Emx xubi
How to implement end to end VPC Endpoint service

How to implement end to end VPC Endpoint service

muhammad zubair's photo
muhammad zubair
·

14 min read

Table of contents

Lab Steps

Task 1: Sign in to AWS Management Console

  1. Click on the Open Console button, and you will get redirected to AWS Console in a new browser tab.

  2. On the AWS sign-in page,

    • Leave the Account ID as default. Never edit/remove the 12 digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab.

    • Now copy your User Name and Password in the Lab Console to the IAM Username and Password in the AWS Console and click on the Sign in button.

  3. Once Signed In to the AWS Management Console, Make the default AWS Region as US East (N. Virginia) us-east-1.

Task 2: Create a service provider VPC

  1. Make sure you are in the N.Virginia Region.

  2. Navigate to VPC by clicking on the Services menu in the top, then click on VPC in the Networking & Content Delivery section.

  3. Navigate to Your VPCs on the left panel and click on the Create VPC.

    • Name tag: Enter Service_Network

    • IPv4 CIDR block: Enter 20.0.0.0/16

  4. Leave everything else as default and click on the Create VPC.

  5. You have successfully created the VPC

Task 3: Create and attach an Internet Gateway

  1. Navigate to the Internet Gateways from the left side menu and click on the Create Internet Gateway.

    • Name tag : Enter Service_IGW
  1. Click on the Create Internet Gateway.

  1. Now click on the Actions button and select Attach to VPC.

    • Available VPCs: Select Service_Network from the list.

  2. Now click on the Attach Internet Gateway.

Task 4: Create a Public subnet

  1. Navigate to Subnets from the left side menu and click on Create Subnet.

    • VPC ID: Select the Service_Network VPC from the list.

    • Subnet name: Enter Service_Public_subnet

    • Availability Zone: Select us-east-1a

    • IPv4 CIDR block: Enter 20.0.1.0/24

  2. Now click on the Create Subnet.

Task 5: Create a Public Route Table and associate it with the subnet

  1. Navigate to Route Tables on the left side panel and click on the Create route table button.

    • Name tag : Enter Service_PublicRT

    • VPC*: Select the Service_Network from the list.

  2. Now click on the Create Route Table.

  3. Select the Service_PublicRT from the list and go to the Subnet Associations tab in below.

  4. Click on the Edit Subnet Associations.

  5. Now select the subnet and click on Save Associations.

Task 6: Add public Route in the Route table

  1. Navigate to Route Tables on the left side panel and select the Service_PublicRT from the list.

  2. Go to the Routes tab below and click on the Edit routes button.

  3. Now click on the Add routes button.

    • Destination: Enter 0.0.0.0/0

    • Target: Select Internet Gateway and then select the Internet Gateway ID.

  1. Click on the Save Changes.

Task 7: Create an EC2 Instance

  1. Make sure you are in the N.Virginia Region.

  2. Navigate to EC2 by clicking on the Services menu in the top, then click on EC2 in the Compute section.

  3. Navigate to Instances from the left side menu and click on the Launch Instances button.

  4. Under the Name and tags section :

  • Name: Webserver1

  1. Under the Application and OS Images (Amazon Machine Image) section :

  • Select the Quick Start tab and Amazon Linux under it

  • Amazon Machine Image (AMI): select Amazon Linux 2 AMI

Note: If there are two AMIs present for Amazon Linux 2 AMI, choose any of them.

  1. Under the Instance Type section :

    • Instance Type: Select t2.micro

  1. Under the Key Pair (login) section :

    • Click on Create new key pair hyperlink

    • Key pair name: public-key

    • Key pair type: RSA

    • Private key file format: .pem or .ppk

    • Click on Create key pair and select the created key pair

  1. Under the Network Settings section :

    • Click on the Edit button

    • VPC: Select Service_Network from the list.

    • Subnet: Select Service_Public_subnet

    • Auto-assign public IP: Select Enable

    • Firewall (security groups): Select Create a new security group

    • Security group name: Enter Webserver_sg

    • Description: Enter Security group for Webserver

    • To add SSH:

      • Choose Type: SSH

      • Source: Anywhere (From ALL IP addresses accessible).

