I want to set up a VPC for my Elastic Beanstalk web app and RDS postgres db. I tried creating a VPC but ran into problems:
I went to VPC on AWS -> Launch VPC Wizard -> VPC with Public and Private Subnets. I am not sure what configurations to use. For example, what should I set Elastic IP Allocation ID? Do I need to set the VPC name?
After I create this, am I ready to just add it in EBS and RDS, or is there something else I need to do? Thanks!
Do I need to set the VPC name?
Its optional, but you can use, e.g. MyVPCforEB or what you want. It easier to find your vpc by name, than by cryptic vpc-id.
what should I set Elastic IP Allocation ID
You have to create EIP first. Its done in VPC -> Elastic IP addresses menu. This is required for NAT gateway, so that instances in private subnet can access the internet.
After I create this, am I ready to just add it in EBS and RDS, or is there something else I need to do?
Not really. To do it properly, you would need to add one more private subnet. The VPC wizard will create only one private subnet. For RDS, to create a subnet group, you need to have at least two private subnets in different Availability Zones.
Thus, once you have two private subnets in two different AZs, then you can create new Subnet Group in RDS with the subnets. Having this, you can create the RDS in these two subnets.
Related
We have an EKS cluster running in a VPC and we are thinking of extending this VPC or creating another VPC with a different subnet IP range. EKS nodes (EC2 instances) are running with multiple ENIs, that is, with multiple private IPs.
We wonder if it is possible to make these EC2 instances which serve as EKS nodes automatically get an IP from this new subnet within current VPC or on the other VPC when they are getting instantiated. If the subnet is on another VPC, should we have a VPC peering connection between two VPCs? Can it be doable by Cloud Formation templates on EKS? What is the best practice here? Thanks.
The option to extend VPC in EKS is via adding secondary CIDR block and configure CNI plugin to use the subnets created in the secondary CIDR block. CNI is ultimately responsible to assign the ip addresses available through the subnet cidr to the pods.
To use the correct CIDR range for VPC extension and to configure the CNI please use the below article :
https://aws.amazon.com/premiumsupport/knowledge-center/eks-multiple-cidr-ranges/
I made a Django app and deployed it on Elastic Beanstalk. I made a Postgres DB with RDS as well. I want to add both of these to a VPC.
I created the VPC using the VPC wizard (VPC with Public and Private Subnets): which created, as the name suggests, one public and one private VPC.
I was told here that I need to add a second private subnet for RDS. Now I have:
1 public subnet (10.0.0.0/24)
2 private subnets (10.0.1.0/24 and 10.0.10.0/24)
I also know that from here that I needed to "modify the route table of the new private subnet to point to the NAT gateway". However, I am not sure what that means. Right now, here is what my route tables look like:
One for the public subnet
One for the private subnet (main)
Also, after configuring this, what do I need to do to add my RDS to this? Should I just make a subnet group with these 2 private subnets and set it when configuring the RDS? I think I know how to do EBS using CLI.
Please let me know if you need any more information! Thanks!
For the private subnets your route tables should point 0.0.0.0/0 to NAT gateway, as shown on the screenshot:
Example SG for RDS for testing:
I'm trying to use CDK (Typescript) to create an RDS (Postgres) instance within an ISOLATED subnet. As far as I understood, the default VPC created automatically in each of my account regions only has Public Subnets.
If I then want to launch a Fargate instance on top of one of those Public Subnets, do I need to create a VPC Peering between the ISOLATED subnet and the default VPC?
Any idea how to create that using CDK?
"Any idea how to create that using CDK?" -> yes:
Use AWS CDK to provision a new VPC similar to this. As you can see, there are subnets for public, applicational and database layers;
[OPTIONAL] For a better AWS CDK project organization, you can use multiple stacks like network (VPC resources), compute (Fargate resources), and database (RDS). You can pass the vpc on network stack to compute & database stacks;
Be sure that you set vpc on the ECS cluster and at load-balanced level (if applicable) and put RDS database in the isolated/database by using vpcSubnets attribute
To sum up, one VPC. No applicational or database exposed to the public. I have a git repo in case you want to look for sample code/template
VPC peering is when you have two VPC with different CIDR ranges. You have one VPC hence no need to use VPC peering.
I want to have different VPC for dev/test/prod and one separate VPC for share services like jenkins. I'll use VPC peering between the Shared Services VPC and each of the environments VPCs
Each environment will have its own RDS instance.
RDS setup has this option about instance public accesibily, and I'm confused about the "No EC2 instance or devices outside of the VPC will be able to connect" statement.
If I choose "no" will I still be able to connect to the dev RDS instance from the shared services VPC by using VPC peering?
Yes you will be able to access from your 'shared services' VPC if you've peered the two VPCs.
Be sure to follow the VPC peering guide. The biggest thing is to make sure the CIDR block ranges do not overlap and you'll have to set the security groups on each RDS instance to allow traffic from the Jenkins instance in the 'shared services' VPC
I was setting up an environment using Elastic Beanstalk and I wanted the hosts to be apart of the default VPC for my account. I didn't really understand what the options meant. See the below image for an example:
Associate Public IP Address - How does this differ from the ELB visibility?
Subnets for ELB and EC2 - What do these do? The set-up wizard requires at least one box is selected. During my setup I selected all of the boxes.
VPC Security Group - How does this differ from the security group of the EC2 hosts. I use the security groups to SSH onto the hosts. Why does the VPC need a security group?
If selected, the ELB will be created with a public IP address associated to it (or the EC2 instance will if you select single instance instead of load balanced during the setup). Visibility is just for ACLs, and won't actually give it a publically accessible IP.
In a common VPC setup, you'll have both public and private subnets with a NAT in between them. Things in the public subnet can usually access the Internet and private subnet. Private subnet can usually just access the local subnet. In a load balanced EB environment, you'd typically place the ELB in the public subnet and the EC2 instance(s) in the private subnet.
VPC security groups are for your resources (anything in your VPC). They're just prefixed with the term VPC so as to distinguish between VPC security groups and legacy EC2 security groups (for EC2 instances that are not part of any VPC). The option in the UI only affects the EC2 resources in your VPC though I believe...not the ELB.