Building Secure and Scalable Network Architectures with AWS VPC

Building Secure and Scalable Network Architectures with AWS VPC

ยทPavan Kalyan Meda

Learn how to design a secure multi-tier AWS VPC architecture using public and private subnets, Internet Gateway, NAT Gateway, route tables, and Application Load Balancer.

Brief Explanation of AWS VPC Networking

Building a secure and scalable Virtual Private Cloud (VPC) architecture involves configuring networking components that enable controlled communication between AWS resources and the internet.

The overall workflow consists of the following steps:

  1. Create a VPC to establish the network boundary.
  2. Create public and private subnets within the VPC.
  3. Attach an Internet Gateway (IGW) to provide internet connectivity for public resources.
  4. Configure route tables to control traffic flow.
  5. Create separate route tables for private subnets and route outbound traffic through a NAT Gateway.
  6. Deploy a web server in the public subnet and application servers in the private subnet.
  7. Configure a NAT Gateway to provide secure outbound internet access for private resources.
  8. Verify the routing configuration:
    • Public subnet traffic is routed through the Internet Gateway.
    • Private subnet traffic is routed through the NAT Gateway.

Note: The following architecture diagram illustrates the complete networking setup and is one of the most important visuals for understanding the overall VPC design.


Understanding AWS VPC Networking

Amazon Virtual Private Cloud (Amazon VPC) enables you to create a logically isolated virtual network within AWS, giving you complete control over networking, IP addressing, routing, and security. Understanding the core networking components is essential for designing secure and scalable cloud architectures.

VPC (Virtual Private Cloud)

A VPC is the top-level networking container where all AWS resources are deployed.

It provides:

  • A logically isolated virtual network
  • Custom IP address ranges (CIDR)
  • Route tables
  • Network gateways
  • Security controls

Subnets

Subnets divide a VPC into smaller network segments.

AWS supports two primary subnet types:

  • Public Subnets โ€“ Resources have direct internet connectivity through an Internet Gateway.
  • Private Subnets โ€“ Resources do not have direct internet access and typically communicate externally through a NAT Gateway.

Separating workloads into public and private subnets improves both security and network organization.


Route Tables

Route tables define how network traffic flows within the VPC.

They determine whether traffic is routed to:

  • Another subnet
  • Internet Gateway (IGW)
  • NAT Gateway
  • VPN Connection
  • Transit Gateway
  • VPC Peering Connection

Proper route table configuration ensures secure and efficient communication between resources.


Network Access Control Lists (NACLs)

Network ACLs provide subnet-level security.

They act as stateless firewalls that allow or deny inbound and outbound traffic based on configurable rules.


Security Groups

Security Groups function as virtual firewalls attached directly to AWS resources such as EC2 instances.

They:

  • Control inbound and outbound traffic
  • Operate at the instance level
  • Are stateful, automatically allowing return traffic for established connections

Internet Gateway (IGW)

An Internet Gateway enables communication between resources inside a VPC and the public internet.

Instances deployed in public subnets use the IGW to:

  • Receive inbound internet traffic
  • Send outbound internet traffic

NAT Gateway

A NAT Gateway is deployed within a public subnet to provide secure outbound internet connectivity for resources located in private subnets.

Using a NAT Gateway allows private instances to:

  • Download software updates
  • Install packages
  • Access external APIs
  • Communicate with AWS services

while preventing unsolicited inbound internet access.


CIDR (Classless Inter-Domain Routing)

CIDR defines the IP address range allocated to a VPC and its subnets.

Example:

VPC  
10.0.0.0/16

Public Subnet  
10.0.1.0/24

Private Subnet  
10.0.2.0/24  

Selecting an appropriate CIDR block is important for scalability and future network expansion.


Step-by-Step Guide: Building a Multi-Tier Architecture

A multi-tier architecture separates application components into different network layers to improve security, scalability, and maintainability.

The implementation involves the following stages:

Create the VPC Layout

  • Create a new Amazon VPC.
  • Create two public subnets.
  • Create one private subnet.
  • Attach an Internet Gateway (IGW) to the VPC.

Configure Subnets and Route Tables

  • Create dedicated route tables.
  • Associate each subnet with its corresponding route table.
  • Configure routing rules for public and private traffic.

Deploy Compute Resources

  • Launch a web server (EC2) inside the public subnet.
  • Launch an application server (EC2) inside the private subnet.

Configure the NAT Gateway

  • Deploy a NAT Gateway in a public subnet.
  • Allocate an Elastic IP.
  • Update the private route table so outbound traffic is routed through the NAT Gateway.

This architecture provides secure internet access for private resources while preventing direct inbound connections from the public internet.

Hands-On Example: Setting Up a Multi-Tier Architecture on AWS VPC

This section demonstrates how to build a secure multi-tier architecture using Amazon VPC. You'll create a VPC, configure public and private subnets, and associate them with the appropriate route tables.

Note: Most AWS Console screenshots have been omitted to keep the documentation concise and lightweight. The written steps are sufficient for following the setup.


