Duration: 2 Hours

Objectives:

• Create AWS account and set up billing alerts
• Configure IAM users, groups, and roles
• Create and attach IAM policies
• Enable MFA for root account
• Create IAM roles for EC2 instances

Prerequisites:

• Valid email address
• Credit/debit card for account verification (will not be charged for Free Tier)

Detailed Procedure:

Step 1: AWS Account Creation

1. Navigate to AWS Sign-up Page

• Go to https://aws.amazon.com/
• Click "Create an AWS Account"
• Enter email address and account name (e.g., "student-labs")

1. Account Verification

• Enter verification code sent to email
• Set root account password (must be strong: 12+ characters, mixed case, numbers, symbols)
• Enter contact information and address

1. Payment Information

• Enter credit/debit card details (required for verification)
• Note: AWS Free Tier provides 750 hours/month EC2, 5GB S3 storage, etc.
• AWS will verify card with $1 authorization (refunded)

1. Account Verification Call

• AWS will call the provided phone number
• Enter the 4-digit PIN shown on screen
• Select support plan: "Basic Plan - Free"

1. Account Activation

• Wait for account activation (usually 5-10 minutes)
• Sign in to AWS Management Console

Expected Result: Successfully logged into AWS Management Console with root account.

Step 2: Configure Billing Alerts

1. Access Billing Dashboard

• Click on account name (top right) → "Billing Dashboard"
• Review current usage (should be $0.00)

1. Create Billing Alert

• Navigate to "Billing" → "Preferences"
• Enable "Receive Billing Alerts"
• Go to CloudWatch → "Alarms" → "Create Alarm"
• Select metric: "Billing" → "EstimatedCharges"
• Set threshold: $5.00
• Configure SNS topic for notifications
• Create new SNS topic: "billing-alerts"
• Enter email address for notifications
• Confirm email subscription
• Name alarm: "BillingAlert-5Dollars"
• Click "Create Alarm"

Expected Result: Billing alarm created and email confirmation received.

Verification Command:

aws cloudwatch describe-alarms --alarm-names BillingAlert-5Dollars

Expected Output:

{
"MetricAlarms": [
{
"AlarmName": "BillingAlert-5Dollars",
"Threshold": 5.0,
"StateValue": "OK"
}
]
}

Step 3: Create IAM User with Programmatic Access

1. Navigate to IAM Console

• Go to Services → "IAM" (Identity and Access Management)
• Click "Users" in left navigation

1. Create New User

• Click "Add users"
• User name: "lab-user-01"
• Access type: Select "Programmatic access" and "AWS Management Console access"
• Console password: "Set custom password"
• Password: Create strong password (save securely)
• Require password reset: Uncheck (for lab purposes)

1. Set Permissions

• Click "Attach existing policies directly"
• Select policy: "AmazonEC2FullAccess"
• Select policy: "AmazonS3FullAccess"
• Click "Next: Tags" (skip tags for now)
• Click "Create user"

1. Save Credentials

• IMPORTANT: Download CSV file with Access Key ID and Secret Access Key
• Store securely (you won't be able to view secret key again)
• Note: Access Key ID: AKIAIOSFODNN7EXAMPLE (example)
• Note: Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY (example)

Expected Result: IAM user created with programmatic and console access.

Verification Command:

aws iam get-user --user-name lab-user-01

Expected Output:

{
"User": {
"UserName": "lab-user-01",
"CreateDate": "2024-01-15T10:30:00Z",
"UserId": "AIDACKCEVSQ6C2EXAMPLE"
}
}

Step 4: Configure AWS CLI

1. Install AWS CLI (if not installed)

# macOS
brew install awscli
# Linux
sudo apt-get install awscli
# Windows - Download from AWS website

2. Configure AWS CLI

aws configure

• AWS Access Key ID: [Enter Access Key from Step 3]
• AWS Secret Access Key: [Enter Secret Key from Step 3]
• Default region name: us-east-1 (or your preferred region)
• Default output format: json

1. Test AWS CLI Configuration

aws sts get-caller-identity

Expected Output:

{
"UserId": "AIDACKCEVSQ6C2EXAMPLE",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/lab-user-01"
}

Step 5: Create IAM Group

1. Create Group

• Navigate to IAM → "Groups"
• Click "Create New Group"
• Group name: "Developers"
• Click "Next Step"

1. Attach Policies to Group

• Search and select: "AmazonEC2FullAccess"
• Search and select: "AmazonS3FullAccess"
• Search and select: "AmazonRDSFullAccess"
• Click "Next Step" → "Create Group"

1. Add User to Group

• Select "Developers" group
• Click "Users" tab → "Add Users to Group"
• Select "lab-user-01"
• Click "Add Users"

Expected Result: Group created with policies, user added to group.

Verification Command:

aws iam get-group --group-name Developers

Step 6: Create IAM Role for EC2

1. Create Role

• Navigate to IAM → "Roles"
• Click "Create Role"
• Trusted entity type: "AWS service"
• Use case: "EC2"
• Click "Next"

1. Attach Permissions

• Search and select: "AmazonS3ReadOnlyAccess"
• Click "Next"

1. Name Role

• Role name: "EC2-S3-ReadOnly-Role"
• Description: "Allows EC2 instances to read from S3"
• Click "Create Role"

Expected Result: IAM role created for EC2 service.

Verification Command:

aws iam get-role --role-name EC2-S3-ReadOnly-Role

Step 7: Enable MFA for IAM User

1. Navigate to User

• Go to IAM → "Users" → Select "lab-user-01"
• Click "Security credentials" tab

1. Assign MFA Device

• Click "Assign MFA device"
• MFA device type: "Virtual MFA device"
• Click "Next"

1. Configure MFA

• Install authenticator app (Google Authenticator, Authy, etc.)
• Scan QR code or enter secret key manually
• Enter two consecutive MFA codes
• Click "Assign MFA"

Expected Result: MFA enabled for IAM user.

Verification: User must provide MFA code when signing in to console.

Step 8: Test IAM Permissions

1. Test EC2 Permissions

aws ec2 describe-instances

Expected Output: List of EC2 instances (may be empty initially)

1. Test S3 Permissions

aws s3 ls

Expected Output: List of S3 buckets (may be empty initially)

1. Test Denied Permission (should fail)

aws iam create-user --user-name test-user

Expected Output: Error - Access Denied (user doesn't have IAM permissions)

Lab Completion Checklist:

• [ ] AWS account created and verified
• [ ] Billing alert configured and tested
• [ ] IAM user created with programmatic access
• [ ] AWS CLI configured and tested
• [ ] IAM group created with policies
• [ ] IAM role created for EC2
• [ ] MFA enabled for IAM user
• [ ] Permissions tested successfully

Assessment Criteria:

• Account setup completed correctly (20%)
• IAM configuration proper (30%)
• AWS CLI working (20%)
• MFA enabled (15%)
• Documentation and screenshots (15%)

Troubleshooting Tips:

• If billing alert not working: Check SNS topic subscription confirmation
• If AWS CLI fails: Verify credentials in ~/.aws/credentials
• If MFA setup fails: Ensure authenticator app is properly configured
• If permissions denied: Check user is in correct group with policies attached

Duration: 2 Hours

Objectives:

• Launch EC2 instances (Linux and Windows)
• Configure security groups
• Connect to instances using SSH/RDP
• Create and attach EBS volumes
• Configure Elastic IP addresses
• Create and use AMIs

Prerequisites:

• Completed Lab 1 (AWS account and IAM configured)
• AWS CLI installed and configured
• SSH client installed (macOS/Linux: built-in, Windows: PuTTY or WSL)

Detailed Procedure:

Step 1: Launch Linux EC2 Instance

1. Navigate to EC2 Console

• Go to Services → "EC2"
• Click "Launch Instance"

1. Choose AMI

• Name: "web-server-linux"
• AMI: Select "Amazon Linux 2023 AMI" (Free Tier eligible)
• Architecture: x86_64
• Click "Select"

1. Choose Instance Type

• Instance type: t2.micro (Free Tier eligible)
• vCPUs: 1, Memory: 1 GiB
• Click "Next: Configure Instance Details"

1. Configure Instance

• Number of instances: 1
• Network: Select default VPC
• Subnet: Select default subnet
• Auto-assign Public IP: Enable
• IAM role: Select "EC2-S3-ReadOnly-Role" (from Lab 1)
• Click "Next: Add Storage"

1. Add Storage

• Volume type: gp3
• Size: 8 GiB (Free Tier: 30 GB)
• Delete on termination: Check (for lab cleanup)
• Click "Next: Add Tags"

1. Add Tags

• Key: Name, Value: web-server-linux
• Key: Environment, Value: Lab
• Key: Project, Value: Cloud-Fundamentals
• Click "Next: Configure Security Group"

1. Configure Security Group

• Security group name: web-server-sg
• Description: "Security group for web server"
• Add rule:
• Type: SSH, Protocol: TCP, Port: 22, Source: My IP
• Add rule:
• Type: HTTP, Protocol: TCP, Port: 80, Source: 0.0.0.0/0
• Click "Review and Launch"

1. Review and Launch

• Review all settings
• Click "Launch"

1. Create/Select Key Pair

• Select "Create a new key pair"
• Key pair name: lab-key-pair
• Key pair type: RSA
• Private key file format: .pem
• Click "Download Key Pair"
• IMPORTANT: Save the .pem file securely
• Set permissions (Linux/macOS):

chmod 400 lab-key-pair.pem

• Click "Launch Instances"

Expected Result: EC2 instance launching, status: "pending" → "running"

Verification Command:

aws ec2 describe-instances --filters "Name=tag:Name,Values=web-server-linux" \
--query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]' \
--output table

Expected Output:

|              DescribeInstances                        |
+------------------+----------+----------------------+
|  i-0123456789abcdef0  |  running  |  54.123.45.67    |
+------------------+----------+----------------------+

Step 2: Connect to Linux Instance via SSH

1. Get Instance Public IP

aws ec2 describe-instances --instance-ids i-0123456789abcdef0 \
--query 'Reservations[*].Instances[*].PublicIpAddress' \
--output text

2. Connect via SSH

ssh -i lab-key-pair.pem ec2-user@54.123.45.67

• First time: Type "yes" to accept host key
• You should see: [ec2-user@ip-172-31-xx-xx ~]$

1. Verify Connection

# On EC2 instance
whoami
# Output: ec2-user
hostname
# Output: ip-172-31-xx-xx
uname -a
# Output: Linux ip-172-31-xx-xx 5.10.x #1 SMP ...

2. Install Web Server (for testing)

sudo yum update -y
sudo yum install httpd -y
sudo systemctl start httpd
sudo systemctl enable httpd
echo "
Hello from EC2!
" | sudo tee /var/www/html/index.html

3. Test Web Server

• Open browser: http://54.123.45.67
• Should see: "Hello from EC2!"

