Level: Intermediate | Duration: 01:00:00

Understanding and Configuring Layered Security in an AWS VPC

Task 1: Sign in to AWS Management Console
  1. Click on the Open Console button, and you will be redirected to the AWS Console in a new browser tab.
  2. On the AWS sign-in page, leave the Account ID as default. Never edit or remove the 12-digit Account ID present in the AWS Console; otherwise, you cannot proceed with the lab.
  3. Copy your User Name and Password from the Lab Console into the IAM Username and Password fields in the AWS Console and click on the Sign in button.
  4. Once signed in to the AWS Management Console, set the default AWS Region to US East (N. Virginia) us-east-1.

Task 2: Creating a new VPC
  1. In this task, we are going to create a new VPC with the required configuration, such as the name and IPv4 CIDR block.
  2. Make sure the N. Virginia region is selected in the AWS Management Console; the region selector is in the top right corner.
  3. Navigate to and click on VPC, which is available under the Networking & Content Delivery section of Services.
  4. Click on Your VPCs from the left menu and click on the Create VPC button.
  5. On the Create VPC page, fill in the following details:
  6. Select VPC Only
  7. Name tag: Enter lab_VPC
  8. IPv4 CIDR block: Enter 10.0.0.0/16
  9. IPv6 CIDR block: Select No IPv6 CIDR block
  10. Tenancy: Default
  11. Click on the Create VPC button.
  12. A VPC is a logically isolated network in which you define:
  13. IP address ranges using CIDR blocks
  14. Subnets within the network
  15. Route tables to control traffic
  16. Security layers such as Security Groups and Network ACLs

Task 3: Creating and attaching an Internet gateway
  1. In this task, we are going to create an internet gateway and attach it to the VPC created earlier.
  2. Click on Internet Gateways from the left menu, click on the Create internet gateway button, and enter the following details:
  3. Name tag: Enter lab_IGW
  4. Click on the Create internet gateway button.
  5. Select the internet gateway you created from the list.
  6. Click on the Actions button.
  7. Click on Attach to VPC.
  8. Select lab_VPC (the VPC you created) from the drop-down and click on the Attach internet gateway button.

Task 4: Creating two Subnets
  1. You will create two subnets, one for public and another for private resources. First, create the public subnet.
  2. For the public subnet, click on Subnets from the left menu and click on the Create subnet button.
  3. VPC ID: Select lab_VPC (the VPC you created) from the dropdown
  4. Name tag: Enter public_subnet
  5. Availability zone: Select No Preference
  6. IPv4 CIDR block: Enter 10.0.1.0/24
  7. Click on the Create subnet button.
  8. For the private subnet, click on Create subnet again.
  9. VPC ID: Select lab_VPC (the VPC you created) from the dropdown
  10. Name tag: Enter private_subnet
  11. Availability zone: Select No Preference
  12. IPv4 CIDR block: Enter 10.0.2.0/24
  13. Click on the Create subnet button.
  14. Public Subnet: Contains resources that must be reachable from the internet, such as web servers. These subnets typically have a route pointing to an Internet Gateway.
  15. Private Subnet: Contains internal resources such as application servers or databases that must not be directly reachable from the internet.

Task 5: Creating Route tables, configuring routes and associating them with Subnets
  1. You will create two route tables, one for public routes and another for private routes.
  2. Go to Route Tables from the left menu and click on the Create route table button.
  3. Name tag: Enter public_route
  4. VPC: Select lab_VPC (the VPC you created) from the dropdown
  5. Click on the Create route table button.
  6. Similarly, go to Route Tables from the left menu and click on Create route table.
  7. Name tag: Enter private_route
  8. VPC: Select lab_VPC (the VPC you created) from the dropdown
  9. Click on the Create route table button.
  10. Now, you need to add routes to the route tables. Only public_route receives an internet route; private_route keeps just the local route that AWS adds by default.
  11. Select public_route.
  12. Go to the Routes tab. Click on Edit routes. On the next page, click on Add route.
  13. Specify the following values:
  14. Destination: Enter 0.0.0.0/0
  15. Target: Select Internet Gateway from the dropdown menu, then select lab_IGW.
  16. Click on the Save changes button.
  17. Next, associate public_subnet with public_route. Select public_route, open the Actions menu and choose Edit subnet associations.
  18. Select public_subnet from the list.
  19. Click on the Save associations button.
  20. Similarly, associate private_subnet with private_route. Select private_route, open the Actions menu and choose Edit subnet associations.
  21. Select private_subnet from the list.
  22. Click on the Save associations button.
  23. Each route consists of a Destination and a Target:
  24. Destination – The IP address range for the traffic
  25. Target – Where the traffic should be directed (Internet Gateway, NAT Gateway, etc.)
  26. local route – enables communication within the VPC
  27. 0.0.0.0/0 – directs internet-bound traffic to the Internet Gateway
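To make the routing behaviour above concrete, here is an added example (not part of the lab) that models public_route and private_route in Python with the standard ipaddress module and resolves destinations the way the VPC router does: the most specific matching route wins, and a destination with no matching route is dropped. The sample instance and public addresses are constructed.

```python
import ipaddress

# Added example, not lab code: a model of the two route tables built in Task 5.
# A route table is a list of (destination CIDR, target). The VPC router picks the
# most specific (longest-prefix) matching route; the "local" route for the VPC
# CIDR is always present and cannot be removed.
LAB_VPC_CIDR = "10.0.0.0/16"

PUBLIC_ROUTE = [(LAB_VPC_CIDR, "local"), ("0.0.0.0/0", "lab_IGW")]
PRIVATE_ROUTE = [(LAB_VPC_CIDR, "local")]  # no default route, so no internet path


def lookup(route_table, dst_ip):
    """Return the target for dst_ip, or None when no route matches (packet dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def reachability(route_table):
    """Summarise where a subnet using this route table can send traffic.
    10.0.2.10 stands in for private_instance; 198.51.100.7 is a constructed
    public address from the TEST-NET-2 documentation range."""
    return {
        "vpc": lookup(route_table, "10.0.2.10"),
        "internet": lookup(route_table, "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, table in (("public_route", PUBLIC_ROUTE), ("private_route", PRIVATE_ROUTE)):
        print(name, reachability(table))
```

Running it shows that private_subnet can still reach 10.0.x.x addresses through the local route while internet-bound packets have no target at all, which is the isolation the lab is building.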

Task 6: Creating Security Group
  1. In this task, we are going to create a security group for the EC2 instances.
  2. Go to Security Groups from the left menu, click on the Create security group button, and provide the following details:
  3. Security group name: Enter lab_securitygroup
  4. Description: Enter Security group for multilayered VPC
  5. VPC: Select lab_VPC from the dropdown
  6. Under Inbound rules, click on the Add rule button.
  7. To add SSH:
  8. Type: Select SSH
  9. Source: Anywhere-IPv4
  10. To add All ICMP - IPv4, click on Add rule:
  11. Type: Select All ICMP - IPv4
  12. Source: Anywhere-IPv4
  13. Click on the Create security group button.
  14. Security group characteristics:
  15. Stateful – If inbound traffic is allowed, the response is automatically allowed.
  16. Instance-level security – Applied directly to EC2 instances.
  17. Rule-based filtering – Controls traffic based on ports, protocols, and IP ranges.

Task 7: Creating and configuring Network ACL
  1. Network Access Control Lists (ACLs) in AWS control inbound and outbound traffic at the subnet level. They act as virtual firewalls that provide an additional layer of security for your Amazon Virtual Private Cloud (VPC). In this task, we are going to create and configure a Network ACL by adding the required inbound and outbound rules.
  2. Go to Network ACLs from the left menu and click on Create network ACL. Provide the following details:
  3. Name tag: Enter lab_NACL
  4. VPC: Select lab_VPC (the VPC you created) from the dropdown
  5. Click on the Create network ACL button.
  6. Select lab_NACL and go to the Inbound rules tab. Click on Edit inbound rules, then add the following rules.
  7. For SSH, click on Add new rule:
  8. Rule number: Enter 100
  9. Type: Choose SSH (22)
  10. Source: Enter 0.0.0.0/0
  11. Allow / Deny: Select Allow
  12. For All ICMP - IPv4, click on Add new rule:
  13. Rule number: Enter 200
  14. Type: Choose All ICMP - IPv4
  15. Source: Enter 0.0.0.0/0
  16. Allow / Deny: Select Allow
  17. Click on the Save changes button.
  18. NACLs are stateless, so the return traffic must also be allowed in Outbound rules. The Custom TCP rule below covers the ephemeral ports (1024 - 65535) that SSH replies are sent back to.
  19. Select lab_NACL and go to the Outbound rules tab. Click on Edit outbound rules, then click on Add new rule.
  20. For All ICMP - IPv4, click on Add new rule:
  21. Rule number: Enter 100
  22. Type: Choose All ICMP - IPv4
  23. Destination: Enter 0.0.0.0/0
  24. Allow / Deny: Select Allow
  25. For Custom TCP Rule, click on Add new rule:
  26. Rule number: Enter 200
  27. Type: Choose Custom TCP Rule
  28. Port range: Enter 1024 - 65535
  29. Destination: Enter 0.0.0.0/0
  30. Allow / Deny: Select Allow
  31. Click on the Save changes button.
  32. You need to associate both the public and private subnets with the NACL.
  33. Select lab_NACL and go to the Subnet associations tab. Click on Edit subnet associations.
  34. Choose all the available subnets and then click on the Save changes button.
  35. Network ACL characteristics:
  36. Stateless filtering – Return traffic must be explicitly allowed.
  37. Subnet-level control – Applied to entire subnets instead of individual instances.
  38. Rule numbering system – Lower rule numbers are evaluated first.
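The following added example (not part of the lab) models the two filtering layers from Task 6 and Task 7 in Python: the stateful security group, and the stateless NACL whose numbered rules are evaluated lowest-first with an implicit final deny. It shows why the outbound Custom TCP rule for 1024 - 65535 is required for SSH to work at all, and how a lower-numbered deny shadows a later allow. Rule values mirror the lab; the client port is constructed.

```python
from dataclasses import dataclass

# Added example, not lab code: a model of lab_securitygroup (Task 6) and
# lab_NACL (Task 7), used to show why the outbound NACL rules are needed.

@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order, first match wins
    proto: str       # "tcp" or "icmp"
    ports: tuple     # (low, high) port range; ignored for icmp
    action: str      # "allow" or "deny"

# lab_NACL as configured in Task 7; anything unmatched hits the implicit final deny
NACL_INBOUND = [NaclRule(100, "tcp", (22, 22), "allow"),
                NaclRule(200, "icmp", (0, 0), "allow")]
NACL_OUTBOUND = [NaclRule(100, "icmp", (0, 0), "allow"),
                 NaclRule(200, "tcp", (1024, 65535), "allow")]

# lab_securitygroup from Task 6: inbound SSH and all ICMP from anywhere.
# Security groups are stateful, so the reply to an allowed request needs no rule.
SG_INBOUND = [("tcp", (22, 22)), ("icmp", (0, 0))]

def nacl_allows(rules, proto, port):
    """Stateless evaluation: lowest rule number first, default deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto == proto and (proto == "icmp" or rule.ports[0] <= port <= rule.ports[1]):
            return rule.action == "allow"
    return False

def sg_allows_inbound(proto, port):
    """Stateful layer: only the initial inbound request is checked."""
    return any(p == proto and (proto == "icmp" or lo <= port <= hi) for p, (lo, hi) in SG_INBOUND)

def ssh_session_works(client_port, nacl_outbound=NACL_OUTBOUND):
    """An SSH client connects from an ephemeral client_port to port 22 on the
    instance. The request must pass NACL inbound and the SG; the reply, which is
    addressed to client_port, must separately pass NACL outbound (no state)."""
    request_in = nacl_allows(NACL_INBOUND, "tcp", 22) and sg_allows_inbound("tcp", 22)
    reply_out = nacl_allows(nacl_outbound, "tcp", client_port)
    return request_in and reply_out

def ping_works(nacl_outbound=NACL_OUTBOUND):
    """ICMP echo request in through both layers, echo reply out through the NACL."""
    return (nacl_allows(NACL_INBOUND, "icmp", 0) and sg_allows_inbound("icmp", 0)
            and nacl_allows(nacl_outbound, "icmp", 0))
```

Calling ssh_session_works with an outbound rule set that lacks the 1024 - 65535 TCP rule returns False even though the security group allows SSH, which is the practical difference between the stateless and stateful layers.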

Task 8: Launching 2 EC2 Instances
  1. Navigate to Services and choose EC2 under Compute.
  2. Navigate to Instances on the left panel and click on the Launch instances button.
  3. Name: Enter public_instance
  4. For Amazon Machine Image (AMI): Search for Amazon Linux 2023 AMI in the search box and click on the Select button.
  5. For Instance type: Select t2.micro
  6. For Key pair: Select Create a new key pair
  7. Key pair name: WhizKey
  8. Key pair type: RSA
  9. Private key file format: .pem
  10. Click on the Create key pair button.
  11. In Network settings, click on the Edit button:
  12. VPC: Select lab_VPC
  13. Subnet: Select public_subnet
  14. Auto-assign public IP: Enable
  15. Choose Select an existing security group, remove the default one, then select lab_securitygroup
  16. Keep everything else at its default and click on the Launch instance button.
  17. Select View all instances to view the instance you created.
  18. Similar to the above, launch another EC2 instance:
  19. Name: Enter private_instance
  20. Instance type: t2.micro
  21. Key pair: Select the existing one (WhizKey)
  22. VPC: Select lab_VPC
  23. Subnet: Select private_subnet
  24. Auto-assign public IP: Disable
  25. Choose Select an existing security group, remove the default one, then select lab_securitygroup
  26. Keep everything else at its default and click on the Launch instance button.
  27. Select View all instances to view the instance you created.
  28. Layers of a typical multi-tier VPC design:
  29. Public Layer – Web servers accessible from the internet
  30. Application Layer – Backend services in private subnets
  31. Database Layer – Databases isolated from direct internet access

Task 9: Testing the EC2 instances
  1. Now you will be able to see both instances.
  2. Copy the Private IPv4 address of private_instance.
  3. SSH into the public_instance EC2 instance.
  4. Follow the steps in SSH into EC2 Instance.
  5. Ping the private IP of private_instance using the command below:
  6. ping <your Private EC2 IPv4 address>
  7. Once you execute this command, you will receive replies from the IP.
  8. Press [Ctrl] + C to cancel the process.
  9. Security groups are applied at the instance level and provide stateful control over traffic, while NACLs are applied at the subnet level and provide stateless control over traffic.

Task 10: Validation of the Lab
  1. Once the lab steps are completed, click on the Validation button on the left side panel.
  2. This will validate the resources in the AWS account and display whether you have completed this lab successfully or not.
  3. Sample output:
  4. You have successfully created a new VPC.
  5. You have successfully created and attached an Internet Gateway.
  6. You have successfully created two subnets for public and private AWS instances.
  7. You have successfully created and configured the Route Table.
  8. You have successfully created a Security Group.
  9. You have successfully created and configured Network ACL.
  10. You have successfully launched 2 EC2 instances (one in a public subnet and one in a private subnet).
  11. You have successfully tested the EC2 instance.
  12. Sign out from the AWS account.
  13. You have successfully completed the lab.
  14. Once you have completed the steps, click on End Lab from the lab console.