Setting Up an AWS VPC with a Private and Public Subnets Part 1

Introduction

This Article is designed to cover the process of setting up an Amazon AWS  VPC with two distinct subnets one “private” with no direct access from public internet and a public subnet which can be accessed from the public internet.

NOTE: Setting some of this up will of course incur Amazon charges so be sure you are prepared for this.

Key Concepts

As someone with a strong networking background, I felt setting up an AWS VPC with a public and private subnet would by and large be a breeze. And in all honesty I was right, however there are a couple key concepts you need to grasp early on.

Firstly the two network types “private” and “public”, I will explain the distinction here. Now you might be thinking, When I setup a VPC I believe that all resources are “private”.  This is of course true in as much as the VPC and the instances contained within are private to you, and no other AWS user can “see” them. However, a private network is a subnet within your VPC which contains hosts that cannot be accessed publicly, and can only make outbound connections to other vpc subnets, or with the assistance of a EC2 Based NAT Instance, the internet.  A private network would not be a good location for a Web Server, but it would be a good place for database server.  On the other hand a “public” network can be made enabling you to publish a web or application server and through the use of public ip addresses or Elastic loadbalancing.

The second important concept to graps is that hosts within a subnet designated as public and those hosts within a subnet designated provate communicate to the internet using different methods.  Hosts within a public network must route their traffic via an internet gateway, whereas hosts within the private network must connect via a dedicated EC2 Instance or a NAT Gateway which provides NATted connectivity.

1. Set up the AWS VPC

Login into your AWS console.  and select the VPC “Isolated Cloud Resources” icon.

This will present you with the “VPC Dashboard.  Click on “Create VPC” and when prompted add a name and  Cidr block.  In my example I am going to use 10.91.0.0 / 16.

create_aws_vpc

 2. Set up a couple of subnets, one “private”  and one “public”

From the “Virtual Private Cloud” menu choose Subnets, then choose “Create Subnet”

create_aws_subnet_1

 

 

Enter a name for each, select the VPC you created an appropriate CIDR subnet within the range of the CIDR VPC.  So in my case my VPC range is 10.91.0.0/16 I will will create a public subnet of 10.91.1.0/24 and a private subnet of 10.91.2.0/24.

create_aws_subnet_public

 

3. Create an Internet Gateway

Now by now I expect you to have one VPC and two subnets likes so:

aws_subnet_list

Let’s add an Internet Gateway so we can get the public subnet hooked up to the internet.

Choose “Internet Gateways” from the “Virtual Private Cloud” menu.

And now create an Internet Gateway, in my example I have created a virtual router named myGateway with an ID igw-726b8017

 

aws_create_internet_gateway

 

We also need to Attach it to a VPC, so go ahead and do this,

aws_attach_to_vpc

 

 

 4. Setup a route table and attach it to the public subnet

Under the Virtual Private Cloud menu choose the Route Tables and create one.  Mine is called “myRoutes”.

Now we need to create a “default route” to the internet.  This is done under the routes tab of the route table you just created, so edit this route and add a destination of  0.0.0.0/0  and set the target to the router (myRouter / igw-726b8017 ) we created in the previous step.

aws_create_route_table

 

 

Finally  let’s associate the route with the public subnet, so choose the “Subnet Associations” tab,  choose the public subnet and associate the route.

5. Lets put an EC2 Instance in the public subnet and hook it to the internet via this gateway.

Go to the EC2 dashboard and and launch and Instance.

aws_ec2_launch_instance

 

I am going to choose the Amazon Linux for this test instance and I am going to drop it in the “public” subnet I created earlier.

aws_configure_instance_details

 

Now it is time to apply an elastic IP so we can connect to it.   From the Network and Security menu choose “Elastic IPs”

Now hit “allocate new address”, this will prompt you to confirm i really want to do this, which I do.

Below you can see I have been given an IP address of 54.171.193.235.  So I simply associate that with my newly created instance

aws_associate_elastic_ip

 

Now you are ready to test.  Using your SSH client machine which in my case is Putty I connect to the instance using this newly assigned elastic IP.

If all has gone well our instance will prompt you to login.  Awesome!

 

Now move to Part 2 to get EC2 instances onto a private network within your VPC infrastructure.

 

Comments are closed.