// VPC
default VPC IP range = 172.31.0.0/16
==========
// how to create a VPC
1 select the region
2 create the VPC
VPC > Create VPC > IPv4 CIDR block => enter the IP range you want to allocate
^ a VPC ID will be created
^ a route table appears automatically
^ a NACL appears automatically
^ DNS hostnames = disabled by default
===========
// connect the VPC to the internet
1 create an internet gateway
Internet Gateways > Create internet gateway
- input name tag: ig-1
^ when created its state will be "detached"; it can then be attached to the VPC created earlier.
2 attach the internet gateway to the VPC
Internet Gateways > Actions > Attach to VPC
- select the VPC ID you want to attach to
3 add a route table so there is a route to the internet
Internet Gateways > Route Tables > Create route table
- name tag: route_to_internet
- VPC: select the existing VPC
4 set the main route table
Route Tables > Actions > Set main route table
5 edit the route table, add 0.0.0.0/0
Route Tables > Edit routes > Add route
destination = 0.0.0.0/0
target = (select the internet gateway)
6 edit subnets
// create at least 2 or 3 in different AZs so there is HA.
Subnets > Create subnet >
- edit the name tag
- select the VPC
- select the AZ
- edit the IPv4 CIDR block (its size must be smaller than / a part of the VPC CIDR)
// create 3 public IPv4 CIDRs:
10.0.1.0/24
10.0.0.0/24
10.0.2.0/24
^ Actions => Edit auto-assign public IPv4 address: yes
// create 1 private IPv4 CIDR:
10.0.3.0/24
// create a new route table for the private IP segment
- Route Tables > Create route table > private_ip_route
// set the route table association
Subnets -> Edit route table association
- edit the route table ID
- change it to the private one
- save
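The VPC, internet gateway, route table and subnet steps above as one Terraform configuration for the AWS provider (an added example, not part of the original notes). It assumes a VPC CIDR of 10.0.0.0/16, which the 10.0.x.0/24 subnets fit inside; the resource names and the availability-zone data source are my own choices.

```hcl
# Assumed VPC CIDR: 10.0.0.0/16 (every subnet CIDR must fall inside it)
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true   # the console leaves this disabled by default
}

# Steps 1-2: the IGW, created already attached to the VPC
resource "aws_internet_gateway" "ig1" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "ig-1" }
}

# Steps 3-5: route table with a default route to the IGW, made the VPC's main table
# (any subnet without an explicit association inherits this public route)
resource "aws_route_table" "route_to_internet" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.ig1.id
  }
  tags = { Name = "route_to_internet" }
}
resource "aws_main_route_table_association" "main" {
  vpc_id         = aws_vpc.main.id
  route_table_id = aws_route_table.route_to_internet.id
}

# Step 6: three public subnets in different AZs for HA; only these auto-assign public IPv4
data "aws_availability_zones" "azs" {}
resource "aws_subnet" "public" {
  count                   = 3
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.${count.index}.0/24"
  availability_zone       = data.aws_availability_zones.azs.names[count.index]
  map_public_ip_on_launch = true
}

# Private subnet: no public IPs, and its own route table with only the implicit local route
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.3.0/24"
}
resource "aws_route_table" "private_ip_route" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "private_ip_route" }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private_ip_route.id
}
```

After `terraform apply`, the private subnet's route table should show only the 10.0.0.0/16 local route, which is the check that instances in 10.0.3.0/24 are not reachable through the IGW.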
==========
// create EC2
- Services > EC2 > Instances > Launch instances
select the platform (usually the Amazon Linux 2 AMI (HVM) => for the public subnet)
- select t2.micro
- network = select the VPC network created earlier
- subnet = select the public subnet created earlier
- create a new IAM role
to grant permission to access S3
^ select EC2 > in the filter policies box, filter "ssm" (AmazonEC2RoleforSSM)
^ in the filter policies box, filter "s3" (AmazonS3FullAccess)
^ give it a role name > Create role
- select the new IAM role
// optional
in the advanced details section you can input a script to build a web server
- storage => leave the default for now
// configure security group
- create new security group > security group name = ec2-sec-group1
open port SSH
open port HTTP
- edit the source that is allowed
// create EC2 key pair
- used for remote access with a key, so it is more secure.
// security group => deny by default
// we create rules to allow services
==========
// create EC2 for the private subnet
same steps as above but use a different subnet => select the private one
=========
// edit NACL
- can be used to block a specific IP address
- the NACL is under Subnets
Subnets > select the subnet > below there is a Network ACL menu > Edit
- select inbound rules > Add rule // rules are evaluated lowest to highest
- add rule 10 > source: ip_private/32 > deny
========
// how to connect from outside to the private subnet
// you can use a jumphost or bastion (search the marketplace)
^ for browser-based SSH to the private instance, so it is more secure
^ jumpbox = hardened instance
^ can be given Google Authenticator / MFA
^ can do screen recording
^ has an audit log
^ alternatively you can use Session Manager, but it has no screen recording
- Instances > Launch instances > AWS Marketplace > Guacamole bastion host
- edit the network and subnet section
- edit policies > filter guaws
- create role > EC2 > filter > ec2readonlyaccess
========