Skip to content

Launch ECS container using AWS CLI - Step 1 - Network Setup

Setup network infrastructure including new VPC (Virtual Private Cloud), public and private subnets, internet gateway, security group, and ssh access.

This is part of a multi-post thread involving these steps:

  1. Network Setup (this post)
  2. Launch EC2 Instance
  3. Create Docker Image
  4. Create Service
  5. Cleanup

Make sure you do this setup first:

  1. Setup macOS for AWS Cloud DevOps
  2. AWS Authentication

Define names


# Subnets

# Internet Gateway

# Route Table

# Security Group

# instance

# SSH access key

Create VPC


echo "Create a VPC  (Virtual Private Cloud) ..."

aws ec2 create-vpc \
    --cidr-block  \
    --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value='$vpc'}]'

vpc_id=$(aws ec2 describe-vpcs --filters Name=tag:Name,Values=$vpc | jq -r '.Vpcs[0].VpcId')

Create Subnets

Create 2 subnets in the VPC. First subnet will be our public interface. The second subnet will be private.

# Subnets
echo "Create subnet 1 ..."

aws ec2 create-subnet \
    --vpc-id $vpc_id \
    --cidr-block \
    --availability-zone us-west-2a \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value='$subnet_1'}]'  

subnet_1_id=$(aws ec2 describe-subnets --filters Name=tag:Name,Values=$subnet_1 | jq -r '.Subnets[0].SubnetId')

echo "Create subnet 2 ..."

aws ec2 create-subnet \
    --vpc-id $vpc_id \
    --cidr-block \
    --availability-zone us-west-2a \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value='$subnet_2'}]'  

subnet_2_id=$(aws ec2 describe-subnets --filters Name=tag:Name,Values=$subnet_2 | jq -r '.Subnets[0].SubnetId')

## Automatically assign Elastic IP address after launch to all instances in subnet 1 
aws ec2 modify-subnet-attribute --subnet-id $subnet_1_id --map-public-ip-on-launch

Create Internet Gateway

Create an Internet gateway and attach it to the VPC. An internet gateway allows communication between your VPC and the Internet:

# Internet Gateway

echo "Create Internet Gateway ..."

aws ec2 create-internet-gateway \
    --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value='$internet_gateway'}]' 

internet_gateway_id=$(aws ec2 describe-internet-gateways --filters Name=tag:Name,Values=$internet_gateway | jq -r '.InternetGateways[0].InternetGatewayId')

## Attach to VPC
aws ec2 attach-internet-gateway --vpc-id $vpc_id --internet-gateway-id $internet_gateway_id

Create Route Table

Create a route table, associate it with the public subnet, and add a route to allow all traffic to the Internet gateway.

# Route Table

echo "Create Route Table ..."

aws ec2 create-route-table \
    --vpc-id $vpc_id \
    --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value='$route_table'}]' 

route_table_id=$(aws ec2 describe-route-tables --filters Name=tag:Name,Values=$route_table | jq -r '.RouteTables[0].RouteTableId')

## Associate with a subnet
aws ec2 associate-route-table  --subnet-id $subnet_1_id --route-table-id $route_table_id

## Create a route in the route table that points all traffic (``) to the Internet gateway:
aws ec2 create-route \
    --route-table-id $route_table_id \
    --gateway-id $internet_gateway_id \

Create Security Group

A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with a VPC, it controls the inbound and outbound traffic for the instances in the VPC.

# Security Group

echo "Create a Security Group ..."

aws ec2 create-security-group \
    --group-name $security_group \
    --description "Security group for instance access" \
    --vpc-id $vpc_id \
    --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value='$security_group'}]' 

Allow SSH Connections

This is done by adding an ingress rule to the Security Group:

group_id=$(aws ec2 describe-security-groups --filters Name=tag:Name,Values=$security_group | jq -r '.SecurityGroups[0].GroupId')

# Add a rule that allows SSH access from anywhere:
aws ec2 authorize-security-group-ingress \
    --group-id $group_id \
    --protocol tcp --port 22 --cidr