Getting Started
I'm writing this section retroactively, since I already did most of this before starting this blog.
Building a VPC
Intro
VPC - Virtual Private Clouds - are basically private networks (existing inside the standard private class A/B/C IP ranges) inside of which you can launch EC2 instances. You can subnet VPCs, create custom routes and ACLs between them - pretty much anything you could do with a physical network.
I decided to use 10.0.0.0/16 as my private network to give myself room to subnet (and because I knew if I went with class B, I'd never be able to remember which 172.* network I settled on.)
When I did this initially, I created a single subnet that took up the entire /16 address space of my network and started putting machines in there.
This was a mistake. Afterwards, I realized I wanted to make actual /24 subnets, but at this point I already had EC2 instances assigned to the /16 subnet and couldn't figure out how to get rid of it... so at this point I just gave up and started over from scratch with a new VPC. You live, you learn. Fortunately, I hadn't done much at this point.
Final(?) Design
I settled on 10.0.0.0/16 as my VPC network, with a single subnet of 10.0.0.0/24 to start. Since I was going to start out building a domain controller, by default, 10.0.0.0/24 is now my "core" subnet where critical servers are going to live.
Big takeaway: don't create a subnet that takes up your entire VPC if you want to be able to create smaller subnets later on.
Implementation
VPC Creation
First thing to do is create the actual VPC. This is pretty simple - all you need is the CIDR range of the network (though it's helpful to give it a name, too.) You can also specify that you want dedicated hardware for it, but I don't need or care about that. I also don't care about IPv6, at least not right now.
 |
| New VPC: 10.0.0.0/24 |
Most of the default settings (ACL, routing table, DHCP options) for a new VPC are perfectly fine, with one exception: new VPCs have no "Internet Gateway," which means they have no way to reach the Internet. (That might be okay if you only want this VPC to be reachable from other VPCs, but for me, that just means I can't reach it to set it up.)
Adding a new Internet gateway is easy. Like, really easy. You go to the Internet Gateways section of the VPC console and create one. You don't even have to give it a name (though you probably should.)
Route Setup
The easiest way to get at your VPC's routing table is to open up your VPC listing screen, select your VPC, and click the routing table in the window at the bottom.
Select the routing table from the list that appears, and in the bottom window, select "Routes." By default, you'll only have one route, for your VPC's CIDR address with a target of "local." Select "Edit," and add a new route for destination 0.0.0.0/0, with a target of the Internet gateway you selected in the previous step.
 |
| Routing table with 0.0.0.0/0 route added to my Internet Gateway. |
Adding a Subnet
One last step: creating a subnet within your VPC. Add a subnet from the Subnets category of the VPC console. You can (should) specify a name, but you must specify the VPC you want to add the subnet to and the CIDR address of the subnet itself. Availability zone doesn't matter - that's for people wanting to design redundant EC2 systems.
Again, I don't recommend creating a subnet that takes up your entire VPC unless you know for sure you're not going to want to create any other subnets later on.
 |
| Subnet 10.0.0.0/24. |
You now have an Internet-connected VPC with a subnet, ready for EC2 instances.
Creating EC2 Instances
Launching an instance
The first step is to build the hardware requirements for the instance and then save it to create the instance.
From the EC2 console, select Instances, and Launch an Instance. You'll first be prompted to select the operating system configuration to install on the instance. There are a whole bunch of operating system options, with various customizations. For my initial setup, I only needed a basic Windows 2016 Server setup.
The next important consideration is what type of instance you're going to run; they come in various configurations, some specialized for memory, some for storage, some for computing power. I just needed a generic instance, with enough memory to run W2016, so I opted for t2.micro.
On the next screen, there are a couple important options: Network, where you specify the VPC you want the instance in, and Subnet, where you specify the subnet within that VPC. Slightly further down, under Network Interfaces, you have the option of specifying the primary IP address that will be assigned to that instance.
On the next screen, you specify how much storage space you want the instance to have. Different operating systems/configurations have different minimums; the minimum for a W2016 Server Base is 30GB.
On the next screen, you can add your own "tags" to the instance. Don't need to here.
The next screen is important. This is where you can specify the firewall rules that will apply to your instance right away. Since the Internet is full of infected systems automatically scanning for other systems to infect, you want to minimize the chance that your system will get infected before you've had a chance to harden it. With that, two things to keep in mind. First, out of the box, you should only allow a connection to the service you're going to be using to configure the machine (typically RDP for Windows and SSH for Linux.) Second, for that service, you should (at least initially) restrict access to the IP address or subnet that you're going to be administering the machine from. I opted to use the /16 of my own IP address just in case it changed, which still restricts access to a relatively small subset of random Comcast users.
 |
Security group for my "hub" server.
(Note: this screenshot was taken after I'd already patched the machine and set up a DNS server.) |
 |
Summary description of my hub EC2 instance.
(Note: Elastic IP is already assigned.) |
Adding a Public IP
AWS assigns public IPs with something called "Elastic IPs."
The idea is, you get assigned a public IP address from Amazon's pool, which you can then assign and swap between your EC2 instances at will (though you probably don't want to do this.)
Since IPv4 addresses are a limited commodity, and they can't be reused as long as they're assigned to your account, Amazon will charge you (not a lot, but they will) any time they're not being used (i.e. attached to a running EC2 instance.)
Creating Elastic IPs is easy, though. Go to the Elastic IP screen of the EC2 console, and allocate a new address. Next, right-click the address, and choose "Associate Address" to tie the Elastic IP to the private IP address of an EC2 instance.
You can verify the configuration by looking at the configuration of the Network Interface attached to the EC2 instance.
 |
Network interface with a public IP attached.
(Note: this instance has two "private" interfaces. The primary is attached to the Elastic IP and is publicly accessible - the other is not and can only be accessed from the inside.) |
Summary
So far, we've:
- Created a VPC
- Added an Internet gateway to the VPC, and made it the default route for non-VPC destined traffic
- Created a subnet within the VPC
- Created an EC2 instance
- Restricted inbound access to the EC2 instance
- Created a public IP address and attached it to the instance.
Next post is setting up the instance as a domain controller.
