
INFRASTRUCTURE AS CODE

Infrastructure as Code

University of Maryland Global Campus

CCA 625: Network Engineering

March 2, 2021


Table of Contents
Executive Summary
Networking in the Cloud
  AWS VPC
  BallotOnline Utilization of AWS VPC
Cloud Command Line Interfaces
  Explanation of Cloud CLIs
  Advantages of Cloud CLIs
  BallotOnline Utilization of Cloud CLIs
Declarative Resource Definitions
  Explanation of declarative cloud resource definitions
  Advantages of declarative cloud resource definitions
  BallotOnline Utilization of declarative cloud resource definitions
Cloud APIs
  Explanation of Cloud APIs
  Advantages of Cloud APIs
  BallotOnline Utilization of Cloud APIs
References
Appendix A: AWS CLI
Appendix B: AWS CloudFormation
Appendix C: Template File
Appendix D: Cloud API


Executive Summary

Historically, IT infrastructure management was an in-depth manual job; configuring and managing all the necessary hardware and software took many man-hours and a lot of planning. With the introduction of cloud computing and cloud migration, the need for automation quickly became apparent. In a traditional data center setup, many network and software engineers would need to be hired to configure and maintain the data center. These engineers would need to be compensated, driving up the cost of service. Along with cost, scalability and availability also became a problem. Manual configuration takes time, and often a lot of it. There was no time to wait for a new server to be configured and installed if the data center was receiving heavy loads. Each network and software engineer has their own way of doing things. Even a subtle difference in approach could create a very inconsistent configuration, making it harder to troubleshoot. Infrastructure as Code (IaC) is a process that includes the management and provisioning of data centers through machine-readable definition files, rather than using physical hardware configuration or an interactive configuration tool. IaC solves many problems associated with traditional data center setups. Increasing the speed, consistency, and accountability ultimately leads to cost savings.


Networking in the Cloud

AWS VPC

Amazon Virtual Private Cloud (Amazon VPC) is a service offered by AWS that lets users work in a logically isolated virtual network. This virtual network environment is defined and completely controlled by the user, including selection of the IP address range, subnets, configuration of routing tables, and network gateways. Allowing the user to use either IPv4 or IPv6 helps to ensure secure and easy access to all resources and applications. Amazon VPC offers public-facing subnets, which allow web servers to connect to the internet as web hosts; private-facing subnets are also offered, allowing database or application servers to remain inaccessible to or from the internet (Amazon -a, n.d.).

Amazon VPC is host to many of the same components available within a Small Office/Home Office (SOHO) or an enterprise network. This makes networking within AWS very similar to that of an enterprise setup. Amazon VPC offers:

• Internet gateways
  o serve two functions:
    ▪ provide a target within the VPC route table for internet-routable traffic.
    ▪ perform network address translation (NAT) for any instances that have been assigned a public-facing IPv4 address.
  o support IPv4 and IPv6 traffic (Amazon -b, n.d.).
• Egress-only internet gateways
  o horizontally scaled, redundant, and highly available.
  o allow outbound communication over IPv6 from instances within a VPC to the internet.
  o prevent any inbound connections from initiating an IPv6 connection with the instances within the VPC (Amazon -c, n.d.).


• Carrier gateways
  o serve two functions:
    ▪ allow inbound traffic from a carrier network in a specific location.
    ▪ allow outbound traffic to the carrier network and the internet.
  o support IPv4 traffic.
  o only available for VPCs containing subnets in a Wavelength Zone.
    ▪ provide connectivity between the Wavelength Zone and the telecommunication carrier, along with the devices on the telecommunication carrier network (Amazon -d, n.d.).
• NAT devices
  o NAT gateways
    ▪ enable instances within a private subnet to connect to the internet or other AWS services.
    ▪ prevent outside hosts from initiating a connection with internal instances (Amazon -e, n.d.).
  o NAT instances
    ▪ an Amazon Machine Image (AMI) can be used to create a custom NAT to be run on an EC2 instance.
    ▪ the instance is run in a public subnet of the VPC.
    ▪ allow instances to initiate outbound connections.
    ▪ block incoming connections (Amazon -f, n.d.).
  o only support IPv4 connections; for IPv6, an egress-only internet gateway should be used.
• DHCP options
  o automatically created and associated with the VPC upon VPC configuration.
  o custom DHCP options can be set within the VPC (Amazon -g, n.d.).


• DNS
  o Amazon Route 53 Resolver is automatically assigned to the DHCP options upon creation of the VPC.
  o custom DNS servers can be used by editing DHCP options (Amazon -h, n.d.).
• Prefix lists
  o a set of one or more CIDR blocks
    ▪ AWS-managed prefix list
      • IP address ranges for an AWS service.
      • can be referenced within the VPC security group rules and within subnet route table entries.
    ▪ Customer-managed prefix list
      • a set of IPv4 or IPv6 CIDR blocks defined and managed by the customer.
      • can be referenced within the VPC security group rules and within subnet route table entries (Amazon -i, n.d.).
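The gateway types listed above decide which subnets can be reached from the internet, and that is visible in each subnet's route table. As an added example (not part of the original paper), the Python below labels each subnet from its default routes; the dictionaries follow the shape of `aws ec2 describe-route-tables` output, and every ID, the subnet names and the single-VPC assumption are constructed for illustration.

```python
# Added example. Input mirrors the shape of `aws ec2 describe-route-tables`
# output for ONE VPC; every ID below is constructed sample data.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-web",   # web tier: default route to an internet gateway
     "Associations": [{"SubnetId": "subnet-web", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1"}]},
    {"RouteTableId": "rtb-app",   # app tier: NAT (IPv4) and egress-only (IPv6)
     "Associations": [{"SubnetId": "subnet-app", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0b2"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-0c3"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],  # local only
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SUBNETS = ["subnet-web", "subnet-app", "subnet-db"]  # subnet-db uses the main table
TARGET_KEYS = {"CarrierGatewayId": "carrier-gateway", "NatGatewayId": "nat-gateway",
               "EgressOnlyInternetGatewayId": "egress-only-gateway"}

def default_route_targets(table):
    """Return the kinds of target that carry 0.0.0.0/0 or ::/0 in this table."""
    kinds = set()
    for route in table["Routes"]:
        if (route.get("DestinationCidrBlock") != "0.0.0.0/0"
                and route.get("DestinationIpv6CidrBlock") != "::/0"):
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            kinds.add("internet-gateway")
        else:  # anything unrecognised (NAT instance, peering, ...) is "unknown"
            found = [kind for key, kind in TARGET_KEYS.items() if key in route]
            kinds.update(found or ["unknown"])
    return kinds

def classify_subnets(subnets, tables):
    """Label each subnet public / outbound-only / isolated / review."""
    explicit = {a["SubnetId"]: t for t in tables
                for a in t["Associations"] if "SubnetId" in a}
    main = next(t for t in tables if any(a.get("Main") for a in t["Associations"]))
    labels = {}
    for subnet in subnets:
        kinds = default_route_targets(explicit.get(subnet, main))
        if kinds & {"internet-gateway", "carrier-gateway"}:
            labels[subnet] = "public"         # inbound connections can be routed
        elif "unknown" in kinds:
            labels[subnet] = "review"         # needs a human decision
        elif kinds:
            labels[subnet] = "outbound-only"  # NAT or egress-only gateway
        else:
            labels[subnet] = "isolated"       # no default route at all
    return labels

if __name__ == "__main__":
    print(classify_subnets(SUBNETS, ROUTE_TABLES))
```

A default route to an internet gateway is necessary but not sufficient for exposure: as noted in the list above, the gateway only performs NAT for instances that have a public IPv4 address.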

BallotOnline Utilization of AWS VPC

In order for BallotOnline to maximize its cloud presence, the full features of the AWS VPC, Regions, and Availability Zones must be utilized. Accomplishing this can provide not only high levels of security, but also availability. The easiest way to do this is with AWS CloudFormation, which gives BallotOnline an easy method of modeling AWS and third-party resources. This allows for quick and consistent provisioning and management by treating a network’s infrastructure as code. CloudFormation templates describe the desired resources, along with any dependencies, allowing these resources to be launched and configured as a stack. CloudFormation allows for management and provisioning of stacks across multiple AWS accounts and Regions [CITATION Ama9].

Using CloudFormation not only allows BallotOnline to create an infrastructure from code; the templates that hold this code are also:


• Updateable: The network stack is modified by changing the CloudFormation template. Based on the modifications to the template, the stack is updated. CloudFormation detects a change in the template and changes the stack to match.
• Reusable: By reusing a template, BallotOnline can create multiple networks in various regions, allowing for quick expansion and better stability.
• Drift Detection: CloudFormation can let BallotOnline’s network engineers know if any resources have drifted away from their original configuration. Though better-established organizations discourage it, network administrators do have the ability to manually change resources. In an environment where network administrators are still adapting to the cloud, such changes can be made in error.
• Disposable: It is quite easy to delete a stack when it is no longer needed.
• Ease of use: CloudFormation supports JSON or YAML for the creation of a template file [CITATION Ken18].

Cloud Command Line Interfaces
Explanation of Cloud CLIs

The AWS Command Line Interface (AWS CLI) is an open-source tool allowing users to work with AWS services using commands in a command-line shell. These shells, such as bash, zsh, tcsh, and PowerShell, allow administrators to connect from a Linux, macOS, or Windows machine. Administrators can also use remote connection software such as PuTTY, SSH, or AWS Systems Manager to connect to their instances. According to AWS CLI documentation, “All IaaS (infrastructure as a service) AWS administration, management, and access functions in the AWS Management Console are available in the AWS API and CLI” [CITATION Ama10].

Advantages of Cloud CLIs
A cloud-based CLI is much like an OS-level CLI; a user who is comfortable with the command line can work much faster, and with much more customization, than with even a desktop shortcut. With the development of the graphical user interface (GUI), the CLI seemed to take a backseat to the new user experience (UX) that the GUI offered. However, many developers and system administrators still use the CLI today. The three main advantages of using a CLI over a GUI are:

• If a user is familiar and comfortable with the commands, a CLI can be a lot faster and more efficient than any other type of interface. Carrying out repetitive tasks can be much easier with a CLI than with a GUI.
• A CLI requires much less system memory (RAM) and CPU processing power than a GUI. This leaves more RAM and CPU power for the applications running on the system.
• A CLI works on low-resolution monitors; this is advantageous for remote connections, as only simple terminal text needs to be displayed rather than a graphical interface, allowing for faster connections to the remote service.


BallotOnline Utilization of Cloud CLIs

Declarative Resource Definitions
Explanation of declarative cloud resource definitions
Advantages of declarative cloud resource definitions
BallotOnline Utilization of declarative cloud resource definitions

Cloud APIs
Explanation of Cloud APIs
Advantages of Cloud APIs
BallotOnline Utilization of Cloud APIs


References
Amazon -a. (n.d.). Amazon Virtual Private Cloud. Retrieved from AWS: https://aws.amazon.com/vpc/?vpc-blogs.sort-by=item.additionalFields.createdDate&vpc-blogs.sort- =desc
Amazon -b. (n.d.). Internet gateways. Retrieved from AWS Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
Amazon -c. (n.d.). Egress-only internet gateways. Retrieved from AWS Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html
Amazon -d. (n.d.). Carrier Gateways. Retrieved from AWS Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/Carrier_Gateway.html
Amazon -e. (n.d.). NAT gateways. Retrieved from AWS Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Amazon -f. (n.d.). NAT instances. Retrieved from AWS Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
Amazon -g. (n.d.). DHCP options sets. Retrieved from AWS Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html
Amazon -h. (n.d.). Using DNS with your VPC. Retrieved from AWS Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
Amazon -i. (n.d.). Prefix lists. Retrieved from AWS Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html


Appendix A: AWS CLI

Created the VPC using the CIDR block 10.0.0.0/16

Naming the VPC “CLI VPC”


Verification of the VPC creation and naming

Creation of the Internet Gateway

Naming the Internet Gateway “CLI IG”

Verification of the Internet Gateway creation and naming

Linking the Internet Gateway to the VPC


Verification of the link of the Internet Gateway to the VPC


Appendix B: AWS CloudFormation

Successful creation of a valid stack template

Successful stack creation using the template previously created


Verification of successful VPC creation

Verification of successful Internet Gateway creation


Appendix C: Template File
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "14bf9360-9808-4548-81b4-0fb066b459a5": {
        "size": {
          "width": 140,
          "height": 140
        },
        "position": {
          "x": 30,
          "y": 50
        },
        "z": 0,
        "embeds": []
      },
      "5aa5c823-103b-418c-9a4e-64c4b9d16426": {
        "size": {
          "width": 60,
          "height": 60
        },
        "position": {
          "x": 290,
          "y": -10
        },
        "z": 0,
        "embeds": [],
        "dependson": [
          "14bf9360-9808-4548-81b4-0fb066b459a5"
        ]
      },
      "44c40cf9-199d-4151-ba8e-3069e8b4fe05": {
        "source": {
          "id": "5aa5c823-103b-418c-9a4e-64c4b9d16426"
        },
        "target": {
          "id": "14bf9360-9808-4548-81b4-0fb066b459a5"
        },
        "z": 1
      },
      "05a51113-678f-45eb-8282-73977b4a1ead": {
        "source": {
          "id": "14bf9360-9808-4548-81b4-0fb066b459a5"
        },
        "target": {
          "id": "5aa5c823-103b-418c-9a4e-64c4b9d16426"
        },
        "z": 0
      }
    }
  },
  "Resources": {
    "EC2VPC3ZXN8": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "Tags": [
          {
            "Key": "Name",
            "Value": "CF VPC"
          }
        ]
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "14bf9360-9808-4548-81b4-0fb066b459a5"
        }
      }
    },
    "EC2IG1JDGU": {
      "Type": "AWS::EC2::InternetGateway",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "CF IG"
          }
        ]
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "5aa5c823-103b-418c-9a4e-64c4b9d16426"
        }
      },
      "DependsOn": [
        "EC2VPC3ZXN8"
      ]
    },
    "EC2VPCGAD34": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "InternetGatewayId": {
          "Ref": "EC2IG1JDGU"
        },
        "VpcId": {
          "Ref": "EC2VPC3ZXN8"
        }
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "05a51113-678f-45eb-8282-73977b4a1ead"
        }
      }
    }
  }
}
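A pre-deployment check for a template like the one in this appendix, as an added example that is not part of the original paper: it confirms that every `Ref` and `DependsOn` names something the template defines and that each internet gateway is attached to a VPC. The `SpareIG` resource and the function names are constructed for illustration; the other resources are copied from the template above with the Designer metadata and tags left out.

```python
import json

# Resources copied from the Appendix C template (Designer metadata and tags
# left out) plus one constructed resource, "SpareIG", that triggers findings.
TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EC2VPC3ZXN8": {"Type": "AWS::EC2::VPC",
                    "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "EC2IG1JDGU":  {"Type": "AWS::EC2::InternetGateway",
                    "DependsOn": ["EC2VPC3ZXN8"]},
    "EC2VPCGAD34": {"Type": "AWS::EC2::VPCGatewayAttachment",
                    "Properties": {"InternetGatewayId": {"Ref": "EC2IG1JDGU"},
                                   "VpcId": {"Ref": "EC2VPC3ZXN8"}}},
    "SpareIG":     {"Type": "AWS::EC2::InternetGateway",
                    "DependsOn": "MissingVpc"}
  }
}
""")

def find_refs(node):
    """Yield every logical ID named by a {"Ref": ...} anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from find_refs(child)

def check_template(template):
    """Return findings for dangling references and unattached gateways."""
    resources = template.get("Resources", {})
    known = set(resources) | set(template.get("Parameters", {}))
    findings, attached = [], set()
    for name, res in resources.items():
        props = res.get("Properties", {})
        deps = res.get("DependsOn", [])   # may be a string or a list
        for target in [deps] if isinstance(deps, str) else deps:
            if target not in resources:
                findings.append(f"{name}: DependsOn unknown resource {target}")
        for target in find_refs(props):
            if target not in known and not target.startswith("AWS::"):
                findings.append(f"{name}: Ref to undefined {target}")
        if res.get("Type") == "AWS::EC2::VPCGatewayAttachment":
            attached.update(find_refs(props.get("InternetGatewayId")))
    for name, res in resources.items():
        if res.get("Type") == "AWS::EC2::InternetGateway" and name not in attached:
            findings.append(f"{name}: internet gateway is never attached to a VPC")
    return findings

if __name__ == "__main__":
    print("\n".join(check_template(TEMPLATE)) or "no findings")
```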


Appendix D: Cloud API

Adding the Key Pair CCA625_BF


Successful execution of the python create_instance.py command

Verification of successful creation of the Python Instance
