Note: This article is an English translation of my original article, which you can find here.
In this article, I demonstrate how to run yum in a private subnet using a VPC endpoint, taking the example of web server configuration via user data. I will also share sample code using AWS CDK.
Background and Objective
I set up a web server at the time of instance launch using user data.
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "This is a sample website." > /var/www/html/index.html
However, the yum command fails in environments without internet access. To resolve this issue, I place a VPC endpoint to use the Amazon Linux repository hosted on S3.
By employing this method, I can set up a web server without internet access and without deploying a NAT gateway.
Update yum on my AL1 or AL2 EC2 instance without internet access | AWS re:Post
Architecture
I deploy a gateway-type VPC endpoint for S3.
I use an ALB as the public endpoint for the web server. I also set up VPC endpoints for SSM for remote connections.
How to Use CDK
First, make sure to complete the setup for CDK.
The official workshop provides a detailed procedure from setting up the development environment to deployment.
AWS CDK Intro Workshop | AWS CDK Workshop
Sample Code
I create a CDK project and edit lib/cdk-private-yum-sample-stack.ts.
mkdir cdk-private-yum-sample
cd cdk-private-yum-sample
cdk init -l typescript
import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
import * as elbv2_tg from 'aws-cdk-lib/aws-elasticloadbalancingv2-targets'
import { Construct } from 'constructs';
export class CdkPrivateYumSampleStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
// vpc
const vpc = new ec2.Vpc(this, 'WebVpc', {
vpcName: 'web-vpc',
ipAddresses: ec2.IpAddresses.cidr('172.16.0.0/16'),
natGateways: 0,
maxAzs: 2,
subnetConfiguration: [
{
cidrMask: 24,
name: 'Public',
subnetType: ec2.SubnetType.PUBLIC
},
{
cidrMask: 24,
name: 'Private',
subnetType: ec2.SubnetType.PRIVATE_ISOLATED
}
],
// remove all rules from default security group
// See: https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html
restrictDefaultSecurityGroup: true
});
// add private endpoints for session manager
vpc.addInterfaceEndpoint('SsmEndpoint', {
service: ec2.InterfaceVpcEndpointAwsService.SSM,
});
vpc.addInterfaceEndpoint('SsmMessagesEndpoint', {
service: ec2.InterfaceVpcEndpointAwsService.SSM_MESSAGES,
});
vpc.addInterfaceEndpoint('Ec2MessagesEndpoint', {
service: ec2.InterfaceVpcEndpointAwsService.EC2_MESSAGES,
});
// add private endpoint for Amazon Linux repository on s3
vpc.addGatewayEndpoint('S3Endpoint', {
service: ec2.GatewayVpcEndpointAwsService.S3,
subnets: [
{ subnetType: ec2.SubnetType.PRIVATE_ISOLATED }
]
});
//
// security groups
//
const albSg = new ec2.SecurityGroup(this, 'AlbSg', {
vpc,
allowAllOutbound: true,
description: 'security group for alb'
})
albSg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(80), 'allow http traffic from anyone')
const ec2Sg = new ec2.SecurityGroup(this, 'WebEc2Sg', {
vpc,
allowAllOutbound: true,
description: 'security group for a web server'
})
ec2Sg.connections.allowFrom(albSg, ec2.Port.tcp(80), 'allow http traffic from alb')
//
// web servers
//
const userData = ec2.UserData.forLinux({
shebang: '#!/bin/bash',
})
userData.addCommands(
// setup httpd
'yum update -y',
'yum install -y httpd',
'systemctl start httpd',
'systemctl enable httpd',
'echo "This is a sample website." > /var/www/html/index.html',
)
// launch one instance per az
const targets: elbv2_tg.InstanceTarget[] = new Array();
for (const [idx, az] of vpc.availabilityZones.entries()) {
targets.push(
new elbv2_tg.InstanceTarget(
new ec2.Instance(this, `WebEc2${idx + 1}`, {
instanceName: `web-ec2-${idx + 1}`, // web-ec2-1, web-ec2-2, ...
instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
machineImage: ec2.MachineImage.latestAmazonLinux2023(),
vpc,
vpcSubnets: vpc.selectSubnets({
subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
}),
availabilityZone: az,
securityGroup: ec2Sg,
blockDevices: [
{
deviceName: '/dev/xvda',
volume: ec2.BlockDeviceVolume.ebs(8, {
encrypted: true
}),
},
],
userData,
ssmSessionPermissions: true,
propagateTagsToVolumeOnCreation: true,
})
)
);
}
//
// alb
//
const alb = new elbv2.ApplicationLoadBalancer(this, 'Alb', {
internetFacing: true,
vpc,
vpcSubnets: {
subnets: vpc.publicSubnets
},
securityGroup: albSg
})
const listener = alb.addListener('HttpListener', {
port: 80,
protocol: elbv2.ApplicationProtocol.HTTP
})
listener.addTargets('WebEc2Target', {
targets,
port: 80
})
new CfnOutput(this, 'TestCommand', {
value: `curl http://${alb.loadBalancerDnsName}`
})
}
}
To deploy, execute:
cdk deploy
As a side note, the combination of CDK and GitHub Copilot offers an excellent development experience, and I highly recommend it.
Sample code is placed here:
JHashimoto0518
/
cdk-private-yum-sample
This is a sample of using CDK to build a private endpoint for yum on EC2 instances.
cdk private yum sample
This is a sample of using CDK to build a private endpoint for yum on EC2 instances.
diagrams
yum execution
http(s) request
Articles
Japanese
Tested on the following version:
$ cdk --version
2.81.0 (build bd920f2)
Testing
First, I verify the web server's operation.
I connect via the session manager and confirm that it returns responses to HTTP requests. (Sorry, the screenshot is in Japanese)
sh-4.2$ curl http://localhost/
This is a sample website.
Next, I carry out an end-to-end test.
After CDK deployment, a test command appears in the terminal. I copy and run it.
$ curl http://CdkPr-alb8A-1UPL742M6H83S-1170769314.ap-northeast-1.elb.amazonaws.com
This is a sample website.
I verify that the ALB returns the response as expected.
Conclusion
By utilizing VPC endpoints, I can run yum in an environment without internet access. Additionally, using CDK improves the development experience and speeds up the building process.
Top comments (0)