Lab Steps

Logging in to the Amazon Web Services Console
Creating a VPC
Creating a VPC Internet Gateway
Creating a Public Subnet
Creating a Bastion Host
Creating a Private Subnet
Creating a Network ACL for a Private Subnet
Adding Rules to a Private Network ACL
Launching an EC2 Instance on a Private Subnet
Launching a Network Address Translation (NAT) instance
Testing access of Private Subnet Instances
Highlights of Securing your VPC
Need help? Contact our support team

Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.


The simplest way to create a subnet for your VPC is using the AWS Management Console. In this Lab Step you will create a public subnet in the VPC you created earlier. As implied by the name, a public subnet is typically for resources that require ingress and/or egress to the public internet. A common use case for this is a DNS server, and a load balancer sitting in front of front-end webservers or web applications.


1. From the VPC Dashboard, click Subnets in the left navigation pane. The Subnets page lists all previously created subnets.


2. Select the cloudacademy-labs VPC from the options listed in the Filter by VPC located at the top of the left-hand navigation pane of the VPC Dashboard:


Note: You may need to refresh your browser tab to be able to select the cloudacadeylabs-vpc from the Filter by VPC list.

Since you do not have any subnets in the VPC previously created, it should be blank after using the filter. (Prior to the filter, you likely had three subnets already listed that were attached to a previously created VPC in the student account.)


3. Click Create Subnet. In the Create Subnet dialog, specify the following Subnet details:

  • Name tag: Enter Public-A (This is the name for your subnet. A tag with a key of Name and the value "Public-A" is created.)
  • VPC: Select the  cloudacademy-labs VPC
  • Availability Zone: Select us-west-2a from the drop-down menu
  • CIDR block: Enter (Specify a CIDR block in the selected VPC.)


Click Create when ready to proceed, followed by Close.

The new subnet will be deployed into the selected VPC, and into the selected Availability Zone. Next you will need to setup the route table.

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each route in a table specifies a destination CIDR and a target (for example, traffic destined for is targeted for the virtual private gateway).  If a subnet has a route with the destination ( and Internet Gateway as the target, the subnet is known as a public subnet. You can create a custom route table for your VPC using the Amazon VPC console.


4. In the left navigation pane, click Route Tables, then Create Route Table. A Create Route Table dialog is opened up. Fill out accordingly:

  • Name tag: Enter PublicRouteTable. This is the name for your subnet; doing so creates a tag with a key of Name and the value that you specify.

  • VPC: Select the cloudacademy-labs from the drop-down menu. 


Click Yes, Create when ready to proceed. 


5. With the PublicRouteTable selected, switch to the Routes tab, and click Edit.

  • Click Add another route 
  • In the new rule set Destination to  and Target to Internet Gateway -> labs-gw 

Click Save when ready to proceed. Next you will change the default route table of the public subnet to include the new route table. (Note:  The precise ID of your route table will include different random alphanumerics.)


6. From Virtual Private Cloud > Subnets in the left navigation pane, select the Public-A subnet, switch to the Route Table tab, and click the Edit route table association button. In the Edit route table association form, change the Route Table ID to the one that isn't selected by default (that will be the PublicRouteTable). Confirm that the internet gateway route is displayed in the routes:


Then click Save and Close. The default route table only has local routing (Destination with Target local). You need a route to the internet via the Internet Gateway as the destination, associated to your VPC, so you used the PublicRouteTable instead.



Now you have a public subnet in your VPC with a route to the Internet (via the labs-gw Internet Gateway) for all traffic.

Validation checks
Connected Internet Gateway to the Route Table

Connected an internet gateway to a non-default VPC route table

Networking for AWS