Deploy a Highly available VPC Architecture with transit Gateway


TABLE OF CONTENTS

  1. Goal

  2. Pre-Requisites

  3. VPC Deployment

  4. Explore

  5. Validation

Solution:

Goal

Deploy a Modular, Highly Available AWS VPC Architecture with Transit Gateway

Pre-Requisites

  1. You must have an AWS account to create infrastructure resources in the AWS cloud.

  2. Custom Domain Name

  3. Create an SSL certificate.

VPC Deployment

VPC-1: US-EAST-1

Step 1: Navigate to the VPC Dashboard

  1. Open the AWS Management Console.

  2. Go to the "Services" dropdown and select "VPC" under the "Networking & Content Delivery" section.

Step 2: Create a VPC

  1. In the VPC Dashboard, click on "Create VPC."

  2. Fill in the following details:

    • Name tag: Provide a name for your VPC (e.g., hycloud-vpc-01).

    • IPv4 CIDR block: Enter 10.0.0.0/16.

  3. Click on "Create VPC."

Step 3: Create a Public Subnet

  1. In the VPC Dashboard, click on "Subnets" in the left navigation pane.

  2. Click on "Create subnet."

  3. Fill in the following details for your public subnet:

    • Name tag: Provide a name for your subnet (e.g., hycloud-PublicSubnet-01).

    • VPC: Select the VPC you created.

    • Availability Zone: Choose an availability zone (e.g., us-east-1a).

    • IPv4 CIDR block: Enter 10.0.1.0/24.

  4. Click on "Create subnet."

Step 4: Update Route Table for the Public Subnet

  1. In the VPC Dashboard, click on "Route Tables" in the left navigation pane.

  2. Find the main route table associated with your VPC.

  3. Click on the "Routes" tab.

  4. Add a new route to make the subnet public:

    • Click on "Edit routes."

    • Add a route with the destination 0.0.0.0/0 and the target as the Internet Gateway (IGW) ID. If you don't have an IGW, create one and attach it to your VPC.

  5. Save the changes.

Step 5: Create an Internet Gateway (IGW)

  1. In the VPC Dashboard, click on "Internet Gateways" in the left navigation pane.

  2. Click on "Create internet gateway."

  3. Attach the internet gateway to your VPC:

    • Select the IGW.

    • Click on "Attach to VPC."

    • Choose your VPC and click "Attach."

Step 6: Update Subnet Route Association

  1. In the VPC Dashboard, click on "Subnet Associations" in the left navigation pane.

  2. Select your public subnet and click on "Edit subnet associations."

  3. Associate the subnet with the custom route table.

  4. Save the changes.

VPC-2: US-EAST-1

Step 1: Create a VPC

  1. Navigate to the VPC Dashboard in the AWS Management Console.

  2. Click on "Create VPC."

  3. Fill in the following details:

    • Name tag: Provide a name for your VPC (e.g., hycloud-vpc-02).

    • IPv4 CIDR block: Enter 192.0.0.0/16.

  4. Click on "Create VPC."

Step 2: Create Subnets

Public Subnets:

  1. In the VPC Dashboard, click on "Subnets" in the left navigation pane.

  2. Click on "Create subnet."

  3. Fill in the following details for the first public subnet:

    • Name tag: hycloud-public-subnet-01

    • VPC: Select the VPC you just created.

    • Availability Zone: Choose an availability zone (e.g., us-east-1a).

    • IPv4 CIDR block: Enter 192.0.1.0/24.

  4. Click on "Create subnet."

Repeat the process to create the second public subnet:

  1. Click on "Create subnet."

  2. Fill in the details for the second public subnet:

    • Name tag: hycloud-public-subnet-02

    • VPC: Select the VPC.

    • Availability Zone: Choose a different availability zone (e.g., us-east-1b).

    • IPv4 CIDR block: Enter 192.0.2.0/24.

  3. Click on "Create subnet."

Private Subnets:

Now, let's create two private subnets:

  1. Click on "Create subnet."

  2. Fill in the details for the first private subnet:

    • Name tag: hycloud-private-subnet-01

    • VPC: Select the VPC.

    • Availability Zone: Choose an availability zone (e.g., us-east-1a).

    • IPv4 CIDR block: Enter 192.0.3.0/24.

  3. Click on "Create subnet."

Repeat the process to create the second private subnet:

  1. Click on "Create subnet."

  2. Fill in the details for the second private subnet:

    • Name tag: hycloud-private-subnet-02

    • VPC: Select the VPC.

    • Availability Zone: Choose a different availability zone (e.g., us-east-1b).

    • IPv4 CIDR block: Enter 192.0.4.0/24.

  3. Click on "Create subnet."

Step 3: Update Route Tables and Internet Gateway

Follow the same steps as for VPC-1 above (Steps 4 to 6) to update the route table, create and attach an Internet Gateway (IGW), and associate the public subnets with the main route table.

Step 4: Create a Private Route Table

  1. In the VPC Dashboard, click on "Route Tables" in the left navigation pane.

  2. Click on "Create Route Table."

  3. Fill in the following details:

    • Name tag: hycloud-private-rt-01

    • VPC: Select the VPC you created.

  4. Click on "Create."

Step 5: Associate Private Subnets with the Private Route Table

  1. Still in the "Route Tables" section, select the newly created hycloud-private-rt-01.

  2. Click on the "Subnet Associations" tab.

  3. Click "Edit subnet associations."

  4. Select both private subnets (hycloud-private-subnet-01 and hycloud-private-subnet-02).

  5. Click on "Save."

Step 6: Add a Route for Private Subnet Traffic

  1. Select the hycloud-private-rt-01 route table.

  2. Click on the "Routes" tab.

  3. Click "Edit routes."

  4. Add a route for your private subnet traffic:

    • Click "Add route."

    • For the destination, enter 0.0.0.0/0 (which represents all traffic).

    • For the target, you'll later associate this route with the NAT Gateway. Leave it blank for now.

  5. Click "Save routes."

Step 7: Create and Associate a NAT Gateway

  1. In the VPC Dashboard, click on "NAT Gateways" in the left navigation pane.

  2. Click on "Create NAT Gateway."

  3. Fill in the following details:

    • Subnet: Choose one of the public subnets (e.g., hycloud-public-subnet-01).

    • Elastic IP Allocation ID: Choose an existing Elastic IP or create a new one.

  4. Click on "Create NAT Gateway."

  5. Wait for the NAT Gateway to become available.

  6. Once the NAT Gateway is available, go back to the hycloud-private-rt-01.

  7. In the "Routes" tab, click "Edit routes."

  8. Add a route for internet traffic:

    • For the destination, enter 0.0.0.0/0.

    • For the target, select the NAT Gateway you just created.

  9. Click "Save routes."

VPC-3: US-WEST-2

Now follow the same steps to create a third VPC in a different region (us-west-2) with the CIDR 172.0.0.0/16, a public and a private subnet, and a NAT Gateway.

It's time to connect all three VPCs using a Transit Gateway.
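Before attaching anything to a Transit Gateway it is worth checking the address plan offline: the TGW route tables can only hold one route per prefix, so the VPC CIDRs must not overlap, every subnet must sit inside its VPC, and any range outside RFC 1918 deserves a second look because it collides with publicly routed addresses once the VPC has internet egress. The following is an added example (not code from the original walkthrough) that runs these checks with Python's standard `ipaddress` module over the CIDRs used in this article. VPC-3's subnets are not listed above, so the two /24s given for it are assumed.

```python
import ipaddress

# Constructed from the walkthrough's own VPC and subnet CIDRs. The subnets of
# hycloud-vpc-03 are not stated in the article and are assumed here.
VPC_PLAN = {
    "hycloud-vpc-01": {"region": "us-east-1", "cidr": "10.0.0.0/16",
                       "subnets": ["10.0.1.0/24"]},
    "hycloud-vpc-02": {"region": "us-east-1", "cidr": "192.0.0.0/16",
                       "subnets": ["192.0.1.0/24", "192.0.2.0/24",
                                   "192.0.3.0/24", "192.0.4.0/24"]},
    "hycloud-vpc-03": {"region": "us-west-2", "cidr": "172.0.0.0/16",
                       "subnets": ["172.0.1.0/24", "172.0.3.0/24"]},  # assumed
}

# RFC 1918 private address space; anything outside it is publicly routable.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole CIDR lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def validate_plan(plan):
    """Return a list of (severity, message) findings for the VPC/subnet plan."""
    findings = []
    nets = {name: ipaddress.ip_network(v["cidr"]) for name, v in plan.items()}

    # 1. Every subnet must lie inside its VPC's CIDR.
    for name, v in plan.items():
        for s in v["subnets"]:
            if not ipaddress.ip_network(s).subnet_of(nets[name]):
                findings.append(("error", f"{name}: subnet {s} is outside {v['cidr']}"))

    # 2. VPC CIDRs joined by a Transit Gateway must not overlap: a TGW route
    #    table cannot carry two routes for the same prefix.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(("error", f"{a} ({nets[a]}) overlaps {b} ({nets[b]})"))

    # 3. Subnets inside one VPC must not overlap each other.
    for name, v in plan.items():
        subs = [ipaddress.ip_network(s) for s in v["subnets"]]
        for i, a in enumerate(subs):
            for b in subs[i + 1:]:
                if a.overlaps(b):
                    findings.append(("error", f"{name}: subnets {a} and {b} overlap"))

    # 4. Warn when public (non-RFC 1918) space is used as a private VPC range.
    for name, v in plan.items():
        if not is_rfc1918(v["cidr"]):
            findings.append(("warning", f"{name}: {v['cidr']} is not RFC 1918 private space"))
    return findings


if __name__ == "__main__":
    for severity, msg in validate_plan(VPC_PLAN):
        print(f"[{severity}] {msg}")
```

Run against the article's plan it reports no overlap errors, but it does warn that 192.0.0.0/16 and 172.0.0.0/16 are not RFC 1918 space (the private blocks are 172.16.0.0/12 and 192.168.0.0/16); 10.0.0.0/16 passes cleanly.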

Step 1: Create a Transit Gateway in us-east-1

  1. In the AWS Management Console, navigate to the "Transit Gateways" section.

  2. Click on "Create Transit Gateway."

  3. Fill in the required details:

    • Name: Provide a name for your Transit Gateway.

    • Amazon side ASN: Choose a unique Autonomous System Number (ASN). You can use the default provided by AWS.

    • Description: Optionally, add a description.

  4. Click on "Create Transit Gateway."

Step 2: Attach VPCs to the Transit Gateway

  1. In the Transit Gateway Dashboard, select your newly created Transit Gateway.

  2. Go to the "Attachments" tab.

  3. Click on "Create Transit Gateway Attachment."

  4. Fill in the required details:

    • Transit Gateway Attachment Name: Provide a name for the attachment.

    • Attachment Type: Choose "VPC."

    • VPC ID: Select the first VPC you want to connect.

    • Subnet IDs: Choose the subnets within the VPC that should be part of this attachment.

  5. Click on "Create attachment."

  6. Repeat the process to attach the second VPC to the Transit Gateway.

Step 3: Update VPC Route Tables

  1. In the VPC Dashboard, go to "Route Tables."

  2. For each VPC:

    • Select the VPC's main route table.

    • Add a route for the Transit Gateway:

      • Destination: Enter the CIDR block of the other VPC.

      • Target: Choose the Transit Gateway ID.

Step 4: Propagate Routes (Optional)

  1. In the Transit Gateway Dashboard, go to the "Route Tables" tab.

  2. Select the default route table.

  3. Click on "Associations" and associate the route table with the VPC attachments.

  4. Enable route propagation for the route table.

Go to the other region (us-west-2) and create another Transit Gateway.

Next, we will create a Transit Gateway attachment of type "Peering" to connect the two Transit Gateways.

Create a Transit Gateway Attachment with Type Peering

  1. In the AWS Management Console, navigate to the "Transit Gateways" section.

  2. Select the first Transit Gateway.

  3. Go to the "Attachments" tab.

  4. Click on "Create Transit Gateway Attachment."

  5. Fill in the required details:

    • Transit Gateway Attachment Name: Provide a name for the attachment.

    • Attachment Type: Choose "Peering."

    • Peer Transit Gateway ID: Select the ID of the second Transit Gateway.

    • Routing Options: Choose the appropriate routing option based on your requirements.

    • Association Default Route Table: Choose whether to associate the default route table.

  6. Click on "Create attachment."

Step 3: Accept Peering Attachment Requests

  1. Go to the "Transit Gateways" section.

  2. Select the second Transit Gateway.

  3. Go to the "Attachments" tab.

  4. You should see a pending attachment request from the first Transit Gateway.

  5. Click on "Accept attachment."

Step 4: Update Route Tables (Optional)

You may need to update the route tables associated with the Transit Gateways to enable routing between attached VPCs.

Now we have to update the Transit Gateway route tables so that traffic is routed between the two Transit Gateways in different regions.

To create a static route between two Transit Gateways for traffic between the 10.0.0.0/16 and 192.0.0.0/16 CIDR blocks, you'll need to update the route tables associated with the Transit Gateways. Here's a general guide:

Step 1: Identify the Transit Gateways and Route Tables

  1. In the AWS Management Console, navigate to the "Transit Gateways" section.

  2. Identify the two Transit Gateways you want to connect.

  3. For each Transit Gateway, note the associated route table ID.

Step 2: Update Route Tables

For Transit Gateway 1:

  1. Go to the "Transit Gateways" section.

  2. Select Transit Gateway 1.

  3. Go to the "Route Tables" tab.

  4. Select the route table associated with Transit Gateway 1.

  5. Click on "Edit routes."

  6. Add a static route for the 192.0.0.0/16 CIDR block:

    • Destination: 192.0.0.0/16

    • Target: Transit Gateway 2 Attachment ID or Peer Transit Gateway ID

  7. Save the changes.

For Transit Gateway 2:

  1. Go to the "Transit Gateways" section.

  2. Select Transit Gateway 2.

  3. Go to the "Route Tables" tab.

  4. Select the route table associated with Transit Gateway 2.

  5. Click on "Edit routes."

  6. Add a static route for the 10.0.0.0/16 CIDR block:

    • Destination: 10.0.0.0/16

    • Target: Transit Gateway 1 Attachment ID or Peer Transit Gateway ID

  7. Save the changes.
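With two regions, every VPC route table needs a route for each of the other VPC CIDRs pointing at its local Transit Gateway, and each Transit Gateway route table needs the remote region's CIDRs as static routes over the peering attachment (local VPCs arrive through their VPC attachments, which is what route propagation adds). The following is an added example, not code from the article, that computes the complete set of routes for the layout described above: hycloud-vpc-01 and hycloud-vpc-02 attached to the us-east-1 Transit Gateway, hycloud-vpc-03 attached to the us-west-2 one, and a peering attachment between them. The Transit Gateway labels and all attachment IDs are placeholders, not values from the page.

```python
import ipaddress

# Constructed topology following the walkthrough. "tgw-east"/"tgw-west" stand
# in for the real tgw-... IDs and every attachment ID is a placeholder.
TOPOLOGY = {
    "vpcs": {
        "hycloud-vpc-01": {"cidr": "10.0.0.0/16", "tgw": "tgw-east",
                           "attachment": "tgw-attach-VPC1-PLACEHOLDER"},
        "hycloud-vpc-02": {"cidr": "192.0.0.0/16", "tgw": "tgw-east",
                           "attachment": "tgw-attach-VPC2-PLACEHOLDER"},
        "hycloud-vpc-03": {"cidr": "172.0.0.0/16", "tgw": "tgw-west",
                           "attachment": "tgw-attach-VPC3-PLACEHOLDER"},
    },
    # Each TGW's side of the single peering attachment.
    "peering": {"tgw-east": "tgw-attach-PEER-EAST-PLACEHOLDER",
                "tgw-west": "tgw-attach-PEER-WEST-PLACEHOLDER"},
}


def plan_routes(topology):
    """Return {route_table: [(destination_cidr, target), ...]} for every VPC
    route table and every Transit Gateway route table in the topology."""
    vpcs = topology["vpcs"]
    peering = topology["peering"]
    routes = {}

    # VPC route tables: one route per *other* VPC, all targeting the local TGW.
    for name, v in vpcs.items():
        routes[f"vpc-rt/{name}"] = [(o["cidr"], v["tgw"])
                                    for other, o in vpcs.items() if other != name]

    # TGW route tables: local VPCs via their VPC attachment (propagated),
    # remote-region VPCs as static routes via the peering attachment.
    for tgw, peer_attachment in peering.items():
        entries = []
        for v in vpcs.values():
            target = v["attachment"] if v["tgw"] == tgw else peer_attachment
            entries.append((v["cidr"], target))
        routes[f"tgw-rt/{tgw}"] = entries
    return routes


def find_conflicts(routes):
    """A route table cannot hold two different targets for one prefix;
    return [(table, cidr)] for any such collision."""
    conflicts = []
    for table, entries in routes.items():
        seen = {}
        for dest, target in entries:
            prefix = ipaddress.ip_network(dest)
            if prefix in seen and seen[prefix] != target:
                conflicts.append((table, dest))
            seen[prefix] = target
    return conflicts


def static_peering_routes(routes, topology):
    """Only the routes that must be entered by hand: those whose target is a
    peering attachment (propagation does not cross a TGW peering)."""
    peer_ids = set(topology["peering"].values())
    return {table: [(d, t) for d, t in entries if t in peer_ids]
            for table, entries in routes.items() if table.startswith("tgw-rt/")}


if __name__ == "__main__":
    plan = plan_routes(TOPOLOGY)
    for table, entries in static_peering_routes(plan, TOPOLOGY).items():
        for dest, target in entries:
            print(f"{table}: {dest} -> {target}")
    print("conflicts:", find_conflicts(plan))
```

For this layout the us-east-1 table gets one static route (172.0.0.0/16 via the peering attachment) and the us-west-2 table gets two (10.0.0.0/16 and 192.0.0.0/16), which is the asymmetry to keep in mind when the two regions hold different numbers of VPCs.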

Now it's time to deploy a bastion host in VPC-1; two web servers, an ALB and a NAT Gateway in VPC-2; and an app server and NAT Gateway in VPC-3.

Create the bastion host in the VPC-1 public subnet. Please follow the AWS documentation below to create the EC2 instance:

"Step 2: Create your EC2 resources and launch your EC2 instance" (Amazon Elastic File System user guide)

Now create the ALB and attach targets. We will be using listeners on ports 80 and 443, with an ACM certificate for SSL.

Step 1: Create an Application Load Balancer (ALB)

  1. In the AWS Management Console, navigate to the "EC2" service.

  2. In the left navigation pane, under "Load Balancing," select "Load Balancers."

  3. Click on "Create Load Balancer."

  4. Choose "Application Load Balancer" and click "Create."

  5. Configure the ALB settings:

    • Name: Provide a name for your ALB.

    • Scheme: Choose "internet-facing" for a public-facing ALB.

    • Listeners: Add listeners (e.g., HTTP on port 80 and HTTPS on port 443).

  6. Create a New Target Group

    1. Click on the "Create Target Group" button.

    2. Configure the target group settings:

      • Name: Provide a name for your target group.

      • Protocol: Choose the protocol for your target group (e.g., HTTP or HTTPS).

      • Port: Specify the port (e.g., 80 for HTTP).

      • VPC: Select the VPC in which your ALB and instances are located.

    3. Click on "Next" to proceed to the Health checks configuration.

Step 2: Configure Health Checks

  1. Configure the health check settings:

    • Protocol: Choose the protocol for health checks (e.g., HTTP or HTTPS).

    • Path: Specify the health check path (e.g., /index.html).

    • Port: Specify the port for health checks.

    • Healthy threshold: Set the number of consecutive successful health checks required to consider an instance healthy.

    • Unhealthy threshold: Set the number of consecutive failed health checks required to consider an instance unhealthy.

    • Timeout: Set the amount of time to wait when receiving a response to a health check.

    • Interval: Set the time between health checks.

  2. Click on "Next" to proceed to the Targets configuration.

Proceed without targets.

Step 3: Create EC2 Instances in Private Subnets

  1. In the AWS Management Console, navigate to the "EC2" service.

  2. Launch two EC2 instances in your private subnets.

  3. While launching instances, configure the following:

    • AMI: Choose an Amazon Linux 2 AMI or any other suitable AMI.

    • Instance Type: Choose an appropriate instance type.

    • Network: Select the VPC and private subnet for each instance.

    • Security Group: Allow incoming traffic on ports 80 and 443 (HTTP & HTTPS) for httpd.

  4. Under "Advanced Details" or "User Data," provide the following user data script:

         #!/bin/bash
         # Install Apache on Amazon Linux 2 and write a placeholder page
         yum update -y
         yum install -y httpd
         echo "<html><body><h1>Hello from EC2</h1></body></html>" > /var/www/html/index.html
         # Fetch the private IPv4 address through IMDSv2 (token first); a plain
         # GET without the token fails when the instance enforces IMDSv2
         TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
         LOCAL_IP=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/local-ipv4)
         # Set ServerName before starting httpd so the running service uses it
         echo "ServerName $LOCAL_IP" >> /etc/httpd/conf/httpd.conf
         systemctl start httpd
         systemctl enable httpd
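The security group step above only says which ports to open, not from where. For instances in private subnets the only legitimate sources are the ALB (ports 80 and 443) and the bastion host (port 22), and both can be expressed as source security groups rather than CIDR ranges, so a rule with 0.0.0.0/0 on a private web server is a misconfiguration worth catching. The following is an added example (not from the article) that audits a web-server group's ingress rules in the shape of the `IpPermissions` list returned by `aws ec2 describe-security-groups`; the rule sets are constructed and every group ID is a placeholder.

```python
# Placeholder group IDs (constructed; the article does not give its real IDs).
ALB_SG = "sg-ALB-PLACEHOLDER"
BASTION_SG = "sg-BASTION-PLACEHOLDER"

# Weak form: web ports and SSH open to the whole internet.
WEB_SG_OPEN = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]

# Hardened form: web ports only from the ALB's group, SSH only from the bastion's.
WEB_SG_HARDENED = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
]

WEB_PORTS = {80, 443}


def audit_web_sg(rules, alb_sg, bastion_sg):
    """Return finding strings for ingress rules wider than
    'ALB group -> 80/443, bastion group -> 22' on a private web server."""
    findings = []
    for rule in rules:
        proto = rule["IpProtocol"]
        if proto == "-1":  # all protocols, all ports
            ports, label = None, "all ports"
        else:
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            ports, label = set(range(lo, hi + 1)), f"{proto} {lo}-{hi}"

        # Private instances are reached through the ALB and the bastion, both
        # identifiable by security group, so no CIDR source should be needed.
        for r in rule.get("IpRanges", []):
            findings.append(f"{label} open to CIDR {r['CidrIp']}; "
                            "use a source security group instead")

        for g in rule.get("UserIdGroupPairs", []):
            gid = g["GroupId"]
            if ports is None:
                findings.append(f"all ports open to {gid}; scope the rule to 80/443 or 22")
            elif ports <= WEB_PORTS:
                if gid != alb_sg:
                    findings.append(f"{label} open to {gid}; only the ALB group "
                                    f"{alb_sg} should reach web ports")
            elif ports == {22}:
                if gid != bastion_sg:
                    findings.append(f"SSH open to {gid}; only the bastion group "
                                    f"{bastion_sg} should reach port 22")
            else:
                findings.append(f"{label} open to {gid}; unexpected port range for a web server")
    return findings


if __name__ == "__main__":
    for name, rules in (("open", WEB_SG_OPEN), ("hardened", WEB_SG_HARDENED)):
        print(f"{name}: {audit_web_sg(rules, ALB_SG, BASTION_SG) or 'no findings'}")
```

The same function can be pointed at the real output of `aws ec2 describe-security-groups --group-ids <web-sg-id>` by passing `SecurityGroups[0].IpPermissions` as `rules`; the hardened rule set above is the one that produces no findings.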

Step 4: Attach EC2 Instances to ALB

  1. Once the EC2 instances are running, go back to the ALB configuration.

  2. In the ALB menu, select the "Target Groups" tab.

  3. Click on "Create Target Group."

    • Name: Provide a name for the target group.

    • Protocol: Choose "HTTP" or "HTTPS" based on your needs.

    • Port: Set to 80

    • VPC: Select the VPC.

  4. In the "Targets" tab, register your EC2 instances.

  5. Go back to the "Listeners" tab, edit the listener, and associate the target group with the listener.

Similarly, launch another EC2 instance in the us-west-2 VPC.

Test Connectivity:

Login to Bastion host with public IP:

Try to telnet and SSH to one of the servers in the private subnet.

We noticed that telnet and SSH are successful. Please make sure that you add the key pair to the bastion host before proceeding with SSH.

Also, telnet from a private EC2 instance to a private EC2 instance in the other region is successful.

Create an SSL certificate in ACM and update the Route 53 records. We need a custom domain to obtain the certificate.

I have copied a static HTML file into the /var/www/html folder.

Now, open the web browser and enter hycloud.in.

Please follow the page for more AWS and DevOps project articles. Also, connect on LinkedIn: Md Shakil.