Initial commit: AWS VPC + ALB + private EC2 architecture lab

jmac052002 · jmac052002 · commit 2e1358145c2d · 2025-12-03T21:24:55.000-06:00
diff --git a/README.md b/README.md
@@ -0,0 +1,139 @@
+# AWS VPC + ALB + Private EC2 Lab (2-AZ Network Architecture)
+
+This lab demonstrates a production-style AWS network like you’d design as a Solutions Architect:
+
+- Custom **VPC**
+- **Public** and **private** subnets across **2 Availability Zones**
+- **Internet Gateway** and **NAT Gateway**
+- **Application Load Balancer (ALB)** in public subnets
+- **EC2 web servers** in private subnets
+- Layered **route tables** and **security groups**
+
+> Traffic flow: **Client → ALB (public subnet) → EC2 (private subnet)**
+
+I built this to deepen my understanding of AWS networking, high availability, and exam-style architectures for the AWS Solutions Architect Associate.
+
+---
+
+## High-Level Architecture
+
+**Region:** `us-east-1` (N. Virginia)  
+**VPC CIDR:** `10.0.0.0/16`
+
+### Subnets
+
+| Subnet name | Type    | AZ           | CIDR          | Purpose                         |
+|------------|---------|-------------|---------------|---------------------------------|
+| `public-a` | Public  | `us-east-1a` | `10.0.1.0/24` | ALB, NAT gateway                |
+| `public-b` | Public  | `us-east-1b` | `10.0.2.0/24` | ALB                             |
+| `private-a`| Private | `us-east-1a` | `10.0.11.0/24`| EC2 web server                  |
+| `private-b`| Private | `us-east-1b` | `10.0.12.0/24`| EC2 web server                  |
+
+### Internet Connectivity
+
+- **Internet Gateway (`sa-lab-igw`)**
+  - Attached to the VPC
+  - Public route table sends `0.0.0.0/0` → IGW
+
+- **NAT Gateway (`sa-lab-nat-a`)**
+  - Lives in `public-a`
+  - Private route table sends `0.0.0.0/0` → NAT
+  - Allows private EC2 instances to reach the internet **outbound only** (e.g., OS updates) while remaining non-public.
+
+### Route Tables
+
+- **Public Route Table (`sa-lab-public-rt`)**
+  - Associated with `public-a`, `public-b`
+  - Routes:
+    - `10.0.0.0/16` → local
+    - `0.0.0.0/0` → Internet Gateway
+
+- **Private Route Table (`sa-lab-private-rt`)**
+  - Associated with `private-a`, `private-b`
+  - Routes:
+    - `10.0.0.0/16` → local
+    - `0.0.0.0/0` → NAT Gateway
+
+### Compute & Load Balancing
+
+- **EC2 Instances**
+  - AMI: Amazon Linux
+  - Type: `t2.micro`/`t3.micro`
+  - Subnets:
+    - `sa-lab-web-a` in `private-a`
+    - `sa-lab-web-b` in `private-b`
+  - **No public IPs**
+  - Bootstrapped with a user data script to install Apache and serve a simple page:  
+    [`user-data/webserver.sh`](user-data/webserver.sh)
+
+- **Application Load Balancer (`sa-lab-alb`)**
+  - Scheme: Internet-facing
+  - Subnets: `public-a`, `public-b`
+  - Listener: HTTP :80 → Target group `sa-lab-tg-web`
+  - Target type: **Instance**
+  - Health checks: HTTP `/`
+
+### Security Groups
+
+- **ALB Security Group (`sa-lab-alb-sg`)**
+  - Inbound:
+    - HTTP 80 from `0.0.0.0/0` (internet) — for the lab
+  - Outbound:
+    - All traffic (default)
+
+- **Web Server Security Group (`sa-lab-web-sg`)**
+  - Inbound:
+    - HTTP 80 **from `sa-lab-alb-sg` only**
+  - Outbound:
+    - All traffic (default)
+
+This creates a proper layered security model:
+
+- Internet can reach **only** the ALB
+- ALB can reach the web servers
+- Web servers are not directly reachable from the internet
+
+---
+
+## Build Steps (Summary)
+
+I created everything using the AWS Console to really see how the pieces fit:
+
+1. **VPC**
+   - Created `sa-lab-vpc` with CIDR `10.0.0.0/16`
+
+2. **Subnets**
+   - Created two public and two private subnets across `us-east-1a` and `us-east-1b`
+
+3. **Internet Gateway & NAT**
+   - Created and attached `sa-lab-igw`
+   - Created `sa-lab-nat-a` in `public-a` with an Elastic IP
+
+4. **Route Tables**
+   - Public RT: associated with public subnets, default route to IGW
+   - Private RT: associated with private subnets, default route to NAT
+
+5. **EC2 Instances in Private Subnets**
+   - Launched `sa-lab-web-a` in `private-a` and `sa-lab-web-b` in `private-b`
+   - Disabled public IPs
+   - Added user data to install Apache and serve a simple HTML page
+
+6. **Security Groups**
+   - `sa-lab-alb-sg`: HTTP from internet
+   - `sa-lab-web-sg`: HTTP only from `sa-lab-alb-sg`
+
+7. **Target Group & ALB**
+   - Created `sa-lab-tg-web` (instance target type, HTTP:80, health check `/`)
+   - Registered both EC2 instances
+   - Created ALB `sa-lab-alb` targeting `sa-lab-tg-web` and mapped it to `public-a` and `public-b`
+
+---
+
+## How to Test
+
+1. Go to **EC2 → Load Balancers** in the AWS Console.
+2. Select `sa-lab-alb`.
+3. Copy the **DNS name**, e.g.:
+
+   ```text
+   sa-lab-alb-1234567890.us-east-1.elb.amazonaws.com
diff --git a/notes/commands.md b/notes/commands.md
@@ -0,0 +1,4 @@
+# Handy commands used in this lab
+
+# Example curl test from your local machine (replace with your ALB DNS)
+curl http://sa-lab-alb-XXXXXXX.us-east-1.elb.amazonaws.com
diff --git a/user-data/webserver.sh b/user-data/webserver.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+yum update -y
+yum install -y httpd
+systemctl enable httpd
+systemctl start httpd
+echo "Hello from $(hostname) in private subnet!" > /var/www/html/index.html
