使用CLI创建VPC

1. 架构图

2. 前期准备

2.1 创建具有具有AKSK的账户

打开AWS portal：https://amazonaws-china.com/cn/，并且登陆
选择Service-> 安全性、身份与合规性->IAM服务

选择用户->添加用户

输入用户名，并选择访问类型为编程访问。编程访问主要是为了客户使用CLI或者Rest API的时候提供AKSK；AWS管理控制台访问主要是为了客户portal访问的用户名密码。

在权限页面，选择直接附加现有策略，为改用户附加管理员权限。本例为实验，在实际过程中，应用最小权限原则，应该为用户分配所需要的权限。

添加标签页面是可选的，直接点下一步。
审核页面，检查之前的配置是否正确，之后点击创建用户

显示添加成功以后，要把AKSK保存起来，AK就是访问秘钥ID，SK就是私有访问秘钥。SK只在这一次显示，以后不会再显示，所以一定要保存好，也可以下载保存CSV文件

2.2. 安装CLI命令行工具

Windows系统安装CLI：https://docs.aws.amazon.com/zhcn/cli/latest/userguide/install-cliv2-windows.html
Linux系统安装CLI：https://docs.aws.amazon.com/zhcn/cli/latest/userguide/install-cliv2-linux.html
MacOS系统安装CLI：https://docs.aws.amazon.com/zhcn/cli/latest/userguide/install-cliv2-mac.html

2.3 配置CLI环境

输入：aws configure，配置aws CLI的AKSK

AWS Access Key ID是步骤2.1的AK
AWS secret Access Key是步骤2.1的SK
Default region name，输入默认部署区域，本例为东京区域，区域参数可以在以后的部署步骤中另外指定
Default output format: 保持默认Json就可以

3. 创建VPC

3.1 创建VPC

#VPC的IP地址范围CIDR为10.0.0.0/16
#VPC的Tag为garyvpc
#具体命令如下：
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=garyvpc}]'
#输出为：
{
"Vpc": {
"CidrBlock": "10.0.0.0/16",
"DhcpOptionsId": "dopt-9f6a28f8",
"State": "pending",
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683",
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": [],
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0a2ce03662264b802",
"CidrBlock": "10.0.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": false,
"Tags": [
{
"Key": "Name",
"Value": "garyvpc"
}
]
}
}
请记录VpcId=vpc-024f1b212f5bf801b

3.2 创建子网

本教程只在AZ1中创建子网，若打算再AZ2中创建，将AZ改成ap-northeast-1b或者ap-northeast-1c
#子网1的IP地址范围CIDR为：10.0.0.0/24
#子网1的名称为：sub-1
#具体命令如下：
aws ec2 create-subnet \
--vpc-id $VpcId \
--availability-zone ap-northeast-1a \
--cidr-block 10.0.0.0/24 \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=sub-1}]'
#输出为：
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1a",
"AvailabilityZoneId": "apne1-az4",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.0.0.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-02a5d46bd55bcaf2b",
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "sub-1"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:624581614683:subnet/subnet-02a5d46bd55bcaf2b"
}
}
#记录sub-1的ID，SubId1=subnet-02a5d46bd55bcaf2b

#子网2的IP地址范围CIDR为：10.0.1.0/24
#子网2的名称为：sub-2
#具体命令如下：
aws ec2 create-subnet \
--vpc-id $VpcId \
--availability-zone ap-northeast-1a \
--cidr-block 10.0.1.0/24 \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=sub-2}]'
##输出为：
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1a",
"AvailabilityZoneId": "apne1-az4",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.0.1.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0e53a61969ce06fb1",
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "sub-2"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:624581614683:subnet/subnet-0e53a61969ce06fb1"
}
}
#记录sub-2的ID，SubId2=subnet-0e53a61969ce06fb1

3.3 创建IGW

#创建IGW，名称为IGW-garyvpc
aws ec2 create-internet-gateway \
--tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=IGW-garyvpc}]'
#输出：
{
"InternetGateway": {
"Attachments": [],
"InternetGatewayId": "igw-04133c69ad783377f",
"OwnerId": "624581614683",
"Tags": [
{
"Key": "Name",
"Value": "IGW-garyvpc"
}
]
}
}
#记录，igwId=igw-04133c69ad783377f

#IGW关联VPC
aws ec2 attach-internet-gateway --internet-gateway-id $igwId --vpc-id $VpcId

3.4 创建IGW路由

#创建路由1
aws ec2 create-route-table --vpc-id $VpcId \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Public-Sub-Route}]'
#输出为：
{
"RouteTable": {
"Associations": [],
"PropagatingVgws": [],
"RouteTableId": "rtb-0825a722d5c529067",
"Routes": [
{
"DestinationCidrBlock": "10.0.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
}
],
"Tags": [
{
"Key": "Name",
"Value": "Public-Sub-Route"
}
],
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683"
}
}
#记录路由ID，RouteId1=rtb-0825a722d5c529067

#创建路由条目
aws ec2 create-route --route-table-id $RouteId1 --destination-cidr-block 0.0.0.0/0 --gateway-id $igwId

#关联子网
aws ec2 associate-route-table --route-table-id $RouteId1 --subnet-id $SubId1

3.5 创建NAT网关
#创建EIP
aws ec2 allocate-address
#输出为：
{
"PublicIp": "35.72.202.78",
"AllocationId": "eipalloc-02b0b3cab4c0907c1",
"PublicIpv4Pool": "amazon",
"NetworkBorderGroup": "ap-northeast-1",
"Domain": "vpc"
}
#记录EIPID=eipalloc-02b0b3cab4c0907c1

#创建NAT
aws ec2 create-nat-gateway --subnet-id $SubId1 --allocation-id $EIPID
#输出为：
{
"ClientToken": "b1d50343-6017-45a7-acd5-43e503f8f05e",
"NatGateway": {
"CreateTime": "2021-03-19T13:06:41+00:00",
"NatGatewayAddresses": [
{
"AllocationId": "eipalloc-02b0b3cab4c0907c1"
}
],
"NatGatewayId": "nat-0980a6db6520841ae",
"State": "pending",
"SubnetId": "subnet-02a5d46bd55bcaf2b",
"VpcId": "vpc-024f1b212f5bf801b"
}
}
#记录NATID=nat-0980a6db6520841ae

3.6 创建NAT路由

aws ec2 create-route-table --vpc-id $VpcId \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Private-Sub-Route}]'
#输出为：
{
"RouteTable": {
"Associations": [],
"PropagatingVgws": [],
"RouteTableId": "rtb-0f1b1c3b51f5d1dd2",
"Routes": [
{
"DestinationCidrBlock": "10.0.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
}
],
"Tags": [
{
"Key": "Name",
"Value": "Private-Sub-Route"
}
],
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683"
}
}

#记录路由ID，RouteId2=rtb-0f1b1c3b51f5d1dd2
#创建路由条目
aws ec2 create-route --route-table-id $RouteId2 --destination-cidr-block 0.0.0.0/0 --gateway-id $NATID

#关联子网
aws ec2 associate-route-table --route-table-id $RouteId2 --subnet-id $SubId2

4. 验证成果

4.1 验证公有子网可以被访问

在Sub-1中创建EC2，名为： Bastion，并附带public IP，尝试登陆，可以登陆。

4.2 验证私有子网可以访问Internet

在Sub-2中创建EC2，名为Server1，通过Bastion登陆Server1，可以访问Internet