NW5-Testing VPC Connectivity
NW5-Testing VPC Connectivity
DIFFICULTY
Mildly Spicy
TIME
60 min
COST
$0
AWS SERVICES
Amazon VPC
Amazon EC2
What you've learnt from your first four networking projects of this series!
Now we're going to level up by testing our VPC's connectivity - you'll learn all about this in a minute!
Want a complete demo of how to do this project, from start to finish? Check out our 🎬 walkthrough
with Natasha 🎬
How much support and guidance do you want? There are two ✌️equally awesome ways you can
complete your project.
#1 - Low Touch
#2 - High Touch
Welcome to the high-touch guidance version of this project. We'll guide you through this project
step-by-step.
Let's go!
📣 If you're EVER stuck - ask the NextWork community. Students like you are already asking questions
about this project.
✍️Step #0
Fill out all the tasks in this project to get your own documentation automatically generated for you
(wooohoooo)!
1. Documentation is PERFECT for adding to your resume or LinkedIn to showcase your hands-
on experience.
2. You'll delete your AWS resources by the end of this project, so you need documentation
as proof of your work and learnings!
3. 💪 Writing documention is a highly valued skill that gets better with practise - start building
your documentation muscle now!
Your answers go directly into your documentation, so spend some time writing these out carefully if
you want your final document to look its best.
🔥 Hot tip
You can't edit your responses or screenshots once you submit them.
Double check your screenshots and proofread your work before clicking Done at the end of each task
box!
☁️Step #1
1. Set up your VPC, subnet, internet gateway, route table, security group, network ACLs.
Lucky for us, now that we've learnt about the VPC wizard, let's learn how to use it to set up our VPC
in minutes.
We previously stuck to creating a VPC only, but this time let's select VPC and more.
NextWork
If you type in
NextWork
, all your resources will have that in their name tags, making it super easy to track and manage
everything linked to your VPC. You'll see this in action soon!
10.0.0.0/16
For IPv6 CIDR block, we'll leave in the default option of No IPv6 CIDR block.
Default: Your instances share hardware with other AWS customers. This is the standard
option and is cost-effective because you’re sharing resources.
Dedicated: Your instances run on hardware that's dedicated to you only. For example,
imagine a healthcare company that needs to ensure the highest level of security for patient
data. They might choose dedicated tenancy to make sure their servers are completely
isolated from other customers, helping them meet compliance standards and keep sensitive
information secure. Dedicated does come at a higher cost!
For Number of Availability Zones (AZs), we'll use just 1 Availability Zone.
10.0.0.0/24
Update your private subnet CIDR block to
10.0.1.0/24
/8
: Provides 16,777,216 IP addresses (usually for very large networks, not subnets).
/16
/24
/32
The /20 size offers a balance between too few and too many IP addresses, making it useful
for most network setups without overwhelming you with an excessive number of IPs.
Next, for the NAT gateways ($) option, make sure you've selected None. As the dollar sign
suggests, NAT gateways cost money!
Step 1: Make sure you select None for NAT gateways!
💡 What are NAT gateways, how are they different from internet gateways?
NAT (Network Address Translation) gateways let instances in private subnets access the internet for
updates and patches, while blocking inbound traffic.
For example, NextWork Private Server in your private subnet might need to download security
updates. By using a NAT gateway, the server can access these updates securely while remaining
protected from external threats!
On the other hand, internet gateways let instances in public subnets communicate with the internet
both ways i.e. both inbound and outbound traffic.
But, VPC endpoints let you connect your VPC privately to AWS services without using the public
internet. This means your data stays within the AWS network, which can improve security and
reduce data transfer costs.
There are many types of VPC endpoints, and the S3 Gateway endpoint is the most common and
useful one - many applications need to access S3 for storing or retrieving data after all! The
endpoints for other AWS services can be added later, but this setup tool simplifies the initial setup by
focusing on S3.