Expected Result: Successfully connected to EC2 instance, web server running.

Step 3: Launch Windows EC2 Instance

1. Launch Windows Instance

• Follow Steps 1-8 from Linux instance
• AMI: Select "Microsoft Windows Server 2022 Base"
• Instance type: t2.micro
• Security group: Add RDP rule (Port 3389, Source: My IP)
• Key pair: Use same lab-key-pair or create new one

1. Get Windows Password

• Wait for instance to be "running"
• Select instance → "Connect" → "RDP client"
• Click "Get Password"
• Upload lab-key-pair.pem file
• Click "Decrypt Password"
• Save the password (shown only once)

1. Connect via RDP

• Download RDP file or use RDP client
• Public IP: [from instance details]
• Username: Administrator
• Password: [decrypted password from step 2]
• Connect

Expected Result: Successfully connected to Windows instance via RDP.

Step 4: Create and Attach EBS Volume

1. Create EBS Volume

aws ec2 create-volume \
--availability-zone us-east-1a \
--size 10 \
--volume-type gp3 \
--tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=lab-data-volume}]'

• Note the VolumeId from output

1. Attach Volume to Instance

aws ec2 attach-volume \
--volume-id vol-0123456789abcdef0 \
--instance-id i-0123456789abcdef0 \
--device /dev/xvdf

2. Verify Volume Attachment

aws ec2 describe-volumes --volume-ids vol-0123456789abcdef0

• State should be "in-use"
• Attachment state should be "attached"

1. Format and Mount Volume (on Linux instance)

# SSH into instance first
ssh -i lab-key-pair.pem ec2-user@54.123.45.67
# List block devices
lsblk
# Should see: xvdf (your new volume)
# Check if formatted
sudo file -s /dev/xvdf
# Output: /dev/xvdf: data (if not formatted)
# Format volume
sudo mkfs -t xfs /dev/xvdf
# Create mount point
sudo mkdir /mnt/data
# Mount volume
sudo mount /dev/xvdf /mnt/data
# Verify mount
df -h
# Should see: /dev/xvdf mounted on /mnt/data
# Make mount persistent (add to /etc/fstab)
echo "/dev/xvdf /mnt/data xfs defaults,nofail 0 2" | sudo tee -a /etc/fstab
# Test
echo "Test data" | sudo tee /mnt/data/test.txt
cat /mnt/data/test.txt

Expected Result: EBS volume created, attached, formatted, and mounted successfully.

Verification Command:

# On instance
df -h | grep xvdf
# Output: /dev/xvdf  10G  33M  10G   1% /mnt/data

Step 5: Configure Elastic IP

1. Allocate Elastic IP

aws ec2 allocate-address --domain vpc

• Note the AllocationId and PublicIp from output

1. Associate Elastic IP with Instance

aws ec2 associate-address \
--instance-id i-0123456789abcdef0 \
--allocation-id eipalloc-0123456789abcdef0

2. Verify Association

aws ec2 describe-addresses --allocation-ids eipalloc-0123456789abcdef0

• InstanceId should match your instance
• PublicIp should be shown

1. Test Connection with Elastic IP

# Get Elastic IP
ELASTIC_IP=$(aws ec2 describe-addresses \
--allocation-ids eipalloc-0123456789abcdef0 \
--query 'Addresses[0].PublicIp' --output text)
echo $ELASTIC_IP
# Should show the Elastic IP address
# Test SSH connection
ssh -i lab-key-pair.pem ec2-user@$ELASTIC_IP

Expected Result: Elastic IP allocated and associated with instance.

Note: Elastic IPs are free when attached to running instances. Charges apply if Elastic IP is not associated with an instance.

Step 6: Create AMI from Running Instance

1. Create AMI

aws ec2 create-image \
--instance-id i-0123456789abcdef0 \
--name "web-server-ami-$(date +%Y%m%d)" \
--description "AMI created from web server instance" \
--no-reboot

• Note the ImageId from output

1. Wait for AMI Creation

# Check AMI status
aws ec2 describe-images --image-ids ami-0123456789abcdef0

• State: "pending" → "available" (takes 5-10 minutes)

1. Launch Instance from AMI

• Go to EC2 Console → "AMIs"
• Select your AMI → "Launch Instance from AMI"
• Configure same as original instance
• Launch

Expected Result: AMI created and new instance launched from AMI.

Verification:

• New instance should have web server pre-installed
• Access http://[new-instance-ip] should show "Hello from EC2!"

Lab Completion Checklist:

• [ ] Linux EC2 instance launched and running
• [ ] Connected to Linux instance via SSH
• [ ] Web server installed and accessible
• [ ] Windows EC2 instance launched
• [ ] Connected to Windows instance via RDP
• [ ] EBS volume created and attached
• [ ] Volume formatted and mounted
• [ ] Elastic IP allocated and associated
• [ ] AMI created from instance
• [ ] New instance launched from AMI

Assessment Criteria:

• Instance launch configuration (20%)
• SSH/RDP connection successful (20%)
• EBS volume operations (20%)
• Elastic IP configuration (15%)
• AMI creation and usage (15%)
• Documentation and screenshots (10%)

Troubleshooting Tips:

• SSH connection fails: Check security group allows port 22 from your IP
• Permission denied (publickey): Verify key file permissions (chmod 400)
• Volume not showing: Check volume is attached and in same AZ as instance
• AMI creation slow: Normal, can take 10-15 minutes for large instances
• Elastic IP not working: Verify instance is running and Elastic IP is associated

Duration: 2 Hours

Objectives:

• Create and configure S3 buckets
• Upload and manage objects using Console and CLI
• Configure bucket versioning and lifecycle policies
• Set up bucket policies and ACLs
• Enable static website hosting
• Configure CORS and event notifications

Prerequisites:

• Completed Lab 1 and Lab 2
• AWS CLI configured
• Basic understanding of HTTP and web hosting

Detailed Procedure:

Step 1: Create S3 Bucket

1. Create Bucket via Console

• Navigate to S3 Console
• Click "Create bucket"
• Bucket name: lab-bucket-[your-student-id] (must be globally unique)
• AWS Region: us-east-1
• Object Ownership: ACLs disabled (recommended)
• Block Public Access settings: Uncheck all (for website hosting)
• Bucket Versioning: Enable
• Default encryption: Enable (SSE-S3)
• Click "Create bucket"

1. Create Bucket via CLI

aws s3 mb s3://lab-bucket-cli-$(date +%s) --region us-east-1

Expected Result: Bucket created successfully.

Verification Command:

aws s3 ls

Expected Output:

2024-01-15 10:30:00 lab-bucket-student123
2024-01-15 10:35:00 lab-bucket-cli-1705315200

Step 2: Upload Objects

1. Create Test Files

# Create test files locally
echo "Hello from S3!" > test-file.txt
echo "
My S3 Website
" > index.html

2. Upload via Console

• Navigate to bucket → "Upload"
• Add files: test-file.txt, index.html
• Click "Upload"

1. Upload via CLI

aws s3 cp test-file.txt s3://lab-bucket-student123/
aws s3 cp index.html s3://lab-bucket-student123/
aws s3 sync . s3://lab-bucket-student123/ --exclude "*" --include "*.txt"

2. Verify Upload

aws s3 ls s3://lab-bucket-student123/

Expected Output:

2024-01-15 10:40:00         18 index.html
2024-01-15 10:40:05         15 test-file.txt

Step 3: Configure Bucket Versioning

1. Enable Versioning

aws s3api put-bucket-versioning \
--bucket lab-bucket-student123 \
--versioning-configuration Status=Enabled

2. Upload New Version of File

echo "Updated content!" > test-file.txt
aws s3 cp test-file.txt s3://lab-bucket-student123/

3. List Object Versions

aws s3api list-object-versions \
--bucket lab-bucket-student123 \
--prefix test-file.txt

Expected Output:

{
"Versions": [
{
"VersionId": "null",
"IsLatest": false,
"LastModified": "2024-01-15T10:40:05.000Z"
},
{
"VersionId": "abc123...",
"IsLatest": true,
"LastModified": "2024-01-15T10:45:00.000Z"
}
]
}

1. Restore Previous Version

# Get version ID of previous version
PREV_VERSION=$(aws s3api list-object-versions \
--bucket lab-bucket-student123 \
--prefix test-file.txt \
--query 'Versions[?IsLatest==`false`].VersionId' --output text)
# Restore previous version
aws s3api get-object \
--bucket lab-bucket-student123 \
--key test-file.txt \
--version-id $PREV_VERSION \
restored-file.txt

Expected Result: Versioning enabled, multiple versions stored, previous version restored.

Step 4: Configure Lifecycle Policies

1. Create Lifecycle Policy

cat > lifecycle-policy.json <
Verify Lifecycle Policy
aws s3api get-bucket-lifecycle-configuration \
--bucket lab-bucket-student123

Expected Result: Lifecycle policies configured for cost optimization.

Step 5: Configure Bucket Policy

1. Create Bucket Policy for Public Read Access

cat > bucket-policy.json <
Test Public Access
# Get public URL
aws s3 presign s3://lab-bucket-student123/index.html --expires-in 3600

• Open URL in browser (should work without authentication)

Expected Result: Bucket policy applied, objects publicly accessible.

Step 6: Enable Static Website Hosting

1. Enable Website Hosting

aws s3 website s3://lab-bucket-student123/ \
--index-document index.html \
--error-document error.html

2. Create Error Page

echo "
404 - Page Not Found
" > error.html
aws s3 cp error.html s3://lab-bucket-student123/

3. Get Website URL

aws s3api get-bucket-website \
--bucket lab-bucket-student123

• Website URL: http://lab-bucket-student123.s3-website-us-east-1.amazonaws.com

1. Test Website

• Open website URL in browser
• Should see: "My S3 Website"

Expected Result: Static website hosted and accessible via public URL.

Step 7: Configure CORS

1. Create CORS Configuration

cat > cors-config.json <
Verify CORS Configuration
aws s3api get-bucket-cors --bucket lab-bucket-student123

Expected Result: CORS configured for cross-origin access.

Step 8: Set Up S3 Event Notifications

1. Create SNS Topic (for notifications)

aws sns create-topic --name s3-upload-notifications

• Note TopicArn from output

1. Subscribe to Topic

aws sns subscribe \
--topic-arn arn:aws:sns:us-east-1:123456789012:s3-upload-notifications \
--protocol email \
--notification-endpoint your-email@example.com

• Confirm subscription via email

1. Configure Event Notification

cat > notification-config.json <
Test Notification
echo "Test notification" > test-notification.txt
aws s3 cp test-notification.txt s3://lab-bucket-student123/

• Check email for notification

Expected Result: Event notifications configured and working.

