Set up the VPC, subnet, and Internet gateway:
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- Click VPC Dashboard in the navigation pane.
- Locate the Your Virtual Private Cloud area of the dashboard and clicks get started creating a VPC, if you have no VPC resources, or click Start VPC Wizard.
- Select the first option, VPC with a Single Public Subnet Only, and then click Continue.
- The confirmation page shows the CIDR ranges and settings that you've chosen. Make
any changes that you need, and then click Create VPC to create your VPC, subnet,
Internet gateway, and route table.
Create WebServerSG and Adding Rules to the Security Group
The WebServerSG security group is the security group that you'll specify when you launch your web servers into your public subnet. The following table describes the recommended rules for this security group, which allow the web servers to receive Internet traffic, as well as SSH and RDP traffic from your network. The web servers can also initiate traffic to the Internet and read and write requests to the database servers in the private subnet.
| Inbound | |||
| Source | Protocol | Port Range | Comments |
| 0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access to the web servers from anywhere |
| 0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access to the web servers from anywhere |
| 18.71.152.166/32 | TCP | 3389 | Allow inbound RDP access to Windows instances from your network (over the Internet gateway) |
| Outbound | |||
| Destination | Protocol | Port Range | Comments |
| 0.0.0.0/0 | TCP | 80 | Allow web servers to initiate outbound HTTP access to the Internet (for example, for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow web servers to initiate outbound HTTPS access to the Internet (for example, for software updates) |
| The ID of your DBServerSG security group | TCP | 1433 | Allow outbound Microsoft SQL Server access to the database servers assigned to DBServerSG |
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
- Security Groups in the navigation pane.
- Click the Create Security Group button.
- Specify WebServerSG as the name of the security group, and provide a description. Select the ID of your VPC from the VPC menu, and then click Yes, Create
- Select the WebServerSG security group that you just created. The details pane include a tab for information about the security group, plus tabs for working with its inbound rules and outbound rules.
- On the Inbound tab, do the following:
- Select HTTP from the Create a new rule list, make sure that Source is 0.0.0.0/0, and then click Add Rule.
- Select HTTPS from the Create a new rule list, make sure that Source is 0.0.0.0/0, and then click Add Rule.
- Select RDP from the Create a new rule list, make sure that Source is “Office IP Address” , and then click Add Rule
- Click Apply Rule Changes to apply these inbound rules.
- On the Outbound tab, do the following:
- Locate the default rule that enables all outbound traffic, and then click Delete.
- Select HTTP from the Create a new rule list, make sure that Destination is 0.0.0.0/0, and then click Add Rule.
- Select HTTPS from the Create a new rule list, make sure that Destination is 0.0.0.0/0, and then click Add Rule.
- Select My SQL from the Create a new rule list, make sure that Destination is “ID of DBServerSG”, and then click Add Rule.
- Click Apply Rule Changes to apply these outbound rules.
Create DBServerSG and Adding Rules to the Security Group
The DBServerSG security group is the security group that you'll specify when you launch your database servers into your private subnet. The following table describes the recommended rules for this security group, which allow read or write database requests from the web servers. The database servers can also initiate traffic bound for the Internet (your route table sends that traffic to the NAT instance, which then forwards it to the Internet over the Internet gateway).
DBServerSG:Rules
| Inbound | |||
| Source | Protocol | Port Range | Comments |
| The ID of your WebServerSG security group | TCP | 1433 | Allow web servers assigned to WebServerSG Microsoft SQL Server access to database servers assigned to DBServerSG |
| 18.71.152.166/32 | TCP | 3389 | Allow inbound RDP access to Windows instances from your network (over the Internet gateway) |
| Outbound | |||
| Destination | Protocol | Port Range | Comments |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to the Internet (for example, for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to the Internet (for example, for software updates) |
To add the recommended rules to the DBServerSG security group
- Select the DBServerSG security group that you created. The details pane displays the details for the security group, plus tabs for working with its inbound and outbound rules.
- Add rules for inbound traffic using the Inbound tab as follows:
- Select MYSQL from the Create a new rule list. In the Source box, specify the ID of your WebServerSG security group, and then click Add Rule.
- Select RDP from the Create a new rule list. In the Source box, specify IP Address of office security group, and then click Add Rule.
- Click Apply Rule Changes.
- Add rules for outbound traffic using the Outbound tab as follows:
- Select HTTP from the Create a new rule list. Make sure that Destination is 0.0.0.0/0, and then click Add Rule.
- Select HTTPS from the Create a new rule list. Make sure that Destination is 0.0.0.0/0, and then click Add Rule.
- Click Apply Rule Changes.
To launch First Web instance
- Start the Classic wizard:
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- Click the Launch Instance button from the dashboard.
- On the Create a New Instance page, select Classic Wizard, and then click Continue.
- On the CHOOSE AN AMI page, the Quick Start tab displays a list of basic configurations
called Amazon Machine Images (AMI). Choose the AMI that you want to use and click
its Select button.
- On the INSTANCE DETAILS page, under Launch Instances, select the subnet to launch
the instance into. Keep the other default settings on this page and click Continue.
- To use the default settings on the next INSTANCE DETAILS pages, just click Continue
on each page.
- Select EBS Volume
- On the CREATE A KEY PAIR page, you can choose from any existing key pairs that you've created, or follow the wizard directions to create a new key pair.
- On the Configure Firewall page, select the security group you want to use for the
instance (WebServerSG), and then click Continue.
- Review your settings. When you're satisfied with your selections, click Launch.
Before you can access an instance in your public subnet, you must assign it an Elastic IP address.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- Click Elastic IPs in the navigation pane.
- Click the Allocate New Address button.
- In the Allocate New Address dialog box, in the EIP used in list, select VPC, and
then click Yes, Allocate.
- Select the Elastic IP address from the list, and then click the Associate Address
button.
- In the Associate Address dialog box, select the network interface or instance. Select
the address to associate the Elastic IP address with from the corresponding Private
IP Address list, and then click Yes, Associate.
- Go to instance in EC2 and Right Click on instance.
- Click on “Get Windows Password” , select your Private key pair file and generate
password by clicking on “Decrepit Password”
We have to launch a seperate Instance for Database with the security group "DBServerSG" (specified above) on the same public subnet mask.
Now you can connect to database server from Web server by using Private IP of Database Instance.