💡 Why does traffic to some services like S3 go out to the public internet by default?
Not all AWS resources are automatically placed inside your VPC! While your compute resources (like
EC2 instances) reside within your VPC, S3 buckets and some other AWS services exist outside your
VPC because they're designed to be highly available and accessible from anywhere.
That's why VPC endpoints, like the S3 Gateway endpoint, exist to create a private connection
between your VPC and S3. Having a VPC endpoint means your instances can now access services like
S3 directly without routing through the public internet, which makes sure your data stays within the
AWS network for security.
That's your teaser on VPC endpoints, we will get into them in detail we learn about endpoints later in
this series! 👀
When you enable DNS resolution, AWS takes care of translating these hostnames to their
corresponding IP addresses so that network requests can find the correct instance. This is particularly
useful in environments where IP addresses might change - hostnames can stay consistent, so
references to your resource would still point to the right thing.
Note how name tag auto-generation, which you enabled in the set up page, is at work now -
all of your VPC's resources have
NextWork
VPC
NextWork VPC
Select Save.
Route tables
Internet gateway
NextWork IG
Network ACLs
🧠 Hint: the other network ACL with just 1 subnet associated is your VPC's default network ACLs!
Observe the Inbound rules and Outbound rules tabs for your private network ACL.
Step 1: All inbound and outbound traffic is denied for your Private NACL!
Security groups
Yay default security groups have already been set up for us! Their names
are default and... default. 😅
Select either one of the two and observe its inbound rules.
Hmmm these default security groups don't quite have the same inbound rules as the
ones we used to set up ourselves.
Let's create new security groups instead of using these default ones.
Description:
Type:
HTTP
Source:
Anywhere-IPv4
WOOO! Well done on setting up your VPC. Now it's time to see your VPC in action...
Let's kick things off by launching an EC2 instance in your public subnet.
EC2
Since your first EC2 instance will be launched in the public subnet, let's name it
For the Amazon Machine Image, select Amazon Linux 2023 AMI.
For the Key pair (login) panel, select NextWork key pair.
NOTE: If you've never created NextWork key pair, or you've deleted it, all you have
to do is:
How key pairs work is that they consist of two cryptographic keys: one private and one public. The
public key is installed on the virtual machine, and the private key remains with the user. When you
attempt to connect, the machine uses the public key to create an encrypted challenge that can only
be decrypted with the private key, ensuring secure and authenticated access.
You might've launched an EC2 instance before without ever needing a key pair, and that would be
because your interactions were managed through higher-level AWS services e.g. AWS Lambda, AWS
CodeBuild that take care of accessing your EC2 instance for you!
In this project, we're needing to directly access this EC2 instance because we are running
connectivity tests in the next step. Direct access to the instance is required to run our tests directly
on the instance's terminal.
At the Network settings panel, select Edit at the right hand corner.
For the Firewall (security groups) setting, we've already created a security group - let's use
that!
Select the checkbox next to your instance, and a Details panel pops up!
Notice how NextWork Public Server has a Public IPv4 address, a subnet, an Availability zone,
and a VPC ID.
The Availability Zone is the specific area within your AWS Region that your instance is
hosted.
The VPC ID identifies that within the AWS Region you're using, the Public Server belongs in
your NextWork VPC.
The NextWork Public Subnet determines the range of IP addresse within NextWork VPC that
can be assigned to your EC2 instance. Because this subnet has a route to an internet
gateway, your VPC has opened up communication between all resources in the subnet and
the internet.
The Public IPv4 address is the external IP address assigned to your EC2 instance. This
address is globally unique, so no other server has the same public IPv4 address on the
internet! Having a public IPv4 address means your instance can communicate with the
internet and be accessible from outside your private AWS network.
Name:
Notice that under the Inbound Security Group Rules section, there is a rule
with Type set to ssh.
💡 What is SSH?
