Creating a Bastion Host

Introduction

In this Lab Step you will create a private subnet. A common use for a private subnet is to host a back-end tier, such as database servers that should not be reachable from the internet. However, those back-end servers may still need to reach the internet themselves (for OS updates), or be reached by administrators through a bastion host.

Instructions

1. Navigate to Services > Networking & Content Delivery > VPC to open the VPC Dashboard:


2. Set the Filter by VPC in the VPC Dashboard to the cloudacademy-labs VPC.

3. Click Subnets in the left navigation pane. The Subnets page lists previously created subnets.


4. Click Create Subnet. In the Create Subnet dialog box, specify the following details:

  • Name tag: Enter Private-A (This will be the name for your subnet)
  • VPC: Select the cloudacademy-labs VPC from the drop-down menu
  • Availability Zone: Select us-west-2a
  • CIDR block: Enter 10.0.10.0/24 as the CIDR block for the subnet

Click Yes, Create when ready to proceed, then Close.

The new subnet is automatically associated with the VPC's default route table and the default Network ACL. Note that its CIDR block differs from that of the public subnet created previously (the third octet differs: 10.0.10.0/24 rather than 10.0.20.0/24).

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each route in a table specifies a destination CIDR and a target (for example, traffic destined for 172.16.0.0/12 is targeted for a virtual private gateway). If a subnet does not have a route to the Internet (0.0.0.0/0) through a gateway, the subnet is known as a private subnet.

Next you will create a custom private route table for a VPC using the Amazon VPC Dashboard.


5. In the navigation pane, click Route Tables, then Create Route Table to open the dialog box:

  • Name tag: Enter PrivateRouteTable (This will be the name of your route table. A tag is created with a key of Name and PrivateRouteTable as the value.)

  • VPC: Select cloudacademy-labs from the VPC list.

Select Yes, Create when ready to proceed.

Next you will replace the default route table association of the private subnet with the new route table you just created. Continue with the instructions below to change the subnet's route table association.

6. With the PrivateRouteTable selected:

  • Switch to the Routes tab, and click Edit

  • Click Add another route and enter 0.0.0.0/0 in the Destination field

  • Select the internet gateway named labs-gw as the Target. Important! This is a temporary setting. Later, you will add a NAT instance and change the Target for the PrivateRouteTable to that NAT instance. (In this Lab, the NAT instance is intentionally added last for learning purposes, which requires a minor change to the private route table once the NAT instance is created and available.)

  • Click Save

Once the NAT instance is in place, this route is what sends traffic from instances on your private subnet destined for hosts on the internet through the NAT instance. Until then the default route targets the internet gateway, which by AWS's definition makes Private-A a public subnet; instances launched there without a public IP address are still not reachable from the internet, but the target should be switched as soon as the NAT instance is available.

7. Take note of the Route Table ID for the PrivateRouteTable:


You will need this ID to select the table as the private subnet's route table.

8. Click Subnets from the left navigation pane, then select the Private-A subnet.


9. Switch to the Route Table tab and click the Edit route table association button. In the Edit route table association form, change the Route Table ID to the one you noted in step 7.

The route table currently provides access to the public internet through the second route, but as mentioned before, you will change that route's Target to a NAT instance in a later Lab Step.

10. Click Save, then Close.
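As an added check that is not part of the lab, the following Python applies the route-table definition of a private subnet given above to constructed route-table records in the shape of `aws ec2 describe-route-tables` output, and validates a new subnet CIDR against the VPC and the existing public subnet. The VPC CIDR 10.0.0.0/16, the resource IDs and the second route table are assumed placeholders.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-route-tables` output; the IDs,
# the VPC CIDR 10.0.0.0/16 and the second table are placeholders, not lab data.
ROUTE_TABLES = [
    {  # PrivateRouteTable after step 6: 0.0.0.0/0 still targets the internet gateway
        "RouteTableId": "rtb-PLACEHOLDER-1",
        "Associations": [{"SubnetId": "subnet-PRIVATE-A"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
        ],
    },
    {  # the same layout once the default route targets a NAT instance instead
        "RouteTableId": "rtb-PLACEHOLDER-2",
        "Associations": [{"SubnetId": "subnet-PRIVATE-B"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-NAT-PLACEHOLDER"},
        ],
    },
]

def classify_subnets(route_tables):
    """Map each associated subnet to "public", "private" or "isolated".
    Public: 0.0.0.0/0 goes to an internet gateway (igw-*); private: the default
    route targets anything else (NAT instance/gateway); isolated: no default route."""
    kinds = {}
    for table in route_tables:
        defaults = [r for r in table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not defaults:
            kind = "isolated"
        elif any(r.get("GatewayId", "").startswith("igw-") for r in defaults):
            kind = "public"
        else:
            kind = "private"
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:  # skip the main-table association, which has no subnet
                kinds[assoc["SubnetId"]] = kind
    return kinds

def check_subnet_cidr(vpc_cidr, existing_cidrs, new_cidr):
    """Reject a subnet CIDR that lies outside the VPC or overlaps an existing subnet."""
    vpc, new = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(new_cidr)
    if not new.subnet_of(vpc):
        return "outside VPC"
    for cidr in existing_cidrs:
        if new.overlaps(ipaddress.ip_network(cidr)):
            return "overlaps " + cidr
    return "ok"
```

With the temporary setting from step 6, Private-A classifies as public; it becomes private only once the default route targets the NAT instance.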

Validation checks

1 check: Created Subnets

Check if all the subnets have been created in the Lab environment
