Securing your VPC using Public and Private Subnets

Creating a Public Subnet

Lab Steps

Logging In to the Amazon Web Services Console

Creating a VPC

Creating a VPC Internet Gateway

Creating a Bastion Host

Creating a Private Subnet

Creating a Network ACL for a Private Subnet

Adding Rules to a Private Network ACL

Launching an EC2 Instance on a Private Subnet

Launching a Network Address Translation (NAT) Gateway

Testing access of Private Subnet Instances

Highlights of Securing your VPC

Need help? Contact our support team

Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.

You can pause this lab for
(up to) 1h

Introduction

As implied by the name, a public subnet will hold resources that require ingress and/or egress to the public internet. A common use case for this is a DNS server, or a load balancer sitting in front of front-end web servers or web applications.

In this lab step, you will create a public subnet in your VPC.

Instructions

1. In the VPC Dashboard, click Subnets in the left navigation pane:

The Subnets page lists all previously created subnets.

2. Click Create subnet:

3. Configure the following subnet details:

VPC ID: Select cloudacademy-labs
Subnet name: Enter Public-A (This is the name for your subnet. A tag with a key of Name and the value "Public-A" is created)
Availability Zone: Select us-west-2a from the drop-down menu
CIDR block: Enter 10.0.20.0/24

alt

4. Click Create subnet:

The new subnet will be deployed into the selected VPC, and into the selected Availability Zone.

Next, you will need to set up the route table.

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each route in a table specifies a destination CIDR and a target (for example, traffic destined for 172.16.0.0/12 is targeted for the virtual private gateway). If a subnet has a route with the destination (0.0.0.0/0) and Internet Gateway as the target, the subnet is known as a public subnet. You can create a custom route table for your VPC using the Amazon VPC console.

5. In the left-hand navigation pane, click the Filter by VPC field and select the cloudacademy-labs VPC from the drop-down:

alt

Note: You may need to refresh your browser tab to be able to select the cloudacademy-labs VPC from the Filter by VPC field.

6. In the left navigation pane, click Route Tables:

7. Click Create route table:

8. Configure the following route table settings:

Name: Enter PublicRouteTable
VPC: Select the cloudacademy-labs VPC from the drop-down menu

alt

9. Scroll to the bottom of the page and click Create route table:

10. On the route details page, switch to the Routes tab and click Edit routes:

11. Click Add route:

12. Configure the following route settings:

Destination: Enter 0.0.0.0/0
Target: Select Internet Gateway, then labs-gw

13. Click Save changes:

Up next, you will change the default route table of the public subnet to include the new route table.

14. In the left-hand navigation pane, click Subnets.

15. Select the Public-A subnet and click the Route table tab

16. Click the Edit route table association button:

alt

17. Select PublicRouteTable from the Route table ID drop-down menu and confirm the following routes:

alt

Note: The internet gateway under your target will differ from the ID above.

18. Click Save:

This subnet will require a route to the internet, so the associated route table has now been configured to use PublicRouteTable to determine traffic rules.

Summary

In this lab, you created a public subnet in your VPC and associated it with a route table with access to the public internet.

Validation checks

1Checks

Connected Internet Gateway to the Route Table

Connected an internet gateway to a non-default VPC route table

Networking for AWS