
1.) Create a new VPC in the AWS Account with a subnet of '172.16.0.0/16':

          VPC ID: vpc-f67abf93 (172.16.0.0/16)

2.) After the VPC is created, create a new Internet Gateway and attach it to the new VPC:

          Gateway ID: igw-a4c334c1

          Name: CommIT-VPC-Internet-Default-Gateway

3.) Create a security group for a NAT instance that will be launched in the next step (if you did not launch a NAT instance during the VPC creation).  Instructions for how to set this group up can be found at: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATSG . Be sure to include your IP address initially to allow SSH access until a Bastion Server is configured.  Using the default rules found on the instruction page will suffice for servers using this NAT instance to access the Internet.

4.) If you did not have the VPC creation launch a NAT instance for the Private subnet, please do so now.  Instructions for completing this step can be found at: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

       Note: As of 08-28-14 the AMI ID is 'ami-f032acc0'.  It was launched as a t1.micro instance.  Assign it to a Public Subnet that has been created (in this case the Development Zone A subnet).  Enable termination protection for the instance.  Do not assign a public IP.

       TAG: Name=CommIT VPC Default Nat Instance

               KeyPair: commit-vpc-keypair

5.) After the NAT instance is launched, allocate an Elastic IP address to use for the new NAT instance and assign it to that instance.  Be sure to allocate the Elastic IP address for the VPC and not EC2. 

...

       Route Table ID: rtb-4422e321

       Destination    | Target      | Status | Propagated
       172.16.0.0/16  | local       | Active | No
       0.0.0.0/0      | i-11aefc1c  | Active | No

...

7.) Create a new route table for use by the Public subnets of the VPC.  This will allow the instances in the Private VPC to use the NAT instance interface for initiating traffic to the Internet:

       Name: CommIT-VPC-Public-Subnet-Route-Table

       VPC: 172.16.0.0/16

       Route Table ID: rtb-71a16214

       Destination    | Target        | Status | Propagated
       172.16.0.0/16  | local         | Active | No
       0.0.0.0/0      | igw-a4c334c1  | Active | No

...

9.) Prior to launching instances in the VPC, the proper Security Groups should be defined, created, and associated with the VPC for use inside of the VPC.  The table below lists the security groups that have been created (the actual rules in each group are described in another area):

Security Group

       Name                           | Function
       commit-vpc-dev-idp-public-elb  | Allow traffic to the IDP Dev Public ELB
       commit-vpc-dev-cpr-public-elb  | Allow traffic to the CPR Dev Public ELB
       commit-vpc-bastion-server      | Allow traffic to the Bastion Server
       commit-vpc-dev-idp-servers     | Allow traffic to/from the private Dev IDP instances
       commit-vpc-dev-cpr-servers     | Allow traffic to/from the private Dev CPR instances
       commit-vpc-dev-ldap-servers    | Allow traffic to/from the private Dev LDAP instances
       commit-vpc-dev-salt-master     | Allow traffic to/from the Salt Master for the Dev environment
       commit-vpc-prod-salt-master    | Allow traffic to/from the Salt Master for the Prod environment
       commit-vpc-dev-log-server      | Allow traffic to/from the central Dev Rsyslog server
       commit-vpc-prod-log-server     | Allow traffic to/from the central Prod Rsyslog server

10.) Launch instances into the VPC to set up the proper environment (e.g. Dev, QA, Prod, etc.).  This can be done manually, or through a CloudFormation template.  Ensure that only the ELB and Bastion server reside in the Public Subnet.  All other instances should reside in a private subnet.   Instances should be launched in the 'CommIT VPC'.   Details about each environment's requirements are below:

General

       AWS Resource | Tag: Name                 | Security Group            | Subnet        | Zone       | Notes
       t2.micro     | CommIT-VPC-Bastion-Server | commit-vpc-bastion-server | 172.16.0.0/24 | us-west-2a | This server is accessible via SSH key from anywhere and can connect to the private instances.  Once launched, an Elastic IP should be assigned to it for use by the server.


Dev (only uses 1 AZ)

       AWS Resource | Tag: Name                  | Security Group                | Subnet          | Zone       | Notes
       m3.medium    | CommIT-VPC-Dev-IDP-1       | commit-vpc-dev-idp-servers    | 172.16.100.0/24 | us-west-2a | ami-d13845e1
       m3.medium    | CommIT-VPC-Dev-IDP-2       | commit-vpc-dev-idp-servers    | 172.16.100.0/24 | us-west-2a | ami-d13845e1
       m3.medium    | CommIT-VPC-Dev-CPR-1       | commit-vpc-dev-cpr-servers    | 172.16.100.0/24 | us-west-2a | ami-d13845e1
       m3.medium    | CommIT-VPC-Dev-CPR-2       | commit-vpc-dev-cpr-servers    | 172.16.100.0/24 | us-west-2a | ami-d13845e1
       ELB          | CommIT-VPC-Dev-IDP-ELB     | commit-vpc-dev-idp-public-elb | 172.16.0.0/24   | us-west-2a | Listener for 80 and 443; Health thresholds are 2 each; Disable connection draining; Enable Cross-Zone Load balancing; Add Dev IDP instances
       ELB          | CommIT-VPC-Prod-IDP-ELB    | commit-vpc-dev-cpr-public-elb | 172.16.0.0/24   | us-west-2a | Listener for 80 and 443; Health thresholds are 2 each; Disable connection draining; Enable Cross-Zone Load balancing; Add Dev CPR instances
       m3.medium    | CommIT-VPC-Dev-LDAP-1      | commit-vpc-dev-ldap-servers   | 172.16.100.0/24 | us-west-2a | ami-d13845e1
       m3.medium    | CommIT-VPC-Dev-LDAP-2      | commit-vpc-dev-ldap-servers   | 172.16.100.0/24 | us-west-2a | ami-d13845e1
       m3.medium    | CommIT-VPC-Dev-Salt-Master | commit-vpc-dev-salt-master    | 172.16.100.0/24 | us-west-2a | ami-d13845e1
       m3.medium    | CommIT-VPC-Dev-Rsyslog     | commit-vpc-dev-log-server     | 172.16.100.0/24 | us-west-2a | ami-d13845e1

Production (to be filled in when launched)

       AWS Resource | Tag: Name | Security Group | Subnet | Zone | Notes

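As an added check for the placement rule in step 10 (example code written for this page, not part of the original runbook or the CommIT project): the script below derives which subnets are public from their route tables, the way steps 6 and 7 define them, and flags any instance other than the Bastion or NAT instance that sits in a public subnet. The input mimics the JSON shape returned by `aws ec2 describe-route-tables` and `describe-instances`; the subnet IDs and the instance IDs other than i-11aefc1c are constructed placeholders.

```python
# Added example, not from the runbook: audit subnet placement against the
# route tables in steps 6 and 7. Subnet IDs and placeholder instance IDs are
# constructed; only the rtb-/igw-/i-11aefc1c values come from the runbook.

ROUTE_TABLES = [  # steps 6 and 7; subnet associations are assumed, not from the page
    {"RouteTableId": "rtb-4422e321", "Associations": [{"SubnetId": "subnet-PRIVATE-DEV-A"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-11aefc1c"}]},
    {"RouteTableId": "rtb-71a16214", "Associations": [{"SubnetId": "subnet-PUBLIC-DEV-A"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-a4c334c1"}]},
]

def inst(instance_id, subnet_id, name):
    """Build a record in the shape describe-instances returns (constructed sample)."""
    return {"InstanceId": instance_id, "SubnetId": subnet_id, "Tags": [{"Key": "Name", "Value": name}]}

INSTANCES = [  # constructed; the LDAP node is deliberately misplaced in the public subnet
    inst("i-11aefc1c", "subnet-PUBLIC-DEV-A", "CommIT VPC Default Nat Instance"),
    inst("i-PLACEHOLDER1", "subnet-PUBLIC-DEV-A", "CommIT-VPC-Bastion-Server"),
    inst("i-PLACEHOLDER2", "subnet-PRIVATE-DEV-A", "CommIT-VPC-Dev-IDP-1"),
    inst("i-PLACEHOLDER3", "subnet-PUBLIC-DEV-A", "CommIT-VPC-Dev-LDAP-2"),
]

# Step 10 permits only the Bastion (and, from step 4, the NAT instance) in a public subnet.
ALLOWED_IN_PUBLIC = {"CommIT-VPC-Bastion-Server", "CommIT VPC Default Nat Instance"}

def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route: an igw-* id, an instance id, or None if absent."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("InstanceId") or route.get("NatGatewayId")
    return None

def public_subnets(route_tables):
    """A subnet is public when its route table sends 0.0.0.0/0 straight to an Internet Gateway."""
    public = set()
    for rt in route_tables:
        if str(default_route_target(rt)).startswith("igw-"):
            public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return public

def name_of(instance):
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == "Name"), instance["InstanceId"])

def audit(route_tables, instances, allowed=ALLOWED_IN_PUBLIC):
    """Names of instances sitting in a public subnet that the runbook does not permit there."""
    public = public_subnets(route_tables)
    return sorted(name_of(i) for i in instances if i["SubnetId"] in public and name_of(i) not in allowed)
```

Against real output, replace the constructed lists with the parsed `RouteTables` and flattened `Reservations[].Instances` arrays from the CLI; a private subnet whose default route shows an igw-* target is the misconfiguration this catches.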

11.) Configure the Bastion server to allow Agent Forwarding so that administrators do not need to store their private key on the server itself to communicate with the other systems.

  • Edit /etc/ssh/sshd_config and uncomment the following line:
       AllowAgentForwarding yes
  • Restart the SSH Daemon
  • Ensure that your local machine is running the SSH daemon and that the 'ForwardAgent yes' line has been uncommented for all hosts (or you can specify which hosts agent forwarding should be used for).

12.) Initially, no accounts will exist on the instances other than 'ec2-user'.  To access the private servers you will need to add the SSH private key of the KeyPair that was launched with the instances (e.g. for Dev this would be 'commit-vpc-keypair').  To add the key to your local SSH agent so that it will be recognized for use in forwarding, run this command on your local box:

        ssh-add <private key name>

13.) Once you add the key, you should now SSH to the bastion server as the 'ec2-user' (no need to use a specific key file as you took care of that in the previous step).

...