Step 1: Set Up the VPC and Subnets

1. Sign In to the AWS Management Console

  1. Open the AWS Management Console.
  2. Sign in using your AWS account credentials.

2. Open the Amazon VPC Dashboard

  1. Search for VPC in the AWS Console search bar.
  2. Alternatively, navigate to:

Services โ†’ Networking & Content Delivery โ†’ VPC

This opens the Amazon VPC Dashboard, where you can create and manage networking resources.


3. Create a New VPC

  1. Click Create VPC.
  2. Enter a name for the VPC.

Example:

my-vpc  
  1. Specify the IPv4 CIDR block.

Example:

10.0.0.0/16  

The CIDR block defines the IP address range available for resources inside the VPC.


4. Create Public and Private Subnets

After creating the VPC:

  1. Navigate to Subnets.
  2. Click Create Subnet.
  3. Select the VPC created in the previous step.
  4. Choose an Availability Zone.
  5. Specify a subnet CIDR block.

Example configuration:

SubnetCIDR BlockType
Public Subnet 110.0.1.0/24Public
Public Subnet 210.0.2.0/24Public
Private Subnet 110.0.3.0/24Private

Repeat the process until all required subnets have been created.


5. Associate Subnets with Route Tables

Each subnet should be associated with the appropriate route table.

Private Route Table

  1. Navigate to Route Tables.
  2. Select the route table intended for the private subnet.
  3. Open the Subnet Associations tab.
  4. Click Edit Subnet Associations.
  5. Associate Private Subnet 1 with the route table.

Public Route Table

Create a separate route table for the public subnets.

Associate:

  • Public Subnet 1
  • Public Subnet 2

with the public route table.

This separation allows public and private resources to follow different routing policies, improving both security and network management.

Tip: At this stage, the subnets are created and associated with their respective route tables. Internet connectivity will be configured in the next step by attaching an Internet Gateway (IGW) and creating a NAT Gateway.

Step 2: Configure Route Tables and Internet Access

After creating the VPC and subnets, the next step is to configure internet connectivity. Public subnets require an Internet Gateway (IGW), while private subnets use a NAT Gateway for secure outbound internet access.


Configure Internet Access for the Public Subnet

Create and Attach an Internet Gateway (IGW)

  1. Open the Amazon VPC Dashboard.
  2. Navigate to Internet Gateways.
  3. Click Create Internet Gateway.
  4. Attach the Internet Gateway to your VPC.

The Internet Gateway enables resources in public subnets to communicate with the internet.


Update the Public Route Table

  1. Navigate to Route Tables.
  2. Select the route table associated with the public subnet.
  3. Add the following default route:
DestinationTarget
0.0.0.0/0Internet Gateway (IGW)

This allows instances in the public subnet to send and receive internet traffic.


Configure a NAT Gateway for Private Subnets

Private subnet resources should not have direct internet access. Instead, they access external services through a NAT Gateway deployed in a public subnet.

Create the NAT Gateway

  1. Navigate to NAT Gateways.
  2. Click Create NAT Gateway.
  3. Select one of the public subnets.
  4. Allocate an Elastic IP address.
  5. Create the NAT Gateway.

Update the Private Route Table

After the NAT Gateway is available:

  1. Open the route table associated with the private subnet.
  2. Add the following default route:
DestinationTarget
0.0.0.0/0NAT Gateway

This configuration enables private instances to download software updates, install packages, and access external services while remaining inaccessible from the public internet.


Final Network Architecture

The completed networking configuration should include:

  • Amazon VPC
  • Public Subnets
  • Private Subnet
  • Internet Gateway (IGW)
  • NAT Gateway
  • Public Route Table
  • Private Route Table

Important: Include the final VPC networking architecture diagram here, as it provides a clear overview of the complete network topology.


Step 3: Deploy the Web Server (Public Subnet)

The web server is deployed in the public subnet so that it can receive HTTP requests from the internet.


Launch an EC2 Instance

  1. Open the Amazon EC2 Dashboard.
  2. Click Launch Instance.
  3. Select an appropriate Amazon Machine Image (AMI), such as Ubuntu Server.
  4. Choose an instance type based on your workload.
  5. Configure the instance:
    • Select the VPC created earlier.
    • Choose a Public Subnet.
    • Enable Auto-assign Public IP if required.

Configure the Security Group

Create or select a Security Group with the following inbound rules:

ProtocolPortSource
SSH22Your Public IP
HTTP800.0.0.0/0

This allows administrators to connect securely via SSH while exposing the web server over HTTP.


Install the Web Server

Connect to the EC2 instance using an SSH client such as MobaXterm, PuTTY, or the native Linux/macOS terminal.

Install Nginx:

sudo apt update  
sudo apt install nginx  
sudo systemctl start nginx  
sudo systemctl enable nginx  

These commands:

  • Update the package repository.
  • Install the Nginx web server.
  • Start the Nginx service.
  • Configure Nginx to start automatically after a reboot.

Verify the Deployment

Open the EC2 instance's Public IPv4 Address or Public DNS in a web browser.

If the installation is successful, the default Nginx welcome page should be displayed.

