# Amazon Certificate Training Labs

# Lab 1: Exploring and Interacting with the AWS Management Console and AWS CLI



# Lab overview

The Amazon Web Services (AWS) environment is an integrated collection of hardware and software services designed to provide quick and inexpensive use of resources. The AWS API sits atop the AWS environment. An API represents a way to communicate with a resource. There are different ways to interact with AWS resources, but all interaction uses the AWS API. The AWS Management Console provides a simple web interface for AWS. The AWS Command Line Interface (AWS CLI) is a unified tool to manage your AWS services through the command line. Whether you access AWS through the AWS Management Console or using the command line tools, you are using tools that make calls to the AWS API.

This lab follows the Architecting Fundamentals module, which focuses on the core requirements for creating workloads in AWS. This lab reinforces module discussions on the what, where, and how of building AWS workloads. Students first explore the features of the AWS Management Console and then use the Amazon Simple Storage Service (Amazon S3) API to deploy and test connectivity to an Amazon S3 bucket using two different methods:

- AWS Management Console
- AWS CLI

### OBJECTIVES

After completing this lab, you should be able to do the following:

- Explore and interact with the AWS Management Console.
- Create resources using the AWS Management Console.
- Explore and interact with the AWS CLI.
- Create resources using the AWS CLI.

### ICON KEY

Various icons are used throughout this lab to call attention to different types of instructions and notes. The following list explains the purpose for each icon:

- **Note:** A hint, tip, or important guidance.
- **Learn more:** Where to find more information.
- **Caution:** Information of special interest or importance (not so important to cause problems with the equipment or data if you miss it, but it could result in the need to repeat certain steps).
- **WARNING:** An action that is irreversible and could potentially impact the failure of a command or process (including warnings about configurations that cannot be changed after they are made).
- **Expected output:** A sample output that you can use to verify the output of a command or edited file.
- **Command:** A command that you must run.
- **Consider:** A moment to pause to consider how you might apply a concept in your own environment or to initiate a conversation about the topic at hand.

# Scenario

The lab environment provides you with the following resources to get started: an Amazon Virtual Private Cloud (Amazon VPC), the necessary underlying network structure, a security group allowing the HTTP protocol over port 80, an Amazon Elastic Compute Cloud (Amazon EC2) instance with the AWS CLI installed, and an associated Amazon EC2 instance profile. The instance profile contains the permissions necessary to allow Session Manager, a capability of AWS Systems Manager, to access the Amazon EC2 instance.

The following diagram shows the interactive flow of the AWS API for creating AWS services and resources used in the lab through the AWS Management Console and AWS CLI.

![Lab-1-Overview.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/lab-1-overview.png)

### AWS SERVICES NOT USED IN THIS LAB

AWS services not used in this lab are deactivated in the lab environment. In addition, the capabilities of the services used in this lab are limited to only what the lab requires. Expect errors when accessing other services or performing actions beyond those provided in this lab guide.

# Steps

## Task 1: Explore and configure the AWS Management Console

In this task, you explore the AWS Management Console and the unified search tool. You then configure the Region, widgets, and services.

 **Learn more:** The AWS Management Console provides secure sign-in using your AWS account root user credentials or AWS Identity and Access Management (IAM) account credentials. When you first sign in, the user credentials are authenticated and the home page is displayed. The home page provides access to each service console and offers a single place to access the information you need to perform your AWS related tasks. For more information, see [What is the AWS Management Console?](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/learn-whats-new.html).

### TASK 1.1: CHOOSE AN AWS REGION

In this task, you choose an AWS Region that specifies where your resources are managed. Regions are sets of AWS resources located in the same geographical area.

3. On the navigation bar, choose the **Region** selector displayed at the top-right corner of the console, and then choose the Region to which you want to switch.

The Region on the console home page is now changed to the Region you chose.

 **Caution:** If the chosen Region opens up a different webpage instead of the console home page, choose Cancel and try to choose a different Region.

Next, you configure the default Region.

4. To open the General Settings page, choose the gear icon on the navigation bar.
5. Choose **More user settings**.

The **Unified Settings** page is displayed.

6. In the **Localization and default Region** section, choose Edit.
7. For **Default Region**, select any *Region* from the dropdown menu.
8. Choose Save settings.

A **Successfully updated localization and Region settings** message is displayed on top of the screen.

 **Caution:** If the current Region shown on the Region selector in the top-right corner is the same Region you choose in the default Region dropdown list, you will not see the success message with Go to new default Region. Try choosing a different Region from the dropdown menu to see this message and complete the next step.

9. Choose Go to new default Region.

The **Unified Settings** page is displayed with the Region set to the **Default Region** you chose.

 **Note:** If you do not choose a default Region, the last Region you visited becomes your default.

10. Choose the **AWS logo** displayed in the upper-left-hand corner to return to the console home page.
11. On the navigation bar, choose the **Region selector** displayed at the top-right corner of the console, and then choose the **Region** that matches the **LabRegion** value located to the left of these instructions.

 **Caution:** Verify that you are in the **correct Region** that matches the **LabRegion** value located to the left of these instructions.

### TASK 1.2: SEARCH WITH THE AWS MANAGEMENT CONSOLE

In this task, you explore the search box on the navigation bar, which provides a unified search tool for locating AWS services and features, service documentation, and the AWS Marketplace.

12. To open a console for a service, go to the *Search* box in the navigation bar of the AWS Management Console, and enter <span id="bkmrk-"><span class="awsui-util-copy-text"></span></span>.

The more characters you type, the more the search refines your results.

13. To narrow the results to the type of content that you want, choose one of the categories on the left navigation pane.
14. To quickly navigate to a service or popular features of a service, in the **Services** section, hover over the **AWS Cloud Map** service name in the results and choose the link.

The **AWS Cloud Map console** page is displayed.

 **Note:** For more details about a documentation result or AWS Marketplace result, hover on the result title and choose a link.

15. Choose the **AWS logo** displayed in the upper-left-hand corner to return to the console home page.

### TASK 1.3: ADD AND REMOVE FAVORITES

In this task, you explore the AWS Management Console to add AWS services to your Favorites list and remove added services from the Favorites list.

#### Add a service to the list of favorites

16. On the navigation bar, choose Services to open a full list of services.
17. From the left navigation menu, choose **All services** or **Recently visited**, and then choose a service from the list that you want to add as a favorite.
18. To the left of the service name, select the **star**.

 **Note:** Repeat the previous step to add more services to your Favorites list.

19. To view the list of favorite services, from the left navigation menu, choose **Favorites**.

 **Note:** Alternatively, Favorites are pinned and visible on the navigation bar at the top of the console window.

#### Remove a service from the list of favorites

20. On the navigation bar, choose Services to open a full list of services.
21. In the **Favorites** list, deselect the star next to the name of a service you wish to remove.

 **Note:** Alternatively, in the **Recently visited** list or **All services** list, deselect the star next to the name of a service that is in your Favorites list.

### TASK 1.4: OPEN A CONSOLE FOR A SERVICE

22. On the navigation bar, choose Services to open a full list of services.
23. Choose a service under **Favorites** or **Recently visited** or **All services** to quickly navigate to a specific service.

The chosen **service console** page is displayed.

24. Choose the **AWS logo** displayed in the upper-left-hand corner to return to the AWS Management Console home page.

### TASK 1.5: CREATE AND USE DASHBOARD WIDGETS

In this task, you learn about the widgets that display important information about your AWS environment and provide shortcuts to your services. You can customize your experience by adding and removing widgets, rearranging them, or changing their size.

25. To add a widget, choose + Add widgets.

The **Add widgets** window is displayed.

26. In the **Add widgets** menu, choose the **title bar** at the top of the widget that you want to add and then drag the widget on the console page.
27. To rearrange a widget, configure the following:

- Choose the **title bar** at the top of the widget, for example, Favorites, and then drag the widget to a new location on the console page.

28. To resize a widget, configure the following:

- Choose the **Recently Visited** widget.
- Drag the bottom-right corner of the widget to resize.

 **Note:** You cannot adjust the size of the Welcome to AWS, Explore AWS, and AWS Health widgets.

29. To remove a widget, configure the following:

- Choose the **Welcome to AWS** widget.
- In the upper-right corner of the widget, choose the widget actions **ellipsis icon**, represented by three vertical dots.
- Choose **Remove widget**.

 Congratulations! You have explored the AWS Management Console and learned to customize your console home screen.

---

## Task 2: Create an Amazon S3 bucket using the AWS Management Console

In this task, you create and configure a new Amazon S3 bucket in the *LabRegion* using the AWS Management Console.

 **Caution:** Verify that you are in the **correct Region** that matches the **LabRegion** value located to the left of these instructions.

 **Learn more:** Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. Customers can use Amazon S3 to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, Internet of Things (IoT) devices, and big data analytics. For more information, see [What is Amazon S3?](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html).

![Task2.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/task2.png)

30. On the Services menu, choose **All Services**.
31. On the left navigation menu, scroll down the list and choose **Storage**.
32. From the **Storage** list, choose **S3**.

 **Note:** You can also search for <span id="bkmrk--3"></span> in the *Search* bar at the top of the console.

33. In the navigation pane on the left-hand side of the console, choose **Buckets**.
34. Choose Create bucket.

The **Create bucket** page is displayed.

35. In the **General configuration** section, for **Bucket name**, enter <span id="bkmrk--5"><span class="awsui-util-copy-text"></span></span>.

 **Note:** Replace *NUMBER* in the bucket name with a random number. This ensures that you have a unique name.

- Example bucket name: <span id="bkmrk--6"><span class="awsui-util-copy-text"></span></span>

 **Note:** Amazon S3 bucket names must be globally unique and Domain Name System (DNS) compliant.

36. The **AWS Region** should match the *LabRegion* value found to the left of these lab instructions.
37. Leave all other settings on this page as the default configurations.
38. Choose Create bucket at the bottom of the screen.

 In terms of implementation, you can create a bucket using the Amazon S3 API, but you performed the same operation using the Amazon S3 console instead. The console uses the Amazon S3 APIs to send requests to Amazon S3.

A **Successfully created bucket "labbucket-xxxxx"** message is displayed on top of the screen.

The S3 console is displayed. The newly created bucket is displayed among the list of all the buckets for the account.

 Congratulations! You have created a new Amazon S3 bucket with the default configuration.

---

## Task 3: Upload an object into the Amazon S3 bucket using the S3 console

In this task, you upload an object into the previously created S3 bucket using the S3 console.

39. Right-click this [image link](https://us-west-2-tcprod.s3.us-west-2.amazonaws.com/courses/ILT-TF-200-ARCHIT/v7.7.1.prod-ac6a334e/lab-1-Explore/instructions/en_us/images/HappyFace.jpg) to open the context menu, and then choose the option to save the image to your computer.

- Name your file similar to *HappyFace.jpg*.

 **Note:** The method to save files varies by web browser. Choose the appropriately worded option from your context menu.

40. In the **Amazon S3** console, choose the **labbucket-xxxxx** bucket.
41. Choose Upload.

The **Upload** page is displayed.

42. Choose Add files.
43. Browse to and choose the **HappyFace.jpg** picture you downloaded.
44. Choose Upload.

An **Upload succeeded** message is displayed on top of the screen.

45. Choose Close.

 Congratulations! You have uploaded an object into the Amazon S3 bucket.

---

## Task 4: Create an Amazon S3 bucket and upload an object using the AWS CLI

In this task, you use the AWS CLI to create an Amazon S3 bucket. The AWS CLI is an open-source tool that you can use to interact with AWS services using commands in your command line shell.

### TASK 4.1: CREATE A CONNECTION TO THE COMMAND HOST USING SESSION MANAGER

An Amazon EC2 instance pre-configured with the AWS CLI has been provided for you to use in this lab. It has the name *Command Host*.

![Task4.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/task4.png)

46. At the top of the AWS Management Console, in the search box, search for and choose .
47. In the navigation pane on the left-hand side of the console, choose **Instances**.
48. Select **Command Host**.
49. Choose Connect.

The **Connect to instance** page is displayed.

50. Choose the **Session Manager** tab.

 **Learn more:** With Session Manager, you can connect to Amazon EC2 instances without having to expose the SSH port on your firewall or Amazon VPC security group. For more information, see [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).

51. Choose Connect.

 **Note:** Alternatively, you can copy the **CommandHostSessionUrl** value from the left side of these lab instructions and paste it in a new browser tab. The terminal for the Command Host instance opens.

A new browser tab or window opens with a connection to the Command Host instance.

### TASK 4.2: USE HIGH-LEVEL S3 COMMANDS WITH THE AWS CLI

In this task, you access the high-level features of Amazon S3 using the AWS CLI.

52. **Command:** Enter the following command in your Command Host session:

 **Tip:** To copy the command, hover on it and choose the copy icon. Paste the command in the Command Host session.

 **Note:** The following **ls** command lists all of the buckets owned by the user.

```
aws s3 ls
```


53. **Command:** Copy the following command to a text editor, replace *NUMBER* with the random number you chose for your bucket, and paste the command in the Command Host session.

 **Note:** The following **mb** command creates a bucket.

```
aws s3 mb s3://labclibucket-NUMBER
```


- Example bucket name: *<span id="bkmrk--14"><span class="awsui-util-copy-text"></span></span>*

54. To run the modified command in your Command Host session, press Enter.

 **Expected output:**

```
make_bucket: labclibucket-xxxxx
```


 **Note:** To simplify the instructions in this lab, this newly created bucket will be referred to as the **labclibucket-NUMBER** for the remainder of the instructions, regardless of what bucket name you actually choose in this step.

55. **Command:** Enter the following command in your Command Host session:

```
aws s3 ls
```


Notice the newly created bucket in the output list.

56. **Command:** Copy the following command to a text editor, replace *labclibucket-NUMBER* with the name of the S3 bucket you created in the previous step, and paste the command in the Command Host session.

 **Note:** The following **cp** command copies a single file to a specified bucket.

```
aws s3 cp /home/ssm-user/HappyFace.jpg s3://labclibucket-NUMBER
```


57. To run the modified command in your Command Host session, press Enter.

 **Expected output:**

```
upload: ../../home/ssm-user/HappyFace.jpg to s3://labclibucket-xxxxx/HappyFace.jpg
```


58. **Command:** Copy the following command to a text editor, replace *labclibucket-NUMBER* with the name of the S3 bucket you created in the previous step, and paste the command in the Command Host session.

 **Note:** The following **ls** command lists objects under a specified bucket.

```
aws s3 ls s3://labclibucket-NUMBER
```


 Notice the uploaded object in the newly created bucket in the output list. You can close the browser tab.

As demonstrated in this task, the high-level Amazon S3 commands simplify managing Amazon S3 objects. Using these commands, you can manage objects between buckets and between Amazon S3 and local directories. The high-level `s3` commands are built on top of the operations of the S3 API.
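The note in Task 2 says bucket names must be globally unique and DNS compliant, and `aws s3 mb` simply fails when they are not. The following script is an added example, not part of the lab guide: it checks a candidate name against the S3 general-purpose bucket naming rules, builds a name with the random `NUMBER` suffix the lab asks for, and then runs the Task 4.2 sequence (`mb`, `cp`, `ls`) as one function. It assumes the AWS CLI and the instance profile from the Command Host; the `DRY_RUN` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the lab guide): check a bucket name against the
# Amazon S3 naming rules before creating it, then run the Task 4.2 sequence
# (mb, cp, ls). Assumes the AWS CLI and the instance profile from the lab.

# Return 0 if NAME satisfies the general-purpose bucket naming rules:
# 3-63 characters, only lowercase letters, digits, dots and hyphens,
# starts and ends with a letter or digit, no "..", not shaped like an IPv4 address.
valid_bucket_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  case $name in
    *[!a-z0-9.-]*) return 1 ;;          # uppercase, underscore or other illegal character
    [!a-z0-9]*|*[!a-z0-9]) return 1 ;;  # must begin and end with a letter or digit
    *..*) return 1 ;;                   # adjacent periods are not allowed
  esac
  # a dotted-quad such as 192.168.1.1 passes the checks above but is rejected by S3
  if printf '%s' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
    return 1
  fi
  return 0
}

# Build a lab-style name with a random numeric suffix (the lab's NUMBER),
# which gives a good chance of being globally unique.
new_bucket_name() {
  prefix=${1:-labclibucket}
  printf '%s-%s' "$prefix" "$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')"
}

# Task 4.2 as one function: create the bucket, upload the object, list the bucket.
# OBJECT defaults to the path used in the lab. With DRY_RUN=1 the commands are
# printed instead of run, so the sequence can be reviewed without AWS access.
lab_s3_flow() {
  bucket=$1
  object=${2:-/home/ssm-user/HappyFace.jpg}
  valid_bucket_name "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 2; }
  for cmd in "aws s3 mb s3://$bucket" \
             "aws s3 cp $object s3://$bucket" \
             "aws s3 ls s3://$bucket"; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$cmd"
    else
      $cmd || return 1                  # stop at the first failing step
    fi
  done
}

# Example run in the Command Host session (prints the three commands):
# DRY_RUN=1 lab_s3_flow "$(new_bucket_name)"
```

Run it with `DRY_RUN=1` first to see the exact commands, then without it to create the bucket and upload the object; a name that fails validation is rejected before any API call is made.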

 Congratulations! You have used the AWS CLI to create, list, and copy objects into the Amazon S3 bucket.

# Conclusion

 Congratulations! You now have successfully:

- Explored and interacted with the AWS Management Console.
- Created resources using the AWS Management Console.
- Explored and interacted with the AWS CLI.
- Created resources using the AWS CLI.

# Lab 2: Building your Amazon VPC Infrastructure



# Lab overview

As an AWS solutions architect, it is important that you understand the overall functionality and capabilities of Amazon Web Services (AWS) and the relationship between the AWS networking components. In this lab, you create an Amazon Virtual Private Cloud (Amazon VPC), a public and a private subnet in a single Availability Zone, public and private routes, a NAT gateway, and an internet gateway. These services are the foundation of networking architecture inside of AWS. This architecture design covers concepts of infrastructure, design, routing, and security.

The following image shows the final architecture for this lab environment:

![Lab2-Overview.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/lab2-overview.png)

### OBJECTIVES

After completing this lab, you should know how to do the following:

- Create an Amazon VPC.
- Create public and private subnets.
- Create an internet gateway.
- Configure a route table and associate it to a subnet.
- Create an Amazon Elastic Compute Cloud (Amazon EC2) instance and make the instance publicly accessible.
- Isolate an Amazon EC2 instance in a private subnet.
- Create and assign security groups to Amazon EC2 instances.
- Connect to Amazon EC2 instances using Session Manager, a capability of AWS Systems Manager.

### ICON KEY

Various icons are used throughout this lab to call attention to different types of instructions and notes. The following list explains the purpose for each icon:

- **Command:** A command that you must run.
- **Expected output:** A sample output that you can use to verify the output of a command or edited file.
- **Note:** A hint, tip, or important guidance.
- **Learn more:** Where to find more information.
- **Security:** An opportunity to incorporate security best practices.
- **Caution:** Information of special interest or importance (not so important to cause problems with the equipment or data if you miss it, but it could result in the need to repeat certain steps).
- **WARNING:** An action that is irreversible and could potentially impact the failure of a command or process (including warnings about configurations that cannot be changed after they are made).

# Scenario

Your team has been tasked with prototyping an architecture for a new web-based application. To define your architecture, you need to have a better understanding of public and private subnets, routing, and Amazon EC2 instance options.

# Steps

## Task 1: Create an Amazon VPC in a Region

In this task, you create a new Amazon VPC in the AWS Cloud.

 **Learn more:** With Amazon VPC, you can provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address ranges, creation of subnets, and configuration of route tables and network gateways. You can also use the enhanced security options in Amazon VPC to provide more granular access to and from the Amazon EC2 instances in your virtual network.

![Lab2-VPC.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/lab2-vpc.png)

3. At the top of the AWS Management Console, in the search bar, search for and choose <span id="bkmrk--1"><span class="awsui-util-copy-text"></span></span>.

 **Caution:** Verify that the Region displayed in the top-right corner of the console is the same as the **Region** value on the left side of this lab page.

 **Note:** The VPC management console offers a VPC Wizard, which can automatically create several VPC architectures. However, in this lab you create the VPC components manually.

4. In the left navigation pane, choose **Your VPCs**.

The console displays a list of your currently available VPCs. A default VPC is provided so that you can launch resources as soon as you start using AWS.

5. Choose Create VPC and configure the following:

- **Resources to create:** Choose *VPC only*.
- **Name tag - *optional*:** Enter <span id="bkmrk--2"><span class="awsui-util-copy-text"></span></span>
- **IPv4 CIDR:** Enter <span id="bkmrk--3"><span class="awsui-util-copy-text"></span></span>

6. Choose Create VPC.

A **You successfully created vpc-xxxxxxxxxx / Lab VPC** message is displayed on top of the screen.

The **VPC Details** page is displayed.

7. Verify the state of the **Lab VPC**.

 **Expected output:** It should display the following:

- **State:** Available

 The lab VPC has a Classless Inter-Domain Routing (CIDR) range of **10.0.0.0/16**, which includes all IP addresses that start with **10.0.x.x**. This range contains over 65,000 addresses. You later divide the addresses into separate subnets.

8. From the same page, choose Actions and choose **Edit VPC settings**.

The **Edit VPC settings** page is displayed.

9. From the **DNS settings** section, select **Enable DNS hostnames**.

This option assigns a friendly Domain Name System (DNS) name to Amazon EC2 instances in the VPC, such as the following:

*ec2-52-42-133-255.us-west-2.compute.amazonaws.com*

10. Choose Save.

A **You have successfully modified the settings for vpc-xxxxxxxxxx / Lab VPC.** message is displayed on top of the screen.

Any Amazon EC2 instances launched into this Amazon VPC now automatically receive a DNS hostname. You can also create a more meaningful DNS name (for example, *app.company.com*) using records in Amazon Route 53.

 Congratulations! You have successfully created your own VPC and now you can launch the AWS resources in this defined virtual network.

---

## Task 2: Create public subnets and private subnets

In this task, you create a public subnet and a private subnet in the lab VPC. To add a new subnet to your VPC, you must specify an IPv4 CIDR block for the subnet from the range of your VPC. You can specify the Availability Zone in which you want the subnet to reside. You can have multiple subnets in the same Availability Zone.

![Lab2-Subnets.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/lab2-subnets.png)

 **Note:** A *subnet* is a sub-range of IP addresses within a network. You can launch AWS resources into a specified subnet. Use a *public subnet* for resources that must be connected to the internet, and use a *private subnet* for resources that are to remain isolated from the internet.

### TASK 2.1: CREATE YOUR PUBLIC SUBNET

The public subnet is for internet-facing resources.

11. In the left navigation pane, choose **Subnets**.
12. Choose Create subnet and configure the following:

- **VPC ID:** Select **Lab VPC** from the dropdown menu.
- **Subnet name:** Enter <span id="bkmrk--6"><span class="awsui-util-copy-text"></span></span>.
- **Availability Zone:** Select the **first** Availability Zone in the list. (Do **not** choose *No Preference*.)
- **IPv4 CIDR block:** Enter <span id="bkmrk--7"><span class="awsui-util-copy-text"></span></span>.

13. Choose Create subnet.

A **You have successfully created 1 subnet: subnet-xxxxxx** message is displayed on top of the screen.

14. Verify the state.

 **Expected output:** It should display the following:

- **State:** Available

 **Note:** The VPC has a CIDR range of **10.0.0.0/16**, which includes all **10.0.x.x** IP addresses. The subnet you just created has a CIDR range of **10.0.0.0/24**, which includes all **10.0.0.x** IP addresses. These ranges might look similar, but the subnet is smaller than the VPC because of the **/24** in the CIDR range.

Now, configure the subnet to automatically assign a public IP address for all instances launched within it.

15. Select **Public Subnet**.
16. Choose Actions and choose **Edit subnet settings**.

The **Edit subnet settings** page is displayed.

17. From the **Auto-assign IP settings** section, select **Enable auto-assign public IPv4 address**.
18. Choose Save.

A **You have successfully changed subnet settings:** Enable auto-assign public IPv4 address message is displayed on top of the screen.

 **Note:** Even though this subnet is named **Public Subnet**, it is not yet public. A public subnet must have an internet gateway and route to the gateway. You create and attach the internet gateway and route tables in this lab.

### TASK 2.2: CREATE YOUR PRIVATE SUBNET

The private subnet is for resources that are to remain isolated from the internet.

19. Choose Create subnet, and then configure the following:

- **VPC ID:** Select **Lab VPC** from the dropdown menu.
- **Subnet name:** Enter <span id="bkmrk--8"><span class="awsui-util-copy-text"></span></span>.
- **Availability Zone:** Select the **first** Availability Zone in the list. (Do **not** choose *No Preference*.)
- **IPv4 CIDR block:** Enter <span id="bkmrk--9"><span class="awsui-util-copy-text"></span></span>.

20. Choose Create subnet.

A **You have successfully created 1 subnet: subnet-xxxxxx** message is displayed on top of the screen.

21. Verify the state.

 **Expected output:** It should display the following:

- **State:** Available

 **Note:** The CIDR block of **10.0.2.0/23** includes all IP addresses that start with **10.0.2.x** and **10.0.3.x**. This is twice as large as the public subnet because most resources should be kept private, unless they specifically need to be accessible from the internet.

Your VPC now has two subnets. However, these subnets are isolated and cannot communicate with resources outside the VPC. Next, you configure the public subnet to connect to the internet through an internet gateway.

 Congratulations! You have successfully created a public subnet and a private subnet in the lab VPC.
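The notes above reason about the sizes of the 10.0.0.0/16, 10.0.0.0/24 and 10.0.2.0/23 blocks by eye. The script below is an added example (not from the lab guide) that does the same arithmetic in plain shell: it computes the address count of a block, confirms that each subnet lies inside the VPC range, and confirms that the two subnets do not overlap, which is the check the console performs when it rejects a bad CIDR. It makes no AWS calls; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lab guide): shell arithmetic for the CIDR blocks
# in Lab 2, to confirm each subnet fits inside the VPC range and that the two
# subnets do not overlap before they are created. No AWS calls.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Number of addresses in a block: 2^(32 - prefix length).
cidr_size() {
  echo $(( 1 << (32 - ${1#*/}) ))
}

# First (network) address of a block as an integer; host bits are cleared.
cidr_first() {
  ip=$(ip_to_int "${1%/*}")
  echo $(( ip & ~($(cidr_size "$1") - 1) ))
}

# Last address of a block as an integer.
cidr_last() {
  echo $(( $(cidr_first "$1") + $(cidr_size "$1") - 1 ))
}

# Return 0 if block $2 lies entirely inside block $1 (subnet within VPC).
cidr_contains() {
  [ "$(cidr_first "$2")" -ge "$(cidr_first "$1")" ] &&
  [ "$(cidr_last "$2")" -le "$(cidr_last "$1")" ]
}

# Return 0 if blocks $1 and $2 share no addresses (subnets in one VPC must not overlap).
cidr_disjoint() {
  [ "$(cidr_last "$1")" -lt "$(cidr_first "$2")" ] ||
  [ "$(cidr_last "$2")" -lt "$(cidr_first "$1")" ]
}

# The lab plan: 10.0.0.0/16 VPC, 10.0.0.0/24 public subnet, 10.0.2.0/23 private subnet.
check_lab_plan() {
  vpc=10.0.0.0/16 pub=10.0.0.0/24 priv=10.0.2.0/23
  cidr_contains "$vpc" "$pub" && cidr_contains "$vpc" "$priv" && cidr_disjoint "$pub" "$priv"
}

# Example: cidr_size 10.0.2.0/23 prints 512; check_lab_plan returns 0 for the lab plan.
```

`cidr_size 10.0.0.0/16` gives 65536 addresses (the "over 65,000" in Task 1), `10.0.0.0/24` gives 256 and `10.0.2.0/23` gives 512, twice the public subnet. The /23 starts at 10.0.2.0 rather than 10.0.1.0 because a /23 must begin on a 512-address boundary; `cidr_first` shows that by clearing the host bits.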

---

## Task 3: Create an internet gateway

In this task, you create an internet gateway so that internet traffic can access the public subnet. To grant access to or from the internet for instances in a subnet in a VPC, you create an internet gateway and attach it to your VPC. Then you add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway.

 **Learn more:** An internet gateway serves two purposes: To provide a target in your VPC route tables for internet-bound traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

22. In the left navigation pane, choose **Internet gateways**.
23. Choose Create internet gateway and configure the following:

- **Name tag:** Enter <span id="bkmrk--11"><span class="awsui-util-copy-text"></span></span>.

24. Choose Create internet gateway.

A **The following internet gateway was created: igw-xxxxxx - Lab IGW. You can now attach to a VPC to enable the VPC to communicate with the internet.** message is displayed on top of the screen.

You can now attach the internet gateway to your Lab VPC.

25. From the same page, choose Actions and choose **Attach to VPC**.
26. For **Available VPCs**, select **Lab VPC** from the dropdown menu.
27. Choose Attach internet gateway.

An **Internet gateway igw-xxxxx successfully attached to vpc-xxxxx** message is displayed on top of the screen.

28. Verify the state.

 **Expected output:** It should display the following:

- **State:** Attached

The internet gateway is now attached to your Lab VPC. Even though you have created an internet gateway and attached it to your VPC, you must also configure the route table of the public subnet to use the internet gateway.

 Congratulations! You have successfully created an internet gateway so that internet traffic can access the public subnet.

---

## Task 4: Route internet traffic in the public subnet to the internet gateway

In this task, you create a route table, add a route to it that directs internet-bound traffic to your internet gateway, and associate your public subnet with the route table. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

 **Learn more:** A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. To use an internet gateway, your subnet’s route table must contain a route that directs internet-bound traffic to the internet gateway. You can scope the route to all destinations not explicitly known to the route table (0.0.0.0/0 for IPv4 or ::/0 for IPv6), or you can scope the route to a narrower range of IP addresses. If your subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet.

29. In the left navigation pane, choose **Route tables**.

There is currently one default route table associated with the VPC, **Lab VPC**. This routes traffic locally. You now create an additional route table to route public traffic to your internet gateway.

30. Choose Create route table, and then configure the following:

- **Name - *optional*:** Enter .
- **VPC:** Select **Lab VPC** from the dropdown menu.

31. Choose Create route table.

A **Route table rtb-xxxxxxx | Public Route Table was created successfully.** message is displayed on top of the screen.

32. Choose the **Routes** tab in the lower half of the page.

 **Note:** There is one route in your route table that allows traffic within the 10.0.0.0/16 network to flow within the network, but it does not route traffic outside of the network.

You now add a new route to permit public traffic.

33. Choose Edit routes.
34. Choose Add route, and then configure the following:

- **Destination:** Enter .
- **Target:** Choose **Internet Gateway** in the dropdown menu, and then choose the displayed internet gateway ID.

35. Choose Save changes.

A **Updated routes for rtb-xxxxxxx / Public Route Table successfully** message is displayed on top of the screen.

36. Choose the **Subnet associations** tab.
37. Choose Edit subnet associations.
38. Select **Public Subnet**.
39. Choose Save associations.

A **You have successfully updated subnet associations for rtb-xxxxxxx / Public Route Table.** message is displayed on top of the screen.

 **Note:** The subnet is now *public* because it has a route to the internet through the internet gateway.

 Congratulations! You have successfully configured the route table.

---

## Task 5: Create a public security group

In this task, you create a security group so that users can access your Amazon EC2 instance. Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance.

 **Learn more:** You can use Amazon EC2 security groups to help secure instances within an Amazon VPC. By using security groups in a VPC, you can specify both inbound and outbound network traffic that is allowed to or from each Amazon EC2 instance. Traffic that is not explicitly allowed to or from an instance is automatically denied.

 **Security:** It is recommended to use *HTTPS* protocol to improve web traffic security. However, to simplify this lab, only *HTTP* protocol is used.

40. In the left navigation pane, choose **Security groups**.
41. Choose Create security group, and then configure the following:

- **Security group name:** Enter .
- **Description:** Enter .
- **VPC:** Select **Lab VPC** from the dropdown menu.

42. In the **Inbound rules** section, choose Add rule and configure the following:

- **Type:** Select **HTTP** from the dropdown menu.
- **Source:** Select **Anywhere-IPv4** from the dropdown menu.

43. In the **Tags - *optional*** section, choose Add new tag and configure the following:

- **Key:** Enter .
- **Value:** Enter .

44. Choose Create security group.

A **Security group (sg-xxxxxxx | Public SG) was created successfully** message is displayed on top of the screen.

 Congratulations! You have successfully created a security group that allows HTTP traffic. You need this in the next task when you launch an Amazon EC2 instance in the public subnet.

---

## Task 6: Launch an Amazon EC2 instance into a public subnet

In this task, you launch an Amazon EC2 instance into a public subnet. To activate communication over the internet for IPv4, your instance must have a public IPv4 address that’s associated with a private IPv4 address on your instance. By default, your instance is only aware of the private (internal) IP address space defined within the VPC and subnet.

![Lab2-EC2instance.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/lab2-ec2instance.png)

 **Learn more:** The internet gateway that you created logically provides the one-to-one NAT on behalf of your instance. So when traffic leaves your VPC subnet and goes to the internet, the reply address field is set to the public IPv4 address or Elastic IP address of your instance, and not its private IP address.

45. At the top of the AWS Management Console, in the search bar, search for and choose .

The **Amazon EC2 Management Console** is displayed.

### TASK 6.1: BEGIN THE INSTANCE CONFIGURATION

46. From the console navigation menu on the left, choose **EC2 Dashboard**.
47. From the **Launch instances** section, choose Launch instances.

The **Launch an instance** page is displayed.

### TASK 6.2: ADD TAGS TO THE INSTANCE

You can use tags to categorize your AWS resources in different ways, such as by purpose, owner, or environment. You can apply tags to most AWS Cloud resources. Each tag consists of a *key* and a *value*, both of which you define. One use of tags is for when you must manage many resources of the same type. You can quickly search for and identify a specific resource by the tag you have applied to it.

In this task, you add a tag to the Amazon EC2 instance.

48. Locate the **Name and tags** section.
49. In the **Name** field, enter .

 **Note:** No additional instance tags are required for this lab.

### TASK 6.3: SELECT AN AMI

In this task, you choose an Amazon Machine Image (AMI). The AMI contains a copy of the disk volume used to launch the instance.

50. Locate the **Application and OS Images (Amazon Machine Image)** section.
51. Ensure that **Amazon Linux** is selected as the OS.
52. Ensure that **Amazon Linux 2023 AMI** is selected in the dropdown menu.

### TASK 6.4: CHOOSE THE AMAZON EC2 INSTANCE TYPE

Each instance type allocates a specific combination of virtual CPUs (vCPUs), memory, disk storage, and network performance.

For this lab, use a **t3.micro** instance type. This instance type has 2 vCPUs and 1 GiB of memory.

53. Locate the **Instance type** section.
54. From the **Instance type** dropdown menu, choose **t3.micro**.

### TASK 6.5: CONFIGURE KEY PAIR FOR LOGIN

55. Locate the **Key pair (login)** section.
56. From the **Key pair name - *required*** dropdown menu, choose Proceed without a key pair (Not recommended) .

### TASK 6.6: CONFIGURE INSTANCE NETWORKING

57. Locate the **Network settings** section.
58. Choose Edit.
59. Configure the following settings from the dropdown menus:

- **VPC - *required:*** Select **Lab VPC**.
- **Subnet:** Select **Public Subnet**.
- **Auto-assign public IP:** Select **Enable**.

### TASK 6.7: CONFIGURE INSTANCE SECURITY GROUPS

You can use security groups to define both the allowed/denied and the inbound/outbound traffic for the elastic network interface. The network interface is attached to an Amazon EC2 instance. Port 80 is the default port for HTTP traffic, and it is necessary for the web server you launch in this lab to work correctly.

60. For **Firewall (security groups)**, choose Select existing security group.
61. From the **Common security groups** dropdown menu, choose the security group that has a name like **Public SG**.

### TASK 6.8: ADD STORAGE

You can use the **Configure storage** section to specify or modify the storage options for the instance and add additional Amazon Elastic Block Store (Amazon EBS) disk volumes attached to the instance. The EBS volumes can be configured in both their size and performance.

In this lab, the default storage settings are all that is needed. No changes are required.

### TASK 6.9: CONFIGURE USER DATA

62. Locate and expand the **Advanced details** section.
63. From the **IAM instance profile** dropdown menu, select the role that has a name like **EC2InstProfile**.

 **Note:** To install and configure the new instance as a web server, you provide a user data script that automatically runs when the instance launches.

64. In the **User data - *optional*** section, copy and paste the following:

```
#!/bin/bash
# To connect to your EC2 instance and install the Apache web server with PHP
yum update -y
yum install -y httpd php8.1
systemctl enable httpd.service
systemctl start httpd
cd /var/www/html
wget  https://us-west-2-tcprod.s3.amazonaws.com/courses/ILT-TF-200-ARCHIT/v7.7.1.prod-ac6a334e/lab-2-VPC/scripts/instanceData.zip
unzip instanceData.zip
```


The remaining settings on the page can be left at their default values.

### TASK 6.10: REVIEW THE INSTANCE LAUNCH

Take a moment to review that the configuration for the Amazon EC2 instance you are about to launch is correct.

65. Locate the **Summary** section.
66. Choose Launch instance.

The **Launch an instance** page is displayed.

Your Amazon EC2 instance is now launched and configured as you specified.

67. Choose View all instances.

The **Amazon EC2 console** is displayed.

68. Occasionally choose the console refresh button and wait for **Public Instance** to show an **Instance state** of Running and a **Status check** of 2/2 checks passed.

 **Note:** The Amazon EC2 instance named Public Instance is initially in a *Pending* state. The instance state then changes to Running indicating that the instance has finished booting.

 Congratulations! You have successfully launched an Amazon EC2 instance into a public subnet.

---

## Task 7: Connect to a public instance through HTTP

In this task, you connect to the public instance and launch the basic Apache web server page. The inbound rules added earlier that allow HTTP access (port 80) allow you to connect to the web server running Apache.

69. In the left navigation pane, choose **Instances**.
70. Select **Public Instance**.
71. Choose the **Networking** tab in the lower pane.

 **Note:** If you need to make any section of the console larger, you can resize the horizontal edges of the containers displayed on the console.

72. Locate the **Public IPv4 DNS** value.
73. Copy the public DNS value. Do not choose the open address option, because HTTPS is not set up for this lab environment.
74. Open a new browser tab and paste the public DNS value for *Public Instance* in the URL address bar.

The web page hosted on the Amazon EC2 instance is displayed. The page displays the instance ID and the AWS Availability Zone where the Amazon EC2 instance is located.

75. Close the browser tab and return to the console.

 Congratulations! You have successfully launched an Apache web server in the public subnet and tested the HTTP connection. You can safely close the tab and return to the console.

---

## Task 8: Connect to the Amazon EC2 instance in the public subnet through Session Manager

In this task, you connect to your Amazon EC2 instance in the public subnet using Session Manager.

 **Learn more:** Session Manager is a fully managed AWS Systems Manager capability that you use to manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS Command Line Interface (AWS CLI). You can use Session Manager to start a session with an Amazon EC2 instance in your account. After starting the session, you can run bash commands as you would through any other connection type.

76. At the top of the AWS Management Console, in the search bar, search for and choose .
77. In the left navigation pane, choose **Instances**.
78. Select **Public Instance** and choose Connect.

The **Connect to instance** page is displayed.

79. Choose the **Session Manager** tab.

 **Learn more:** With Session Manager, you can connect to Amazon EC2 instances without needing to expose the SSH port on your firewall or Amazon VPC security group. For more information, see [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).

80. Choose Connect.

A new browser tab or window opens with a connection to the **Public Instance**.

 **Note:** The Session Manager service is not updated in real time. If you experience errors with Session Manager connecting to an Amazon EC2 instance you just launched, ensure that you have given the instance a few minutes to launch, pass health checks, and communicate with the Session Manager service before trying to open a session connection again.

81. **Command:** Enter the following command to change to the home directory (/home/ssm-user/) and test web connectivity using the cURL command:

```
cd ~
curl -I https://aws.amazon.com/training/
```


 **Expected output:**

```
HTTP/2 200
content-type: text/html;charset=UTF-8
server: Server
date: Wed, 19 Apr 2023 14:43:47 GMT
x-amz-rid: 6HVPS1JY1XW2S1K34Q3Z
set-cookie: aws-priv=eyJ2IjoxLCJldSI6MCwic3QiOjB9; Version=1; Comment="Anonymous cookie for privacy regulations"; Domain=.aws.amazon.com; Max-Age=31536000; Expires=Thu, 18-Apr-2024 14:43:47 GMT; Path=/; Secure
set-cookie: aws_lang=en; Domain=.amazon.com; Path=/
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000
x-content-type-options: nosniff
x-amz-id-1: 6HVPS1JY1XW2S1K34Q3Z
last-modified: Thu, 30 Mar 2023 15:58:02 GMT
content-security-policy-report-only: default-src *; connect-src *; font-src * data:; frame-src *; img-src * data:; media-src *; object-src *; script-src *; style-src 'unsafe-inline' *; report-uri https://prod-us-west-2.csp-report.marketing.aws.dev/submit
vary: accept-encoding,Content-Type,Accept-Encoding,User-Agent
x-cache: Miss from cloudfront
via: 1.1 88c333921d5c405e037b84bb8c2dc33e.cloudfront.net (CloudFront)
x-amz-cf-pop: GRU3-P1
x-amz-cf-id: 89R1wtM9vYV0kIQXrEVkcoNzg_C3UfQJIEVkC5BA3xiIH3FD0nVnYw==
```


 Congratulations! You have successfully connected to your public instance using Session Manager. You can safely close the tab and return to the console.

---

## Task 9: Create a NAT gateway and configure routing in the private subnet

In this task, you create a NAT gateway and then create a route table to route non-local traffic to the NAT gateway. You then attach the route table to the private subnet. You can use a NAT gateway to allow instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.

 **Note:** To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. You cannot change the Elastic IP address after you associate it with the NAT gateway. After you’ve created a NAT gateway, you must update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. This allows instances in your private subnets to communicate with the internet.

82. Return to the AWS Management Console browser tab.
83. At the top of the AWS Management Console, in the search box, search for and choose .
84. In the left navigation pane, choose **NAT gateways**.
85. Choose Create NAT gateway and configure the following:

- **Name - *optional*:** Enter .
- **Subnet:** Select **Public Subnet** from the dropdown menu.
- For **Elastic IP allocation ID**, choose Allocate Elastic IP.

86. Choose Create NAT gateway.

A **NAT gateway nat-xxxxxxx | Lab NGW was created successfully.** message is displayed on top of the screen.

In the next step, you create a new route table for a private subnet that redirects non-local traffic to the NAT gateway.

87. In the left navigation pane, choose **Route tables**.
88. Choose Create route table and configure the following:

- **Name - *optional*:** Enter .
- **VPC:** Select **Lab VPC** from the dropdown menu.

89. Choose Create route table.

A **Route table rtb-xxxxxxx | Private Route Table was created successfully.** message is displayed on top of the screen.

The private route table is created and the details page for the private route table is displayed.

90. Choose the **Routes** tab.

There is currently one route that directs all traffic *locally*.

You now add a route to send internet-bound traffic through the NAT gateway.

91. Choose Edit routes.
92. Choose Add route and then configure the following:

- **Destination:** Enter .
- **Target:** Choose **NAT Gateway** in the dropdown menu, and then choose the displayed NAT Gateway ID.

93. Choose Save changes.

A **Updated routes for rtb-xxxxxxx / Private Route Table successfully** message is displayed on top of the screen.

94. Choose the **Subnet associations** tab.
95. Choose Edit subnet associations.
96. Select **Private Subnet**.
97. Choose Save associations.

A **You have successfully updated subnet associations for rtb-xxxxxxx / Private Route Table.** message is displayed on top of the screen.

This route sends internet-bound traffic from the private subnet to the NAT gateway that is in the same Availability Zone.
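The public/private distinction used in Task 4 and Task 9 (a default route to an internet gateway versus one to a NAT gateway) can be checked programmatically. The following Python is an added example, not part of the lab: it classifies subnets from a constructed route-table listing shaped like the EC2 DescribeRouteTables response; the resource IDs are placeholders and no AWS calls are made.

```python
"""Classify the subnets of a VPC as public, private (via NAT) or isolated.

Added example, not lab code. It applies the rule the lab states: a subnet is
public when the route table it uses sends 0.0.0.0/0 (or ::/0) to an internet
gateway. A subnet with no explicit association uses the VPC's main route table.
"""
import ipaddress

# Constructed sample mirroring the lab's end state (IDs are placeholders).
SAMPLE_ROUTE_TABLES = [
    {   # default (main) route table of Lab VPC: local route only
        "RouteTableId": "rtb-main0000",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
        "Associations": [{"Main": True}],
    },
    {   # Public Route Table (Task 4): 0.0.0.0/0 -> internet gateway
        "RouteTableId": "rtb-public00",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-lab00000", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-public0"}],
    },
    {   # Private Route Table (Task 9): 0.0.0.0/0 -> NAT gateway
        "RouteTableId": "rtb-private0",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-lab00000", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
    },
]
# Third subnet is constructed with no explicit association to show main-table fallback.
SAMPLE_SUBNETS = ["subnet-public0", "subnet-private", "subnet-orphan0"]


def route_table_for(subnet_id, route_tables):
    """Return the table a subnet uses: its explicit association, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Return the target of the active default route (prefix length 0), or None."""
    for route in rt["Routes"]:
        if route.get("State", "active") != "active":   # skip blackhole routes
            continue
        cidr = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if cidr is None or ipaddress.ip_network(cidr).prefixlen != 0:
            continue
        # The target key depends on the target type; return whichever is present.
        for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId"):
            if key in route:
                return route[key]
    return None


def classify_subnet(subnet_id, route_tables):
    """'public', 'private-nat', 'private-other' or 'isolated' for one subnet."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        raise ValueError(f"{subnet_id}: no route table found, not even a main table")
    target = default_route_target(rt)
    if target is None:
        return "isolated"        # local routes only: no path to the internet
    if target.startswith("igw-"):
        return "public"          # the lab's definition of a public subnet
    if target.startswith("nat-"):
        return "private-nat"     # outbound only, through the NAT gateway
    return "private-other"       # e.g. a NAT instance or an appliance ENI


def classify_all(subnet_ids, route_tables):
    return {s: classify_subnet(s, route_tables) for s in subnet_ids}


if __name__ == "__main__":
    for subnet, kind in classify_all(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet}: {kind}")
```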

 Congratulations! You have successfully created the NAT gateway and configured the private route table.

---

## Task 10: Create a security group for private resources

In this task, you create a security group that allows incoming HTTP traffic from resources assigned to the public security group. In a multi-tiered architecture, resources in a private subnet should not be directly accessible from the internet; however, there is a common use case for routing web traffic from publicly accessible resources to private resources.

 **Learn more:** When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified port and protocol. Incoming traffic is allowed based on the private IP addresses of the network interfaces that are associated with the source security group (and not the public IP or Elastic IP addresses). Adding a security group as a source does not add rules from the source security group.

98. In the left navigation pane, choose **Security groups**.
99. Choose Create security group, and then configure the following:

- **Security group name:** Enter .
- **Description:** Enter .
- **VPC:** Select **Lab VPC** from the dropdown menu.

100. In the **Inbound rules** section, choose Add rule and configure the following:

- **Type:** Select **HTTP**.
- **Source:** Select **Custom**. 
    - In the box to the right of Custom, type .
    - Choose **Public SG** from the list.

101. In the **Tags - *optional*** section, choose Add new tag and configure the following:

- **Key:** Enter .
- **Value:** Enter .

102. Choose Create security group.

A **Security group (sg-xxxxxxx | Private SG) was created successfully** message is displayed on top of the screen.

 Congratulations! You have successfully created the private security group.

---

## Task 11: Launch an Amazon EC2 instance into a private subnet

In this task, you launch an Amazon EC2 instance into a private subnet.

 **Learn more:** Private instances can route their traffic through a NAT gateway or a NAT instance to access the internet. Private instances use the public IP address of the NAT gateway or NAT instance to traverse the internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the internet to initiate a connection to the privately addressed instances.

103. At the top of the AWS Management Console, in the search bar, search for and choose .

The **Amazon EC2 console** is displayed.

### TASK 11.1: BEGIN THE INSTANCE CONFIGURATION

104. Choose **EC2 Dashboard** from the console navigation menu on the left.
105. Choose Launch instance from the **Launch instance** section.

The **Launch an instance** page is displayed.

### TASK 11.2: ADD TAGS TO THE INSTANCE

In this task, you add a tag to the Amazon EC2 instance.

106. Locate the **Name and tags** section.
107. Enter  in the **Name** field.

 **Note:** No additional instance tags are required for this lab.

### TASK 11.3: SELECT AN AMI

In this task, you choose an AMI. The AMI contains a copy of the disk volume used to launch the instance.

108. Locate the **Application and OS Images (Amazon Machine Image)** section.
109. Ensure that **Amazon Linux** is selected as the OS.
110. Ensure that **Amazon Linux 2023 AMI** is selected in the dropdown menu.

### TASK 11.4: CHOOSE THE AMAZON EC2 INSTANCE TYPE

Each instance type allocates a specific combination of vCPUs, memory, disk storage, and network performance.

For this lab, use a **t3.micro** instance type. This instance type has 2 vCPUs and 1 GiB of memory.

111. Locate the **Instance type** section.
112. Choose **t3.micro** from the **Instance type** dropdown menu.

### TASK 11.5: CONFIGURE KEY PAIR FOR LOGIN

113. Locate the **Key pair (login)** section.
114. Choose Proceed without a key pair (Not recommended) from the **Key pair name - *required*** dropdown menu.

### TASK 11.6: CONFIGURE INSTANCE NETWORKING

115. Locate the **Network settings** section.
116. Choose Edit and configure the following settings from the dropdown menus:

- **VPC - *required:*** Select **Lab VPC**.
- **Subnet:** Select **Private Subnet**.
- **Auto-assign public IP:** Select **Disable**.

### TASK 11.7: CONFIGURE INSTANCE SECURITY GROUPS

117. For **Firewall (security groups)**, choose Select existing security group.
118. Choose the security group that has a name like **Private SG** from the **Common security groups** dropdown menu.

### TASK 11.8: ADD STORAGE

You can use the **Configure storage** section to specify or modify the storage options for the instance and add additional Amazon Elastic Block Store (Amazon EBS) disk volumes attached to the instance. The EBS volumes can be configured in both their size and performance.

In this lab, the default storage settings are all that is needed. No changes are required.

### TASK 11.9: CONFIGURE THE IAM INSTANCE PROFILE

119. Locate and expand the **Advanced details** section.
120. Choose the **EC2InstProfile** role from the **IAM instance profile** dropdown menu.

The remaining settings on the page can be left at their default values.

### TASK 11.10: CONFIGURE USER DATA

121. Locate and expand the **Advanced details** section.
122. From the **IAM instance profile** dropdown menu, select the role that has a name like **EC2InstProfile**.

 **Note:** To install and configure the new instance as a web server, you provide a user data script that automatically runs when the instance launches.

123. In the **User data - *optional*** section, copy and paste the following:

```
#!/bin/bash
# To connect to your EC2 instance and install the Apache web server with PHP
yum update -y
yum install -y httpd php8.1
systemctl enable httpd.service
systemctl start httpd
cd /var/www/html
wget  https://us-west-2-tcprod.s3.amazonaws.com/courses/ILT-TF-200-ARCHIT/v7.7.1.prod-ac6a334e/lab-2-VPC/scripts/instanceData.zip
unzip instanceData.zip
```


The remaining settings on the page can be left at their default values.

### TASK 11.11: REVIEW THE INSTANCE LAUNCH

Take a moment to review that the configuration for the Amazon EC2 instance you are about to launch is correct.

124. Locate the **Summary** section.
125. Choose Launch instance.

The **Launch an instance** page is displayed.

Your Amazon EC2 instance is now launched and configured as you specified.

126. Choose View all instances.

The **Amazon EC2 console** is displayed.

The Amazon EC2 instance named Private Instance is initially in a *Pending* state. The state then changes to *Running*, indicating that the instance has finished booting.

127. Occasionally choose the console refresh button and wait for the **Instance state** to change to Running.

 Congratulations! You have successfully launched an Amazon EC2 instance into a private subnet.

---

## Task 12: Connect to the Amazon EC2 instance in the private subnet

In this task, you connect to the Amazon EC2 instance in the private subnet using Session Manager.

128. In the left navigation pane, choose **Instances**.
129. Select **Private Instance** and choose Connect.

The **Connect to instance** page is displayed.

130. Choose the **Session Manager** tab.
131. Choose **Connect**.

A new browser tab or window opens with a connection to the **Private Instance**.

 **Note:** The Session Manager service is not updated in real time. If you experience errors with Session Manager connecting to an Amazon EC2 instance you just launched, ensure that you have given the instance a few minutes to launch, pass health checks, and communicate with the Session Manager service before trying to open a session connection again.

132. **Command:** Enter the following command to change to the home directory (/home/ssm-user/) and test web connectivity using the cURL command:

```
cd ~
curl -I https://aws.amazon.com/training/
```


 **Expected output:**

```
HTTP/2 200
content-type: text/html;charset=UTF-8
server: Server
date: Wed, 19 Apr 2023 14:59:09 GMT
x-amz-rid: AZPXJ57K93ERATZV588Z
set-cookie: aws-priv=eyJ2IjoxLCJldSI6MCwic3QiOjB9; Version=1; Comment="Anonymous cookie for privacy regulations"; Domain=.aws.amazon.com; Max-Age=31536000; Expires=Thu, 18-Apr-2024 14:59:08 GMT; Path=/; Secure
set-cookie: aws_lang=en; Domain=.amazon.com; Path=/
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000
x-content-type-options: nosniff
x-amz-id-1: AZPXJ57K93ERATZV588Z
last-modified: Thu, 30 Mar 2023 15:58:02 GMT
content-security-policy-report-only: default-src *; connect-src *; font-src * data:; frame-src *; img-src * data:; media-src *; object-src *; script-src *; style-src 'unsafe-inline' *; report-uri https://prod-us-west-2.csp-report.marketing.aws.dev/submit
vary: accept-encoding,Content-Type,Accept-Encoding,User-Agent
x-cache: Miss from cloudfront
via: 1.1 fb6a4eca9caced7b791557c24b8c6606.cloudfront.net (CloudFront)
x-amz-cf-pop: GRU3-P1
x-amz-cf-id: Tjphb1UhSXmtyHvybuq4QIFwzTurEI0g_saLB2nLjlYRiBbHbqn85Q==
```


133. Close the Session Manager tab and return to the console.

 Congratulations! You have successfully connected to a private instance using Session Manager.

# Optional Steps

## Task 1: Troubleshooting connectivity between the private instance and the public instance

In this optional task, you use the Internet Control Message Protocol (ICMP) to validate a private instance’s network reachability from the public instance.

 **Note:** This task is **optional** and is provided in case you have lab time remaining. You can complete this task or skip to the [end](#conclusion) of the lab.

134. Return to the AWS Management Console browser tab.
135. In the left navigation pane, choose **Instances**.
136. Select **Private Instance**.
137. On the **Details** tab, copy the value of **Private IPv4 addresses** to your clipboard.

 **Note:** To copy the private IPv4 address, hover over it and choose the copy icon.

138. Unselect **Private Instance**.
139. Select **Public Instance**.
140. Choose Connect.

The **Connect to instance** page is displayed.

141. Choose the **Session Manager** tab.
142. Choose Connect.

A new browser tab or window opens with a connection to the **Public Instance**.

First, use a *curl* command to retrieve the web server's response and confirm that the web app hosted on the private instance is reachable from the public instance.

143. **Command:** Copy the following command to your notepad. Replace **PRIVATE\_IP** with the value of the **Private IPv4 address** for the **Private Instance**:

```
curl PRIVATE_IP
```


 **Expected output:**

```
<html><body><h1>It works!</h1></body></html>
```


144. **Command:** Copy the following command to your notepad. Replace **PRIVATE\_IP** with the value of the **Private IPv4 address** for the **Private Instance**:

```
ping PRIVATE_IP
```


145. **Command:** Copy and paste the updated command in your terminal and press **Enter**.

 **This is a sample command only.** Do not use the following command.

```
ping 10.0.2.131
```


146. After a few seconds, stop the ICMP ping request by pressing CTRL+C.

**The ping request to the private instance fails**. Your challenge is to use the console and figure out the correct *inbound rule* required in the **Private SG** to be able to successfully ping the private instance.

If you have trouble completing the optional task, refer to the [Optional Task Solution](#optional-solution) section at the end of the lab.
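The security-group semantics described in Task 10 (allow-only rules, with a security-group source matching the private addresses of that group's interfaces) also explain why `curl` succeeds above while the ping fails. The following Python is an added example rather than lab code: the groups, interfaces and addresses are constructed placeholders modelled on Public SG and Private SG, in the shape of the DescribeSecurityGroups IpPermissions structure.

```python
"""Evaluate inbound security-group rules the way the lab describes them.

Added example, not lab code. Security groups are allow-only: any flow not
matched by an inbound rule on the destination's groups is denied. A rule whose
source is another security group admits traffic only from the private addresses
of interfaces that carry that group, never from their public or Elastic IPs.
"""
import ipaddress

# Constructed rules (IDs are placeholders) in DescribeSecurityGroups shape.
SECURITY_GROUPS = {
    "sg-public00": {   # Public SG (Task 5): HTTP from Anywhere-IPv4
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    "sg-private0": {   # Private SG (Task 10): HTTP only from Public SG members
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-public00"}]},
        ],
    },
}

# Constructed interfaces: private IPv4 address -> groups attached to that ENI.
INTERFACES = {
    "10.0.0.25": ["sg-public00"],    # Public Instance (its private address)
    "10.0.2.131": ["sg-private0"],   # Private Instance
}


def _port_matches(perm, protocol, port):
    """Protocol/port part of a rule; for icmp, `port` is the ICMP type."""
    if perm["IpProtocol"] == "-1":            # "All traffic"
        return True
    if perm["IpProtocol"] != protocol:
        return False
    if protocol == "icmp":
        return perm["FromPort"] in (-1, port)  # FromPort -1 means all types
    return perm["FromPort"] <= port <= perm["ToPort"]


def inbound_allowed(dest_sg_ids, protocol, port, src_ip):
    """True if any inbound rule on the destination's groups admits the flow."""
    src_addr = ipaddress.ip_address(src_ip)
    # Only private ENI addresses carry group membership; an internet address
    # or an instance's public IP matches no group (as the lab's note states).
    src_groups = INTERFACES.get(src_ip, [])
    for sg_id in dest_sg_ids:
        for perm in SECURITY_GROUPS[sg_id]["IpPermissions"]:
            if not _port_matches(perm, protocol, port):
                continue
            for rng in perm["IpRanges"]:               # CIDR sources
                if src_addr in ipaddress.ip_network(rng["CidrIp"]):
                    return True
            for pair in perm["UserIdGroupPairs"]:      # security-group sources
                if pair["GroupId"] in src_groups:
                    return True
    return False   # default deny: nothing explicitly allowed it


def rules_open_to_world(sg_id):
    """Detection helper: (protocol, from, to) of rules reachable from 0.0.0.0/0."""
    found = []
    for perm in SECURITY_GROUPS[sg_id]["IpPermissions"]:
        if any(r["CidrIp"] == "0.0.0.0/0" for r in perm["IpRanges"]):
            found.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return found


if __name__ == "__main__":
    cases = [
        ("internet -> Public SG, HTTP", ["sg-public00"], "tcp", 80, "198.51.100.7"),
        ("Public Instance -> Private SG, HTTP (curl)", ["sg-private0"], "tcp", 80, "10.0.0.25"),
        ("internet -> Private SG, HTTP", ["sg-private0"], "tcp", 80, "198.51.100.7"),
        ("Public Instance -> Private SG, ICMP echo (ping)", ["sg-private0"], "icmp", 8, "10.0.0.25"),
    ]
    for label, groups, proto, port, src in cases:
        print(f"{label}: {'allowed' if inbound_allowed(groups, proto, port, src) else 'denied'}")
```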

---

## Task 2: Retrieving instance metadata

In this optional task, you retrieve instance metadata from the command line of a running instance using a tool such as cURL. Instance metadata is available from within your running Amazon EC2 instance. This can be helpful when you write scripts that run on your Amazon EC2 instance.

 **Note:** This task is **optional** and is provided in case you have lab time remaining. You can complete this task or skip to the [end](#conclusion) of the lab.

147. Return to the browser tab with the AWS Management Console open.
148. In the left navigation pane, choose **Instances**.
149. Select **Public Instance**.
150. Choose Connect.

The **Connect to instance** page is displayed.

151. Choose the **Session Manager** tab.
152. Choose Connect.

A new browser tab or window opens with a connection to the **Public Instance**.

153. **Command:** To view all categories of instance metadata from within a running instance, run the following command:

```
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
```


154. **Command:** Run the following command to retrieve the public-hostname (one of the top-level metadata items that were obtained in the preceding command):

```
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/public-hostname
```


 **Note:** The IP address 169.254.169.254 is a link-local address and is valid only from the instance.

You have successfully learned how to retrieve instance metadata from your running Amazon EC2 instance.


# Conclusion

Creating a VPC with both public and private subnets provides you the flexibility to launch tasks and services in either a public or private subnet. Tasks and services in the private subnets can access the internet through a NAT gateway.

 Congratulations! You now have successfully:

- Created an Amazon VPC.
- Created public and private subnets.
- Created an internet gateway.
- Configured a route table and associated it to a subnet.
- Created an Amazon EC2 instance and made the instance publicly accessible.
- Isolated an Amazon EC2 instance in a private subnet.
- Created and assigned security groups to Amazon EC2 instances.
- Connected to Amazon EC2 instances using Session Manager.

# Lab 3: Creating a Database Layer in Your Amazon VPC Infrastructure



# Lab overview

A backend database plays an important role in any environment, and the security of and access control to this critical resource is vital to any architecture. In this lab, you create an Amazon Aurora database (DB) cluster to manage a MySQL database and an Application Load Balancer (ALB). The Amazon Web Services (AWS) Security pillar of the Well-Architected Framework recommends keeping people away from data; as such, the database is separated from the front end using the Application Load Balancer. The Application Load Balancer routes traffic to healthy Amazon Elastic Compute Cloud (Amazon EC2) instances that host the front-end application. This provides high availability and allows communication with the database to happen behind the Application Load Balancer in a private subnet.

### OBJECTIVES

By the end of this lab, you will be able to do the following:

- Create an Amazon Relational Database Service (Amazon RDS) database instance.
- Create an Application Load Balancer.
- Create an HTTP listener for the Application Load Balancer.
- Create a target group.
- Register targets with a target group.
- Test the load balancer and the application connectivity to the database.
- Review the Amazon RDS DB instance metadata using the console.
- Optional Task: Create an Amazon RDS read replica in a different AWS Region.

### PREREQUISITES

This lab requires the following:

- Access to a notebook computer with Wi-Fi and Microsoft Windows, macOS, or Linux (Ubuntu, SuSE, or Red Hat)
- An internet browser, such as Chrome, Firefox, or Microsoft Edge
- A plaintext editor

### ICON KEY

Various icons are used throughout this lab to call attention to different types of instructions and notes. The following list explains the purpose for each icon:

- **Note:** A hint, tip, or important guidance.
- **Learn more:** Where to find more information.
- **Caution:** Information of special interest or importance (not so important to cause problems with the equipment or data if you miss it, but it could result in the need to repeat certain steps).
- **WARNING:** An action that is irreversible and could potentially impact the failure of a command or process (including warnings about configurations that cannot be changed after they are made).
- **Expected output:** A sample output that you can use to verify the output of a command or edited file.
- **Command:** A command that you must run.
- **Consider:** A moment to pause to consider how you might apply a concept in your own environment or to initiate a conversation about the topic at hand.

# Scenario

Your team has been tasked with prototyping an architecture for a new web-based application. To define your architecture, you need to have a better understanding of load balancers and managed databases, such as Amazon RDS.

### LAB ENVIRONMENT

The lab environment provides you with the following resources to get started: an Amazon Virtual Private Cloud (Amazon VPC), the necessary underlying network structure, three security groups to control inbound and outbound traffic, two EC2 instances in a private subnet, and an associated EC2 instance profile. The instance profile contains the permissions necessary to allow the AWS Systems Manager Session Manager feature to access the EC2 instances.

The following diagram shows the expected architecture of the important lab resources you build and how they should be connected at the end of the lab.

![Lab3-overview.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/lab3-overview.png)

### AWS SERVICES NOT USED IN THIS LAB

AWS services not used in this lab are turned off in the lab environment. In addition, the capabilities of the services used in this lab are limited to only what the lab requires. Expect to receive errors when accessing other services or performing actions beyond those provided in this lab guide.

# Steps

## Task 1: Create an Amazon RDS database

In this task, you create an Aurora DB cluster that is compatible with MySQL. An Aurora DB cluster consists of one or more DB instances and a cluster volume that manages the data for those DB instances.

 **Learn more:** Amazon Aurora is a fully managed relational database engine that is compatible with MySQL and PostgreSQL. Aurora is part of the managed database service, Amazon RDS. Amazon RDS is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. For more information, see [What is Amazon Aurora?](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html).

3. At the top of the AWS Management Console, in the search bar, search for and choose .
4. In the left navigation pane, choose **Databases**.
5. Choose Create database.

The **Create database** page is displayed.

6. In the **Choose a database creation method** section, select **Standard create**.
7. In the **Engine options** section, configure the following:

- **Engine type:** Select **Aurora (MySQL Compatible)**.

8. In the **Templates** section, select **Dev/Test**.
9. In the **Settings** section, configure the following:

- **DB cluster identifier:** Enter .
- **Master username:** Enter .
- **Master password:** Paste the **LabPassword** value from the left side of these lab instructions.
- **Confirm master password:** Paste the **LabPassword** value from the left side of these lab instructions.

10. In the **Instance configuration** section, configure the following:

- **DB instance class:** Select **Burstable classes (includes t classes)**.
- From the dropdown menu, choose the **db.t3.medium** instance type.

11. In the **Availability & durability** section, for **Multi-AZ deployment**, select **Don’t create an Aurora Replica**.

 **Learn more:** Amazon RDS Multi-AZ deployments provide enhanced availability and durability for DB instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB instance, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different Availability Zone. For more information, see [Amazon RDS Multi-AZ](https://aws.amazon.com/rds/features/multi-az/).

 **Note:** Since this lab is about knowing the resources required to build a multi-tier architecture, you do not need to perform a Multi-AZ deployment. You learn how to deploy a Multi-AZ architecture in the next lab.

12. In the **Connectivity** section, configure the following:

- **Virtual private cloud (VPC):** Select **LabVPC** from the dropdown menu.
- **DB subnet group:** Select **labdbsubnetgroup** from the dropdown menu.
- **Public access:** Select **No**.
- **VPC security group (firewall):** Select **Choose existing**.
- **Existing VPC security groups:**
    - To remove the **default** security group from the **Existing VPC security groups** field, select the **X**.
    - In the **Existing VPC security groups** dropdown menu, enter  to choose this option.

 **Learn more:** *Subnets* are segments of an IP address range in an Amazon VPC that you designate to group your resources based on security and operational needs. A DB subnet group is a collection of subnets (typically private) that you create in an Amazon VPC and then designate for your DB instances. With a DB subnet group, you can specify an Amazon VPC when creating DB instances using the command line interface or API. If you use the console, you can just select the Amazon VPC and subnets you want to use. For more information, see [Working with DB subnet groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets).

 **Learn more:** With Amazon VPC, you can launch AWS resources into a virtual network that you have defined. This virtual network closely resembles a traditional network that you would operate in your own data center, with the benefits of using the scalable infrastructure of AWS. For more information, see [Amazon VPC VPCs and Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html).

13. In the **Monitoring** section, deselect **Enable Enhanced monitoring**.
14. Expand the **Additional configuration** main section at the end of the page.
15. In the **Database options** section, configure the following:

- **Initial database name:** Enter .
- **DB cluster parameter group:** Choose the value from the dropdown menu that matches the **DBClusterParameterGroup** value from the left side of this page.

 **Caution:** Ensure the correct value for **DB cluster parameter group** is selected from the dropdown menu. An incorrect value results in errors when building the database replicas.

16. In the **Encryption** section, unselect **Enable encryption**.

 **Learn more:** You can encrypt your Amazon RDS instances and snapshots at rest by activating the encryption option for your Amazon RDS DB instance. Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, read replicas, and snapshots. For more information, see [Encrypting Amazon RDS resources](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html).

17. In the **Maintenance** section, unselect **Enable auto minor version upgrade**.

 **Note:** Because this lab is short-lived, there is no need to set up a maintenance schedule for the database.

18. Scroll to the bottom of the screen, then choose Create database.
19. On the **Suggested add-ons for aurora** pop-up window, choose Close.

A **Successfully created database aurora** message is displayed on top of the screen.

Your Aurora MySQL DB cluster is in the process of launching. The Amazon RDS database can take up to 5 minutes to launch. However, you can continue to the next task.

 **Congratulations!** You have successfully created an Amazon RDS database.

---

## Task 2: Create and configure an Application Load Balancer

In this task, you create an Application Load Balancer in the public subnets to access the application from a browser. You navigate to the Amazon EC2 console, create an Application Load Balancer in the existing Amazon VPC infrastructure, and add the private EC2 instances as targets.

A load balancer serves as the single point of contact for clients. Clients send requests to the load balancer, and the load balancer sends them to targets, such as EC2 instances. To configure your load balancer, you create target groups and then register targets with your target groups.

![Lab3-ALB.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/lab3-alb.png)

### TASK 2.1 : CREATE A TARGET GROUP

In this task, you create a target group and register your targets with the target group. By default, the load balancer sends requests to registered targets using the port and protocol that you specified for the target group.

20. At the top of the console, in the search bar, search for and choose .
21. In the left navigation pane, expand the **Load Balancing** section and choose **Target Groups**.
22. Choose Create target group.

The **Specify group details** page is displayed.

23. In the **Basic configuration** section, configure the following:

- **Choose a target type**: Select **Instances**.
- **Target group name**: Enter .
- **VPC**: Select **LabVPC** from the dropdown menu.

The remaining settings on the page can be left at their default values.

24. Choose Next.

The **Register targets** page is displayed.

25. In the **Available instances** section, configure the following:

- Select the EC2 instances named **AppServer1** and **AppServer2**.
- Choose Include as pending below.

The instances appear under the **Targets** section of the page.

26. Choose Create target group.

A **Successfully created target group: ALBTargetGroup** message is displayed on top of the screen.

### TASK 2.2 : CREATE AN APPLICATION LOAD BALANCER

In this task, you create an Application Load Balancer. To do that, you must first provide basic configuration information for your load balancer, such as a name, scheme, and IP address type. Then, you provide information about your network and one or more listeners.

27. In the left navigation pane, expand the **Load Balancing** section and choose **Load Balancers**.
28. Choose Create load balancer.

The **Select load balancer type** page is displayed.

29. In the **Load balancer types** section, for **Application Load Balancer** card, choose Create.

The **Create Application Load Balancer** page is displayed.

30. In the **Basic configuration** section, configure the following:

- **Load balancer name**: Enter .

31. In the **Network mapping** section, configure the following:

- **VPC**: Select **LabVPC** from the dropdown menu.
- **Mappings**: 
    - Select the check box for the first Availability Zone listed, and select **PublicSubnet1** from the Subnet list dropdown menu.
    - Select the check box for the second Availability Zone listed, and select **PublicSubnet2** from the Subnet list dropdown menu.

32. In the **Security groups** section, configure the following:

- Select the **X** to remove the default security group.
- Select **LabALBSecurityGroup** from the dropdown menu.

33. In the **Listeners and routing** section, configure the following:

- For **Listener HTTP:80**: From the Default action dropdown menu, select **ALBTargetGroup**.

34. Choose Create load balancer.

A **Successfully created load balancer: LabAppALB** message is displayed on top of the screen.

35. Choose View load balancer.

The load balancer is in the *Provisioning* state for a few minutes and then changes to *Active*.

 In this task, you created an Application Load Balancer and added EC2 instances as targets for the load balancer. This task demonstrates how to register a target with a load balancer. In addition to individual EC2 instances, Auto Scaling groups can also be registered as targets for the load balancer. When you use Auto Scaling groups as targets for load balancing, the instances that are launched by the Auto Scaling group are automatically registered with the load balancer. Likewise, EC2 instances that are terminated by the Auto Scaling group are automatically deregistered from the load balancer. Using Auto Scaling groups with a load balancer is demonstrated in the next lab.

 **Congratulations!** You have successfully created a load balancer, created target groups, and registered the EC2 instances with the target group.

---

## Task 3: Review the Amazon RDS DB instance metadata through the console

In this task, you navigate through the Amazon RDS console to ensure the instance created in Task 1 has completed and is active. You explore the console to learn how to find the connection information for a DB instance. The connection information for a DB instance includes its endpoint, port, and a valid database user.

36. At the top of the console, in the search bar, search for and choose .
37. In the navigation pane, choose **Databases**.
38. From the list of DB identifiers, select the hyperlink for the cluster named **aurora**.

A page with details about the database is displayed.

39. On the **Connectivity & security** tab, you can find the endpoint and port number for the database cluster. In general, you need the endpoints and the port number to connect to the database.
40. Copy and paste the **Endpoint name** of the **writer instance** value to a notepad. You need this value later in the lab.

 It should look similar to *aurora.cluster-crwxbgqad61a.us-west-2.rds.amazonaws.com*.

 **Tip:** To copy the **writer instance** endpoint, hover on it and choose the copy icon.

![Lab3-WriterInstance.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/lab3-writerinstance.png)

Notice that the status for the **endpoints** is Available.

41. On the **Configuration** tab, you can find details regarding how the database is currently configured.
42. On the **Monitoring** tab, you can monitor metrics for the following items of your database:

- The number of connections to a database instance
- The amount of read and write operations to a database instance
- The amount of storage that a database instance is currently using
- The amount of memory and CPU being used for a database instance
- The amount of network traffic to and from a database instance

 **WARNING:** Wait for the *Status* of the **aurora DB instance** to show as Available before continuing to the next task.

 **Congratulations!** You have successfully reviewed the Amazon RDS DB instance metadata through the console.

---

## Task 4: Test the application connectivity to the database

In this task, you identify the Application Load Balancer URL and run a basic HTTP request through the load balancer. You launch the web application installed on the EC2 instances and test the application connectivity to the database.

43. At the top of the console, in the search bar, search for and choose .
44. In the left navigation pane, choose **Target Groups**.
45. Select **ALBTargetGroup**.
46. In the **Targets** tab, wait until the instance status is displayed as healthy.

 **Learn more:** Elastic Load Balancing periodically tests the ping path on your web server instance to determine health. A 200 HTTP response code indicates a healthy status, and any other response code indicates an unhealthy status. If an instance is unhealthy and continues in that state for a successive number of checks (the unhealthy threshold), the load balancer removes it from service until it recovers. For more information, see [Health checks for your target groups](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html).

47. In the left navigation pane, choose **Load Balancers**.

The **Load balancers** page is displayed.

48. Copy the **DNS name** and paste the value in a new browser tab to invoke the load balancer.

 **Tip:** To copy the *DNS name*, hover on it and select the copy icon.

 **Expected output:** A web page like this is displayed.

![application.png](https://bookstack.iguazoft.com/uploads/images/gallery/2024-04/application.png)

49. Choose the **Settings** tab and then configure the following:

- **Endpoint:** Paste the *writer instance endpoint* you copied earlier.
- **Database:** Enter .
- **Username:** Enter .
- **Password:** Paste the **LabPassword** value from the left side of these lab instructions.

50. Choose **Save**.

 The application connects to the database, loads some initial data, and displays information. With this application, you can add, edit, or delete an item from a store’s inventory.

The inventory information is stored in the Amazon RDS MySQL-compatible database you created earlier in the lab. This means that if the web application server fails, the data won’t be lost. It also means that multiple application servers can access the same data.

 **Congratulations!** You have successfully accessed the web application installed on the EC2 instance through the load balancer.

---

## Optional Task: Creating an Amazon RDS read replica in a different AWS Region

In this challenge task, you create a cross-Region read replica from the source DB instance. You create a read replica in a different AWS Region to improve your disaster recovery capabilities, scale read operations into an AWS Region closer to your users, and to make it easier to migrate from a data center in one AWS Region to a data center in another AWS Region.

 **Note:** This challenge task is optional and is provided in case you have lab time remaining. You can complete this task or skip to the end of the lab [here](https://us-east-1.durian.bkr.team.aws.training/session/ceahfsgjwnfL4riQroNS2j?locale=en-US&reference=wDd9KFmKCDK2x8tifh4WFu%3A%3A44f534f1-7b32-464b-88da-8df283f68842#conclusion).

51. Switch back to the browser tab open to the AWS Management Console.
52. At the top of the console, in the search bar, search for and choose .
53. In the left navigation pane, choose **Databases**.
54. Select the **aurora** DB instance as the source for the read replica.
55. Choose Actions and select **Create cross-Region read replica**.

The **Create cross region read replica** page is displayed.

- **Multi-AZ deployment:** Select **Don’t create an Aurora Replica**.

The remaining settings in this section can be left at their default values.

56. In the **Connectivity** section, configure the following:

- **Destination Region:** From the dropdown menu, select the region that matches the **RemoteRegion** value from the lab instructions.
- **Virtual private cloud (VPC):** *LabVPC*
- **Public access:** Select **No**.
- For **Existing VPC security groups:**
    - To remove the *default* security group, select the **X**.
    - From the dropdown menu, enter  to choose this option. The remaining settings in this section can be left at their default values.

57. In the **Settings** section, configure the following:

- **DB instance identifier:** Enter .

The remaining settings in this section can be left at their default values.

58. Choose Create.

A **Your Read Replica creation has been initiated.** message is displayed on the screen.

59. To review the cross-Region read replica in the destination Region, choose the hyperlink on the same page labeled **here**.
60. Otherwise, choose Close.

 **Congratulations!** You have successfully completed the optional task and started the creation of a cross-Region read replica for the Amazon RDS database.

# Conclusion

 **Congratulations!** You have now successfully completed the following:

- Created an Amazon RDS DB instance.
- Created an Application Load Balancer.
- Created an HTTP listener for the Application Load Balancer.
- Created a target group.
- Registered targets with a target group.
- Tested the load balancer and the application connectivity to the database.
- Reviewed the Amazon RDS DB instance metadata using the console.

 In this lab, you learned how to deploy the various resources needed for a prototype web application in your Amazon VPC. However, the architecture created in this lab does not meet AWS Cloud best practices because it is not an elastic, durable, highly available design. By relying on only a single Availability Zone, the architecture has a single point of failure. You learn how to configure your architecture for redundancy, failover, and high availability in the next lab.