In this Hands-On Lab we will create a multi-subnet highly-available VPC and subnet structure for private application servers. We’ll configure a bastion host so that remote administrative staff can securely connect into the VPC and manage the private instances. Since these instances will require outbound access for security patches and updates, we will create and configure NAT Gateway to allow it.
Our task is to create the VPC with public and private route tables. The VPC’s CIDR, 192.168.0.0/24, has been subnetted. Our new CIDR /26 allows for a maximum of four subnets. We will create two public and two private subnets.
Then we will create the NACL and Security Group rules to support the bastion host, private instances, and NAT Gateway. Once that’s done, we’ll validate the connectivity for our bastion host by creating an SSH tunnel through it to our private instance. Once we’re in, we will verify that our private instance can connect to the internet.
There is a lot to do in this Hands-On lab, so let’s get started.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create the VPC skeleton
Create a VPC with four subnets.
- Create the Internet Gateway, then a public and a private route table
Create an Internet Gateway and attach it to the VPC. Create a public route table with a default route to the internet gateway and create a private route table.
- Configure the bastion host
Create the NACLs and Security Group configuration for the bastion host.
Set up the bastion host Amazon EC2 instance and verify connectivity using SSH.
- Create an Amazon EC2 instance in the private subnet
Create the NACLs and Security Group configuration necessary to support SSH connectivity between the bastion host and an Amazon EC2 instance in the private subnet.
Create an instance in the private subnet and verify SSH connectivity from the bastion host.
- Set up the NAT Gateway and validate connectivity
Create the NACLs required for the NAT Gateway Subnet.
Create the NAT Gateway, and set it as the target for the default route in the private route table.
Verify connectivity to the Internet from the private EC2 instance.