Lab Completion Checklist:

• [ ] S3 bucket created (Console and CLI)
• [ ] Objects uploaded successfully
• [ ] Versioning enabled and tested
• [ ] Lifecycle policies configured
• [ ] Bucket policy created for public access
• [ ] Static website hosting enabled
• [ ] Website accessible via public URL
• [ ] CORS configured
• [ ] Event notifications set up and tested

Assessment Criteria:

• Bucket creation and configuration (20%)
• Object upload and management (20%)
• Versioning implementation (15%)
• Lifecycle policies (15%)
• Website hosting (15%)
• CORS and notifications (10%)
• Documentation (5%)

Troubleshooting Tips:

• Bucket name already exists: Use unique name with timestamp or student ID
• Public access blocked: Uncheck "Block all public access" in bucket settings
• Website not loading: Verify bucket policy allows public read access
• CORS errors: Check CORS configuration matches your use case
• Notifications not working: Verify SNS topic subscription is confirmed

[Continue with remaining labs following the same detailed format...]

Duration: 2 Hours

Objectives:

• Create custom VPC with proper CIDR blocks
• Configure public and private subnets across availability zones
• Set up Internet Gateway and NAT Gateway
• Configure route tables for proper routing
• Implement security groups and Network ACLs
• Test connectivity between instances

Prerequisites:

• Completed Labs 1-3
• Understanding of IP addressing and subnetting
• Basic networking concepts

Detailed Procedure:

Step 1: Create Custom VPC

1. Create VPC via Console

• Navigate to VPC Console
• Click "Create VPC"
• Name tag: lab-vpc
• IPv4 CIDR block: 10.0.0.0/16
• IPv6 CIDR block: No IPv6 CIDR block
• Tenancy: Default
• Click "Create VPC"

1. Create VPC via CLI

VPC_ID=$(aws ec2 create-vpc \
--cidr-block 10.0.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=lab-vpc}]' \
--query 'Vpc.VpcId' --output text)
echo "VPC ID: $VPC_ID"

Expected Result: VPC created with CIDR 10.0.0.0/16.

Verification Command:

aws ec2 describe-vpcs --vpc-ids $VPC_ID

Step 2: Create Public and Private Subnets

1. Create Public Subnet in AZ-1a

PUBLIC_SUBNET_1=$(aws ec2 create-subnet \
--vpc-id $VPC_ID \
--cidr-block 10.0.1.0/24 \
--availability-zone us-east-1a \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=public-subnet-1a}]' \
--query 'Subnet.SubnetId' --output text)
# Enable auto-assign public IP
aws ec2 modify-subnet-attribute \
--subnet-id $PUBLIC_SUBNET_1 \
--map-public-ip-on-launch

2. Create Public Subnet in AZ-1b

PUBLIC_SUBNET_2=$(aws ec2 create-subnet \
--vpc-id $VPC_ID \
--cidr-block 10.0.2.0/24 \
--availability-zone us-east-1b \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=public-subnet-1b}]' \
--query 'Subnet.SubnetId' --output text)
aws ec2 modify-subnet-attribute \
--subnet-id $PUBLIC_SUBNET_2 \
--map-public-ip-on-launch

3. Create Private Subnet in AZ-1a

PRIVATE_SUBNET_1=$(aws ec2 create-subnet \
--vpc-id $VPC_ID \
--cidr-block 10.0.3.0/24 \
--availability-zone us-east-1a \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=private-subnet-1a}]' \
--query 'Subnet.SubnetId' --output text)

4. Create Private Subnet in AZ-1b

PRIVATE_SUBNET_2=$(aws ec2 create-subnet \
--vpc-id $VPC_ID \
--cidr-block 10.0.4.0/24 \
--availability-zone us-east-1b \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=private-subnet-1b}]' \
--query 'Subnet.SubnetId' --output text)

Expected Result: Four subnets created (2 public, 2 private) across 2 AZs.

Verification Command:

aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" \
--query 'Subnets[*].[SubnetId,CidrBlock,AvailabilityZone,Tags[?Key==`Name`].Value|[0]]' \
--output table

Step 3: Create and Attach Internet Gateway

1. Create Internet Gateway

IGW_ID=$(aws ec2 create-internet-gateway \
--tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=lab-igw}]' \
--query 'InternetGateway.InternetGatewayId' --output text)

2. Attach Internet Gateway to VPC

aws ec2 attach-internet-gateway \
--internet-gateway-id $IGW_ID \
--vpc-id $VPC_ID

Expected Result: Internet Gateway created and attached to VPC.

Verification Command:

aws ec2 describe-internet-gateways --internet-gateway-ids $IGW_ID

Step 4: Configure Route Tables

1. Create Public Route Table

PUBLIC_RT=$(aws ec2 create-route-table \
--vpc-id $VPC_ID \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=public-rt}]' \
--query 'RouteTable.RouteTableId' --output text)
# Add route to Internet Gateway
aws ec2 create-route \
--route-table-id $PUBLIC_RT \
--destination-cidr-block 0.0.0.0/0 \
--gateway-id $IGW_ID
# Associate public subnets with public route table
aws ec2 associate-route-table \
--subnet-id $PUBLIC_SUBNET_1 \
--route-table-id $PUBLIC_RT
aws ec2 associate-route-table \
--subnet-id $PUBLIC_SUBNET_2 \
--route-table-id $PUBLIC_RT

2. Create Private Route Table

PRIVATE_RT=$(aws ec2 create-route-table \
--vpc-id $VPC_ID \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=private-rt}]' \
--query 'RouteTable.RouteTableId' --output text)
# Associate private subnets with private route table
aws ec2 associate-route-table \
--subnet-id $PRIVATE_SUBNET_1 \
--route-table-id $PRIVATE_RT
aws ec2 associate-route-table \
--subnet-id $PRIVATE_SUBNET_2 \
--route-table-id $PRIVATE_RT

Expected Result: Route tables configured, public subnets route to IGW, private subnets have no internet route.

Verification Command:

aws ec2 describe-route-tables --route-table-ids $PUBLIC_RT $PRIVATE_RT

Step 5: Create NAT Gateway

1. Allocate Elastic IP for NAT Gateway

NAT_EIP=$(aws ec2 allocate-address \
--domain vpc \
--tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=nat-gateway-eip}]' \
--query 'AllocationId' --output text)

2. Create NAT Gateway in Public Subnet

NAT_GW=$(aws ec2 create-nat-gateway \
--subnet-id $PUBLIC_SUBNET_1 \
--allocation-id $NAT_EIP \
--tag-specifications 'ResourceType=nat-gateway,Tags=[{Key=Name,Value=lab-nat-gw}]' \
--query 'NatGateway.NatGatewayId' --output text)
echo "NAT Gateway ID: $NAT_GW"
echo "Waiting for NAT Gateway to be available..."
# Wait for NAT Gateway to be available (takes 2-5 minutes)
aws ec2 wait nat-gateway-available --nat-gateway-ids $NAT_GW

3. Add Route to NAT Gateway in Private Route Table

aws ec2 create-route \
--route-table-id $PRIVATE_RT \
--destination-cidr-block 0.0.0.0/0 \
--nat-gateway-id $NAT_GW

Expected Result: NAT Gateway created, private subnets can access internet via NAT Gateway.

Verification Command:

aws ec2 describe-nat-gateways --nat-gateway-ids $NAT_GW
# State should be "available"

Step 6: Launch Instances in Subnets

1. Launch Instance in Public Subnet

PUBLIC_INSTANCE=$(aws ec2 run-instances \
--image-id ami-0c55b159cbfafe1f0 \
--instance-type t2.micro \
--key-name lab-key-pair \
--subnet-id $PUBLIC_SUBNET_1 \
--security-group-ids $WEB_SG \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=public-web-server}]' \
--query 'Instances[0].InstanceId' --output text)

2. Launch Instance in Private Subnet

PRIVATE_INSTANCE=$(aws ec2 run-instances \
--image-id ami-0c55b159cbfafe1f0 \
--instance-type t2.micro \
--key-name lab-key-pair \
--subnet-id $PRIVATE_SUBNET_1 \
--security-group-ids $DB_SG \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=private-db-server}]' \
--query 'Instances[0].InstanceId' --output text)

Expected Result: Instances launched in respective subnets.

Step 7: Configure Security Groups

1. Create Web Server Security Group

WEB_SG=$(aws ec2 create-security-group \
--group-name web-server-sg \
--description "Security group for web servers" \
--vpc-id $VPC_ID \
--query 'GroupId' --output text)
# Allow SSH from your IP
aws ec2 authorize-security-group-ingress \
--group-id $WEB_SG \
--protocol tcp \
--port 22 \
--cidr $(curl -s https://checkip.amazonaws.com)/32
# Allow HTTP from anywhere
aws ec2 authorize-security-group-ingress \
--group-id $WEB_SG \
--protocol tcp \
--port 80 \
--cidr 0.0.0.0/0

2. Create Database Security Group

DB_SG=$(aws ec2 create-security-group \
--group-name db-server-sg \
--description "Security group for database servers" \
--vpc-id $VPC_ID \
--query 'GroupId' --output text)
# Allow MySQL from web server security group only
aws ec2 authorize-security-group-ingress \
--group-id $DB_SG \
--protocol tcp \
--port 3306 \
--source-group $WEB_SG

Expected Result: Security groups configured with proper rules.

Verification Command:

aws ec2 describe-security-groups --group-ids $WEB_SG $DB_SG

Step 8: Configure Network ACLs

1. Get Default NACL

DEFAULT_NACL=$(aws ec2 describe-network-acls \
--filters "Name=vpc-id,Values=$VPC_ID" "Name=default,Values=true" \
--query 'NetworkAcls[0].NetworkAclId' --output text)

2. Create Custom NACL

CUSTOM_NACL=$(aws ec2 create-network-acl \
--vpc-id $VPC_ID \
--tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=lab-custom-nacl}]' \
--query 'NetworkAcl.NetworkAclId' --output text)
# Allow inbound HTTP
aws ec2 create-network-acl-entry \
--network-acl-id $CUSTOM_NACL \
--rule-number 100 \
--protocol tcp \
--port-range From=80,To=80 \
--cidr-block 0.0.0.0/0 \
--egress false \
--rule-action allow
# Allow inbound SSH
aws ec2 create-network-acl-entry \
--network-acl-id $CUSTOM_NACL \
--rule-number 200 \
--protocol tcp \
--port-range From=22,To=22 \
--cidr-block 0.0.0.0/0 \
--egress false \
--rule-action allow
# Allow all outbound
aws ec2 create-network-acl-entry \
--network-acl-id $CUSTOM_NACL \
--rule-number 100 \
--protocol -1 \
--cidr-block 0.0.0.0/0 \
--egress true \
--rule-action allow

Expected Result: Network ACLs configured with proper rules.

