
Getting Started with Amazon VPC

Step 1: Create the VPC

In this exercise, you’ll create a VPC and subnet, and launch a public-facing instance into your subnet. Your instance will be able to communicate with the Internet, and you’ll be able to access your instance from your local computer using SSH (if it’s a Linux instance) or Remote Desktop (if it’s a Windows instance). In a real-world environment, you can use this scenario to create a public-facing web server; for example, to host a blog.

Note

This exercise is intended to help you set up your own nondefault VPC quickly. If you already have a default VPC and you want to get started launching instances into it (and not creating or configuring a new VPC), see Launching an EC2 Instance into Your Default VPC.

To complete this exercise, you’ll do the following:

  • Create a nondefault VPC with a single public subnet. Subnets enable you to group instances based on your security and operational needs. A public subnet is a subnet that has access to the Internet through an Internet gateway.
  • Create a security group for your instance that allows traffic only through specific ports.
  • Launch an Amazon EC2 instance into your subnet.
  • Associate an Elastic IP address with your instance. This gives the instance a public IP address, so it can be reached from the Internet and can reach the Internet itself.

Before you can use Amazon VPC for the first time, you must sign up for Amazon Web Services (AWS). When you sign up, your AWS account is automatically signed up for all services in AWS, including Amazon VPC. If you haven’t created an AWS account already, go to http://aws.amazon.com, and then choose Create a Free Account.

Note

This exercise assumes that your account supports the EC2-VPC platform only. If your account also supports the older EC2-Classic platform, you can still follow the steps in this exercise; however, you will not have a default VPC in your account to compare against your nondefault VPC. For more information, 

Step 2: Create a Security Group

A security group acts as a virtual firewall to control the traffic for its associated instances. To use a security group, you add inbound rules to control incoming traffic to the instance, and outbound rules to control outgoing traffic from the instance. To associate a security group with an instance, you specify the security group when you launch the instance. If you add or remove rules in the security group, the changes are applied automatically to every instance associated with it. Security groups are stateful: reply traffic for a connection that an inbound rule permits is allowed out regardless of the outbound rules, and the reverse holds for connections the instance initiates.

Your VPC comes with a default security group. Any instance not associated with another security group during launch is associated with the default security group. In this exercise, you’ll create a new security group, WebServerSG, and specify this security group when you launch an instance into your VPC.

Rules for the WebServerSG Security Group

The following table describes the inbound and outbound rules for the WebServerSG security group. You’ll add the inbound rules yourself. The outbound rule is a default rule that allows all outbound communication to anywhere – you do not need to add this rule yourself.

Inbound

  Source IP                                     Protocol  Port range  Comments
  0.0.0.0/0                                     TCP       80          Allows inbound HTTP access from anywhere.
  0.0.0.0/0                                     TCP       443         Allows inbound HTTPS access from anywhere.
  Public IP address range of your home network  TCP       22          Allows inbound SSH access from your home network to a Linux/UNIX instance.
  Public IP address range of your home network  TCP       3389        Allows inbound RDP access from your home network to a Windows instance.

Outbound

  Destination IP  Protocol  Port range  Comments
  0.0.0.0/0       All       All         The default outbound rule that allows all outbound communication.
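The table above, and the caution in the procedure that follows about using 0.0.0.0/0 as the SSH/RDP source, are easy to get wrong when the rules are created outside the console. The following Python script is an added example and is not part of the AWS tutorial: it builds the IpPermissions document that `aws ec2 authorize-security-group-ingress --ip-permissions file://rules.json` accepts for WebServerSG, refuses to open SSH or RDP to the whole Internet unless explicitly told to, and audits a `describe-security-groups`-shaped document for groups that already have an admin port world-reachable (including the all-protocols rule and port ranges that merely contain 22 or 3389). The group IDs, the sample groups and the 203.0.113.0/24 "home network" range are constructed placeholders.

```python
"""Build and audit the WebServerSG inbound rules.

Added example, not part of the AWS tutorial. Produces the IpPermissions
document accepted by `aws ec2 authorize-security-group-ingress
--ip-permissions` and scans the "SecurityGroups" list returned by
`aws ec2 describe-security-groups` for SSH/RDP open to the world.
Group IDs and the 203.0.113.0/24 home-network range are constructed.
"""
import ipaddress
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def ingress_rule(port, cidr, description):
    """One IpPermissions entry for a single TCP port from one CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)  # ValueError on a malformed CIDR
    ranges = ("Ipv6Ranges", "CidrIpv6") if net.version == 6 else ("IpRanges", "CidrIp")
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        ranges[0]: [{ranges[1]: str(net), "Description": description}],
    }


def build_webserversg_permissions(admin_cidr, admin_port=22, allow_world_admin=False):
    """The three WebServerSG inbound rules from the table.

    admin_port is 22 for a Linux instance or 3389 for Windows; admin_cidr is
    your network's public address range. 0.0.0.0/0 on the admin port is only
    accepted with allow_world_admin=True, the "short exercise" exception.
    """
    if admin_port not in ADMIN_PORTS:
        raise ValueError(f"admin port must be one of {sorted(ADMIN_PORTS)}")
    if str(ipaddress.ip_network(admin_cidr, strict=False)) in ANYWHERE and not allow_world_admin:
        raise ValueError(f"refusing to open {ADMIN_PORTS[admin_port]} to the whole Internet")
    return [
        ingress_rule(80, "0.0.0.0/0", "HTTP from anywhere"),
        ingress_rule(443, "0.0.0.0/0", "HTTPS from anywhere"),
        ingress_rule(admin_port, admin_cidr, f"{ADMIN_PORTS[admin_port]} from home network"),
    ]


def find_world_open_admin_ports(security_groups):
    """Sorted (GroupId, port) pairs where SSH or RDP is reachable from 0.0.0.0/0 or ::/0.

    Handles the all-protocols rule ("-1", which carries no port fields) and
    TCP port ranges that contain 22 or 3389, which a FromPort == 22 check misses.
    """
    findings = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                low, high = 0, 65535
            elif proto == "tcp":
                low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not ANYWHERE.intersection(cidrs):
                continue
            for port in ADMIN_PORTS:
                if low <= port <= high:
                    findings.add((sg["GroupId"], port))
    return sorted(findings)


# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {"GroupId": "sg-0000000000000001", "GroupName": "WebServerSG",
         "IpPermissions": build_webserversg_permissions("203.0.113.0/24")},
        {"GroupId": "sg-0000000000000002", "GroupName": "launch-wizard-1",
         "IpPermissions": [ingress_rule(22, "0.0.0.0/0", "SSH from anywhere")]},
        {"GroupId": "sg-0000000000000003", "GroupName": "wide-open",
         "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]
}

if __name__ == "__main__":
    # Save this as rules.json, then:
    #   aws ec2 authorize-security-group-ingress --group-id <sg-id> --ip-permissions file://rules.json
    print(json.dumps(build_webserversg_permissions("203.0.113.0/24"), indent=2))
    print(find_world_open_admin_ports(SAMPLE_DESCRIBE_OUTPUT["SecurityGroups"]))
```

Run the audit against real data with `aws ec2 describe-security-groups --output json`, feeding the "SecurityGroups" list to `find_world_open_admin_ports`; a finding on anything but a throwaway exercise group is the production mistake the caution warns about.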

Creating Your WebServerSG Security Group

You can create your security group using the Amazon VPC console.

To create the WebServerSG security group and add rules

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Security Groups.
  3. Choose Create Security Group.
  4. In the Group name field, enter WebServerSG as the name of the security group, and provide a description. You can optionally use the Name tag field to create a tag for the security group with a key of Name and a value that you specify.
  5. Select the ID of your VPC from the VPC menu, and then choose Yes, Create.
  6. Select the WebServerSG security group that you just created (you can view its name in the Group Name column).
  7. On the Inbound Rules tab, choose Edit and add rules for inbound traffic as follows, and then choose Save when you’re done:
    1. Select HTTP from the Type list, and enter 0.0.0.0/0 in the Source field.
    2. Choose Add another rule, then select HTTPS from the Type list, and enter 0.0.0.0/0 in the Source field.
    3. Choose Add another rule. If you’re launching a Linux instance, select SSH from the Type list, or if you’re launching a Windows instance, select RDP from the Type list. Enter your network’s public IP address range in the Source field. If you don’t know this address range, you can use 0.0.0.0/0 for this exercise.

Caution

If you use 0.0.0.0/0, every IP address on the Internet can reach your instance over SSH or RDP. This is acceptable for the short exercise, but it is unsafe for production environments. In production, authorize only a specific IP address or range of addresses to access your instance.

Step 3: Launch an Instance into Your VPC

When you launch an EC2 instance into a VPC, you must specify the subnet in which to launch the instance. In this case, you’ll launch an instance into the public subnet of the VPC you created. You’ll use the Amazon EC2 launch wizard in the Amazon EC2 console to launch your instance.

Diagram (not reproduced on this page): “Getting started: Launch instance”, the architecture of your VPC after you’ve completed this step.

To launch an EC2 instance into a VPC
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation bar, on the top-right, ensure that you select the same region in which you created your VPC and security group.
  3. From the dashboard, choose Launch Instance.
  4. On the first page of the wizard, choose the AMI that you want to use. For this exercise, we recommend that you choose an Amazon Linux AMI or a Windows AMI.
  5. On the Choose an Instance Type page, you can select the hardware configuration and size of the instance to launch. By default, the wizard selects the first available instance type based on the AMI you selected. You can leave the default selection, and then choose Next: Configure Instance Details.
  6. On the Configure Instance Details page, select the VPC that you created from the Network list, and the subnet from the Subnet list. Leave the rest of the default settings, and go through the next pages of the wizard until you get to the Tag Instance page.
  7. On the Tag Instance page, you can tag your instance with a Name tag; for example Name=MyWebServer. This helps you to identify your instance in the Amazon EC2 console after you’ve launched it. Choose Next: Configure Security Group when you are done.
  8. On the Configure Security Group page, the wizard automatically defines the launch-wizard-x security group to allow you to connect to your instance. Instead, choose the Select an existing security group option, select the WebServerSG group that you created previously, and then choose Review and Launch.
  9. On the Review Instance Launch page, check the details of your instance, and then choose Launch.
  10. In the Select an existing key pair or create a new key pair dialog box, you can choose an existing key pair, or create a new one. If you create a new key pair, ensure that you download the file and store it in a secure location. You’ll need the contents of the private key to connect to your instance after it’s launched. To launch your instance, select the acknowledgment check box, and then choose Launch Instances.
  11. On the confirmation page, choose View Instances to view your instance on the Instances page. Select your instance, and view its details in the Description tab. The Private IPs field displays the private IP address that’s assigned to your instance from the range of IP addresses in your subnet.
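Two things in steps 10 and 11 trip up first attempts to connect: the downloaded private key file must not be readable by other users (ssh refuses such a key with “UNPROTECTED PRIVATE KEY FILE”), and the address to connect to is the Elastic IP you associate in Step 4, not the address in the Private IPs field, which is reachable only inside the VPC. The following Python script is an added example, not part of the AWS tutorial, that performs both checks before producing the ssh command line. It assumes the VPC uses an RFC 1918 range (as the VPC wizard’s defaults do); the key file contents, the addresses and the login name are constructed placeholders, with 203.0.113.10 standing in for a real Elastic IP.

```python
"""Pre-flight checks before connecting to the instance over SSH.

Added example, not part of the AWS tutorial. Checks the private key file
mode (what ssh enforces) and that the target is not the instance's private
address. Assumes the VPC uses an RFC 1918 range; key contents, addresses
and user name are constructed placeholders.
"""
import ipaddress
import os
import stat
import tempfile

# VPC address space is normally carved out of these RFC 1918 blocks
# (assumption: the VPC created in this exercise uses one of them).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_key_is_protected(path):
    """True when no group or other permission bits are set, the test ssh applies."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def protect_private_key(path):
    """Owner read-only (the chmod 400 from the EC2 connect instructions)."""
    os.chmod(path, stat.S_IRUSR)


def is_vpc_private_address(address):
    """IPv4 address inside an RFC 1918 block, i.e. the private IP rather than the Elastic IP."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def ssh_command(address, key_path, user="ec2-user"):
    """argv for the connection once both checks pass; ec2-user is the Amazon Linux login name."""
    if is_vpc_private_address(address):
        raise ValueError(f"{address} is a VPC-internal address; connect to the Elastic IP instead")
    if not private_key_is_protected(key_path):
        raise PermissionError(f"{key_path} is readable by other users; run chmod 400 on it first")
    return ["ssh", "-i", key_path, f"{user}@{address}"]


def run_checks(elastic_ip="203.0.113.10", private_ip="10.0.0.25"):
    """Exercise the checks on a constructed key file and report what happened."""
    fd, key_path = tempfile.mkstemp(suffix=".pem")
    os.write(fd, b"constructed placeholder, not a real private key\n")
    os.close(fd)
    os.chmod(key_path, 0o644)  # the mode a browser download often ends up with
    result = {"protected_before": private_key_is_protected(key_path)}
    try:
        ssh_command(elastic_ip, key_path)
        result["unprotected_key_rejected"] = False
    except PermissionError:
        result["unprotected_key_rejected"] = True
    protect_private_key(key_path)
    result["protected_after"] = private_key_is_protected(key_path)
    try:
        ssh_command(private_ip, key_path)
        result["private_ip_rejected"] = False
    except ValueError:
        result["private_ip_rejected"] = True
    result["argv"] = ssh_command(elastic_ip, key_path)
    os.remove(key_path)
    return result


if __name__ == "__main__":
    print(run_checks())
```

For a Windows instance the key file is used differently (it decrypts the Administrator password in the console rather than being passed to a client), so only the address check applies there.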
Step 4: Assign an Elastic IP Address to Your Instance

In the previous step, you launched your instance into a public subnet – a subnet that has a route to an Internet gateway. However, the instance in your subnet also needs a public IP address to be able to communicate with the Internet. By default, an instance in a nondefault VPC is not assigned a public IP address. In this step, you’ll allocate an Elastic IP address to your account, and then associate it with your instance. For more information about Elastic IP addresses, see Elastic IP Addresses.

Diagram (not reproduced on this page): “Getting started: Assign an Elastic IP address to your instance”, the architecture of your VPC after you’ve completed this step.

To allocate and assign an Elastic IP address
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Elastic IPs.
  3. Choose Allocate New Address, and then Yes, Allocate. (Note: if your account supports EC2-Classic, first select EC2-VPC from the Network platform list.)
  4. Select the Elastic IP address from the list, choose Actions, and then choose Associate Address.
  5. In the dialog box, choose Instance from the Associate with list, and then select your instance from the Instance list. Choose Yes, Associate when you’re done.

Your instance is now accessible from the Internet. You can connect to your instance through its Elastic IP address using SSH or Remote Desktop from your home network (the source range you allowed in WebServerSG). For more information about how to connect to a Linux instance, see Connecting to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances. For more information about how to connect to a Windows instance, see Connect to Your Windows Instance Using RDP in the Amazon EC2 User Guide for Microsoft Windows Instances.

This completes the exercise; you can choose to continue using your instance in your VPC, or if you do not need the instance, you can terminate it and release its Elastic IP address to avoid incurring charges for them. You can also delete your VPC – note that you are not charged for the VPC and VPC components created in this exercise (such as the subnets and route tables).

Step 5: Clean Up

Before you can delete a VPC, you must terminate any instances that are running in the VPC. If you delete a VPC using the VPC console, it also deletes resources that are associated with the VPC, such as subnets, security groups, network ACLs, DHCP options sets, route tables, and Internet gateways.

To terminate your instance, release your Elastic IP address, and delete your VPC
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, choose Instances.
  3. Select your instance, choose Actions, then Instance State, and then select Terminate.
  4. In the dialog box, expand the Release attached Elastic IPs section, and select the check box next to the Elastic IP address. Choose Yes, Terminate.
  5. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  6. In the navigation pane, choose Your VPCs.
  7. Select the VPC, choose Actions, and then choose Delete VPC.
  8. When prompted for confirmation, choose Yes, Delete.