How to create a VPC with Public and Private Subnets (NAT Gateway and Bastion Host)

Nehemiah Cheburet — Wed, 14 Jan 2026 19:56:52 +0000

In the world of cloud computing, "default" settings are often the enemy of security. When you launch your first resource on AWS, it’s tempting to put everything in a public subnet for the sake of simplicity. However, in a production environment, exposing your application servers or databases directly to the internet is like leaving your front door wide open in a crowded city.

The gold standard for cloud networking is the Virtual Private Cloud (VPC) configured with a "Public-Private" split.

By isolating your sensitive resources in a private subnet, you ensure they are invisible to the public web. But this raises two critical questions:

How do your private servers get out? (e.g., for software updates or API calls).

How do you get in? (e.g., for maintenance or troubleshooting).

The answer lies in two essential components: the NAT Gateway and the Bastion Host.

In this guide, we will walk through the end-to-end process of building a secure, professional-grade network architecture. We’ll cover everything from CIDR blocks and route tables to configuring the "Jump Box" that keeps your environment both accessible and airtight.

Whether you are preparing for the AWS Solutions Architect exam or building a secure home for your next big project, this walkthrough will give you the foundational knowledge you need to deploy with confidence.

**Defining the VPC
**In the AWS Console, when you head to VPC > Your VPCs > Create VPC, you generally have two choices: "VPC only" or "VPC and more." For this guide, let's focus on VPC only to understand the manual configuration of each component.

DEV Community: Nehemiah Cheburet

How to create a VPC with Public and Private Subnets (NAT Gateway and Bastion Host)