
E04 - Demonstration of AWS VPC and Launch A Web Server

This document outlines a lab experiment for T.Y.B.Tech. (CSE) students focused on demonstrating AWS Virtual Private Cloud (VPC) and launching a web server. The objectives include creating a VPC, subnets, configuring security groups, and launching an EC2 instance. It also discusses components necessary for VPC setup, such as routers, internet gateways, NAT gateways, and security measures, along with concepts of VPC peering and transit VPC for enhanced connectivity.

Uploaded by

gangursahil
Copyright
© All Rights Reserved

T.Y.B.Tech. (CSE) –II Subject: Cloud Computing Lab (CSP352)

Experiment No.: 04

Title: Demonstration of AWS VPC and Launch a Web Server.

Objectives: After completing this lab, you should be able to do the following:

• Create a VPC.
• Create subnets.
• Configure a security group.
• Launch an EC2 instance into a VPC.

Theory and Lab overview:

In this lab, you will use Amazon Virtual Private Cloud (VPC) to create your own VPC and
add additional components to produce a customized network. You will also create a security
group. You will then configure and customize an EC2 instance to run a web server and you
will launch the EC2 instance to run in a subnet in the VPC.
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services
(AWS) resources into a virtual network that you defined. This virtual network closely
resembles a traditional network that you would operate in your own data center, with the
benefits of using the scalable infrastructure of AWS. You can create a VPC that spans
multiple Availability Zones.

AWS service restrictions:


In this lab environment, access to AWS services and service actions might be restricted to the
ones that are needed to complete the lab instructions. You might encounter errors if you
attempt to access other services or perform actions beyond the ones that are described in this
lab.
Scenario: In this lab you build the following infrastructure:

Architecture

Department of Computer Science and Engineering. Page 4.1


Textile and Engineering Institute, Ichalkaranji.
Experiment No.: 04 Subject: Cloud Computing Lab (CSP352)
Title: Demonstration of AWS VPC and Launch a Web Server.

VPC components in brief for this lab

Looking at this lab, the VPC components needed to make web servers publicly accessible
while keeping application and database servers private are, in summary:

1) One VPC with a public subnet for web servers and a private subnet for database or app
servers.

2) For these two subnets to communicate, you need a router. The router in AWS directs
communication between subnets. The term "implied router" in AWS means the routing table. It
is a gatekeeper in VPC networking that determines how traffic flows in and out of each
subnet in the VPC. The implied router does not make intelligent routing decisions, so we
need to configure routing decisions manually.

3) To get internet access for these subnets, we need an internet gateway. The internet
gateway is a highly available component in the VPC that connects the VPC to the internet.

4) If the private subnet needs to access the internet (for host updates, patches, etc.), we
need to configure a NAT gateway, which is a VPC service that resides in the public subnet.
However, to make this work, it is recommended to configure route tables for each and every
subnet that point the relevant traffic either to the internet gateway or to the NAT gateway.

5) If the private subnet needs to access services such as an S3 bucket, we need to set up a
VPC endpoint, which lets the private subnet connect to S3 directly over the AWS backbone
rather than through the internet gateway (this saves cost for egress traffic).

6) Security within the VPC is provided by network access control lists (NACLs) and security
groups. NACLs secure inbound and outbound traffic for subnets, and security groups provide
secure access to the EC2 instances.
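The routing rules in points 2 to 5 can be checked mechanically. The following is an added example, not part of the original lab sheet: it classifies each subnet by the default route in its effective route table and reports subnets that are meant to be private but route to an internet gateway. The input is constructed data shaped like `aws ec2 describe-route-tables` output; all IDs and the `INTENDED` mapping are assumptions made for illustration.

```python
# Added example: constructed data shaped like `aws ec2 describe-route-tables`
# output. Every ID below is made up; handles IPv4 default routes only.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
                {"DestinationPrefixListId": "pl-example", "GatewayId": "vpce-example"}]},
]
# Intended exposure per subnet; subnet-app has no explicit association.
INTENDED = {"subnet-web": "public", "subnet-db": "private", "subnet-app": "private"}


def table_for(subnet_id, tables):
    """Explicit association wins; otherwise the main route table applies."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify(table):
    """public = default route to an IGW, private-nat = via NAT, else isolated."""
    for route in (table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if str(route.get("GatewayId", "")).startswith("igw-"):
                return "public"
            if route.get("NatGatewayId"):
                return "private-nat"
    return "isolated"


def audit(tables, intended):
    """Return ({subnet: class}, [subnets meant to be private that are public])."""
    classes = {s: classify(table_for(s, tables)) for s in intended}
    exposed = [s for s, want in intended.items()
               if want == "private" and classes[s] == "public"]
    return classes, exposed


if __name__ == "__main__":
    print(audit(ROUTE_TABLES, INTENDED))
```

A subnet with no explicit association inherits the main route table, so a default route to the internet gateway added there exposes every such subnet; this is why point 4 recommends a route table for each and every subnet.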


A brief note on VPC peering and transit VPC

In summary, VPC peering is a networking term in AWS for a connection that enables
instance-to-instance communication between two VPCs. If we are really concerned about the
host vulnerability of one of the instances in the example above, then we need to separate
the DB and web subnets across two VPCs. To enable communication between these instances, we
need VPC peering. However, VPC peering cannot be used for transit network traffic, which
means an instance in one VPC cannot use the internet gateway in another VPC to reach the
internet.

If you really need to enable transit traffic (typically a hub-and-spoke design), then you
need to define a new VPC dedicated to transit traffic. This VPC also has router software
running as an instance that can peer with other instances (eventually connecting to their
implied routing tables), with a static or dynamic routing protocol installed to route
traffic. This type of scenario is used in hybrid cloud environments where multiple AWS VPCs
in a single region or in multiple regions need to connect to an on-premises network.
Site-to-site VPN connectivity would be involved in this type of VPC design.

Conclusion Note: (Students write their understanding and findings from this lab demonstration)
