Brief Explanation of AWS VPC Networking
Building a secure and scalable Virtual Private Cloud (VPC) architecture involves configuring networking components that enable controlled communication between AWS resources and the internet.
The overall workflow consists of the following steps:
- Create a VPC to establish the network boundary.
- Create public and private subnets within the VPC.
- Attach an Internet Gateway (IGW) to provide internet connectivity for public resources.
- Configure route tables to control traffic flow.
- Create separate route tables for private subnets and route outbound traffic through a NAT Gateway.
- Deploy a web server in the public subnet and application servers in the private subnet.
- Configure a NAT Gateway to provide secure outbound internet access for private resources.
- Verify the routing configuration:
- Public subnet traffic is routed through the Internet Gateway.
- Private subnet traffic is routed through the NAT Gateway.
Note: The following architecture diagram illustrates the complete networking setup and is one of the most important visuals for understanding the overall VPC design.
Understanding AWS VPC Networking
Amazon Virtual Private Cloud (Amazon VPC) enables you to create a logically isolated virtual network within AWS, giving you complete control over networking, IP addressing, routing, and security. Understanding the core networking components is essential for designing secure and scalable cloud architectures.
VPC (Virtual Private Cloud)
A VPC is the top-level networking container where all AWS resources are deployed.
It provides:
- A logically isolated virtual network
- Custom IP address ranges (CIDR)
- Route tables
- Network gateways
- Security controls
Subnets
Subnets divide a VPC into smaller network segments.
AWS supports two primary subnet types:
- Public Subnets โ Resources have direct internet connectivity through an Internet Gateway.
- Private Subnets โ Resources do not have direct internet access and typically communicate externally through a NAT Gateway.
Separating workloads into public and private subnets improves both security and network organization.
Route Tables
Route tables define how network traffic flows within the VPC.
They determine whether traffic is routed to:
- Another subnet
- Internet Gateway (IGW)
- NAT Gateway
- VPN Connection
- Transit Gateway
- VPC Peering Connection
Proper route table configuration ensures secure and efficient communication between resources.
Network Access Control Lists (NACLs)
Network ACLs provide subnet-level security.
They act as stateless firewalls that allow or deny inbound and outbound traffic based on configurable rules.
Security Groups
Security Groups function as virtual firewalls attached directly to AWS resources such as EC2 instances.
They:
- Control inbound and outbound traffic
- Operate at the instance level
- Are stateful, automatically allowing return traffic for established connections
Internet Gateway (IGW)
An Internet Gateway enables communication between resources inside a VPC and the public internet.
Instances deployed in public subnets use the IGW to:
- Receive inbound internet traffic
- Send outbound internet traffic
NAT Gateway
A NAT Gateway is deployed within a public subnet to provide secure outbound internet connectivity for resources located in private subnets.
Using a NAT Gateway allows private instances to:
- Download software updates
- Install packages
- Access external APIs
- Communicate with AWS services
while preventing unsolicited inbound internet access.
CIDR (Classless Inter-Domain Routing)
CIDR defines the IP address range allocated to a VPC and its subnets.
Example:
VPC
10.0.0.0/16
Public Subnet
10.0.1.0/24
Private Subnet
10.0.2.0/24
Selecting an appropriate CIDR block is important for scalability and future network expansion.
Step-by-Step Guide: Building a Multi-Tier Architecture
A multi-tier architecture separates application components into different network layers to improve security, scalability, and maintainability.
The implementation involves the following stages:
Create the VPC Layout
- Create a new Amazon VPC.
- Create two public subnets.
- Create one private subnet.
- Attach an Internet Gateway (IGW) to the VPC.
Configure Subnets and Route Tables
- Create dedicated route tables.
- Associate each subnet with its corresponding route table.
- Configure routing rules for public and private traffic.
Deploy Compute Resources
- Launch a web server (EC2) inside the public subnet.
- Launch an application server (EC2) inside the private subnet.
Configure the NAT Gateway
- Deploy a NAT Gateway in a public subnet.
- Allocate an Elastic IP.
- Update the private route table so outbound traffic is routed through the NAT Gateway.
This architecture provides secure internet access for private resources while preventing direct inbound connections from the public internet.
Hands-On Example: Setting Up a Multi-Tier Architecture on AWS VPC
This section demonstrates how to build a secure multi-tier architecture using Amazon VPC. You'll create a VPC, configure public and private subnets, and associate them with the appropriate route tables.
Note: Most AWS Console screenshots have been omitted to keep the documentation concise and lightweight. The written steps are sufficient for following the setup.
Step 1: Set Up the VPC and Subnets
1. Sign In to the AWS Management Console
- Open the AWS Management Console.
- Sign in using your AWS account credentials.
2. Open the Amazon VPC Dashboard
- Search for VPC in the AWS Console search bar.
- Alternatively, navigate to:
Services โ Networking & Content Delivery โ VPC
This opens the Amazon VPC Dashboard, where you can create and manage networking resources.
3. Create a New VPC
- Click Create VPC.
- Enter a name for the VPC.
Example:
my-vpc
- Specify the IPv4 CIDR block.
Example:
10.0.0.0/16
The CIDR block defines the IP address range available for resources inside the VPC.
4. Create Public and Private Subnets
After creating the VPC:
- Navigate to Subnets.
