Guide on creating an internal application server that reaches the internet through a NAT instance and can be reached from a bastion box over SSH on port 22
Below is the network architecture diagram:
The design lets us deploy the application layer securely in our private cloud space in AWS, without exposing it to the public internet. It consists of:
- Virtual Private Cloud (VPC) with an attached Internet GateWay (IGW)
- One public and private Subnet
- Two Elastic IPs
- Three EC2 Instances (NAT Instance, Application Server, and The Bastion Box)
- Security Groups for the NAT Instance, Application Server and Bastion Box
- From the AWS console, navigate to Services, click Network & Content Delivery and then VPC
- On the left pane, select Your VPCs and then Create VPC. Give your VPC a suitable name, e.g. 'My VPC', type 192.168.0.0/16 in the IPv4 CIDR block field and then create
- On the left pane, select Subnets and then Create Subnets
- In the Name Tag field type: My Public Subnet, select your newly created VPC, choose an Availability Zone (AZ), type 192.168.0.0/24 in the IPv4 CIDR block field and then create
- Repeat the step above for the private subnet with Name Tag My Private Subnet and IPv4 CIDR block 192.168.1.0/24 (the range the security-group rules below refer to), in the same AZ
- From the left pane, select Internet Gateways
- Click Create Internet Gateway, give your IGW a suitable name and then create
- Select the IGW you just created, click Actions and then Attach to VPC, and choose your VPC
- From the Left pane, select Security Groups and Create Security group
- Create SG_NAT, SG_BB and SG_APP for the NAT Instance, Bastion Box and Application Server respectively.
- On SG_BB, click Inbound Rules, then Edit and Add Rule:
  Type: SSH; Port: 22; Source: <your workstation's public IP>
- On SG_NAT, click Inbound Rules, then Edit and Add Rule:
  Type: SSH; Port: 22; Source: SG_BB
  Type: HTTP; Port: 80; Source: 192.168.1.0/24
  Type: HTTPS; Port: 443; Source: 192.168.1.0/24
- On SG_APP, click Inbound Rules, then Edit and Add Rule:
  Type: SSH; Port: 22; Source: SG_BB
- Navigate to Services and click EC2
- Select Instances and click Launch Instance
- Click on Community AMIs and search for 'ami-00a9d4a05375b2763' in the search bar
- Select the AMI then Click Configure Instance Details
- Choose My VPC in the Network field
- Select My Public Subnet in the Subnet field
- Click Add Storage and optionally add tags for ease of referencing
- Click Configure Security Group, choose existing Security Group and select SG_NAT
- Review and Launch
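The same topology as infrastructure code, added here as an example and not taken from the original guide. It targets the Terraform AWS provider 5.x and assumes the provider block and credentials are configured separately; the availability zone, key pair name and workstation address are placeholders, and the AMI id is the one the guide uses, which only exists in the guide's region. The security-group rules are the guide's: SSH into the bastion only from one workstation IP, SSH into the NAT and application instances only from members of SG_BB, and HTTP/HTTPS into the NAT instance only from the private subnet.

```hcl
# Added example, not the guide's own code. Assumes an AWS provider 5.x block
# configured elsewhere. AZ, key pair and workstation IP are placeholders.
variable "workstation_cidr" {
  type    = string
  default = "203.0.113.10/32" # placeholder from the documentation range; replace
}

resource "aws_vpc" "my_vpc" {
  cidr_block = "192.168.0.0/16"
  tags       = { Name = "My VPC" }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.my_vpc.id # attaches to the VPC on creation
}

resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.my_vpc.id
  cidr_block        = "192.168.0.0/24"
  availability_zone = "us-east-1a" # placeholder; same AZ for both subnets
  tags              = { Name = "My Public Subnet" }
}

resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.my_vpc.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "us-east-1a"
  tags              = { Name = "My Private Subnet" }
}

# One empty security group per tier; every rule is a standalone rule resource
# so Terraform manages the complete rule set and nothing is added out of band.
resource "aws_security_group" "sg" {
  for_each = toset(["SG_BB", "SG_NAT", "SG_APP"])
  name     = each.key
  vpc_id   = aws_vpc.my_vpc.id
}

# Bastion: SSH only from the workstation's public IP.
resource "aws_vpc_security_group_ingress_rule" "bb_ssh" {
  security_group_id = aws_security_group.sg["SG_BB"].id
  cidr_ipv4         = var.workstation_cidr
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}

# NAT and app server: SSH only from members of SG_BB, never from a CIDR.
resource "aws_vpc_security_group_ingress_rule" "ssh_from_bastion" {
  for_each                     = toset(["SG_NAT", "SG_APP"])
  security_group_id            = aws_security_group.sg[each.key].id
  referenced_security_group_id = aws_security_group.sg["SG_BB"].id
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
}

# NAT: HTTP/HTTPS only from the private subnet, so only the app tier can use it.
resource "aws_vpc_security_group_ingress_rule" "nat_web_from_private" {
  for_each          = toset(["80", "443"])
  security_group_id = aws_security_group.sg["SG_NAT"].id
  cidr_ipv4         = aws_subnet.private.cidr_block
  ip_protocol       = "tcp"
  from_port         = tonumber(each.key)
  to_port           = tonumber(each.key)
}

# Outbound: allow all from each group (what the console creates by default).
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = aws_security_group.sg
  security_group_id = each.value.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# NAT instance in the public subnet. source_dest_check must be off, otherwise
# the instance drops the private-subnet packets it is supposed to forward.
resource "aws_instance" "nat" {
  ami                    = "ami-00a9d4a05375b2763" # the guide's AMI id; region-specific
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.sg["SG_NAT"].id]
  source_dest_check      = false
  key_name               = "my-keypair" # placeholder
  tags                   = { Name = "NAT Instance" }
}

# One of the two Elastic IPs from the component list, bound to the NAT instance.
resource "aws_eip" "nat" {
  domain   = "vpc"
  instance = aws_instance.nat.id
}
```

Two things worth checking after `terraform apply` that the console steps above do not show: the application server must carry SG_APP and sit in the private subnet, so it has no public IP and no inbound rule reachable from the internet; and an AMI id is valid only in the region it was published in, so if you deploy in another region look up a NAT instance AMI for that region instead of reusing the id from the guide.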