Lab Steps

Logging In to the Amazon Web Services Console
Creating a VPC
Creating a VPC Internet Gateway
Creating a Public Subnet
Creating a Bastion Host
Creating a Private Subnet
Creating a Network ACL for a Private Subnet
Adding Rules to a Private Network ACL
Launching an EC2 Instance on a Private Subnet
Launching a Network Address Translation (NAT) Gateway
Testing access of Private Subnet Instances
Highlights of Securing your VPC

In this lab step, you will create a private subnet. A common use case for private subnets is to configure resources for a back-end tier, such as database servers that should not be accessible from the internet. However, you may eventually want these back-end database servers to access the internet for operating system updates or to be accessible by administrators via a bastion host.



1. In the AWS Management Console search bar, enter VPC, and click the VPC result under Services:



2. Select cloudacademy-labs in the Filter by VPC field.


3. Click Subnets in the left navigation pane. The Subnets page lists previously created subnets.


4. Click Create Subnet and specify the following details: 

  • VPC ID: Select the cloudacademy-labs VPC from the drop-down menu
  • Subnet name: Enter Private-A
  • Availability Zone: Select us-west-2a 
  • CIDR block: Enter as the CIDR block of your subnet


5. Click Create subnet:


The created subnet is automatically attached to the default VPC Route table and the default Network ACL. Note that the CIDR block differs from the public subnet created previously. The third octet differs, not

If a subnet does not have a route to the Internet through a gateway, the subnet is known as a private subnet.

Next, you will create a custom private route table.


6. In the navigation pane, click Route Tables, then Create route table to open the dialog box:



7. Click Create route table and configure the following:

  • Name: Enter PrivateRouteTable
  • VPC: Select cloudacademy-labs



8. Click Create route table:



9. In the PrivateRouteTable details page, in the Routes tab, click Edit routes:



10. Click Add route and configure the following route settings:

  • Destination: Enter
  • Target: Select Internet Gateway, then labs-gw


Important: This is a temporary target value. Later in this lab, you will add a NAT device (gateway or instance) and update the Target of the PrivateRouteTable to the NAT device. You are intentionally adding the NAT device last for learning purposes, which will require a minor change to the private route table once the NAT device is created and available.

This route will eventually send traffic originating from your private subnet and bound for the public internet to a NAT device.


11. Click Save changes:



12. Click Subnets from the left navigation pane, then select the Private-A subnet.


13. In the Route Table tab, click Edit route table association:



14. Select PrivateRouteTable from the Route table ID drop-down menu:



15. Click Save:




In this lab step, you created a private subnet and an associated route table. The route table currently has access to the public internet through the route, but as mentioned before, you will update the target to a NAT device in a later lab step.
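Because the PrivateRouteTable currently sends internet-bound traffic to the labs-gw Internet Gateway, Private-A is, by the definition given above, still a public subnet until the NAT device is added. The following added example (not part of the Cloud Academy lab) applies that definition to route-table data shaped like `aws ec2 describe-route-tables` and `describe-subnets` output, classifies each subnet as public, private (NAT) or isolated, and flags subnets that are meant to be private but whose default route still targets an Internet Gateway. The subnet and route table names follow the lab; all IDs and CIDR blocks are constructed placeholders.

```python
"""Classify VPC subnets as public, private or isolated from route-table data.

Added example, not part of the lab. Definition used (from the lab text): a
subnet whose route table sends internet-bound traffic (0.0.0.0/0) to an
Internet Gateway is public; one that sends it to a NAT device is private;
one with no such active route is isolated. Input mirrors the shape of
`aws ec2 describe-route-tables` / `describe-subnets` responses, but every
ID, name tag and CIDR block below is a constructed sample value.
"""
import copy
import json
from typing import Dict, Iterable, List

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample data (placeholders, not the lab's real IDs or CIDRs).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "CidrBlock": "10.0.0.0/24",
     "Tags": [{"Key": "Name", "Value": "Public-A"}]},
    {"SubnetId": "subnet-0bbb", "CidrBlock": "10.0.1.0/24",
     "Tags": [{"Key": "Name", "Value": "Private-A"}]},
    {"SubnetId": "subnet-0ccc", "CidrBlock": "10.0.2.0/24",
     "Tags": [{"Key": "Name", "Value": "Isolated-A"}]},
]

SAMPLE_ROUTE_TABLES = [
    {   # main route table of the VPC: local route only
        "RouteTableId": "rtb-main",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
        "Associations": [{"Main": True}],
    },
    {   # public route table: default route to the Internet Gateway
        "RouteTableId": "rtb-public",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-labs", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-0aaa"}],
    },
    {   # PrivateRouteTable as it stands at the end of this lab step: temporary IGW target
        "RouteTableId": "rtb-private",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-labs", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-0bbb"}],
    },
]


def name_of(resource: dict) -> str:
    """Return the Name tag, falling back to the resource ID."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == "Name"),
                resource.get("SubnetId", "?"))


def effective_route_table(subnet_id: str, route_tables: List[dict]) -> dict:
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def classify(route_table: dict) -> str:
    """Classify by the target of the active 0.0.0.0/0 route, if any."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") != DEFAULT_ROUTE or r.get("State") != "active":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"
        # NAT gateway routes carry NatGatewayId; NAT instance routes carry InstanceId.
        if r.get("NatGatewayId", "").startswith("nat-") or r.get("InstanceId", "").startswith("i-"):
            return "private"
    return "isolated"


def audit(subnets: List[dict], route_tables: List[dict]) -> Dict[str, str]:
    """Map each subnet name to its classification."""
    return {name_of(s): classify(effective_route_table(s["SubnetId"], route_tables)) for s in subnets}


def misconfigured_private_subnets(subnets: List[dict], route_tables: List[dict],
                                  expected_private: Iterable[str]) -> List[str]:
    """Subnets meant to be private whose default route still points at an Internet Gateway."""
    result = audit(subnets, route_tables)
    return sorted(n for n in expected_private if result.get(n) == "public")


def retarget_default_route_to_nat(route_tables: List[dict], route_table_id: str,
                                  nat_gateway_id: str) -> List[dict]:
    """Return a copy in which the named table's 0.0.0.0/0 route targets a NAT gateway (the later lab step)."""
    updated = copy.deepcopy(route_tables)
    for rt in updated:
        if rt["RouteTableId"] != route_table_id:
            continue
        for r in rt["Routes"]:
            if r.get("DestinationCidrBlock") == DEFAULT_ROUTE:
                r.pop("GatewayId", None)
                r["NatGatewayId"] = nat_gateway_id
    return updated


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES), indent=2))
    print("misconfigured:", misconfigured_private_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, {"Private-A"}))
    fixed = retarget_default_route_to_nat(SAMPLE_ROUTE_TABLES, "rtb-private", "nat-0ddd")
    print("after NAT retarget:", audit(SAMPLE_SUBNETS, fixed))
```

Run against the sample, Private-A is reported as public and listed as misconfigured; after `retarget_default_route_to_nat` swaps the temporary Internet Gateway target for a NAT gateway, as the later lab step does, it is reported as private. To check a real account, replace the two sample lists with the `RouteTables` and `Subnets` arrays returned by the corresponding `aws ec2 describe-*` calls.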

Validation checks
Created Subnets

Check if all the subnets have been created in the Lab environment

Amazon VPC