Pirate-Jim Here We Come

Amongst the diving and working it seems this year I’ll also be partaking in some sailing too..

  • May – Quick whiz around the Solent with Commodore Yachting to reacquaint myself with a yacht
  • June – Sailing around Norway from Bergen to Aalesund
  • November – All being well, I may be sailing the Atlantic Rally for Cruisers from Las Palmas (Spain) to St Lucia

Simple AWS Diagrams

So my most recent post included some Visio-style diagrams but not done in Visio.. try draw.io out, it’s pretty good. Basic, but good.


My First vPC

my first vpc

My first attempt at building some form of basic infrastructure constructs in AWS.. Keep in mind that this is the learning curve, so in no way represents best-practice deployments!

The Building Blocks

  • Internet Gateway
  • Single vPC in London Region (eu-west)
  • Two subnets, one in each availability zone (eu-west-2a and eu-west-2b) for Web Servers
  • Two subnets, one in each availability zone for Bastion hosts
  • Two Launch Configurations – one for bastion hosts, one for webservers
  • One Auto Scaling Group for Web Servers – min instances 2, linked to webserver Launch Configuration
  • One Auto Scaling Group for Bastion host – min instances 1, linked to Bastion Launch Configuration
  • Elastic Load Balancer – inbound  HTTP/s connected to the Web Server auto-scaling group
  • One Security Group for Web Servers – enables inbound HTTP / HTTPs from anywhere, and SSH from the Bastion Subnets
  • One Security Group for Bastion hosts – enables inbound SSH from anywhere
  • One IAM Role – to enable Read-Only access to S3

Web Server Launch Configuration

Each web server is built using a Launch configuration which has a bootstrap script to do the following:

  • Update standard AMI packages
  • Install Apache and PHP
  • Start Apache
  • Set Apache to start on bootup
  • Copy custom index.php from S3  (this is why it needs an IAM role to access S3!)
  • Copy health-check HTML from S3
  • Make index.php executable

The index.php is a basic “Hello World” which also shows the internal IP of the host serving it.. this way when tweaking with load-balancers I can tell which instance has served the request.  The two pages are stored in an S3 bucket and the IAM role applied to the Launch Configuration allows the instances to copy the files down to the web server.

 #! /bin/bash
 yum update -y
 yum install http php -y
 service httpd start
 chkconfig httpd on
 aws s3 --region eu-west-2 cp s3://e02-lab-scripts/index.php /var/www/html/
 aws s3 --region eu-west-2 cp s3://e02-lab-scripts/healthcheck.html /var/www/html/
 chmod +x /var/www/html/index.php

Summary

This stuff is bloody complicated – but – certainly not impossible.  Once you know what all the components are, how they work and interact with each other, it’s easy to start building services and constructs based on them.


And it all started so well

Well – my first foray into AWS was going so well.. I’ve been using A Cloud Guru for my AWS Architect Associate training and following each of the labs and doing a bit of playing in the background myself.  Since getting through the initial S3 and EC2 videos, I brought up a Bitnami WordPress instance to host this site and did the relevant Route53 transfer and what have you.  I also moved our wedding website to an S3-Static Site bucket as post-wedding it didn’t need PHP or anything fancy to run.

All seemed well and good.

Then I decided that since I was now hosting ‘live’ sites from my AWS account, I didn’t really want to be meddling with labs and accidentally destroy something.. So I created a new account and went about building a little lab environment: New vPC, subnets for web services, subnets for bastion hosts, scaling groups.. the works!  I thought I was doing so well until I tried connecting to the first bastion instance I’d created and got a dreaded SSH time-out!


Cut to the chase: If you don’t want to read the rest, just remember this:  Don’t forget a default gateway in the routing table – it doesn’t add itself!


The idiot network engineer

“User error” – I thought.  Obviously.  So I walked through my configuration:

  • ElasticIP associated.. check.
  • Instance attached to Subnet.. duh, check.
  • Subnet associated in routing table.. check.
  • vPC associated with Internet Gateway.. check.
  • Security group has sensible ruleset (SSH and HTTP/s inbound from 0.0.0.0/0).. check.

So I still couldn’t see what the issue was.  Now, at this point, I hadn’t done any training on CloudWatch, but I noticed in the vPC configuration I could do something with Flow Logs.  So a bit of playing around and following the on-screen “You’re trying to do something you’re not ready for yet“-type instructions, I got flow information for the vPC going into a log and I could drill down on a per-instance basis.

Now I could see what was going on.. Nothing wrong with the rules, my ping’s and SSH attempts clearly had ‘ACCEPT’ next to them, so the inbound path was fine.

Then it dawn on me… stuff is getting in, but how is it getting out – or more precisely – does it know HOW to get out?  So back to look at the routing table I went, with the sudden realisation that there was no default route!  Doh!  And I’m supposed to be a network engineer!

So what’s the lesson here:  An AWS Internet Gateway isn’t given the default route by default.. makes sense, you might want to use a vASA or something

What good came out of this.. I  learnt how to use CloudWatch


The House has Moved

That’s right.. in bowing to the mentality that you should do what you preach, the 23,333 blog has moved home to AWS!

More in the next post how this was accomplished…