6. NACLs - Virtual firewall for your subnets (stateless: inbound and outbound rule sets are evaluated separately, in rule-number order, with explicit Allow and Deny entries, so return traffic needs its own rule)
Security Groups - Virtual firewall for your instances (stateful: allow rules only, enforced at the instance's ENI; return traffic for an allowed connection is permitted automatically)
7. VPC (172.31.0.0/16) in ap-southeast-1, one public subnet per AZ:
   ap-southeast-1a  172.31.16.0/20  (public)
   ap-southeast-1b  172.31.32.0/20  (public)
   ap-southeast-1c  172.31.0.0/20   (public)
Route table rtb (main):
   172.31.0.0/16  local
   0.0.0.0/0      igw
Network ACL (acl-489dea2e):
   Inbound:   100  All traffic  All  All  0.0.0.0/0  Allow
              *    All traffic  All  All  0.0.0.0/0  Deny
   Outbound:  100  All traffic  All  All  0.0.0.0/0  Allow
              *    All traffic  All  All  0.0.0.0/0  Deny
Instances, both in security group secu-group (sg-e9f787a4):
   public-instance-1  ap-southeast-1a  private 172.31.18.102/20  public 18.136.120.52/32
   public-instance-2  ap-southeast-1b  private 172.31.40.11/20   public 13.250.31.41/32
8. Account gritworks-master (123456789012), region ap-southeast-1
VPC (192.168.0.0/16)
Public subnets, route table: 192.168.0.0/16 local, 0.0.0.0/0 igw
   ap-southeast-1a  192.168.0.0/24
   ap-southeast-1b  192.168.1.0/24
   ap-southeast-1c  192.168.2.0/24
Private subnets, route table: 192.168.0.0/16 local only (no route to the Internet)
   ap-southeast-1a  192.168.3.0/24
   ap-southeast-1b  192.168.4.0/24
   ap-southeast-1c  192.168.5.0/24
10. Path of a packet to and from public-instance-1 (private 172.31.27.135/20, public 18.136.120.52/32) in public subnet ap-southeast-1a (172.31.16.0/20)
Inbound, evaluated first at the subnet boundary: Network ACL (acl-489dea2e) inbound rules
   Rule  Type         Protocol  Port range  Source     Allow/Deny
   100   All traffic  All       All         0.0.0.0/0  Allow
   *     All traffic  All       All         0.0.0.0/0  Deny
Inbound, evaluated second at the instance's ENI: security-group (sg-e9f787a4) inbound rules
   Type         Protocol  Port range  Source
   All traffic  All       All         sg-e9f787a4
   All traffic  All       All         YOUR IP
Outbound, evaluated first at the ENI: security-group (sg-e9f787a4) outbound rules
   Type         Protocol  Port range  Destination
   All traffic  All       All         0.0.0.0/0
Outbound, evaluated second at the subnet boundary: Network ACL (acl-489dea2e) outbound rules
   Rule  Type         Protocol  Port range  Destination  Allow/Deny
   100   All traffic  All       All         0.0.0.0/0    Allow
   *     All traffic  All       All         0.0.0.0/0    Deny
With rule 100 allowing all traffic in both directions this NACL is effectively a no-op and the security group is the only filter on the path; the NACL's * (default deny) rule only starts to matter once rule 100 is narrowed, and because the NACL is stateless the reply to an allowed inbound connection then needs its own outbound rule covering the client's ephemeral port.
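A small model of that path, added here as an example and not code from the original deck. It takes the acl-489dea2e and sg-e9f787a4 rules from the slide, uses 203.0.113.10 as a constructed stand-in for "YOUR IP", and then narrows the NACL to show the stateless pitfall the slide's allow-all rule hides: the reply to an allowed SSH connection is dropped on the way out until an outbound ephemeral-port rule exists. The other addresses and the tightened rule set are constructed for the example.

```python
"""Added example, not part of the original deck: a model of the slide-10 path
(NACL inbound -> SG inbound -> instance -> SG outbound -> NACL outbound). Rules for
acl-489dea2e and sg-e9f787a4 are copied from the deck; 203.0.113.10 stands in for
"YOUR IP", and the other addresses and the tightened NACL are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NaclRule:
    number: int               # evaluated lowest-first; first match wins
    protocol: str             # "all", "tcp" or "udp"
    port_from: Optional[int]  # None means all ports
    port_to: Optional[int]
    cidr: str
    action: str               # "allow" or "deny"

@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: Optional[int]
    port_to: Optional[int]
    source: str               # CIDR, or a security-group id (sg-...)

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    sport: int                    # client's ephemeral port; the reply is sent to it
    dport: int
    src_sg: Optional[str] = None  # group of the sending ENI, if it is in the VPC

def _port_ok(rule_proto, lo, hi, proto, port):
    return rule_proto in ("all", proto) and (lo is None or lo <= port <= hi)

def _addr_ok(cidr, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def nacl_allows(rules, proto, port, addr):
    """Stateless: rules in number order, first match decides; the implicit '*'
    rule denies whatever matched nothing."""
    for r in sorted(rules, key=lambda r: r.number):
        if _port_ok(r.protocol, r.port_from, r.port_to, proto, port) and _addr_ok(r.cidr, addr):
            return r.action == "allow"
    return False

def sg_allows(rules, proto, port, addr, peer_sg):
    """Allow rules only: any match permits. An sg-... source matches the peer's group, not its address."""
    for r in rules:
        if not _port_ok(r.protocol, r.port_from, r.port_to, proto, port):
            continue
        if r.source.startswith("sg-"):
            if peer_sg == r.source:
                return True
        elif _addr_ok(r.source, addr):
            return True
    return False

def trace_request(nacl_in, nacl_out, sg_in, pkt):
    """Checkpoints for a request and its reply, in evaluation order. The SG is stateful, so the
    reply needs no outbound rule; the stateless NACL is checked again on the reply's destination port."""
    steps = [("nacl_inbound", nacl_allows(nacl_in, pkt.proto, pkt.dport, pkt.src))]
    if not steps[-1][1]:
        return steps
    steps.append(("sg_inbound", sg_allows(sg_in, pkt.proto, pkt.dport, pkt.src, pkt.src_sg)))
    if not steps[-1][1]:
        return steps
    steps.append(("sg_outbound_reply", True))  # connection tracking passes the reply
    steps.append(("nacl_outbound_reply", nacl_allows(nacl_out, pkt.proto, pkt.sport, pkt.src)))
    return steps

def allowed(steps):
    return all(ok for _, ok in steps)

# From the deck: acl-489dea2e allows all both ways; sg-e9f787a4 admits its own members and YOUR IP.
ALLOW_ALL = [NaclRule(100, "all", None, None, "0.0.0.0/0", "allow")]
YOUR_IP = "203.0.113.10"  # constructed stand-in for "YOUR IP"
SG_IN = [SgRule("all", None, None, "sg-e9f787a4"), SgRule("all", None, None, YOUR_IP + "/32")]

# Constructed: NACL narrowed to SSH from one /24, without and then with the outbound ephemeral-port rule.
TIGHT_IN = [NaclRule(100, "tcp", 22, 22, "203.0.113.0/24", "allow")]
TIGHT_OUT_NO_EPHEMERAL = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
TIGHT_OUT = TIGHT_OUT_NO_EPHEMERAL + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

SSH_FROM_YOU = Packet(YOUR_IP, "tcp", 51514, 22)
SSH_FROM_INSTANCE_2 = Packet("172.31.44.202", "tcp", 40022, 22, src_sg="sg-e9f787a4")
SSH_FROM_STRANGER = Packet("198.51.100.7", "tcp", 40023, 22)

def deck_results():
    """With the deck's rules the NACL passes everything and the SG alone decides."""
    flows = [("you", SSH_FROM_YOU), ("instance_2", SSH_FROM_INSTANCE_2), ("stranger", SSH_FROM_STRANGER)]
    return {name: allowed(trace_request(ALLOW_ALL, ALLOW_ALL, SG_IN, p)) for name, p in flows}

def tightened_results():
    """With the narrowed NACL the reply is dropped on the way out until rule 110 exists."""
    return {"no_ephemeral": trace_request(TIGHT_IN, TIGHT_OUT_NO_EPHEMERAL, SG_IN, SSH_FROM_YOU),
            "with_ephemeral": trace_request(TIGHT_IN, TIGHT_OUT, SG_IN, SSH_FROM_YOU)}
```

`deck_results()` shows the security-group reference doing the work (public-instance-2 is admitted by group membership, an unrelated address is not), and `tightened_results()` shows why a narrowed NACL must carry an outbound 1024-65535 rule: the SSH handshake from YOUR IP passes both inbound checks and is then dropped at `nacl_outbound_reply`.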
14. Same path, same NACL (acl-489dea2e) and same security-group (sg-e9f787a4) rules as in 10, with a second instance added in another AZ:
   public-instance-1  public subnet ap-southeast-1a (172.31.16.0/20)  private 172.31.27.135/20  public 18.136.120.52/32
   public-instance-2  public subnet ap-southeast-1b (172.31.32.0/20)  private 172.31.44.202/20  public 13.212.86.174/32
If public-instance-2 is also a member of sg-e9f787a4 (as both instances are in 7), its traffic to public-instance-1 matches the inbound rule whose source is sg-e9f787a4: a security-group reference matches the peer's group membership, not its address, so 172.31.44.202 is admitted even though it is not YOUR IP.
17. As in 14, with a third instance added in ap-southeast-1b; NACL (acl-489dea2e) and security-group (sg-e9f787a4) rules unchanged from 10:
   public-instance-1   public subnet ap-southeast-1a (172.31.16.0/20)  private 172.31.27.135/20  public 18.136.120.52/32
   public-instance-2   public subnet ap-southeast-1b (172.31.32.0/20)  private 172.31.44.202/20  public 13.212.86.174/32
   public-instance-21  public subnet ap-southeast-1b (172.31.32.0/20)  private 172.31.35.37/20   public 13.212.87.209/32
24. SSH agent forwarding
Load the key into the local agent; the private key stays on your machine and is never copied to the public instance.
For Linux,
ssh-add -c hellocloud-master-sg.pem
(-c makes the agent ask for confirmation on every use of the key, so a forwarded agent cannot be used silently.)
For macOS,
ssh-add -K hellocloud-master-sg.pem
(-K stored the key in the macOS keychain on older releases; current macOS uses --apple-use-keychain instead, and -c works on macOS as well.)
Connect to the public instance using the -A option to enable SSH agent forwarding,
ssh -A ubuntu@public-instance-1
Connect to the private instance from the public instance; the authentication is answered by your forwarded agent,
ssh ubuntu@private-instance-1
Caveat: while the session is forwarded, anyone with root on public-instance-1 can use the agent socket to authenticate as you to any host that trusts the key. Use -A only for the session that needs it, rely on -c for the confirmation prompt, and prefer a jump host via ssh's ProxyJump option (-J), which reaches the private instance through the public one without exposing the agent at all.
28. Failure of one NAT Gateway and failover to an available NAT Gateway by manually changing the 0.0.0.0/0 next hop in the affected private subnet's route table. A NAT Gateway is zonal, so each private subnet normally uses the NAT Gateway in its own AZ; when that gateway (or the whole AZ) fails, the subnet's default route is repointed at a NAT Gateway in another AZ. Traffic then crosses AZs, which costs inter-AZ data transfer, so the route should be moved back once the original gateway is available again.
29. VPC (172.31.0.0/16)
Public subnets, route table: 172.31.0.0/16 local, 0.0.0.0/0 igw
   ap-southeast-1a  172.31.16.0/20  public-instance-1 (private 172.31.18.102/20, public 18.136.120.52/32), nat-gw-1 (pub-ip, priv-ip)
   ap-southeast-1b  172.31.32.0/20  nat-gw-2 (pub-ip, priv-ip)
   ap-southeast-1c  172.31.0.0/20   nat-gw-3 (pub-ip, priv-ip)
Private subnets, one route table each, default route to the NAT Gateway in the same AZ:
   ap-southeast-1a  172.31.48.0/20  private-instance-1 (172.31.60.214/20)  172.31.0.0/16 local, 0.0.0.0/0 nat-gw-1
   ap-southeast-1b  172.31.64.0/20  private-instance-2 (172.31.69.115/20)  172.31.0.0/16 local, 0.0.0.0/0 nat-gw-2
   ap-southeast-1c  172.31.80.0/20  private-instance-3 (172.31.84.232/20)  172.31.0.0/16 local, 0.0.0.0/0 nat-gw-3
All four instances are in secu-group (sg-e9f787a4).
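The manual failover from 28, written as a script against the layout in 29. This is an added example, not code from the original deck. FakeEc2 is a constructed stand-in for boto3's EC2 client that mirrors the method names and response keys of describe_nat_gateways, describe_route_tables and replace_route, so fail_over() can be handed a real boto3.client("ec2") unchanged; the route-table ids and the nat-gw-N labels (real ids look like nat-0123abcd...) are assumptions taken from the slide.

```python
"""Added example, not part of the original deck: slide 28's manual failover as a
script. FakeEc2 is a constructed stand-in for boto3's EC2 client that mirrors the
method names and response keys of describe_nat_gateways, describe_route_tables and
replace_route, so the same fail_over() runs against boto3.client("ec2") unchanged.
Route-table ids and the nat-gw-N labels (real ids look like nat-0123abcd...) are
assumptions based on the slide-29 layout."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_ROUTE = "0.0.0.0/0"

@dataclass
class FakeEc2:
    nat_state: Dict[str, str]          # NAT gateway id -> pending/failed/available/deleting/deleted
    routes: Dict[str, Dict[str, str]]  # route table id -> {destination cidr: target id}
    calls: List[Tuple] = field(default_factory=list)

    def describe_nat_gateways(self, NatGatewayIds=None, **_):
        ids = NatGatewayIds or list(self.nat_state)
        return {"NatGateways": [{"NatGatewayId": i, "State": self.nat_state[i]} for i in ids]}

    def describe_route_tables(self, RouteTableIds=None, **_):
        def route(cidr, target):
            entry = {"DestinationCidrBlock": cidr}
            if target.startswith("nat-"):
                # the real API reports "blackhole" when the route's target is gone;
                # this stand-in treats any non-available gateway that way
                up = self.nat_state.get(target) == "available"
                entry.update(NatGatewayId=target, State="active" if up else "blackhole")
            else:
                entry.update(GatewayId=target, State="active")
            return entry
        ids = RouteTableIds or list(self.routes)
        return {"RouteTables": [{"RouteTableId": i,
                                 "Routes": [route(c, t) for c, t in self.routes[i].items()]} for i in ids]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId, **_):
        self.routes[RouteTableId][DestinationCidrBlock] = NatGatewayId
        self.calls.append(("replace_route", RouteTableId, DestinationCidrBlock, NatGatewayId))
        return {}

def available_nat_gateways(ec2) -> List[str]:
    """Ids of NAT gateways whose state is 'available', in API order."""
    return [g["NatGatewayId"] for g in ec2.describe_nat_gateways()["NatGateways"]
            if g["State"] == "available"]

def default_route_target(ec2, rtb_id):
    """Target of the 0.0.0.0/0 route in a route table, or None if it has none."""
    table = ec2.describe_route_tables(RouteTableIds=[rtb_id])["RouteTables"][0]
    for r in table["Routes"]:
        if r.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return r.get("NatGatewayId") or r.get("GatewayId")
    return None

def fail_over(ec2, route_table_ids, dry_run=False) -> Dict[str, Tuple[str, str]]:
    """Repoint every route table whose default route targets a NAT gateway that is
    not 'available' at the first available NAT gateway. Tables whose gateway is
    healthy, or whose default route is not a NAT gateway, are left alone.
    Returns {route table id: (old target, new target)} for the tables changed.
    The replacement lives in another AZ, so cross-AZ data charges apply until the
    route is moved back."""
    healthy = available_nat_gateways(ec2)
    changed = {}
    for rtb in route_table_ids:
        current = default_route_target(ec2, rtb)
        if current is None or not current.startswith("nat-") or current in healthy:
            continue
        if not healthy:
            raise RuntimeError(f"{rtb}: default route via {current} is down and no NAT gateway is available")
        replacement = healthy[0]
        if not dry_run:
            ec2.replace_route(RouteTableId=rtb, DestinationCidrBlock=DEFAULT_ROUTE, NatGatewayId=replacement)
        changed[rtb] = (current, replacement)
    return changed

def slide_29_vpc() -> FakeEc2:
    """The slide-29 layout: one NAT gateway and one private route table per AZ."""
    return FakeEc2(
        nat_state={"nat-gw-1": "available", "nat-gw-2": "available", "nat-gw-3": "available"},
        routes={"rtb-private-1a": {"172.31.0.0/16": "local", DEFAULT_ROUTE: "nat-gw-1"},
                "rtb-private-1b": {"172.31.0.0/16": "local", DEFAULT_ROUTE: "nat-gw-2"},
                "rtb-private-1c": {"172.31.0.0/16": "local", DEFAULT_ROUTE: "nat-gw-3"}})

def demo(failed="nat-gw-1", dry_run=False):
    """Fail one gateway, run the failover over all private route tables, and return
    the client (to inspect routes and API calls) together with the change set."""
    ec2 = slide_29_vpc()
    ec2.nat_state[failed] = "failed"
    return ec2, fail_over(ec2, sorted(ec2.routes), dry_run=dry_run)

if __name__ == "__main__":
    ec2, changed = demo()
    print(changed, ec2.routes["rtb-private-1a"])
```

Against a real account, pass `boto3.client("ec2", region_name="ap-southeast-1")` and the ids of the three private route tables, run once with `dry_run=True` to see what would move, and give the caller only ec2:DescribeNatGateways, ec2:DescribeRouteTables and ec2:ReplaceRoute. Only tables whose default route points at a non-available NAT gateway are touched, so running it against a healthy VPC changes nothing.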