Extra Networking Lab 1 Multi-VPC Account Architecture

This document provides instructions for setting up a multi-VPC networking lab architecture on AWS. It describes creating three non-overlapping VPCs each with two private subnets in different availability zones. An internet gateway and EC2 instance are deployed in each VPC to demonstrate the network isolation between VPCs by default. VPC peering is then established between the VPCs to allow communication, and finally a transit gateway is used to interconnect the VPCs in a more scalable way, replacing the individual VPC peering connections.

2. Create VPCs, IGWs, and EC2 instances
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of
the AWS Cloud where you can launch AWS resources in a virtual network that you define. You
have complete control over your virtual networking environment, including selection of your
own IP address range, creation of subnets, and configuration of route tables and network
gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to
resources and applications.

An internet gateway (IGW) is a horizontally scaled, redundant, and highly available VPC
component that allows communication between instances in your VPC and the internet. It
therefore imposes no availability risks or bandwidth constraints on your network traffic.

In this lab, we will create three VPCs with Internet Gateways, and EC2 instances - one per
VPC. We will observe that by default, EC2 instances in different VPCs are not able to
communicate with each other using private IP addresses.
2.1 Navigate to VPC Dashboard
To get started, navigate to VPC Dashboard Services:
https://console.aws.amazon.com/vpc/home?region=us-east-1#vpcs:

In every region, a default VPC has already been created for you. So, even if you haven’t created
anything in your account yet, you will see some VPC resources already there.

2.2 Create VPCs with subnets and EC2 instances


In this lab, we will be creating three VPCs with private subnets. Each VPC will have subnets in
two Availability Zones within the Region. We will deploy one EC2 instance per VPC and
demonstrate that, by default, VPCs provide network isolation.

Table 1. IPv4 CIDR allocations for VPCs and AZs.

VPC Name | VPC CIDR block | Availability Zone | Availability Zone CIDR block
---------|----------------|-------------------|-----------------------------
VPC A    | 10.0.0.0/16    | us-east-1a        | 10.0.0.0/24
VPC A    | 10.0.0.0/16    | us-east-1b        | 10.0.1.0/24
VPC B    | 10.1.0.0/16    | us-east-1a        | 10.1.0.0/24
VPC B    | 10.1.0.0/16    | us-east-1b        | 10.1.1.0/24
VPC C    | 10.2.0.0/16    | us-east-1a        | 10.2.0.0/24
VPC C    | 10.2.0.0/16    | us-east-1b        | 10.2.1.0/24

2.2.1 Create VPCs


Our first step is to create VPCs with non-overlapping CIDR blocks.
Figure 1. Three VPCs with unique CIDR ranges.

Navigate to “Your VPCs” tab and click “Create VPCs” button.

● Create “VPC A”, specifying 10.0.0.0/16 as IPv4 CIDR block. Do not enable IPv6. Select “Default”
Tenancy. Accept proposed Tags:
● Follow the same steps to create “VPC B” and “VPC C”.

After completing these steps, you should have the three new VPCs and the default VPC listed
under “Your VPCs:”
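Before creating anything in the console, it is worth checking that the address plan in Table 1 actually has the properties the later sections depend on: VPC CIDRs that do not overlap (VPC peering refuses overlapping ranges, and a transit gateway route table could not tell them apart), and subnets that sit inside their own VPC without colliding. The following check is an added example written for this page, not part of the lab; the plan dictionary is constructed from Table 1.

```python
import ipaddress

# Constructed from Table 1 of the lab: VPC CIDRs and their per-AZ subnets.
CIDR_PLAN = {
    "VPC A": ("10.0.0.0/16", {"us-east-1a": "10.0.0.0/24", "us-east-1b": "10.0.1.0/24"}),
    "VPC B": ("10.1.0.0/16", {"us-east-1a": "10.1.0.0/24", "us-east-1b": "10.1.1.0/24"}),
    "VPC C": ("10.2.0.0/16", {"us-east-1a": "10.2.0.0/24", "us-east-1b": "10.2.1.0/24"}),
}


def validate_plan(plan):
    """Return a list of problems found in the address plan (empty list = clean).

    Three checks: VPC CIDRs must not overlap each other, every subnet must lie
    inside its VPC's block, and subnets within one VPC must not overlap.
    """
    problems = []
    vpcs = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in plan.items()}
    names = sorted(vpcs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpcs[a].overlaps(vpcs[b]):
                problems.append(f"{a} {vpcs[a]} overlaps {b} {vpcs[b]}")
    for name, (_, subnets) in plan.items():
        nets = {az: ipaddress.ip_network(c) for az, c in subnets.items()}
        for az, net in nets.items():
            if not net.subnet_of(vpcs[name]):
                problems.append(f"{name} subnet {net} ({az}) is outside {vpcs[name]}")
        azs = sorted(nets)
        for i, x in enumerate(azs):
            for y in azs[i + 1:]:
                if nets[x].overlaps(nets[y]):
                    problems.append(f"{name} subnets {nets[x]} and {nets[y]} overlap")
    return problems


if __name__ == "__main__":
    print("Table 1 plan:", validate_plan(CIDR_PLAN) or "no problems")
    # A deliberately bad plan: VPC C reuses VPC A's block, so peering would be refused.
    bad = dict(CIDR_PLAN, **{"VPC C": ("10.0.0.0/16", {"us-east-1a": "10.0.5.0/24"})})
    print("Bad plan:", validate_plan(bad))
```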

2.2.2 Create Subnets


For each VPC, we will create two subnets – one per availability zone.
Figure 2. Allocating Subnets to AZs.

Navigate to “Subnets” panel:

Click the “Create subnet” button and create subnets with names that reflect VPC and AZ
placement, such as “VPC A – AZ 1a”:
Creating the subnet in AZ2 for VPC A:

On your own, create subnets for “VPC B” and “VPC C”; refer to Table 1 for CIDR allocations.
After you finish the task, 6 new subnets should be available:
2.2.3 Deploy Internet Gateways
In this section, we will deploy one Internet Gateway (IGW) per VPC. We need an Internet
Gateway in order to establish outside connectivity to EC2 instances in VPCs.

Navigate to “Internet Gateways” and click on “Create internet gateway”

Give the Internet Gateway a name that identifies “VPC A”, such as “VPC A – IGW”. Click “Create”

Select newly created IGW and click on “Attach to VPC”:

Attach this IGW to “VPC A:”


Repeat these steps to create and attach IGWs in “VPC B” and “VPC C”

You should now have an IGW for the default VPC and three newly created IGWs available:

2.2.4 Update Routing Tables


In order to utilize newly created Internet Gateways, you need to update VPC routing tables to
point the default routes to these IGWs.

In VPC Dashboard, navigate to “Route Tables:”


Assign Names to the Route Tables by identifying what VPC a given Route Table belongs to:

Repeat for the remaining Route Tables.

Navigate to “VPC A” Route Table and click on “Routes” tab. Click on “Edit Routes:”

Modify Route Table to add the default route 0.0.0.0/0 pointing to the Internet Gateway.
Repeat these steps for “VPC B” and “VPC C” route tables.

2.2.5 Deploy EC2 instances in VPCs

Navigate to EC2 Dashboard Services.


https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#Instances:

2.2.5.1 Launch EC2 Instances


Click on “Launch Instances”.

Choose “Amazon Linux 2 AMI (HVM), SSD Volume Type” 64-bit x86 and click “Select.”

We will use Free tier eligible “t2.micro” instance type. Click on “Next: Configure Instance
Details.”

Deploy the first instance to AZ1 of “VPC A” by choosing them from the network and the subnet
dropdowns.

We will be assigning a public IP to this instance. Without this step, we will not be able to connect
to the instance remotely.
Click on “Review and Launch.” Click on “Launch.” Select the “ee-default-keypair” ssh key pair
that was pre-generated by the Event Engine. Launch Instance. Select “I acknowledge that I
have access to the selected private key file…” and click on “Launch Instances.”

While instance is being launched, assign it a name that reflects VPC and AZ placements, such
as “EC2 VPC A – AZ1”

Launch two more EC2 instances – one in “VPC B” AZ1 and the other one in “VPC C” AZ1.
Assign names.

After a few minutes, you should have 3 EC2 instances in the “running” state.

For each EC2 instance, update the Security Group rules under the Security tab to allow ICMP
traffic (SSH on port 22 should already be open):
Modify the Inbound Rules on the Security Group to permit SSH and ICMP traffic from any
address:

Repeat these steps for EC2 instances in “VPC B – AZ 1” and “VPC C – AZ1”.

Write down the private IPv4 addresses assigned to EC2 instances by clicking on an Instance
and navigating to the Networking tab:
Populate the following table with IP information.
Table 2. EC2 instances' private IP addresses

VPC   | EC2 instance private IP address
------|--------------------------------
VPC A | 10.0.0.[………]
VPC B | 10.1.0.[………]
VPC C | 10.2.0.[………]

2.2.6 Test inter-VPC communication


Select “EC2 VPC A – AZ1” and click “Connect”.

Click “Connect” to connect using EC2 Instance Connect and user name ec2-user:
SSH session should open in a new browser tab. From the EC2 instance in “VPC A” try pinging
the private IP addresses of EC2 instances in “VPC B” and “VPC C”. Are those addresses
pingable?
3. VPC Peering
A VPC peering connection is a networking connection between two VPCs that enables you to
route traffic between them using private IPv4 addresses or IPv6 addresses.
In this lab, we will establish VPC peering links between “VPC A” and “VPC B”, as well as “VPC
A” and “VPC C”.

3.1 Setup VPC Peering


Navigate to VPC panel:
https://console.aws.amazon.com/vpc/home?region=us-east-1#PeeringConnections:sort=vpcPeeringConnectionId

Click on “Create Peering Connection”


Specify “Peering connection name tag”, “VPC A” as Requester, “VPC B” as an Accepter.

Click on “Create Peering Connection:”


Newly created peering connection will be in “Pending Acceptance” state.

Select the connection, navigate under “Actions” and click “Accept Request”

Repeat these steps to create “VPC A” to “VPC C” peering connection.

You should now have two active peering connections as shown below:
3.2 Update Route Tables
Navigate to “Route Tables”:
https://console.aws.amazon.com/vpc/home?region=us-east-1#RouteTables:sort=desc:routeTableId,
select “VPC A Route Table”, click on “Routes” tab and click “Edit routes:”

Add route entries for “VPC B” and “VPC C” using their CIDR ranges (10.1.0.0/16 and
10.2.0.0/16 respectively)

Update Route Tables for “VPC B”


Update Route Table for “VPC C:”

Connect to the EC2 instance in “VPC A” using EC2 Instance Connect (refer to section 2.2.6).

Try pinging EC2 instances in “VPC B” and “VPC C”. Use private Addresses of the Instances.

If peering and routing are configured correctly, you should be able to ping both instances.

SSH to EC2 instance in “VPC B”. Can you ping the instance in “VPC C”?

4 Transit Gateway
In the previous lab, we created VPC Peering Links in order to facilitate connectivity between
two VPCs. While this approach can be used to interconnect a larger number of VPCs, managing
many point-to-point connections can be cumbersome. A more scalable approach is to utilize
AWS Transit Gateway.

In this lab, we will remove the point-to-point peering connections between “VPC A” and “VPC B”,
and between “VPC A” and “VPC C.” We will set up a Transit Gateway (TGW) and use it to interconnect
“VPC A”, “VPC B”, and “VPC C.”
4.1 Delete VPC Peering Connections
Navigate to VPC Dashboard:
https://console.aws.amazon.com/vpc/home?region=us-east-1#PeeringConnections:sort=vpcPeeringConnectionId

Click on “Peering Connections”, select “VPC A 🡨🡪 VPC C” and delete peering connection.

Select the checkbox to delete the related route table entries, so that no route is left pointing at a deleted connection (a traffic blackholing scenario):
Repeat for “VPC A 🡨🡪 VPC B” connection.

4.2 Create Transit Gateway


Navigate to Transit Gateways console:
https://console.aws.amazon.com/vpc/home?region=us-east-1#TransitGateways:sort=transitGatewayId
and click on “Create Transit Gateway:”
Create Transit Gateway using default settings. Please note that configuration options cannot be
changed after the transit gateway is created.

A few moments later, TGW will transition from “pending” to “available” state.

Under “VPC Dashboard” – “Transit Gateways”, navigate to “Transit Gateway Attachments” and
click on “Create Transit Gateway Attachment.”

Create the VPC attachment for both availability zones in “VPC A:”
Repeat these steps to create attachments for “VPC B” and “VPC C.”

Upon completion, you should see three Transit Gateway attachments:

Navigate to “VPC Dashboard” – “Transit Gateways” – “Transit Gateway Route Tables”.


You should see one Route Table, click on it. Click on “Routes” tab. Your routing table should
be populated with “VPC A”, “VPC B”, “VPC C” routes:

4.3 Update Route Tables of VPCs


Navigate to “Route Tables”, select “VPC A Route Table”, click on “Routes” tab and click “Edit
routes:”
Add route entries for “VPC B” and “VPC C”. To simplify the configuration, create a single
“10.0.0.0/8” route pointing to the Transit Gateway. You can do this because route selection
uses the most specific (longest prefix) match: the local route 10.0.0.0/16 is more specific, so
traffic within 10.0.0.0/16 stays on the local route, and anything else in 10.0.0.0/8 follows
the less specific route to the transit gateway.

Repeat these steps for the “VPC B” and “VPC C” routing tables.
Connect to EC2 instance in “VPC A”.

Try pinging private IPs of instances deployed in “VPC B” and “VPC C”. Ping should be
successful.
Connect to EC2 instance in “VPC B”. Try pinging private IPs of instances deployed in “VPC A”
and “VPC C”. Ping should be successful.

You validated that EC2 instances in all three VPCs can reach each other using Transit Gateway.
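The ping results in sections 2.2.6, 3.2 and 4.3 all follow from how a VPC route table picks a target: the entry with the longest matching prefix wins, and traffic with no usable path is dropped. The model below is an added example written for this page, not part of the lab; the route tables are constructed from the lab's three stages, and the target labels (“igw-a”, “pcx-ab”, “tgw”) and the instance host addresses are made up here, not real AWS resource IDs.

```python
import ipaddress


def lookup(route_table, destination):
    """Resolve a destination the way a VPC route table does: longest prefix wins.

    route_table is a list of (cidr, target) tuples. Returns the target, or None
    when no entry covers the destination (the packet is dropped).
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed route tables for the three stages of the lab. Targets are labels
# chosen for this example, not real resource IDs.
VPC_A_IGW_ONLY = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-a")]  # section 2.2.4
VPC_A_PEERED = VPC_A_IGW_ONLY + [("10.1.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-ac")]  # 3.2
VPC_B_PEERED = [("10.1.0.0/16", "local"), ("0.0.0.0/0", "igw-b"), ("10.0.0.0/16", "pcx-ab")]
VPC_A_TGW = VPC_A_IGW_ONLY + [("10.0.0.0/8", "tgw")]  # section 4.3

# Private IPs of the lab instances; the host parts are made up for this example.
EC2_A, EC2_B, EC2_C = "10.0.0.10", "10.1.0.10", "10.2.0.10"


if __name__ == "__main__":
    # 2.2.6: no route to VPC B, so the default route hands the ping to the internet
    # gateway, which has no path to a private 10.x address: the ping fails.
    print("IGW only, A -> B:", lookup(VPC_A_IGW_ONLY, EC2_B))  # igw-a
    # 3.2: peering routes let A reach C ...
    print("peered, A -> C:", lookup(VPC_A_PEERED, EC2_C))  # pcx-ac
    # ... but B has no route for 10.2.0.0/16, and peering is not transitive anyway.
    print("peered, B -> C:", lookup(VPC_B_PEERED, EC2_C))  # igw-b
    # 4.3: the /16 local route beats the /8 TGW route; the rest of 10/8 goes to the TGW.
    print("TGW, A -> A (other AZ):", lookup(VPC_A_TGW, "10.0.1.20"))  # local
    print("TGW, A -> C:", lookup(VPC_A_TGW, EC2_C))  # tgw
    print("TGW, A -> internet:", lookup(VPC_A_TGW, "203.0.113.5"))  # igw-a
```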