    • For HTTP, click on Add security group rule,

      • Choose Type: HTTP

      • Source: Anywhere (From ALL IP addresses accessible).

    • For HTTPS, click on Add security group rule,

      • Choose Type: HTTPS

      • Source: Anywhere (From ALL IP addresses accessible).

  1. Under the Advanced details section :

    • Under the User data: copy and paste the following script to create an HTML page served by an Apache httpd web server.

 

  1. Keep everything else as default and click on the Launch instance button.

  2. Launch Status: Your instance is now launching, Navigate to the Instances page from the left menu and wait until the status of the EC2 Instance changes to running.

Task 8: Create a Network LoadBalancer

  1. Navigate to Load Balancers from the left side menu under Load balancing.

  2. Click on the Create Load Balancer.

  3. Select Load Balancer Type: Under the Network Load Balancer, click on the Create button.

  4. The next five screens will require configuration modification from the default values provided. If a field is not mentioned, leave it as default or empty.

  • Configure Load Balancer:

    • Name: Enter MyNetwork-LB

    • Scheme: Select Internet facing

    • VPC: Select Service_Network

      security group: select Webserver_sg.

    • Availability zones: Select the us-east-1 checkbox

    • Listeners:

      • Load Balancer Protocol: Select TCP

      • Load Balancer Port: Choose 80

    • Tags

      • Key: Enter Name

      • Value: Enter MyNetwork-LB

  • Click on Create target group, it will open it in new tab

  • Create Target Group:

    • Target Group:

      • Target Type: Select Instance

      • Name: Enter MyNetwork-TG

      • Port: Enter 80

      • Protocol: Choose TCP

    • Advanced health check settings: Select Interval as 10 Seconds.

    • Click on Next.

  • Now choose the instance Webserver1 from the above step and then click Include as pending below.

  • Click on Create Target Group

  1. Go back to the Network load balancer page and then select the MyNetwork-TG in the default section of the listeners

  2. Click on Create load balancing

  3. Now navigate to the Target Groups from the left side menu under Load balancing.

  4. Now select the Targets tab and wait till the targets become healthy (Important).

  5. Now again navigate to Load Balancers from the left side menu under Load balancing.

  6. Select the MyNetwork-LB Load Balancer and copy the DNS name under the Description tab.

  7. Paste the DNS name in your browser and hit [Enter] and you will be able to see the webpage.

  8. Paste the DNS name in your browser and hit [Enter] and you will be able to see the webpage.

Task 9: Create an Endpoint service

  1. Make sure you are in the N.Virginia Region.

  2. Navigate to VPC by clicking on the Services menu in the top, then click on VPC in the Networking & Content Delivery section.

  3. Select Endpoint Services under Virtual Private Cloud.

  4. Click on the Create Endpoint Service.

    • Associate Load Balancers: Check the MyNetwork-LB checkbox from the list.

  • Require acceptance for endpoint: Make sure this is selected Acceptance required

  • Note: By enabling the Acceptance option, for every customer who creates the vpc endpoint using this Endpoint Service, the service provider needs to accept the connection.

  1. Click on the Create button.

  2. Once the Endpoint service is created, under the Details, table copy the Service name and place it in your text editor. We will be using this Service name to create the VPC Endpoint.

Task 10: Create a customer VPC

  1. Make sure you are in the N.Virginia Region.

  2. Navigate to Your VPCs on the left panel and click on the Create VPC.

    • Name tag : Enter Customer_Network

    • IPv4 CIDR block: Enter 10.0.0.0/16

  3. Leave everything else as default and click on the Create VPC.

  4. You have successfully created the VPC

Task 11: Create and attach an Internet Gateway

  1. Navigate to the Internet Gateways from the left side menu and click on the Create Internet Gateway.

    • Name tag: Enter Customer_IGW

  2. Click on the Create Internet Gateway.

  1. Now click on the Actions button and select Attach to VPC.

    • Available VPCs: Select Customer_Network from the list.