Step 9: Test Connectivity

1. Get Instance IPs

PUBLIC_IP=$(aws ec2 describe-instances \
--instance-ids $PUBLIC_INSTANCE \
--query 'Reservations[0].Instances[0].PublicIpAddress' --output text)
PRIVATE_IP=$(aws ec2 describe-instances \
--instance-ids $PRIVATE_INSTANCE \
--query 'Reservations[0].Instances[0].PrivateIpAddress' --output text)

2. Test Public Instance Internet Access

ssh -i lab-key-pair.pem ec2-user@$PUBLIC_IP "curl -s https://www.google.com | head -1"
# Should return: 

3. Test Private Instance Internet Access (via NAT)

ssh -i lab-key-pair.pem ec2-user@$PUBLIC_IP \
"ssh -i lab-key-pair.pem ec2-user@$PRIVATE_IP 'curl -s https://www.google.com | head -1'"
# Should return: 

4. Test Inter-Instance Communication

ssh -i lab-key-pair.pem ec2-user@$PUBLIC_IP \
"ping -c 3 $PRIVATE_IP"
# Should show successful ping responses

Expected Result: All connectivity tests pass.

Lab Completion Checklist:

• [ ] Custom VPC created with proper CIDR
• [ ] Public and private subnets created in multiple AZs
• [ ] Internet Gateway created and attached
• [ ] Route tables configured correctly
• [ ] NAT Gateway created and configured
• [ ] Instances launched in correct subnets
• [ ] Security groups configured
• [ ] Network ACLs configured
• [ ] Connectivity tests successful

Assessment Criteria:

• VPC and subnet configuration (25%)
• Internet Gateway and NAT Gateway setup (25%)
• Route table configuration (20%)
• Security groups and NACLs (15%)
• Connectivity testing (10%)
• Documentation (5%)

Troubleshooting Tips:

• Instances can't access internet: Check route table has route to IGW/NAT Gateway
• Can't SSH to instance: Verify security group allows port 22 from your IP
• Instances can't communicate: Check security groups allow traffic between instances
• NAT Gateway not working: Ensure it's in public subnet and route table updated

Duration: 2 Hours

Objectives:

• Deploy RDS MySQL instance
• Configure RDS security groups
• Create RDS read replicas
• Implement automated backups
• Connect application to RDS

Prerequisites:

• Completed Labs 1-4
• VPC and subnets configured
• Basic SQL knowledge

Detailed Procedure:

Step 1: Create DB Subnet Group

1. Create DB Subnet Group

aws rds create-db-subnet-group \
--db-subnet-group-name lab-db-subnet-group \
--db-subnet-group-description "Subnet group for RDS instances" \
--subnet-ids $PRIVATE_SUBNET_1 $PRIVATE_SUBNET_2 \
--tags Key=Name,Value=lab-db-subnet-group

Expected Result: DB subnet group created in private subnets.

Verification Command:

aws rds describe-db-subnet-groups --db-subnet-group-name lab-db-subnet-group

Step 2: Create RDS MySQL Instance

1. Create RDS MySQL Instance

aws rds create-db-instance \
--db-instance-identifier lab-mysql-db \
--db-instance-class db.t2.micro \
--engine mysql \
--engine-version 8.0.35 \
--master-username admin \
--master-user-password 'LabPassword123!' \
--allocated-storage 20 \
--storage-type gp2 \
--db-subnet-group-name lab-db-subnet-group \
--vpc-security-group-ids $DB_SG \
--backup-retention-period 7 \
--storage-encrypted \
--tags Key=Name,Value=lab-mysql-db

2. Wait for Instance to be Available

echo "Waiting for RDS instance to be available (takes 5-10 minutes)..."
aws rds wait db-instance-available --db-instance-identifier lab-mysql-db

Expected Result: RDS MySQL instance created and available.

Verification Command:

aws rds describe-db-instances --db-instance-identifier lab-mysql-db \
--query 'DBInstances[0].[DBInstanceStatus,Endpoint.Address,Endpoint.Port]' \
--output table

Expected Output:

|    DescribeDBInstances      |
+-------------+---------------+----+
|  available  |  lab-mysql-db. | 3306 |
|             |  xyz.us-east-1 |    |
|             |  .rds.amazonaws.com |    |
+-------------+---------------+----+

Step 3: Configure Security Group for Database Access

1. Get Database Endpoint

DB_ENDPOINT=$(aws rds describe-db-instances \
--db-instance-identifier lab-mysql-db \
--query 'DBInstances[0].Endpoint.Address' --output text)
echo "Database Endpoint: $DB_ENDPOINT"

2. Verify Security Group Rules

aws ec2 describe-security-groups --group-ids $DB_SG

• Should allow MySQL (port 3306) from web server security group

Step 4: Connect to RDS from EC2 Instance

1. Install MySQL Client on EC2

ssh -i lab-key-pair.pem ec2-user@$PUBLIC_IP
# On EC2 instance
sudo yum install mysql -y

2. Connect to RDS Database

mysql -h $DB_ENDPOINT -u admin -p'LabPassword123!'

3. Create Test Database and Table

CREATE DATABASE lab_db;
USE lab_db;
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(50) NOT NULL,
email VARCHAR(100) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
INSERT INTO users (username, email) VALUES
('user1', 'user1@example.com'),
('user2', 'user2@example.com');
SELECT * FROM users;

Expected Result: Successfully connected to RDS and created test data.

Step 5: Create RDS Read Replica

1. Create Read Replica

aws rds create-db-instance-read-replica \
--db-instance-identifier lab-mysql-replica \
--source-db-instance-identifier lab-mysql-db \
--db-instance-class db.t2.micro \
--availability-zone us-east-1b \
--tags Key=Name,Value=lab-mysql-replica

2. Wait for Replica to be Available

aws rds wait db-instance-available --db-instance-identifier lab-mysql-replica

Expected Result: Read replica created in different AZ.

Verification Command:

aws rds describe-db-instances --db-instance-identifier lab-mysql-replica \
--query 'DBInstances[0].[DBInstanceStatus,ReadReplicaSourceDBInstanceIdentifier]'

Step 6: Test Automated Backups

1. Create Manual Snapshot

aws rds create-db-snapshot \
--db-snapshot-identifier lab-mysql-snapshot-$(date +%Y%m%d) \
--db-instance-identifier lab-mysql-db

2. List Snapshots

aws rds describe-db-snapshots \
--db-instance-identifier lab-mysql-db

Expected Result: Snapshot created successfully.

Lab Completion Checklist:

• [ ] DB subnet group created
• [ ] RDS MySQL instance created and available
• [ ] Security group configured correctly
• [ ] Connected to RDS from EC2 instance
• [ ] Test database and tables created
• [ ] Read replica created
• [ ] Automated backups verified
• [ ] Manual snapshot created

Assessment Criteria:

• RDS instance creation (25%)
• Security configuration (20%)
• Database connectivity (20%)
• Read replica setup (15%)
• Backup and snapshot (15%)
• Documentation (5%)

Troubleshooting Tips:

• Can't connect to RDS: Check security group allows MySQL from EC2 security group
• Instance creation fails: Verify DB subnet group has subnets in at least 2 AZs
• Read replica fails: Ensure source instance is available and not in single-AZ mode

Duration: 2 Hours

Objectives:

• Create Lambda functions with different triggers
• Configure Lambda environment variables
• Set up S3 and API Gateway triggers
• Monitor Lambda execution
• Implement error handling

Prerequisites:

• Completed Labs 1-5
• Basic Python programming knowledge
• S3 bucket created (from Lab 3)

Detailed Procedure:

Step 1: Create Lambda Function with Python

1. Create Lambda Function Code

mkdir lambda-functions
cd lambda-functions
cat > lambda_function.py <<'EOF'
import json
import os
def lambda_handler(event, context):
# Get environment variable
greeting = os.environ.get('GREETING', 'Hello')
# Process event
name = event.get('name', 'World')
# Return response
return {
'statusCode': 200,
'body': json.dumps({
'message': f'{greeting}, {name}!',
'timestamp': context.aws_request_id
})
}
EOF

2. Create Deployment Package

zip lambda-function.zip lambda_function.py

3. Create Lambda Function

aws lambda create-function \
--function-name hello-world-lambda \
--runtime python3.11 \
--role arn:aws:iam::123456789012:role/lambda-execution-role \
--handler lambda_function.lambda_handler \
--zip-file fileb://lambda-function.zip \
--timeout 30 \
--memory-size 128 \
--environment Variables="{GREETING=Hi}"

Note: You need to create an IAM role for Lambda first (see Step 2).

Expected Result: Lambda function created successfully.

Verification Command:

aws lambda get-function --function-name hello-world-lambda

Step 2: Create IAM Role for Lambda

1. Create Trust Policy

cat > lambda-trust-policy.json <
Create Role
aws iam create-role \
--role-name lambda-execution-role \
--assume-role-policy-document file://lambda-trust-policy.json
# Attach basic execution policy
aws iam attach-role-policy \
--role-name lambda-execution-role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Get Role ARN
LAMBDA_ROLE_ARN=$(aws iam get-role \
--role-name lambda-execution-role \
--query 'Role.Arn' --output text)
echo "Lambda Role ARN: $LAMBDA_ROLE_ARN"

Expected Result: IAM role created for Lambda execution.

Step 3: Test Lambda Function

1. Invoke Lambda Function

aws lambda invoke \
--function-name hello-world-lambda \
--payload '{"name": "Cloud Student"}' \
response.json
cat response.json

Expected Output:

{
"statusCode": 200,
"body": "{\"message\": \"Hi, Cloud Student!\", \"timestamp\": \"abc123...\"}"
}

Step 4: Create S3 Trigger for Lambda

1. Create Lambda Function for S3 Events

cat > s3_lambda_function.py <<'EOF'
import json
import boto3
s3 = boto3.client('s3')
def lambda_handler(event, context):
# Process S3 event
for record in event['Records']:
bucket = record['s3']['bucket']['name']
key = record['s3']['object']['key']
print(f"File uploaded: s3://{bucket}/{key}")
# Get object metadata
response = s3.head_object(Bucket=bucket, Key=key)
size = response['ContentLength']
return {
'statusCode': 200,
'body': json.dumps({
'message': f'Processed {key} ({size} bytes) from {bucket}'
})
}
EOF
zip s3-lambda-function.zip s3_lambda_function.py

2. Create Lambda Function

aws lambda create-function \
--function-name s3-file-processor \
--runtime python3.11 \
--role $LAMBDA_ROLE_ARN \
--handler s3_lambda_function.lambda_handler \
--zip-file fileb://s3-lambda-function.zip

3. Add S3 Permission to Lambda

aws lambda add-permission \
--function-name s3-file-processor \
--principal s3.amazonaws.com \
--statement-id s3-trigger \
--action lambda:InvokeFunction \
--source-arn arn:aws:s3:::lab-bucket-student123

4. Configure S3 Bucket Notification

cat > s3-notification-config.json <
Test S3 Trigger
echo "Test file for Lambda" > test-lambda.txt
aws s3 cp test-lambda.txt s3://lab-bucket-student123/
# Check Lambda logs
aws logs tail /aws/lambda/s3-file-processor --follow

Expected Result: Lambda function triggered when file uploaded to S3.

