Creating a Private Instance in a Private Subnet in AWS

Danielle C. Wormley
May 13, 2021


In this Level Up in Tech project, I have been tasked with setting up the architecture for a private instance in a private subnet that only our team can access.

The requested architecture should include the following elements:

  1. One custom virtual private cloud (VPC)
  2. A public subnet
  3. A private subnet
  4. Launching an EC2 t2 or t3 nano instance in the private subnet with only a private IP address
  5. Creation of a bastion host in the public subnet with a public IP address

We will need all of these items to successfully connect to the private instance from the bastion host in the VPC!

Now that we know our purpose and instructions, let’s begin!

Step One: Build a custom VPC with a CIDR of 10.0.0.0/16

Step Two: Create a public subnet with a CIDR of 10.0.1.0/24

Step Three: Create a private subnet with a CIDR of 10.0.2.0/24

Success! Now we have two new subnets: one public, the other private.

We need to take some additional steps. Unfortunately, the public subnet is not “public” just because we titled it that way. We will have to complete more tasks to make the “public” subnet actually public. Next, we will set up our Internet Gateway and attach it to the VPC we generated.

Generate, then configure the route tables.

Here’s what we have for our networking setup so far. Per our given instructions, the public subnet (10.0.1.0/24) is explicitly associated with the route table that allows access to the Internet. In contrast, the private subnet has no explicit route table association.

We should also enable auto-assign of public IPv4 addresses on the public subnet.
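The point of the route table step is that a subnet is public because of its routing, not because of its name. The following is an added example (not part of the original post) that models the plan above offline: it checks that the subnet CIDRs sit inside the VPC CIDR and do not overlap, and classifies each subnet as public or private from its effective route table. The route table ids and the `igw-PLACEHOLDER` gateway id are constructed placeholders, not real AWS ids.

```python
"""Validate a small VPC plan offline: CIDR nesting, subnet overlap, and which
subnets are really public.  Added example, not from the original post; the
route-table ids and the Internet Gateway id below are constructed placeholders."""
import ipaddress

# Constructed plan mirroring the post: one VPC, two subnets, two route tables.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public-subnet": "10.0.1.0/24",
    "private-subnet": "10.0.2.0/24",
}
# destination -> target.  The "local" route is implicit in every AWS route
# table; "igw-PLACEHOLDER" stands in for the attached Internet Gateway id.
ROUTE_TABLES = {
    "rtb-public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"},
    "rtb-main": {"10.0.0.0/16": "local"},
}
# Explicit subnet -> route table associations.  A subnet with no explicit
# association uses the VPC's main route table (here: local-only).
ASSOCIATIONS = {"public-subnet": "rtb-public"}
MAIN_ROUTE_TABLE = "rtb-main"


def check_cidrs(vpc_cidr=VPC_CIDR, subnets=SUBNETS):
    """Return a list of problems: subnets outside the VPC or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    return problems


def is_public(subnet, route_tables=ROUTE_TABLES, associations=ASSOCIATIONS,
              main=MAIN_ROUTE_TABLE):
    """A subnet is public only if its effective route table sends 0.0.0.0/0
    to an Internet Gateway.  The subnet's name plays no part in this."""
    table = route_tables[associations.get(subnet, main)]
    return table.get("0.0.0.0/0", "").startswith("igw-")


def classify(subnets=SUBNETS, **kwargs):
    """Map each subnet name to 'public' or 'private' from its routing."""
    return {name: ("public" if is_public(name, **kwargs) else "private")
            for name in subnets}


if __name__ == "__main__":
    print("CIDR problems:", check_cidrs() or "none")
    print("Classification:", classify())
    # Forgetting the association leaves the "public" subnet on the main table.
    print("Without the association:", classify(associations={}))
```

Running it with the association removed shows the failure mode the post warns about: both subnets come out private, because the main route table has no Internet Gateway route.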

Step Four: Launch an EC2 t2 or t3 nano instance in the private subnet with only a private IP address

Step Five: You will need to create a Bastion Host in the public subnet with a public IP address

Let’s transition over to the EC2 section of the AWS Management Console. For this project, I actually created the Bastion Host before building the private EC2 instance in the private subnet. According to AWS, the Bastion Host is a server whose purpose is to provide access to a private network from an external network, such as the Internet.

In our security group setup for this instance, we’ll deviate a little from the usual EC2 process. For the Bastion Host’s inbound SSH rule, change the source to “My IP.”

Let’s go back to EC2 and select, “Launch Instances” again to launch a private instance.

For your private instance’s security group, be sure to select “Custom” and the Security Group you’ve already set in place for creating the Bastion Host.

We’ll need to set up key pairs for both the Bastion Host and the private instance. The key pairs will allow us to safely SSH into our instances.
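To make the security group decisions in steps four and five concrete, here is an added example (not the post’s own configuration) that models how AWS evaluates security group ingress for the bastion and the private instance. The group ids, instance ids and addresses are constructed placeholders, and the rule set assumes the common two-tier layout: SSH to the bastion only from the admin’s “My IP” /32, and SSH to the private instance only from members of the bastion’s security group.

```python
"""Model AWS security-group evaluation for a bastion and a private instance.
Added example, not the post's own configuration: the group ids, instance ids
and addresses are constructed placeholders, and the rule set is the common
two-tier layout (SSH to the bastion from one admin /32, SSH to the private
instance only from the bastion's security group)."""
import ipaddress

SSH_PORT = 22

# Constructed ingress rules.  A source is either a CIDR or another group id.
SECURITY_GROUPS = {
    "sg-bastion": [
        # the "My IP" rule: one admin address (203.0.113.10 is a documentation IP)
        {"proto": "tcp", "from": 22, "to": 22, "source": "203.0.113.10/32"},
    ],
    "sg-private": [
        # accept SSH from any instance that is a member of sg-bastion
        {"proto": "tcp", "from": 22, "to": 22, "source": "sg-bastion"},
    ],
}
INSTANCES = {
    "i-bastion": {"ip": "10.0.1.10", "groups": ["sg-bastion"]},
    "i-private": {"ip": "10.0.2.10", "groups": ["sg-private"]},
}


def _source_matches(source, src_ip, src_groups):
    """A group-id source matches by membership; a CIDR source matches by address."""
    if source.startswith("sg-"):
        return source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source, strict=False)


def allowed(src_ip, src_groups, dst_instance, port, proto="tcp",
            instances=INSTANCES, groups=SECURITY_GROUPS):
    """Security groups are allow-only: if any ingress rule on any group attached
    to the destination matches, the connection is permitted; otherwise dropped."""
    for sg in instances[dst_instance]["groups"]:
        for rule in groups[sg]:
            if rule["proto"] not in (proto, "-1"):
                continue
            if not rule["from"] <= port <= rule["to"]:
                continue
            if _source_matches(rule["source"], src_ip, src_groups):
                return True
    return False


def can_ssh(src_instance, dst_instance, instances=INSTANCES, groups=SECURITY_GROUPS):
    """Instance-to-instance SSH check using the source instance's IP and groups."""
    src = instances[src_instance]
    return allowed(src["ip"], src["groups"], dst_instance, SSH_PORT,
                   instances=instances, groups=groups)


def world_open_ports(groups=SECURITY_GROUPS):
    """Return (group, from_port, to_port) for rules open to the whole Internet."""
    return [(sg, r["from"], r["to"]) for sg, rules in groups.items()
            for r in rules if r["source"] in ("0.0.0.0/0", "::/0")]


if __name__ == "__main__":
    print("admin -> bastion:", allowed("203.0.113.10", [], "i-bastion", SSH_PORT))
    print("stranger -> bastion:", allowed("198.51.100.7", [], "i-bastion", SSH_PORT))
    print("admin -> private directly:", allowed("203.0.113.10", [], "i-private", SSH_PORT))
    print("bastion -> private:", can_ssh("i-bastion", "i-private"))
    print("world-open ports:", world_open_ports() or "none")
```

The detail worth noticing is that a rule’s source can be another security group rather than an address: that is what ties access to the private instance to “whatever is in the bastion’s group” instead of to any particular IP, and `world_open_ports` is the quick check that no rule was left at 0.0.0.0/0 by accident.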

Our information for the Bastion Host
Our information for the private instance

Alright, we’ve set up the VPC, a private instance, and the Bastion Host! Now, let’s see what we’ve done so far and SSH into the Bastion Host.

Success! Now, let’s try logging in to our private instance!

The connection attempt into the private instance did not go well — at first.

Access Denied! We’ll regroup and go over all of our steps.

After a few minutes, we’ve done some double-checking and see that we’ve used the same .ppk file for access and have registered it in Pageant. After tracing our steps, let’s implement one of my favorite troubleshooting techniques: restarting the computer!

Finally, we connected into the private instance from the Bastion Host. We even managed to “cat” out a file created before we SSH’ed into the private instance. In another verification method, we halted and exited out from the private instance and back into the Bastion Host. Most importantly, we completed step six of the assignment, “You will need to connect ‘successfully’ to the private instance from the Bastion Host in your VPC!”

One project down, more to go. Onto the next challenge!

The diagram of our VPC, subnets and Bastion Host
