Exported from Confluence, Fri, 29 Mar 2024.
This page describes the steps to set up the VPC for the CommIT environment from scratch. Most of these steps do not need to be repeated once the VPC exists; they are kept here as a record of what is needed to build the VPC for CommIT.
1.) Create a new VPC in the AWS Account with the CIDR block 172.16.0.0/16 (this is the address space of the whole VPC; the subnets carved out of it are listed in step 10):
VPC ID: vpc-f67abf93 (172.16.0.0/16)
2.) After the VPC is created, create a new Internet Gateway and attach it to the new VPC:
Gateway ID: igw-a4c334c1
Name: CommIT-VPC-Internet-Default-Gateway
3.) Create a security group for the NAT instance that will be launched in the next step (if you did not launch a NAT instance during the VPC creation). Instructions for setting this group up are at: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATSG . Be sure to include your own IP address initially to allow SSH access until a Bastion Server is configured, and remove that rule again once the bastion is in place. The default rules on that page (inbound 80/443 from the private subnets, outbound 80/443 to the Internet) are enough for servers behind this NAT instance to reach the Internet.
4.) If you did not have the VPC creation launch a NAT instance for the Private subnet, do so now. Instructions for completing this step: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
Note: As of 08-28-14 the AMI ID is 'ami-f032acc0'. It was launched as a t1.micro instance. Assign it to a Public Subnet that has been created (in this case the Development Zone A subnet). Enable termination protection for the instance. Do not assign a public IP (an Elastic IP is attached in the next step). Disable the source/destination check on the instance, as the linked guide describes; with the check enabled the instance drops the private subnets' packets instead of forwarding them.
TAG: Name=CommIT VPC Default Nat Instance
KeyPair: commit-vpc-keypair
5.) After the NAT instance is launched, allocate an Elastic IP address for the new NAT instance and associate it with that instance. Be sure to allocate the Elastic IP address in the VPC scope and not EC2-Classic; a Classic address cannot be associated with a VPC instance.
6.) Edit the 'Main' route table of the new VPC and add a default route (0.0.0.0/0) whose target is the NAT instance created in step #4. This is the route table used by instances in the private subnets, so their only path to the Internet is through the NAT instance.
Tag: Name=CommIT-VPC-Main-Route-Table
Route Table ID: rtb-4422e321

| Destination | Target | Status | Propagated |
|---|---|---|---|
| 172.16.0.0/16 | local | Active | No |
| 0.0.0.0/0 | i-11aefc1c | Active | No |

** Note: when adding this route, use Target=<instance id of NAT instance>. When you view the table afterwards, the console also shows the Elastic Network Interface of that instance as the target.
7.) Create a new route table for the Public subnets of the VPC, with a default route to the Internet Gateway. The NAT instance, the Bastion server and the ELBs live in these subnets; the NAT instance's own route to the Internet Gateway is what lets it forward the traffic that instances in the private subnets initiate toward the Internet:
Name: CommIT-VPC-Public-Subnet-Route-Table
VPC: 172.16.0.0/16
Route Table ID: rtb-71a16214

| Destination | Target | Status | Propagated |
|---|---|---|---|
| 172.16.0.0/16 | local | Active | No |
| 0.0.0.0/0 | igw-a4c334c1 | Active | No |
8.) Next, associate each subnet with one of the two route tables created above. Public subnets should use the 'Public' route table, and the Private subnets should use the 'Main' route table. Note that this only defines the routing for a subnet; it does not allow or block traffic between the subnets (that is the job of security groups and network ACLs).
9.) Prior to launching instances in the VPC, the proper Security groups should be defined, created, and associated with the VPC for use inside it. The table below lists the security groups that have been created (the actual rules in each group are described in another area):

| Security Group Name | Function |
|---|---|
| commit-vpc-dev-idp-public-elb | Allow traffic to the IDP Dev Public ELB |
| commit-vpc-dev-cpr-public-elb | Allow traffic to the CPR Dev Public ELB |
| commit-vpc-bastion-server | Allow traffic to the Bastion Server |
| commit-vpc-dev-idp-servers | Allow traffic to/from the private Dev IDP instances |
| commit-vpc-dev-cpr-servers | Allow traffic to/from the private Dev CPR instances |
| commit-vpc-dev-ldap-servers | Allow traffic to/from the private Dev LDAP instances |
| commit-vpc-dev-salt-master | Allow traffic to/from the Salt Master for the Dev environment |
| commit-vpc-prod-salt-master | Allow traffic to/from the Salt Master for the Prod environment |
| commit-vpc-dev-log-server | Allow traffic to/from the central Dev Rsyslog server |
| commit-vpc-prod-log-server | Allow traffic to/from the central Prod Rsyslog server |
10.) Launch instances into the VPC to set up the proper environment (e.g. Dev, QA, Prod, etc.). This can be done manually, or through a CloudFormation template. Ensure that only the ELBs and the Bastion server reside in the Public Subnet. All other instances should reside in a private subnet. Instances should be launched in the 'CommIT VPC'. Details about each environment's requirements are below:

General

| AWS Resource | Tag: Name | Security Group | Subnet | Zone | Notes |
|---|---|---|---|---|---|
| t2.micro | CommIT-VPC-Bastion-Server | commit-vpc-bastion-server | 172.16.0.0/24 | us-west-2a | This server is accessible via SSH key from anywhere and can connect to the private instances. Once launched, an Elastic IP should be assigned to it for use by the server. |

Dev (only uses 1 AZ)

| AWS Resource | Tag: Name | Security Group | Subnet | Zone | Notes |
|---|---|---|---|---|---|
| m3.medium | CommIT-VPC-Dev-IDP-1 | commit-vpc-dev-idp-servers | 172.16.100.0/24 | us-west-2a | ami-d13845e1 |
| m3.medium | CommIT-VPC-Dev-IDP-2 | commit-vpc-dev-idp-servers | 172.16.100.0/24 | us-west-2a | ami-d13845e1 |
| m3.medium | CommIT-VPC-Dev-CPR-1 | commit-vpc-dev-cpr-servers | 172.16.100.0/24 | us-west-2a | ami-d13845e1 |
| m3.medium | CommIT-VPC-Dev-CPR-2 | commit-vpc-dev-cpr-servers | 172.16.100.0/24 | us-west-2a | ami-d13845e1 |
| ELB | CommIT-VPC-Dev-IDP-ELB | commit-vpc-dev-idp-public-elb | 172.16.0.0/24 | us-west-2a | Listeners for 80 and 443; health thresholds are 2 each; disable connection draining; enable Cross-Zone Load Balancing; add Dev IDP instances |
| ELB | CommIT-VPC-Dev-CPR-ELB | commit-vpc-dev-cpr-public-elb | 172.16.0.0/24 | us-west-2a | Listeners for 80 and 443; health thresholds are 2 each; disable connection draining; enable Cross-Zone Load Balancing; add Dev CPR instances |
| m3.medium | CommIT-VPC-Dev-LDAP-1 | commit-vpc-dev-ldap-servers | 172.16.100.0/24 | us-west-2a | ami-d13845e1 |
| m3.medium | CommIT-VPC-Dev-LDAP-2 | commit-vpc-dev-ldap-servers | 172.16.100.0/24 | us-west-2a | ami-d13845e1 |
| m3.medium | CommIT-VPC-Dev-Salt-Master | commit-vpc-dev-salt-master | 172.16.100.0/24 | us-west-2a | ami-d13845e1 |
| m3.medium | CommIT-VPC-Dev-Rsyslog | commit-vpc-dev-log-server | 172.16.100.0/24 | us-west-2a | ami-d13845e1 |

Production (to be filled in when launched)

| AWS Resource | Tag: Name | Security Group | Subnet | Zone | Notes |
|---|---|---|---|---|---|
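Steps 1 through 9 above, expressed as one CloudFormation template (the route step 10 mentions). This is an added example written for this page, not the project's own template or an export of the CommIT account. It uses the CIDRs, tag names, instance type and termination-protection setting from the runbook; everything else is an assumption: the logical resource names, the NatAmiId/KeyName/AdminCidr parameters (the AdminCidr default is a documentation-range placeholder), the two subnet definitions, and the private-server rule that admits SSH only from the bastion's security group, which stands in for the rules the page says are described elsewhere.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example of the CommIT VPC skeleton (steps 1-9); not the project's own template.
Parameters:
  NatAmiId:
    Type: AWS::EC2::Image::Id        # current amzn-ami-vpc-nat AMI for the region (ami-f032acc0 as of 08-28-14)
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName # e.g. commit-vpc-keypair
  AdminCidr:                         # assumption: your own address, used only until the bastion exists
    Type: String
    Default: 203.0.113.10/32         # placeholder from the documentation range; replace before use
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags: [{Key: Name, Value: CommIT VPC}]
  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags: [{Key: Name, Value: CommIT-VPC-Internet-Default-Gateway}]
  IGWAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: {VpcId: !Ref VPC, InternetGatewayId: !Ref IGW}
  PublicSubnetA:                     # bastion, ELBs and the NAT instance only (assumed name)
    Type: AWS::EC2::Subnet
    Properties: {VpcId: !Ref VPC, CidrBlock: 172.16.0.0/24, AvailabilityZone: us-west-2a}
  PrivateSubnetA:                    # Dev application servers; no route to the IGW (assumed name)
    Type: AWS::EC2::Subnet
    Properties: {VpcId: !Ref VPC, CidrBlock: 172.16.100.0/24, AvailabilityZone: us-west-2a}
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags: [{Key: Name, Value: CommIT-VPC-Public-Subnet-Route-Table}]
  PublicDefaultRoute:                # public subnets reach the Internet directly through the IGW
    Type: AWS::EC2::Route
    DependsOn: IGWAttachment
    Properties: {RouteTableId: !Ref PublicRouteTable, DestinationCidrBlock: 0.0.0.0/0, GatewayId: !Ref IGW}
  PublicSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref PublicSubnetA, RouteTableId: !Ref PublicRouteTable}
  PrivateRouteTable:                 # the 'Main' table of the runbook
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags: [{Key: Name, Value: CommIT-VPC-Main-Route-Table}]
  PrivateDefaultRoute:               # private subnets can only egress via the NAT instance
    Type: AWS::EC2::Route
    Properties: {RouteTableId: !Ref PrivateRouteTable, DestinationCidrBlock: 0.0.0.0/0, InstanceId: !Ref NatInstance}
  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref PrivateSubnetA, RouteTableId: !Ref PrivateRouteTable}
  NatSecurityGroup:                  # the NATSG rules from the AWS NAT-instance guide linked in step 3
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: CommIT VPC NAT instance
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 172.16.100.0/24}
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 172.16.100.0/24}
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref AdminCidr}   # remove once the bastion is up
      SecurityGroupEgress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0}
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  NatInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref NatAmiId
      InstanceType: t1.micro
      KeyName: !Ref KeyName
      SubnetId: !Ref PublicSubnetA
      SecurityGroupIds: [!Ref NatSecurityGroup]
      SourceDestCheck: false         # required: the instance forwards packets that are not addressed to it
      DisableApiTermination: true    # termination protection, as in step 4
      Tags: [{Key: Name, Value: CommIT VPC Default Nat Instance}]
  NatEip:                            # VPC-scope address (Domain vpc), not an EC2-Classic one (step 5)
    Type: AWS::EC2::EIP
    DependsOn: IGWAttachment
    Properties: {Domain: vpc, InstanceId: !Ref NatInstance}
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: commit-vpc-bastion-server
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: 0.0.0.0/0}   # runbook says 'from anywhere'; narrow it if you can
  PrivateServersSecurityGroup:       # assumption: private hosts accept SSH only from the bastion group
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: commit-vpc-dev-idp-servers
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, SourceSecurityGroupId: !Ref BastionSecurityGroup}
```

The security-relevant properties are the ones that are easy to miss in the console: SourceDestCheck must be false on the NAT instance or it silently drops forwarded traffic, the private route table has no route to the IGW at all, and the private servers' SSH rule references the bastion's group rather than a CIDR, so it keeps working when the bastion's address changes and cannot be satisfied from any other host in the public subnet.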
11.) Configure the Bastion server to allow SSH agent forwarding (AllowAgentForwarding yes in sshd_config, which is the OpenSSH default) so that administrators do not need to store their private key on the server itself to reach the other systems. Keep in mind that while an agent is forwarded, anyone with root on the bastion can sign with your key through the forwarded socket, so enable forwarding only for the sessions that need it.
12.) Initially, no accounts will exist on the instances other than 'ec2-user'. To access the private servers you will need to add the SSH private key of the KeyPair that was launched with the instances (e.g. for Dev this would be 'commit-vpc-keypair'). To add the key to your own local SSH agent so that it is available for forwarding, run this command on your local box:
ssh-add <private key name>
13.) Once you have added the key, SSH to the bastion server as 'ec2-user' with agent forwarding enabled (ssh -A ec2-user@<bastion Elastic IP>, or ForwardAgent yes for that host in ~/.ssh/config). There is no need to pass a specific key file, as the agent supplies it.
14.) Once you are logged into the bastion server, you can SSH to the private instances as 'ec2-user' using their private IP address. Later on, after the Salt Master has deployed accounts, users can use their regular account name and key, as those will then exist on the servers.