Creating a Private Subnet
In this Lab Step you will create a private subnet. A common use for a private subnet is to configure resources for a back-end tier, such as database servers that should not be accessible from the internet. However, you may eventually want these back-end database servers to access the internet (for OS updates), or be accessed by administrators via a bastion host.
1. Navigate to Services > Networking & Content Delivery > VPC to open the VPC Dashboard:
2. Set the Filter by VPC in the VPC Dashboard to the cloudacademy-labs
3. Click Subnets in the left navigation pane. The Subnets page lists previously created subnets.
4. Click Create Subnet. In the Create Subnet dialog box, specify the following details:
- Name tag: Enter Private-A (This will be the name for your subnet)
- VPC: Select the cloudacademy-labs VPC from the drop-down menu
- Availability Zone: Select us-west-2a
- CIDR block: Enter 10.0.10.0/24 as the CIDR block of your VPC
Click Yes, Create when ready to proceed, then Close.
The created subnet is automatically attached to the default VPC Route table and the default Network ACL. Note that the CIDR block differs from the public subnet created previously. (That is, the third octet differs: 10.0.10.0/24, not 10.0.20.0/24)
A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each route in a table specifies a destination CIDR and a target (for example, traffic destined for 172.16.0.0/12 is targeted for a virtual private gateway). If a subnet does not have a route to the Internet (0.0.0.0/0) through a gateway, the subnet is known as a private subnet.
Next you will create a custom private route table for a VPC using the Amazon VPC Dashboard.
5. In the navigation pane, click Route Tables, then Create Route Table to open the dialog box:
Name tag: Enter PrivateRouteTable (This will be the name of your subnet. A tag is created with a key of Name and PrivateRouteTable for the Value.)
VPC: Select cloudacademy-labs from the VPC list.
Select Yes, Create when ready to proceed.
Next you will change the default route table for the private subnet with the new route table you just created. Continue performing the instructions below to change a subnet route table association.
6. With the PrivateRouteTable selected:
Switch to the Routes tab, and click Edit
Click Add another route and enter
0.0.0.0/0in the Destination field
Select internet-gateway named labs-gw as the Target. Important! This is a temporary setting. Later, you wil add a NAT instance and change the Target for the PrivateRouteTable to the NAT instance. (In this Lab, we are intentionally adding the NAT instance last for learning purposes, which will require a minor change to the private route table once the NAT instance is created and available.
- Click Save
Once completed, this route is designed so traffic from private instances on your private subnet destined for hosts on the internet goes through a NAT instance.
7. Take note of the Route Table ID for the PrivateRouteTable:
You will need to know the ID to select it at the private subnet's route table.
8. Click Subnets from the left navigation pane, then select the Private-A subnet.
9. Switch to the Route Table tab, and click Edit route table association button. In the Edit route table association form, change the Route Table ID to the one that you took note of a couple instructions ago:
The route table currently can access to the public internet through the second route, but as mentioned before, you will change the Target to a NAT instance in a later Lab Step.
10. Click Save, then Close.
Check if all the subnets have been created in the Lab environment