Setting up the VPC requires you to—at a minimum—create the VPC, add the subnets, create the security groups, deploy EC2 instances, and attach ENIs with private IP addresses. To allow external access to the servers in the VPC, you also require an internet gateway and an Elastic IP Address for each EC2 instance that needs access to the internet. For this use case, the VPC setup is as follows:
Set Up the VPC
Create the VPC and add the subnets. In this example, we create four subnets within the 192.168.0.0/16 VPC as follows:
    192.168.0.0/24 (Public: for external access and management)
    192.168.1.0/24 (Firewall: for connecting the firewalls)
    192.168.2.0/24 (Web: for connecting to the web farm)
    192.168.3.0/24 (DB: for connecting to the database server)
Set up the other basic components in the VPC. Ensure that the web server security group allows access only to destinations that are in the same subnet.
    Set up the internet gateway for incoming and outgoing traffic to/from the VPC and attach the internet gateway to the VPC.
    Set up the security groups. These groups are a basic form of security based on IP addresses, ports, and protocols. Security groups do not provide next-generation features like App-ID or threat protection, but they are part of a complementary solution that helps secure the VPC. This example has six security groups that control access to the subnets within the VPC:
        PANOS-MGMT—Attach to the management interface of each VM-Series firewall. The inbound access rules for this security group allow SSH and HTTPS traffic.
        PANOS-Dataplane—Attach to the dataplane interfaces of each VM-Series firewall. The inbound access rules for this security group allow all traffic.
        Webserver—Attach to the interfaces of each web server. The inbound access rules for this security group allow all traffic that is sourced from the PANOS-Dataplane security group.
        NetScaler-MGMT—Attach to the management interface of the Citrix NetScaler load balancer. The inbound access rules for this security group allow SSH and HTTPS traffic.
        NetScaler-Loadbalancing—Attach to the other interfaces on the Citrix NetScaler load balancer that are used to load balance traffic to the web farm. The inbound access rules for this security group allow all traffic.
        Amazon RDS SG—Attach to the interfaces on the Relational Database Service. The inbound access rules for this security group allow traffic on port 3306.
    For instructions, refer to the AWS documentation.
Allocate Elastic IP Addresses. For details on assigning Elastic IP Addresses, refer to the AWS documentation. AWS has a default maximum number of Elastic IP Addresses; if your specific architecture requires more than the default, you can request more Elastic IP Addresses through AWS. This example uses seven Elastic IP Addresses. See Allocate and associate Elastic IP Addresses for the firewall and the NetScaler VPX.
Set up the route tables:
    Rename the main route table with a descriptive name (this route table is automatically created when you create the VPC) and attach the internet gateway to this route table.
    Add a new route table. This route table is required for routing traffic from the web servers to the VM-Series firewall; it alleviates the need to create a default route on each web server as you horizontally scale out your web farm.
Create the subnets, security groups, and routes in the other Availability Zone. Repeat
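The subnet plan and security-group design above can be checked before (or after) deployment. The following is an added example, not code from the original page or from Palo Alto Networks: it models the four subnets and a subset of the six security groups as constructed sample data in the shape of the AWS `describe-security-groups` IpPermissions output, verifies that every subnet lies inside the VPC CIDR without overlap, and flags any inbound rule that is wider than the design states (management groups limited to SSH/HTTPS, Webserver sourced only from PANOS-Dataplane, RDS limited to TCP 3306). The source CIDRs for the management rules and the RDS rule are assumptions.

```python
import ipaddress
from itertools import combinations
# Constructed sample: the VPC CIDR and the four subnets from the page.
VPC_CIDR = "192.168.0.0/16"
SUBNETS = {"Public": "192.168.0.0/24", "Firewall": "192.168.1.0/24",
           "Web": "192.168.2.0/24", "DB": "192.168.3.0/24"}

# Constructed sample rules in the shape of describe-security-groups IpPermissions; source CIDRs are assumed.
SECURITY_GROUPS = {
    "PANOS-MGMT": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
    "PANOS-Dataplane": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "Webserver": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupName": "PANOS-Dataplane"}]}],
    "Amazon RDS SG": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "192.168.2.0/24"}]}],
}

def check_subnets(vpc_cidr, subnets):
    """Every subnet must sit inside the VPC CIDR and no two may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {n: ipaddress.ip_network(c) for n, c in subnets.items()}
    problems = [f"{n} is not inside {vpc_cidr}" for n, net in nets.items() if not net.subnet_of(vpc)]
    problems += [f"{a} overlaps {b}" for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]
    return problems

def _ports(rule):
    # IpProtocol "-1" means all protocols and all ports.
    if rule["IpProtocol"] == "-1":
        return None
    return set(range(rule["FromPort"], rule["ToPort"] + 1))

def audit_group(name, rules):
    """Flag inbound rules that are wider than the design described on the page."""
    findings = []
    for r in rules:
        ports = _ports(r)
        cidrs = [x["CidrIp"] for x in r.get("IpRanges", [])]
        groups = [x["GroupName"] for x in r.get("UserIdGroupPairs", [])]
        if name.endswith("-MGMT") and (ports is None or not ports <= {22, 443}):
            findings.append(f"{name}: management rule allows more than SSH/HTTPS")
        if name == "Webserver" and (cidrs or groups != ["PANOS-Dataplane"]):
            findings.append(f"{name}: inbound must be sourced only from PANOS-Dataplane")
        if name == "Amazon RDS SG" and ports != {3306}:
            findings.append(f"{name}: database rule must be limited to TCP 3306")
    return findings

def audit(groups):
    return [f for n, r in groups.items() for f in audit_group(n, r)]
```

Feeding real `describe-security-groups` output into `audit` turns the design statements above into a repeatable check for each Availability Zone.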