Task Description :-
- Create Terraform code for the following:
1. Create a VPC.
2. Create two subnets in that VPC:
a) Public subnet
b) Private subnet
3. Create one Internet Gateway and connect it to the public subnet.
4. Create a routing table for the Internet Gateway, update it and associate it with the public subnet.
5. Create one NAT Gateway and connect it to the private subnet.
6. Create a routing table for the NAT Gateway, update it and associate it with the private subnet.
7. Launch one EC2 instance in the public subnet using a WordPress AMI, with a security group that allows port 80. Attach a key so that you can log in to the instance.
8. Launch another EC2 instance in the private subnet using a MySQL AMI, with a security group that allows port 3306. Attach a key to that instance as well.
NAT Gateway:-
- It is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet.
Elastic IP :-
- An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. An Elastic IP address is a public IPv4 address, which is reachable from the internet.
Bastion Host :-
- A bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.
Step 1 :-
- Provide your AWS profile name to log in.
provider "aws" {
  region  = "ap-south-1"
  profile = "abhishek"   # named profile from your local AWS credentials file
}
- Create VPC.
resource "aws_vpc" "myvpc" {
  cidr_block           = "192.168.0.0/16"
  instance_tenancy     = "default"
  enable_dns_hostnames = true   # instances with a public IP also get a public DNS name

  tags = {
    Name = "myvpc"
  }
}
Step 2 :-
- Create two subnets in that VPC, one public and the other private.
resource "aws_subnet" "mysubnet-1a" {
  vpc_id                  = aws_vpc.myvpc.id
  cidr_block              = "192.168.0.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true   # public subnet: instances receive a public IP at launch

  tags = {
    Name = "mysubnet-1a"
  }
}

resource "aws_subnet" "mysubnet-1b" {
  vpc_id            = aws_vpc.myvpc.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "ap-south-1b"
  # private subnet: no public IP at launch, reachable only from inside the VPC (via the bastion)

  tags = {
    Name = "mysubnet-1b"
  }
}
Step 3 :-
- Create one Internet Gateway and connect it to the public subnet.
resource "aws_internet_gateway" "mygateway" {
  vpc_id = aws_vpc.myvpc.id   # one Internet Gateway per VPC

  tags = {
    Name = "mygateway"
  }
}
Step 4 :-
- Create a routing table for Internet Gateway, update and associate it with public subnet.
resource "aws_route_table" "myroute_table" {
  vpc_id = aws_vpc.myvpc.id

  route {
    cidr_block = "0.0.0.0/0"                         # all traffic not destined for the VPC
    gateway_id = aws_internet_gateway.mygateway.id   # leaves through the Internet Gateway
  }

  tags = {
    Name = "myroute_table"
  }
}

# Associating the table with the public subnet is what makes that subnet "public".
resource "aws_route_table_association" "myroute_table_association" {
  subnet_id      = aws_subnet.mysubnet-1a.id
  route_table_id = aws_route_table.myroute_table.id
}
Step 5:-
- Create an Elastic IP.
resource "aws_eip" "my_eip" {
  vpc = true   # AWS provider v5 and later replace this argument with domain = "vpc"
}
Step 6:-
- Create one Nat Gateway and connect it to the private subnet.
resource "aws_nat_gateway" "natgw" {
  allocation_id = aws_eip.my_eip.id
  subnet_id     = aws_subnet.mysubnet-1a.id   # the NAT Gateway itself sits in the PUBLIC subnet; the private subnet routes to it

  # The NAT Gateway can only reach the internet once the Internet Gateway exists.
  depends_on = [aws_internet_gateway.mygateway]
}
Step 6 (continued):-
- Create a routing table for Nat Gateway, update and associate it with private subnet.
resource "aws_route_table" "myroute_table_natgw" {
  vpc_id = aws_vpc.myvpc.id

  route {
    cidr_block     = "0.0.0.0/0"                 # outbound internet traffic from the private subnet
    nat_gateway_id = aws_nat_gateway.natgw.id    # goes out via the NAT Gateway; nothing inbound is routed in
  }

  tags = {
    Name = "myroute_table_natgw"
  }
}

resource "aws_route_table_association" "myroute_table_natgw_association" {
  subnet_id      = aws_subnet.mysubnet-1b.id
  route_table_id = aws_route_table.myroute_table_natgw.id
}
Step 7:-
- Create a security group for WordPress.
resource "aws_security_group" "wordpress-sg" {
  name        = "wordpress-sg"
  description = "Allow ssh and httpd inbound traffic"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # consider narrowing this to your administrative IP range
  }

  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # the website must be reachable from anywhere
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"            # all protocols
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "wordpress-sg"
  }
}
- Create a security group for MySQL.
resource "aws_security_group" "mysql-sg" {
  name        = "mysql-sg"
  description = "Allow MySQL inbound traffic from WordPress and the bastion host"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    description = "MYSQL"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    # Source limited to the WordPress and bastion security groups. Adding
    # cidr_blocks = ["0.0.0.0/0"] here would make this restriction meaningless.
    security_groups = [
      aws_security_group.wordpress-sg.id,
      aws_security_group.bastion-sg.id,
    ]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "mysql-sg"
  }
}
- Create a security group for the bastion host.
resource "aws_security_group" "bastion-sg" {
  name        = "bastion-sg"
  description = "Allow bastion host"
  vpc_id      = aws_vpc.myvpc.id

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # the bastion is the only SSH entry point; restrict this to your admin IP range where possible
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "bastion-sg"
  }
}
Step 8:-
- Launch one EC2 instance in the public subnet using a WordPress AMI, with a security group that allows port 80. Attach a key so that you can log in to the instance.
resource "aws_instance" "wordpress" {
  ami                    = "ami-0979674e4a8c6ea0c"
  instance_type          = "t2.micro"
  key_name               = "keycloudclass"   # existing EC2 key pair used for SSH login
  vpc_security_group_ids = [aws_security_group.wordpress-sg.id]
  subnet_id              = aws_subnet.mysubnet-1a.id   # public subnet

  tags = {
    Name = "wordpress"
  }
}
- Launch another EC2 instance in the public subnet as the bastion host. Attach a key to that instance as well.
resource "aws_instance" "bastion_host" {
  ami                    = "ami-0732b62d310b80e97"
  instance_type          = "t2.micro"
  key_name               = "keycloudclass"
  vpc_security_group_ids = [aws_security_group.bastion-sg.id]
  subnet_id              = aws_subnet.mysubnet-1a.id   # public subnet, so it is reachable over SSH from outside

  tags = {
    Name = "bastion_host"
  }
}
- Launch another EC2 instance in the private subnet using a MySQL AMI, with a security group that allows port 3306. Attach a key to that instance as well.
resource "aws_instance" "mysql" {
  ami           = "ami-08706cb5f68222d09"
  instance_type = "t2.micro"
  key_name      = "keycloudclass"
  # mysql-sg allows 3306; bastion-sg is attached as well so that the bastion can SSH into this instance.
  vpc_security_group_ids = [aws_security_group.mysql-sg.id, aws_security_group.bastion-sg.id]
  subnet_id              = aws_subnet.mysubnet-1b.id   # private subnet: no public IP

  tags = {
    Name = "mysql"
  }
}
Step 9:-
- Now login to your Wordpress site :-
- This site is working fine.
Step 10 :-
- Now, log in to the bastion host, which will be used to access MySQL.
- First SSH into the bastion host, then copy the .pem key onto the bastion host using WinSCP. After this, SSH from the bastion host to MySQL using the private key. After all this setup you can make any update in MySQL.
- Now you are connected to MySQL (private subnet):-
- Now you can update anything inside MySQL.
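Step 10 copies the private key onto the bastion host; an SSH jump-host configuration reaches the MySQL instance through the bastion while the key stays on your workstation. This is an added example and not part of the original post: the bastion public IP, the MySQL private IP (an address in mysubnet-1b, 192.168.1.0/24) and the login user are placeholders/assumptions, and keycloudclass.pem is the key pair named on this page.

```ssh_config
# ~/.ssh/config on the workstation (added example; addresses and user are placeholders)

# Bastion host in the public subnet (mysubnet-1a): the only host exposed on port 22.
Host bastion
    HostName <bastion-public-ip>         # public IP or Elastic IP of the bastion_host instance
    User ec2-user                        # assumption: login user of the bastion AMI
    IdentityFile ~/.ssh/keycloudclass.pem
    IdentitiesOnly yes                   # offer only this key, not every key in the agent

# MySQL instance in the private subnet (mysubnet-1b): no public IP, reached only through the bastion.
Host mysql
    HostName <mysql-private-ip>          # 192.168.1.x private address of the mysql instance
    User ec2-user                        # assumption: login user of the MySQL AMI
    IdentityFile ~/.ssh/keycloudclass.pem
    IdentitiesOnly yes
    ProxyJump bastion                    # tunnel through the bastion; authentication to mysql happens end-to-end from the workstation

# Usage: "ssh mysql" opens a shell on the MySQL instance; the .pem file is never copied to the bastion.
```

Both hops use the same key here because the page attaches keycloudclass to every instance; with separate key pairs, set a different IdentityFile per Host block.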