Creating the VPC and Subnets
# Create the VPC
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query 'Vpc.VpcId' --output text)
aws ec2 modify-vpc-attribute --vpc-id $VPC_ID --enable-dns-hostnames
aws ec2 create-tags --resources $VPC_ID --tags Key=Name,Value=firma-vpc
# Public subnets (in two Availability Zones)
PUB_SUBNET_1=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.1.0/24 --availability-zone eu-central-1a --query 'Subnet.SubnetId' --output text)
PUB_SUBNET_2=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.2.0/24 --availability-zone eu-central-1b --query 'Subnet.SubnetId' --output text)
# Private subnets
PRIV_SUBNET_1=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.10.0/24 --availability-zone eu-central-1a --query 'Subnet.SubnetId' --output text)
PRIV_SUBNET_2=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.11.0/24 --availability-zone eu-central-1b --query 'Subnet.SubnetId' --output text)
# Auto-assign a public IP for the public subnets
aws ec2 modify-subnet-attribute --subnet-id $PUB_SUBNET_1 --map-public-ip-on-launch
aws ec2 modify-subnet-attribute --subnet-id $PUB_SUBNET_2 --map-public-ip-on-launch
Internet Gateway
# Create the Internet Gateway and attach it to the VPC
IGW_ID=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
aws ec2 attach-internet-gateway --internet-gateway-id $IGW_ID --vpc-id $VPC_ID
# Route table for the public subnets
PUB_RT=$(aws ec2 create-route-table --vpc-id $VPC_ID --query 'RouteTable.RouteTableId' --output text)
aws ec2 create-route --route-table-id $PUB_RT --destination-cidr-block 0.0.0.0/0 --gateway-id $IGW_ID
aws ec2 associate-route-table --route-table-id $PUB_RT --subnet-id $PUB_SUBNET_1
aws ec2 associate-route-table --route-table-id $PUB_RT --subnet-id $PUB_SUBNET_2
NAT Gateway (private instances reaching the internet)
# Elastic IP for the NAT Gateway
EIP_ALLOC=$(aws ec2 allocate-address --domain vpc --query 'AllocationId' --output text)
# NAT Gateway in a PUBLIC subnet
NAT_GW=$(aws ec2 create-nat-gateway --subnet-id $PUB_SUBNET_1 --allocation-id $EIP_ALLOC --query 'NatGateway.NatGatewayId' --output text)
# Wait until the NAT Gateway is available
aws ec2 wait nat-gateway-available --nat-gateway-ids $NAT_GW
# Route for the private subnets via NAT (both private subnets must be associated,
# otherwise the unassociated one falls back to the VPC's main route table)
PRIV_RT=$(aws ec2 create-route-table --vpc-id $VPC_ID --query 'RouteTable.RouteTableId' --output text)
aws ec2 create-route --route-table-id $PRIV_RT --destination-cidr-block 0.0.0.0/0 --nat-gateway-id $NAT_GW
aws ec2 associate-route-table --route-table-id $PRIV_RT --subnet-id $PRIV_SUBNET_1
aws ec2 associate-route-table --route-table-id $PRIV_RT --subnet-id $PRIV_SUBNET_2
Security Groups
# Web server security group
WEB_SG=$(aws ec2 create-security-group --group-name web-sg --description "Web Server" --vpc-id $VPC_ID --query 'GroupId' --output text)
aws ec2 authorize-security-group-ingress --group-id $WEB_SG --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id $WEB_SG --protocol tcp --port 443 --cidr 0.0.0.0/0
# App server security group (reachable only from the web SG)
APP_SG=$(aws ec2 create-security-group --group-name app-sg --description "App Server" --vpc-id $VPC_ID --query 'GroupId' --output text)
aws ec2 authorize-security-group-ingress --group-id $APP_SG --protocol tcp --port 8080 --source-group $WEB_SG
# DB security group (reachable only from the app SG)
DB_SG=$(aws ec2 create-security-group --group-name db-sg --description "Database" --vpc-id $VPC_ID --query 'GroupId' --output text)
aws ec2 authorize-security-group-ingress --group-id $DB_SG --protocol tcp --port 5432 --source-group $APP_SG
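As an added check that is not part of the original page or of any AWS tooling, the following Python audits the layout the script above produces. It works on the JSON shape returned by `aws ec2 describe-route-tables`, `describe-nat-gateways` and `describe-security-groups` (boto3 returns the same keys); the sample data is constructed and deliberately contains two mistakes: a private subnet that was never associated with the NAT route table, and a DB security group that allows Postgres from the whole internet.

```python
def classify_subnets(route_tables):
    """Map subnet id -> 'public' | 'private' | 'isolated' from the 0.0.0.0/0 route."""
    kinds = {}
    for rt in route_tables:
        default = next((r for r in rt["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), {})
        if default.get("GatewayId", "").startswith("igw-"):
            kind = "public"
        elif default.get("NatGatewayId", "").startswith("nat-"):
            kind = "private"
        else:
            kind = "isolated"  # no default route at all
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:  # the main-table association has no SubnetId
                kinds[assoc["SubnetId"]] = kind
    return kinds


def audit(route_tables, nat_gateways, security_groups, private_subnets):
    """Return findings as strings; an empty list means the layout matches the design."""
    findings = []
    kinds = classify_subnets(route_tables)
    for sid in private_subnets:  # every private subnet must route 0.0.0.0/0 to the NAT
        if kinds.get(sid) != "private":
            findings.append(f"{sid}: expected NAT route, got {kinds.get(sid, 'main route table')}")
    for nat in nat_gateways:  # a NAT gateway only works from a public subnet
        if kinds.get(nat["SubnetId"]) != "public":
            findings.append(f"{nat['NatGatewayId']}: NAT gateway not in a public subnet")
    for sg in security_groups:  # only web-sg may accept 0.0.0.0/0, and only on 80/443
        for perm in sg.get("IpPermissions", []):
            world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            allowed = sg["GroupName"] == "web-sg" and perm.get("FromPort") in (80, 443)
            if world and not allowed:
                findings.append(f"{sg['GroupName']}: port {perm.get('FromPort')} open to 0.0.0.0/0")
    return findings


# Constructed sample (ids are placeholders): subnet-priv2 has no association and
# db-sg mistakenly allows 5432 from anywhere.
ROUTE_TABLES = [
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}],
     "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}]},
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}],
     "Associations": [{"SubnetId": "subnet-priv1"}]},
    {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-1", "SubnetId": "subnet-pub1"}]
SECURITY_GROUPS = [
    {"GroupName": "web-sg", "IpPermissions": [{"FromPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "db-sg", "IpPermissions": [{"FromPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Calling `audit(ROUTE_TABLES, NAT_GATEWAYS, SECURITY_GROUPS, ["subnet-priv1", "subnet-priv2"])` on the sample returns two findings, one for the unassociated private subnet and one for the open database port.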
FAQ
When do I need a NAT Gateway?
When instances in a private subnet (without a public IP) need to reach the internet (e.g. for apt update or API calls) but must not be directly reachable from it.
NAT Gateway vs. NAT instance?
NAT Gateway: managed, highly available, simpler. NAT instance: a cheaper t3.nano as an alternative for low-budget setups.
Conclusion
A clean VPC architecture with public/private subnets is the foundation of every secure AWS deployment environment.
AWS VPC and cloud architecture for SMEs in Heidelberg, Mannheim and the Rhine-Neckar region. Inquiries.