Lab Steps

Logging in to the Amazon Web Services Console
Creating a VPC
Creating a VPC Internet Gateway
Creating a Public Subnet
Creating a Bastion Host
Creating a Private Subnet
Creating a Network ACL for a Private Subnet
Adding Rules to a Private Network ACL
Launching an EC2 Instance on a Private Subnet
Launching a Network Address Translation (NAT) instance
Testing access of Private Subnet Instances
Highlights of Securing your VPC



In this Lab Step you will create a private subnet. A common use for a private subnet is a back-end tier, such as database servers, that must not be reachable from the internet. Those servers may still need outbound access to the internet (for OS updates, for example), and administrators may need to reach them through the bastion host created in the previous Lab Step; both paths are set up in the Lab Steps that follow.



1. Navigate to Services > Networking & Content Delivery > VPC to open the VPC Dashboard:



2. In the VPC Dashboard, set Filter by VPC to the cloudacademy-labs VPC.


3. Click Subnets in the left navigation pane. The Subnets page lists previously created subnets.


4. Click Create Subnet. In the Create Subnet dialog box, specify the following details: 

  • Name tag: Enter Private-A  (This will be the name for your subnet)
  • VPC: Select the cloudacademy-labs VPC from the drop-down menu
  • Availability Zone: Select us-west-2a 
  • CIDR block: Enter as the CIDR block of your VPC


Click Yes, Create when ready to proceed, then Close.

The new subnet is automatically associated with the VPC's main route table and the VPC's default network ACL. Note that the CIDR block differs from that of the public subnet created previously. (That is, the third octet differs:, not

A route table contains a set of rules, called routes, that determine where network traffic is directed. Each route specifies a destination CIDR and a target (for example, traffic destined for is targeted for a virtual private gateway). If a subnet's route table has no route to the internet ( through an internet gateway, the subnet is known as a private subnet. It is the route table, not any property of the subnet itself, that makes a subnet public or private.

Next you will create a custom private route table for a VPC using the Amazon VPC Dashboard.


5. In the navigation pane, click Route Tables, then Create Route Table to open the dialog box:

  • Name tag: Enter PrivateRouteTable (This will be the name of your route table.)

  • VPC: Select cloudacademy-labs from the VPC list.

Select Yes, Create when ready to proceed.

Next you will replace the private subnet's current route table association (the VPC's main route table) with the route table you just created. Continue with the instructions below to change the subnet's route table association.


6. With the PrivateRouteTable selected:

  • Switch to the Routes tab, and click Edit

  • Click Add another route and enter in the Destination field

  • Select the internet gateway named labs-gw as the Target. Important! This is a temporary setting. Later, you will add a NAT instance and change the Target for the PrivateRouteTable to that NAT instance. (In this Lab the NAT instance is intentionally added last for learning purposes, which will require a minor change to the private route table once the NAT instance is created and available.)

  • Click Save

Once completed, this route is designed so that traffic from instances on your private subnet destined for hosts on the internet goes through a NAT instance. Be aware of what the temporary setting means in the meantime: a 0.0.0.0/0 route whose target is an internet gateway is exactly what defines a public subnet, so until the Target is switched to the NAT instance, Private-A is technically public. An instance there that is given a public or Elastic IP address would be reachable from the internet, while an instance without one cannot reach the internet through the gateway at all, because an internet gateway does not translate private addresses.


7. Take note of the Route Table ID for the PrivateRouteTable:


You will need the ID to select this table as the private subnet's route table.


8. Click Subnets from the left navigation pane, then select the Private-A subnet.


9. Switch to the Route Table tab, and click the Edit route table association button. In the Edit route table association form, change the Route Table ID to the one you noted in step 7:


The route table currently provides a path to the public internet through its second route (the default route to the internet gateway), but as mentioned before, you will change that route's Target to a NAT instance in a later Lab Step. Until then, the subnet should not be relied on as private.


10. Click Save, then Close.
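The definition above (a subnet is private only if its route table has no default route to an internet gateway) can be checked mechanically rather than by reading the console. The following is an added example written for this page, not part of the lab or of any AWS tooling. It reads JSON in the shape returned by `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` (here a constructed sample that mirrors the state of Private-A and PrivateRouteTable at the end of this Lab Step; the CIDRs and resource IDs are assumed values, not the lab's), verifies that each subnet's CIDR lies inside the VPC's and does not overlap a sibling subnet, and classifies each subnet as public or private from the target of its associated route table's 0.0.0.0/0 route, falling back to the main route table for subnets with no explicit association. It also models the later change to a NAT instance as an in-memory rewrite of that route, so the same audit shows the subnet becoming private.

```python
"""Audit whether a VPC's subnets are really private, from AWS CLI JSON output."""
import ipaddress
import json

# Constructed sample data mirroring the lab's state at the end of this Lab Step.
# IDs and CIDRs are assumed values, not the lab's. Shapes follow the output of
# `aws ec2 describe-subnets` and `aws ec2 describe-route-tables`.
VPC_CIDR = "10.0.0.0/16"

SUBNETS_JSON = json.dumps({"Subnets": [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0labs", "CidrBlock": "10.0.0.0/24",
     "AvailabilityZone": "us-west-2a", "MapPublicIpOnLaunch": True,
     "Tags": [{"Key": "Name", "Value": "Public-A"}]},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0labs", "CidrBlock": "10.0.1.0/24",
     "AvailabilityZone": "us-west-2a", "MapPublicIpOnLaunch": False,
     "Tags": [{"Key": "Name", "Value": "Private-A"}]},
]})

ROUTE_TABLES_JSON = json.dumps({"RouteTables": [
    # The VPC's main route table: only the local route, no path to the internet.
    {"RouteTableId": "rtb-0main", "VpcId": "vpc-0labs", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-0pub", "VpcId": "vpc-0labs",
     "Tags": [{"Key": "Name", "Value": "PublicRouteTable"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-0aaa"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0labs", "State": "active"}]},
    # PrivateRouteTable as left by step 6: default route still via the internet gateway.
    {"RouteTableId": "rtb-0priv", "VpcId": "vpc-0labs",
     "Tags": [{"Key": "Name", "Value": "PrivateRouteTable"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-0bbb"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0labs", "State": "active"}]},
]})

# Keys under which a route's target can appear in describe-route-tables output.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId")


def name_of(resource):
    """Name tag if present, else the resource ID."""
    tags = {t["Key"]: t["Value"] for t in resource.get("Tags", [])}
    return tags.get("Name") or resource.get("SubnetId") or resource.get("RouteTableId")


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def default_route_target(rt):
    """Target ID of the active 0.0.0.0/0 route, or None if the table has none."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            return next(r[k] for k in TARGET_KEYS if k in r)
    return None


def audit(subnets_json, route_tables_json, vpc_cidr):
    """Classify each subnet as public/private and flag CIDR and routing mistakes."""
    subnets = json.loads(subnets_json)["Subnets"]
    route_tables = json.loads(route_tables_json)["RouteTables"]
    vpc_net = ipaddress.ip_network(vpc_cidr)
    seen, report = [], {}
    for s in subnets:
        net = ipaddress.ip_network(s["CidrBlock"])
        findings = []
        if not net.subnet_of(vpc_net):
            findings.append("cidr-outside-vpc")
        if any(net.overlaps(other) for other in seen):
            findings.append("cidr-overlaps-sibling-subnet")
        seen.append(net)
        rt = route_table_for(s["SubnetId"], route_tables)
        target = default_route_target(rt)
        if target is not None and target.startswith("igw-"):
            tier = "public"  # a default route to an IGW is what makes a subnet public
            if not s.get("MapPublicIpOnLaunch"):
                # Without public IPs the IGW route gives no internet access anyway;
                # it should point at a NAT instance or NAT gateway instead.
                findings.append("igw-default-route-without-public-ips")
        else:
            tier = "private"  # no default route, or one via NAT/ENI (outbound only)
        report[name_of(s)] = {"tier": tier, "route_table": name_of(rt),
                              "default_route": target, "findings": findings}
    return report


def replace_default_route(route_tables_json, route_table_name, target_key, target_id):
    """Return the JSON with the named table's 0.0.0.0/0 route retargeted (models the
    later change to a NAT instance). Rewrites the document only; it does not call AWS."""
    doc = json.loads(route_tables_json)
    for rt in doc["RouteTables"]:
        if name_of(rt) == route_table_name:
            for r in rt["Routes"]:
                if r.get("DestinationCidrBlock") == "0.0.0.0/0":
                    for k in TARGET_KEYS:
                        r.pop(k, None)
                    r[target_key] = target_id
    return json.dumps(doc)


if __name__ == "__main__":
    print(json.dumps(audit(SUBNETS_JSON, ROUTE_TABLES_JSON, VPC_CIDR), indent=2))
    fixed = replace_default_route(ROUTE_TABLES_JSON, "PrivateRouteTable", "InstanceId", "i-0nat")
    print(json.dumps(audit(SUBNETS_JSON, fixed, VPC_CIDR), indent=2))
```

Against a live account, pass the output of the two CLI commands as the two JSON arguments. With the sample data, Private-A is reported as public with the finding igw-default-route-without-public-ips, which is precisely the interim state this Lab Step leaves it in; after the default route is retargeted to the NAT instance ID, the same subnet is reported as private with no findings.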

Validation checks
Created Subnets

Check that all the subnets have been created in the Lab environment.
