🌐📶AWS VPC: A Beginner's Guide - Part 2

Introduction:

In my last blog, I shared how to launch an EC2 instance inside a public subnet in a custom AWS VPC.

But what if we want more security — like running our application or database servers in a private subnet, isolated from the internet?

That’s where things like Private Subnets, NAT Gateways, and Bastion Hosts come in.

In this blog, We’ll Learn:

• Setting up a private subnet in our existing VPC
• Creating a NAT Gateway for internet access (outbound only)
• Using a Bastion Host (jump server) to SSH into the private EC2
• Let’s build a secure network architecture!

Recap: Components We Need..!

| Component                  | Description                                      |
| -------------------------- | ------------------------------------------------ |
| VPC                        | our existing Virtual Private Cloud              |
| Public Subnet              | Already created for Bastion Host                 |
| Private Subnet             | New subnet with no direct internet access        |
| Internet Gateway (IGW)**   | Already attached to VPC                          |
| NAT Gateway                | Needed for outbound internet from private subnet |
| Route Tables               | One for public, one for private subnet           |
| Bastion Host               | Public EC2 to connect securely to private EC2    |

Step-by-Step Setup

1. Use the Existing VPC
We’ve already created a VPC (e.g., 10.0.0.0/16), continue using it.

2. Create a Private Subnet

• Go to Subnets > Create Subnet

Choose:

• VPC: my-custom-vpc
• Name: private-subnet
• CIDR block: 10.0.2.0/24
• Availability Zone: Same as NAT Gateway
• Do NOT enable auto-assign public IP

3. Create a NAT Gateway

• Go to NAT Gateway > Create

Choose:

• Subnet: Our Public Subnet
• Elastic IP: Allocate a new one
• Name it: my-nat-gateway
• Click Create NAT Gateway
• NAT Gateway must be in a public subnet because it needs internet access via IGW.

4. Create a Private Route Table

• Go to Route Tables > Create Route Table
• Name: private-route-table
• VPC: my-custom-vpc
• Add Route:
• Destination: 0.0.0.0/0
• Target: NAT Gateway
• Go to Subnet Associations
• Select our private-subnet
• Now, private subnet has outbound internet access only.

5. Launch EC2 in Private Subnet

• Go to EC2 > Launch Instance

Choose:

• Name: private-ec2
• Amazon Linux 2
• Subnet: private-subnet
• Auto-assign Public IP: Disabled
• Key Pair: Choose existing
• Security Group:

• Allow SSH from Bastion Host’s internal IP or SG

• EC2 in private subnet won’t be accessible directly from our local machine.

6. Use Existing Public EC2 as Bastion Host to Access Private EC2

• Connect to the Private EC2 (2-Hop SSH):

# Step 1: SSH into our public EC2 (Bastion Host)
ssh -i your-key.pem ec2-user@<Public-IP-of-Bastion>

# Step 2: From inside the Bastion EC2, SSH into the private EC2
ssh -i your-key.pem ec2-user@<Private-IP-of-Private-EC2>

8. Test Internet Connectivity

ping google.com

If it replies, then our NAT Gateway is working properly.

Points to Remember:

• Private subnets increase security by not exposing EC2 to the internet directly
• NAT Gateway allows outbound-only access (like updates, package installs)
• Bastion Host is required to SSH into private EC2 (jump server setup)
• CIDR blocks must remain within the VPC range (e.g., 10.0.0.0/16)

Thanks for Reading!

If you’re just getting started with AWS, this guide should help you take that first confident step into cloud networking.

Happy cloud building!🙌