The Amazon Virtual Private Cloud (Amazon VPC) feature lets you define a virtual network in the cloud that you can launch AWS resources into. An Amazon VPC is dedicated to your AWS account and is logically isolated from other virtual networks in the AWS cloud. You can configure your VPC to suit your particular needs by defining its IP address range, subnets, route tables, network (Internet) gateways, and other security settings.
An Amazon VPC offers the benefit of a scalable infrastructure while providing capabilities similar to a traditional network that you would operate on your own premises. Before proceeding with VPC setup in RightScale, we recommend you review the following documentation on the Amazon AWS website.
This document describes how to set up a Virtual Private Cloud (VPC) in Amazon Web Services (AWS) using the RightScale Network Manager. It is important to note that the network scenario described below has been simplified for demonstration purposes and that your particular VPC requirements may differ. For instance, only a single public subnet is included in this example, whereas multiple subnets (both public and private) may be required for your needs. In addition, AWS network Access Control Lists (ACLs) are not discussed or included in this example. We encourage you to examine the various scenarios documented by AWS in determining the proper configuration for your VPC.
The following sections outline the procedure for creating and configuring a simple Amazon VPC using RightScale.
The first step in setting up an Amazon VPC using RightScale is to create a network using the Network Manager. Creating a VPC includes specifying the set of IP addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block (for example, 10.0.0.0/16).
Next, we create an internet gateway and attach it to the network you created in the previous step. The role of the internet gateway is to enable your servers to connect to the Internet from within the VPC.
A subnet is a range of IP addresses within your VPC. When you configure a server in your VPC using RightScale, you specify a subnet into which that server will launch. You should create a public subnet for resources that must have access to the Internet, and a private subnet for resources that will not be connected to the Internet.
A security group can be thought of as a firewall for the RightScale servers running in your VPC. Security groups control inbound as well as outbound traffic at the instance level. Here we create a security group for the Network Address Translation (NAT) server that we will launch in a subsequent step.
NOTE: In addition to the above-mentioned security group rules, you may wish to temporarily add inbound/outbound rules for the Internet Control Message Protocol (ICMP), which will allow you to use tools like PING for testing and diagnostic purposes. For example, if you add an outbound ICMP rule with a CIDR of '0.0.0.0/0' to the NAT security group, you can then log in to the NAT server using SSH from RightScale and use PING to determine whether the internet is reachable from the NAT. Additionally, you could add an inbound rule for TCP port 22 (SSH) with an IP range that includes your corporate network as the source. This would allow inbound SSH access directly from your network. Finally, to handle inbound traffic from other instances assigned to this security group, you will need to create a rule for all inbound traffic for all protocols originating from the 'my-nat-secg' security group ID.
Next, we modify the default route table to route traffic through the internet gateway.
Next, we create an Elastic IP address, which enables the NAT instance to be reached from the Internet.
We now need to create and launch a NAT host within the public subnet so we can test our VPC and communicate with the external world.
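The steps above (VPC CIDR, public subnet, internet gateway, default route table, and the NAT security group with the rules described in the NOTE) are carried out in the RightScale Network Manager. The following is an added example, not RightScale's or AWS's own code, that checks such a plan offline before it is applied: it confirms each subnet lies inside the VPC CIDR and that subnets do not overlap, classifies a subnet as public or private from its default route, and reviews the security group rules for the points the NOTE raises (diagnostic ICMP rules that should be removed after testing, SSH that should be limited to the corporate range rather than the whole internet, and the required self-referencing rule). The plan structure, the rule fields, the target names "igw"/"nat"/"local", and the corporate CIDR 203.0.113.0/24 are assumptions made for this example; the VPC CIDR 10.0.0.0/16 and the group name 'my-nat-secg' come from the page.

```python
"""Offline review of a simple Amazon VPC plan (added example, not RightScale code).

Mirrors the page's procedure: a VPC with CIDR 10.0.0.0/16, one public subnet,
an internet gateway reached via the default route, and a NAT security group.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    direction: str        # "inbound" or "outbound"
    protocol: str         # "tcp", "udp", "icmp", or "all"
    port: Optional[int]   # None for icmp / all
    source: str           # a CIDR or a security-group id such as "my-nat-secg"


@dataclass
class VpcPlan:
    vpc_cidr: str
    subnets: Dict[str, str]          # subnet name -> CIDR
    routes: Dict[str, str]           # destination CIDR -> "local", "igw" or "nat" (assumed names)
    sg_name: str
    sg_rules: List[Rule] = field(default_factory=list)


def subnet_fits_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """A subnet must be a range of addresses inside the VPC's CIDR block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    return sub.subnet_of(vpc)


def subnets_overlap(cidrs) -> list:
    """Return pairs of subnet networks whose address ranges overlap."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def classify_subnet(routes: Dict[str, str]) -> str:
    """Public if the default route goes to the internet gateway, private if it
    goes through the NAT instance, isolated if there is no default route."""
    target = routes.get("0.0.0.0/0")
    if target == "igw":
        return "public"
    if target == "nat":
        return "private"
    return "isolated"


def review_rules(rules: List[Rule], sg_name: str) -> List[str]:
    """Findings on the NAT security group, following the page's NOTE."""
    findings = []
    for r in rules:
        if r.direction == "inbound" and r.protocol == "tcp" and r.port == 22 and r.source == "0.0.0.0/0":
            findings.append("inbound SSH open to 0.0.0.0/0; restrict the source to the corporate CIDR")
        if r.protocol == "icmp" and r.source == "0.0.0.0/0":
            findings.append(f"{r.direction} ICMP with CIDR 0.0.0.0/0 is a diagnostic rule; remove it after testing")
    # Traffic from other instances in the same group needs an all-protocol rule from the group id.
    if not any(r.direction == "inbound" and r.protocol == "all" and r.source == sg_name for r in rules):
        findings.append(f"no inbound all-protocol rule from {sg_name}; instances in the group cannot reach the NAT")
    return findings


def check_plan(plan: VpcPlan) -> List[str]:
    problems = []
    for name, cidr in plan.subnets.items():
        if not subnet_fits_vpc(plan.vpc_cidr, cidr):
            problems.append(f"subnet {name} ({cidr}) is outside VPC {plan.vpc_cidr}")
    for a, b in subnets_overlap(plan.subnets.values()):
        problems.append(f"subnets {a} and {b} overlap")
    problems.extend(review_rules(plan.sg_rules, plan.sg_name))
    return problems


# Constructed plan matching the page's walkthrough; 203.0.113.0/24 stands in for a corporate range.
EXAMPLE_PLAN = VpcPlan(
    vpc_cidr="10.0.0.0/16",
    subnets={"public": "10.0.0.0/24"},
    routes={"10.0.0.0/16": "local", "0.0.0.0/0": "igw"},
    sg_name="my-nat-secg",
    sg_rules=[
        Rule("outbound", "icmp", None, "0.0.0.0/0"),       # temporary, for PING tests
        Rule("inbound", "tcp", 22, "203.0.113.0/24"),      # SSH only from the corporate network
        Rule("inbound", "all", None, "my-nat-secg"),       # traffic from other group members
    ],
)

if __name__ == "__main__":
    print("public subnet is", classify_subnet(EXAMPLE_PLAN.routes))
    for finding in check_plan(EXAMPLE_PLAN):
        print("finding:", finding)
```

Running the script on the example plan reports the subnet as public and yields a single finding, the outbound ICMP rule, which matches the NOTE's advice to add such rules only temporarily. Dropping the self-referencing rule or widening the SSH source to 0.0.0.0/0 produces further findings.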
Now that you have the basic VPC set up and configured, you can add additional resources to the public subnet such as a web application server. Or, you can expand your VPC to include a private subnet for securing additional back-end resources such as non-publicly accessible database servers. We encourage you to explore the variety of VPC scenarios documented on the AWS site.
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.