Create a Custom VPC in AWS
  • A default routing table, a network access control list (NACL), and a default security group will be created.
  • But no subnets and an internet gateway will be created.

Let’s create a custom VPC!

  • Logging to your AWS console and move to VPC dash board,
    Services → Networking & Content Delivery → VPC
  • Your VPCs → Create VPC
  • Give your VPC a name and IPv4 CIDR block (Block size must be between a /16 and /28 netmask) and choose whether you use IPv6 as well. (I’m not in this case).
  • Choose the default tenancy (Dedicated tenancy ensures all EC2 instances that are launched in a VPC run on hardware that’s dedicated to a single customer.) and finally hit Create VPC.


The Public Subnet

  • Name your subnet and choose the VPC (choose the VPC you created not the default one)
  • Choose an Availability zone (I’m using us-east-1a for the public subnet) and IPv4 CIDR block. (I’m using for the public subnet)

The Private Subnet

  • It’s same procedure as creating the public subnet.
  • Choose your pubic subnet → Actions → Modify auto-assign IP settings → Check auto-assign IPv4

Internet Gateway

  • Internet Gateways → Create internet gateway
  • Choose your new internet gateway → Actions → Attach to VPC
  • You can have only one internet gateway per VPC.

Route Tables

  • Let’s create a route table with a route out to the internet and associate the public subnet to the new route table.
  • Route Tables → Create route table
  • Add an route out to the internet via the internet gateway
  • Choose your route table → Routes → Edit routes
  • Choose the internet gateway you created as the target.
  • Associate the public subnet to this route table.
  • Choose the route table → Subnet Associations → Edit subnet associations
  • Choose the public subnet.

EC2 Instances

  • let’s launch a coupe if ec2 instances in each subnet.
  • Pay attention to the VPC and subnet when launching ec2 instance.
  • Configure the security group for public ec2 instance to allow http traffic.
  1. Copying the .pem file into the public instance and SSH into the private instance via the public instance.
  • Launch another ec2 instance in your public subnet to use as the Bastion host.
  • Allows SSH from trusted hosted in your security group.
  • Allows SSH from the Bastion host in private servers security group.
  • Setup SSH agent.
$ ssh-agent bash
  • Add the private key to the key-chain.
$ ssh-add ".pem"
  • Check whether the key is added or not.
$ ssh-add -l
  • Access the bastion host using the public IP address.
$ ssh -A ec2-user@"public IP"
  • SSH to the private server from the Bastion host.
$ ssh ec2-user@"private IP"
  • Create a new instance in the public subnet.
  • Choose an AMI from community AMIs for the NAT instance.
  • Allow web access in the security group.
  • Disable source destination check.
    Actions → Networking → Change source/destination check → Stop
  • Add an route out to the NAT instance in the main routing table. (Private subnet is associated with the main route table.)
  • Not scalable
  • Single point of failure
  • VPC Dashboard → NAT Gateways → Create NAT gateway
  • Choose your public subnet and allocate an elastic IP.
  • Finally add a route out to the NAT gateway in the main route table.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Charith Herath

Charith Herath

BSc (Hons) Electrical and Electronic Engineering | CCNP | CCNA | Cloud Enthusiast