AWS Global Infrastructure and Account Setup
- AWS Regions
- Availability Zones
- Edge Locations
- AWS Accounts
- AWS Organizations
- Landing Zones
Core Infrastructure Services
- EC2 instances
- Auto Scaling Groups (ASG)
- VPC
- Subnets
- Internet Gateway (IGW)
- NAT Gateway
- Route tables, Security Groups, NACLs
Labs
Lab 1: Build a 3-tier VPC with public/private subnets across 2 AZs
- Create VPC
- Create Subnets
- Create Internet Gateway (IGW)
- Configure Public Route Table
- Create NAT Gateway
- Configure Private Route Table
- Launch Bastion Host in Public Subnet
- Launch Web Server Auto Scaling Group (ASG)
- Configure Security Groups
AWS Console Steps
- Services → VPC → Your VPCs → Create VPC
- Name: MyVPC, IPv4 CIDR: 10.0.0.0/16, Tenancy: Default
- Services → VPC → Subnets → Create subnet for each:
  - Public Subnet 1: VPC=MyVPC, AZ=us-east-1a, CIDR=10.0.1.0/24
  - Public Subnet 2: VPC=MyVPC, AZ=us-east-1b, CIDR=10.0.2.0/24
  - Private Subnet 1: VPC=MyVPC, AZ=us-east-1a, CIDR=10.0.101.0/24
  - Private Subnet 2: VPC=MyVPC, AZ=us-east-1b, CIDR=10.0.102.0/24
- VPC → Internet Gateways → Create IGW → Attach to MyVPC
- VPC → Route Tables → Create Route Table → Name: PublicRT → Associate with MyVPC
- Edit PublicRT routes: Add route 0.0.0.0/0 to IGW
- Associate PublicRT with public subnets
- VPC → NAT Gateways → Create NAT Gateway in Public Subnet 1 → Allocate Elastic IP
- Create PrivateRT route table → Add route 0.0.0.0/0 to NAT Gateway
- Associate PrivateRT with private subnets
- EC2 → Launch Instance → Amazon Linux AMI → Network: MyVPC, Subnet: Public Subnet 1 → Auto-assign Public IP Enabled
- Configure Bastion Security Group → Allow SSH (port 22) from your IP only
- Set up launch template/configuration for web servers
- Create Auto Scaling Group spanning private subnets
- Create Application Load Balancer in public subnets → Listeners on ports 80/443
- Attach ASG to ALB target group
- Configure Security Groups:
  - ALB SG: Allow inbound HTTP/HTTPS from 0.0.0.0/0
  - Web Server SG: Allow inbound HTTP only from ALB SG
  - Bastion SG: Allow inbound SSH only from your IP
AWS CLI Commands
# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=MyVPC}]'
# Create subnets (shown for us-east-1a; repeat for PublicSubnet2 10.0.2.0/24 and PrivateSubnet2 10.0.102.0/24 in us-east-1b)
aws ec2 create-subnet --vpc-id vpc-xxxxxx --cidr-block 10.0.1.0/24 --availability-zone us-east-1a --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=PublicSubnet1}]'
aws ec2 create-subnet --vpc-id vpc-xxxxxx --cidr-block 10.0.101.0/24 --availability-zone us-east-1a --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=PrivateSubnet1}]'
# Create Internet Gateway and attach
aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=MyIGW}]'
aws ec2 attach-internet-gateway --vpc-id vpc-xxxxxx --internet-gateway-id igw-xxxxxx
# Create public route table, add the default route to the IGW, and associate it with each public subnet (repeat the association for PublicSubnet2)
aws ec2 create-route-table --vpc-id vpc-xxxxxx --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=PublicRT}]'
aws ec2 create-route --route-table-id rtb-xxxxxx --destination-cidr-block 0.0.0.0/0 --gateway-id igw-xxxxxx
aws ec2 associate-route-table --route-table-id rtb-xxxxxx --subnet-id subnet-xxxxxx
# Allocate Elastic IP and create NAT Gateway in public subnet
aws ec2 allocate-address --domain vpc
aws ec2 create-nat-gateway --subnet-id subnet-xxxxxx --allocation-id eipalloc-xxxxxx
# Create private route table and add route to NAT Gateway
aws ec2 create-route-table --vpc-id vpc-xxxxxx --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=PrivateRT}]'
aws ec2 create-route --route-table-id rtb-private --destination-cidr-block 0.0.0.0/0 --nat-gateway-id nat-xxxxxx
aws ec2 associate-route-table --route-table-id rtb-private --subnet-id subnet-private-xxxxxx
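Once the route tables are associated, the property that makes this a tiered network is simple to state: a public subnet's 0.0.0.0/0 route points at the IGW, a private subnet's at the NAT Gateway, and a subnet with no explicit association silently falls back to the VPC's main route table. The audit below is an added example (not part of the lab text and not an AWS tool); it reads `aws ec2 describe-route-tables` JSON and reports every subnet whose effective tier differs from the design. The JSON sample is constructed to match the CLI's output shape, all IDs in it and in EXPECTED_TIERS are made up, and one private subnet is deliberately mis-associated with the public table so the check has something to report.

```python
"""Audit subnet tiering from `aws ec2 describe-route-tables --output json`.

Added example for the lab, not part of the original text or any AWS tool. The JSON
below is constructed to match the shape the CLI prints; every ID in it is made up.
Run: python3 vpc_tier_audit.py [route-tables.json]
"""
import json
import sys

# Constructed sample: three route tables for the lab VPC. subnet-priv2 is
# deliberately associated with the public table to show what the audit flags.
SAMPLE_ROUTE_TABLES_JSON = """
{"RouteTables": [
  {"RouteTableId": "rtb-main", "VpcId": "vpc-0abc",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
   "Associations": [{"RouteTableAssociationId": "rtbassoc-0", "RouteTableId": "rtb-main", "Main": true}]},
  {"RouteTableId": "rtb-public", "VpcId": "vpc-0abc",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}],
   "Associations": [
     {"RouteTableAssociationId": "rtbassoc-1", "RouteTableId": "rtb-public", "SubnetId": "subnet-pub1", "Main": false},
     {"RouteTableAssociationId": "rtbassoc-2", "RouteTableId": "rtb-public", "SubnetId": "subnet-pub2", "Main": false},
     {"RouteTableAssociationId": "rtbassoc-3", "RouteTableId": "rtb-public", "SubnetId": "subnet-priv2", "Main": false}]},
  {"RouteTableId": "rtb-private", "VpcId": "vpc-0abc",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"}],
   "Associations": [
     {"RouteTableAssociationId": "rtbassoc-4", "RouteTableId": "rtb-private", "SubnetId": "subnet-priv1", "Main": false}]}
]}
"""

# Assumption: the lab's four subnets with made-up IDs and the tier each should be in.
EXPECTED_TIERS = {
    "subnet-pub1": "public", "subnet-pub2": "public",
    "subnet-priv1": "private", "subnet-priv2": "private",
}

TIER_BY_KIND = {"igw": "public", "nat": "private", "none": "isolated", "other": "other"}


def sample_tables():
    """Parse the constructed sample into the list describe-route-tables returns."""
    return json.loads(SAMPLE_ROUTE_TABLES_JSON)["RouteTables"]


def default_route_target(route_table):
    """Return (kind, target_id) for the active 0.0.0.0/0 route: igw, nat, other, or none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if "NatGatewayId" in route:
            return "nat", route["NatGatewayId"]
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            return "igw", gateway
        # e.g. a transit gateway, peering connection or instance acting as a router
        return "other", gateway or route.get("TransitGatewayId") or route.get("InstanceId")
    return "none", None


def route_table_for(tables, subnet_id):
    """Explicit association wins; a subnet with none implicitly uses the VPC's main table."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def effective_tier(tables, subnet_id):
    """Return (tier, route_table_id, default_route_target) for one subnet."""
    table = route_table_for(tables, subnet_id)
    if table is None:
        return "unknown", None, None
    kind, target = default_route_target(table)
    return TIER_BY_KIND[kind], table["RouteTableId"], target


def audit(tables, expected):
    """List every subnet whose effective tier differs from the tier the design expects."""
    findings = []
    for subnet_id, want in expected.items():
        tier, rtb, target = effective_tier(tables, subnet_id)
        if tier != want:
            findings.append(f"{subnet_id}: expected {want}, is {tier} "
                            f"(route table {rtb}, 0.0.0.0/0 -> {target})")
    return findings


if __name__ == "__main__":
    tables = json.load(open(sys.argv[1]))["RouteTables"] if len(sys.argv) > 1 else sample_tables()
    for line in audit(tables, EXPECTED_TIERS) or ["OK: every subnet is in its expected tier"]:
        print(line)
```

Against a real account, save `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id> --output json` to a file, replace EXPECTED_TIERS with the real subnet IDs, and pass the file as the first argument. The main-table fallback is the case worth keeping: a subnet you forgot to associate does not fail loudly, it simply inherits whatever default route the main table carries.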
Lab 2: Secure and Instrument Workload
- Configure Security Groups
- Enable CloudWatch Monitoring and Create Alarm
- Tag Resources
AWS Console Steps
- Configure Security Groups:
  - ALB SG: Allow inbound HTTP/HTTPS from 0.0.0.0/0
  - Web Server SG: Allow inbound HTTP only from ALB SG
  - Bastion SG: Allow inbound SSH only from your IP address
- Enable monitoring on EC2 Auto Scaling Group instances
- Create CloudWatch alarm on CPUUtilization > 70% for 5 min
- Attach alarm action to scale out ASG by 1 instance
- Tag resources with Environment and Owner tags
AWS CLI Commands
# Create Security Group for ALB
aws ec2 create-security-group --group-name ALB-SG --description "Allow HTTP/HTTPS" --vpc-id vpc-xxxxxx
aws ec2 authorize-security-group-ingress --group-id sg-alb --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id sg-alb --protocol tcp --port 443 --cidr 0.0.0.0/0
# Create Security Group for Web Server allowing only ALB SG traffic
aws ec2 create-security-group --group-name WebServer-SG --description "Allow only ALB" --vpc-id vpc-xxxxxx
aws ec2 authorize-security-group-ingress --group-id sg-web --protocol tcp --port 80 --source-group sg-alb
# Create Security Group for Bastion (SSH from your IP)
aws ec2 create-security-group --group-name Bastion-SG --description "Allow SSH" --vpc-id vpc-xxxxxx
aws ec2 authorize-security-group-ingress --group-id sg-bastion --protocol tcp --port 22 --cidr YOUR.IP.ADDRESS/32
# Create CloudWatch Alarm for ASG CPU utilization (replace REGION, ACCOUNT_ID and POLICY_ID; the scaling-policy ARN is the PolicyARN printed by `aws autoscaling put-scaling-policy`)
aws cloudwatch put-metric-alarm \
--alarm-name "HighCPUUtilization" \
--metric-name CPUUtilization \
--namespace AWS/EC2 \
--statistic Average \
--period 300 \
--threshold 70 \
--comparison-operator GreaterThanThreshold \
--dimensions Name=AutoScalingGroupName,Value=MyAutoScalingGroup \
--evaluation-periods 1 \
--alarm-actions arn:aws:autoscaling:REGION:ACCOUNT_ID:scalingPolicy:POLICY_ID:autoScalingGroupName/MyAutoScalingGroup:policyName/MyScaleOutPolicy \
--unit Percent
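The three security groups above encode a least-privilege chain: only the ALB listens to the internet, the web servers accept HTTP from the ALB's security group rather than from any CIDR, and the bastion accepts SSH from one address. The script below is an added example (not part of the lab and not an AWS tool) that checks `aws ec2 describe-security-groups` output against that policy and flags any rule that is wider than it should be, including a bastion rule open to 0.0.0.0/0. The JSON sample is constructed to match the CLI's output shape; the group IDs, the account ID and the 203.0.113.10 admin address are made up, and the POLICY table is an assumption that mirrors the three groups in the lab.

```python
"""Check the lab's security-group policy against `aws ec2 describe-security-groups --output json`.

Added example, not part of the lab text or any AWS tool. The JSON is constructed to
match the CLI's output shape; group IDs, account ID and the 203.0.113.10 admin address
are made up. Run: python3 sg_audit.py [security-groups.json]
"""
import ipaddress
import json
import sys

# Constructed sample. Bastion-SG carries a second rule (22 from 0.0.0.0/0) that
# violates the lab's "SSH from your IP only" requirement, to show what gets flagged.
SAMPLE_SECURITY_GROUPS_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-alb", "GroupName": "ALB-SG", "VpcId": "vpc-0abc", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-web", "GroupName": "WebServer-SG", "VpcId": "vpc-0abc", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-alb", "UserId": "111111111111"}]}]},
  {"GroupId": "sg-bastion", "GroupName": "Bastion-SG", "VpcId": "vpc-0abc", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
      "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
"""

# Assumption: the intended ingress policy for the lab's three groups, keyed by GroupName.
#   ports         - the only TCP ports that may be open
#   cidr_sources  - "any" (public listener), "single_host" (/32 or /128 only) or "none"
#   group_sources - names of the only security groups allowed as sources
POLICY = {
    "ALB-SG":       {"ports": {80, 443}, "cidr_sources": "any",         "group_sources": set()},
    "WebServer-SG": {"ports": {80},      "cidr_sources": "none",        "group_sources": {"ALB-SG"}},
    "Bastion-SG":   {"ports": {22},      "cidr_sources": "single_host", "group_sources": set()},
}


def sample_groups():
    """Parse the constructed sample into the list describe-security-groups returns."""
    return json.loads(SAMPLE_SECURITY_GROUPS_JSON)["SecurityGroups"]


def is_single_host(cidr):
    """True only for a /32 (IPv4) or /128 (IPv6) prefix, i.e. exactly one address."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses == 1


def audit(groups, policy):
    """Return one finding string per rule that exceeds the policy; an empty list means compliant."""
    name_by_id = {g["GroupId"]: g["GroupName"] for g in groups}
    by_name = {g["GroupName"]: g for g in groups}
    findings = []
    for name, rule in policy.items():
        group = by_name.get(name)
        if group is None:
            findings.append(f"{name}: security group not found")
            continue
        for perm in group.get("IpPermissions", []):
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            where = f"{name} ({group['GroupId']}) {proto} {lo}-{hi}"
            # "-1" (all traffic) has no ports and fails the protocol test here
            if proto != "tcp" or lo != hi or lo not in rule["ports"]:
                findings.append(f"{where}: port/protocol not in allowed set {sorted(rule['ports'])}")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if rule["cidr_sources"] == "none":
                    findings.append(f"{where}: CIDR source {cidr} not allowed, only security-group sources")
                elif rule["cidr_sources"] == "single_host" and not is_single_host(cidr):
                    findings.append(f"{where}: source {cidr} is wider than a single host")
            for pair in perm.get("UserIdGroupPairs", []):
                src = name_by_id.get(pair.get("GroupId"), pair.get("GroupId"))
                if src not in rule["group_sources"]:
                    findings.append(f"{where}: source group {src} not in allowed set {sorted(rule['group_sources'])}")
    return findings


if __name__ == "__main__":
    groups = json.load(open(sys.argv[1]))["SecurityGroups"] if len(sys.argv) > 1 else sample_groups()
    for line in audit(groups, POLICY) or ["OK: all three groups match the policy"]:
        print(line)
```

Run it on `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id> --output json` after Lab 2 and again after any change; a rule that points at a security group outside the allowed set is reported by name, so a web-server group that quietly gains a CIDR source or a bastion group opened to the world shows up as a single line rather than needing a manual read of the console.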
Cleanup
- Delete Auto Scaling Group
- Delete Launch Template
- Delete Application Load Balancer
- Terminate EC2 Instances (including Bastion)
- Delete Security Groups
- Delete NAT Gateway
- Release Elastic IP
- Delete Route Tables
- Detach and Delete Internet Gateway
- Delete Subnets
- Delete VPC
AWS Console Steps
- EC2 → Auto Scaling Groups → Select → Actions → Delete
- EC2 → Launch Templates → Select → Actions → Delete
- EC2 → Load Balancers → Select → Actions → Delete
- EC2 → Instances → Select all instances → Actions → Terminate
- EC2 → Security Groups → Select ALB, Web Server, Bastion → Actions → Delete
- VPC → NAT Gateways → Select → Actions → Delete NAT Gateway
- VPC → Elastic IPs → Select → Release
- VPC → Route Tables → Select PublicRT, PrivateRT → Actions → Delete
- VPC → Internet Gateways → Detach → Delete
- VPC → Subnets → Select all → Delete
- VPC → Your VPCs → Select → Delete
AWS CLI Commands
aws autoscaling delete-auto-scaling-group --auto-scaling-group-name MyAutoScalingGroup --force-delete
aws ec2 delete-launch-template --launch-template-name MyLaunchTemplate
aws elbv2 delete-load-balancer --load-balancer-arn arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/my-load-balancer/ID
aws ec2 terminate-instances --instance-ids i-xxxxxxx i-yyyyyyy
aws ec2 delete-security-group --group-id sg-alb-id
aws ec2 delete-security-group --group-id sg-web-id
aws ec2 delete-security-group --group-id sg-bastion-id
# NAT Gateway deletion is asynchronous: check its state with describe-nat-gateways and wait for "deleted" before deleting subnets
aws ec2 delete-nat-gateway --nat-gateway-id nat-xxxxxxx
aws ec2 release-address --allocation-id eipalloc-xxxxxxx
# A route table still associated with subnets cannot be deleted (disassociate-route-table first); the VPC's main route table is removed with the VPC
aws ec2 delete-route-table --route-table-id rtb-public-id
aws ec2 delete-route-table --route-table-id rtb-private-id
aws ec2 detach-internet-gateway --internet-gateway-id igw-xxxxxxx --vpc-id vpc-xxxxxxx
aws ec2 delete-internet-gateway --internet-gateway-id igw-xxxxxxx
aws ec2 delete-subnet --subnet-id subnet-public1-id
aws ec2 delete-subnet --subnet-id subnet-public2-id
aws ec2 delete-subnet --subnet-id subnet-private1-id
aws ec2 delete-subnet --subnet-id subnet-private2-id
aws ec2 delete-vpc --vpc-id vpc-xxxxxxx