Creating a VPC with the CLI

1. Architecture diagram

[Architecture diagram (image not available): one VPC with a public subnet behind an Internet gateway and a private subnet behind a NAT gateway]

2. Preparation

2.1 Create a user with an AK/SK

Open the AWS portal at https://amazonaws-china.com/cn/ and log in.
Choose Services -> Security, Identity & Compliance -> IAM.

Choose Users -> Add user.

Enter a user name and choose Programmatic access as the access type. Programmatic access provides the AK/SK that the user needs for the CLI or the REST API; AWS Management Console access provides a user name and password for portal sign-in.

On the permissions page, choose Attach existing policies directly and attach administrator permissions to this user. This is a lab exercise; in real deployments, apply the principle of least privilege and grant the user only the permissions it actually needs.

The Add tags page is optional; click Next.
On the Review page, check that the configuration is correct, then click Create user.
Once the user has been created, save the AK/SK: AK is the access key ID and SK is the secret access key. The SK is shown only this once and never again, so be sure to keep it safe; you can also download it as a CSV file.

2.2 Install the CLI

Install the CLI on Windows: https://docs.aws.amazon.com/zhcn/cli/latest/userguide/install-cliv2-windows.html
Install the CLI on Linux: https://docs.aws.amazon.com/zhcn/cli/latest/userguide/install-cliv2-linux.html
Install the CLI on macOS: https://docs.aws.amazon.com/zhcn/cli/latest/userguide/install-cliv2-mac.html

2.3 Configure the CLI

Run: aws configure, which stores the AK/SK for the AWS CLI.
AWS Access Key ID: the AK from step 2.1
AWS Secret Access Key: the SK from step 2.1
Default region name: the default deployment region, Tokyo in this example; the region can also be specified separately in later deployment steps
Default output format: keep the default, json
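As an added example (not part of the original post), the script below does what step 2.1 recommends but does not show: instead of AdministratorAccess, it creates a managed policy limited to the EC2 actions this tutorial actually runs (plus the Describe calls needed to check the result), restricted to the tutorial's Tokyo region, and attaches it to the CLI user. It then confirms which principal the credentials configured in 2.3 resolve to. The user name vpc-cli and the policy name CreateVpcTutorial are assumptions; ec2:CreateTags is included because every create command below passes --tag-specifications.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: IAM user "vpc-cli"
# (the user created in 2.1) and managed policy "CreateVpcTutorial".
set -eu

USER_NAME=${USER_NAME:-vpc-cli}
POLICY_NAME=${POLICY_NAME:-CreateVpcTutorial}

# Policy document: only the EC2 calls made in section 3, the Describe calls
# needed to verify them, and only in ap-northeast-1 (the tutorial's region).
tutorial_policy_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VpcBuildInTokyoOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute",
        "ec2:AssociateRouteTable",
        "ec2:AllocateAddress",
        "ec2:CreateNatGateway",
        "ec2:CreateTags",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeRouteTables",
        "ec2:DescribeNatGateways",
        "ec2:DescribeAddresses"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "ap-northeast-1" } }
    }
  ]
}
EOF
}

# Number of EC2 actions the document grants (offline sanity check).
tutorial_policy_action_count() {
  tutorial_policy_document | grep -c '"ec2:'
}

# Create the managed policy and attach it to the user. Once this is in place
# the administrator policy from 2.1 can be detached in the console.
attach_tutorial_policy() {
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "$(tutorial_policy_document)" \
      --query 'Policy.Arn' --output text)
  aws iam attach-user-policy --user-name "$USER_NAME" --policy-arn "$policy_arn"
}

# After `aws configure` (2.3): print the ARN the CLI is now acting as, so a
# wrong or stale AK/SK is noticed before any resource is created.
whoami_check() {
  aws sts get-caller-identity --query 'Arn' --output text
}

# The AWS calls run only when RUN_AWS=1, so the file can be checked without credentials.
if [ "${RUN_AWS:-0}" = 1 ]; then
  attach_tutorial_policy
  whoami_check
fi
```

Run it with RUN_AWS=1 using credentials that are allowed to manage IAM (the vpc-cli user itself is not, by design). The region condition means the same AK/SK cannot build resources in another region by accident, which also bounds the damage if the key leaks.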

3. Create the VPC

3.1 Create the VPC

# The VPC's CIDR range is 10.0.0.0/16
# The VPC's Name tag is garyvpc
# The command:
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=garyvpc}]'
# Output:
{
    "Vpc": {
        "CidrBlock": "10.0.0.0/16",
        "DhcpOptionsId": "dopt-9f6a28f8",
        "State": "pending",
        "VpcId": "vpc-024f1b212f5bf801b",
        "OwnerId": "624581614683",
        "InstanceTenancy": "default",
        "Ipv6CidrBlockAssociationSet": [],
        "CidrBlockAssociationSet": [
            {
                "AssociationId": "vpc-cidr-assoc-0a2ce03662264b802",
                "CidrBlock": "10.0.0.0/16",
                "CidrBlockState": {
                    "State": "associated"
                }
            }
        ],
        "IsDefault": false,
        "Tags": [
            {
                "Key": "Name",
                "Value": "garyvpc"
            }
        ]
    }
}

# Record the VPC ID; the later commands reference it as $VpcId
VpcId=vpc-024f1b212f5bf801b

3.2 Create the subnets

This tutorial creates both subnets in AZ1; to create them in AZ2 instead, change the AZ to ap-northeast-1b or ap-northeast-1c.
# Subnet 1's CIDR range is 10.0.0.0/24
# Subnet 1's name is sub-1
# The command:
aws ec2 create-subnet \
--vpc-id $VpcId \
--availability-zone ap-northeast-1a \
--cidr-block 10.0.0.0/24 \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=sub-1}]'

# Output:
{
    "Subnet": {
        "AvailabilityZone": "ap-northeast-1a",
        "AvailabilityZoneId": "apne1-az4",
        "AvailableIpAddressCount": 251,
        "CidrBlock": "10.0.0.0/24",
        "DefaultForAz": false,
        "MapPublicIpOnLaunch": false,
        "State": "available",
        "SubnetId": "subnet-02a5d46bd55bcaf2b",
        "VpcId": "vpc-024f1b212f5bf801b",
        "OwnerId": "624581614683",
        "AssignIpv6AddressOnCreation": false,
        "Ipv6CidrBlockAssociationSet": [],
        "Tags": [
            {
                "Key": "Name",
                "Value": "sub-1"
            }
        ],
        "SubnetArn": "arn:aws:ec2:ap-northeast-1:624581614683:subnet/subnet-02a5d46bd55bcaf2b"
    }
}

# Record the ID of sub-1
SubId1=subnet-02a5d46bd55bcaf2b

# Subnet 2's CIDR range is 10.0.1.0/24
# Subnet 2's name is sub-2
# The command:
aws ec2 create-subnet \
--vpc-id $VpcId \
--availability-zone ap-northeast-1a \
--cidr-block 10.0.1.0/24 \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=sub-2}]'

# Output:
{
    "Subnet": {
        "AvailabilityZone": "ap-northeast-1a",
        "AvailabilityZoneId": "apne1-az4",
        "AvailableIpAddressCount": 251,
        "CidrBlock": "10.0.1.0/24",
        "DefaultForAz": false,
        "MapPublicIpOnLaunch": false,
        "State": "available",
        "SubnetId": "subnet-0e53a61969ce06fb1",
        "VpcId": "vpc-024f1b212f5bf801b",
        "OwnerId": "624581614683",
        "AssignIpv6AddressOnCreation": false,
        "Ipv6CidrBlockAssociationSet": [],
        "Tags": [
            {
                "Key": "Name",
                "Value": "sub-2"
            }
        ],
        "SubnetArn": "arn:aws:ec2:ap-northeast-1:624581614683:subnet/subnet-0e53a61969ce06fb1"
    }
}

# Record the ID of sub-2
SubId2=subnet-0e53a61969ce06fb1

3.3 Create the IGW

# Create the IGW, named IGW-garyvpc
aws ec2 create-internet-gateway \
--tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=IGW-garyvpc}]'

# Output:
{
    "InternetGateway": {
        "Attachments": [],
        "InternetGatewayId": "igw-04133c69ad783377f",
        "OwnerId": "624581614683",
        "Tags": [
            {
                "Key": "Name",
                "Value": "IGW-garyvpc"
            }
        ]
    }
}

# Record the IGW ID
igwId=igw-04133c69ad783377f

# Attach the IGW to the VPC
aws ec2 attach-internet-gateway --internet-gateway-id $igwId --vpc-id $VpcId

3.4 Create the IGW route

# Create route table 1
aws ec2 create-route-table --vpc-id $VpcId \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Public-Sub-Route}]'

# Output:
{
    "RouteTable": {
        "Associations": [],
        "PropagatingVgws": [],
        "RouteTableId": "rtb-0825a722d5c529067",
        "Routes": [
            {
                "DestinationCidrBlock": "10.0.0.0/16",
                "GatewayId": "local",
                "Origin": "CreateRouteTable",
                "State": "active"
            }
        ],
        "Tags": [
            {
                "Key": "Name",
                "Value": "Public-Sub-Route"
            }
        ],
        "VpcId": "vpc-024f1b212f5bf801b",
        "OwnerId": "624581614683"
    }
}

# Record the route table ID
RouteId1=rtb-0825a722d5c529067

# Create the default route entry through the IGW
aws ec2 create-route --route-table-id $RouteId1 --destination-cidr-block 0.0.0.0/0 --gateway-id $igwId

# Associate the public subnet
aws ec2 associate-route-table --route-table-id $RouteId1 --subnet-id $SubId1

3.5 Create the NAT gateway

# Allocate an EIP
aws ec2 allocate-address
# Output:
{
    "PublicIp": "35.72.202.78",
    "AllocationId": "eipalloc-02b0b3cab4c0907c1",
    "PublicIpv4Pool": "amazon",
    "NetworkBorderGroup": "ap-northeast-1",
    "Domain": "vpc"
}

# Record the EIP allocation ID
EIPID=eipalloc-02b0b3cab4c0907c1

# Create the NAT gateway in the public subnet
aws ec2 create-nat-gateway --subnet-id $SubId1 --allocation-id $EIPID
# Output:
{
    "ClientToken": "b1d50343-6017-45a7-acd5-43e503f8f05e",
    "NatGateway": {
        "CreateTime": "2021-03-19T13:06:41+00:00",
        "NatGatewayAddresses": [
            {
                "AllocationId": "eipalloc-02b0b3cab4c0907c1"
            }
        ],
        "NatGatewayId": "nat-0980a6db6520841ae",
        "State": "pending",
        "SubnetId": "subnet-02a5d46bd55bcaf2b",
        "VpcId": "vpc-024f1b212f5bf801b"
    }
}

# Record the NAT gateway ID
NATID=nat-0980a6db6520841ae

3.6 Create the NAT route

# Create route table 2
aws ec2 create-route-table --vpc-id $VpcId \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Private-Sub-Route}]'

# Output:
{
    "RouteTable": {
        "Associations": [],
        "PropagatingVgws": [],
        "RouteTableId": "rtb-0f1b1c3b51f5d1dd2",
        "Routes": [
            {
                "DestinationCidrBlock": "10.0.0.0/16",
                "GatewayId": "local",
                "Origin": "CreateRouteTable",
                "State": "active"
            }
        ],
        "Tags": [
            {
                "Key": "Name",
                "Value": "Private-Sub-Route"
            }
        ],
        "VpcId": "vpc-024f1b212f5bf801b",
        "OwnerId": "624581614683"
    }
}

# Record the route table ID
RouteId2=rtb-0f1b1c3b51f5d1dd2

# Create the default route entry through the NAT gateway
# (a NAT gateway is passed with --nat-gateway-id; --gateway-id is for Internet and virtual private gateways)
aws ec2 create-route --route-table-id $RouteId2 --destination-cidr-block 0.0.0.0/0 --nat-gateway-id $NATID

# Associate the private subnet
aws ec2 associate-route-table --route-table-id $RouteId2 --subnet-id $SubId2
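Steps 3.1 through 3.6 as one script, added here as an example and not taken from the original post. It uses the tutorial's names, CIDRs and AZ, but captures every ID with --query and --output text instead of copying it out of the JSON by hand (the page's vpc-, subnet-, rtb- and nat- values are specific to the author's account and must not be reused), checks offline that each subnet CIDR lies inside the VPC CIDR before calling AWS (create-subnet rejects a subnet outside the VPC block), waits for the NAT gateway to leave the pending state before pointing the private route at it, and finally lists the 0.0.0.0/0 route of each table so the IGW/NAT split that section 4 relies on can be confirmed without launching instances. The AWS calls run only when RUN_AWS=1 and assume the credentials from 2.3.

```shell
#!/bin/sh
# Added example (not the original post's code): sections 3.1-3.6 as one script.
# Assumed: credentials from 2.3 are configured; names, CIDRs and AZ are the tutorial's.
set -eu

VPC_CIDR=10.0.0.0/16
SUB1_CIDR=10.0.0.0/24     # public subnet (sub-1)
SUB2_CIDR=10.0.1.0/24     # private subnet (sub-2)
AZ=ap-northeast-1a

# Dotted-quad IPv4 address -> 32-bit integer.
ip4_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains OUTER INNER: succeeds when INNER lies entirely inside OUTER.
cidr_contains() {
  outer_ip=${1%/*}; outer_len=${1#*/}
  inner_ip=${2%/*}; inner_len=${2#*/}
  [ "$inner_len" -ge "$outer_len" ] || return 1
  mask=$(( (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$outer_ip") & mask )) -eq $(( $(ip4_to_int "$inner_ip") & mask )) ]
}

# Tag-specification string for a resource type and a Name value.
name_tag() {
  printf 'ResourceType=%s,Tags=[{Key=Name,Value=%s}]' "$1" "$2"
}

build_vpc() {
  cidr_contains "$VPC_CIDR" "$SUB1_CIDR" || { echo "sub-1 CIDR is outside the VPC" >&2; return 1; }
  cidr_contains "$VPC_CIDR" "$SUB2_CIDR" || { echo "sub-2 CIDR is outside the VPC" >&2; return 1; }

  # 3.1 VPC: create-vpc returns State=pending, so wait before using the ID.
  VpcId=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" \
      --tag-specifications "$(name_tag vpc garyvpc)" \
      --query 'Vpc.VpcId' --output text)
  aws ec2 wait vpc-available --vpc-ids "$VpcId"

  # 3.2 Subnets
  SubId1=$(aws ec2 create-subnet --vpc-id "$VpcId" --availability-zone "$AZ" \
      --cidr-block "$SUB1_CIDR" --tag-specifications "$(name_tag subnet sub-1)" \
      --query 'Subnet.SubnetId' --output text)
  SubId2=$(aws ec2 create-subnet --vpc-id "$VpcId" --availability-zone "$AZ" \
      --cidr-block "$SUB2_CIDR" --tag-specifications "$(name_tag subnet sub-2)" \
      --query 'Subnet.SubnetId' --output text)

  # 3.3 + 3.4 Public path: IGW and a 0.0.0.0/0 route for sub-1.
  igwId=$(aws ec2 create-internet-gateway \
      --tag-specifications "$(name_tag internet-gateway IGW-garyvpc)" \
      --query 'InternetGateway.InternetGatewayId' --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igwId" --vpc-id "$VpcId"
  RouteId1=$(aws ec2 create-route-table --vpc-id "$VpcId" \
      --tag-specifications "$(name_tag route-table Public-Sub-Route)" \
      --query 'RouteTable.RouteTableId' --output text)
  aws ec2 create-route --route-table-id "$RouteId1" \
      --destination-cidr-block 0.0.0.0/0 --gateway-id "$igwId" >/dev/null
  aws ec2 associate-route-table --route-table-id "$RouteId1" --subnet-id "$SubId1" >/dev/null

  # 3.5 + 3.6 Private path: NAT gateway in the public subnet, 0.0.0.0/0 route for sub-2.
  EIPID=$(aws ec2 allocate-address --domain vpc --query 'AllocationId' --output text)
  NATID=$(aws ec2 create-nat-gateway --subnet-id "$SubId1" --allocation-id "$EIPID" \
      --query 'NatGateway.NatGatewayId' --output text)
  aws ec2 wait nat-gateway-available --nat-gateway-ids "$NATID"   # pending -> available
  RouteId2=$(aws ec2 create-route-table --vpc-id "$VpcId" \
      --tag-specifications "$(name_tag route-table Private-Sub-Route)" \
      --query 'RouteTable.RouteTableId' --output text)
  aws ec2 create-route --route-table-id "$RouteId2" \
      --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$NATID" >/dev/null
  aws ec2 associate-route-table --route-table-id "$RouteId2" --subnet-id "$SubId2" >/dev/null

  # Show the default route of each table: [igw-..., null] for public, [null, nat-...] for private.
  aws ec2 describe-route-tables --route-table-ids "$RouteId1" "$RouteId2" \
      --query 'RouteTables[].Routes[?DestinationCidrBlock==`0.0.0.0/0`].[GatewayId,NatGatewayId]' \
      --output json
  printf 'VpcId=%s SubId1=%s SubId2=%s igwId=%s NATID=%s\n' \
      "$VpcId" "$SubId1" "$SubId2" "$igwId" "$NATID"
}

# The AWS calls run only when RUN_AWS=1; the helpers above work offline.
if [ "${RUN_AWS:-0}" = 1 ]; then
  build_vpc
fi
```

Run it as RUN_AWS=1 sh build-vpc.sh. With set -eu, any failed call (a wrong CIDR, a missing permission from the policy in 2.1, a quota limit on NAT gateways or EIPs) stops the script at that step instead of letting later commands run with an empty ID; the printed variables are the same ones the manual steps above ask you to record.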

4. Verify the result

4.1 Verify that the public subnet is reachable

Launch an EC2 instance named Bastion in sub-1 with a public IP and try to log in; the login succeeds.

4.2 Verify that the private subnet can reach the Internet

Launch an EC2 instance named Server1 in sub-2 and log in to Server1 through Bastion; Server1 can reach the Internet.