SSH, or Secure Shell, is the protocol we use for secure access to a remote machine. When you
connect to the instance, SSH verifies you possess the correct private key corresponding to the public
key on the server, ensuring only authorized users can access the instance.
In terms of network communication, SSH is also as a type of network traffic. Once SSH has
established a secure connection between you and the EC2 instance, all data transmitted (including
your commands and the responses from the instance) is encrypted. This encryption makes SSH an
ideal method for securely exchanging confidential data e.g. login credentials!
More and more organizations try to reduce the use of SSH and prefer infrastructure as code (IaC) and
automated deployments to reduce the need for direct access (and minimize human error and
security risks), but SSH access is still essential for many administrative, testing, and troubleshooting
scenarios. For example, developers today use SSH to troubleshoot a live issue, perform manual
updates, or configure system settings that are not easily automated.
AWS is concerned that the default security rule, i.e. with the source being
0.0.0.0/0
0.0.0.0/0
for our public subnet, but the private subnet is a different story!
In the Source drop down, scroll down and select NextWork Public Security Group.
💡What does it mean to select NextWork Public Security Group instead of Anywhere as our source?
Choosing the NextWork Public Security Group as the source means only resources that are part of
the NextWork Public Security Group can communicate with your instance. This restricts access to a
much smaller group of trusted resources, rather than allowing potentially any IP address on the
internet (
0.0.0.0/0
⬆️Step #2
Step 2: Let's test the connectivity from you to your Public Server.
Still in your EC2 console, select Instances from the left hand navigation panel.
Select Connect.
💡 What does connectivity mean? Why is it important?
Connectivity is all about how well different parts of your network talk to each other and with
external networks. It's essential because connectivity is how data flows smoothly across your
network, powering everything from simple web hosting on the Internet to complex operations e.g.
Netflix using over 100,000 EC2 instances to power its streaming platform. Solid connectivity is the
backbone of any system that relies on network interactions, making every communication and
operation reliable and efficient.
When you use SSH to connect to an EC2 instance, you usually have to:
Set up an SSH client (a software that can handle the SSH protocol, such as Terminal on a Mac
or Linux computer), provide it your private key, and establish a secure connection to your
EC2 instance.
EC2 Instance Connect is an alternative way to use SSH - Instance Connect lets you securely connect
to your EC2 instances directly using the AWS Management Console. You're still using SSH, but with all
the key management handling it for you. This takes away a lot of the complexity of setting up SSH.
It generates a one-time-use SSH key pair on your behalf when you initiate a connection.
It allows the key to be used for a short period (typically 60 seconds), after which it is
automatically deleted.
Step 2: EC2 Instance Connect manages key pairs for us.
💡 What do Public IP address and Username mean on the Instance Connect set up page?
Username: This is the user account that you will log into on your EC2 instance. It's just like a
physical computer - when you switch on your laptop, you usually have to enter a password to
log into a specific user account! The default username is usually "ec2-user".
Public IP address: This is the external IP address assigned to your EC2 instance! You'll use this
address to tell EC2 Instance Connect the destination when setting up your SSH connection.
Having a Public IP address is a must when connecting to an EC2 instance over Instance
Connect - that's why it was so important to enable automatically assigning a public address
to your Public Subnet's resources!
Select Connect.
Take a screenshot 📸
1/3
Return to later
Look at you go, this is an iconic move for anyone testing their VPC's connectivity!
Hmm let's take a look! Investigate the Route table and Network ACL tabs - what do you see?
Step 2: Your public subnet's route table.
💡 Everything looks good! Our Network ACL allows all traffic in and out, and our route table is
correctly setting up a route to the Internet Gateway.
Head into the Security groups page from the left hand navigation bar.
💡 Mystery solved?! How are our inbound rules the cause of our connectivity issue?
The security group associated with NextWork Public Server lets in all inbound HTTP traffic, but this is
not how we're trying to access our Public Server!