  2. Now click on the Attach Internet Gateway.

Task 12: Create a Public subnet

  1. Navigate to Subnets from the left side menu and click on Create Subnet.

    • VPC ID: Select the Customer_Network VPC from the list.

    • Subnet name: Enter Customer_Public_subnet

    • Availability Zone: Select us-east-1a

    • IPv4 CIDR block: Enter 10.0.1.0/24

  2. Now click on the Create Subnet.

Task 13: Create a Public Route Table and associate it with the subnet

  1. Navigate to Route Tables on the left side panel and click on the Create route table button.

    • Name tag: Enter Customer_PublicRT

    • VPC*: Select the Customer_Network from the list.

  2. Now click on the Create Route Table.

  3. Select the Customer_PublicRT from the list and go to the Edit subnet association tab below.

  4. Now select the subnet and click on Save Associations.

Task 14: Add public Route in the Route table

  1. Navigate to Route Tables on the left side panel and select the Customer_PublicRT from the list.

  2. Go to the Routes tab below and click on the Edit routes button.

  3. Now click on the Add routes button.

    • Destination: Enter 0.0.0.0/0

    • Target: Select Internet Gateway and then select the Internet Gateway id.

  1. Click on the Save changes button.

Task 15: Create an EC2 Instance

  1. Make sure you are in the N.Virginia Region.

  2. Navigate to EC2 by clicking on the Services menu in the top, then click on EC2 in the Compute section.

  3. Navigate to Instances from the left side menu and click on the Launch Instances button.

  4. Under the Name and tags section :

    • Name: Customer_EC2

  1. Under the Application and OS Images (Amazon Machine Image) section :

    • Select the Quick Start tab and Amazon Linux under it

    • Amazon Machine Image (AMI): select Amazon Linux 2 AMI

Note: If there are two AMIs present for Amazon Linux 2 AMI, choose any of them.

  1. Under the Instance Type section :

    • Instance Type: Select t2.micro

  1. Under the Key Pair (login) section :

    • Key pair name: Select public-key

  1. Under the Network Settings section :

    • Click on the Edit button

    • VPC: Select Customer_Network from the list.

    • Subnet: Select Customer_Public_subnet

    • Auto-assign public IP: Select Enable

    • Firewall (security groups): Select Create a new security group

    • Security group name: Enter Customer_EC2_SG

    • Description: Enter Security group for Customer EC2

    • To add SSH:

      • Choose Type: SSH

      • Source: Anywhere (From ALL IP addresses accessible).

    • For HTTP, click on Add security group rule,

      • Choose Type: HTTP

      • Source: Anywhere (From ALL IP addresses accessible).

    • For HTTPS, click on Add security group rule,

      • Choose Type: HTTPS

      • Source: Anywhere (From ALL IP addresses accessible).

  1. Keep everything else as default and click on the Launch instance button.

  2. Launch Status: Your instance is now launching, Navigate to the Instances page from the left menu and wait until the status of the EC2 Instance changes to running.

  1. Note down the sample IPv4 Public IP Address of the EC2 instance and place it in your text editor. A sample is shown in the screenshot below.

Task 16: Create a VPC Endpoint

  1. Navigate to VPC by clicking on the Services menu in the top, then click on VPC in the Networking & Content Delivery section.

  2. Select Endpoints under Virtual Private Cloud.

  3. Click on the Create endpoint button.

    • Service category: Select Other endpoint services

    • Service Name: Paste the Service name that you copied and placed in your text editor.

    • Click on the Verify service button and you will get a Service name verified message.

    • VPC*: Select Customer_Network from the list.

    • Subnets: Select the us-east-1a Availability Zone

    • IP address type: IPv4

    • Security group: select the Customer_EC2_SG from the list.

  4. Now click on the Create Endpoint button.

  5. Now the status of your endpoint will be in pending acceptance status.

  1. Now navigate back to Endpoint Service under Virtual Private Network.

  2. Select the Endpoint Service and select the Endpoint Connections tab from below.

  3. Click on the Action button and select Accept Endpoint Connection request

  1. Type accept and then click on Accept

  2. Now again navigate back to Endpoints and your endpoint will be in pending status. It will take 3 to 4 Min to become the status as available. Wait till the Status becomes available.

