Introduction
Ever wondered how companies protect their sensitive data while keeping their applications accessible? The secret lies in secure network architecture!
I just built a professional-grade secure web infrastructure on AWS using VPCs, public/private subnets, and NAT Gateways. In this comprehensive guide, I'll show you exactly how to create your own secure environment where your web server is publicly accessible while your database remains completely hidden yet functional.
Follow along and add this crucial cloud skill to your portfolio!
Phase 1: Foundation Setup - Building Your Private Network (VPC)
Step 1: Create a VPC (Your Private Cloud Network)
Caption: "Starting with the foundation! Creating our Virtual Private Cloud (VPC) - think of it as building our own private data center within AWS. The CIDR block 10.0.0.0/16 gives us over 65,000 private IP addresses to work with!"
Steps:
Go to AWS Console → VPC service → "Your VPCs" → "Create VPC"
Name tag: My-Secure-VPC
IPv4 CIDR block: 10.0.0.0/16
Click Create
Step 2: Create Subnets (Your Designated Areas)
Caption: "Now we're zoning our digital property! Creating both public and private subnets. The public subnet will host our web server (the front door), while the private subnet will hide our database (the secure vault)."
Steps:
Go to Subnets → Create subnet
VPC ID: Select My-Secure-VPC
Create Public Subnet:
Subnet name: public-subnet-1
Availability Zone: us-east-1a
IPv4 CIDR block: 10.0.1.0/24
Create Private Subnet:
Subnet name: private-subnet-1
Availability Zone: us-east-1a
IPv4 CIDR block: 10.0.2.0/24
Step 3: Create an Internet Gateway
Caption: "Building the front door to the internet! The Internet Gateway allows our public subnet to communicate with the outside world while maintaining security."
Steps:
Go to Internet Gateways → Create internet gateway
Name tag: My-IGW
Click Create
Attach to VPC: Select My-IGW → Actions → Attach to VPC → Select My-Secure-VPC
Phase 2: Routing & Security - Controlling Traffic
Step 4: Create Route Table for Public Subnet
Caption: "Setting up the traffic rules! This route table tells our public subnet how to reach the internet through our Internet Gateway."
Steps:
Go to Route Tables → Create route table
Name: Public-Route-Table
VPC: Select My-Secure-VPC
Edit Routes → Add route:
Destination: 0.0.0.0/0
Target: Select Internet Gateway → My-IGW
Subnet associations → Associate with public-subnet-1
Step 5: Create Security Group for Web Server
Caption: "Building our digital firewall! This security group controls exactly what traffic can reach our web server - HTTP from anywhere, SSH only from my IP."
Steps:
Go to Security Groups → Create security group
Name: Web-Server-SG
Description: Allow HTTP and SSH
VPC: Select My-Secure-VPC
Inbound Rules:
Add HTTP (Port 80) from 0.0.0.0/0
Add SSH (Port 22) from My IP
Phase 3: NAT Gateway - Private Server Internet Access
Step 6: Allocate Elastic IP
Caption: "Reserving a static public IP address! This Elastic IP will be used by our NAT Gateway to provide internet access to our private subnet."
Steps:
Go to Elastic IPs → Allocate Elastic IP address
Click Allocate
Step 7: Create NAT Gateway
Caption: "The magic door! The NAT Gateway allows our private database to access the internet for updates while preventing anyone from accessing it directly."
Steps:
Go to NAT Gateways → Create NAT Gateway
Name: My-NAT-Gateway
Subnet: Choose public-subnet-1
Elastic IP: Select the allocated IP
Click Create (Wait for status: Available)
Step 8: Create Private Route Table
Caption: "Creating secret passageways! This route table directs private subnet traffic through our NAT Gateway, enabling controlled internet access."
Steps:
Go to Route Tables → Create route table
Name: Private-Route-Table
VPC: Select My-Secure-VPC
Edit Routes → Add route:
Destination: 0.0.0.0/0
Target: Select NAT Gateway → My-NAT-Gateway
Associate with private-subnet-1
Phase 4: Resource Deployment - Launching Servers
Step 9: Launch Web Server (Public Subnet)
Caption: "Deploying our front-line soldier! This web server lives in the public subnet with a public IP, ready to serve web traffic to the world."
Steps:
Go to EC2 → Launch Instances
Name: Web-Server
AMI: Amazon Linux
Instance type: t2.micro
Key pair: Create/download new key
Network Settings:
VPC: My-Secure-VPC
Subnet: public-subnet-1
Auto-assign Public IP: Enable
Security group: Web-Server-SG
Advanced details → User data:
```bash
#!/bin/bash
# Runs as root on first boot: install Apache, start it, and publish a test page
sudo dnf update -y
sudo dnf install -y httpd
sudo systemctl start httpd
sudo systemctl enable httpd
echo "Hello World from my $(hostname -f)" > /var/www/html/index.html
```
Step 10: Launch Database Server (Private Subnet)
Caption: "Deploying our secret treasure! This database server lives in the private subnet with NO public IP - completely hidden from direct internet access."
Steps:
Go to EC2 → Launch Instances
Name: DB-Server
AMI: Amazon Linux
Instance type: t2.micro
Key pair: Use same key as web server
Network Settings:
VPC: My-Secure-VPC
Subnet: private-subnet-1
Auto-assign Public IP: Disable
Phase 5: Validation - Testing the Setup
Step 11: Test Web Access
Caption: "The moment of truth! Our web server is live and serving content to the world through its public IP address. 🌐"
Test:
```bash
curl http://<WEB-SERVER-PUBLIC-IP>
```
Should show: "Hello World from my ..."
Step 12: Test Private Internet Access via NAT
Caption: "The magic works! Our private database can access the internet through the NAT Gateway (see the public IP!), but remains completely hidden from incoming connections."
Test:
SSH into Web Server:
```bash
ssh -i "your-key.pem" ec2-user@<WEB-SERVER-PUBLIC-IP>
```
SSH into Database Server from there:
```bash
ssh -i "your-key.pem" ec2-user@<DB-SERVER-PRIVATE-IP>
```
Test internet access:
```bash
curl https://checkip.amazonaws.com
```
Returns NAT Gateway's public IP!
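Steps 11 and 12 prove connectivity by hand; the script below is an added check (not part of the original post) that verifies the routing property behind Step 10's "completely hidden" claim. It classifies each subnet by where its 0.0.0.0/0 route points (Internet Gateway, NAT Gateway, or nowhere), falls back to the VPC's main route table for subnets with no explicit association, and flags any instance that sits in the wrong kind of subnet or carries a public IP outside a public subnet. Input shapes follow the JSON returned by `aws ec2 describe-route-tables` and `aws ec2 describe-instances`; all IDs and addresses are constructed samples.

```python
# Added example, not from the original post. Input shapes follow `aws ec2
# describe-route-tables` / `describe-instances`; IDs and addresses are constructed.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [  # Public-Route-Table, Private-Route-Table, and the VPC's main table
    {"Associations": [{"SubnetId": "subnet-pub1"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-priv1"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"Associations": [{"Main": True}], "Routes": [LOCAL]},
]
INSTANCES = [  # 203.0.113.0/24 is a documentation address range
    {"InstanceId": "i-web", "SubnetId": "subnet-pub1", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-db", "SubnetId": "subnet-priv1"},
]
EXPECTED = {"i-web": "public", "i-db": "private"}  # the walkthrough's design intent

def default_route_target(route_table):
    # 'igw', 'nat' or None depending on where the 0.0.0.0/0 route points
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if route.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if route.get("NatGatewayId", "").startswith("nat-"):
                return "nat"
    return None

def classify_subnets(route_tables, subnet_ids):
    """subnet id -> 'public' (IGW default route), 'private' (NAT) or 'isolated'.
    Subnets with no explicit association inherit the VPC's main route table."""
    main_target, explicit = None, {}
    for rt in route_tables:
        target = default_route_target(rt)
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_target = target
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = target
    label = {"igw": "public", "nat": "private", None: "isolated"}
    return {sid: label[explicit.get(sid, main_target)] for sid in subnet_ids}

def find_violations(route_tables, instances, expected):
    """Instances in the wrong kind of subnet, or with a public IP outside a public one."""
    kind = classify_subnets(route_tables, {i["SubnetId"] for i in instances})
    problems = []
    for inst in instances:
        iid, k = inst["InstanceId"], kind[inst["SubnetId"]]
        if expected.get(iid, k) != k:
            problems.append(f"{iid}: in a {k} subnet, expected {expected[iid]}")
        if k != "public" and inst.get("PublicIpAddress"):
            problems.append(f"{iid}: public IP assigned in a {k} subnet")
    return problems
```

Feed it the live account's describe-* output after Step 10; routing is only half the picture, so the DB-Server's security group still has to restrict inbound traffic to what the web server needs.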
Conclusion: You Did It!
Caption: "Mission accomplished! We've built a professional, secure AWS architecture that would make any cloud engineer proud. This isn't just theory - it's a practical, portfolio-worthy skill!"
What We Achieved:
✅ Built a secure Virtual Private Cloud (VPC)
✅ Created isolated public and private subnets
✅ Implemented proper routing with Internet Gateway
✅ Added security through strategic Security Groups
✅ Enabled private internet access via NAT Gateway
✅ Deployed both web and database servers securely
✅ Validated the entire setup works perfectly
Your Next Challenge:
Now that you've mastered this, try adding:
An Application Load Balancer in front of the web server
Auto Scaling for your web instances
An RDS database instead of EC2 for the database
AWS WAF for additional security
Did you try this lab? Share your experience in the comments below! What part was most challenging? What would you like to build next?
Follow me for more hands-on cloud and DevOps tutorials like this one. Remember to like and share if you found this helpful!