Step 1: Enable Network modules - Modular Cloud Studio on AWS

Step 1: Enable Network modules

Follow these steps to enable the Network modules.

  1. Navigate to the MCS web console (see Launch the stack for details).

  2. Select Network from the left navigation pane.

  3. Choose Deploy New Module.

  4. Depending on your use case, follow the steps in Create Amazon VPC to generate a new VPC, or follow the steps in Import Amazon VPC to import an existing VPC by providing its required attributes.

Option 1.a: Create Amazon VPC

  1. For Select Region, select the Region where you want the VPC to be created. There should be only one hub Region option if you haven’t deployed any spoke Regions.

  2. For Select Network module, select Create Amazon VPC and choose Next.

  3. For Configure VPC settings, review the parameters for this module and modify them as necessary. This module uses the following default values.

    Parameter: Availability Zones
      Default: <Region>a, <Region>b
      Description: (Select 2) List of Availability Zones to use for the subnets in the VPC. The logical order is preserved.

    Parameter: VPC CIDR
      Default: 10.0.0.0/16
      Description: CIDR block for the VPC.

    Parameter: Private Subnet CIDR List
      Default: 10.0.0.0/19, 10.0.32.0/19
      Description: Comma-delimited list of CIDR blocks for private subnets 1 and 2, located in Availability Zones 1 and 2, respectively.
      Note: CIDR ranges in each Region must not overlap. The default values don't overlap with each other and fall within the default VPC CIDR range.

    Parameter: Public Subnet CIDR List
      Default: 10.0.128.0/20, 10.0.144.0/20
      Description: Comma-delimited list of CIDR blocks for public subnets 1 and 2, located in Availability Zones 1 and 2, respectively.
      Note: CIDR ranges in each Region must not overlap. The default values don't overlap with each other and fall within the default VPC CIDR range.

    Parameter: Enable VPC Flow Logs
      Default: true
      Description: Set to true to create VPC flow logs for the VPC and publish them to CloudWatch. If set to false, no VPC flow logs are created.

    Parameter: VPC Flow Logs Traffic Type
      Default: REJECT
      Description: The type of traffic to log: traffic the resource accepts (ACCEPT), traffic it rejects (REJECT), or all traffic (ALL).

  4. For Configure Tag Settings, review the tags for this module and modify them as necessary. By default, this module uses tags defined in the main solution stack.

  5. Choose Next.

  6. On the Review page, verify all the parameters that you provided and choose Deploy Module if you confirm that they are correct.

  7. The status of the network module shows as Enabling in progress. The deployment of this module takes approximately five minutes. After the deployment is complete, the status of the network module shows as Enabled.
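The notes in the table above require that the subnet CIDRs not overlap and that they lie inside the VPC CIDR. The following added example (not MCS code; the function names are mine) checks a CIDR plan against those rules using the module defaults as input, and also reports the VPC address space the defaults leave unused:

```python
"""Check a VPC CIDR plan against the rules in the Create Amazon VPC notes:
every subnet CIDR inside the VPC CIDR, no two subnet CIDRs overlapping,
and exactly two CIDRs per subnet list (one per Availability Zone).
Added example, not MCS code; values are the module defaults from the table."""
import ipaddress
from itertools import combinations

VPC_CIDR = "10.0.0.0/16"                              # module default
PRIVATE_SUBNETS = ["10.0.0.0/19", "10.0.32.0/19"]     # module default
PUBLIC_SUBNETS = ["10.0.128.0/20", "10.0.144.0/20"]   # module default


def check_cidr_plan(vpc_cidr, private, public):
    """Return a list of problems; an empty list means the plan is valid."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    for name, subnets in (("private", private), ("public", public)):
        if len(subnets) != 2:
            problems.append(f"{name} list must hold exactly 2 CIDRs, got {len(subnets)}")
    nets = {}
    for cidr in private + public:
        try:
            # strict=True rejects e.g. 10.0.0.1/19 (host bits set)
            nets[cidr] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
    for cidr, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{cidr} is not within VPC CIDR {vpc_cidr}")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} overlaps {b}")
    return problems


def unused_space(vpc_cidr, subnets):
    """CIDR blocks of the VPC not claimed by any subnet, lowest address first.
    Assumes a plan that already passed check_cidr_plan (no overlaps)."""
    free = [ipaddress.ip_network(vpc_cidr)]
    for used in (ipaddress.ip_network(c) for c in subnets):
        free = [rest for f in free
                for rest in (f.address_exclude(used) if used.subnet_of(f) else [f])]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(free))]


if __name__ == "__main__":
    print(check_cidr_plan(VPC_CIDR, PRIVATE_SUBNETS, PUBLIC_SUBNETS))  # []
    print(unused_space(VPC_CIDR, PRIVATE_SUBNETS + PUBLIC_SUBNETS))
```

With the defaults the plan is valid and 10.0.64.0/18, 10.0.160.0/19 and 10.0.192.0/18 remain free for additional subnets.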

Option 1.b: Import Amazon VPC

Pre-deployment requirements

  1. Availability Zones

    1. Ensure that the selected Availability Zones offer the default instance types used by MCS:

      1. t3.large, m5.xlarge, g4dn.xlarge, r6g.large

      2. If other instance types are desired, ensure that they are available in the VPC’s Availability Zones

    2. Use the following AWS CLI command to verify this (the example uses us-east-1):

      $ aws ec2 describe-instance-type-offerings \
          --location-type availability-zone \
          --filters Name=instance-type,Values=t3.large,m5.xlarge,g4dn.xlarge,r6g.large \
          --region us-east-1 \
          --query 'InstanceTypeOfferings[].Location' \
          --output text | tr '\t' '\n' | sort | uniq

  2. Subnet Configuration

    1. At least 2 public subnets across different Availability Zones which will be used by MCS

    2. At least 2 private subnets across different Availability Zones which will be used by MCS

  3. Internet Connectivity

    1. Public subnets must have route tables with routes to an Internet Gateway (IGW)

    2. Private subnets must have route tables with routes to NAT Gateways (NGW)

  4. Required VPC Endpoints

    1. Interface Endpoints

      1. com.amazonaws.[region].ssm

      2. com.amazonaws.[region].ssmmessages

      3. com.amazonaws.[region].ec2

      4. com.amazonaws.[region].ec2messages

    2. Gateway Endpoint

      1. com.amazonaws.[region].s3

Note

All endpoints must be associated with the private subnets where MCS workloads will run. If an endpoint already exists, navigate to that endpoint's configuration page, select "Manage Subnets", and ensure that the endpoint is associated with the private subnets that you will provide to MCS. If the endpoint does not exist yet, select those same subnets when you create it.

In addition, the security group associated with these endpoints must be configured to allow all traffic from the VPC CIDR source.

VPC Peering must be configured between hub and spoke VPCs. For more information, see Work with VPC peering connections. Ensure that the route tables are configured correctly for the VPC peering connection. For more information, see Update your route tables for a VPC peering connection.
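The describe-instance-type-offerings command in the Availability Zones requirement filters on four instance types at once; because multiple filter values are ORed, its output is every AZ that offers at least one of them, not only the AZs that offer all four. This added example (not MCS code; the function names are mine, and the offerings list is a constructed sample in the shape of the API's InstanceTypeOfferings[]) computes the AZs that offer every required type and what each other AZ lacks; fetch_offerings is the equivalent live boto3 query:

```python
"""Find the AZs that offer *every* instance type MCS needs.  Added example,
not MCS code; function names are mine and a constructed sample in the shape
of the API's InstanceTypeOfferings[] stands in for the live response."""
from collections import defaultdict

REQUIRED_TYPES = ("t3.large", "m5.xlarge", "g4dn.xlarge", "r6g.large")  # from the page

# Constructed sample: two zones offer everything, one lacks g4dn.xlarge.
_SAMPLE = {
    "us-east-1a": REQUIRED_TYPES,
    "us-east-1b": REQUIRED_TYPES,
    "us-east-1e": ("t3.large", "m5.xlarge", "r6g.large"),
}
SAMPLE_OFFERINGS = [
    {"InstanceType": t, "Location": az, "LocationType": "availability-zone"}
    for az, types in _SAMPLE.items() for t in types
]

def types_by_zone(offerings):
    """Group offerings into {az: {instance types offered there}}.
    sorted(types_by_zone(...)) is what the CLI's `sort | uniq` prints."""
    by_zone = defaultdict(set)
    for o in offerings:
        by_zone[o["Location"]].add(o["InstanceType"])
    return by_zone

def zones_offering_all(offerings, required=REQUIRED_TYPES):
    """AZs safe to give MCS: every required type is offered there."""
    need = set(required)
    return sorted(az for az, have in types_by_zone(offerings).items() if need <= have)

def missing_by_zone(offerings, required=REQUIRED_TYPES):
    """Per AZ, the required types it lacks (empty list means usable)."""
    return {az: sorted(set(required) - have) for az, have in types_by_zone(offerings).items()}

def fetch_offerings(region, required=REQUIRED_TYPES):
    """Live equivalent of the CLI command (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline functions need no AWS SDK
    ec2 = boto3.client("ec2", region_name=region)
    kwargs = {"LocationType": "availability-zone",
              "Filters": [{"Name": "instance-type", "Values": list(required)}]}
    out = []
    while True:  # follow NextToken until the result set is exhausted
        resp = ec2.describe_instance_type_offerings(**kwargs)
        out.extend(resp["InstanceTypeOfferings"])
        if "NextToken" not in resp:
            return out
        kwargs["NextToken"] = resp["NextToken"]
```

For a live check, pass fetch_offerings("us-east-1") to zones_offering_all and pick the two AZs for the import from that list.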

Validation Testing

Before proceeding with the MCS Unmanaged VPC Module deployment, validate your VPC configuration:

  1. Launch an Amazon Linux 2023 instance in one of the private subnets

  2. Ensure the instance has an IAM Role with AmazonSSMManagedInstanceCore permissions

  3. Attempt to connect to the instance using AWS Systems Manager Session Manager

  4. If you see "Instance is not connected to Session Manager" or the "Connect" button is disabled, troubleshoot your VPC endpoint configuration, network routes, and security groups.

  5. A successful connection confirms proper network configuration.
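If the Session Manager test fails, one of the causes step 4 points to is the one the endpoint Note describes: an endpoint that exists but is not associated with the private subnets handed to MCS. The following added example (not MCS code; the function names and the subnet-prv* IDs are placeholders I chose) checks a DescribeVpcEndpoints response against the required endpoint list, using a constructed sample in which ssmmessages is attached to only one private subnet:

```python
"""Check that the VPC endpoints the import requires exist and are attached to
the private subnets and route tables you will hand to MCS.  Added example, not
MCS code; function names are mine.  Input is the VpcEndpoints[] list from
ec2.describe_vpc_endpoints(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])."""

REGION = "us-east-1"
INTERFACE_SERVICES = ("ssm", "ssmmessages", "ec2", "ec2messages")  # from the page
GATEWAY_SERVICES = ("s3",)                                         # from the page

def _ep(service, kind, **assoc):
    """Build one sample endpoint record in the API's shape (constructed)."""
    return {"ServiceName": f"com.amazonaws.{REGION}.{service}",
            "VpcEndpointType": kind, "State": "available", **assoc}

# Constructed sample: everything exists, but ssmmessages is attached to only one
# of the two private subnets, the misconfiguration the Note warns about.
PRIVATE_SUBNETS = ["subnet-prv1", "subnet-prv2"]      # placeholder IDs
PRIVATE_ROUTE_TABLES = ["rtb-prv123456"]              # example ID from the page
SAMPLE_ENDPOINTS = [
    _ep("ssm", "Interface", SubnetIds=PRIVATE_SUBNETS),
    _ep("ssmmessages", "Interface", SubnetIds=["subnet-prv1"]),
    _ep("ec2", "Interface", SubnetIds=PRIVATE_SUBNETS),
    _ep("ec2messages", "Interface", SubnetIds=PRIVATE_SUBNETS),
    _ep("s3", "Gateway", RouteTableIds=PRIVATE_ROUTE_TABLES),
]

def check_endpoints(endpoints, region, private_subnets, private_route_tables):
    """Return a list of findings; an empty list means every requirement is met."""
    findings = []
    by_service = {e["ServiceName"]: e for e in endpoints}
    required = [(f"com.amazonaws.{region}.{s}", "Interface") for s in INTERFACE_SERVICES]
    required += [(f"com.amazonaws.{region}.{s}", "Gateway") for s in GATEWAY_SERVICES]
    for service, kind in required:
        ep = by_service.get(service)
        if ep is None:
            findings.append(f"{service}: no endpoint in this VPC")
            continue
        if ep.get("VpcEndpointType") != kind:
            findings.append(f"{service}: expected a {kind} endpoint")
        if ep.get("State") != "available":
            findings.append(f"{service}: state is {ep.get('State')}")
        if kind == "Interface":   # interface endpoints live in subnets
            missing = set(private_subnets) - set(ep.get("SubnetIds", []))
        else:                     # gateway endpoints are reached via route tables
            missing = set(private_route_tables) - set(ep.get("RouteTableIds", []))
        if missing:
            findings.append(f"{service}: not associated with {sorted(missing)}")
    return findings
```

The security group rule on the endpoints (allow traffic from the VPC CIDR) is not visible in this response and still has to be checked separately.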

Deploying the MCS Unmanaged VPC Module

  1. For Select Region, select the Region that contains the VPC you want to import. There should be only one hub Region option if you have not deployed any spoke Regions.

    Note

    The VPC must exist in the same account and Region where the Network module is being enabled.

  2. For Select Network module, select Import Amazon VPC and choose Next.

  3. For Configure VPC settings, review the parameters for this module and modify them as necessary. This module uses the following default values.

    Parameter: VPC ID
      Default: <Requires input>
      Description: Identifier of the existing VPC.

    Parameter: VPC CIDR
      Default: <Requires input>
      Description: VPC CIDR block.

    Parameter: Private Subnet IDs
      Default: <Requires input>
      Description: Exactly two comma-separated Subnet IDs for the private subnets.

    Parameter: Public Subnet IDs
      Default: <Requires input>
      Description: Exactly two comma-separated Subnet IDs for the public subnets.

    Parameter: Private Subnet Route Table IDs
      Default: <Requires input>
      Description: Exactly two comma-separated Route Table IDs for the private subnets.
      Notes: See Note below.

    Parameter: Public Subnet Route Table IDs
      Default: <Requires input>
      Description: Exactly two comma-separated Route Table IDs for the public subnets.
      Notes: See Note below.

    Parameter: Availability Zones
      Default: <Requires input>
      Description: (Select 2) List of Availability Zones to use for the subnets in the VPC. The logical order is preserved.

    Note

    If there is only one Route Table available, you can duplicate the entry. MCS expects exactly two comma-delimited values to be provided. For example:

    rtb-prv123456,rtb-prv123456

  4. For Configure Tag Settings, review the tags for this module and modify them as necessary. By default, this module uses tags defined in the main solution stack.

  5. Choose Next.

  6. On the Review page, verify all the parameters that you provided. If they are correct, choose Deploy Module.

  7. The status of the network module shows as Enabling in progress. The deployment of this module takes approximately five minutes. After the deployment is complete, the status of the network module shows as Enabled.