How to Create and Manage an AWS VPC
This how-to assumes:
- Basic familiarity with System Initiative
- Familiarity with AWS VPC
It will teach you how to create a best-practice AWS VPC and manage it with System Initiative.
We will cover:
- The creation of a highly available VPC that spans multiple availability zones.
- A VPC configured with public and private subnets.
- The networking required to give resources on the private subnets outbound-only internet access (via a NAT Gateway in each availability zone).
- The networking required for resources on the public subnets to communicate with the internet (via an Internet Gateway).
What it will look like when completed
When you have completed this guide, you should have Components that look like this in your Grid, and like this in your Map:
Create a Change Set
Create a Change Set named How-to VPC.
Create AWS Credentials
Press N (or click Add a component), search for AWS Credential, select it, then hit Enter to create an AWS Credential Component.
Now configure your AWS Credential with keys for a valid AWS account and press Add Secret, then hit Esc to return to the Grid. You now have a valid AWS Credential Component to use for this VPC. Prefer keys for an IAM principal limited to the EC2 networking actions this guide performs over account root or administrator credentials.
Select an AWS Region
Press N, then search for, select and add an AWS Region Component to your Change Set. Name the Component AWS Region, set the region property to us-east-1 and subscribe the credential property to your AWS Credential. Hit Esc to return to the Grid.
Create a VPC Component
Press N, then search for, select and add an AWS::EC2::VPC Component.
Set the Component name to How to VPC.
Set the CidrBlock property to 10.0.0.0/16.
Set EnableDnsHostnames to true.
Set EnableDnsSupport to true.
Subscribe the region property to your AWS Region.
Subscribe the credential property to your AWS Credential.
Press Esc to return to the Grid.
Create the Public Subnet Components
This VPC will span multiple availability zones in our AWS Region. Add an AWS::EC2::Subnet Component to your Change Set, then right click it and press D to duplicate the Component (add a prefix of Public to each duplicate if you like) until you have 3 of them.
Then configure them as follows:
Component Name | CidrBlock | AvailabilityZone | MapPublicIpOnLaunch
---|---|---|---
Public 1 | 10.0.128.0/20 | us-east-1a | true
Public 2 | 10.0.144.0/20 | us-east-1b | true
Public 3 | 10.0.160.0/20 | us-east-1c | true
With MapPublicIpOnLaunch set to true, anything launched into these subnets receives a public IP automatically, so only place resources that are meant to be internet-facing here.
Subscribe the VpcId property of each Subnet to your AWS::EC2::VPC Component named How to VPC.
Subscribe the region and credential properties of each Subnet to your AWS Region and AWS Credential. When you are done with Public 3, press Esc to return to the Grid.
Create the Elastic IP Components
Add an AWS::EC2::EIP Component to the Grid, hit Esc, then duplicate (D) until you have 3 of them.
Set the names of the Components to NAT Gateway EIP (1|2|3). The index should align with each of the Subnets and match the corresponding NAT Gateway Components.
Set the Domain of each of the Elastic IP Components to vpc.
Subscribe the region and credential properties of each NAT Gateway EIP Component to your AWS Region and AWS Credential.
Press Esc to return to the Grid.
Create the NAT Gateway Components
Add an AWS::EC2::NATGateway Component to the Grid, hit Esc, then duplicate (D) until you have 3 of them.
Set the names of the Components to NAT Gateway (1|2|3). The index should align with each Subnet.
In NAT Gateway 1, subscribe the SubnetId property to your AWS::EC2::Subnet Component named Public 1. Repeat this for NAT Gateway 2 and 3, subscribing to the matching Public Subnet's SubnetId. Each NAT Gateway must sit in the public subnet of the same availability zone as the private subnet that will route through it; otherwise an outage in one zone takes down egress for the others.
In NAT Gateway 1, subscribe the AllocationId property to your AWS::EC2::EIP Component named NAT Gateway EIP 1. Repeat this for NAT Gateway 2 and 3, subscribing to the matching AllocationId.
Set the ConnectivityType of each of the NAT Gateway Components to public.
Subscribe the region and credential properties of each NAT Gateway Component to your AWS Region and AWS Credential.
Press Esc to return to the Grid.
Create the Internet Gateway and VPCGatewayAttachment Components
Add an AWS::EC2::InternetGateway Component to the Grid.
Set the name to IGW.
Subscribe the region and credential properties to your AWS Region and AWS Credential.
Press Esc to return to the Grid.
Add an AWS::EC2::VPCGatewayAttachment Component to the Grid.
Set the name to Gateway VPC Attachment.
Subscribe the VpcId property to your VPC's VpcId and the InternetGatewayId property to your IGW Component's InternetGatewayId.
Subscribe the region and credential properties to your AWS Region and AWS Credential.
Press Esc to return to the Grid.
Create the Public Route Table and Subnet Route Table Association Components
Add an AWS::EC2::RouteTable Component to the Grid.
Set the Component name to Public Route Table.
Subscribe the VpcId property to your VPC's VpcId.
Subscribe the region and credential properties to your AWS Region and AWS Credential.
Add 3 AWS::EC2::SubnetRouteTableAssociation Components to the Grid; remember you can duplicate using D.
Set the Component names to Public Subnet (1|2|3) Association.
Subscribe the RouteTableId property of each to the Public Route Table Component.
Subscribe the SubnetId property of each to the corresponding Public (1|2|3) Subnet Component.
Subscribe the region and credential properties to your AWS Region and AWS Credential.
Press Esc to return to the Grid.
Create a Route Component
Add an AWS::EC2::Route Component to the Grid.
Set the Component name to Route to Internet.
Subscribe the RouteTableId property to the Public Route Table Component.
Set DestinationCidrBlock to 0.0.0.0/0.
Subscribe the GatewayId property to the InternetGatewayId of the IGW Component. This default route is what makes the three subnets "public": traffic to any address not inside the VPC leaves through the Internet Gateway.
Subscribe the region and credential properties to your AWS Region and AWS Credential.
Press Esc to return to the Grid.
Current State of Play
Let's take a look at what we have in our Workspace so far.
You can see all the Components you have created so far, listed in descending order. In the Actions panel on the right hand side there are 17 Actions queued, one for each real-world AWS resource that will be created once you apply your Change Set: the VPC, 3 Subnets, 3 Elastic IPs, 3 NAT Gateways, the Internet Gateway and its attachment, the Public Route Table, 3 Subnet associations and the Route.
If you click the Map button in the top left of the Grid, you see the visual relationships between the Components you are creating:
Where the Components are placed on this Map is determined by the dependent property Subscriptions.
Create the Private Subnet Components
On the Map, press the N key, search for Subnet, select AWS::EC2::Subnet and press Enter.
As we need 3 Private Subnets, press Esc to return to the Map from the Component editor, then right click the new Subnet Component and Duplicate it twice.
Configure the 3 Private Subnets as follows:
Component Name | CidrBlock | AvailabilityZone
---|---|---
Private 1 | 10.0.0.0/19 | us-east-1a
Private 2 | 10.0.32.0/19 | us-east-1b
Private 3 | 10.0.64.0/19 | us-east-1c
Leave MapPublicIpOnLaunch unset (the AWS default is false) so instances in these subnets never receive a public IP; they will reach the internet only through the NAT Gateway in their zone.
Subscribe the VpcId property of each Private Subnet to the VpcId of the How to VPC Component.
Subscribe the region and credential properties of each Private Subnet to your AWS Region and AWS Credential.
Here you can see the 3 Private Subnet Components and their property Subscriptions. Click the Grid button in the top left of the screen to return to the Grid.
Create the Private Route Table Components
For each of the Private Subnets, we will need to create an AWS::EC2::RouteTable Component, because each one routes through a different NAT Gateway.
Set the names to Private Route Table (1|2|3). The index should align with the Subnet.
Subscribe the VpcId property of each Private Route Table to the VpcId of the How to VPC Component.
Subscribe the region and credential properties of each Private Route Table to your AWS Region and AWS Credential.
Create the Private Route Components
Add an AWS::EC2::Route Component for each of the Private Route Table Components.
Set the Component names to Route to Internet (1|2|3). The index should align with the Private Route Tables you just created.
Subscribe the RouteTableId property to the RouteTableId of the corresponding Private Route Table Component.
Set DestinationCidrBlock to 0.0.0.0/0.
Subscribe the NatGatewayId property to the NatGatewayId of the corresponding NAT Gateway Component. E.g. Route to Internet 1 subscribes to the NatGatewayId of the NAT Gateway 1 Component. Because NAT Gateway 1 sits in Public 1 (us-east-1a), Private 1 (also us-east-1a) keeps its egress inside its own availability zone.
Subscribe the region and credential properties to your AWS Region and AWS Credential.
Press Esc to return to the Grid.
Create the Private Subnet Route Table Associations
Add an AWS::EC2::SubnetRouteTableAssociation Component for each of the Private Route Table Components.
Set the name of each of the association Components to Private (1|2|3) Association.
Subscribe the RouteTableId property to the RouteTableId of the corresponding Private Route Table Component.
Subscribe the SubnetId property to the SubnetId of the corresponding Private Subnet Component.
Subscribe the region and credential properties to your AWS Region and AWS Credential.
Press Esc to return to your Grid.
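Before applying, it is worth checking the plan the steps above describe against the properties that make it work. The following Python script is an added example, not part of System Initiative or of the original guide: it models the Components as plain data (the dictionary layout is this example's own assumption; the names, CIDRs and zones are the ones used above) and checks that every subnet CIDR sits inside the VPC CIDR without overlapping another, that every availability zone has exactly one public and one private subnet, that the public route table defaults to the Internet Gateway, and that every private subnet's default route goes to a NAT Gateway placed in a public subnet in the same zone. It also checks that no subnet is left without a route table association (an unassociated subnet silently falls back to the VPC's main route table).

```python
"""Sanity-check the VPC plan from the guide (added example, not project code)."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Subnets exactly as configured in the two tables of the guide.
SUBNETS = {
    "Public 1":  {"cidr": "10.0.128.0/20", "az": "us-east-1a", "public": True},
    "Public 2":  {"cidr": "10.0.144.0/20", "az": "us-east-1b", "public": True},
    "Public 3":  {"cidr": "10.0.160.0/20", "az": "us-east-1c", "public": True},
    "Private 1": {"cidr": "10.0.0.0/19",   "az": "us-east-1a", "public": False},
    "Private 2": {"cidr": "10.0.32.0/19",  "az": "us-east-1b", "public": False},
    "Private 3": {"cidr": "10.0.64.0/19",  "az": "us-east-1c", "public": False},
}

# NAT Gateway -> the public subnet its SubnetId subscribes to.
NAT_GATEWAYS = {
    "NAT Gateway 1": "Public 1",
    "NAT Gateway 2": "Public 2",
    "NAT Gateway 3": "Public 3",
}

# Route tables: associated subnets and where the 0.0.0.0/0 route points.
ROUTE_TABLES = {
    "Public Route Table":    {"subnets": ["Public 1", "Public 2", "Public 3"],
                              "default": ("igw", "IGW")},
    "Private Route Table 1": {"subnets": ["Private 1"], "default": ("nat", "NAT Gateway 1")},
    "Private Route Table 2": {"subnets": ["Private 2"], "default": ("nat", "NAT Gateway 2")},
    "Private Route Table 3": {"subnets": ["Private 3"], "default": ("nat", "NAT Gateway 3")},
}


def check_cidrs(vpc_cidr, subnets):
    """Every subnet must lie inside the VPC CIDR; no two subnets may overlap."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(s["cidr"]) for name, s in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def check_az_coverage(subnets):
    """Each availability zone must have exactly one public and one private subnet."""
    problems = []
    for az in sorted({s["az"] for s in subnets.values()}):
        pub = [n for n, s in subnets.items() if s["az"] == az and s["public"]]
        priv = [n for n, s in subnets.items() if s["az"] == az and not s["public"]]
        if len(pub) != 1 or len(priv) != 1:
            problems.append(f"{az}: public={pub} private={priv}")
    return problems


def check_routing(subnets, nat_gateways, route_tables):
    """Public subnets default to the IGW; private subnets default to a same-AZ NAT Gateway."""
    problems = []
    associated = []
    for rt_name, rt in route_tables.items():
        kind, target = rt["default"]
        for sn in rt["subnets"]:
            associated.append(sn)
            s = subnets[sn]
            if s["public"] and kind != "igw":
                problems.append(f"{sn} is public but {rt_name} defaults to {target}")
            if not s["public"]:
                if kind != "nat":
                    problems.append(f"{sn} is private but {rt_name} defaults to {target}")
                    continue
                nat_subnet_name = nat_gateways[target]
                nat_subnet = subnets[nat_subnet_name]
                if not nat_subnet["public"]:
                    problems.append(f"{target} sits in private subnet {nat_subnet_name}")
                if nat_subnet["az"] != s["az"]:
                    problems.append(
                        f"{sn} ({s['az']}) routes via {target} in {nat_subnet['az']}")
    missing = sorted(set(subnets) - set(associated))
    if missing:
        problems.append(f"subnets with no route table association: {missing}")
    return problems


def validate(vpc_cidr=VPC_CIDR, subnets=SUBNETS,
             nat_gateways=NAT_GATEWAYS, route_tables=ROUTE_TABLES):
    """Return every problem found; an empty list means the plan is sound."""
    return (check_cidrs(vpc_cidr, subnets)
            + check_az_coverage(subnets)
            + check_routing(subnets, nat_gateways, route_tables))


if __name__ == "__main__":
    issues = validate()
    print("plan OK" if not issues else "\n".join(issues))
```

Running the script on the guide's values prints "plan OK". Pointing NAT Gateway 1 at Public 2 instead, or shrinking the VPC to a /17 so the public /20s fall outside it, produces a one-line description of each fault, which is the kind of mistake that is easy to make while duplicating Components and hard to spot on the Map.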
Apply your Change Set
Now you can see a scrollable list of 29 pending Create Actions, and all of the individual Components on the Grid required for you to create your How to VPC!
You can also view the Map to see all of your Components:
Now click the Apply Change Set button to:
- Create a VPC
- Create 6 Subnets
- Create an Internet Gateway and the VPC Gateway Attachment
- Create 3 Elastic IPs and 3 NAT Gateways
- Create 4 Route Tables, 6 Subnet Route Table Associations and 4 Routes
Explore your resources
You can review the completed AWS resources by clicking into your Components and viewing the Resource sub-panel for each of your new resources.
Clean Up
Create a new Change Set called Clean up VPC How-to.
Press Cmd/Ctrl + A on the Grid to select all Components, then click Delete.
Click Apply Change Set.
All your new resources should be deleted from your AWS account. Confirm in the AWS console that no NAT Gateways or Elastic IPs remain, as both are billed hourly while they exist.
Vocabulary
In this guide, pieces of System Initiative Vocabulary are shown with a capital letter. All definitions for these can be found here: System Initiative - Vocabulary