Step 5: Create API Gateway Trigger

1. Create API Gateway REST API

API_ID=$(aws apigateway create-rest-api \
--name lambda-api \
--description "API Gateway for Lambda function" \
--query 'id' --output text)
echo "API ID: $API_ID"

2. Get Root Resource ID

ROOT_RESOURCE_ID=$(aws apigateway get-resources \
--rest-api-id $API_ID \
--query 'items[0].id' --output text)

3. Create Resource and Method

# Create resource
RESOURCE_ID=$(aws apigateway create-resource \
--rest-api-id $API_ID \
--parent-id $ROOT_RESOURCE_ID \
--path-part hello \
--query 'id' --output text)
# Create GET method
aws apigateway put-method \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method GET \
--authorization-type NONE
# Set Lambda integration
aws apigateway put-integration \
--rest-api-id $API_ID \
--resource-id $RESOURCE_ID \
--http-method GET \
--type AWS_PROXY \
--integration-http-method POST \
--uri arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:hello-world-lambda/invocations
# Deploy API
aws apigateway create-deployment \
--rest-api-id $API_ID \
--stage-name prod

4. Test API Endpoint

API_URL="https://${API_ID}.execute-api.us-east-1.amazonaws.com/prod/hello"
curl "$API_URL?name=Student"

Expected Result: API Gateway triggers Lambda function successfully.

Lab Completion Checklist:

• [ ] Lambda function created with Python
• [ ] IAM role created for Lambda
• [ ] Lambda function tested successfully
• [ ] S3 trigger configured
• [ ] Lambda triggered by S3 upload
• [ ] API Gateway created
• [ ] API Gateway integrated with Lambda
• [ ] API endpoint tested

Assessment Criteria:

• Lambda function creation (25%)
• IAM role configuration (15%)
• S3 trigger setup (20%)
• API Gateway integration (20%)
• Testing and verification (15%)
• Documentation (5%)

Troubleshooting Tips:

• Lambda execution fails: Check CloudWatch logs for errors
• S3 trigger not working: Verify bucket notification configuration and Lambda permissions
• API Gateway 500 error: Check Lambda function returns proper format
• Permission denied: Verify IAM role has necessary permissions

[Continuing with Labs 7-12 following the same detailed format... Due to length, I'll add concise but complete versions of remaining labs]

Duration: 1.5 Hours

Detailed Procedure:

Step 1: Create GCP Project

gcloud projects create lab-project-$(date +%s) \
--name "Cloud Lab Project" \
--set-as-default
PROJECT_ID=$(gcloud config get-value project)
echo "Project ID: $PROJECT_ID"

Step 2: Enable Billing and APIs

# Link billing account (replace with your billing account ID)
gcloud billing projects link $PROJECT_ID \
--billing-account=0X0X0X-0X0X0X-0X0X0X
# Enable required APIs
gcloud services enable compute.googleapis.com
gcloud services enable storage-component.googleapis.com
gcloud services enable sqladmin.googleapis.com

Step 3: Create IAM Users and Service Accounts

# Create service account
gcloud iam service-accounts create lab-service-account \
--display-name "Lab Service Account"
# Grant roles
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:lab-service-account@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/compute.instanceAdmin"
# Create key
gcloud iam service-accounts keys create key.json \
--iam-account=lab-service-account@$PROJECT_ID.iam.gserviceaccount.com

Expected Result: GCP project created, APIs enabled, service account configured.

Verification:

gcloud projects describe $PROJECT_ID
gcloud iam service-accounts list

Duration: 2 Hours

Detailed Procedure:

Step 1: Create Compute Engine Instance

gcloud compute instances create lab-instance-1 \
--zone=us-east1-b \
--machine-type=e2-micro \
--image-family=ubuntu-2204-lts \
--image-project=ubuntu-os-cloud \
--tags=http-server,https-server \
--metadata=startup-script='#!/bin/bash
apt-get update
apt-get install -y apache2
echo "
Hello from GCP!
" > /var/www/html/index.html'

Step 2: Configure Firewall Rules

# Allow HTTP traffic
gcloud compute firewall-rules create allow-http \
--allow tcp:80 \
--source-ranges 0.0.0.0/0 \
--target-tags http-server
# Allow SSH
gcloud compute firewall-rules create allow-ssh \
--allow tcp:22 \
--source-ranges 0.0.0.0/0

Step 3: Create and Attach Persistent Disk

# Create disk
gcloud compute disks create lab-data-disk \
--size=10GB \
--zone=us-east1-b \
--type=pd-standard
# Attach disk
gcloud compute instances attach-disk lab-instance-1 \
--disk=lab-data-disk \
--zone=us-east1-b

Expected Result: Compute Engine instance running with web server, firewall configured, disk attached.

Verification:

gcloud compute instances list
INSTANCE_IP=$(gcloud compute instances describe lab-instance-1 \
--zone=us-east1-b \
--format='get(networkInterfaces[0].accessConfigs[0].natIP)')
curl http://$INSTANCE_IP

Duration: 1.5 Hours

Detailed Procedure:

Step 1: Create Cloud Storage Bucket

BUCKET_NAME="lab-bucket-$(date +%s)"
gsutil mb -p $PROJECT_ID -c STANDARD -l us-east1 gs://$BUCKET_NAME

Step 2: Upload Objects

echo "Hello from Cloud Storage!" > test-file.txt
gsutil cp test-file.txt gs://$BUCKET_NAME/
# List objects
gsutil ls gs://$BUCKET_NAME/

Step 3: Configure Lifecycle Policies

cat > lifecycle.json <
Expected Result: Bucket created, objects uploaded, lifecycle policies configured.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create Cloud SQL Instance

gcloud sql instances create lab-mysql-instance \
--database-version=MYSQL_8_0 \
--tier=db-f1-micro \
--region=us-east1 \
--root-password='LabPassword123!'

Step 2: Create Database and User

gcloud sql databases create lab_db \
--instance=lab-mysql-instance
gcloud sql users create lab_user \
--instance=lab-mysql-instance \
--password='UserPassword123!'

Step 3: Connect from Compute Engine

# Install Cloud SQL Proxy on instance
gcloud compute ssh lab-instance-1 --zone=us-east1-b --command="
wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
chmod +x cloud_sql_proxy
"
# Get connection name
CONNECTION_NAME=$(gcloud sql instances describe lab-mysql-instance \
--format='value(connectionName)')
# Connect
mysql -h 127.0.0.1 -u lab_user -p'UserPassword123!' lab_db

Expected Result: Cloud SQL instance created, database accessible from Compute Engine.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create Custom VPC Network

gcloud compute networks create lab-vpc \
--subnet-mode=custom \
--bgp-routing-mode=regional

Step 2: Create Subnets

# Public subnet
gcloud compute networks subnets create public-subnet \
--network=lab-vpc \
--range=10.1.0.0/24 \
--region=us-east1 \
--enable-flow-logs
# Private subnet
gcloud compute networks subnets create private-subnet \
--network=lab-vpc \
--range=10.2.0.0/24 \
--region=us-east1 \
--enable-private-ip-google-access

Step 3: Configure Firewall Rules

# Allow HTTP
gcloud compute firewall-rules create allow-http-custom \
--network=lab-vpc \
--allow tcp:80 \
--source-ranges 0.0.0.0/0 \
--target-tags http-server
# Allow internal traffic
gcloud compute firewall-rules create allow-internal \
--network=lab-vpc \
--allow tcp:0-65535,udp:0-65535,icmp \
--source-ranges 10.1.0.0/24,10.2.0.0/24

Expected Result: Custom VPC created with subnets and firewall rules.

Duration: 1.5 Hours

Detailed Procedure:

Step 1: Create CloudWatch Dashboard (AWS)

cat > dashboard.json <
Step 2: Create CloudWatch Alarm
aws cloudwatch put-metric-alarm \
--alarm-name high-cpu-alarm \
--alarm-description "Alarm when CPU exceeds 80%" \
--metric-name CPUUtilization \
--namespace AWS/EC2 \
--statistic Average \
--period 300 \
--threshold 80 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 2 \
--dimensions Name=InstanceId,Value=i-0123456789abcdef0

Step 3: Configure GCP Cloud Monitoring
# Create uptime check
gcloud monitoring uptime-checks create lab-uptime-check \
--display-name="Lab Instance Uptime" \
--http-check-path="/" \
--http-check-port=80 \
--resource-type=INSTANCE \
--resource-group=lab-instance-1
# Create alerting policy
cat > alert-policy.json <
Expected Result: Monitoring dashboards and alerts configured on both platforms.
Lab Completion Checklist:

[ ] CloudWatch dashboard created
[ ] CloudWatch alarms configured
[ ] GCP uptime checks created
[ ] GCP alerting policies configured
[ ] Logs collected and analyzed

Assessment Criteria:

Monitoring setup (30%)
Alerting configuration (30%)
Log management (25%)
Documentation (15%)

Duration: 2 Hours

Objectives:

• Install Docker on local machine
• Understand Docker basic commands
• Pull and run container images
• Manage container lifecycle

Prerequisites:

• Linux/macOS/Windows machine
• Administrator/root access
• Internet connection

Detailed Procedure:

Step 1: Install Docker

For Linux (Ubuntu/Debian):

# Update package index
sudo apt-get update
# Install prerequisites
sudo apt-get install -y \
ca-certificates \
curl \
gnupg \
lsb-release
# Add Docker's official GPG key
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# Set up repository
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install Docker Engine
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Start Docker service
sudo systemctl start docker
sudo systemctl enable docker
# Add user to docker group (to run without sudo)
sudo usermod -aG docker $USER
newgrp docker

For macOS:

• Download Docker Desktop from https://www.docker.com/products/docker-desktop
• Install and launch Docker Desktop
• Verify installation

For Windows:

• Download Docker Desktop from https://www.docker.com/products/docker-desktop
• Install Docker Desktop
• Enable WSL 2 backend if prompted
• Launch Docker Desktop

Expected Result: Docker installed and running.

Verification Command:

docker --version
docker info

Expected Output:

Docker version 24.0.7, build afdd53b
Client:
Context:    default
Debug Mode: false
...

Step 2: Pull Official Images

1. Pull Nginx Image

docker pull nginx:latest
docker images nginx

2. Pull Redis Image

docker pull redis:7-alpine
docker images redis

3. Pull PostgreSQL Image

docker pull postgres:15
docker images postgres

4. Pull Python Image

docker pull python:3.11-slim
docker images python

Expected Result: Multiple images pulled successfully.

