Create a Virtual Private Cloud with AWS

February 2016 ยท 4 minute read

The following is a step by step instruction set on how to build your own AWS Virtual Private Cloud with public and private subnets and a Network Address Translation server to run between them. This example assumes the reader has some knowledge of SSH/Linux, VPC, AWS and has access to an AWS account.

**Be sure to choose an region which has a minimum of 2 availability zones

1. Under VPC/your VPCs/Create VPC with the IP

2. Under Subnets, create 2x Subnets & at different availability zones

3. Create an Internet Gateway to allow internet access, all subnets are detached from the internet by default.

4. Select ‘Attach to VPC’ and attach the internet gateway to your new Virtual Private Cloud

5. Create a New Route table and add a new route with the settings a) Destination: all b) Local:‘VPC-name’

6. Edit 1 of your Subnet to access the new Route Table allowing internet traffic. This will be your public subnet.

7. Back on the dashboard, create a new EC2 instance for your public subnet

  • Use an amazon AMI, t2 micro
  • Configure to ‘VPC-name’ and your public subnet
  • Select auto-assign public IP
  • Create a new security group which allows SSH & HTTP access
  • Launch the instance and remember to download/save its key-pair value

8. Create a second EC2 instance for the second subnet with no public IP but the same security group. This subnet will remain private and inaccessible from the internet

9. open up your terminal and create a file to store your private key making it easy to access and log into the public instance of your VPC

$ nano VPCKeyPair.pem

$ chmod 600 VPCVPCKeyPair.pem

$ ssh ec2-user@IPaddress -i VPCKeyPair.pem (log in using public IP address, ie

10. Test that the public instance works by running the update command as the root user

$ sudo yum update -y

11. Create another Private Key file on the public instance (exactly the same as above, using the same key and log into it to test that it works too).

$ nano VPCKeyPair.pem

$ chmod 600 VPCKeyPair.pem

$ ssh ec2-user@ -i VPCKeyPair.pem (log in using the private IP address that you configured when creating your subnets)

You now have a Virtual Private Cloud with a public subnet which can access the internet. That public subnet also links to a second private subnet which does not have internet access. You can also test this by running the update command from your private subnet, the update won’t work because there is no internet.

Create a NAT (Network Address Translation Server) Instance for your VPC

When utilising your VPC, it is likely that you will have a use for both public and private subnets, each containing information which you may or may not want others to be able to view. Your private subnets, however, may still require internet access for some activities (ie running updates). In order to securely allow access to your private subnet, you will need to create a Network Address Translation Server. This can be done manually in a few simple steps with AWS

1. In the EC2 dashboard, Create a new Security Group which allow inbound and outbound traffic for HTTP and HTTPs

2. Launch a new EC2 NAT instance

  • Search community AMIs for a NAT ami, t1 or t2 micro instance
  • Configure the instance to be a Public Instance
  • Assign your new Security Group to the instance
  • Launch the Instance with the KeyPair from your VPC (above)

3. Assign an Elastic IP to your NAT Instance

  • allocate a new address
  • assign address to NAT VM

4. Under NAT/Actions/Networking/Change Source Destination: Disable (ensure you disable source destination checks, otherwise the internet access will NOT work).

5. Under VPC/Create New Route

  • Add another route: Target NAT, destination: (all)
  • Subnet Association: Associate Private subnet with NAT Route

8. SSH into your private instance via your public instance (as above) and run an update to test the internet access is working correctly

$ sudo yum update -y

9. If the update works you have configured your NAT instance correctly, if not go back and check to ensure that you have disabled source destination checks.