Network As A Service in Aws using Terraform

Rupali Gurjar
10 min read · Sep 11, 2020

AWS VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

Subnet

A subnet is a "part of the network"; in other words, it is a part of a single Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones.

A subnet is a range of IP addresses in your VPC.

  1. Public Subnet :- If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.
  2. Private Subnet :- If a subnet doesn’t have a route to the internet gateway, the subnet is known as a private subnet.

Route Table

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.

Internet Gateway

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An internet gateway supports IPv4 and IPv6 traffic.

Nat Gateway

A NAT Gateway (Network Address Translation Gateway) is used to enable instances in a private subnet to connect to the internet or to AWS services. In addition, the gateway makes sure that the internet cannot initiate a connection with those instances. NAT Gateway is a fully managed Amazon service that doesn't require any effort from the administrator.

NAT gateways don't support IPv6 traffic. For IPv6 traffic, an egress-only internet gateway needs to be used (which is another service).

Task Overview

Perform task 3 with an additional feature: a NAT Gateway that provides internet access to instances running in the private subnet.

Performing the following steps:

1. Write Infrastructure as Code using Terraform, which automatically creates a VPC.

2. In that VPC we have to create 2 subnets:

1. public subnet [ Accessible for Public World! ]

2. private subnet [ Restricted for Public World! ]

3. Create a public-facing internet gateway to connect our VPC/network to the internet, and attach this gateway to our VPC.

4. Create a routing table for the internet gateway so that instances can connect to the outside world; update it and associate it with the public subnet.

5. Create a NAT gateway to connect our VPC/network to the internet, and place this gateway in the public subnet of our VPC.

6. Update the routing table of the private subnet so that, to access the internet, it uses the NAT gateway created in the public subnet.

7. Launch an EC2 instance which already has WordPress set up, with a security group allowing port 80 so that our clients can connect to our WordPress site. Also attach the key to the instance for logging in to it later.

8. Launch an EC2 instance which already has MySQL set up, with a security group allowing port 3306, in the private subnet so that our WordPress VM can connect to it. Also attach the key to it.

Note: the WordPress instance has to be part of the public subnet so that our clients can connect to our site.

The MySQL instance has to be part of the private subnet so that the outside world can't connect to it.

Don't forget to enable the auto-assign public IP and auto-assign DNS hostname options.

Task Description

Let's begin the task!

For a better understanding of this task, you can have a look at my task 3.

First of all, it is always good practice to make a separate workspace so that we can manage things easily.

Now let's write the Terraform code for this whole setup.

To use AWS resources by writing Terraform code, we have to authenticate using an AWS IAM user. I have explained in detail how to create an IAM user and profile in my task 3.

Now we will use that profile here:

provider "aws" {
  region  = "ap-south-1"
  profile = "vaishali"
}

Step 1 : Write Infrastructure as Code using Terraform, which automatically creates a VPC.

Here we have to give a range of IP addresses, known as a CIDR block.

resource "aws_vpc" "main" {
  cidr_block       = "192.168.0.0/16"
  instance_tenancy = "default"
  tags = {
    Name = "rupsvpc"
  }
}

This creates a VPC in the AWS cloud.

Step 2 : In that VPC we have to create 2 subnets:

1. public subnet [ Accessible for Public World! ]

2. private subnet [ Restricted for Public World! ]

Public subnet :- we have created this subnet in the ap-south-1a zone with the IP address range "192.168.0.0/24". Setting map_public_ip_on_launch makes instances launched here receive a public IP automatically.

resource "aws_subnet" "subnet1" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.0.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true
  tags = {
    Name = "public_subnet"
  }
}

Private subnet :- we have created this subnet in ap-south-1b with the IP address range "192.168.1.0/24".

resource "aws_subnet" "subnet2" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "ap-south-1b"
  tags = {
    Name = "private_subnet"
  }
}

Step 3 : Create a public-facing internet gateway to connect our VPC/network to the internet, and attach this gateway to our VPC.

We have created an internet gateway and attached it to our VPC.

resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id
  tags = {
    Name = "in_gateway"
  }
}

Step 4 : Create a routing table for the internet gateway so that instances can connect to the outside world; update it and associate it with the public subnet.

Here we create a routing table, add a default route (0.0.0.0/0) pointing at the internet gateway, and associate the table with the public subnet so that it can reach the outside world.

resource "aws_route_table" "public_route_table" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "rupspublic_route_table"
  }
}

resource "aws_route_table_association" "a1" {
  subnet_id      = aws_subnet.subnet1.id
  route_table_id = aws_route_table.public_route_table.id
}

resource "aws_route" "r1" {
  route_table_id         = aws_route_table.public_route_table.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.gw.id
}

Step 5 : Create a NAT gateway to connect our VPC/network to the internet, and place this gateway in the public subnet of our VPC.

To create a NAT gateway, we first have to allocate an Elastic IP in this VPC.

resource "aws_eip" "eip" {
  # Allocates the EIP in the VPC scope. Newer AWS provider versions (5.x)
  # replace this argument with domain = "vpc".
  vpc = true
}

NAT Gateway :- we attach that Elastic IP to it and create the gateway in the public subnet, so that it can reach the internet through the internet gateway.

resource "aws_nat_gateway" "nat_gw" {
  allocation_id = aws_eip.eip.id
  subnet_id     = aws_subnet.subnet1.id # must be the public subnet
  tags = {
    Name = "NAT gw"
  }

  # The NAT gateway only has a path to the internet once the internet
  # gateway is attached, so create it after the gateway.
  depends_on = [aws_internet_gateway.gw]
}

Step 6 : Update the routing table of the private subnet so that, to access the internet, it uses the NAT gateway created in the public subnet.

resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "rupsprivate_route_table"
  }
}

resource "aws_route_table_association" "a2" {
  subnet_id      = aws_subnet.subnet2.id
  route_table_id = aws_route_table.private_route_table.id
}

resource "aws_route" "r2" {
  route_table_id         = aws_route_table.private_route_table.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat_gw.id
}
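The public/private distinction from steps 4 to 6 can be verified after the apply rather than assumed. The following is an added example, not code from the article: it applies the article's own rule (default route to an internet gateway means public, default route through a NAT gateway means private) to a constructed snippet shaped like `aws ec2 describe-route-tables` output, and then checks that every NAT gateway sits in a public subnet. All resource ids are made up.

```python
"""Classify subnets from route-table data and check NAT gateway placement.

Added example (not from the article). Input shapes follow the AWS CLI
describe-route-tables / describe-nat-gateways JSON; all ids are constructed.
"""
import json

# Constructed sample mirroring the article's public and private route tables,
# plus a subnet with no default route at all.
ROUTE_TABLES_JSON = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-public-example",
     "Associations": [{"SubnetId": "subnet-public-example"}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private-example",
     "Associations": [{"SubnetId": "subnet-private-example"}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    {"RouteTableId": "rtb-isolated-example",
     "Associations": [{"SubnetId": "subnet-isolated-example"}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"}]},
]})

# Constructed sample in the shape of describe-nat-gateways output.
NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public-example"}]


def classify_subnets(route_tables_json):
    """Map each associated subnet to 'public', 'private' or 'isolated'."""
    result = {}
    for rt in json.loads(route_tables_json)["RouteTables"]:
        default = next((r for r in rt["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            kind = "isolated"          # no default route at all
        elif default.get("GatewayId", "").startswith("igw-"):
            kind = "public"            # default route to an internet gateway
        elif "NatGatewayId" in default:
            kind = "private"           # default route through a NAT gateway
        else:
            kind = "isolated"          # blackhole or some other target
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:    # the main-table association has no SubnetId
                result[assoc["SubnetId"]] = kind
    return result


def nat_gateways_in_public_subnets(route_tables_json, nat_gateways):
    """Step 5 check: a NAT gateway only works when placed in a public subnet."""
    kinds = classify_subnets(route_tables_json)
    return {n["NatGatewayId"]: kinds.get(n["SubnetId"]) == "public" for n in nat_gateways}
```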

Step 7 : Launch an EC2 instance which already has WordPress set up, with a security group allowing port 80 so that our clients can connect to our WordPress site. Also attach the key to the instance for logging in to it later.

Let's write the code for the key and the security group.

Key :- to create the key, we use the RSA algorithm.

resource "tls_private_key" "this" {
  algorithm = "RSA"
}

module "key_pair" {
  source     = "terraform-aws-modules/key-pair/aws"
  key_name   = "rups-deployer-key"
  public_key = tls_private_key.this.public_key_openssh
}

Security Group :- we have to allow inbound traffic on ports 80 and 22.

resource "aws_security_group" "sg1" {
  name        = "sg_wordpress"
  description = "Allow SSH and HTTP to the WordPress instance"
  vpc_id      = aws_vpc.main.id

  # A single port needs from_port == to_port; from_port = 0 would open
  # every port from 0 up to to_port.
  ingress {
    description = "ssh"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "http"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "sg_wordpress"
  }
}

Now write the code for the WordPress instance.

resource "aws_instance" "wordpress" {
  ami                    = "ami-7e257211"
  instance_type          = "t2.micro"
  key_name               = "rups-deployer-key" # must match key_name given to module "key_pair"
  vpc_security_group_ids = [aws_security_group.sg1.id]
  subnet_id              = aws_subnet.subnet1.id # public subnet

  tags = {
    Name = "wordpress-os"
  }
}

Step 8 : Launch an EC2 instance which already has MySQL set up, with a security group allowing port 3306, in the private subnet so that our WordPress VM can connect to it. Also attach the key to it.

Security group :-

resource "aws_security_group" "sg2" {
  name        = "sg_mysql"
  description = "Allow MYSQL"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "MYSQL/Aurora"
    from_port   = 3306 # single port, so from_port == to_port
    to_port     = 3306
    protocol    = "tcp"
    # The private subnet has no inbound route from the internet, so in practice
    # only VPC traffic reaches this port. To limit it to the WordPress instance,
    # replace cidr_blocks with: security_groups = [aws_security_group.sg1.id]
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "ssh"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "sg_mysql"
  }
}
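The two security groups above (sg_wordpress and sg_mysql) are a good target for an automated check before `terraform apply`. The following is an added example, not code from the article: it audits rules in the IpPermissions shape of `aws ec2 describe-security-groups` for a `from_port` of 0 that turns a single port into a range, and for a database or admin port open to 0.0.0.0/0, then shows the corrected form of each rule. The sample groups are constructed from the article's two groups exactly as they were first written, and `PUBLIC_OK` is an assumed policy choice.

```python
"""Audit security-group ingress rules (added example, not from the article).

Flags two issues seen in the article's sg_wordpress and sg_mysql groups:
from_port = 0 turning one port into a 0..N range, and an admin/database
port open to the whole Internet. Rule layout follows the IpPermissions
shape of describe-security-groups; all samples are constructed.
"""

PUBLIC_OK = {80, 443}  # assumed policy: ports allowed to face the whole Internet

# Constructed sample: the article's two groups exactly as first written.
SAMPLE_GROUPS = [
    {"GroupName": "sg_wordpress", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupName": "sg_mysql", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def audit_ingress(groups):
    """Return (group, from_port, to_port, finding) tuples, one per problem found."""
    findings = []
    for g in groups:
        for p in g["IpPermissions"]:
            if p["IpProtocol"] == "-1":
                continue  # all-traffic rules carry no ports; a separate policy question
            lo, hi = p["FromPort"], p["ToPort"]
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
            if lo != hi:
                findings.append((g["GroupName"], lo, hi, "port range instead of single port"))
            if world and not (lo == hi and lo in PUBLIC_OK):
                findings.append((g["GroupName"], lo, hi, "non-web port open to 0.0.0.0/0"))
    return findings


def tighten(rule, source_group_id):
    """Corrected rule: a single port, and non-web ports reachable only from a
    source security group (e.g. the WordPress group for 3306), not from 0.0.0.0/0."""
    fixed = dict(rule, FromPort=rule["ToPort"])
    if rule["ToPort"] not in PUBLIC_OK:
        fixed["IpRanges"] = []
        fixed["UserIdGroupPairs"] = [{"GroupId": source_group_id}]
    return fixed
```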

Now write the code for the MySQL instance.

resource "aws_instance" "mysql" {
  ami                    = "ami-08706cb5f68222d09"
  instance_type          = "t2.micro"
  key_name               = "rups-deployer-key" # must match key_name given to module "key_pair"
  vpc_security_group_ids = [aws_security_group.sg2.id]
  subnet_id              = aws_subnet.subnet2.id # private subnet
  tags = {
    Name = "mysql-os"
  }
}

Before running the Terraform code, we need to initialize the plugins using this command:

terraform init

To check whether there are any syntax errors, we can use this command:

terraform validate

Now, to create this whole infrastructure, we need to run this single command:

terraform apply -auto-approve

Now let's configure the WordPress site using the public IP.

Here we have to give the instance ID for verification.

Here we can set a password for WordPress; we will use this password to log in.

Now log in to create a web page.

Here we will use "Aurora" as the user name and the password that we have set.

Now we can write a new blog post here.

Here is the final Outcome !!

To destroy this setup, we again need only a single command:

terraform destroy -auto-approve

Hope you enjoy this Article !!

Here is My Github Link :- https://github.com/rups04/HybridCloud_Task4.git

Thanks for Reading :)