We're trying to access NextWork Public Server using SSH through EC2 Instance Connect, which is a
different traffic type.
It's generally not best practise to set SSH access to "Anywhere-IPv4" due to security risks - this setup
exposes your server to potential unauthorized access from any location.
But, we're using it in this instance (pun intended) as EC2 Instance Connect picks from various IP
address ranges (not just a single IP) to initiate SSH access. Setting the source to Anywhere-
IPv4 makes sure that EC2 Instance Connect will be successful, no matter which IP address it's using.
If this was a long-term project, we'd search for the specific CIDR block of IP addresses that EC2
Instance Connect uses and restrict inbound SSH traffic to that range.
Step 2: Select Anywhere IPv4.
Phew! Success.
💡 Wow this is my first time connecting to an EC2 instance! What am I seeing here?
Woohooo welcome to your very first peek into an Amazon EC2 instance connection! Let’s break
down what you’re seeing here.
This screen with text and a blinking cursor is called a terminal or command line interface (CLI). Think
of it as a way to talk directly to your computer using text commands, like you're texting with your
computer!
Historically, before we had the colorful icons and windows that you can click on with a mouse,
everyone used terminals like this to interact with computers. Now, we use the terminal for
specific/advanced tasks (beyond opening folders or renaming files), especially when dealing with
servers or programming. Using the terminal/CLI can be much faster and more powerful than clicking
through menus, and it's absolutely used by engineers today.
The text ec2-user@ip-10-x-x-xxx on the screen tells you who you are (the ec2-user) and where you
are (on a computer with the address 10.0.0.xxx). Bonus points to you if you can figure out where you
can find this IP address in your EC2 console!
Take a screenshot 📸
Take a screenshot of EC2 Instance Connect's successful connection to your Public Server.
1/4
Return to later
🤝 Step #3
Awesome, we've figured out how to connect with our Public Server!
Let's see if we can connect with our Private Server from here.
💡 What does it mean to connect to our Private Server from our Public Server?
When our servers "talk" or connect, it usually means the public server is sending or requesting data
from the private server.
This could be for various reasons, such as fetching private information (e.g. retrieving screenshots
that a NextWork student uploaded into a project guide), or updating databases (e.g. a student
updates their profile photo in the NextWork community).
Step 3: Let's test the connectivity from your Public Server to your Private Server.
Leave open the EC2 Instance Connect tab, but head back to your EC2 console in a new tab.
Run
in terminal.
ping 10.0.1.227
sign at the bottom line of the black window, and type in your command after the $ sign.
Think of it like sending a tiny message that says "hello, are you there?" to another computer, or like
checking if someone's home by ringing their doorbell.
When you "ping" a specific IP address address (i.e. another server's address), your server (in this
case, NextWork Public Server) sends a small packet of data to that address (NextWork Private
Server), asking for a response. Ping will tell you whether you get a response back and how long it
took to get a response.
If you receive a response quickly, it means the connection between your computer and the other
computer is good. If it takes a long time or you get no response, there might be a problem with the
connection!
Take a screenshot 📸
Return to later
Usually, when you ping another computer successfully, you should see several replies back instantly.
Each reply tells you how long it took for the message to go to the Private Server and come back.
If you don't get any replies (that's our situation right now), or if the replies stop suddenly, it's usually
a sign that there's a problem with the connection.
Step 3: Your Public Subnet isn't hearing a response back
Blocking ICMP traffic is often done to prevent network attacks, like attackers can overwhelming a
server with ping messages so it can't respond to real users wanting to use your application. Fair
enough that ICMP traffic is blocked by default!
To resolve this connectivity error, let's investigate whether NextWork Private Server is
allowing in ICMP traffic.
Pause and have a think - where do you think you can investigate this?
Up til now, you've learnt about internet gateways, subnets, route tables, IPv4 addressing, security
groups and route tables...
Which of these would you need to configure for NextWork Private Server to receive ICMP traffic?
