Creating your own VPC with your own customization

Aditisinha
6 min read, Jul 23, 2020

Imagine creating your whole office from scratch according to your needs and requirements and customizing it accordingly. Here, you decide which region you want to set up your office (aka VPC) in, you decide which lab (subnet) will be public facing and which will be private, and you assign the range of IP addresses your DHCP will hand out.

Let's do the entire setup shown below in just a single click, that is, through Terraform on AWS.

[Figure: Entire infrastructure setup]

First of all, we create a VPC. Inside our VPC we create subnets. Both subnets inside the VPC will have connectivity to each other. For this, we don't have to do anything; AWS manages it entirely itself. Without a public IP, NATing or an extra router, we have connectivity between instances situated in different AZs. They have local connectivity because of the internal routers, which are managed by AWS.

The following code creates the VPC and subnets inside AWS. We give our own range of IP addresses that we want to assign to our instances. Then we create two subnets in two different AZs.

# Provider: the region and the named AWS CLI profile whose credentials Terraform uses
provider "aws" {
  region  = "ap-south-1"
  profile = "riya"
}

# The VPC, with the private address range our instances will draw from
resource "aws_vpc" "main" {
  cidr_block           = "192.168.0.0/16"
  instance_tenancy     = "default"
  enable_dns_hostnames = true
  tags = {
    Name = "myvpc"
  }
}

# Public subnet in AZ ap-south-1a; instances launched here get a public IP
resource "aws_subnet" "main1" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.0.0/24"
  availability_zone       = "ap-south-1a"
  map_public_ip_on_launch = true
  tags = {
    Name = "my_subnet_1a"
  }
}

# Private subnet in AZ ap-south-1b; no public IPs are assigned here
resource "aws_subnet" "main2" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "ap-south-1b"
  tags = {
    Name = "my_subnet_1b"
  }
}

To have outside connectivity to our instances inside this VPC, we attach a public-facing router which already has a DNAT rule enabled. This router is known as an Internet Gateway. For one VPC we attach only one Internet Gateway router. As soon as we create an Internet Gateway, all the internal routers get connected to it automatically.

# One Internet Gateway per VPC; it is the VPC's only path to and from the public internet
resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id
  tags = {
    Name = "my_igw"
  }
}

As we know, the most secure system is the one which does not have outside connectivity. Here, suppose we want to create a secure environment for our database server, so we will put it in the private subnet, that is, the one with no outside connectivity. Similarly, if we want to create a web app so that outside clients can visit and use it, we will put our web application server in the public subnet. We are making my_subnet_1a public, so we assign a public IP to all the instances launched in this subnet. This public IP is actually assigned to the Internet Gateway router.

[Screenshots: own VPC; public subnet; auto-assign public IP addresses enabled; private subnet]

Now, if any instance wants to reach the public world or reply to a public IP, it must know its Internet Gateway, as the internal routers will not help in this case. Hence, we give a routing table to the instances in the public subnet so that they know, if they want to connect to the world, this is the gateway for that. DHCP is what gives this information to the instances in the respective subnet. Hence, with the following code we create a routing table and update the DHCP of our public subnet (here: my_subnet_1a).

# Route table with a default route (0.0.0.0/0) pointing at the Internet Gateway
resource "aws_route_table" "r" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }
  tags = {
    Name = "my_routing_table"
  }
}

# Associate the route table with the public subnet only; the private subnet
# keeps the VPC's main route table, which has no route to the gateway
resource "aws_route_table_association" "a" {
  subnet_id      = aws_subnet.main1.id
  route_table_id = aws_route_table.r.id
}

Associating the routing table with my_subnet_1a (its dedicated DHCP), we get:

[Screenshots: new route table; route table associated with the public subnet; the private subnet does not have outside connectivity]

A firewall on a system adds an additional security layer, as it controls the ingress and egress traffic to that system. For this we create security groups in our VPC and assign them to the instances launched there. Suppose we want to create a web application, e.g. WordPress: we allow ingress traffic on port 80, and on port 22 for management purposes.

# Security group for the web tier: SSH and HTTP in from anywhere, all traffic out
resource "aws_security_group" "sg1" {
  name        = "wp-sg"
  description = "Allow ssh and http"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "allow ssh"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "allow http"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # protocol "-1" means all protocols; this allows any outbound connection
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "wp-sg"
  }
}

Now suppose that for our database server we want only our web application to be able to access it. Since our web application can undergo scaling, the IP addresses to allow for ingress might change, but the security group assigned to each web application instance stays the same. So here we decide the inbound traffic on port 3306 according to the security group rather than an IP range.

# Security group for the database tier: port 3306 only from members of wp-sg
resource "aws_security_group" "sg3" {
  name        = "mysql-sg"
  description = "Allow security groups"
  vpc_id      = aws_vpc.main.id

  ingress {
    description     = "allow wp-sg"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    # referencing the group, not a CIDR, so scaled-out web instances are covered automatically
    security_groups = [aws_security_group.sg1.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "mysql-sg"
  }
}
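The post's wp-sg opens port 22 to 0.0.0.0/0. As an added example (not from the original post), here is the same group with SSH limited to a management range passed in as a variable; the variable name admin_cidr and its default value are assumptions, and the default uses a documentation address range rather than a real one:

```hcl
# Added example: hardened variant of wp-sg. Only the HTTP rule stays world-open;
# SSH is limited to the management range in var.admin_cidr (assumed name).
variable "admin_cidr" {
  description = "CIDR allowed to reach port 22 on the web tier (constructed placeholder)"
  type        = string
  default     = "203.0.113.0/24" # documentation range; replace with your office/VPN range
}

resource "aws_security_group" "wp_sg_hardened" {
  name        = "wp-sg-hardened"
  description = "HTTP from anywhere, SSH only from the admin range"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "allow ssh from admin range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  ingress {
    description = "allow http"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Security groups are stateful: replies to allowed inbound connections are
  # permitted automatically, so this egress rule only governs connections the
  # instance itself initiates (package updates, reaching the database on 3306).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "wp-sg-hardened"
  }
}
```

Swapping this group in for sg1 on the WordPress instance keeps the mysql-sg reference working, since that rule is keyed on whichever group id you pass it.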

Now we launch our instances in the required subnets: the database server (e.g. MySQL) in the private subnet and the web application (e.g. WordPress) in the public subnet.

# MySQL instance in the private subnet, guarded by mysql-sg.
# With an explicit subnet_id inside a VPC, security groups must be attached by ID
# through vpc_security_group_ids; the security_groups argument expects group names
# and only applies to the default VPC.
resource "aws_instance" "web" {
  ami                    = "ami-08706cb5f68222d09"
  instance_type          = "t2.micro"
  key_name               = "mykey-new"
  vpc_security_group_ids = [aws_security_group.sg3.id]
  subnet_id              = aws_subnet.main2.id
  tags = {
    Name = "MySQL"
  }
}

# WordPress instance in the public subnet, guarded by wp-sg
resource "aws_instance" "web1" {
  ami                    = "ami-7e257211"
  instance_type          = "t2.micro"
  key_name               = "mykey-new"
  vpc_security_group_ids = [aws_security_group.sg1.id]
  subnet_id              = aws_subnet.main1.id
  tags = {
    Name = "wordpress"
  }
}
[Screenshots: instance launched in the private subnet; instance launched in the public subnet]

Now, running the entire code in Terraform, we can launch the entire infrastructure that we designed according to our own customization.

And there you go! You have created your entire infrastructure. Your web app is ready to use and completely secured.

Now, in just a single click you can destroy your entire infrastructure; that's the beauty of Terraform.

Thank you so much!! This was possible only under Vimal Daga sir. Thank you so much for the proper guidance and support.

Get the entire code here.
