Securing your VPC using Public and Private subnets


4250 students completed the lab in ~1h:3m

Total available time: 1h:45m

2639 students rated this lab!

Securing your VPC using Public and Private subnets

Lab Overview

In this lab you will design a VPC with a public subnet, a private subnet, and a network address translation (NAT) instance in the public subnet. 

NAT instance enables instances in the private subnet to initiate outbound traffic to the Internet. This scenario is common when you have a public-facing web application, while maintaining back-end servers that aren't publicly accessible. 

A common example is a multi-tier website, with the web servers in a public subnet, and the database servers in a private subnet. You can set up security and routing allowing the web servers to communicate with the database servers. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet cannot. The instances in the private subnet can access the Internet via the NAT instance in the public subnet. In this Lab, you will also increase the network security using a network access control list (NACL), which is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. After completing this Lab, you might consider setting up network ACLs with rules similar to your security groups, in order to add an additional layer of security to your VPC.


Lab Objectives

Upon completion of this lab you will be able to create, configure and test the following:

  • Virtual Private Cloud (VPC)
  • Internet Gateway
  • Public and private subnets (inbound/outbound rules)
  • Security groups (inbound/outbound rules for multiple purposes)
  • Network access control lists (NACLs) for additional security on a private subnet
  • Bastion host for SSH access from the internet to private instances
  • Network Address Translation (NAT) instance to grant access for private instances to perform operating system updates
  • Route tables associated with public and private subnets

Lab Prerequisites

You should be familiar with:

  • Elastic Cloud Compute (EC2) basics
  • Conceptual understanding of Virtual Private Clouds (VPCs), subnets, network route tables, firewalls, private and public IP addresses
  • Some Linux shell/command level understanding is helpful, but not required

Lab Environment

After completing the Lab instructions, the environment should look similar to:


May 24th, 2018 - Clarified instructions for connecting to the EC2 instances on Windows.

Follow these steps to learn by building helpful cloud resources

Logging in to the Amazon Web Services Console

Your first step to start the Lab experience

Creating a VPC

Create a Virtual Private Cloud (VPC) using the AWS Management Console 

Creating a VPC Internet Gateway

Create an Internet Gateway for your Virtual Private Cloud (VPC)

Creating a Public Subnet

Create a public subnet for your Virtual Private Cloud (VPC)

Creating a Bastion Host

Create a bastion host for SSH access to private instances

Creating a Private Subnet

Create a private subnet for your Virtual Private Cloud (VPC)

Creating a Network ACL for a Private Subnet

Create a Network Access Control List for an additional layer of security for a private subnet

Adding Rules to a Private Network ACL

Add inbound and outbound rules to a Private Network Access Control List

Launching an EC2 Instance on a Private Subnet

Launch an EC2 instance on a private subnet and test access to and from the instance

Launching a Network Address Translation (NAT) instance

Launch a NAT instance in the public subnet using an AWS Community AMI

Testing access of Private Subnet Instances

Test access to and from an Instance on the private subnet

Highlights of Securing your VPC

Go over key points of your secure VPC