Verification Command:

docker images

Expected Output:

REPOSITORY   TAG          IMAGE ID       CREATED        SIZE
nginx        latest       abc123...      2 weeks ago    187MB
redis        7-alpine     def456...      3 days ago     32MB
postgres     15           ghi789...      1 week ago     379MB
python       3.11-slim    jkl012...      5 days ago     126MB

Step 3: Run Containers

1. Run Nginx Container

docker run -d --name nginx-container -p 8080:80 nginx:latest

2. Verify Container Running

docker ps

3. Test Nginx

curl http://localhost:8080
# Or open browser: http://localhost:8080

4. Run Redis Container

docker run -d --name redis-container -p 6379:6379 redis:7-alpine

5. Test Redis

docker exec -it redis-container redis-cli ping
# Should return: PONG

Expected Result: Containers running and accessible.

Verification Command:

docker ps -a

Step 4: Container Lifecycle Management

1. Stop Container

docker stop nginx-container
docker ps
# Container should not appear in running list

2. Start Container

docker start nginx-container
docker ps
# Container should appear in running list

3. Restart Container

docker restart nginx-container

4. Remove Container

docker stop nginx-container
docker rm nginx-container
docker ps -a
# Container should not appear

Expected Result: Container lifecycle managed successfully.

Step 5: Inspect Container Details

1. Inspect Container

docker inspect nginx-container

2. Get Specific Information

# Get IP address
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nginx-container
# Get container ID
docker inspect -f '{{.Id}}' nginx-container
# Get container state
docker inspect -f '{{.State.Status}}' nginx-container

Expected Output:

172.17.0.2
running

Step 6: View Container Logs

1. View Logs

docker logs nginx-container

2. Follow Logs

docker logs -f nginx-container
# Press Ctrl+C to stop following

3. View Last N Lines

docker logs --tail 50 nginx-container

Expected Result: Container logs accessible.

Step 7: Execute Commands in Running Containers

1. Execute Command

docker exec nginx-container ls -la /usr/share/nginx/html

2. Interactive Shell

docker exec -it nginx-container /bin/bash
# Inside container:
cat /etc/nginx/nginx.conf
exit

3. Create File in Container

docker exec nginx-container sh -c "echo 'Hello from container' > /tmp/test.txt"
docker exec nginx-container cat /tmp/test.txt

Expected Result: Commands executed successfully in containers.

Step 8: Clean Up Docker System

1. Remove All Stopped Containers

docker container prune -f

2. Remove Unused Images

docker image prune -a -f

3. Remove Unused Volumes

docker volume prune -f

4. System Cleanup

docker system prune -a --volumes -f

Expected Result: Docker system cleaned up.

Lab Completion Checklist:

• [ ] Docker installed and verified
• [ ] Multiple images pulled successfully
• [ ] Containers run with port mapping
• [ ] Container lifecycle managed (start, stop, restart, remove)
• [ ] Container details inspected
• [ ] Container logs viewed
• [ ] Commands executed in containers
• [ ] Docker system cleaned up

Assessment Criteria:

• Docker installation (20%)
• Image management (20%)
• Container operations (30%)
• Logs and inspection (15%)
• Cleanup operations (10%)
• Documentation (5%)

Troubleshooting Tips:

• Permission denied: Add user to docker group or use sudo
• Port already in use: Change port mapping or stop conflicting service
• Container won't start: Check logs with docker logs
• Can't connect to container: Verify port mapping and firewall rules

Duration: 3 Hours

Objectives:

• Create Dockerfiles for different applications
• Build Docker images
• Optimize Docker images
• Use multi-stage builds

Prerequisites:

• Completed Lab 1
• Basic Python/Node.js/Java knowledge
• Text editor

Detailed Procedure:

Step 1: Create Python Flask Application

1. Create Application Directory

mkdir flask-app
cd flask-app

2. Create Flask Application

cat > app.py <<'EOF'
from flask import Flask
import os
app = Flask(__name__)
@app.route('/')
def hello():
env_var = os.environ.get('GREETING', 'Hello')
return f'{env_var}, World from Flask!'
@app.route('/health')
def health():
return {'status': 'healthy'}, 200
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5000)
EOF

3. Create Requirements File

cat > requirements.txt <

Step 2: Create Dockerfile for Flask App

1. Create Basic Dockerfile

cat > Dockerfile <<'EOF'
FROM python:3.11-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY app.py .
EXPOSE 5000
CMD ["python", "app.py"]
EOF

2. Build Image

docker build -t flask-app:1.0 .

3. Run Container

docker run -d -p 5000:5000 --name flask-app flask-app:1.0
curl http://localhost:5000

Expected Result: Flask application running in container.

Verification Command:

docker images flask-app
docker logs flask-app

Step 3: Optimize Dockerfile

1. Create Optimized Dockerfile

cat > Dockerfile.optimized <<'EOF'
FROM python:3.11-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --user --no-cache-dir -r requirements.txt
FROM python:3.11-slim
WORKDIR /app
COPY --from=builder /root/.local /root/.local
COPY app.py .
ENV PATH=/root/.local/bin:$PATH
EXPOSE 5000
CMD ["python", "app.py"]
EOF

2. Create .dockerignore

cat > .dockerignore <
Build Optimized Image
docker build -f Dockerfile.optimized -t flask-app:optimized .

Compare Image Sizes
docker images flask-app

Expected Result: Optimized image smaller than original.

Step 4: Create Node.js Application Dockerfile

1. Create Node.js App

mkdir node-app
cd node-app
cat > package.json < server.js <<'EOF'
const express = require('express');
const app = express();
const port = 3000;
app.get('/', (req, res) => {
res.send('Hello from Node.js!');
});
app.listen(port, () => {
console.log(`Server running on port ${port}`);
});
EOF

2. Create Dockerfile

cat > Dockerfile <<'EOF'
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY server.js .
EXPOSE 3000
CMD ["node", "server.js"]
EOF

3. Build and Run

docker build -t node-app:1.0 .
docker run -d -p 3000:3000 --name node-app node-app:1.0
curl http://localhost:3000

Expected Result: Node.js application running in container.

Step 5: Multi-Stage Build for Java Application

1. Create Java App Structure

mkdir java-app
cd java-app
mkdir -p src/main/java/com/example

2. Create Multi-Stage Dockerfile

cat > Dockerfile <<'EOF'
# Build stage
FROM maven:3.9-eclipse-temurin-17 AS builder
WORKDIR /app
COPY pom.xml .
COPY src ./src
RUN mvn clean package -DskipTests
# Runtime stage
FROM eclipse-temurin:17-jre-alpine
WORKDIR /app
COPY --from=builder /app/target/*.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
EOF

Expected Result: Multi-stage build reduces final image size.

Step 6: Push Images to Docker Hub

1. Login to Docker Hub

docker login
# Enter Docker Hub username and password

2. Tag Image

docker tag flask-app:1.0 yourusername/flask-app:1.0

3. Push Image

docker push yourusername/flask-app:1.0

Expected Result: Image pushed to Docker Hub.

Lab Completion Checklist:

• [ ] Flask application Dockerfile created
• [ ] Flask image built and tested
• [ ] Dockerfile optimized
• [ ] Node.js application Dockerfile created
• [ ] Multi-stage build implemented
• [ ] Images pushed to Docker Hub
• [ ] Image sizes compared

Assessment Criteria:

• Dockerfile creation (30%)
• Image building (20%)
• Optimization techniques (25%)
• Multi-stage builds (15%)
• Documentation (10%)

Duration: 2 Hours

Detailed Procedure:

Step 1: Create Custom Docker Networks

# Create bridge network
docker network create --driver bridge lab-network
# Create network with custom subnet
docker network create --driver bridge --subnet=172.20.0.0/16 custom-network
# List networks
docker network ls
# Inspect network
docker network inspect lab-network

Step 2: Run Containers in Custom Network

# Run containers in custom network
docker run -d --name web-server --network lab-network nginx
docker run -d --name db-server --network lab-network postgres:15
# Test connectivity
docker exec web-server ping -c 3 db-server

Step 3: Create and Use Volumes

# Create named volume
docker volume create lab-data
# Run container with volume
docker run -d --name app-container \
-v lab-data:/data \
alpine sh -c "echo 'Hello from volume' > /data/test.txt"
# Verify data persistence
docker rm app-container
docker run --rm -v lab-data:/data alpine cat /data/test.txt

Expected Result: Custom networks and volumes working correctly.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create docker-compose.yml

cat > docker-compose.yml <
Expected Result: Multi-container application running with Docker Compose.

Duration: 2 Hours

Detailed Procedure:

Step 1: Install Minikube

# macOS
brew install minikube
# Linux
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube
# Start Minikube
minikube start --driver=docker
minikube status

Step 2: Install kubectl

# macOS
brew install kubectl
# Linux
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
# Verify
kubectl version --client

Step 3: Verify Cluster

kubectl cluster-info
kubectl get nodes
kubectl get pods -n kube-system

Expected Result: Local Kubernetes cluster running.

Duration: 2.5 Hours

Detailed Procedure:

Step 1: Create Pod YAML

cat > nginx-pod.yaml <
Step 2: Create Deployment
cat > nginx-deployment.yaml <
Step 3: Scale Deployment
kubectl scale deployment nginx-deployment --replicas=5
kubectl get pods -l app=nginx

Expected Result: Deployment created and scaled successfully.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create Service

cat > nginx-service.yaml <
Step 2: Install Ingress Controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml
# Wait for ingress controller to be ready
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=90s

Step 3: Create Ingress
cat > nginx-ingress.yaml <
Expected Result: Service and Ingress configured.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create ConfigMap

# From command line
kubectl create configmap app-config \
--from-literal=GREETING=Hello \
--from-literal=ENVIRONMENT=production
# From file
cat > config.properties < configmap.yaml <
Step 2: Use ConfigMap in Pod
cat > pod-with-configmap.yaml <
Step 3: Create Secret
# From command line
kubectl create secret generic db-secret \
--from-literal=username=admin \
--from-literal=password=secret123
# From YAML (base64 encoded)
echo -n 'admin' | base64  # YWRtaW4=
echo -n 'secret123' | base64  # c2VjcmV0MTIz
cat > secret.yaml <
Expected Result: ConfigMaps and Secrets created and used in pods.

Duration: 2.5 Hours

Detailed Procedure:

Step 1: Configure Resource Limits

cat > deployment-with-resources.yaml <
Step 2: Install Metrics Server and HPA
# Install metrics server
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
# Create HPA
kubectl autoscale deployment app-deployment \
--cpu-percent=50 \
--min=2 \
--max=10
kubectl get hpa

Expected Result: HPA configured for automatic scaling.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create GKE Cluster

gcloud container clusters create lab-cluster \
--num-nodes=2 \
--machine-type=e2-medium \
--zone=us-east1-b \
--enable-autorepair \
--enable-autoscaling \
--min-nodes=1 \
--max-nodes=3
# Get credentials
gcloud container clusters get-credentials lab-cluster --zone=us-east1-b
# Verify
kubectl get nodes

Expected Result: GKE cluster created and accessible.