You can now replace the default content with your own website or web application.

Note: Console screenshots for launching the EC2 instance, configuring networking, and connecting via SSH have been intentionally omitted to keep the documentation concise. The written instructions provide sufficient guidance for these straightforward steps.

Step 4: Set Up the Application Server (Private Subnet)

In a multi-tier architecture, the application server is deployed in a private subnet to improve security. Unlike the web server, it cannot be accessed directly from the internet and communicates only with trusted resources inside the VPC.


Launch an EC2 Instance in the Private Subnet

Create a second EC2 instance to host the application server.

  1. Open the Amazon EC2 Dashboard.
  2. Click Launch Instance.
  3. Select an Ubuntu Server AMI.
  4. Choose an appropriate instance type.
  5. During network configuration:
    • Select the VPC created earlier.
    • Choose Private Subnet 1.
    • Do not assign a public IP address.

This instance will host the application layer of the architecture.


Configure the Security Group

Create a dedicated Security Group for the application server.

Configure the inbound rules to allow traffic only from the web server's Security Group.

Example:

ProtocolPortSource
HTTP80Web Server Security Group

This configuration prevents direct internet access while allowing secure communication between application tiers.


Connect to the Private Instance

Since the application server is deployed in a private subnet, it cannot be accessed directly over the internet.

A common approach is to use the public EC2 instance as a bastion host (jump server).

Upload the SSH Key

After connecting to the public EC2 instance, upload the .pem key required to access the private instance.


Connect to the Private EC2 Instance

Use SSH from the bastion host to connect to the private instance.

If SSH returns a permissions error for the key file, update its permissions before reconnecting.

chmod 400 dose.pem  

Once the permissions are updated, reconnect to the private EC2 instance.


Install Apache Tomcat

The application server uses Apache Tomcat to host Java web applications.

Install Java

sudo apt update

sudo apt install adoptopenjdk-17-hotspot

java --version  

Create the Tomcat User

sudo groupadd tomcat

sudo useradd -s /bin/false \  
-g tomcat \  
-d /opt/tomcat \  
tomcat  

Download and Install Tomcat

wget https://downloads.apache.org/tomcat/tomcat-10/v10.0.18/bin/apache-tomcat-10.0.18.tar.gz -P /tmp

sudo tar xf /tmp/apache-tomcat-10.0.18.tar.gz -C /opt

sudo ln -s /opt/apache-tomcat-10.0.18 /opt/tomcat/latest

sudo chown -R tomcat: /opt/tomcat/latest/  

Configure Environment Variables

Open the shell configuration file.

nano ~/.bashrc  

Add the following variables:

export CATALINA_HOME="/opt/tomcat/latest"  
export JAVA_HOME="/usr/lib/jvm/default-java"  

Reload the shell configuration.

source ~/.bashrc  

Start Apache Tomcat

/opt/tomcat/latest/bin/startup.sh  

Once Tomcat starts successfully, the application server is ready to host Java web applications.


Step 5: Configure an Application Load Balancer (ALB)

Since the application server resides in a private subnet, it cannot receive requests directly from the internet.

An Application Load Balancer (ALB) provides secure access by routing incoming HTTP/HTTPS requests to the private EC2 instance.


Create a Target Group

A Target Group defines the backend resources that receive traffic from the load balancer.

  1. Open the Amazon EC2 Dashboard.
  2. Navigate to Target Groups.
  3. Click Create Target Group.
  4. Select Instances as the target type.
  5. Configure the target group according to your application requirements.
  6. Register the private EC2 instance running Apache Tomcat.

Create the Application Load Balancer

  1. Navigate to Load Balancers.
  2. Click Create Load Balancer.
  3. Select Application Load Balancer.
  4. Configure the following:
    • Select the VPC created earlier.
    • Choose the public subnets for the load balancer.
    • Configure HTTP or HTTPS listeners.
    • Attach the Target Group created in the previous step.

After the configuration is complete, AWS provisions the Application Load Balancer.


Verify the Deployment

Once the Application Load Balancer is active:

  1. Copy the ALB DNS name.
  2. Open the DNS name in a web browser.

The request is forwarded through the load balancer to the Apache Tomcat server running inside the private subnet.

Important: Include the final architecture diagram showing the Application Load Balancer routing traffic to the private EC2 instance. This is the only image required in this section because it clearly illustrates the complete deployment architecture.



Conclusion

Amazon Virtual Private Cloud (Amazon VPC) provides the networking foundation for building secure, scalable, and highly available applications on AWS.

In this guide, you learned how to:

  • Create a custom Amazon VPC
  • Configure public and private subnets
  • Set up Internet and NAT Gateways
  • Configure route tables for secure traffic routing
  • Deploy web and application servers across multiple network tiers
  • Install and configure Apache Tomcat
  • Secure backend resources using Security Groups
  • Expose applications through an Application Load Balancer (ALB)

By combining these AWS networking components and following a multi-tier architecture, you can build production-ready cloud environments that offer improved security, scalability, and maintainability while adhering to AWS networking best practices.

Hi! I'm ERICA. Ask me anything!