Creating Your Own Virtual Private Cloud (VPC) on AWS: A Practical Walkthrough


In this article, we will guide you through the process of creating a custom Virtual Private Cloud (VPC) on Amazon Web Services (AWS). A VPC allows you to have complete control over your virtual network environment, including IP address ranges, subnets, route tables, and network gateways. By following the step-by-step instructions provided, you will be able to set up both public and private subnets within your VPC, configure security groups and network ACLs to control inbound and outbound traffic, and launch EC2 instances in both subnets.

Table of Contents:

  1. Creating a Custom VPC

    1.1 Search and Navigate to VPC Service

    1.2 Create VPC with VPC Settings

    1.3 Copy the VPC ID for Future Reference

  2. Creating Subnets (Public and Private)

    2.1 Creating a Private Subnet

    2.2 Creating a Public Subnet

  3. Creating and Attaching an Internet Gateway

    3.1 Create an Internet Gateway

    3.2 Attach the Internet Gateway to the VPC

  4. Creating Route Tables

    4.1 Create a Route Table for Private Subnet

    4.2 Create a Route Table for Public Subnet

    4.3 Configure Public Route Table

  5. Attaching Subnets to Route Tables

    5.1 Attach the Public Subnet to the Public Route Table

    5.2 Attach the Private Subnet to the Private Route Table

  6. Configuring Security Group and Network ACL

    6.1 Configuring Security Group

    6.2 Configuring Network ACL

  7. Creating EC2 Instances in Public and Private Subnets

    7.1 Creating EC2 Instance in Public Subnet

    7.2 Creating EC2 Instance in Private Subnet

  8. Testing Access to the Instances

The following are the key concepts for VPCs:

Virtual private cloud (VPC) — A virtual network dedicated to your AWS account.

Subnet — A range of IP addresses in your VPC.

Internet gateway — A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.

Route table — A set of rules, called routes, that are used to determine where network traffic is directed.

CIDR block — Classless Inter-Domain Routing. An internet protocol address allocation and route aggregation methodology.

Creating a Custom VPC: To create a custom VPC, we begin by navigating to the VPC service on AWS and selecting the "Create VPC" option. In the VPC settings, we specify the VPC-only configuration, assign a name tag and an IPv4 CIDR block. After confirming the settings, the VPC is created.

Creating Subnets: We create both public and private subnets within the VPC. The public subnet allows connectivity to the internet, while the private subnet is isolated from the internet. Each subnet is associated with a specific availability zone (AZ) and has its own IPv4 CIDR block.

Creating an Internet Gateway: To provide internet access to the VPC, we create an internet gateway and attach it to the VPC. This allows traffic to flow in and out of the VPC.

Creating Route Tables: We create separate route tables for the public and private subnets. The public route table is configured to route traffic to the internet gateway, enabling outbound connectivity. The private route table ensures internal communication between subnets within the VPC.

Configuring Security Groups and Network ACLs: Security groups are used to control inbound and outbound traffic at the instance level, while network ACLs provide additional control at the subnet level. We configure security groups to restrict inbound traffic from the internet and update network ACLs to allow traffic only from specific IP addresses.

Creating EC2 Instances in Public and Private Subnets: We launch EC2 instances in both the public and private subnets. The instances are associated with the appropriate security groups and key pairs. This allows for secure access to the instances.

Testing Access to the Instances: We verify access to the instances by pinging the public IP of the public EC2 instance and confirming successful connectivity. This ensures that the networking setup is functioning correctly.

Creating a custom VPC

Search for VPC in the search box, click on VPC (Isolated Cloud Resources) in the dropdown search results, and make sure you are in the US-East (N. Virginia) region.

Click on 'VPC' to navigate to the VPC service and click on the “Create VPC” button.

In the Create VPC view, under VPC Settings, click the radio button “VPC only”, then enter a name tag (e.g. nahid-vpc). Then, for the IPv4 CIDR block, enter the VPC's IP address range in CIDR notation (10.0.0.0/16).

Retain the other default settings as they are, then scroll down to the bottom and click on Create VPC.

Now we have successfully created a VPC. Copy the VPC ID for future reference in this project.

Create Subnets (public and private subnet)

Now we will need to create subnets. Subnets are logical divisions of a VPC, and you can use them to control the traffic between different parts of your VPC. To create subnets, navigate to the Subnets section of the VPC service and click on the 'Create Subnet' button.

NOTE: Public subnets are created for connectivity to the internet and are where less sensitive resources are placed, while private subnets are isolated from the internet and are where sensitive resources are placed, protected from internet-facing attacks such as DDoS. We first create the private subnet before creating the public subnet.

Creating private subnet (10.0.0.0/24)

On the left pane of your VPC console, navigate to and click on Subnets below "Virtual Private Cloud". Then click on Create subnet.

On the create subnet page, under VPC ID, click on the dropdown for Select a VPC. Select your VPC (cloud-demo-vpc).

NB: You might have multiple VPCs in the dropdown menu, so make sure you select the same VPC ID

Next, under Subnet Settings, enter a subnet name for the private subnet (nahid-private-subnet) and enter the availability zone (us-east-1a) depending on your region.

NB: You can select an AZ of your choice. Then, for the IPv4 CIDR block, enter the IP range (e.g. 10.0.1.0/24) for the subnet. Once done, click Create subnet.

Creating a public subnet (10.0.2.0/24)

We have now created the private subnet. Next we create a public subnet in a different availability zone from the private subnet. On the same Subnets page, click on Create subnet.
NB: This process is similar to how we created the private subnet.

On the Create subnet page, select the VPC ID you created previously.
NB: You might have multiple VPCs in the dropdown menu, so make sure you select the same VPC ID.

Under Subnet Settings, enter a subnet name for the public subnet (e.g. nahid-public-subnet) and enter the Availability Zone (us-east-1b) depending on your region.

NB: You can select an AZ of your choice. Then, for the IPv4 CIDR block, enter the IP range (e.g. 10.0.2.0/24) for the subnet. Once done, click Create subnet.

Now we have both public and private subnets created in different AZs.
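Before clicking through the console it is worth checking the address plan on paper, because a subnet that falls outside the VPC CIDR or overlaps another subnet is rejected by AWS, and every subnet loses five addresses that AWS reserves (network address, VPC router, DNS, one reserved for future use, and broadcast). The following is an added example, not code from the original article; it uses only the Python standard library and the constructed values from this walkthrough (a 10.0.0.0/16 VPC with 10.0.1.0/24 and 10.0.2.0/24 subnets), and it generalizes to any number of subnets.

```python
import ipaddress

# Constructed example values matching the walkthrough: a /16 VPC and two /24 subnets.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "nahid-private-subnet": "10.0.1.0/24",
    "nahid-public-subnet": "10.0.2.0/24",
}

# AWS reserves five addresses in every subnet: the network address, the VPC
# router, the DNS resolver, one "future use" address, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def validate_subnet_plan(vpc_cidr, subnets):
    """Check that each subnet is a valid network, sits inside the VPC CIDR,
    and that no two subnets overlap.

    Returns a dict with the usable host count per valid subnet and a list of
    problems found (empty when the plan is sound).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    parsed = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects host bits set in the network part (e.g. 10.0.1.1/24),
            # which the console would also refuse.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC CIDR {vpc_cidr}")
        parsed[name] = net

    # Pairwise overlap check between all subnets that parsed correctly.
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")

    usable = {
        name: net.num_addresses - AWS_RESERVED_PER_SUBNET
        for name, net in parsed.items()
    }
    return {"usable_hosts": usable, "problems": problems}


if __name__ == "__main__":
    result = validate_subnet_plan(VPC_CIDR, SUBNET_PLAN)
    for name, hosts in result["usable_hosts"].items():
        print(f"{name}: {hosts} usable addresses")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

Run with the walkthrough's values the plan reports no problems and 251 usable addresses per /24; feeding it a subnet outside 10.0.0.0/16 or two subnets that overlap produces a problem line for each.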

Create Internet gateway

Now we create an Internet gateway and attach it to the custom VPC so that the VPC can reach the internet.

Click on Internet Gateways on the left pane under "Virtual Private Cloud". Then click “Create Internet Gateway”.

In the Create Internet Gateway view, enter a name tag (nahid-igw) for the Internet gateway. For tags, retain the default setting (optional) and click on Create internet gateway.

The internet gateway is now created. To allow internet access to the VPC, attach the internet gateway to the VPC: click on Attach to a VPC in the message displayed at the top, or choose Actions, then Attach to a VPC.

In the Attach to VPC view, select the created VPC (nahid-vpc) under Available VPCs. Click on Attach Internet gateway.

Note: In some cases, you will have multiple VPCs under Available VPCs if you have any already created VPCs. Ensure that you select the VPC that you created for the purpose of this lab.

Now the Internet gateway is successfully attached to the VPC for internet access.

Create Route Table

Next, we need to create route tables to route network traffic for the private and public subnets.
In your VPC dashboard, navigate to and click on Route Tables in the left pane under "Virtual Private Cloud".

To route traffic between your subnets and the Internet Gateway, you will need to create a Route Table. A Route Table contains a set of rules called routes, which are used to determine where network traffic is directed.

You will notice that a default (main) route table has been automatically created and attached to the VPC. This default route table will be used for the private subnet; you have to create a separate route table for the public subnet. To confirm this, scroll right and identify the VPC (nahid-vpc) of the route table.

NB: the VPC ID must be the same as the one you created earlier.

You can edit the tag name of the routing table of your VPC (nahid-vpc) for easy identification (nahid-private-RT). To do that, click on the edit icon under the name of the default route table. Enter a name (e.g. nahid-private-RT) for the routing table for the private subnet. Click on Save.

Now we create the route table for the public subnet. Click on Create route table at the top corner of your screen.

On the Create route table page, enter a name (e.g. nahid-public-RT). Under VPC, select the VPC (nahid-vpc) created by you from the dropdown.

Once done, click on Create route table.

We have now successfully created the route table for the public subnet. Click on Route Tables (in the left pane) to view the route tables.

Configuring public route table

To configure the public route table, select the checkbox for the public route table (nahid-public-RT) and click on the Routes tab at the bottom, then click on Edit route.

Main point → adding internet-gateway to public-subnet in route table

On the Edit routes page, click on Add route. Under Destination, enter 0.0.0.0/0 so that traffic bound for any address outside the VPC is sent to the gateway, and for Target, select Internet Gateway from the dropdown.

NB: Make sure the internet gateway ID or name (cloud-demo-igw) is the same as the internet gateway you created in the previous step.

Click on Save changes. Now the routes for the public subnet have been updated successfully.
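Two things about this route are easy to get wrong when reading the console: the 0.0.0.0/0 entry is a destination, not a source filter, and it does not override the automatic 10.0.0.0/16 local route, because AWS picks the most specific matching route. The following added example (not code from the original article) models both route tables from this walkthrough with a longest-prefix-match lookup; the internet gateway id igw-EXAMPLE is a placeholder, not a real id.

```python
import ipaddress

# Constructed route tables mirroring the walkthrough. The "local" route is
# created by AWS automatically for every route table in the VPC; the
# 0.0.0.0/0 -> internet gateway route is the one added to the public table.
# "igw-EXAMPLE" is a placeholder, not a real gateway id.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [("10.0.0.0/16", "local")]


def lookup_route(route_table, destination_ip):
    """Return the target for a destination using longest-prefix match.

    AWS route tables select the most specific matching route, so the /16
    local route always wins over 0.0.0.0/0 for addresses inside the VPC.
    Returns None when no route matches, meaning the traffic has no path.
    """
    dst = ipaddress.ip_address(destination_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def describe_reachability(route_table, destinations):
    """Map each destination address to its route target (or None)."""
    return {ip: lookup_route(route_table, ip) for ip in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: another subnet in the VPC and a public address.
    samples = ["10.0.2.10", "8.8.8.8"]
    print("public route table :", describe_reachability(PUBLIC_RT, samples))
    print("private route table:", describe_reachability(PRIVATE_RT, samples))
```

In the public table 8.8.8.8 resolves to the gateway while 10.0.2.10 still resolves to local; in the private table 8.8.8.8 has no route at all. This is the property that keeps the private instance off the internet: even if it is launched with a public IP assigned, no route to an internet gateway means no path in or out.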

Attaching the public subnet to the public route table

Click on Route Tables (in the left pane) to view the route tables. To attach a public subnet to the public route table, click on “nahid-public-RT” then scroll to the bottom and click on the Subnet associations tab, then click on Edit subnet associations.

Select the checkbox for the public subnet (nahid-public-subnet) then click on Save associations.

The public subnet has been successfully associated with the public route table.

Attaching the private subnet to the private route table

Now we repeat the same procedure for the private route table: select the checkbox for the private route table (nahid-private-RT), click on Subnet associations, then Edit subnet associations, select the checkbox for the private subnet (nahid-private-subnet) and click on Save associations.

Resource Mapping from subnets to route tables

Navigate to "Your VPCs" under the Virtual Private Cloud menu and select the checkbox of the VPC you created (nahid-vpc), scroll down, select the Resource map tab and view how the created subnets are mapped to the route tables.

NB: this visualization shows whether your subnet-to-route-table associations are correct.

Configuring Security Group and Network ACL

Security groups

Now we configure a security group to restrict inbound traffic from the internet to the VPC.

In the VPC console, navigate to Security groups under Security in the left panel. You will notice that a default security group has been created automatically. To confirm that this security group belongs to your VPC, scroll to the right and compare the VPC ID with the one you copied to your Notepad (the VPC IDs must correspond).

Or you can see your VPC ID in the VPC section. Here is my VPC ID: 0f8232d0a0c86380b.

Now click on the edit icon under Name for the security group of your VPC and enter a name (nahid-sg). Click on Save.

Once done, select the checkbox for the security group (nahid-sg). Click on the Inbound Rules tab. Then click on Edit inbound rules to configure the incoming traffic.

Click on Add rule.

Under Type, select All traffic; under Source, select My IP; this restricts all inbound traffic to your computer's current public IP only. Then click on Save rules.

To confirm your computer's public IP address, open Google Chrome and search for “My IP Address”.

You will notice that the My IP value that was filled in automatically is the same as the “My IP Address” result shown on your PC.

Now, the inbound rules have been updated for the security group.

Network ACLs

Next, click on Network ACLs in the left pane to configure the access control for the subnets.

You will notice that a default network ACL for the subnets was automatically created. Confirm if the network ACL created is attached to your VPC by corresponding it with the VPC ID you copied to your Notepad.

Now click the edit icon under Name for the network ACL of your VPC. Enter a name (nahid-ACL) under Edit name. Click on Save.

Now configure the network ACL to restrict traffic to only allow traffic from your IP (as shown in the security group configuration above).

Select the checkbox for the network ACL (nahid-ACL), then click on Inbound Rules. (Here, you can see that all traffic is allowed.) Then click on Edit inbound rules.

On the Edit inbound rules page, under Source, change 0.0.0.0/0 to your IP (your computer's public IP, e.g. 123.136.28.131), as shown above when configuring the security group. Once done, click on Save changes.

Thus, the inbound rules for the network ACL are successfully updated.
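The security group and the network ACL now carry the same restriction, but they enforce it differently: a security group is a stateful allow-list where rule order is irrelevant, while a network ACL is a stateless, numbered list evaluated lowest number first with the final "*" rule denying everything else. The following added example (not code from the original article) models both rule sets as configured in this walkthrough and evaluates sample inbound packets against them; it uses the example public IP from the page (123.136.28.131) and a constructed outside address (198.51.100.7).

```python
import ipaddress

# Constructed rule sets matching the walkthrough. MY_IP is the example public
# IP used on the page; substitute your own address.
MY_IP = "123.136.28.131"

# Security group: stateful, allow rules only. One rule: all traffic from MY_IP.
SECURITY_GROUP_INBOUND = [{"protocol": "all", "source": f"{MY_IP}/32"}]

# Network ACL: stateless, numbered rules evaluated lowest number first, first
# match wins, and the unnumbered "*" rule denies anything left over.
NETWORK_ACL_INBOUND = [
    {"rule": 100, "protocol": "all", "source": f"{MY_IP}/32", "action": "allow"},
    {"rule": "*", "protocol": "all", "source": "0.0.0.0/0", "action": "deny"},
]


def _matches(rule, src_ip, protocol):
    """True when the packet's source address and protocol fit the rule."""
    in_cidr = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["source"])
    proto_ok = rule["protocol"] in ("all", protocol)
    return in_cidr and proto_ok


def security_group_allows(rules, src_ip, protocol="tcp"):
    """Security groups are allow-lists: any matching rule permits the packet,
    otherwise it is implicitly denied. Order does not matter."""
    return any(_matches(r, src_ip, protocol) for r in rules)


def network_acl_decision(rules, src_ip, protocol="tcp"):
    """Evaluate NACL rules in ascending rule-number order; the first matching
    rule decides, and the "*" catch-all is consulted last."""
    numbered = sorted((r for r in rules if r["rule"] != "*"), key=lambda r: r["rule"])
    catch_all = [r for r in rules if r["rule"] == "*"]
    for rule in numbered + catch_all:
        if _matches(rule, src_ip, protocol):
            return rule["action"]
    return "deny"  # only reached if no "*" rule is present


def inbound_admitted(src_ip, protocol="tcp"):
    """A packet reaches the instance only if both the subnet NACL and the
    instance security group let it through."""
    return (
        network_acl_decision(NETWORK_ACL_INBOUND, src_ip, protocol) == "allow"
        and security_group_allows(SECURITY_GROUP_INBOUND, src_ip, protocol)
    )


if __name__ == "__main__":
    for src in (MY_IP, "198.51.100.7"):
        print(f"{src:>16}: NACL={network_acl_decision(NETWORK_ACL_INBOUND, src)},"
              f" SG={security_group_allows(SECURITY_GROUP_INBOUND, src)},"
              f" admitted={inbound_admitted(src)}")
```

Because rule numbers decide the outcome, a deny rule with a lower number than the allow for your IP silently blocks you too, which the `network_acl_decision` function reproduces if you insert one. Also note that the NACL is stateless: the default outbound rule that allows all traffic must stay in place for replies from the instance to leave the subnet, whereas the security group tracks connections and allows return traffic automatically.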

Creating EC2 instances in both public and private subnets

Creating EC2 Instance in Public Subnet

Navigate to the search box and type EC2.

In the EC2 Dashboard, click on Instances under Instances in the left pane and click on Launch Instances from the top right of your screen.

In the Launch an instance page, under Name and tags, enter a name (e.g. nahid-public-server) for the public EC2 instance, and for Application and OS Images (Linux), select Ubuntu.

Scroll down to Instance Type and select t2.micro, which is eligible for the free tier.

Scroll down under the “Key pair (login)” section, and click on Create new key pair.

NB: the .ppk key pair format is used for SSH connections from Windows with the PuTTY client to access your EC2 instance on the CLI (command line interface).

Scroll down to the Network Settings section and click on Edit. Under VPC, select your VPC network (e.g. nahid-vpc), or check it against your Notepad.

Under Subnet, select the public subnet (nahid-public-subnet) for the first EC2 instance. For Auto-assign Public IP, select Enable from the drop-down, then select the radio button for Select an existing security group and select the checkbox for the security group you configured for the VPC (the default security group, renamed nahid-sg).

Retain other default settings, then scroll down, and at the bottom right, click on Launch Instances. Now, we have successfully created an EC2 instance in a public subnet.

Creating EC2 Instance in Private Subnet

Now we create a new EC2 instance for the private subnet. Click on Launch instances (the process is similar to creating the EC2 instance in the public subnet).

In the Launch an instance page, under Name and tags, enter a name (nahid-private-server) for the private EC2 instance, and for Application and OS Images (Linux), select Ubuntu.

Scroll down to Instance Type and select t2.micro, which is eligible for the free tier.

Scroll down to the key pair (login) section. Under the key pair name, select the same name (vpc-key) entered by you while configuring the previous public EC2 instance key pair, as shown above.

Scroll down to the Network Settings section and click on Edit. Under VPC, select the VPC network (nahid-vpc) created by you in the previous steps. For the subnet, select the private subnet already created (nahid-private-subnet). For Auto-assign Public IP, select Enable from the drop-down, and select the radio button for Select an existing security group. Select the checkbox for the security group you configured for the VPC.

In the Configure Storage Section, retain the default settings and click on Launch instance. Now, we have successfully created an EC2 instance in a Private subnet. Navigate to instances to view the instance created.

Testing access to both instances.

First, we copy the public IP of the public instance (nahid-public-server) and ping it from the command prompt. Select the checkbox for the public instance (nahid-public-server) and copy the public IPv4 address under the Details tab.

Open your terminal -->

Type ping {"public IP address of the public instance you copied"} and press Enter to test access to the public EC2 instance. You will receive a reply, which indicates that there is public access to the instance (nahid-public-server) in the VPC.

NB: Replace {"public IP address of the public instance"} with the public IP address of your public EC2 instance.

Navigate back to your AWS console and select the checkbox for the EC2 private instance (nahid-private-server) in the private subnet. Copy the private IPv4 address.

Note: Please note that the specific IP addresses, VPC names, and other configuration details mentioned in this tutorial are examples and should be replaced with your own values when following the instructions.

By following the steps outlined in this article, you have successfully created a custom Virtual Private Cloud (VPC) on AWS. You have learned how to configure subnets, route tables, security groups, and network ACLs. Additionally, you have launched EC2 instances in both public and private subnets and verified access to them. This comprehensive guide empowers you to build a secure and customizable network infrastructure on AWS. Enjoy the benefits of a tailored VPC environment for your applications and services.

Thank you for reading this blog. If you found this blog helpful, please like, share, and follow me for more blog posts like this in the future.

— Happy Learning !!!
