AWS Technical Essentials – Lab 3: Create a VPC and Launch a Web Application in it
© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.
Note: Do not include any personal, identifying, or confidential information into the lab environment. Information entered may be visible to others.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Objectives
After completing this lab, you will be able to:
- Navigate to the Amazon Virtual Private Cloud (Amazon VPC) Dashboard
- Set up a new Amazon VPC with four subnets (two public and two private)
- Set up two route tables (one public and one private)
- Launch an Amazon Elastic Compute Cloud (Amazon EC2) instance inside the new VPC
Prerequisites
This lab requires:
- Notebook computer with Wi-Fi and Microsoft Windows, macOS, or Linux (Ubuntu, SuSE, or Red Hat)
- Administrator access (Microsoft Windows users)
- Internet browser, such as Chrome, Firefox, or Internet Explorer 9 or later
Note: Tablet devices cannot access the lab environment, although they can display student guides.
Duration
This lab requires 30 minutes to complete.
Scenario
In this scenario, you will create the underlying network architecture needed to run a web application on an Amazon EC2 instance.
Start lab
- To launch the lab, at the top of the page, choose Start Lab.
This starts the process of provisioning the lab resources. An estimated amount of time to provision the lab resources is displayed. You must wait for the resources to be provisioned before continuing.
If you are prompted for a token, use the one distributed to you (or credits you have purchased).
- To open the lab, choose Open Console.
The AWS Management Console sign-in page opens in a new web browser tab.
- On the Sign in as IAM user page:
- For IAM user name, enter .
- For Password, copy and paste the Password value listed to the left of these instructions.
- Choose Sign in.
Do not change the Region unless instructed.
Common sign-in errors
Error: You must first sign out
If you see the message, You must first log out before logging into a different AWS account:
- Choose the click here link.
- Close your Amazon Web Services Sign In web browser tab and return to your initial lab page.
- Choose Open Console again.
Error: Choosing Start Lab has no effect
In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button from working as intended. If you experience an issue starting the lab:
- Add the lab domain name to your pop-up or script blocker's allow list or turn it off.
- Refresh the page and try again.
Task 1: Create a Virtual Private Cloud
In this task, you will use the Amazon VPC Wizard to create a VPC, an internet gateway, and two subnets in a single Availability Zone (AZ). An internet gateway is a VPC component that allows communication between instances in your VPC and the internet.
Note: You must use the same Region throughout the lab.
After creating a VPC, you can add subnets. Each subnet resides entirely within one Availability Zone and cannot span zones. If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet. If a subnet does not have a route to the internet gateway, the subnet is known as a private subnet.
The wizard also creates a NAT gateway, which provides internet connectivity to Amazon EC2 instances in private subnets.
Before you can provision your VPC using the wizard, you must first create an Elastic IP address.
An Elastic IP address is a static, publicly routable, IPv4 address designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account, and it is yours until you release it. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. Alternatively, you can specify the Elastic IP address in a DNS record for your domain, so your domain points to your instance.
Having an Elastic IP address is a requirement for the creation of the NAT gateway — the VPC Wizard needs it to create the VPC.
To create an Elastic IP address, do the following:
In the AWS Management Console, on the Services menu, choose EC2.
In the left navigation pane, locate the Network & Security section, and choose Elastic IPs.
Choose Allocate Elastic IP address.
Choose Allocate.
Next, you will create a VPC using the VPC Wizard.
In the AWS Management Console, choose the Services menu, and choose VPC.
Choose Launch VPC Wizard.
On the Create VPC page, under the VPC settings section, configure the following:
Important! Do not modify any other fields.
- Resources to create: Choose VPC, subnets, etc.
- Under Name tag auto-generation: De-select Auto-generate
- Availability Zones (AZs): Choose 1
- Number of public subnets: Choose 1 and expand Customize public subnets CIDR blocks and replace 10.0.0.0/20 with
- Number of private subnets: Choose 1 and expand Customize private subnets CIDR blocks and replace 10.0.128.0/20 with
- NAT gateways ($): Choose In 1 AZ
- VPC endpoints: Choose None
- Choose Create VPC.
The wizard will create your VPC.
- Keep a note of the VPC ID.
Note: The VPC creation might take a few minutes. Wait until the VPC is successfully created before continuing.
- Choose View VPC.
The VPC Wizard should have provisioned a VPC with a public subnet and a private subnet in the same Availability Zone, with route tables for each subnet, as shown.
Public Subnet 1 has a CIDR of 10.0.0.0/24, which means that it contains all IP addresses starting with 10.0.0.x.
Private Subnet 1 has a CIDR of 10.0.1.0/24, which means that it contains all IP addresses starting with 10.0.1.x.
Once the VPC is created, in the left navigation section, locate the VIRTUAL PRIVATE CLOUD section, and select Your VPCs.
Search for the VPC ID that you noted in a previous step.
Locate the Name column for your VPC ID, choose the pencil icon, type .
Choose Save to confirm the input.
In the left navigation pane, locate the VIRTUAL PRIVATE CLOUD section, and choose Subnets.
Select the subnet that belongs to Lab VPC and has the IPv4 CIDR 10.0.0.0/24. If necessary, expand the VPC column to view the VPC's full name.
Locate the subnet's Name column, choose the pencil icon, type .
Choose Save to confirm the input.
Select the subnet that belongs to Lab VPC and has the IPv4 CIDR 10.0.1.0/24. If necessary, expand the VPC column to view the VPC's full name.
Locate the subnet's Name column, choose the pencil icon, type .
Choose Save to confirm the input.
Task 2: Create Additional Subnets
In this task, you will create two additional subnets in a second Availability Zone. You will then be able to create resources in multiple Availability Zones to provide high availability.
To start, you will create a second public subnet.
In the left navigation pane, locate the VIRTUAL PRIVATE CLOUD section, and choose Subnets.
In the top-right area of your window, choose Create subnet.
For the VPC ID option, choose .
Next, configure the following subnet settings:
- Subnet name:
- Availability Zone: Select the second Availability Zone
- IPv4 CIDR block:
Public Subnet 2 will have IP addresses that start with 10.0.2.x.
- Choose Create subnet.
You will now create a second private subnet.
In the top-right area of your window, choose Create subnet.
For the VPC ID option, choose .
Next, configure the following subnet settings:
- Subnet name:
- Availability Zone: Select the second Availability Zone
- IPv4 CIDR block:
Private Subnet 2 will have IP addresses that start with 10.0.3.x.
- Choose Create subnet.
You will now configure the private subnets to route internet-bound traffic to the NAT gateway. This will enable the resources in the private subnets to connect to the internet, while keeping the resources private. To do this, you configure a route table.
A route table contains a set of rules, called routes, that determine where network traffic is directed. Each subnet in a VPC must be associated with a route table. The route table controls routing for the subnet.
In the left navigation pane, locate the VIRTUAL PRIVATE CLOUD section, and choose Route Tables.
Expand the Explicit subnet associations column to view the subnet associations.
Select the route table whose Explicit subnet associations column lists Private Subnet 1.
In the lower pane, choose the Routes tab.
Destination 0.0.0.0/0 is set to Target nat-xxxxxxxx. This means that traffic destined for the internet (0.0.0.0/0) will be sent to the NAT gateway. The NAT gateway will then forward the traffic to the internet. This route table is being used to route traffic from private subnets.
You will now add a name to the route table so you can recognize it later.
- In the lower pane, choose the Subnet associations tab.
You will now associate the route table to the private subnets.
In the lower pane, locate the Explicit subnet associations section, and choose Edit subnet associations.
Select both Private Subnet 1 and Private Subnet 2.
You can expand the Subnet ID column to view the subnets' full names.
- Choose Save associations.
You will now configure the route table used by the public subnets.
At the top of the screen, select the route table whose Explicit subnet associations column lists Public Subnet 1. (If necessary, expand the Explicit subnet associations column to view the subnet associations.)
In the lower pane, choose the Routes tab.
Destination 0.0.0.0/0 is set to Target igw-xxxxxxxx, which is the internet gateway. This means that internet-bound traffic will be sent straight to the internet through the internet gateway.
You will now associate the route table to the public subnets.
In the lower pane, choose the Subnet associations tab.
In the lower pane, locate the Explicit subnet associations section, and choose Edit subnet associations.
Select both Public Subnet 1 and Public Subnet 2.
Choose Save associations.
Your VPC now has public and private subnets configured in two Availability Zones, as shown.
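The public/private distinction above is entirely a property of the route table a subnet is associated with: a 0.0.0.0/0 route to an igw- target makes the subnet public, a 0.0.0.0/0 route to a nat- target makes it private. The following Python is an added example, not part of the lab guide: it models the VPC as Tasks 1 and 2 leave it (the four lab subnet CIDRs; the VPC CIDR 10.0.0.0/16 and the igw-EXAMPLE/nat-EXAMPLE ids are assumed placeholders), resolves a destination with longest-prefix matching the way a route table does, classifies each subnet, and checks that the subnet CIDRs fit inside the VPC without overlapping.

```python
import ipaddress

# Added example (not from the lab guide): a model of the VPC as Tasks 1-2 leave it.
# The VPC CIDR and the igw-/nat- ids are assumed; the subnet CIDRs are the lab's.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {
    "Public Subnet 1": "10.0.0.0/24", "Private Subnet 1": "10.0.1.0/24",
    "Public Subnet 2": "10.0.2.0/24", "Private Subnet 2": "10.0.3.0/24",
}
ROUTE_TABLES = {
    "public-rt": {"routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"},
                  "subnets": ["Public Subnet 1", "Public Subnet 2"]},
    "private-rt": {"routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"},
                   "subnets": ["Private Subnet 1", "Private Subnet 2"]},
}

def route_table_for(subnet, tables=ROUTE_TABLES):
    """A subnet must be associated with exactly one route table."""
    owners = [name for name, t in tables.items() if subnet in t["subnets"]]
    if len(owners) != 1:
        raise ValueError(f"{subnet} is associated with {len(owners)} route tables")
    return owners[0]

def next_hop(table, dst, tables=ROUTE_TABLES):
    """Longest-prefix match: the most specific route covering dst wins."""
    dst, best = ipaddress.ip_address(dst), None
    for cidr, target in tables[table]["routes"].items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify(subnet, tables=ROUTE_TABLES):
    """Public: internet-bound traffic leaves via an internet gateway (igw-).
    Private: it leaves via a NAT gateway (nat-). Isolated: no route out at all."""
    target = next_hop(route_table_for(subnet, tables), "203.0.113.10", tables)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private" if target.startswith("nat-") else f"via {target}"

def cidr_problems(subnets=SUBNETS, vpc=VPC_CIDR):
    """Every subnet must sit inside the VPC CIDR and none may overlap another."""
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = [f"{n} {net} lies outside {vpc}" for n, net in nets.items()
                if not net.subnet_of(vpc)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems
```

The 203.0.113.10 probe address is an arbitrary non-VPC (documentation-range) address; any address outside 10.0.0.0/16 falls through to the 0.0.0.0/0 route.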
Task 3: Create a VPC Security Group
In this task, you will create a VPC security group, which acts like a virtual firewall. When you launch an instance, you associate one or more security groups with the instance. You can add rules to each security group that allow traffic to or from its associated instances.
In the left navigation pane, locate the Security section, and choose Security Groups.
In the top-right area of your window, choose Create security group, and then configure the following:
- Security group name:
- Description:
- VPC: Lab VPC
You will now add a rule to the security group to allow inbound web requests.
- In the Inbound rules section, choose Add rule, and then configure the following:
- Type: HTTP
- Source: Anywhere-IPv4
- Description:
- Scroll to the bottom, and choose Create security group.
You will use this security group in the next task when you launch an Amazon EC2 instance.
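A security group is an allow list: traffic is admitted only if some inbound rule matches its protocol, port and source, and everything else is dropped, which is why the lab's single HTTP rule is enough for the web application and why port 22 stays closed. The following Python is an added example, not part of the lab guide: it evaluates inbound rules the way the security group does, lists the ports reachable from any internet host, and flags world-open ports beyond the one the application serves. LAB_RULES mirrors the lab's rule; the two variants and the 203.0.113.0/24 admin network are constructed for illustration.

```python
import ipaddress

# Added example (not from the lab guide): evaluating security-group inbound rules.
# LAB_RULES mirrors the lab's one rule (HTTP from Anywhere-IPv4); the other two
# rule sets are constructed to show what a reviewer should reject and accept.
ANYWHERE = ("0.0.0.0/0", "::/0")
LAB_RULES = [{"proto": "tcp", "from": 80, "to": 80, "src": "0.0.0.0/0"}]
SSH_FROM_WORLD = LAB_RULES + [{"proto": "tcp", "from": 22, "to": 22, "src": "0.0.0.0/0"}]
# Hardened variant: SSH admitted only from an assumed admin network.
SSH_FROM_ADMIN = LAB_RULES + [{"proto": "tcp", "from": 22, "to": 22, "src": "203.0.113.0/24"}]

def allows(rules, proto, port, src_ip):
    """Security groups are allow lists: one matching rule admits the packet,
    and an absent rule (like the lab's missing port 22 rule) denies it."""
    ip = ipaddress.ip_address(src_ip)
    return any(r["proto"] == proto and r["from"] <= port <= r["to"]
               and ip in ipaddress.ip_network(r["src"]) for r in rules)

def world_open_ports(rules):
    """Ports reachable from any internet host (source 0.0.0.0/0 or ::/0)."""
    ports = set()
    for r in rules:
        if r["src"] in ANYWHERE:
            ports.update(range(r["from"], r["to"] + 1))
    return ports

def findings(rules, intended_public=frozenset({80})):
    """Any world-open port beyond what the web app must serve is a finding."""
    extra = world_open_ports(rules) - intended_public
    return [f"port {p} open to the world" for p in sorted(extra)]
```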
Task 4: Launch Your Amazon EC2 Instance
In this task, you will start your EC2 instance and provide bootstrap information for the web application to launch. You will also enable SSH (Secure Shell) access to the instance.
Step 1: Choose an Amazon Machine Image (AMI)
In the AWS Management Console, choose the Services menu, and then choose EC2. Alternatively, you can type the service name in the Search box to access it.
In the left navigation pane, in the Instances section, choose Instances.
Choose the Launch instances drop-down, and then select Launch instances.
At the top right of the screen, choose the Opt-out to the old experience button to use the old launch instances UI.
At the top of the list, find Amazon Linux 2 AMI (HVM), SSD Volume Type, make sure the 64-bit(x86) option is selected, and choose Select.
Step 2: Choose an Instance Type
- Select (make sure it is ). By default, this should be selected. This instance type has one virtual CPU and 1 GiB of memory.
Note: If is not available, choose or .
- Choose Next: Configure Instance Details.
Step 3: Configure Instance Details
This page contains settings that help you configure instance requirements, including networking and monitoring settings.
The Network setting specifies the VPC in which an instance will be launched. You can have multiple networks, such as networks for development, testing, and production.
- For Network, select .
- For Subnet, select (not Private).
For Auto-assign Public IP, select . This setting assigns a public IP address to the instance, so you can access the application in your browser.
Scroll down to the Advanced Details section, and locate the User data field.
When you launch an instance, you can pass user data to the instance. The data can be used to run common automated configuration tasks and scripts.
Your instance runs Amazon Linux, so you will provide a shell script that will run when the instance starts. This script installs the application's required dependencies. It also launches the application, so you can access it in your browser.
- Copy the following script, and paste it into the User data field. To copy the script, you can use the Clipboard button, located in the top-right corner of the code box.
#!/bin/bash -ex
# Update yum
yum -y update
# Add node's source repo
curl -sL https://rpm.nodesource.com/setup_15.x | bash -
# Install nodejs
yum -y install nodejs
# Create a dedicated directory for the application
mkdir -p /var/app
# Get the app from S3
wget https://aws-tc-largeobjects.s3-us-west-2.amazonaws.com/ILT-TF-100-TECESS-5/app/app.zip
# Extract it to the desired folder
unzip app.zip -d /var/app/
cd /var/app/
# Install dependencies
npm install
# Start the app
npm start
This script performs the following tasks:
- Installs system updates
- Installs a source repository so the Node.js installer can be downloaded
- Installs Node.js
- Downloads the application code
- Creates a dedicated directory for the web application
- Downloads and deploys (extracts) the application into the specified directory
- Installs the application dependencies
- Sets the port that the application listens to
- Starts the web application
- Choose Next: Add Storage.
Step 4: Add Storage
Amazon EC2 stores data on a network-attached virtual disk called Amazon Elastic Block Store (Amazon EBS).
You will launch the Amazon EC2 instance using a default 8-GiB disk volume. This will be your root volume, also known as a boot volume.
- Choose Next: Add Tags.
Step 5: Add Tags
Tags can categorize AWS resources in various ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can identify a specific resource based on its tags. For each tag, you define a key and a value.
- Choose Add Tag, and then add the following key and value text:
- Key:
- Value:
- Choose Next: Configure Security Group.
Step 6: Configure a Security Group
A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify security group rules at any time. New rules automatically apply to all instances that are associated with the security group.
- Configure the following fields as shown:
- Assign a security group: .
- Select for the security group you created in the previous task. (The one with the name: .)
- Choose Review and Launch.
Note: A warning states that you will not be able to connect to the instance because inbound traffic on port 22 is not enabled in your security group. In this task, you don't need to connect to the instance, so you can ignore the warning.
- Choose Continue.
Step 7: Review Instance Launch
The Review page displays the configuration for the instance you are about to launch.
- Choose Launch.
A Select an existing key pair or create a new key pair window will appear.
Amazon EC2 uses public key cryptography to encrypt and decrypt login information. To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance.
In this lab, you will not need to connect to the instance.
In the Choose an existing key pair dropdown, select Proceed without a key pair.
Select the following option:
I acknowledge that without a key pair, I can connect to this instance only by using EC2 Instance Connect or if I know the password built into the AMI.
- Choose Launch Instances.
Your instance will launch.
- Choose View Instances.
The instance should appear in a Pending or Initializing state, which means it is being launched. When its state changes to Running, the instance is booting. After a short time, you can access the instance.
- To see the details, choose your Web Application instance.
To show more or less information in the Details tab, drag the window divider.
Review the instance's details, including the instance type, security settings, network settings, and so forth.
Wait for your instance to display the following:
- Instance state: Running
- Status check: 2/2 checks passed
Note: You might need to choose the Refresh button at the top to see the status changes.
In the Details tab, locate the Public IPv4 address section, and copy the IP address.
In a new browser tab, type in the address bar, and then paste the IP address you copied in the previous step. You should see the following application screen.
Note: If you use the open address link, your browser might try to browse to the application using , which won't work. The application can only be accessed using on port .
Lab Complete
Congratulations! You completed the lab.
End lab
Follow these steps to close the console, end your lab, and evaluate your lab experience.
Return to the AWS Management Console.
At the upper-right corner of the page, choose awsstudent@<AccountNumber>, and then choose Sign out.
Choose End Lab.
Choose OK.
(Optional):
- Select the applicable number of stars to rate your lab experience.
- 1 star = Very dissatisfied
- 2 stars = Dissatisfied
- 3 stars = Neutral
- 4 stars = Satisfied
- 5 stars = Very satisfied
- Enter a comment.
- Choose Submit.
You can close the window if you don't want to provide feedback.
Additional Resources
- For more information about Amazon VPCs, see Amazon Virtual Private Cloud.
- For more information about AWS Training and Certification, see http://aws.amazon.com/training/.