPC, and click on Create. And I’m also going to create a private route table for my private subnets in the same VPC. The reason I’m doing this is that I personally don’t like relying on the main default table, but it’s up to you to keep the main one and not have a private route table. Anyway, for this public route table, we want to associate it with our public subnets. So I edit the subnet associations: this one is my Public A and this one is my Public B. So I’ve associated my public subnets with my public route table. And then for my private route table, I also edit the subnet associations and associate my private subnets, A and B, with my private route table.
Okay, so everything is associated. And now we have to take care of routes. A route table is used to define routing, and in the Routes tab we basically see how things work. It says that any IP with a destination in 10.0.0.0/16, so any time I hit an IP within this CIDR, which is my whole VPC CIDR, the target is going to be local. That means we know all these IPs belong to this network, so this is the local network. For the private route table, this is fine, because we don’t want those subnets to be accessible from the Internet. But for the public route table, we need to add another route. So I click on the public route table, and I click on Edit Routes.
Here I’m going to add a route, and this one is going to be 0.0.0.0/0, which means any IP. So if you talk to any IP, the target is going to be, and here we get a lot of choices, an Internet gateway, and this is the one we’ve created. So we’re saying: any time you hit a private IP in this CIDR, this is the local network, but any time you hit any other IP, definitely talk to the Internet gateway, because it will know what to do for you. So we save the routes. And now we should have given Internet access to our EC2 instance. If we look at it, this public route table is associated with our public subnets, our instance has been launched into our public subnet, and so now it should be accessible from the Internet.
So if we go back to our SSH command and try it, here we go, now it works. I’ve just logged into my EC2 instance, and if I do a sudo yum update, let’s see if it can connect to the Internet. Yes, it’s getting some information, and there is no update available for me. But here we go: we’ve basically given Internet access to our EC2 instances that go into the public subnets. Right now, the private subnet instances will not get any Internet access. So we’ve solved part of the problem; this is great. And I will see you in the next lecture to keep on building our VPC to be really solid.
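The route lookup the lecture walks through (a local route for the VPC CIDR on both tables, a 0.0.0.0/0 route to the Internet gateway on the public table only), as an added Python example that is not part of the lecture; the route tables are constructed from the values above, and the igw-demo target is a placeholder for the real gateway id:

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination CIDR, target). Targets here are constructed labels:
# "local" is what AWS shows for the VPC CIDR, and "igw-demo" is a placeholder
# standing in for the real igw-xxxxxxxx id of the demo-igw gateway.
Route = Tuple[str, str]

PUBLIC_ROUTE_TABLE: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-demo"),
]
PRIVATE_ROUTE_TABLE: List[Route] = [
    ("10.0.0.0/16", "local"),
]


def lookup(route_table: List[Route], destination: str) -> Optional[str]:
    """Pick the target for a destination by longest-prefix match, as a VPC route table does.

    The VPC-wide 10.0.0.0/16 route wins over 0.0.0.0/0 for in-VPC traffic, so
    10.0.0.108 stays local even on the public table. None means no route at all.
    """
    dst = ipaddress.IPv4Address(destination)
    best_target, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.IPv4Network(cidr, strict=True)
        if dst in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def is_public(route_table: List[Route]) -> bool:
    """A subnet is public only if its route table sends the default route to an IGW.

    Auto-assigning a public IPv4 is not enough on its own, as the failed SSH showed.
    """
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)


if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for any Internet host.
    for name, table in (("public", PUBLIC_ROUTE_TABLE), ("private", PRIVATE_ROUTE_TABLE)):
        print(name, "10.0.0.108 ->", lookup(table, "10.0.0.108"))
        print(name, "203.0.113.10 ->", lookup(table, "203.0.113.10"))
        print(name, "is public:", is_public(table))
```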