Intermediate | 01:00:00

Configure NAT Instance and Stream Web Logs to CloudWatch Using CloudWatch Agent

Task 1 : Sign in to AWS Management Console

  1. Click the Open Console button; you will be redirected to the AWS Console in a new browser tab.
  2. On the AWS sign-in page, leave the Account ID as it is. Never edit or remove the 12-digit Account ID shown in the AWS Console; otherwise you cannot proceed with the lab.
  3. Copy the user name and password from the lab console into the IAM username and password fields in the AWS Console and click Sign in.
  4. Once signed in to the AWS Management Console, set the default AWS Region to US East (N. Virginia) us-east-1.
Task 2 : VPC and Subnet Setup

  1. In the AWS Management Console, open the Services dropdown at the top, type VPC in the search bar and select the VPC service from the results.
  2. In the VPC service, open Your VPCs in the side menu, click Create VPC and choose VPC only.
  3. Name: Nat_vpc
  4. IPv4 CIDR block: 10.0.0.0/16
  5. Click Create VPC.
  6. Within the new VPC you need two subnets: one public and one private. Go to the Subnets section of the VPC service and click Create subnet.
  7. VPC ID: select Nat_vpc, the VPC created above.
  8. Subnet name: PublicSubnet
  9. Availability Zone: us-east-1a
  10. IPv4 subnet CIDR block: 10.0.1.0/24
  11. Scroll down, click Add new subnet and fill in the second subnet the same way:
  12. Subnet name: PrivateSubnet
  13. Availability Zone: us-east-1a
  14. IPv4 subnet CIDR block: 10.0.2.0/24
  15. Click Create subnet.
  16. Configure the route table and internet gateway for the public subnet. For the public subnet to have internet access, its route table needs a route to an attached internet gateway.
  17. Go to the Route Tables section of the VPC service and create a new route table for the public subnet.
  18. Name: Nat_public_rt
  19. VPC: Nat_vpc
  20. Open the Subnet associations tab and click Edit subnet associations.
  21. Select PublicSubnet and click Save associations.
  22. Next, go to the Internet Gateways section and create a new internet gateway.
  23. Name: My-Internet-Gateway
  24. Once the internet gateway is created, attach it to Nat_vpc.
  25. In the Nat_public_rt route table, click Edit routes and add a route with destination 0.0.0.0/0 and the internet gateway as target.
  26. Create a route table for PrivateSubnet in the same way.
  27. Name: private_rt
  28. VPC: Nat_vpc
  29. Open Subnet associations, click Edit subnet associations, select PrivateSubnet and click Save associations.
Task 3 : Launch EC2 instance within this VPC

  1. Navigate to EC2 by opening the Services menu at the top and clicking EC2 in the Compute section.
  2. In the left-hand menu of the EC2 service click Instances, then click Launch instances to start creating a new EC2 instance.
  3. Name: NAT_instance
  4. AMI: Amazon Linux 2023 AMI
  5. Instance type: t2.micro
  6. Key pair (login): you need a key pair to connect securely to your EC2 instances. Click Create new key pair.
  7. Key pair name: WhizKey
  8. Key pair type: RSA
  9. Private key file format: .pem
  10. In Network settings click Edit and make sure Nat_vpc and PublicSubnet (created earlier) are selected.
  11. Auto-assign public IP: Enable
  12. Select Create security group.
  13. Security group name: NaT_ins_sg
  14. Description: Security Group to allow traffic to EC2
  15. Now add the inbound security group rules. SSH is already present; click Add security group rule for each of the following:
  16. HTTP: Source type Anywhere (0.0.0.0/0)
  17. HTTPS: Source 10.0.0.0/16
  18. All ICMP - IPv4: Source 10.0.0.0/16
  19. Click Launch instance.
  20. Repeat steps 2 to 5 to launch a second instance in the same VPC but in the private subnet, and select the key pair created above (WhizKey).
  21. Name: Private_ins
  22. Select the same VPC (Nat_vpc) and choose PrivateSubnet.
  23. Auto-assign public IP: Disable
  24. Create a new security group named private_ins_sg for this instance, allowing inbound traffic from the first instance's security group.
  25. In the inbound security group rules, leave the default settings as they are and add a rule for HTTP with source 10.0.0.0/16.
  26. Click Launch instance.
Task 4 : Enable NAT Configuration for EC2 Instance

  1. In this task, we convert a normal EC2 instance into a NAT instance.
  2. Select NAT_instance, open the Actions menu, choose Networking and click Change source/destination check. Disable the check and click Save.
  3. Open your local terminal and navigate to the directory where your .pem file is stored.
  4. Upload your .pem key from your local machine to the NAT instance with the following command, replacing <ec2-Nat-instance-public-ip> and the key pair name accordingly:
  5. Navigate to VPC, go to the Route Tables section and select private_rt.
  6. Open the Routes tab and click Edit routes.
  7. Click Add route. Destination: 0.0.0.0/0. Target: Instance, then choose NAT_instance. Click Save changes.
  8. Now navigate to EC2 and connect to NAT_instance.
  9. Copy and paste the commands on the NAT instance: enable IP forwarding, then set up the iptables NAT rule on the correct interface. Check the interface name with the command below first.
  10. Note: replace enX0 with your actual network interface (e.g. enX0, ens5, ...). Run ip a to confirm your interface name before applying the commands.
  11. Ensure the iptables FORWARD chain policy is ACCEPT.
  12. Paste and run each command one at a time to see where it might hang or fail.
  13. Go back to the Instances page, select NAT_instance, click Connect and open a new tab.
  14. From inside the NAT instance, SSH to the private instance. Command: ssh -i "WhizKey.pem" ec2-user@<Private_ins-Private-IP-Address>
  15. Check internet connectivity from the private instance: ping google.com or ping 8.8.8.8
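The lab leaves the forwarding and iptables commands to its console; the following is an added example (not the lab's own command list) that performs the same NAT configuration as a reviewable script. It assumes the outbound interface is the one holding the default route and that the iptables command is present on the instance; where the lab sets the FORWARD policy to ACCEPT, this version keeps FORWARD at DROP and allows only the private subnet out and established replies back in.

```shell
#!/bin/sh
# Added example (not the lab's command list): turn the Amazon Linux 2023
# NAT_instance into a NAT gateway for the lab VPC. CIDRs match the lab;
# the interface name is an assumption, so confirm it with `ip a` first.
# Assumes the iptables command is available on the instance.
VPC_CIDR="10.0.0.0/16"
PRIVATE_CIDR="10.0.2.0/24"

# run: execute a privileged command, or only print it when DRY_RUN=1 so the
# exact rules can be reviewed before they touch a live instance.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else sudo "$@"; fi
}

# primary_iface: name of the interface carrying the default route
# (enX0 or ens5 on Amazon Linux 2023).
primary_iface() {
  ip -o -4 route show default | awk '{print $5; exit}'
}

# nat_setup IFACE: enable forwarding and add NAT rules. The lab sets the
# FORWARD policy to ACCEPT; this keeps a default-deny policy and allows
# only the private subnet out and established replies back in.
nat_setup() {
  iface="$1"
  run sysctl -w net.ipv4.ip_forward=1
  run sh -c "echo net.ipv4.ip_forward=1 > /etc/sysctl.d/99-nat.conf"
  run iptables -t nat -A POSTROUTING -s "$VPC_CIDR" -o "$iface" -j MASQUERADE
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -s "$PRIVATE_CIDR" -o "$iface" -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# nat_verify: print the settings that ping from Private_ins depends on.
nat_verify() {
  echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
  sudo iptables -t nat -S POSTROUTING
  sudo iptables -S FORWARD
}

# Usage on the NAT instance: nat_setup "$(primary_iface)" && nat_verify
```

Run it once with DRY_RUN=1 to print the rules without applying them, then without it to apply.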
Task 5 : Install Nginx (Webpage) in the Private Instance

  1. On the private EC2 instance, install Nginx: copy and paste the install command.
  2. Set up a simple web page. This replaces the default NGINX homepage with a custom message.
  3. Enable and start NGINX. You should see output like "active (running)".
  4. Now log in to NAT_instance again: click Connect and use EC2 Instance Connect (browser-based SSH). You are now inside the NAT instance terminal.
  5. We will now create a configuration file that tells NGINX to forward the requests it receives to the private EC2 instance where the web page is hosted. The NAT instance uses NGINX as a reverse proxy, forwarding requests to the private instance.
  6. Install NGINX on the NAT instance.
  7. Configure NGINX as a reverse proxy: open a new NGINX configuration file and paste the following configuration, replacing 10.0.1.10 with the private IP address of Private_ins.
  8. Save and exit the file: press CTRL + X, then Y, then Enter to confirm the file name.
  9. Test the new configuration for syntax errors. You should see:
  10. Reload NGINX to apply the changes.
  11. Disable firewalld and flush the iptables rules: run the commands on the NAT instance to stop firewalld and flush iptables.
  12. This allows traffic on port 80, which the NGINX reverse proxy needs. Any request made to the NAT instance's public IP on port 80 is forwarded to the private instance's web server.
  13. Copy the NAT instance's public IP and open it in your web browser. You should see the page served from the private EC2 instance.
  14. Run the iptables NAT setup commands from Task 4 again, because flushing iptables can remove the NAT rules.
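The reverse-proxy file itself is not reproduced on the page, so here is an added example (not the lab's own configuration) of a proxy site for the NAT instance. UPSTREAM_IP stands for the private IP of Private_ins (the lab shows 10.0.1.10 as its placeholder) and PUBLIC_HOST for the NAT instance's public IP, used as server_name so the block does not collide with the stock default server in /etc/nginx/nginx.conf; both are assumptions. It also forwards the real client address, which the stock main log_format on the private instance records via $http_x_forwarded_for, so the access log shipped to CloudWatch in Task 6 shows the browser's IP rather than the NAT instance's.

```shell
#!/bin/sh
# Added example (not the lab's own file): write the reverse-proxy site for
# the NAT instance. UPSTREAM_IP is Private_ins's private IP (the lab shows
# 10.0.1.10 as a placeholder); PUBLIC_HOST is the NAT instance's public IP,
# used as server_name so this server does not collide with the stock
# default server in /etc/nginx/nginx.conf. Both values are assumptions.
write_proxy_conf() {
  upstream_ip="$1"; public_host="$2"; out_file="$3"
  cat > "$out_file" <<EOF
server {
    listen 80;
    server_name ${public_host};

    location / {
        proxy_pass http://${upstream_ip}:80;
        # Pass the real client address on, so the access log on Private_ins
        # (shipped to CloudWatch in Task 6) records the browser's IP rather
        # than the NAT instance's IP.
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# apply_proxy_conf UPSTREAM_IP PUBLIC_HOST: install the file, then reload
# NGINX only if `nginx -t` passes, so a typo never takes the proxy down.
apply_proxy_conf() {
  tmp=$(mktemp)
  write_proxy_conf "$1" "$2" "$tmp"
  sudo install -m 0644 "$tmp" /etc/nginx/conf.d/private-proxy.conf
  rm -f "$tmp"
  sudo nginx -t && sudo systemctl reload nginx
}

# Usage on the NAT instance: apply_proxy_conf <private-ip> <nat-public-ip>
```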
Task 6 : Install and Configure CloudWatch Agent

  1. Go to the EC2 section of the AWS Management Console, open the Instances page and select Private_ins.
  2. Open the Actions menu, go to Security, choose Modify IAM role, select EC2_CloudWatch_Agent_policy from the list of available roles and confirm the update to attach the role to the instance.
  3. Connect to the private instance again: on the Instances page select NAT_instance and click Connect.
  4. From inside the NAT instance, SSH to the private instance. Command: ssh -i "WhizKey.pem" ec2-user@<Private_ins-Private-IP-Address>
  5. Install the CloudWatch agent.
  6. Create the agent config file and paste the config (for monitoring the NGINX logs).
  7. Save the file: press CTRL + X, then Y, then Enter to confirm the file name.
  8. Start the agent with your config.
  9. Confirm the logs in CloudWatch: in the AWS Console search for CloudWatch and select Log groups in the left panel.
  10. Open the log group and view the log streams associated with your EC2 instance ID.
  11. Check that logs from your EC2 instance are being delivered and displayed in the selected log streams.
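The agent config is not reproduced on the page, so here is an added example (not the lab's own file) that generates a CloudWatch agent configuration for the two NGINX log files on Private_ins and installs and starts the agent from it. The log group names nginx-access and nginx-error are assumptions, and the attached role (EC2_CloudWatch_Agent_policy) must allow the agent to create log groups and streams and put log events.

```shell
#!/bin/sh
# Added example (not the lab's config): generate the CloudWatch agent
# configuration that ships Private_ins's NGINX logs, then install and
# start the agent from it. The log group names are assumptions; the
# instance role (EC2_CloudWatch_Agent_policy) must allow the agent to
# create groups/streams and put log events.
AGENT_DIR="/opt/aws/amazon-cloudwatch-agent"

# write_cw_config OUT_FILE: one collect_list entry per NGINX log file,
# streamed under the instance ID so streams map to hosts in the console.
write_cw_config() {
  cat > "$1" <<'EOF'
{
  "agent": { "run_as_user": "root" },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/nginx/access.log",
            "log_group_name": "nginx-access",
            "log_stream_name": "{instance_id}",
            "timezone": "UTC"
          },
          {
            "file_path": "/var/log/nginx/error.log",
            "log_group_name": "nginx-error",
            "log_stream_name": "{instance_id}",
            "timezone": "UTC"
          }
        ]
      }
    }
  }
}
EOF
}

# install_and_start: install the agent package, load the config (fetch-config
# with -s also starts the agent) and show its status afterwards.
install_and_start() {
  sudo dnf install -y amazon-cloudwatch-agent
  tmp=$(mktemp); write_cw_config "$tmp"
  sudo install -m 0644 "$tmp" "$AGENT_DIR/etc/amazon-cloudwatch-agent.json"
  rm -f "$tmp"
  sudo "$AGENT_DIR/bin/amazon-cloudwatch-agent-ctl" -a fetch-config -m ec2 \
    -c "file:$AGENT_DIR/etc/amazon-cloudwatch-agent.json" -s
  sudo "$AGENT_DIR/bin/amazon-cloudwatch-agent-ctl" -a status
}
```

Running install_and_start on Private_ins goes out through the NAT instance for the package download, so it only works once Task 4's NAT rules are in place.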
Task 7: Validation of the Lab

  1. Once the lab steps are completed, click the Validation button on the left side panel.
  2. This validates the resources in the AWS account and shows whether you have completed the lab successfully.
  3. You have successfully created a VPC.
  4. You have converted an EC2 instance into a NAT instance.
  5. You have successfully pinged Google from the private instance via the NAT instance.
  6. You have installed Nginx and the CloudWatch agent on the private instance.
  7. You have connected the CloudWatch agent to AWS CloudWatch.
  8. Sign out of the AWS account.
  9. You have successfully completed the lab.
  10. Once you have completed the steps, click End Lab in your lab console and wait until the process completes.