Securing your VPC using Public and Private subnets

The hands-on lab is part of these learning paths

Security - Specialty Certification Preparation for AWS
course-steps 22 certification 1 lab-steps 11
Scenario: Migrating From an End-of-Life Data Center to AWS
course-steps 6 certification 1 lab-steps 8 quiz-steps 2
AWS Networking & Content Delivery
course-steps 7 certification 1 lab-steps 5
Advanced Networking – Specialty Certification Preparation for AWS
course-steps 18 certification 1 lab-steps 6 quiz-steps 1
SysOps Administrator – Associate Certification Preparation for AWS
course-steps 6 certification 1 lab-steps 18 quiz-steps 6
Solutions Architect—Associate Certification for AWS (2016)
course-steps 9 lab-steps 13 quiz-steps 12
SysOps Administrator—Associate Certification for AWS
course-steps 14 lab-steps 18 quiz-steps 13
more_horiz See 5 more

Lab Steps

Logging in to the Amazon Web Services Console
Creating a VPC
Creating a VPC Internet Gateway
Creating a Public Subnet
Creating a Bastion Host
Creating a Private Subnet
Creating a Network ACL for a Private Subnet
Adding Rules to a Private Network ACL
Launching an EC2 Instance on a Private Subnet
Launching a Network Address Translation (NAT) instance
Testing access of Private Subnet Instances
Highlights of Securing your VPC

Ready for the real environment experience?

Duration1h 45m


Securing your VPC using Public and Private subnets

Lab Overview

In this lab you will design a VPC with a public subnet, a private subnet, and a network address translation (NAT) instance in the public subnet. 

NAT instance enables instances in the private subnet to initiate outbound traffic to the Internet. This scenario is common when you have a public-facing web application, while maintaining back-end servers that aren't publicly accessible. 

A common example is a multi-tier website, with the web servers in a public subnet, and the database servers in a private subnet. You can set up security and routing allowing the web servers to communicate with the database servers. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet cannot. The instances in the private subnet can access the Internet via the NAT instance in the public subnet. In this Lab, you will also increase the network security using a network access control list (NACL), which is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. After completing this Lab, you might consider setting up network ACLs with rules similar to your security groups, in order to add an additional layer of security to your VPC.


Lab Objectives

Upon completion of this lab you will be able to create, configure and test the following:

  • Virtual Private Cloud (VPC)
  • Internet Gateway
  • Public and private subnets (inbound/outbound rules)
  • Security groups (inbound/outbound rules for multiple purposes)
  • Network access control lists (NACLs) for additional security on a private subnet
  • Bastion host for SSH access from the internet to private instances
  • Network Address Translation (NAT) instance to grant access for private instances to perform operating system updates
  • Route tables associated with public and private subnets

Lab Prerequisites

You should be familiar with:

  • Elastic Cloud Compute (EC2) basics
  • Conceptual understanding of Virtual Private Clouds (VPCs), subnets, network route tables, firewalls, private and public IP addresses
  • Some Linux shell/command level understanding is helpful, but not required

Lab Environment

After completing the Lab instructions, the environment should look similar to:


September 7th, 2018 - Updated instructions and screenshots to the latest VPC and EC2 user interfaces

May 24th, 2018 - Clarified instructions for connecting to the EC2 instances on Windows.

About the Author


Greg has been a consistent high performer for pioneering technologies in the wireless web industries with an illustrious career that is a testament to his breadth of knowledge. Dabbling with MS Azure, at Cloud Academy, Greg really thrives on evangelizing the benefits of Amazon Web Services. A dedicated and passionate professional who learns new and emerging technologies quickly, Greg always ensures the highest quality and caliber of everything he produces.