This Article is designed to cover the process of setting up an Amazon AWS VPC with two distinct subnets one “private” with no direct access from public internet and a public subnet which can be accessed from the public internet.
NOTE: Setting some of this up will of course incur Amazon charges so be sure you are prepared for this.
As someone with a strong networking background, I felt setting up an AWS VPC with a public and private subnet would by and large be a breeze. And in all honesty I was right, however there are a couple key concepts you need to grasp early on.
Firstly the two network types “private” and “public”, I will explain the distinction here. Now you might be thinking, When I setup a VPC I believe that all resources are “private”. This is of course true in as much as the VPC and the instances contained within are private to you, and no other AWS user can “see” them. However, a private network is a subnet within your VPC which contains hosts that cannot be accessed publicly, and can only make outbound connections to other vpc subnets, or with the assistance of a EC2 Based NAT Instance, the internet. A private network would not be a good location for a Web Server, but it would be a good place for database server. On the other hand a “public” network can be made enabling you to publish a web or application server and through the use of public ip addresses or Elastic loadbalancing.
The second important concept to graps is that hosts within a subnet designated as public and those hosts within a subnet designated provate communicate to the internet using different methods. Hosts within a public network must route their traffic via an internet gateway, whereas hosts within the private network must connect via a dedicated EC2 Instance or a NAT Gateway which provides NATted connectivity.
1. Set up the AWS VPC
Login into your AWS console. and select the VPC “Isolated Cloud Resources” icon.
This will present you with the “VPC Dashboard. Click on “Create VPC” and when prompted add a name and Cidr block. In my example I am going to use 10.91.0.0 / 16.
2. Set up a couple of subnets, one “private” and one “public”
From the “Virtual Private Cloud” menu choose Subnets, then choose “Create Subnet”
Enter a name for each, select the VPC you created an appropriate CIDR subnet within the range of the CIDR VPC. So in my case my VPC range is 10.91.0.0/16 I will will create a public subnet of 10.91.1.0/24 and a private subnet of 10.91.2.0/24.
3. Create an Internet Gateway
Now by now I expect you to have one VPC and two subnets likes so:
Let’s add an Internet Gateway so we can get the public subnet hooked up to the internet.
Choose “Internet Gateways” from the “Virtual Private Cloud” menu.
And now create an Internet Gateway, in my example I have created a virtual router named myGateway with an ID igw-726b8017
We also need to Attach it to a VPC, so go ahead and do this,
4. Setup a route table and attach it to the public subnet
Under the Virtual Private Cloud menu choose the Route Tables and create one. Mine is called “myRoutes”.
Now we need to create a “default route” to the internet. This is done under the routes tab of the route table you just created, so edit this route and add a destination of 0.0.0.0/0 and set the target to the router (myRouter / igw-726b8017 ) we created in the previous step.
Finally let’s associate the route with the public subnet, so choose the “Subnet Associations” tab, choose the public subnet and associate the route.
5. Lets put an EC2 Instance in the public subnet and hook it to the internet via this gateway.
Go to the EC2 dashboard and and launch and Instance.
I am going to choose the Amazon Linux for this test instance and I am going to drop it in the “public” subnet I created earlier.
Now it is time to apply an elastic IP so we can connect to it. From the Network and Security menu choose “Elastic IPs”
Now hit “allocate new address”, this will prompt you to confirm i really want to do this, which I do.
Below you can see I have been given an IP address of 18.104.22.168. So I simply associate that with my newly created instance
Now you are ready to test. Using your SSH client machine which in my case is Putty I connect to the instance using this newly assigned elastic IP.
If all has gone well our instance will prompt you to login. Awesome!
Now move to Part 2 to get EC2 instances onto a private network within your VPC infrastructure.