Task 17: Test the connectivity

  1. Select the Endpoint that you have created and select the Subnets tab from below.

  2. Copy the IPv4 Addresses and place them in your text editor.

  1. Please follow the steps to SSH to Customer_EC2, SSH into EC2 Instance.

  2. Once you have successfully SSH into EC2, run the following commands :

    • Switch to root user :

      sudo -s

  3. Run curl command to the IPv4 Address

    • Syntax : curl <IPv4 Address>

    • Example: curl 10.0.1.136

  4. You will be able to get the Web Server output from the Network Load balancer.

Do You Know?

Implementing an end-to-end VPC Endpoint service involves a comprehensive configuration that enables secure and private communication between resources within a Virtual Private Cloud (VPC) and AWS services. This setup is particularly useful when you want to access AWS services like S3, DynamoDB, or Kinesis privately, without using public internet connectivity.

Task 18: Validation of the lab

  1. Once the lab steps are completed, please click on the Validation button on the right side panel.

  2. This will validate the resources in the AWS account and display whether you have completed this lab successfully or not.

  3. Sample output :

Task 19: Delete AWS Resources

Delete EC2 Instance

  1. Make sure you are in the US East (N. Virginia) Region.

  2. Navigate to EC2 by clicking on the Services menu in the top, then click on EC2 in the Compute section.

  3. Now select the EC2 instance that you have created and click on Instance State and then click on the Terminate option.

  4. Click on the Terminate button and your EC2 will start terminating.

  5. Now delete the other two EC2 Instances also.

Delete VPC EndPoint

  1. Navigate to VPC by clicking on the Services menu in the top, then click on VPC in the Networking & Content Delivery section.

  2. Select Endpoints under Virtual Private Network.

  3. Select the Endpoint that you have created.

  4. Click on the Action button and select Delete Endpoint.

  5. Click on the Yes, delete button to confirm the deletion.

Delete Endpoint service

  1. Now navigate to Endpoint Service under Virtual Private Network.

  2. Select the Endpoint service that you have created.

  3. Click on the Action button and click on Delete service endpoint

  4. Type delete and then click on Delete.

Delete Elastic LoadBalancer and Target Group

  1. In the EC2 console, navigate to Load Balancers in the left-side panel.

  2. MyNetwork-LB will be listed here.

  1. To delete the load balancer, need to perform the following actions:

    • Select the load balancer,

    • Click on the Actions button,

    • Select the Delete option.

  1. Confirm by clicking on the Yes, Delete button when a pop-up is shown.

  1. MyNetwork-LB will be deleted immediately.

  2. In the EC2 console, navigate to Target Groups in the left-side panel.

  3. MyNetwork-TG will be listed here.

  1. To delete the target group, need to perform the following actions:

    • Select the target group,

    • Click on the Actions button,

    • Select the Delete option

  1. Now click on the Yes, delete button to confirm deletion.

  2. MyNetwork-TG will be deleted immediately.

Completion and Conclusion

  1. You have successfully created a Service provider VPC.

  2. You have successfully created and attached an Internet Gateway.

  3. You have successfully created a Public subnet.

  4. You have successfully created a Public Route Table and associated it with the subnet.

  5. You have successfully added the public Route in the Route table.

  6. You have successfully created an EC2 Instance.

  7. You have successfully created a Network LoadBalancer.

  8. You have successfully created an Endpoint service.

  9. You have successfully created a customer VPC.

  10. You have successfully created and attached an Internet Gateway.

  11. You have successfully created a Public subnet.

  12. You have successfully created a Public Route Table and associated it with the subnet.

  13. You have successfully added the public Route in the Route table.

  14. You have successfully created an EC2 Instance.

  15. You have successfully created a VPC Endpoint.

  16. You have successfully tested the connectivity.

End Lab

  1. Sign out of AWS Account.

  2. You have successfully completed the lab.

endtoendVPC EndpointsEC2 instance