DEV Community

ODINKEMELU INNOCENT

Building Security by Design: My AWS Project Showcasing VPC, NAT Gateway, and Private Networking Mastery

INTRODUCTION
This project reflects how I combine cloud architecture principles with practical implementation to build secure, scalable environments.
In today’s cloud-driven world, security and design are not optional — they are essential. As part of my hands-on learning and practical implementation of AWS architecture, I completed a project titled “Building a Secure Web Architecture on AWS.” The aim was to design a secure, professional-grade cloud network that demonstrates how public and private resources can coexist in the same environment, safely and efficiently.

This project combines concepts of network isolation, controlled routing, and secure connectivity — principles that are fundamental to cloud security and modern infrastructure management. Every step was documented with annotated screenshots, from setup to validation.

PROJECT OVERVIEW

Objective:
To build a secure network architecture on AWS consisting of a public and a private section. The web server in the public section is accessible from the internet, while the database server in the private section has no public IP and cannot be reached from outside; it can still make outbound connections (for package updates and the like) through a NAT Gateway, which forwards traffic that originates inside the VPC but never accepts connections initiated from the internet.

Final Architecture

Phase 1: Foundation Setup - Building Your Private Network (VPC)

  1. Create a VPC (Your Private Cloud Network)
Go to: AWS Console -> VPC service -> "Your VPCs" -> "Create VPC".
[Screenshot: "Your VPCs" and "Create VPC" highlighted]

Settings:
▪ Name tag: My-Secure-VPC
▪ IPv4 CIDR block: 10.0.0.0/16 (This reserves 65,536 private IP addresses for the subnets you will carve out of the VPC.)
[Screenshot: Name tag and IPv4 CIDR fields]

Click Create.
[Screenshots: Create VPC button; VPC successfully created]

  2. Create Subnets (Your Designated Areas)
Go to: Subnets -> Create subnet.
[Screenshot: Subnets menu]

VPC ID: Select My-Secure-VPC.
[Screenshot: VPC ID dropdown with My-Secure-VPC selected]

Create Public Subnet:
▪ Subnet name: public-subnet-1
▪ Availability Zone: Pick the first one (e.g., us-east-1a).
▪ IPv4 CIDR block: 10.0.1.0/24 (This gives the subnet 256 addresses; AWS reserves the first four and the last one, so 251 are usable by instances.)
[Screenshots: public-subnet-1 name, Availability Zone and IPv4 CIDR; Create subnet; subnet successfully created]

Create Private Subnet:
▪ Click "Create subnet" again.
▪ Subnet name: private-subnet-1
▪ Availability Zone: Pick the same zone (e.g., us-east-1a).
▪ IPv4 CIDR block: 10.0.2.0/24
▪ Click Create subnet.
[Screenshots: private-subnet-1 settings; Create subnet; successfully created 1 subnet]

Note that nothing about a subnet itself makes it "public" or "private". The difference comes entirely from the route table you associate with it in Phase 2 and Phase 3.

  3. Create an Internet Gateway (Your Front Door to the Internet)

Go to: Internet Gateways -> Create internet gateway.
[Screenshot: Internet Gateways menu and Create internet gateway button]

Name tag: My-IGW
Click Create.
[Screenshot: Name tag My-IGW and Create]

Now, ATTACH it to your VPC: Select the My-IGW gateway, click Actions -> Attach to VPC. Select My-Secure-VPC and click Attach. A VPC can have only one internet gateway attached, and the gateway does nothing until a route table points at it.
[Screenshots: Internet gateway created; Actions menu; Attach to VPC with My-Secure-VPC selected; Internet gateway successfully attached]

Phase 2: Routing & Security - Controlling Traffic

  1. Create a Route Table for the Public Subnet
Go to: Route Tables -> Create route table.
[Screenshot: Route Tables menu and Create route table button]

Name: Public-Route-Table
VPC: Select My-Secure-VPC

Click Create.
[Screenshot: route table name and VPC fields]

Edit Routes: Select the new table, click the Routes tab -> Edit routes -> Add route.
[Screenshot: Public-Route-Table created; Routes tab and Edit routes]
▪ Destination: 0.0.0.0/0 (This means "any address not matched by a more specific route", i.e. all internet traffic. The local route for 10.0.0.0/16 is added automatically and keeps VPC-internal traffic inside the VPC.)
▪ Target: Select Internet Gateway and choose My-IGW.
▪ Click Save changes.
[Screenshot: Destination, Target, Add route and Save changes]

Associate with Public Subnet: Click the Subnet associations tab -> Edit subnet associations. Check the box for public-subnet-1 and click Save associations. Until you do this, the subnet still uses the VPC's main route table, which by default has only the local route and no path to the internet.
[Screenshots: Subnet associations tab; public-subnet-1 ticked and Save associations; Public-Route-Table association updated]

  2. Create a Security Group for the Web Server (The Firewall)
Go to: Security Groups -> Create security group.
[Screenshot: Security Groups menu and Create security group button]

Name: Web-Server-SG
Description: Allow HTTP and SSH
VPC: Select My-Secure-VPC
[Screenshot: security group name, description and VPC fields]

Inbound Rules:
▪ Add rule: Type: HTTP, Source: Anywhere-IPv4 (0.0.0.0/0).
▪ Add rule: Type: SSH, Source: My IP (The console fills in your computer's current public IP as a /32, so only that address can reach port 22. If your IP changes, this rule must be updated; never widen it to 0.0.0.0/0.)
[Screenshot: inbound rules with Type and Source highlighted]

Security groups are stateful, so no outbound rule is needed for the replies to these requests, and the default outbound rule (allow all) lets the server fetch packages during the user-data step later.

Click Create security group.
[Screenshots: Create security group; security group created]

Phase 3: NAT Gateway - Allowing Private Servers Outbound Internet

  1. Allocate an Elastic IP (A Static Public IP Address)
Go to: Elastic IPs -> Allocate Elastic IP address.
[Screenshot: Elastic IPs menu and Allocate Elastic IP address button]
Just click Allocate. AWS will give you a fixed public IP. This is the address the internet will see for every outbound connection from the private subnet, so it is also the address to allow-list on any external service your private servers must reach.
[Screenshots: Allocate; the allocated Elastic IP]

  2. Create the NAT Gateway
Go to: NAT Gateways -> Create NAT Gateway.
[Screenshot: NAT Gateways menu and Create NAT Gateway button]

Name: My-NAT-Gateway
Subnet: Choose public-subnet-1 (A NAT gateway must live in a subnet that routes to the internet gateway; placing it in the private subnet would leave it with no path out.)
Connectivity type: Public (the default)
Elastic IP allocation ID: Click the dropdown and select the Elastic IP you just created.
Click Create NAT Gateway. Wait for the status to change from Pending to Available. This takes a few minutes. A NAT gateway is billed per hour and per GB processed for as long as it exists, so delete it when you tear the lab down.
[Screenshots: name and subnet; Elastic IP allocation and Create NAT Gateway; NAT gateway created and Available]

  3. Create a Route Table for the Private Subnet
Go to: Route Tables -> Create route table.
[Screenshot: Route Tables menu and Create route table button]
Name: Private-Route-Table
VPC: Select My-Secure-VPC

Click Create.
[Screenshot: route table name and VPC fields]
Edit Routes: Select this new private route table, click Edit routes -> Add route.
[Screenshot: Private-Route-Table created; Routes tab and Edit routes]
▪ Destination: 0.0.0.0/0 (Send all internet-bound traffic...)
▪ Target: Select NAT Gateway and choose My-NAT-Gateway (...to our NAT Gateway).
▪ Click Save changes.
[Screenshot: Destination, Target, Add route and Save changes]

Associate with Private Subnet: Click Subnet associations -> Edit subnet associations. Check the box for private-subnet-1 and click Save associations.
[Screenshots: Subnet associations tab; private-subnet-1 ticked and Save associations; Private-Route-Table association updated]

This table is what keeps the subnet private: it has a route out (via the NAT gateway) but no route that points at My-IGW, and a NAT gateway only forwards connections that originate inside the VPC. If the private table ever gains a 0.0.0.0/0 -> My-IGW route, the isolation is gone and any instance in the subnet that has a public IP becomes directly reachable.

Phase 4: Resource Deployment - Launching Your Servers

  1. Launch the Web Server (in the Public Subnet)
Go to: EC2 -> Launch Instances.
[Screenshot: EC2 console and Launch instance button]

Name: Web-Server
[Screenshot: instance name Web-Server]

AMI: Amazon Linux 2023 (the user-data script below uses dnf, the AL2023 package manager)
[Screenshot: Amazon Linux AMI selected]
Instance type: t2.micro (Free Tier)
[Screenshot: t2.micro selected, free tier eligible]

Key pair: Create a new key pair or choose an existing one. DOWNLOAD THE .pem KEY IF NEW; AWS does not let you retrieve it later.
[Screenshot: existing key pair selected]

Network Settings:
▪ VPC: My-Secure-VPC
▪ Subnet: public-subnet-1
▪ Auto-assign Public IP: Enable
▪ Firewall (Security Groups): Select existing security group Web-Server-SG (created in Phase 2)
[Screenshot: VPC, Subnet, Auto-assign Public IP and security group fields]
Advanced details -> User data: Paste this script to install a web server on boot:
[Screenshot: Advanced details page]

```bash
#!/bin/bash
# Runs once as root on first boot (cloud-init), so no sudo is needed.
dnf update -y
dnf install -y httpd
systemctl start httpd
systemctl enable httpd
# Serve a page that names this host, so the Phase 5 test shows which server answered.
echo "Hello World from my $(hostname -f)" > /var/www/html/index.html
```

The first line must be exactly #!/bin/bash; without the leading #! cloud-init does not treat the user data as a script, nothing is installed, and the validation step will find nothing on port 80.
[Screenshot: user data pasted into Advanced details]

Click Launch Instance.
[Screenshots: Launch instance; instance launched; Web-Server running; Web-Server summary details]

  2. Launch the Database Server (in the Private Subnet)
Go to: EC2 -> Launch Instances.
[Screenshot: EC2 instance launch]

Name: DB-Server
[Screenshot: instance name DB-Server]

AMI: Amazon Linux 2023 AMI
[Screenshot: Amazon Linux selected]

Instance type: t2.micro (Free Tier)
[Screenshot: t2.micro selected, free tier eligible]

Key pair: Choose the same key pair you used for the Web Server.
[Screenshot: existing key pair selected]

Network Settings:
▪ VPC: My-Secure-VPC
▪ Subnet: private-subnet-1
▪ Auto-assign Public IP: Disable (This is key! It gets no public IP, so even the internet gateway has no address to deliver packets to.)
▪ Firewall (Security Groups): Do not reuse Web-Server-SG here. Create a separate group (for example DB-Server-SG) whose SSH rule uses Web-Server-SG as its source instead of a CIDR, and add the database port the same way later. That limits inbound traffic to the web server no matter how the addressing around it changes.
[Screenshot: VPC, private-subnet-1 and Auto-assign Public IP fields]

Click Launch Instance.
[Screenshots: Launch instance; DB-Server created; DB-Server running; DB-Server summary details]

[Screenshot: Web-Server and DB-Server both running]

Phase 5: Validation - Testing Your Setup

  1. Test Web Access
    In the EC2 console, find your Web-Server instance.
    Copy its Public IPv4 address.
    Open a browser and paste the IP address. You should see "Hello World from my ...".
    OR, use the terminal: curl http://<Web-Server public IPv4 address>
    [Screenshot: browser showing "Hello World from my ip-10-1-232.ec2.internal"]

  2. Test Private Instance Internet Access (Via NAT)
    SSH into your Web Server first (it's public). Load the key into your SSH agent and forward the agent, so the private key never has to be copied onto the web server (start the agent first with eval "$(ssh-agent -s)" if it is not already running):

```bash
ssh-add your-key.pem
ssh -A ec2-user@<Web-Server public IPv4 address>
```

    [Screenshot: Git Bash terminal with the SSH session]

From inside your Web Server, try to SSH into the private Database Server:
▪ In the EC2 console, find your DB-Server and copy its Private IPv4 address (e.g., 10.0.2.50).

▪ Run:

```bash
ssh ec2-user@<DB-Server private IPv4 address>
```

(Alternatively, skip the interactive hop and jump straight from your workstation with the agent loaded: ssh -J ec2-user@<Web-Server public IPv4 address> ec2-user@<DB-Server private IPv4 address>.) If the connection times out, check that the DB-Server's security group allows port 22 from Web-Server-SG.

Once logged into the private DB-Server, test if it can reach the internet:

```bash
curl https://checkip.amazonaws.com
```

This should RETURN THE ELASTIC IP OF YOUR NAT GATEWAY. This proves your private server is using the NAT Gateway to access the internet! If the command hangs instead, the usual causes are the private route table having no 0.0.0.0/0 route (or one pointing at My-IGW, which drops traffic from instances without a public IP) and the NAT gateway not yet being Available.
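The curl test above proves the runtime behaviour, but it does not catch the quieter mistakes (a NAT gateway dropped into the private subnet, a database security group that accepts SSH from a CIDR, a private route table that someone later pointed at the internet gateway). The following is an added example, not code from the post, that checks the same design at configuration level: it walks a dict shaped like trimmed EC2 describe-* responses and reports every deviation from the layout built in Phases 1 to 4. All IDs, addresses and the DB-Server security group (sg-db) are constructed sample data and assumptions, not values from the post.

```python
"""Offline audit of the VPC layout built in Phases 1-4 (added example, not the post's code)."""
from copy import deepcopy
from ipaddress import ip_network

# Constructed sample mirroring the post's architecture; every ID and address is made up.
SAMPLE = {
    "vpc_cidr": "10.0.0.0/16",
    "subnets": {
        "subnet-pub1": {"cidr": "10.0.1.0/24", "route_table": "rtb-public"},
        "subnet-priv1": {"cidr": "10.0.2.0/24", "route_table": "rtb-private"},
    },
    "route_tables": {
        "rtb-public": [{"dest": "10.0.0.0/16", "target": "local"},
                       {"dest": "0.0.0.0/0", "target": "igw-1"}],
        "rtb-private": [{"dest": "10.0.0.0/16", "target": "local"},
                        {"dest": "0.0.0.0/0", "target": "nat-1"}],
    },
    "nat_gateways": {"nat-1": {"subnet": "subnet-pub1"}},
    "security_groups": {
        "sg-web": {"ingress": [{"port": 80, "sources": ["0.0.0.0/0"]},
                               {"port": 22, "sources": ["203.0.113.10/32"]}]},
        # Assumed DB-Server group: SSH only from the web server's group, never from a CIDR.
        "sg-db": {"ingress": [{"port": 22, "sources": ["sg-web"]}]},
    },
    "instances": {
        "Web-Server": {"subnet": "subnet-pub1", "public_ip": "198.51.100.7", "sgs": ["sg-web"]},
        "DB-Server": {"subnet": "subnet-priv1", "public_ip": None, "sgs": ["sg-db"]},
    },
}


def is_public_subnet(cfg, subnet_id):
    """A subnet is public only if its route table sends 0.0.0.0/0 to an internet gateway."""
    routes = cfg["route_tables"][cfg["subnets"][subnet_id]["route_table"]]
    return any(r["dest"] == "0.0.0.0/0" and r["target"].startswith("igw-") for r in routes)


def default_route_target(cfg, subnet_id):
    """Target of the subnet's 0.0.0.0/0 route, or None when it has no default route."""
    routes = cfg["route_tables"][cfg["subnets"][subnet_id]["route_table"]]
    return next((r["target"] for r in routes if r["dest"] == "0.0.0.0/0"), None)


def audit(cfg):
    """Return a list of findings; an empty list means the layout matches the design."""
    findings = []
    vpc = ip_network(cfg["vpc_cidr"])
    nets = {sid: ip_network(s["cidr"]) for sid, s in cfg["subnets"].items()}
    # Subnet CIDRs must sit inside the VPC block and must not overlap each other.
    for sid, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{sid} ({net}) is outside the VPC CIDR {vpc}")
        for other, onet in nets.items():
            if sid < other and net.overlaps(onet):
                findings.append(f"{sid} ({net}) overlaps {other} ({onet})")
    # A NAT gateway in a subnet without an IGW route has no path to the internet.
    for nat_id, nat in cfg["nat_gateways"].items():
        if not is_public_subnet(cfg, nat["subnet"]):
            findings.append(f"{nat_id} is in {nat['subnet']}, which has no internet gateway route")
    # Private instances: no public IP, outbound only via NAT, SSH only from a security group.
    for name, inst in cfg["instances"].items():
        if is_public_subnet(cfg, inst["subnet"]):
            continue
        if inst["public_ip"]:
            findings.append(f"{name} is in private subnet {inst['subnet']} but has public IP {inst['public_ip']}")
        target = default_route_target(cfg, inst["subnet"])
        if target is None:
            findings.append(f"{name}: {inst['subnet']} has no default route, so updates will fail")
        elif not target.startswith("nat-"):
            findings.append(f"{name}: {inst['subnet']} default route targets {target}, not a NAT gateway")
        for sg_id in inst["sgs"]:
            for rule in cfg["security_groups"][sg_id]["ingress"]:
                cidrs = [s for s in rule["sources"] if not s.startswith("sg-")]
                if rule["port"] == 22 and cidrs:
                    findings.append(f"{name}: {sg_id} allows SSH from {cidrs}; use the web server's group as source")
    # Nothing, public or private, may expose SSH to the whole internet.
    for sg_id, sg in cfg["security_groups"].items():
        for rule in sg["ingress"]:
            if rule["port"] == 22 and "0.0.0.0/0" in rule["sources"]:
                findings.append(f"{sg_id} exposes SSH to 0.0.0.0/0")
    return findings


# A deliberately broken copy: DB-Server given a public IP and world-open SSH.
BROKEN = deepcopy(SAMPLE)
BROKEN["instances"]["DB-Server"]["public_ip"] = "198.51.100.9"
BROKEN["security_groups"]["sg-db"]["ingress"][0]["sources"] = ["0.0.0.0/0"]

if __name__ == "__main__":
    print("intended layout:", audit(SAMPLE) or "no findings")
    for f in audit(BROKEN):
        print("broken layout:", f)
```

Against the intended layout the audit returns no findings; against the broken copy it reports the public IP on DB-Server and the world-open SSH rule twice (once for the private instance, once for the group itself). In a real account the dict would be filled from the output of aws ec2 describe-subnets, describe-route-tables, describe-nat-gateways, describe-security-groups and describe-instances; mapping those responses onto this shape is left to the reader. Note that public-ness is derived from the route table, never from the subnet's name, which is exactly the mistake the audit is meant to surface.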

Conclusion :
You have successfully built a secure, professional-grade network
architecture on AWS. Your web server is publicly accessible, but your database is securely
hidden in a private network, yet can still download updates.
