Create a VPC with Public & Private Subnets in AWS
VPC stands for Virtual Private Cloud. It is the Amazon Web Services service that lets you provision a logically isolated section of the AWS cloud, with your own IP address range, subnets, route tables and gateways, and run resources such as Amazon EC2 instances inside it. A VPC can optionally be linked to your own network over an IPsec VPN, but that is not needed for the setup in this article.
Today we will create a VPC with a public subnet and a private subnet, an internet gateway for the public subnet, and a NAT gateway so that instances in the private subnet can reach the internet without being reachable from it.
We will first create the VPC from the VPC Dashboard in the AWS Console:
Click on the Create button, which creates the VPC:
Our VPC is now created:
Next, associate a route table with your subnet using the step below:
Let's create the subnets now, starting with the public subnet. This is created using the Subnets option in the left-hand list of the VPC Dashboard:
Name Tag: Enter any name for your subnet
VPC: Select the VPC created in the step above
Availability Zone: Select the Availability Zone in which you want your subnet.
IPv4 CIDR Block: 10.0.1.0/24
Click on ‘Create’ button:
Next, associate a route table with your subnet using the step below:
Now the private subnet. It is created the same way, from the Subnets option in the left-hand list of the VPC Dashboard:
Name Tag: Enter any name for your subnet
VPC: Select the VPC created in the step above
Availability Zone: Select the Availability Zone in which you want your subnet.
IPv4 CIDR Block: 10.0.2.0/24
Click on ‘Create’ Button:
Right-click the public subnet and choose Modify auto-assign IP settings; on selecting it you will get the screen below. Enable auto-assign public IPv4 for the public subnet, so that instances launched there get a public address. Open the same dialog for the private subnet and make sure the option stays disabled: instances in the private subnet should only ever have private addresses.
At this stage we have created the VPC, the private subnet and the public subnet. Now let's create an Internet Gateway to use with our public subnet.
You can create an internet gateway from the left-hand list:
Enter a name for the internet gateway and click Create:
You will get the confirmation below when you click Create:
Now it's time to attach the Internet Gateway to the VPC. Right-click the internet gateway and it will show an Attach to VPC option, as below:
Select the VPC we created and click 'Attach':
In the screen below, the Internet Gateway state shows as Attached:
NAT Gateway
Now it's time to create the NAT Gateway. A NAT Gateway gives your private subnet outbound internet access. Say you have a package running on an EC2 instance in the private subnet that needs updates from the internet: with a NAT gateway in place, that instance can reach the internet. You still have to log in to the private instance through the instance in the public subnet (it has no public IP of its own), but the software updates themselves flow out through the NAT gateway, not through the public instance.
A NAT Gateway is one-way: it lets the private instances initiate connections to the internet, and prevents the internet from initiating a connection with those instances.
Important: the NAT Gateway itself must be created in the public subnet, because it needs an Elastic IP and a route to the Internet Gateway. The private subnet then routes its internet-bound traffic to the NAT Gateway.
We'll select the 'Public' subnet from the list above and click 'Allocate Elastic IP'.
Next we'll click 'Create NAT Gateway', after which you will see the confirmation below:
Now it's time to create the route tables. First we'll create the route table for the public subnet. Enter a name and select the VPC:
Click 'Create', after which you will see the confirmation below:
The public route table is created as below. Note that it has the Local route by default; this route covers the VPC's own CIDR and cannot be removed:
We'll now add an internet gateway route as below: destination 0.0.0.0/0 (everything not matched by a more specific route) and target the Internet Gateway. Click Add routes, which saves the entries for the route table.
With this route table associated, our public subnet has access to the internet, and instances in it with a public IP are reachable from the internet. Since the NAT Gateway sits in the public subnet, it reaches the internet through this same route.
Let's now create the route table for the private subnet: enter a name, select the VPC and click Create.
Next we add a route with destination 0.0.0.0/0 and target the NAT Gateway, which gives the instances in our private subnet outbound access to the internet.
Click Add routes to save this route table, then associate it with the private subnet.
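To make the route-table behaviour concrete, here is a small model of the layout built above: a longest-prefix route lookup (which is how the VPC router chooses between the Local route and 0.0.0.0/0) and an audit that flags the two mistakes this article warns about, a NAT gateway created in the private subnet and a private subnet left with auto-assign public IPv4 on. This is an added example, not the article's code and not an AWS API. The VPC CIDR 10.0.0.0/16 is an assumption (it comes from a screenshot not reproduced here); the subnet CIDRs 10.0.1.0/24 and 10.0.2.0/24 are the article's, and IDs such as "igw-example" are placeholders.

```python
"""Model of the VPC built in this article: route lookup and a sanity audit.

Added example, not the page's own code and not an AWS API. The VPC CIDR
10.0.0.0/16 is an assumption; the subnet CIDRs are the article's; resource
IDs such as "igw-example" and "nat-example" are placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Subnet:
    name: str
    cidr: str
    auto_assign_public_ip: bool
    # Route table associated with the subnet: destination CIDR -> target.
    routes: Dict[str, str]


@dataclass
class Vpc:
    cidr: str
    igw_attached: bool = False
    nat_gateway_subnet: Optional[str] = None   # name of the subnet the NAT GW lives in
    subnets: Dict[str, Subnet] = field(default_factory=dict)


def next_hop(vpc: Vpc, subnet_name: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match over the subnet's route table, as the VPC router does.

    "local" covers the VPC CIDR, so 0.0.0.0/0 only catches traffic leaving the VPC.
    """
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in vpc.subnets[subnet_name].routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public(subnet: Subnet) -> bool:
    """A subnet is public when its default route targets an internet gateway."""
    return subnet.routes.get("0.0.0.0/0", "").startswith("igw-")


def audit(vpc: Vpc) -> List[str]:
    """Return findings for the mistakes this article warns about (empty = clean)."""
    findings: List[str] = []
    vpc_net = ipaddress.ip_network(vpc.cidr)
    seen: List[ipaddress.IPv4Network] = []
    for s in vpc.subnets.values():
        net = ipaddress.ip_network(s.cidr)
        if not net.subnet_of(vpc_net):
            findings.append(f"{s.name}: {s.cidr} lies outside the VPC CIDR {vpc.cidr}")
        for other in seen:
            if net.overlaps(other):
                findings.append(f"{s.name}: {s.cidr} overlaps {other}")
        seen.append(net)

        if is_public(s) and not vpc.igw_attached:
            findings.append(f"{s.name}: default route targets an internet gateway that is not attached")
        if not is_public(s) and s.auto_assign_public_ip:
            findings.append(f"{s.name}: auto-assign public IPv4 is on, but there is no IGW route")
        if s.routes.get("0.0.0.0/0", "").startswith("nat-"):
            nat_home = vpc.subnets.get(vpc.nat_gateway_subnet)
            if nat_home is None or not is_public(nat_home):
                findings.append(f"{s.name}: its NAT gateway is not in a subnet with an IGW route, "
                                "so it cannot reach the internet")
    return findings


def build_article_vpc() -> Vpc:
    """The configuration the article ends up with."""
    vpc = Vpc(cidr="10.0.0.0/16", igw_attached=True, nat_gateway_subnet="public")
    vpc.subnets["public"] = Subnet("public", "10.0.1.0/24", True,
                                   {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-example"})
    vpc.subnets["private"] = Subnet("private", "10.0.2.0/24", False,
                                    {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-example"})
    return vpc


def build_misconfigured_vpc() -> Vpc:
    """Same layout, but the NAT gateway was created in the private subnet and
    that subnet was left with auto-assign public IPv4 switched on."""
    vpc = build_article_vpc()
    vpc.nat_gateway_subnet = "private"
    vpc.subnets["private"].auto_assign_public_ip = True
    return vpc


if __name__ == "__main__":
    good, bad = build_article_vpc(), build_misconfigured_vpc()
    print("public  -> 8.8.8.8   via", next_hop(good, "public", "8.8.8.8"))
    print("private -> 8.8.8.8   via", next_hop(good, "private", "8.8.8.8"))
    print("private -> 10.0.1.10 via", next_hop(good, "private", "10.0.1.10"))
    print("audit(good):", audit(good))
    print("audit(bad): ", audit(bad))
```

The audit deliberately checks the placement rule from the Important note above by looking at the route table of the subnet the NAT gateway lives in: a NAT gateway whose own subnet has no route to an internet gateway cannot forward anything, which is the usual cause of "my private instances still have no internet".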
Security
NACL: NACL stands for Network Access Control List. It is an optional security layer for your VPC that controls traffic in and out of one or more subnets. You can set up a Network ACL alongside your security groups to add a further layer of filtering to your VPC.
NACLs work at the subnet level and are stateless: inbound and outbound rules are evaluated independently, in ascending rule-number order, so a reply packet must be explicitly allowed in the other direction (typically by an ephemeral-port rule).
Security Group: Security groups are applied at the instance (network interface) level and are stateful: once an inbound connection is allowed, its reply traffic is allowed out automatically.
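The stateless/stateful difference is the one that bites in practice, so here is an added example (not AWS's implementation, and not code from the article) that models both: a NACL evaluator that applies numbered rules first-match-wins with an implicit deny, and a security group that tracks accepted connections. The rule numbers, ports and the client address 203.0.113.7 are constructed for the illustration.

```python
"""Stateless network ACL versus stateful security group, as an added example
(not AWS's own implementation). Rule sets, ports and the client address
203.0.113.7 are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int               # evaluated in ascending order, first match wins
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, int]    # inclusive port range
    cidr: str                 # source (inbound) or destination (outbound) range


def nacl_permits(rules: List[NaclRule], protocol: str, port: int, peer_ip: str) -> bool:
    """One packet, one direction, no memory of earlier packets (stateless)."""
    ip = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if (r.protocol in ("all", protocol)
                and r.ports[0] <= port <= r.ports[1]
                and ip in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False  # the implicit "*" rule at the end denies everything else


def nacl_http_session_ok(inbound: List[NaclRule], outbound: List[NaclRule],
                         client_ip: str, client_port: int) -> bool:
    """An HTTP request to port 80 only works if the request passes the inbound
    rules AND the reply (to the client's ephemeral port) passes the outbound rules."""
    request = nacl_permits(inbound, "tcp", 80, client_ip)
    reply = nacl_permits(outbound, "tcp", client_port, client_ip)
    return request and reply


class SecurityGroup:
    """Stateful: once an inbound connection is accepted, its replies are let
    out without any outbound rule, because the group tracks the connection."""

    def __init__(self, inbound: List[Tuple[str, int, str]]):
        self.inbound = inbound  # (protocol, port, source CIDR)
        self.tracked: Set[Tuple[str, str, int, int]] = set()

    def accept(self, protocol: str, port: int, peer_ip: str, peer_port: int) -> bool:
        ip = ipaddress.ip_address(peer_ip)
        for proto, dport, cidr in self.inbound:
            if proto == protocol and dport == port and ip in ipaddress.ip_network(cidr):
                self.tracked.add((protocol, peer_ip, peer_port, port))
                return True
        return False

    def reply_ok(self, protocol: str, peer_ip: str, peer_port: int, local_port: int) -> bool:
        return (protocol, peer_ip, peer_port, local_port) in self.tracked


# Constructed rule sets for a web-server subnet.
WEB_INBOUND = [NaclRule(100, "allow", "tcp", (80, 80), "0.0.0.0/0")]
OUTBOUND_NO_EPHEMERAL: List[NaclRule] = []   # only the implicit deny: replies are dropped
OUTBOUND_WITH_EPHEMERAL = [NaclRule(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]
# A deny with a lower number than the allow wins for the range it covers.
WEB_INBOUND_BLOCKLIST = [NaclRule(90, "deny", "tcp", (80, 80), "203.0.113.0/24")] + WEB_INBOUND


if __name__ == "__main__":
    client, eph = "203.0.113.7", 51514
    print("NACL, no ephemeral rule:  ", nacl_http_session_ok(WEB_INBOUND, OUTBOUND_NO_EPHEMERAL, client, eph))
    print("NACL, with ephemeral rule:", nacl_http_session_ok(WEB_INBOUND, OUTBOUND_WITH_EPHEMERAL, client, eph))
    print("NACL blocklist hit / miss:", nacl_permits(WEB_INBOUND_BLOCKLIST, "tcp", 80, client),
          nacl_permits(WEB_INBOUND_BLOCKLIST, "tcp", 80, "198.51.100.9"))
    sg = SecurityGroup([("tcp", 80, "0.0.0.0/0")])
    print("SG accept / reply:        ", sg.accept("tcp", 80, client, eph), sg.reply_ok("tcp", client, eph, 80))
```

The first NACL case is the classic outage: port 80 is allowed in, the page still never loads, because the SYN-ACK towards the client's ephemeral port hits the implicit outbound deny. The blocklist case shows why rule numbering matters: the deny only takes effect because its number is lower than the allow's.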
EC2 Instances
Now let's create an EC2 instance in the public subnet.
Choose an AMI:
Select the instance type:
Select the VPC and, as the subnet, the public subnet:
Add the user data as below:
#!/bin/bash
# User data runs once, as root, on first boot (executed top to bottom).
# Install httpd on Amazon Linux 2 and serve a page that names the host.
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html
Add storage, tags and a security group:
Create and download the key pair in the final step.
Similarly, create a private EC2 instance, selecting the newly created VPC and the private subnet.
The two instances below, one private and one public, are created according to the subnet we selected on the earlier screens:
Testing
Public Subnet EC2: I am now connected to the EC2 instance in the public subnet, whose route table has the Internet Gateway entry. We are successfully getting ping results, as it is connected to the internet.
Private Subnet EC2: this subnet has no route to the Internet Gateway and the instance has no public IP, hence we cannot open a terminal to it directly from the internet:
Hence we will try connecting to this private instance from the public instance, as below:
It is not recommended to store private key (PEM) files on the public-subnet EC2 instance: anyone who compromises that host also gets the key to every private instance. We'll look at bastion hosts in an upcoming article, where the PEM file stays on your local system and you connect to the EC2 instance in the private subnet using SSH agent forwarding.
Conclusion
Thank you for reading. I hope you have found this useful. Be sure to follow for more similar content in our next article. Feel free to post your comments, or you can contact me at ujjwalsoni85@gmail.com
If the article has given you some value, or you know someone who might need it, please share it on the Internet. Don't let it sit idle on this blog and waste its potential.
I would also be pleased if you write a comment.