Duration: 2.5 Hours

Detailed Procedure:

Step 1: Deploy Application

# Use deployment from previous labs
kubectl apply -f nginx-deployment.yaml
# Create LoadBalancer service
kubectl apply -f nginx-service.yaml
# Get external IP
kubectl get svc nginx-service
EXTERNAL_IP=$(kubectl get svc nginx-service -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
curl http://$EXTERNAL_IP

Expected Result: Application deployed and accessible via external IP.

Duration: 2 Hours

Detailed Procedure:

Step 1: Update Deployment

# Update image
kubectl set image deployment/nginx-deployment nginx=nginx:1.21
# Watch rollout
kubectl rollout status deployment/nginx-deployment
# Check rollout history
kubectl rollout history deployment/nginx-deployment

Step 2: Rollback

# Rollback to previous version
kubectl rollout undo deployment/nginx-deployment
# Rollback to specific revision
kubectl rollout undo deployment/nginx-deployment --to-revision=2

Expected Result: Rolling updates and rollbacks working correctly.

Lab Completion Checklist:

• [ ] Docker networking configured
• [ ] Docker volumes created and used
• [ ] Docker Compose multi-container app running
• [ ] Kubernetes cluster set up
• [ ] Pods and Deployments created
• [ ] Services and Ingress configured
• [ ] ConfigMaps and Secrets used
• [ ] Scaling and self-healing implemented
• [ ] GKE cluster created
• [ ] Applications deployed on GKE
• [ ] Rolling updates and rollbacks tested

Assessment Criteria:

• Docker networking and volumes (15%)
• Docker Compose (15%)
• Kubernetes basics (20%)
• Services and Ingress (15%)
• ConfigMaps and Secrets (15%)
• Scaling and GKE (15%)
• Documentation (5%)

Duration: 2.5 Hours

Objectives:

• Create Lambda functions with different triggers
• Implement Lambda layers
• Configure Lambda destinations
• Optimize Lambda performance

Prerequisites:

• Completed Semester 1 labs
• Basic Python programming
• S3 bucket created

Detailed Procedure:

Step 1: Create Lambda Function with S3 Trigger

1. Create Lambda Function Code

mkdir lambda-s3-processor
cd lambda-s3-processor
cat > lambda_function.py <<'EOF'
import json
import boto3
import os
s3 = boto3.client('s3')
sns = boto3.client('sns')
def lambda_handler(event, context):
sns_topic_arn = os.environ['SNS_TOPIC_ARN']
for record in event['Records']:
bucket = record['s3']['bucket']['name']
key = record['s3']['object']['key']
# Get object metadata
response = s3.head_object(Bucket=bucket, Key=key)
size = response['ContentLength']
content_type = response['ContentType']
# Send notification
message = f"File {key} ({size} bytes, {content_type}) uploaded to {bucket}"
sns.publish(TopicArn=sns_topic_arn, Message=message)
return {
'statusCode': 200,
'body': json.dumps({'message': f'Processed {key}'})
}
EOF

2. Create Deployment Package

zip lambda-s3-processor.zip lambda_function.py

3. Create SNS Topic

SNS_TOPIC_ARN=$(aws sns create-topic \
--name s3-upload-notifications \
--query 'TopicArn' --output text)
# Subscribe email
aws sns subscribe \
--topic-arn $SNS_TOPIC_ARN \
--protocol email \
--notification-endpoint your-email@example.com

4. Create Lambda Function

# Get Lambda execution role ARN (create if needed)
LAMBDA_ROLE_ARN="arn:aws:iam::123456789012:role/lambda-execution-role"
aws lambda create-function \
--function-name s3-file-processor \
--runtime python3.11 \
--role $LAMBDA_ROLE_ARN \
--handler lambda_function.lambda_handler \
--zip-file fileb://lambda-s3-processor.zip \
--environment Variables="{SNS_TOPIC_ARN=$SNS_TOPIC_ARN}" \
--timeout 30 \
--memory-size 256

5. Add S3 Permission

aws lambda add-permission \
--function-name s3-file-processor \
--principal s3.amazonaws.com \
--statement-id s3-trigger \
--action lambda:InvokeFunction \
--source-arn arn:aws:s3:::lab-bucket-student123

6. Configure S3 Bucket Notification

cat > s3-notification.json <
Test S3 Trigger
echo "Test file" > test-trigger.txt
aws s3 cp test-trigger.txt s3://lab-bucket-student123/
# Check Lambda logs
aws logs tail /aws/lambda/s3-file-processor --follow

Expected Result: Lambda function triggered when file uploaded to S3, SNS notification sent.

Verification:

aws lambda get-function --function-name s3-file-processor
aws logs describe-log-streams --log-group-name /aws/lambda/s3-file-processor

Step 2: Create Lambda Layer

1. Create Layer Directory Structure

mkdir -p python-layer/python
cd python-layer/python
# Install requests library
pip install requests -t .
cd ..

2. Create Layer Package

zip -r requests-layer.zip python/

3. Publish Layer

LAYER_ARN=$(aws lambda publish-layer-version \
--layer-name requests-layer \
--zip-file fileb://requests-layer.zip \
--compatible-runtimes python3.11 \
--query 'LayerVersionArn' --output text)
echo "Layer ARN: $LAYER_ARN"

4. Update Lambda Function to Use Layer

aws lambda update-function-configuration \
--function-name s3-file-processor \
--layers $LAYER_ARN

Expected Result: Lambda layer created and attached to function.

Step 3: Configure Lambda Provisioned Concurrency

1. Create Provisioned Concurrency Configuration

aws lambda put-provisioned-concurrency-config \
--function-name s3-file-processor \
--qualifier '$LATEST' \
--provisioned-concurrent-executions 2

2. Monitor Provisioned Concurrency

aws lambda get-provisioned-concurrency-config \
--function-name s3-file-processor \
--qualifier '$LATEST'

Expected Result: Provisioned concurrency configured to reduce cold starts.

Lab Completion Checklist:

• [ ] Lambda function created with S3 trigger
• [ ] SNS topic configured and subscribed
• [ ] Lambda layer created and attached
• [ ] Provisioned concurrency configured
• [ ] Dead letter queue configured
• [ ] Lambda destinations set up
• [ ] Performance monitoring implemented
• [ ] Cost optimization applied

Assessment Criteria:

• Lambda function creation (25%)
• Trigger configuration (20%)
• Lambda layers (15%)
• Performance optimization (20%)
• Monitoring and testing (15%)
• Documentation (5%)

Duration: 2 Hours

Detailed Procedure:

Step 1: Create HTTP Cloud Function

mkdir cloud-function-http
cd cloud-function-http
cat > main.py <<'EOF'
import functions_framework
from flask import jsonify
@functions_framework.http
def hello_http(request):
name = request.args.get('name', 'World')
return jsonify({'message': f'Hello, {name}!'})
EOF
cat > requirements.txt <
Expected Result: HTTP Cloud Function deployed and accessible.

Duration: 2.5 Hours

Detailed Procedure:

Step 1: Create VPC Peering

# Create VPC 1
VPC1_ID=$(aws ec2 create-vpc --cidr-block 10.1.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=vpc-1}]' \
--query 'Vpc.VpcId' --output text)
# Create VPC 2
VPC2_ID=$(aws ec2 create-vpc --cidr-block 10.2.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=vpc-2}]' \
--query 'Vpc.VpcId' --output text)
# Create peering connection
PEERING_ID=$(aws ec2 create-vpc-peering-connection \
--vpc-id $VPC1_ID \
--peer-vpc-id $VPC2_ID \
--query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text)
# Accept peering
aws ec2 accept-vpc-peering-connection \
--vpc-peering-connection-id $PEERING_ID
# Add routes
RT1=$(aws ec2 describe-route-tables \
--filters "Name=vpc-id,Values=$VPC1_ID" \
--query 'RouteTables[0].RouteTableId' --output text)
aws ec2 create-route \
--route-table-id $RT1 \
--destination-cidr-block 10.2.0.0/16 \
--vpc-peering-connection-id $PEERING_ID

Expected Result: VPC peering configured, instances can communicate across VPCs.

[Continuing with Labs 4-10 following same detailed format...]

Duration: 2 Hours

Detailed Procedure:

Step 1: Create Site-to-Site VPN

# Create Customer Gateway
CGW=$(aws ec2 create-customer-gateway \
--type ipsec.1 \
--public-ip YOUR_PUBLIC_IP \
--bgp-asn 65000 \
--query 'CustomerGateway.CustomerGatewayId' --output text)
# Create Virtual Private Gateway
VGW=$(aws ec2 create-vpn-gateway \
--type ipsec.1 \
--query 'VpnGateway.VpnGatewayId' --output text)
# Attach to VPC
aws ec2 attach-vpn-gateway \
--vpn-gateway-id $VGW \
--vpc-id $VPC_ID
# Create VPN Connection
VPN_CONN=$(aws ec2 create-vpn-connection \
--type ipsec.1 \
--customer-gateway-id $CGW \
--vpn-gateway-id $VGW \
--query 'VpnConnection.VpnConnectionId' --output text)

Expected Result: Site-to-Site VPN connection created.

Duration: 2.5 Hours

Detailed Procedure:

Step 1: Create Application Load Balancer

# Create ALB
ALB_ARN=$(aws elbv2 create-load-balancer \
--name lab-alb \
--subnets $PUBLIC_SUBNET_1 $PUBLIC_SUBNET_2 \
--security-groups $WEB_SG \
--query 'LoadBalancers[0].LoadBalancerArn' --output text)
# Create target group
TG_ARN=$(aws elbv2 create-target-group \
--name lab-target-group \
--protocol HTTP \
--port 80 \
--vpc-id $VPC_ID \
--health-check-path /health \
--query 'TargetGroups[0].TargetGroupArn' --output text)
# Register targets
aws elbv2 register-targets \
--target-group-arn $TG_ARN \
--targets Id=$INSTANCE_ID_1 Id=$INSTANCE_ID_2
# Create listener
aws elbv2 create-listener \
--load-balancer-arn $ALB_ARN \
--protocol HTTP \
--port 80 \
--default-actions Type=forward,TargetGroupArn=$TG_ARN
# Get ALB DNS
ALB_DNS=$(aws elbv2 describe-load-balancers \
--load-balancer-arns $ALB_ARN \
--query 'LoadBalancers[0].DNSName' --output text)
curl http://$ALB_DNS

Expected Result: Application Load Balancer created and routing traffic.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create Launch Template

cat > launch-template.json <
Step 2: Create Auto Scaling Group
aws autoscaling create-auto-scaling-group \
--auto-scaling-group-name lab-asg \
--launch-template LaunchTemplateId=$LT_ID \
--min-size 2 \
--max-size 5 \
--desired-capacity 2 \
--vpc-zone-identifier "$PUBLIC_SUBNET_1,$PUBLIC_SUBNET_2" \
--target-group-arns $TG_ARN \
--health-check-type ELB \
--health-check-grace-period 300

Step 3: Create Scaling Policy
aws autoscaling put-scaling-policy \
--auto-scaling-group-name lab-asg \
--policy-name cpu-scaling-policy \
--policy-type TargetTrackingScaling \
--target-tracking-configuration '{
"TargetValue": 50.0,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "ASGAverageCPUUtilization"
}
}'

Expected Result: Auto Scaling Group created with target tracking policy.

