From c97321790b2528df98b685be113d78bcc8ed5f70 Mon Sep 17 00:00:00 2001
From: dtomlinson
Date: Fri, 1 May 2020 02:59:59 +0100
Subject: [PATCH] working config
---
 .ebextensions/03-general-options.config | 10 +++++-----
 .ebextensions/07-custom-vpc.config | 3 ++-
 tempnotes.md | 18 ++++++++++++++++++
 todo.md | 8 ++++++++
 4 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/.ebextensions/03-general-options.config b/.ebextensions/03-general-options.config
index 776cfb2..b9d3c91 100644
--- a/.ebextensions/03-general-options.config
+++ b/.ebextensions/03-general-options.config
@@ -1,10 +1,10 @@
 option_settings:
   # aws:elasticbeanstalk:environment:
   # EnvironmentType: SingleInstance
-  aws:rds:dbinstance:
-    DBEngine: postgres
-    DBInstanceClass: "db.t2.micro"
-    DBAllocatedStorage: 5
-    DBUser: strapi
+  # aws:rds:dbinstance:
+  # DBEngine: postgres
+  # DBInstanceClass: "db.t2.micro"
+  # DBAllocatedStorage: 5
+  # DBUser: strapi
   aws:ec2:instances:
     InstanceTypes: "t2.micro"
diff --git a/.ebextensions/07-custom-vpc.config b/.ebextensions/07-custom-vpc.config
index 05a51ba..1b31a42 100644
--- a/.ebextensions/07-custom-vpc.config
+++ b/.ebextensions/07-custom-vpc.config
@@ -7,4 +7,5 @@ option_settings:
   aws:autoscaling:launchconfiguration:
     SecurityGroups: sg-0d339673ef68988a4
   aws:autoscaling:asg:
-    MinSize: 2
+    MinSize: 1
+    MaxSize: 2
diff --git a/tempnotes.md b/tempnotes.md
index 46f69bc..e332208 100644
--- a/tempnotes.md
+++ b/tempnotes.md
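Review bot: The five `aws:rds:dbinstance` lines are left as commented-out text with nothing recording why, so the next reader cannot tell whether the Elastic Beanstalk-integrated database was dropped deliberately or only parked for this deploy; a one-line comment above the block, e.g. `# RDS is provisioned outside Elastic Beanstalk; keep this block disabled`, would capture the intent (adjust the reason if it differs). As far as I can tell, removing the namespace from the .ebextensions file does not by itself detach a database an existing environment has already created, so the environment state should be confirmed after deploying rather than assumed. The `option_settings:` map continues beyond this hunk.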
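Review bot: `MinSize: 1` together with `MaxSize: 2` means the group normally runs a single instance, and the second one only appears if a scaling trigger (`aws:autoscaling:trigger`) is configured elsewhere; if the minimum was lowered to cut cost while the VPC is being built out, a comment such as `# single instance while building out the VPC; raise MinSize before production` makes that explicit. The `SecurityGroups: sg-0d339673ef68988a4` context line above pins the file to one account and VPC; since the notes added in this commit plan to create the EC2 security group as a resource, referencing that resource instead of the literal id would keep the config portable. The enclosing `option_settings:` block starts before this hunk.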
@@ -186,3 +186,21 @@ Create another custom security group for the EC2 instance - should be private
 autoscaling should have current public security group
 Load balancer should have the current subnets
+
+Loadbalancer security group should have inbound + outbound to 80+443 on 0.0.0.0/0
+
+The option_settings: aws:elbv2:loadbalancer has two options for security groups
+
+ManagedSecurityGroup - defines the security group that is used for the load balancer itself.
+SecurityGroups - is a list of additional security groups you want to attach.
+
+If you define a ManagedSecurityGroup you should set SecurityGroups as well to the same one.
+
+Load balancer needs a security group that allows incoming 80 + 443 from anywhere
+It should also set the same for outbound as well
+
+This security group should be set in `aws:elbv2:loadbalancer` under
+`ManagedSecurityGroup` and `SecurityGroups`
+
+Additional security groups (in addition to the default one created by ELB) for the EC2 instances are defined in `aws:autoscaling:launchconfiguration` under `SecurityGroups`
+A security group will be created for you. You can ammend this (add 443 for https for example) by using `.config` file and creating a `AWS::EC2::SecurityGroupIngress` resource. (see 06-https.config)
diff --git a/todo.md b/todo.md
index be3687b..80741be 100644
--- a/todo.md
+++ b/todo.md
@@ -114,6 +114,14 @@ Create the security group for the EC2 instances
 Add this security group to Outputs
 Reference it in RDS security group
+Summarise the VPC creation - VPC is created, internet gateway is created (and route table) and is added to the VPC for internet access. Controlling what can and cannot go in/out to the internet is done with security groups.
+
 Check ssh? - Can ssh if you apply it to the EC2 SG you create. Multiple security groups get squashed to determine what is and isn't allowed: .
+
+Show how to create private + public subnets as in . You need a nat gateway to allow private subnets to go out to the internet, but back in. How is this different to using security groups?
+
+If you use private subnets, the nat gateway is not cheap - £30 a month. You dont need the nat gateway, you can achieve the same thing with security groups (block all incoming) (explained ). Advantage to NAT is all outgoing requests to the internet come from a single IP.
+
+Summarise the flow -> VPC, internet gateway, attachment + route tables, subnets etc. Mention the nat gateway but show how it can be replaced with security groups.