01-VPC — AWS Private/Public Subnet Architecture

Nsowah Alexander — Fri, 03 Apr 2026 23:19:29 +0000

In this article, I'll walk through how I set up an AWS VPC with a public and private subnet, deployed two EC2 instances, and configured Nginx as a reverse proxy. This is part of my hands-on cloud learning journey. If you're just getting started with AWS networking, this is for you.

Prerequisites

You need to have an AWS account to be able to create the infrastructure
A basic understanding of networking

VPC Deployment

A Virtual Private Cloud provides a logical, isolated virtual network that you define, where you can launch resources that you want. It closely resembles a traditional network you set up or operate in your own data center.

Setting up VPC

Logged in to my AWS and navigated to the VPC section to create a VPC
To create the VPC, I chose VPC only, gave a dummy name, and specified the IPV4 CIDR as 10.0.0.0/16. Click Create to create the VPC

IPV4 CIDR is the address range to be used by the VPC and should be private. I chose 10.0.0.0/16, with /16 as the netmask.

To be able to access the resources in the VPC, you need a subnet placed in an HA zone

Setting up a Subnet

A subnet is a smaller network within a larger network. I created two subnets, a public and a private.

Click Subnets on the VPC window to create a subnet
To create subnets for the VPC, I selected the VPC I just made (vpc-spec-01)
Gave it a name (public), chose us-east-1a as the availability zone
10.0.1.0/24 as the IPV4 CIDR to give me 256 IPs to use

for the private subnet

I used a different availability zone, us-east-1b
to spice things up, I used 10.0.2.0/24 as the IPV4 CIDR.

After creating the subnets, I created an EC2 instance in the public subnet so that I could SSH into it.
To create the EC2 instance.

I navigated to the EC2 service window
I clicked on Create and gave the instance a name.
For the Application and OS images, I chose Ubuntu and a free-tier eligible AMI

Instance type is also free-tier eligible. created a key pair to securely SSH into the instance
In the network settings section, here is where you configure the VPC, subnets, and ports to access the instance.
. Choose the VPC made earlier.
. Select the public subnet in the VPC and select Enable on Auto-assign IP.
. Select Create security groups
. for the inbound security rules, SSH and HTTP to listen on port 80(nginx)
. Launch the EC2

Now, to SSH into the EC2, locate where the key is saved, and git bash there
Run these commands to connect

chmod 400 "key.pem"
ssh -i "key55.pem" ubuntu@instanceIP

Ja, we can't connect to the EC2 because the VPC does not allow any connection from outside. We need to add an internet gateway to achieve this.
steps involve

Create an internet gateway
Attach the internet gateway to the VPC.
Create a route table for the gateway
attach the route table to the public subnet After creating the route table, you need to edit the route to attach the internet gateway created

Move to the public subnet, select the route table, edit the route table association, and select the route table created

Now SSH back into the instance and run the following:

sudo apt update
sudo apt install nginx # to install nginx

Before the creation of the private EC2, I copied the key into the public EC2 for secure SSH
scp -i key.pem key.pem ec2-user@<public-ec2-ip>:~/.ssh/

Setting up the Private EC2

Just like building the public EC2, I maintained everything except the following:

Disabled auto-assign public ip
Selected the private subnet
Added Custom TCP on port 8080 to the inbound security rules

The private EC2 is only accessible in the public EC2. To access the private EC2, SSH into the public, change directory to .ssh, and SSH from there.
Once in the private EC2, I updated the OS and opened Vim to make a simple HTML page to serve up from the public EC2.

<html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Document</title> </head> <body> <h1>ich bin poloand</h1> </body> </html>
I served up this HTML file with Python, which ran in the background.
nohup python3 -m http.server 8080 &exit from the private EC2 to the public.

Once in the public EC2, I changed the nginx config file to serve up the python server from the private EC2

sudo vim /etc/nginx/nginx.conf # move the conf to make changes

user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
}

http {
        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/access.log;
        gzip on;
        include /etc/nginx/conf.d/*.conf;

        server {
                listen 80;                         
                server_name _;
                location / {
                        proxy_pass http://privateIP:8080; 
                }
        }
}

sudo nginx -T # for conf linting
sudo systemctl restart nginx #to restart the service.
Now open the browser to see the HTML page served up

Mistakes I encountered

HTML file was not executable
Security group blocking port 8080
No key pair that resulted in a failed SSH into the private EC2.
Missing semicolons in nginx.conf

Conclusion

This project has taught me more about VPCs, subnets, IPv4s, compute, etc. Some of the lessons i got from this project are

Security groups are everything about security
Always create a key pair
Always ls -l to see permissions on a file.
Read config carefully

Next up more projects on VPC

DEV Community: Nsowah Alexander