working config

.ebextensions/03-general-options.config

@@ -1,10 +1,10 @@
 option_settings:
   # aws:elasticbeanstalk:environment:
   #   EnvironmentType: SingleInstance
-  aws:rds:dbinstance:
+  # aws:rds:dbinstance:
-    DBEngine: postgres
+  #   DBEngine: postgres
-    DBInstanceClass: "db.t2.micro"
+  #   DBInstanceClass: "db.t2.micro"
-    DBAllocatedStorage: 5
+  #   DBAllocatedStorage: 5
-    DBUser: strapi
+  #   DBUser: strapi
   aws:ec2:instances:
     InstanceTypes: "t2.micro"

.ebextensions/07-custom-vpc.config

@@ -7,4 +7,5 @@ option_settings:
   aws:autoscaling:launchconfiguration:
     SecurityGroups: sg-0d339673ef68988a4
   aws:autoscaling:asg:
-    MinSize: 2
+    MinSize: 1
+    MaxSize: 2

tempnotes.md

@@ -186,3 +186,21 @@ Create another custom security group for the EC2 instance - should be private
 autoscaling should have current public security group
 
 Load balancer should have the current subnets
+
+Loadbalancer security group should have inbound + outbound to 80+443 on 0.0.0.0/0
+
+The option_settings: aws:elbv2:loadbalancer has two options for security groups
+
+ManagedSecurityGroup - defines the security group that is used for the load balancer itself.
+SecurityGroups - is a list of additional security groups you want to attach.
+
+If you define a ManagedSecurityGroup you should set SecurityGroups as well to the same one.
+
+Load balancer needs a security group that allows incoming 80 + 443 from anywhere
+It should also set the same for outbound as well
+
+This security group should be set in `aws:elbv2:loadbalancer` under
+`ManagedSecurityGroup` and `SecurityGroups`
+
+Additional security groups (in addition to the default one created by ELB) for the EC2 instances are defined in `aws:autoscaling:launchconfiguration` under `SecurityGroups`
+A security group will be created for you. You can ammend this (add 443 for https for example) by using `.config` file and creating a `AWS::EC2::SecurityGroupIngress` resource. (see 06-https.config)

todo.md

@@ -114,6 +114,14 @@ Create the security group for the EC2 instances
 Add this security group to Outputs
 Reference it in RDS security group
 
+Summarise the VPC creation - VPC is created, internet gateway is created (and route table) and is added to the VPC for internet access. Controlling what can and cannot go in/out to the internet is done with security groups.
+
 Check ssh? - Can ssh if you apply it to the EC2 SG you create.
 
 Multiple security groups get squashed to determine what is and isn't allowed: <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html>.
+
+Show how to create private + public subnets as in <https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/cfn-templates/vpc-privatepublic.yaml>. You need a nat gateway to allow private subnets to go out to the internet, but back in. How is this different to using security groups?
+
+If you use private subnets, the nat gateway is not cheap - £30 a month. You dont need the nat gateway, you can achieve the same thing with security groups (block all incoming) (explained <https://www.reddit.com/r/aws/comments/75bjei/private_subnets_nats_vs_simply_only_allowing/>). Advantage to NAT is all outgoing requests to the internet come from a single IP.
+
+Summarise the flow -> VPC, internet gateway, attachment + route tables, subnets etc. Mention the nat gateway but show how it can be replaced with security groups.