Duration: 2 Hours

Detailed Procedure:

Step 1: Configure RDS Multi-AZ

aws rds modify-db-instance \
--db-instance-identifier lab-mysql-db \
--multi-az \
--apply-immediately
# Wait for modification
aws rds wait db-instance-available --db-instance-identifier lab-mysql-db

Step 2: Create Aurora Serverless

aws rds create-db-cluster \
--db-cluster-identifier lab-aurora-serverless \
--engine aurora-mysql \
--engine-version 8.0.mysql_aurora.3.02.0 \
--database-name lab_db \
--master-username admin \
--master-user-password 'LabPassword123!' \
--serverless-v2-scaling-configuration MinCapacity=0.5,MaxCapacity=4
aws rds create-db-instance \
--db-instance-identifier lab-aurora-instance-1 \
--db-instance-class db.serverless \
--engine aurora-mysql \
--db-cluster-identifier lab-aurora-serverless

Expected Result: Aurora Serverless cluster created.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create SQS Queue

# Standard queue
QUEUE_URL=$(aws sqs create-queue \
--queue-name lab-standard-queue \
--query 'QueueUrl' --output text)
# FIFO queue
FIFO_QUEUE_URL=$(aws sqs create-queue \
--queue-name lab-fifo-queue.fifo \
--attributes FifoQueue=true,ContentBasedDeduplication=true \
--query 'QueueUrl' --output text)
# Send message
aws sqs send-message \
--queue-url $QUEUE_URL \
--message-body "Test message"
# Receive message
aws sqs receive-message --queue-url $QUEUE_URL

Expected Result: SQS queues created and messages sent/received.

Duration: 2 Hours

Detailed Procedure:

Step 1: Create CloudFront Distribution

cat > cloudfront-config.json <
Expected Result: CloudFront distribution created and serving content.

Duration: 3 Hours

Detailed Procedure:

Step 1: Design Architecture

• Create architecture diagram showing:
• AWS resources (EC2, RDS, S3)
• GCP resources (Compute Engine, Cloud SQL, Cloud Storage)
• Cross-cloud connectivity
• Unified monitoring

Step 2: Deploy Resources

# AWS resources (from previous labs)
# GCP resources
gcloud compute instances create multi-cloud-instance \
--zone=us-east1-b \
--machine-type=e2-micro
# Cross-cloud connectivity via VPN or Interconnect

Step 3: Unified Monitoring

# Use third-party tools like Datadog, New Relic, or custom solutions
# Configure CloudWatch and Cloud Monitoring exports

Expected Result: Multi-cloud architecture deployed with unified monitoring.

Lab Completion Checklist:

• [ ] Serverless applications built (Lambda and Cloud Functions)
• [ ] Advanced VPC networking configured
• [ ] VPN connections established
• [ ] Load balancers configured
• [ ] Auto-scaling implemented
• [ ] Managed services configured
• [ ] Message queues implemented
• [ ] CDN configured
• [ ] Multi-cloud architecture designed and deployed

Assessment Criteria:

• Serverless applications (20%)
• Advanced networking (20%)
• Load balancing and scaling (20%)
• Managed services (20%)
• Multi-cloud architecture (15%)
• Documentation (5%)

Duration: 3 Hours

Objectives:

• Create shared pipeline libraries
• Implement parallel execution
• Optimize pipeline performance
• Implement pipeline notifications

Prerequisites:

• Jenkins server installed
• Git repository access
• Basic Groovy knowledge

Detailed Procedure:

Step 1: Install Jenkins

1. Install Jenkins (Ubuntu/Debian)

curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key | sudo tee \
/usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins -y
sudo systemctl start jenkins
sudo systemctl enable jenkins

2. Access Jenkins

• Open browser: http://localhost:8080
• Get initial admin password:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

• Install suggested plugins
• Create admin user

Expected Result: Jenkins installed and accessible.

Step 2: Create Shared Pipeline Library

1. Create Library Repository Structure

mkdir jenkins-shared-library
cd jenkins-shared-library
mkdir -p vars src/org/example

2. Create Library Functions

cat > vars/buildApp.groovy <<'EOF'
def call(Map config) {
stage('Build') {
sh """
echo "Building ${config.appName}..."
# Add build commands here
"""
}
}
EOF
cat > vars/testApp.groovy <<'EOF'
def call(Map config) {
stage('Test') {
sh """
echo "Testing ${config.appName}..."
# Add test commands here
"""
}
}
EOF

3. Configure Library in Jenkins

• Go to Jenkins → Manage Jenkins → Configure System
• Scroll to "Global Pipeline Libraries"
• Add library:
• Name: shared-library
• Default version: main
• Retrieval method: Modern SCM
• Source Code Management: Git
• Repository URL: [Your Git repo URL]

Expected Result: Shared library configured in Jenkins.

Step 3: Create Pipeline with Parallel Execution

1. Create Jenkinsfile

cat > Jenkinsfile <<'EOF'
@Library('shared-library') _
pipeline {
agent any
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Build & Test') {
parallel {
stage('Build Frontend') {
steps {
sh 'echo "Building frontend..."'
}
}
stage('Build Backend') {
steps {
sh 'echo "Building backend..."'
}
}
stage('Run Tests') {
steps {
sh 'echo "Running tests..."'
}
}
}
}
stage('Deploy') {
steps {
sh 'echo "Deploying..."'
}
}
}
post {
success {
emailext (
subject: "Pipeline Success: ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
body: "Build successful!",
to: "team@example.com"
)
}
failure {
emailext (
subject: "Pipeline Failed: ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
body: "Build failed!",
to: "team@example.com"
)
}
}
}
EOF

2. Create Pipeline Job

• New Item → Pipeline
• Name: advanced-pipeline
• Pipeline → Definition: Pipeline script from SCM
• SCM: Git
• Repository URL: [Your repo]
• Script Path: Jenkinsfile
• Save and Build

Expected Result: Pipeline created with parallel execution and notifications.

Verification:

• Check pipeline execution in Jenkins UI
• Verify parallel stages run simultaneously
• Check email notifications received

Lab Completion Checklist:

• [ ] Jenkins installed and configured
• [ ] Shared library created
• [ ] Pipeline with parallel execution created
• [ ] Pipeline caching configured
• [ ] Email notifications working
• [ ] Pipeline metrics monitored
• [ ] Pipeline optimized

Assessment Criteria:

• Jenkins setup (20%)
• Shared library creation (25%)
• Parallel execution (20%)
• Notifications (15%)
• Optimization (15%)
• Documentation (5%)

Duration: 3 Hours

Detailed Procedure:

Step 1: Integrate SonarQube

1. Install SonarQube (Docker)

docker run -d --name sonarqube \
-p 9000:9000 \
-e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
sonarqube:latest

2. Install SonarQube Scanner Plugin in Jenkins

• Manage Jenkins → Manage Plugins
• Install "SonarQube Scanner" plugin

1. Configure SonarQube in Jenkins

• Manage Jenkins → Configure System
• SonarQube servers → Add SonarQube
• Name: sonarqube
• Server URL: http://localhost:9000
• Server authentication token: [Generate in SonarQube]

1. Add SonarQube Stage to Pipeline

stage('SonarQube Analysis') {
steps {
withSonarQubeEnv('sonarqube') {
sh 'sonar-scanner'
}
}
}

Expected Result: SonarQube integrated in pipeline.

Step 2: Integrate Snyk for Dependency Scanning

1. Install Snyk Plugin

# Install Snyk CLI
npm install -g snyk
# Authenticate
snyk auth

2. Add Snyk Stage

stage('Dependency Scanning') {
steps {
sh 'snyk test --severity-threshold=high'
}
}

Step 3: Integrate Trivy for Container Scanning

1. Install Trivy

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y

2. Add Trivy Stage

stage('Container Scanning') {
steps {
sh 'trivy image your-image:latest'
}
}

Expected Result: Security scanning integrated in CI/CD pipeline.

Duration: 3 Hours

Detailed Procedure:

Step 1: Create Module Structure

mkdir terraform-modules
cd terraform-modules
mkdir -p modules/ec2-instance
cat > modules/ec2-instance/main.tf <
Step 2: Use Module
cat > main.tf <
Expected Result: Reusable Terraform module created and used.

Duration: 2.5 Hours

Detailed Procedure:

Step 1: Write Terraform Tests

# Install Terratest (Go required)
go mod init terraform-test
go get github.com/gruntwork-io/terratest/modules/terraform
go get github.com/stretchr/testify/assert
cat > test_terraform.go <<'EOF'
package test
import (
"testing"
"github.com/gruntwork-io/terratest/modules/terraform"
"github.com/stretchr/testify/assert"
)
func TestTerraformInfrastructure(t *testing.T) {
terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
TerraformDir: "../",
})
defer terraform.Destroy(t, terraformOptions)
terraform.InitAndApply(t, terraformOptions)
instanceID := terraform.Output(t, terraformOptions, "instance_id")
assert.NotEmpty(t, instanceID)
}
EOF
go test -v

Expected Result: Infrastructure tests written and executed.

Duration: 2.5 Hours

Detailed Procedure:

Step 1: Install Open Policy Agent

# Download OPA
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
chmod +x opa
sudo mv opa /usr/local/bin/
# Verify
opa version

Step 2: Write Policy Rules

cat > policies/ec2_policy.rego <
Step 3: Integrate with Terraform
# Use conftest for Terraform
go install github.com/open-policy-agent/conftest@latest
conftest test main.tf --policy policies/

Expected Result: Compliance policies enforced automatically.
Lab Completion Checklist:

[ ] Advanced Jenkins pipelines created
[ ] Security scanning integrated
[ ] Terraform modules developed
[ ] Infrastructure testing implemented
[ ] Compliance automation configured
[ ] All tools working together

Assessment Criteria:

Jenkins pipelines (25%)
Security scanning (25%)
Terraform modules (20%)
Infrastructure testing (15%)
Compliance automation (10%)
Documentation (5%)