Hmmm!
🤔
🤔
🤔
Leave open the EC2 Instance Connect tab, but head back to your VPC console in a new tab.
Let's investigate the Route tables and Network ACL tabs for your private subnet.
💡 Mystery solved?! How are the Route tables and Network ACLs the cause of our connectivity
issue?
Our route table is set up perfectly (zero issues there!), but the Network ACL tab shows us
that all traffic inbound and outbound are denied.
This means even if our route table correctly directs the ping to NextWork Private Server, the network
ACL is checking the ping traffic at the entrance of your private subnet. If it finds that ICMP traffic is
not allowed, it stops the ping there.
This blockage could be the reason why you observed only one line in the ping response - the single
line records NextWork Public Server's first attempt to communicate (i.e. a ping message is sent), but
there are no replies back from NextWork Private Server.
Let's resolve that by clicking on the link to your NextWork Private NACL.
Let's add a new rule to let NextWork Public Server ping NextWork Private Server.
Assign
100
You might notice that ICMP is not limited to IPv4; there is also ICMP for IPv6 , which functions
similarly but is tailored specifically for IPv6 networks.
10.0.0.0/24
Rule number:
100
Source:
10.0.0.0/24
Before we finish, let's check the security groups! Select Security groups from the left hand
navigation panel.
Check your Inbound rules tab - does this security group allow ICMP traffic? (Nope!)
Step 3: NextWork Private Server's security group's inbound rules.
💡 Why does it matter whether my security group is allowing ICMP traffic too?
Now that your private network ACLs allow ICMP traffic, ICMP messages can enter your public subnet.
However, these messages still need to be let in by your NextWork Private Security Group to reach
your private server.
Imagine the ICMP ping as a delivery car that needs to deliver the ping message to a specific house
(NextWork Private Server) in a gated neighbourhood (your private subnet). It's allowed through the
big security checkpoint (the network ACL) into the neighbourhood, but it still needs to pass a final
check with the security guard (security group) at the house's door.
So if your security group isn't allowing in ICMP traffic too, the ping message wouldn't reach your
private server!
Step 3: If your Private Security Group wasn't allowing inbound ICMP traffic too.
💡 Hmmm, we didn't pick NextWork Public Security Group as the source for the network ACL... why
is the source different here?
Good catch! Notice how we can select traffic from the NextWork Public Security Group as a source
here, which is much more granular and exclusive than the private NACL, which allows in all traffic
from your public subnet.
NACLs typically have a broader scope since its settings would affect all resources in your subnet.
We can also illustrate this with an example scenario. How should you set up your private network
ACLs and security groups if you had two servers in each subnet, and each public server only needs to
talk to one of the private servers?
Your private network ACL is on the subnet level so it would need to allow in traffic from both public
servers. However, since security groups are only on the instance level, it can have much more
granular inbound rules.
Step 3: The difference in scope between NACLs and security groups for larger networks.
Revisit the EC2 Instance Connect tab that's connected to NextWork Public Server.
Each line represents a reply from the ping command you sent. This means that the ICMP (Internet
Control Message Protocol) traffic is now successfully reaching the private server, thanks to the
adjustments you made in the network ACLs and Security Groups. Nice!
Step 3: Your Public Server now gets replies from the Private Server!
Extra for Experts: Curious about what each part of the ping message means? The output typically
shows several pieces of information:
Time: Each line includes the time in milliseconds it took for the ping message to travel from
your server to the target and back. This is a measure of the latency or delay in the network
communication.
TTL (Time to Live): This value indicates the lifespan of the packet as it travels; it decreases by
one for each router it passes through. Once TTL reaches zero, the data packet containing the
ping message is automatically dropped from the network.
Sequence number: This helps in identifying each ping request and matching it to its
corresponding reply, ensuring that the responses correspond to the specific requests sent.
