Lab Information
The Nautilus DevOps team needs to build a secure and scalable log aggregation setup within their AWS environment. The goal is to gather log files from an internal EC2 instance running in a private VPC, transfer them securely to another EC2 instance in a public VPC, and then push those logs to a secure S3 bucket.
1) A VPC named devops-priv-vpc already exists with a private subnet named devops-priv-subnet, a route table named devops-priv-rt, and an EC2 instance named devops-priv-ec2 (using an Ubuntu image). This instance uses the SSH key pair devops-key.pem, already available on the AWS client host at /root/.ssh/.
2) Your task is to:
Create a new VPC named devops-pub-vpc.
Create a subnet named devops-pub-subnet and a route table named devops-pub-rt under this public VPC.
Attach an internet gateway to devops-pub-vpc and configure the public route table to enable internet access.
Launch an EC2 instance named devops-pub-ec2 into the public subnet using the same key pair as the private instance.
Create an IAM role named devops-s3-role with PutObject permission to an S3 bucket and attach it to the public EC2 instance.
Create a new private S3 bucket named devops-s3-logs-14184.
Configure a VPC Peering named devops-vpc-peering between the private and public VPCs.
Modify both devops-priv-rt and devops-pub-rt to route each other's CIDR blocks through the peering connection.
On the private instance, configure a cron job to push the /var/log/boots.log file to the public instance (using scp or rsync).
On the public instance, configure a cron job to push that same file to the created S3 bucket.
The uploaded file must be stored in the S3 bucket under the path devops-priv-vpc/boot/boots.log.
Lab Solutions
🔹 Step 1: Create Public VPC
AWS Console → VPC → Create VPC
Name: devops-pub-vpc
CIDR: 10.20.0.0/16
Create.
🔹 Step 2: Create Public Subnet
VPC → Subnets → Create subnet
VPC: devops-pub-vpc
Name: devops-pub-subnet
CIDR: 10.20.1.0/24
AZ: any
After creation:
Enable Auto-assign public IPv4
🔹 Step 3: Internet Gateway
VPC → Internet Gateways → Create
Name: devops-pub-igw
Attach to devops-pub-vpc.
🔹 Step 4: Public Route Table
VPC → Route Tables → Create
Name: devops-pub-rt
VPC: devops-pub-vpc
Add route:
0.0.0.0/0 → Internet Gateway
Associate with devops-pub-subnet.
PART 2: EC2 & S3
🔹 Step 5: Launch Public EC2
EC2 → Launch Instance
Name: devops-pub-ec2
AMI: Ubuntu
Instance type: lab default
Key pair: devops-key.pem
VPC: devops-pub-vpc
Subnet: devops-pub-subnet
Public IP: Enabled
Create a security group that allows SSH (port 22).
Launch.
🔹 Step 6: Create S3 Bucket
S3 → Create bucket
Bucket name: devops-s3-logs-14184
Block all public access: ON
Create.
🔹 Step 7: IAM Role for S3
IAM → Roles → Create role
Service or use case: EC2
Permissions: AmazonS3FullAccess
Role name: devops-s3-role
Attach role to devops-pub-ec2.
PART 3: VPC PEERING
🔹 Step 8: Create VPC Peering
VPC → Peering Connections → Create
Name: devops-vpc-peering
Requester: devops-priv-vpc
Accepter: devops-pub-vpc
Accept the peering request.
🔹 Step 9: Update Route Tables
devops-priv-rt
Add route:
Destination: 10.20.0.0/16
Target: peering connection
devops-pub-rt
Add route:
Destination: CIDR of devops-priv-vpc
Target: peering connection
PART 4: SSH (CORRECT & SIMPLE)
🔹 Step 10: SSH Flow (Correct Design)
AWS client → devops-pub-ec2 → devops-priv-ec2
You never SSH directly to private EC2 from AWS client.
From AWS client → Public EC2
cd .ssh
cp devops-key.pem id_rsa   # ssh uses ~/.ssh/id_rsa by default, so the later hops need no -i
ssh -i /root/.ssh/devops-key.pem ubuntu@<PUBLIC_EC2_PUBLIC_IP>   # first hop: confirm access to the public instance
exit
ssh ubuntu@<PRIVATE_EC2_PRIVATE_IP> -J ubuntu@<PUBLIC_EC2_PUBLIC_IP>   # -J (ProxyJump) tunnels through the public instance to the private one
✅ Works because:
Same key pair
authorized_keys already present
VPC peering routing exists
PART 5: LOG TRANSFER
🔹 Step 11: Cron on Private EC2 (Send Log)
On devops-priv-ec2:
ssh-keygen -t ed25519   # creates ~/.ssh/id_ed25519 (private) and id_ed25519.pub (public); accept the defaults
cd .ssh/
cat id_ed25519.pub      # copy this single line
On devops-pub-ec2:
vi .ssh/authorized_keys
# Paste the public key from the private EC2 as a new line; keep the existing devops-key entry, or the AWS client loses access
cd ~
mkdir boot              # destination directory for the scp in the cron job below
On devops-priv-ec2:
crontab -e
2            # editor choice at the select-editor prompt (shown on the first run only)
Add:
* * * * * /usr/bin/scp /var/log/boots.log ubuntu@10.20.1.162:~/boot/boots.log
# 10.20.1.162 is the private IP of devops-pub-ec2 in this run; substitute yours.
# Run the scp once by hand first so the public instance's host key is stored in ~/.ssh/known_hosts; cron cannot answer the host-key prompt.
🔹 Step 12: Cron on Public EC2 (Upload to S3)
On devops-pub-ec2:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
sudo apt install -y unzip
unzip awscliv2.zip
sudo ./aws/install        # installs to /usr/local/aws-cli and symlinks /usr/local/bin/aws
aws --version
crontab -e
2            # editor choice at the select-editor prompt (shown on the first run only)
Add:
* * * * * /usr/local/bin/aws s3 cp ~/boot/boots.log s3://devops-s3-logs-14184/devops-priv-vpc/boot/boots.log
# Use the full path to aws: cron's default PATH (/usr/bin:/bin) does not include /usr/local/bin.
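An added example (not the lab's own code) for the Step 12 cron job: a small script for devops-pub-ec2 that hashes boots.log and only calls `aws s3 cp` when the content changed since the last successful upload, and never records a digest for a failed push. The script path, the state file and the UPLOAD_CMD override are assumptions.

```shell
#!/bin/sh
# Added example, not the lab's code: push boots.log to S3 only when it changed.
# LOG_FILE, STATE_FILE and UPLOAD_CMD are assumed names, overridable via the environment.
set -eu

LOG_FILE="${LOG_FILE:-${HOME:-/home/ubuntu}/boot/boots.log}"
STATE_FILE="${STATE_FILE:-${HOME:-/home/ubuntu}/boot/.boots.log.sha256}"
S3_URI="${S3_URI:-s3://devops-s3-logs-14184/devops-priv-vpc/boot/boots.log}"
# Full path because cron's PATH lacks /usr/local/bin. Overridable so the logic can be
# exercised without AWS credentials (e.g. UPLOAD_CMD=cp and a local S3_URI).
UPLOAD_CMD="${UPLOAD_CMD:-/usr/local/bin/aws s3 cp}"

# Print the SHA-256 hex digest of a file, or nothing if the file is missing.
file_digest() {
  if [ -f "$1" ]; then
    sha256sum "$1" | cut -d' ' -f1
  fi
}

# Succeed (exit 0) only when the log exists and its digest differs from the one
# recorded after the last successful upload.
should_upload() {
  cur=$(file_digest "$1")
  [ -n "$cur" ] || return 1
  prev=$(cat "$2" 2>/dev/null || true)
  [ "$cur" != "$prev" ]
}

# Upload when needed; the digest is recorded only after the upload command succeeds,
# so a failed push is retried on the next cron tick instead of being silently lost.
push_log() {
  if ! should_upload "$LOG_FILE" "$STATE_FILE"; then
    echo "$(date -u +%FT%TZ) boots.log unchanged, skipping upload"
    return 0
  fi
  if ! $UPLOAD_CMD "$LOG_FILE" "$S3_URI"; then
    echo "$(date -u +%FT%TZ) upload to $S3_URI failed; will retry next run" >&2
    return 1
  fi
  file_digest "$LOG_FILE" > "$STATE_FILE"
  echo "$(date -u +%FT%TZ) uploaded $LOG_FILE to $S3_URI"
}

# Run the push only when invoked as `s3_push.sh run` (the cron form); sourcing the
# file just defines the functions.
case "${1:-}" in
  run) push_log ;;
esac
```

Point the cron line at it (`* * * * * /home/ubuntu/s3_push.sh run`); with this job the instance role needs only s3:PutObject on arn:aws:s3:::devops-s3-logs-14184/devops-priv-vpc/boot/*, the permission the task asks for, rather than AmazonS3FullAccess.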
🔹 Step 13: Final Validation
After 2–5 minutes, S3 should show:
devops-s3-logs-14184
└── devops-priv-vpc
    └── boot
        └── boots.log