At first, getting started with AWS is pretty straightforward. They provide some sensible defaults that allow you to launch your first EC2 instance without thinking much about your Virtual Private Cloud (VPC) settings. VPCs are the virtual networking component of your infrastructure, and they contain things such as your subnets across multiple Availability Zones (AZ), NAT and Internet gateways, and security groups.
Once you get a little more savvy about deploying into AWS, you will quickly realize that you are going to need to customize the layout of your VPC to meet your application's needs from a security and availability standpoint. Diving in and building them yourself can be tricky, but there are some nice tools available to help you build out your VPCs.
Let's start in the AWS web console. If you want to get started, probably the easiest way is to use the "Start VPC Wizard" from the VPC dashboard. It will give you some common default configurations that you can use to build your VPC with. Here are the stock configurations that Amazon provides out of the box:
This will take care of configuring your VPC and adding the subnets, Internet Gateways, NAT Gateways, routing tables, keys and security groups. If you choose the manual route, you will have to put all of these pieces in place yourself, and that requires a bit of knowledge of how networking actually works.
Following the example to build a public and private subnet into a VPC, you will have to have an Elastic IP already created so you can use it with the NAT Gateway (for your private subnets).
If, like me, you aren't into clicking through GUIs to set up your systems, you can use the AWS CLI to create your network. This is nice if you are going to do it multiple times, such as creating the same network VPC structure across multiple regions. You can easily throw these commands into a shell script and just point it at a region and let it build the same network each time.
$ aws ec2 create-vpc --cidr-block 172.20.0.0/16
{
    "Vpc": {
        "VpcId": "vpc-28683d4c",
        "InstanceTenancy": "default",
        "Tags": [],
        "Ipv6CidrBlockAssociationSet": [],
        "State": "pending",
        "DhcpOptionsId": "dopt-431e1421",
        "CidrBlock": "172.20.0.0/16",
        "IsDefault": false
    }
}
The CLI's response gives you some vital information that you will need in future steps. I'd recommend installing jmespath from Homebrew for parsing the response and grabbing the variables you need for future use. At this point, you have a VPC created, but you will still need to create the subnets and all the other pieces, just as if you had gone through the manual process via the web console.
For example, to add a subnet and attach an internet gateway to this new VPC, you can use the following commands:
$ aws ec2 create-subnet --cidr-block 172.20.1.0/24 --vpc-id vpc-28683d4c
{
    "Subnet": {
        "AvailabilityZone": "us-west-1b",
        "AvailableIpAddressCount": 251,
        "DefaultForAz": false,
        "Ipv6CidrBlockAssociationSet": [],
        "VpcId": "vpc-28683d4c",
        "State": "pending",
        "MapPublicIpOnLaunch": false,
        "SubnetId": "subnet-85d521e2",
        "CidrBlock": "172.20.1.0/24",
        "AssignIpv6AddressOnCreation": false
    }
}

$ aws ec2 create-internet-gateway
{
    "InternetGateway": {
        "Tags": [],
        "Attachments": [],
        "InternetGatewayId": "igw-e7dd2483"
    }
}

# Now use the ID of the gateway and VPC to attach it
$ aws ec2 attach-internet-gateway --vpc-id vpc-28683d4c --internet-gateway-id igw-e7dd2483
You can now deploy EC2 instances into this public subnet in your brand new VPC.
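The shell-script version of the steps above, as an added example that is not part of the original post: it captures each resource ID with the CLI's built-in --query/--output text (a JMESPath expression, so no separate parser is needed) and adds the route table with a default route to the Internet Gateway, without which the subnet is not actually public. Region, VPC CIDR and the Name tag are parameters; the subnet_cidr helper and the build-vpc.sh file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): build the same VPC layout in any
# region with the AWS CLI, capturing IDs via --query instead of parsing JSON by hand.
set -eu

# Derive the Nth /24 inside a /16 VPC block (helper assumed for this example),
# e.g. subnet_cidr 172.20.0.0/16 1 -> 172.20.1.0/24
subnet_cidr() {
    prefix=$(printf '%s' "$1" | cut -d. -f1-2)   # first two octets of the VPC CIDR
    printf '%s.%s.0/24\n' "$prefix" "$2"
}

# Create the VPC, one public subnet, an Internet Gateway and a route table with a
# default route to that gateway. Region and CIDR are parameters so the script
# builds an identical network wherever it is pointed.
build_network() {
    region=$1; vpc_cidr=$2; name=$3
    export AWS_DEFAULT_REGION="$region"

    vpc_id=$(aws ec2 create-vpc --cidr-block "$vpc_cidr" \
             --query Vpc.VpcId --output text)
    subnet_id=$(aws ec2 create-subnet --vpc-id "$vpc_id" \
                --cidr-block "$(subnet_cidr "$vpc_cidr" 1)" \
                --query Subnet.SubnetId --output text)
    igw_id=$(aws ec2 create-internet-gateway \
             --query InternetGateway.InternetGatewayId --output text)
    aws ec2 attach-internet-gateway --vpc-id "$vpc_id" --internet-gateway-id "$igw_id"

    # A subnet is only "public" once its route table sends 0.0.0.0/0 to the IGW.
    # The VPC's main route table has no such route, so create a dedicated one
    # and associate only this subnet with it; private subnets keep the main table.
    rtb_id=$(aws ec2 create-route-table --vpc-id "$vpc_id" \
             --query RouteTable.RouteTableId --output text)
    aws ec2 create-route --route-table-id "$rtb_id" \
        --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw_id"
    aws ec2 associate-route-table --route-table-id "$rtb_id" --subnet-id "$subnet_id"

    # Tag everything so the pieces are findable (and deletable) later.
    aws ec2 create-tags --resources "$vpc_id" "$subnet_id" "$igw_id" "$rtb_id" \
        --tags "Key=Name,Value=$name"
    printf 'VPC %s subnet %s igw %s rtb %s in %s\n' \
        "$vpc_id" "$subnet_id" "$igw_id" "$rtb_id" "$region"
}

# Usage: ./build-vpc.sh us-west-1 172.20.0.0/16 demo-vpc
if [ $# -eq 3 ]; then
    build_network "$1" "$2" "$3"
fi
```

Instances launched into the subnet still get no public address unless you enable MapPublicIpOnLaunch (false by default, as the create-subnet output above shows) or attach an Elastic IP.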
Tip: if you want to use the delete-vpc command to remove what you have created, you will have to detach and delete all of its dependencies, such as the subnet and the internet gateway, before it will let you complete the delete. Sometimes this can take a few extra seconds, and neither the GUI nor the CLI gives much feedback that anything is actually happening. Just be patient and try again in a few seconds.
Stay tuned for the next chapter of this post as we dive into AWS deployment with Salt.