A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren’t publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.
The following diagram shows the key components of the configuration for this scenario.
The configuration for this scenario includes the following:
- A VPC with a size /16 IPv4 CIDR block (example: 10.0.0.0/16). This provides 65,536 private IPv4 addresses.
- A public subnet with a size /24 IPv4 CIDR block (example: 10.0.0.0/24). This provides 256 private IPv4 addresses. A public subnet is a subnet that’s associated with a route table that has a route to an Internet gateway.
- A private subnet with a size /24 IPv4 CIDR block (example: 10.0.1.0/24). This provides 256 private IPv4 addresses.
- An Internet gateway. This connects the VPC to the Internet and to other AWS services.
- Instances with private IPv4 addresses in the subnet range (examples: 10.0.0.5, 10.0.1.5). This enables them to communicate with each other and other instances in the VPC.
- Instances in the public subnet with Elastic IPv4 addresses, which are public IPv4 addresses that enable them to be reached from the Internet. The instances can instead have public IP addresses assigned at launch rather than Elastic IP addresses.
- A NAT gateway with its own Elastic IPv4 address. Instances in the private subnet can send requests to the Internet through the NAT gateway over IPv4 (for example, for software updates).
- A custom route table associated with the public subnet. This route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC over IPv4, and an entry that enables instances in the subnet to communicate directly with the Internet over IPv4.
- The main route table associated with the private subnet. The route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC over IPv4, and an entry that enables instances in the subnet to communicate with the Internet through the NAT gateway over IPv4.
In this scenario, the VPC wizard updates the main route table used with the private subnet, and creates a custom route table and associates it with the public subnet.
Main Route Table
The first entry is the default entry for local routing in the VPC; this entry enables the instances in the VPC to communicate with each other. The second entry sends all other subnet traffic to the NAT gateway.
Custom Route Table
The first entry is the default entry for local routing in the VPC; this entry enables the instances in this VPC to communicate with each other. The second entry routes all other subnet traffic to the Internet over the Internet gateway.
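The two route tables above differ only in their second entry, and a destination that matches both entries (for example 10.0.1.5 matches 10.0.0.0/16 and 0.0.0.0/0) is routed by the most specific one. The following added example, not part of the original page, models the two tables from the scenario with the standard-library ipaddress module, resolves sample destinations with longest-prefix match, and sanity-checks the CIDR plan. The gateway IDs are placeholders, and the "5 reserved addresses per subnet" rule is AWS's published reservation of the first four and last address of every subnet.

```python
import ipaddress

# Addressing from the scenario
VPC_CIDR = "10.0.0.0/16"
PUBLIC_SUBNET = "10.0.0.0/24"
PRIVATE_SUBNET = "10.0.1.0/24"

# Constructed gateway identifiers (placeholders, not real AWS IDs)
IGW_ID = "igw-EXAMPLE"
NAT_ID = "nat-EXAMPLE"

# The two route tables exactly as the scenario describes them: (destination, target)
MAIN_ROUTE_TABLE = [          # associated with the private subnet
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", NAT_ID),
]
CUSTOM_ROUTE_TABLE = [        # associated with the public subnet
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", IGW_ID),
]


def lookup_route(route_table, destination):
    """Return the target for `destination` using longest-prefix match,
    which is how a VPC route table picks a route when several entries match.
    Returns None when no entry matches (no default route present)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def address_count(cidr):
    """Total addresses in a block: 65,536 for a /16, 256 for a /24."""
    return ipaddress.ip_network(cidr).num_addresses


def usable_addresses(cidr):
    """AWS reserves the first four and the last address of every subnet,
    so a /24 yields 251 assignable addresses, not 256."""
    return address_count(cidr) - 5


def check_addressing(vpc_cidr, subnet_cidrs):
    """Sanity checks on the CIDR plan: every subnet must sit inside the VPC
    block, and no two subnets may overlap. Returns a list of problem strings."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside VPC block {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for table_name, table in (("main", MAIN_ROUTE_TABLE), ("custom", CUSTOM_ROUTE_TABLE)):
        for dest in ("10.0.1.5", "93.184.216.34"):
            print(f"{table_name:6} {dest:>14} -> {lookup_route(table, dest)}")
    print("usable in", PUBLIC_SUBNET, "=", usable_addresses(PUBLIC_SUBNET))
    print("problems:", check_addressing(VPC_CIDR, [PUBLIC_SUBNET, PRIVATE_SUBNET]))
```

Intra-VPC traffic stays on the local route in both tables; only traffic that matches nothing more specific than 0.0.0.0/0 leaves through the NAT gateway or the Internet gateway.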
For this example we will be using 10.0.1.0/24 as the private network and 10.0.0.0/24 as the public network.
Allocate an Elastic IP address for the NAT gateway (IPv4)
Open the Amazon VPC console. In the navigation pane, choose Elastic IPs.
Choose Allocate new address.
Choose the Allocate from pool of IP Addresses option.
Note down the Allocation ID (here: eipalloc-0437f08746d7b79af )
Create a VPC
Open the Amazon VPC console by selecting VPC under Services.
On the VPC dashboard, choose Launch VPC Wizard.
Choose the second option, VPC with Public and Private Subnets, and then choose Select.
You can name your VPC and subnets to help you identify them later in the console. You can specify your own IPv4 CIDR block range for the VPC and subnets, or you can keep the default values.
You can keep the rest of the default values on the page, and choose Create VPC.
Create the WebServer and Database Server security groups
Open the Amazon VPC console. In the navigation pane, choose Security Groups, then Create Security Group.
Provide a name and description for the security group. For VPC, select the ID of the VPC you created and choose Yes, Create.
Create a security group for both the web server and the database server.
Select the WebServerSG security group that you created. The details pane displays the details for the security group, plus tabs for working with its inbound and outbound rules.
On the Inbound Rules tab, choose Edit and add rules for inbound traffic.
On the Outbound Rules tab, choose Edit and add rules for outbound traffic.
Locate the default rule that enables all outbound traffic and choose Remove.
Choose Add rule, Type, MySQL. For Destination, specify the ID of the DBServerSG security group.
Choose Add another rule, Type, HTTPS. For Destination, enter 0.0.0.0/0.
Choose Add another rule, Type, HTTP. For Destination, enter 0.0.0.0/0.
Similarly, create the database security group.
On the Inbound Rules tab, choose Edit and add rules for inbound traffic.
Choose Add rule, Type, MySQL. For Source, specify the ID of your WebServerSG security group.
On the Outbound Rules tab, choose Edit and add rules for outbound traffic.
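The value of referencing the other security group's ID as the peer (rather than a CIDR) is that the database port is reachable only from instances that carry WebServerSG, no matter which subnet they sit in. The following added example, written for this page and not taken from AWS or the original walkthrough, models the two security groups and evaluates whether sample connections are permitted. Security groups are stateful, so only the initiating direction is checked. The WebServerSG inbound rules (HTTP and HTTPS from anywhere) and the empty DBServerSG outbound rule set are assumptions, since the page does not list them; the SG IDs and the external host address are constructed placeholders.

```python
import ipaddress

# Protocol/port pairs used in the scenario
HTTP, HTTPS, MYSQL = ("tcp", 80), ("tcp", 443), ("tcp", 3306)

# Constructed security group IDs (placeholders, not real AWS IDs)
WEB_SG = "sg-WEBSERVER"
DB_SG = "sg-DBSERVER"

# Each rule is (protocol, port, peer); peer is a CIDR string or a SG ID.
# WebServerSG inbound rules are an assumption (HTTP/HTTPS from anywhere);
# DBServerSG outbound being empty is also an assumption (the walkthrough
# does not list its outbound rules). The rest follows the walkthrough.
SECURITY_GROUPS = {
    WEB_SG: {
        "inbound": [(*HTTP, "0.0.0.0/0"), (*HTTPS, "0.0.0.0/0")],
        "outbound": [(*MYSQL, DB_SG), (*HTTPS, "0.0.0.0/0"), (*HTTP, "0.0.0.0/0")],
    },
    DB_SG: {
        "inbound": [(*MYSQL, WEB_SG)],
        "outbound": [],   # default allow-all egress removed; nothing added back
    },
}

# Constructed hosts: VPC instances carry a SG; an external host has none.
WEB = {"sg": WEB_SG, "ip": "10.0.0.5"}
DB = {"sg": DB_SG, "ip": "10.0.1.5"}
INTERNET_HOST = {"ip": "203.0.113.7"}   # documentation range, stands in for "anywhere"


def peer_matches(peer, other_ip, other_sg):
    """A rule's peer matches when it is the other side's SG ID, or a CIDR
    that contains the other side's IP address."""
    if peer.startswith("sg-"):
        return peer == other_sg
    return ipaddress.ip_address(other_ip) in ipaddress.ip_network(peer)


def rules_allow(rules, proto, port, other_ip, other_sg):
    """True if any rule in the list permits this protocol/port to/from the peer."""
    return any(p == proto and prt == port and peer_matches(peer, other_ip, other_sg)
               for p, prt, peer in rules)


def connection_allowed(src, dst, proto, port):
    """Evaluate a new connection from src to dst. The source's outbound rules
    and the destination's inbound rules must both allow it; a side without a
    security group is outside the VPC and contributes no rules. Return traffic
    is allowed automatically because security groups are stateful."""
    egress_ok = True
    if src.get("sg"):
        egress_ok = rules_allow(SECURITY_GROUPS[src["sg"]]["outbound"],
                                proto, port, dst["ip"], dst.get("sg"))
    ingress_ok = True
    if dst.get("sg"):
        ingress_ok = rules_allow(SECURITY_GROUPS[dst["sg"]]["inbound"],
                                 proto, port, src["ip"], src.get("sg"))
    return egress_ok and ingress_ok


if __name__ == "__main__":
    cases = [
        ("web -> db MySQL", WEB, DB, MYSQL),
        ("internet -> web HTTPS", INTERNET_HOST, WEB, HTTPS),
        ("internet -> db MySQL", INTERNET_HOST, DB, MYSQL),
        ("web -> db SSH", WEB, DB, ("tcp", 22)),
        ("db -> internet HTTPS", DB, INTERNET_HOST, HTTPS),
    ]
    for label, s, d, (proto, port) in cases:
        print(f"{label:24} {'allowed' if connection_allowed(s, d, proto, port) else 'denied'}")
```

Note the last case: the private subnet's NAT route gives the database instance a path to the Internet, but with no outbound rule on DBServerSG the security group still blocks it. Routing and security groups are independent controls, and both must permit a flow.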
We will create an Internet Gateway for the public subnet and a NAT gateway for the private one.
Go to the Internet Gateway Section and click “Create Internet Gateway” to create an unattached Internet Gateway. Once the Gateway is created, associate it with the VPC.
Create and Attach “Internet Gateway” to our newly created VPC “Testvpn”
So click on Internet Gateways from the menu on the left and then click “Create Internet Gateway”.
Attach the newly created Internet Gateway to a VPC by selecting your Internet Gateway and clicking on “Attach to VPC”.
Create NAT Gateway
NAT Gateway in AWS can provide your private instances with access to the Internet for essential software updates while blocking incoming traffic from the outside world.
The private subnets in your VPC should have access to the Internet only through an AWS feature called NAT Gateway. The NAT Gateway configuration is optional, and you can skip it if you want your instances in the private subnets to be completely restricted from accessing the Internet.
Go to the NAT Gateway section and you will create a NAT gateway for the Private Subnet. In the NAT Gateway dialog, you will select the public subnet.
Configure NAT Gateway for private subnets in your VPC:
- Navigate to the AWS console -> Services.
- Go to the Networking & Content Delivery section and click VPC.
- Navigate to Virtual Private Cloud -> NAT Gateways -> Create NAT Gateway
- On the newly opened page select a public subnet from the Subnet drop-down list in which to create the NAT gateway.
- Assign an Elastic IP Address to the NAT Gateway.
- Click Create a NAT Gateway.
Now you need to configure the routing for your private subnets. Enable traffic from your private subnets to the Internet by using the NAT Gateway you have created.
Now we need to create a new route table by selecting Route Tables and clicking on “Create Route Table“.
We will need to create two route tables. The first route table will be used to give hosts in the public subnet a default route to an Internet Gateway. The second one will be used to set up a default gateway in the private subnet pointing to a NAT Gateway so they can get patches and install software. There will already be a route table created for your VPC, and this one could be repurposed for one of the subnets; it is the main (default) route table and will be in effect for any subnet that has no explicit association. I prefer to leave it as is and create two new route tables, one for each subnet.
Similarly create a private route table.
Highlight the public route table and select the Routes tab. Click the Edit button and add a default route that points to the Internet Gateway you created earlier.
Select “Test_Public_RT”, click on the “Routes” tab and then “Edit”.
Then enter 0.0.0.0/0 for the Destination, select your Internet Gateway for the Target and click on “Save”:
Associate this “Test_Public_RT” route table with the public subnet “Public subnet” (here: subnet-0feba2037eac69c86).
Under the Subnet Associations tab, click on Edit subnet associations, add the public subnet ID and then click on Save.
You will now be able to connect to the Internet from instances that are launched in the public subnet.
Now, select the Private Route Table and edit the Routes to add a default route to the NAT Gateway.
Navigate to the Subnet Associations tab and associate your private subnets with the route table and save the changes.
Now traffic from instances in the private subnets destined for the Internet will be routed to the NAT Gateway.
And with that, we have now created a custom VPC in AWS with a public (10.0.0.0/24) subnet and a private (10.0.1.0/24) subnet.
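Once the route tables and associations are in place, the resulting configuration can be verified from the API rather than by eye. The following added example, written for this page rather than taken from the walkthrough or from AWS tooling, audits a constructed sample in the shape returned by `aws ec2 describe-route-tables` and `describe-nat-gateways`. It resolves the route table that actually applies to each subnet (an explicit association, otherwise the main table), classifies subnets as public or private from their default route, and flags a NAT gateway that is not in a public subnet, which would leave the private subnet without a working path to the Internet. All resource IDs are placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# IDs are placeholders; the two tables mirror the scenario's final state.
ROUTE_TABLES_JSON = json.dumps({
    "RouteTables": [
        {"RouteTableId": "rtb-MAIN", "VpcId": "vpc-EXAMPLE",
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"}],
         "Associations": [{"Main": True, "RouteTableId": "rtb-MAIN"}]},
        {"RouteTableId": "rtb-PUBLIC", "VpcId": "vpc-EXAMPLE",
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"}],
         "Associations": [{"Main": False, "RouteTableId": "rtb-PUBLIC", "SubnetId": "subnet-PUBLIC"}]},
    ]
})
# Constructed subnet list and NAT gateway placement (placeholders)
SUBNET_IDS = ["subnet-PUBLIC", "subnet-PRIVATE"]
NAT_GATEWAYS = [{"NatGatewayId": "nat-EXAMPLE", "SubnetId": "subnet-PUBLIC"}]


def effective_route_tables(route_tables_json, subnet_ids):
    """Map each subnet to the route table that applies to it: an explicit
    association wins, otherwise the VPC's main table (which is what any
    subnet left unassociated silently uses)."""
    tables = json.loads(route_tables_json)["RouteTables"]
    explicit, main = {}, None
    for rt in tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return {s: explicit.get(s, main) for s in subnet_ids}


def default_route_target(rt):
    """Return the target of the active 0.0.0.0/0 route, or None if absent."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId")
    return None


def classify_subnets(route_tables_json, subnet_ids):
    """'public' if the default route is an Internet gateway, 'private' if it
    is a NAT gateway, 'isolated' if there is no default route at all."""
    result = {}
    for subnet, rt in effective_route_tables(route_tables_json, subnet_ids).items():
        target = default_route_target(rt) if rt else None
        if target and target.startswith("igw-"):
            result[subnet] = "public"
        elif target and target.startswith("nat-"):
            result[subnet] = "private"
        else:
            result[subnet] = "isolated"
    return result


def audit_nat_placement(route_tables_json, subnet_ids, nat_gateways):
    """A NAT gateway must live in a public subnet; otherwise it has no path
    to the Internet and the private subnet's default route goes nowhere."""
    kinds = classify_subnets(route_tables_json, subnet_ids)
    findings = []
    for nat in nat_gateways:
        if kinds.get(nat["SubnetId"]) != "public":
            findings.append(f"{nat['NatGatewayId']} is in non-public subnet {nat['SubnetId']}")
    return findings


if __name__ == "__main__":
    print(classify_subnets(ROUTE_TABLES_JSON, SUBNET_IDS))
    print("findings:", audit_nat_placement(ROUTE_TABLES_JSON, SUBNET_IDS, NAT_GATEWAYS))
```

Because the private subnet has no explicit association in the sample, it falls back to the main table, exactly the behaviour the walkthrough relies on; the same fallback is why a subnet accidentally left unassociated inherits whatever default route the main table carries.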