In this lab, you will be creating a centralized egress internet environment. You will be given access to two VPCs and will be deploying a transit gateway, network firewall, and NAT gateway before finishing the configuration with route table modifications. Finally, you will be testing web site access from an EC2 instance in one of the VPCs.
To complete this lab, you should have an understanding of all of the technologies mentioned above, as well as knowledge of the AWS Management Console.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create a Transit Gateway and Attach to the New Transit Gateway Subnets in Each VPC
In this objective, you will be creating a transit gateway. Once this has been created, you will then create transit gateway attachments and configure these for the newly created subnets in the
WorkloadVPCandEgressVPC.Use the following information for this objective:
Creating a transit gateway
Name = Transit-Gateway-01 Description = WorkloadVPC-EgressVPCWorkloadVPC transit gateway attachment
Name = WorkloadVPC-TGW-Att Transit gateway ID = Transit-Gateway01 Attachment type = VPC VPC ID = WorkloadVPC Subnet ID = WorkloadVPCTransitUsEast1aEgressVPC transit gateway attachment
Name = EgressVPC-TGW-Att Transit gateway ID = Transit-Gateway01 Attachment type = VPC VPC ID = EgressVPC Subnet ID = EgressVPCTransitUsEast1a- Create Network Firewall Rule Group, Firewall Policy, and Network Firewall
In this objective, we will be creating the AWS Network Firewall.
Network Firewall rule groups
Rule group type = Stateful rule group Name = WebsiteWhiteList Capacity = 10 Stateful rule group options = Domain list Rule order = Default Domain name source = .acloudguru.com Source IPs type = 10.0.0.0/16 and 10.1.0.0/16 Protocols = HTTP and HTTPS Action = AllowFirewall policies
Name = TestFirewall-Policy Stream exception policy = DropStateless default actions
Choose how to tream fragmented packets = Use the same actions for all packets Action = Forward to stateful rule groupsStateful rule evaluation order and default actions
Rule order = DefaultStateful rule group
Add = WebsiteWhiteListFirewalls
Name = TestNWFW VPC = EgressVPCFirewall Subnets
Availability Zone - us-east-1a Subnet = EgressVPCFirewallUsEast1a IP address type = IPv4Associated firewall policy
Associate an existing firewall policy = Choose policy you created above- Create NAT Gateway
In this objective, we will be deploying a NAT gateway called EgressVPCNGW in the public subnet of our VPC.
Use the following settings for this objective:
Name = EgressVPCNGW Subnet = EgressVPCNATUsEast1a Connectivity type = Public Elastic IP allocation ID = Allocate Elastic IP- Configure Route Tables
In this objective, we will configure the route tables for traffic to flow from the EC2 instance through the environment to the target website. For the transit gateway, make sure you add this as a static route.
WorkloadVPCPrivateRouteTable
0.0.0.0./0 --> Transit GatewayTransit Gateway Route Table
0.0.0.0/0 --> egressVPCEgressVPCTransitRouteTable
0.0.0.0/0 --> Gateway Load Balancer - VPC endpointEgressVPCFirewallRouteTable
0.0.0.0/0 --> NAT Gateway 10.0.0.0/16 --> Transit GatewayEgressVPCNATRouteTable
0.0.0.0/0 --> Internet Gateway 10.0.0.0/16 --> Gateway Load Balancer - VPC endpoint- Test Website Connectivity from EC2Instance1
Using
EC2Instance1, test connectivity tohttps://acloudguru.com.Connect to
EC2Instance1using the connection option in the EC2 console, and select the Session Manager tab. Once connected, issue the following commands to test:Working Website Test
curl https://acloudguru.comBlocked Website Test
curl https://www.bbc.co.uk
