Assignment-VPC

Uploaded by shahnawaz akhtar

Problem Statement:

You work for XYZ Corporation and, based on the corporation's expansion requirements, you have been asked to create and set up a distinct Amazon VPC each for the production and the development team. You are expected to perform the following tasks for the respective VPCs.

Production Network:
1. Design and build a 4-tier architecture.
2. Create 5 subnets, of which 4 should be private, named app1, app2, dbcache and db, and one should be public, named web.
3. Launch instances in all subnets and name them after the subnet they are launched in.
4. Allow the dbcache instance and the app1 subnet to send internet requests.
5. Manage security groups and NACLs.

Development Network:
1. Design and build a 2-tier architecture with two subnets named web and db, and launch instances in both subnets, named after the subnets.
2. Make sure only the web subnet can send internet requests.
3. Create a peering connection between the production network and the development network.
4. Set up a connection between the db subnets of the production network and the development network respectively.

Production Network Tasks

1. Design and Build a 4-Tier Architecture
   - Components: Web (public), Application (private), Cache (private), Database (private).
   - AWS services:
     - Amazon VPC
     - Subnets
     - Internet Gateway
     - NAT Gateway (for outbound internet traffic from the private subnets)


2. Create Subnets
   1. Create a VPC:
      - Go to VPC Console → Create VPC.
      - Provide a CIDR block (e.g., 10.0.0.0/16).
   2. Create subnets:
      - Public subnet (Web): CIDR 10.0.1.0/24.
      - Private subnets:
        - App1: CIDR 10.0.2.0/24.
        - App2: CIDR 10.0.3.0/24.
        - DB Cache: CIDR 10.0.4.0/24.
        - DB: CIDR 10.0.5.0/24.

3. Launch Instances
   - Launch an EC2 instance in each subnet and name it after the subnet:
     - Web: web-instance.
     - App1: app1-instance.
     - App2: app2-instance.
     - DB Cache: dbcache-instance.
     - DB: db-instance.

4. Configure Internet Access
   1. Attach an Internet Gateway:
      - Create an Internet Gateway.
      - Attach it to the VPC.
   2. Public subnet (Web):
      - Update the route table for the Web subnet to include a default route to the Internet Gateway.
   3. Private subnets:
      - Create a NAT Gateway in the Web subnet (a NAT Gateway must sit in a public subnet).
      - Update the route tables of the App1 and DB Cache subnets to send outbound internet traffic to the NAT Gateway.

5. Manage Security Groups and NACLs
   1. Security groups:
      - Web instance:
        - Allow inbound HTTP (80), HTTPS (443), and SSH (22) from the internet.
      - App instances:
        - Allow inbound traffic from the Web instance (port 8080 or the application-specific port).
        - Add no other inbound rules; a security group implicitly denies everything that is not explicitly allowed.
      - DB Cache and DB instances:
        - Allow inbound traffic only from the App instances and DB Cache, on the specific ports needed (e.g., 3306 for MySQL).
   2. NACLs:
      - Public subnet: allow inbound/outbound HTTP, HTTPS and SSH traffic.
      - Private subnets: restrict inbound traffic to the App, DB Cache and DB subnets.

Development Network Tasks

1. Design and Build a 2-Tier Architecture
   - Components: Web (public) and Database (private).

2. Create Subnets
   1. Create a VPC:
      - CIDR block: 10.1.0.0/16.
   2. Create subnets:
      - Web subnet: CIDR 10.1.1.0/24 (public).
      - DB subnet: CIDR 10.1.2.0/24 (private).

3. Launch Instances
   - Launch an EC2 instance in each subnet and name it after the subnet:
     - Web: dev-web-instance.
     - DB: dev-db-instance.

4. Configure Internet Access
   1. Web subnet:
      - Attach an Internet Gateway to the Development VPC.
      - Update the Web subnet's route table with a route to the Internet Gateway so the subnet has internet access.
   2. DB subnet:
      - No internet access is configured for this subnet.

Peering Connection Between Networks

1. Create Peering Connection
   1. Go to VPC Console → Peering Connections → Create Peering Connection.
      - VPC1 (requester): Production VPC.
      - VPC2 (accepter): Development VPC.
   2. Accept the peering connection.

2. Update Route Tables
   - In the Production VPC, add a route to the Development VPC CIDR (10.1.0.0/16) via the peering connection.
   - In the Development VPC, add a route to the Production VPC CIDR (10.0.0.0/16) via the peering connection.
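The following is an added example, not part of the assignment text: a small Python model of the route tables described under "Configure Internet Access" for both VPCs and under "Update Route Tables" just above. It checks that each subnet gets exactly the internet path the tasks require (Web public, App1 and DB Cache via NAT, App2 and DB with no way out), that every subnet CIDR lies inside its VPC, that the two VPC CIDRs do not overlap (a precondition for peering), and that the peering route exists on both sides, since replies need a route too. The CIDRs come from the assignment; the route-table layout, the probe address and the gateway and peering names (igw-prod, nat-prod, pcx-prod-dev and so on) are assumptions made for this example.

```python
# Added example (not part of the assignment document): a model of the route
# tables the tasks describe, used to check the intended internet and peering
# paths. CIDRs are from the assignment; table layout and gateway names are assumed.
import ipaddress

PROD_VPC = "10.0.0.0/16"
DEV_VPC = "10.1.0.0/16"

SUBNETS = {
    "prod/web": "10.0.1.0/24", "prod/app1": "10.0.2.0/24", "prod/app2": "10.0.3.0/24",
    "prod/dbcache": "10.0.4.0/24", "prod/db": "10.0.5.0/24",
    "dev/web": "10.1.1.0/24", "dev/db": "10.1.2.0/24",
}

# One route table per subnet: destination CIDR -> target. The "local" route is
# the one AWS adds implicitly to every table; the rest is what the tasks ask for.
ROUTE_TABLES = {
    "prod/web":     {PROD_VPC: "local", "0.0.0.0/0": "igw-prod"},
    "prod/app1":    {PROD_VPC: "local", "0.0.0.0/0": "nat-prod"},
    "prod/app2":    {PROD_VPC: "local"},
    "prod/dbcache": {PROD_VPC: "local", "0.0.0.0/0": "nat-prod"},
    "prod/db":      {PROD_VPC: "local", DEV_VPC: "pcx-prod-dev"},
    "dev/web":      {DEV_VPC: "local", "0.0.0.0/0": "igw-dev"},
    "dev/db":       {DEV_VPC: "local", PROD_VPC: "pcx-prod-dev"},
}

# Where each NAT gateway was created; a NAT gateway only reaches the internet
# if the subnet it sits in has an IGW route itself.
NAT_GATEWAY_SUBNET = {"nat-prod": "prod/web"}

# Constructed public address (documentation range) used to probe default routes.
PROBE_INTERNET_IP = "203.0.113.10"


def lookup(table, dst_ip):
    """Longest-prefix match, which is how a VPC route table picks a route."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def internet_path(subnet):
    """'public' via an IGW, 'nat' via a working NAT gateway, else 'none'."""
    target = lookup(ROUTE_TABLES[subnet], PROBE_INTERNET_IP)
    if target is None:
        return "none"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-") and internet_path(NAT_GATEWAY_SUBNET[target]) == "public":
        return "nat"
    return "none"


def peering_ok(subnet_a, subnet_b):
    """Peered traffic needs non-overlapping CIDRs and a route towards the
    other side in BOTH subnets' tables (the replies need one as well)."""
    net_a = ipaddress.ip_network(SUBNETS[subnet_a])
    net_b = ipaddress.ip_network(SUBNETS[subnet_b])
    if net_a.overlaps(net_b):
        return False
    a_to_b = lookup(ROUTE_TABLES[subnet_a], str(net_b.network_address + 1))
    b_to_a = lookup(ROUTE_TABLES[subnet_b], str(net_a.network_address + 1))
    return (a_to_b or "").startswith("pcx-") and (b_to_a or "").startswith("pcx-")


def check_assignment():
    """Return a list of deviations from the assignment; empty means the
    routing layout satisfies it."""
    expected = {"prod/web": "public", "prod/app1": "nat", "prod/app2": "none",
                "prod/dbcache": "nat", "prod/db": "none",
                "dev/web": "public", "dev/db": "none"}
    problems = [f"{s}: expected {want}, got {internet_path(s)}"
                for s, want in expected.items() if internet_path(s) != want]
    for name, cidr in SUBNETS.items():
        vpc = PROD_VPC if name.startswith("prod/") else DEV_VPC
        if not ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(vpc)):
            problems.append(f"{name}: {cidr} is outside its VPC {vpc}")
    if ipaddress.ip_network(PROD_VPC).overlaps(ipaddress.ip_network(DEV_VPC)):
        problems.append("VPC CIDRs overlap; peering cannot be established")
    if not peering_ok("prod/db", "dev/db"):
        problems.append("db subnets cannot talk over the peering connection")
    return problems


if __name__ == "__main__":
    for name in SUBNETS:
        print(f"{name:13s} internet: {internet_path(name)}")
    print("problems:", check_assignment() or "none")
```

Note that `peering_ok("prod/app1", "dev/db")` is false even though App1 has a default route: that route points at the NAT gateway, and NAT gateways do not carry peering traffic, so only the subnets whose tables contain the pcx route can talk across the peering connection.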

Connection Between DB Subnets

1. Security Group Rules
   1. In the DB security group of each VPC:
      - Allow inbound traffic from the DB subnet of the other VPC.
      - Specify the port numbers used for database communication (e.g., 3306 for MySQL).
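The following is an added example, not part of the assignment text, covering both the "Manage Security Groups and NACLs" task and the DB-subnet security group rule just above. It evaluates sample connections against the rules the assignment describes and shows the difference a practitioner has to keep in mind: security groups are stateful and allow-only (only the first packet of a connection is checked and the reply is implied), whereas NACLs are stateless and ordered (every packet is matched against the rules in number order, the first match decides, and reply traffic has to be allowed explicitly on the client's ephemeral port). The subnet CIDRs and the MySQL port come from the assignment; the NACL rule numbers, the cache port (6379) and the use of subnet CIDRs as rule sources are assumptions. In AWS the app and db rules could name a security-group ID as the source instead of a CIDR, which is tighter than a whole subnet.

```python
# Added example (not part of the assignment document): evaluates the security
# group and NACL rules of the production db tier against sample connections.
# CIDRs and port 3306 are from the assignment; rule numbers and port 6379 are assumed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    port_from: int
    port_to: int
    cidr: str           # remote CIDR: source for inbound rules, destination for outbound
    allow: bool = True  # NACLs may deny; security groups only allow
    number: int = 0     # NACL rule number (evaluation order); unused for security groups

    def matches(self, remote_ip, port):
        return (self.port_from <= port <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


# Subnet CIDRs from the assignment
WEB, APP1, APP2 = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
DBCACHE, DB, DEV_DB = "10.0.4.0/24", "10.0.5.0/24", "10.1.2.0/24"
ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)   # client-side port range AWS recommends allowing for replies

# Inbound security-group rules (outbound left at the AWS default of allow-all)
SECURITY_GROUPS = {
    "web-sg": [Rule(80, 80, ANY), Rule(443, 443, ANY), Rule(22, 22, ANY)],
    "app-sg": [Rule(8080, 8080, WEB)],
    "dbcache-sg": [Rule(6379, 6379, APP1), Rule(6379, 6379, APP2)],  # port assumed
    "db-sg": [Rule(3306, 3306, APP1), Rule(3306, 3306, APP2),
              Rule(3306, 3306, DBCACHE), Rule(3306, 3306, DEV_DB)],  # DEV_DB: peering task
}

# NACL on the DB subnet. Inbound: MySQL from the permitted subnets. Outbound:
# the replies, i.e. packets back to the clients' ephemeral ports. A packet that
# matches no numbered rule hits the implicit final deny.
DB_NACL_INBOUND = [
    Rule(3306, 3306, APP1, True, 100), Rule(3306, 3306, APP2, True, 110),
    Rule(3306, 3306, DBCACHE, True, 120), Rule(3306, 3306, DEV_DB, True, 130),
]
DB_NACL_OUTBOUND = [
    Rule(*EPHEMERAL, "10.0.0.0/16", True, 100),  # replies to production clients
    Rule(*EPHEMERAL, DEV_DB, True, 110),         # replies to the dev db subnet
]


def sg_allows(sg_name, src_ip, dst_port):
    """Stateful check: any matching allow rule admits the whole connection."""
    return any(r.matches(src_ip, dst_port) for r in SECURITY_GROUPS[sg_name])


def nacl_decides(rules, remote_ip, port):
    """Stateless check of one packet: the lowest-numbered matching rule wins,
    and no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, port):
            return rule.allow
    return False


def db_connection_allowed(client_ip, client_port, outbound_rules=DB_NACL_OUTBOUND):
    """A TCP connection to MySQL on the db instance succeeds only if the SG
    admits the SYN, the inbound NACL admits the SYN, and the outbound NACL
    admits the SYN-ACK going back to the client's ephemeral port."""
    return (sg_allows("db-sg", client_ip, 3306)
            and nacl_decides(DB_NACL_INBOUND, client_ip, 3306)
            and nacl_decides(outbound_rules, client_ip, client_port))


if __name__ == "__main__":
    print("app1 -> db:", db_connection_allowed("10.0.2.15", 40000))       # True
    print("web -> db:", db_connection_allowed("10.0.1.10", 40000))        # False: SG has no rule
    print("dev db -> db:", db_connection_allowed("10.1.2.7", 51000))      # True, via peering
    # Dropping the ephemeral-port outbound rules breaks every connection even
    # though the security group and the inbound NACL both allow it:
    print("app1 -> db, no reply rule:", db_connection_allowed("10.0.2.15", 40000, []))  # False
```

The last case is the one the verification step should exercise explicitly: a "restrict inbound to specific subnets" NACL that forgets the outbound ephemeral-port rules looks correct in the console but silently blocks the replies of every connection into the subnet.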
Verification

1. Testing internet access:
   - Test that the Web instances in both VPCs can reach the internet.
   - Verify that the App1 and DB Cache instances in the Production VPC can send outbound requests.
2. Peering connection:
   - Ensure that instances in the DB subnets of both VPCs can communicate.
3. Security rules:
   - Test the security groups and NACLs to ensure access is restricted as intended.