Take a screenshot 📸
1/5
Return to later
🛜 Step #4
Test VPC connectivity with the internet
Since your NextWork Public Route Table has a route from the NextWork Public Subnet to an internet
gateway, you can validate that resources in NextWork Public Subnet can access the internet!
Step 4: Let's test the connectivity from your Public Server to the public internet!
Control + C
on your keyboard.
Type in
curl example.com
in the prompt, i.e. right after the $ sign at the bottom line of the black window.
curl
example.com
, the command sends an HTTP request to the server that hosts the website. This request tells the
server that you want to retrieve the HTML content of the website. The website's server then
processes this request and sends back the data as a response.
The curl command outputs this data to your terminal, so what you're seeing is the raw HTML from
the server!
This output confirms that your Public Sever instance can talk with the internet.
This wouldn't be possible if NextWork Public Subnet, your internet gateway and your security
settings weren't set up properly... nice work!
curl nextwork.org
nextwork.org
currently redirects requests to the first project on our web app, which has a different URL!
Now let's try running curl with the URL that your terminal returned. Run
curl https://learn.nextwork.org/projects/aws-host-a-website-on-s3
Step 4: The response from running curl https://learn.nextwork.org/projects/...
💡 Woah that's heaaaaps more data coming through now! What does this response say?
Just like the previous example using curl
example.com
, curl has fetched the complete HTML content of NextWork's web app (specifically, the first project
on the web app), which is why you now see a large amount of HTML data.
Nice work, you've just used your Public Server to fetch all the HTML code necessary to render a
webpage!
Take a screenshot 📸
1/5
Congratulations!! That was a massive success in testing your VPC's connectivity between your
subnets and with the external internet.
Nice work!
You've just completed today's project and set up your very own VPC AND tested VPC connectivity.
Autosaved
1/4
Return to later
Step #6
✋ STOP
Before diving into the steps for deleting your resources, why not challenge yourself to delete
everything in this project on your own?
Keeping track of your resources, and deleting them at the end, is absolutely a skill that will help you
reduce waste in your account.
🛑 STEPS BELOW:
Select Terminate.
Step 6: Delete your EC2 instances.
VPC:
If you get stopped from deleting your VPC because network interfaces are still attached to
your VPC - delete all the attached network interfaces first!
Type
delete
Select Delete.
Step 6: Delete your VPC.
Refresh your the page before checking if the resource you created today is still in your account. They
should be automatically deleted with your VPC, but it's always a good idea to check anyway:
1. Subnets
2. Route tables
3. Internet gateways
4. Network ACLs
5. Security groups
Now it's time to share and let people know just what an amazing job you've done.
Select the
at the bottom of the post - it's blocking you from uploading documentation!
Then you select this page icon, which helps you Add a document.
Voilà! Upload your document and give it a nice title that relates to your project.
Share your PDF in the NextWork community. Completing a project is literally one of the
biggest achievements and milestones that everyone celebrates. Show us your amazing work.
👀
OMG
DONE!!!!! 🥳
Your amazing work today!
⬆️Connect to your Public Server with EC2 Instance Connect: You used EC2 Instance Connect
in your AWS Management Console to securely SSH into your EC2 instance without the hassle
of managing SSH keys. This also required a cheeky update to your Public Server's security
group settings.
🤝 Test EC2 connectivity with ping: You made sure that your public and private servers can
communicate with each other using the ping command. You also had to update your Private
Server's NACL settings to make this work!
🛜 Verify VPC internet access with curl: You confirmed that your virtual network can reach
the internet by using the curl command to fetch data directly from web servers, even
grabbing entire HTML files in the process.
It's wild that all these learnings are packed in one project. Great work and we'll see you in the next
one!
To commemorate this very special occasion, we've created a one-of-a-kind trophy just for you.
🚀 p.s. Does it say "Still tasks to complete!" at the bottom of the screen? This means you still have
screenshots left to upload, or questions left to answer!