In this laboratory, we going to create a VPC from scratch, one private sub-network and one public sub-network.

Let analyze a simple user case, we need to have a web server application with back-end database.

We going to need a VPC, two subnetworks one public for the web facing application and a private network for the database, we also need a IGW (Internet Gateway) for the public network and a NAT gateway for the private network, for installing, upgrading or patching.


  • AWS Account
  • Linux Basic command knowledge


  1. Go to VPC in you AWS management Console

2. Go to Your VPC's

3. Click on Create VPC

4. Give it a name, and a CIDR block, I'm going to use, if you want to know more about CIDR (Classless Inter-Domain Routing) you can check the wikipedia page here

Click on create VPC

You will get all the information of the VPC

5. Now lets create the sub-networks, first create the private subnetwork, this network will be for the database in the user case, click on "Subnets"

and click on create subnet

Select the VPC ID of the VPC you just created

Give a name to the subnet and select the Availability Zone

Click on the Add new subnet to add another subnet, this time we going to add the public subnet.

Add the new subnet, give it a name, put a different AZ, a CIDR Block different than the private subnet inside the VPC.

And click on Create subnet

In the subnets page, click on the public Subnet ID

Click on "Actions" and select "Modify auto-assign IP settings"

Enable auto-assign public IPv4 address checkbox and save.

6. Create a IGW go to Internet Gateways

7. Click on Create internet gateway

8. Give it a name and create the intenet gateway

9. In the next screen click on Actions and "Attach to VPC"

Select the VPC we created and click on Attach iternet gateway

10. Create the NAT Gateway, firs we going to need an EIP, go to EC2

Go to Elastic IPs

Click on Allocate Elastic IP address

Click on Allocate

Go to VPC

Click on NAT Gateways

And Create NAT Gateway

Give it a name, select the public sub-network (the NAT Gateway needs to be on a public sub-network and front there it will serve to the private network, and finally select the Elastic IP we create earlier.

11. Now lets connect the routes, from the VPC Service go to Route Tables

Click on create route table

Give it a name and select the VPC you created

Select the Route table and go to the tab Routes

Click on Edit Routes, and click on add route

On Destination put and Target put NAT Gateway and select the nat gateway we created.

Save the routes.

Repeat the process this time we going to create a new route table for the public subnetwork

We select the route and in the Route tab we edit the routes.

We add again a new route, but this time we going to add the internet Gateway

Save the route and now, we need to tell the subnets what route to use.

Go to VPC

Click on Subnets

Select the public subnet, and in the tab of "Route table", click on Edit route table association

Select the public subnet we created and save the changes

Now we do the same thing, with the private sub-network, but this time we associate the network with the private route.

Save the changes and that's it! you have a public and private sub-networks

In the public network you can launch instances, if the security group and the NACL permit incoming access you will have both incoming and outgoing access.

In the private network you can establish outgoing connections to internet to update and install packages, but the NAT gateway will deny all incoming traffic from outside.

As they are in the same VPC the private and public network see and communicate with each other.

So let's try it.

13. Testing, lets launch two instances, one in the public sub-network and other in the private sub-network to test the connectivity.

Go to EC2 service

Go to instances

And click on Launch instance

Select the Amazon Linux 2 AMI 64-bits

Select the t2.micro and click on Next: Configure Instance Details

In the next page, select 1 instance, select the VPC we create, and in the subnet select the public subnet, from here, instead of next, click on "Review and Launch"

In the next page review the information and click on Launch.

Create a new key pair, give it a name and Download the Key Pair, and then launch the instance.

Go to View Instances and launch another instance, this time put it in the private subnetwork, and chose the same key pair.

Go to view instances again, and wait until the status of bouth is running.

Put a name in the instances, you can identify the instances with who have the public IP

Ok, now lets test the connectivity, as the private instance does not have external connection, we cannot connect via SSH directly so we need to use the public instance, first copy the pem file to the public instance

Select the public instance ID and copy the IPv4 address

Change the permissions to the pem file

chmod 400 private-public.pem
Use your own ip and pem file name

Copy the pem file to your public instance

scp -i private-public.pem private-public.pem ec2-user@
Use your own ip and pem file name

Connect to your public instance

ssh -i "private-public.pem" ec2-user@

In your AWS Management Console, in EC2 instance, click on the Instance ID of the private instance and copy the private IP

Go to the location of the pem file and connect to the private instance

sudo su -
cd /tmp
chmod 400 private-public.pem

Connect to the private instance

ssh -i "private-public.pem" ec2-user@

Make some ping to and see if you have connectivity to internet.

PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=100 time=21.0 ms
64 bytes from ( icmp_seq=2 ttl=100 time=21.1 ms
64 bytes from ( icmp_seq=3 ttl=100 time=21.0 ms
64 bytes from ( icmp_seq=4 ttl=100 time=20.8 ms
64 bytes from ( icmp_seq=5 ttl=100 time=20.7 ms
64 bytes from ( icmp_seq=6 ttl=100 time=20.8 ms
64 bytes from ( icmp_seq=7 ttl=100 time=20.9 ms
64 bytes from ( icmp_seq=8 ttl=100 time=21.0 ms
--- ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7010ms
rtt min/avg/max/mdev = 20.792/20.954/21.190/0.215 ms

Great! you have your public and private sub-networks!

In the next post we going to go deeper into AWS and they services.


  1. From EC2 instances, select and Terminate the instances

2. From VPC, NAT Gateways, select and delete the NAT gateway, wait until the status is "deleted"

3. From VPC, Elastic IP, Release the Elastic IP address

4. From VPC, Internet Gateway detach from the VPC

Then select and delete the Internet Gateway

5. From the VPC, Subnets, delete the private and public subnets

6. From VPC, select the VPC we create for the lab and click on Actions and then Delete VPC