hands-on lab

Securing your VPC using Public and Private Subnets

Up to 2h 35m
You can pause this lab for up to 1h
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


In this lab, you will design a VPC with a public subnet, a private subnet, and a Network Address Translation (NAT) device in the public subnet. 

NAT device enables instances in the private subnet to initiate outbound traffic to the Internet. This scenario is common when you have a public-facing web application while maintaining back-end servers that aren't publicly accessible. 

A common example is a multi-tier website, with the web servers in a public subnet, and the database servers in a private subnet. You can set up security and routing allowing the web servers to communicate with the database servers. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet cannot. The instances in the private subnet can access the Internet via the NAT Gateway in the public subnet. In this Lab, you will also increase the network security using a network access control list (NACL), which is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. After completing this Lab, you might consider setting up network ACLs with rules similar to your security groups, in order to add an additional layer of security to your VPC.

Learning Objectives

Upon completion of this lab you will be able to create, configure and test the following:

  • Virtual Private Cloud (VPC)
  • Internet Gateway
  • Public and private subnets (inbound/outbound rules)
  • Security groups (inbound/outbound rules for multiple purposes)
  • Network access control lists (NACLs) for additional security on a private subnet
  • Bastion host for SSH access from the internet to private instances
  • Network Address Translation (NAT) Gateway to provide private instances access to the public internet to perform operating system updates
  • Route tables associated with public and private subnets

Intended Audience

  • Candidates for the AWS Cloud Practitioner Exam
  • Candidates for the AWS Solutions Architect Associate Exam


You should be familiar with:

  • Elastic Cloud Compute (EC2) basics
  • Conceptual understanding of Virtual Private Clouds (VPCs), subnets, network route tables, firewalls, private and public IP addresses
  • Some Linux shell/command level understanding is helpful, but not required


December 13th, 2022 - Updated a couple of field values to remove trailing spaces to facilitate copy-paste

October 3rd, 2022 -  Updated screenshots and instructions due to UI changes

June 2nd, 2022 - Updated instructions and screenshots to reflect the new launch instance wizard

April 14th, 2022 - Minor update to reflect latest user interface changes

March 31st, 2022 - Updated screenshots and instructions for clarity

March 1st, 2022 - Updated security group rule to allow functionality with complex network environments

February 22nd, 2022 - Updated the instructions and screenshots to reflect the latest UI; added a security group rule

June 29th, 2021 - Migrated lab steps to use NAT Gateway instead of NAT instance going forward; updated lab step format and screenshots

June 8th, 2020 - Added troubleshooting instructions to ensure SSH agent forwarding is enabled when connecting to the bastion host from Windows

August 16th, 2019 - Increased the maximum allowed time on the Lab to allow for a better-paced learning environment

January 10th, 2019 - Added a validation Lab Step to check the work you perform in the Lab

September 7th, 2018 - Updated instructions and screenshots to the latest VPC and EC2 user interfaces

May 24th, 2018 - Clarified instructions for connecting to the EC2 instances on Windows.

Environment before

Environment after

About the author

Jun Fritz, opens in a new tab
Cloud Labs Developer
Learning paths

Jun is a Cloud Labs Developer with previous experience as a Software Engineer and Cloud Developer. He holds the AWS Certified Solutions Architect and DevOps Engineer Professional certifications. He also holds the AWS Certified Solutions Architect, Developer, and SysOps Administrator Associate certifications. 

Jun is focused on giving back to the growing cloud community by sharing his knowledge and experience with students and creating engaging content. 

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Creating a VPC
Creating a VPC Internet Gateway
Creating a Public Subnet
Creating a Bastion Host
Creating a Private Subnet
Creating a Network ACL for a Private Subnet
Adding Rules to a Private Network ACL
Launching an EC2 Instance on a Private Subnet
Launching a Network Address Translation (NAT) Gateway
Testing access of Private Subnet Instances
Highlights of Securing your VPC