- Click Create Subnet.
- Select the VPC created in the previous step.
- Choose an Availability Zone.
- Specify a subnet CIDR block.
Example configuration:
| Subnet | CIDR Block | Type |
|---|---|---|
| Public Subnet 1 | 10.0.1.0/24 | Public |
| Public Subnet 2 | 10.0.2.0/24 | Public |
| Private Subnet 1 | 10.0.3.0/24 | Private |
Repeat the process until all required subnets have been created.
5. Associate Subnets with Route Tables
Each subnet should be associated with the appropriate route table.
Private Route Table
- Navigate to Route Tables.
- Select the route table intended for the private subnet.
- Open the Subnet Associations tab.
- Click Edit Subnet Associations.
- Associate Private Subnet 1 with the route table.
Public Route Table
Create a separate route table for the public subnets.
Associate:
- Public Subnet 1
- Public Subnet 2
with the public route table.
This separation allows public and private resources to follow different routing policies, improving both security and network management.
Tip: At this stage, the subnets are created and associated with their respective route tables. Internet connectivity will be configured in the next step by attaching an Internet Gateway (IGW) and creating a NAT Gateway.
Step 2: Configure Route Tables and Internet Access
After creating the VPC and subnets, the next step is to configure internet connectivity. Public subnets require an Internet Gateway (IGW), while private subnets use a NAT Gateway for secure outbound internet access.
Configure Internet Access for the Public Subnet
Create and Attach an Internet Gateway (IGW)
- Open the Amazon VPC Dashboard.
- Navigate to Internet Gateways.
- Click Create Internet Gateway.
- Attach the Internet Gateway to your VPC.
The Internet Gateway enables resources in public subnets to communicate with the internet.
Update the Public Route Table
- Navigate to Route Tables.
- Select the route table associated with the public subnet.
- Add the following default route:
| Destination | Target |
|---|---|
0.0.0.0/0 | Internet Gateway (IGW) |
This allows instances in the public subnet to send and receive internet traffic.
Configure a NAT Gateway for Private Subnets
Private subnet resources should not have direct internet access. Instead, they access external services through a NAT Gateway deployed in a public subnet.
Create the NAT Gateway
- Navigate to NAT Gateways.
- Click Create NAT Gateway.
- Select one of the public subnets.
- Allocate an Elastic IP address.
- Create the NAT Gateway.
Update the Private Route Table
After the NAT Gateway is available:
- Open the route table associated with the private subnet.
- Add the following default route:
| Destination | Target |
|---|---|
0.0.0.0/0 | NAT Gateway |
This configuration enables private instances to download software updates, install packages, and access external services while remaining inaccessible from the public internet.
Final Network Architecture
The completed networking configuration should include:
- Amazon VPC
- Public Subnets
- Private Subnet
- Internet Gateway (IGW)
- NAT Gateway
- Public Route Table
- Private Route Table
Important: Include the final VPC networking architecture diagram here, as it provides a clear overview of the complete network topology.
Step 3: Deploy the Web Server (Public Subnet)
The web server is deployed in the public subnet so that it can receive HTTP requests from the internet.
Launch an EC2 Instance
- Open the Amazon EC2 Dashboard.
- Click Launch Instance.
- Select an appropriate Amazon Machine Image (AMI), such as Ubuntu Server.
- Choose an instance type based on your workload.
- Configure the instance:
- Select the VPC created earlier.
- Choose a Public Subnet.
- Enable Auto-assign Public IP if required.
Configure the Security Group
Create or select a Security Group with the following inbound rules:
| Protocol | Port | Source |
|---|---|---|
| SSH | 22 | Your Public IP |
| HTTP | 80 | 0.0.0.0/0 |
This allows administrators to connect securely via SSH while exposing the web server over HTTP.
Install the Web Server
Connect to the EC2 instance using an SSH client such as MobaXterm, PuTTY, or the native Linux/macOS terminal.
Install Nginx:
sudo apt update
sudo apt install nginx
sudo systemctl start nginx
sudo systemctl enable nginx
These commands:
- Update the package repository.
- Install the Nginx web server.
- Start the Nginx service.
- Configure Nginx to start automatically after a reboot.
Verify the Deployment
Open the EC2 instance's Public IPv4 Address or Public DNS in a web browser.
If the installation is successful, the default Nginx welcome page should be displayed.
You can now replace the default content with your own website or web application.
Note: Console screenshots for launching the EC2 instance, configuring networking, and connecting via SSH have been intentionally omitted to keep the documentation concise. The written instructions provide sufficient guidance for these straightforward steps.
Step 4: Set Up the Application Server (Private Subnet)
In a multi-tier architecture, the application server is deployed in a private subnet to improve security. Unlike the web server, it cannot be accessed directly from the internet and communicates only with trusted resources inside the VPC.
Launch an EC2 Instance in the Private Subnet
Create a second EC2 instance to host the application server.
- Open the Amazon EC2 Dashboard.
- Click Launch Instance.
- Select an Ubuntu Server AMI.
- Choose an appropriate instance type.
- During network configuration:
- Select the VPC created earlier.
- Choose Private Subnet 1.
- Do not assign a public IP address.
This instance will host the application layer of the architecture.
Configure the Security Group
Create a dedicated Security Group for the application server.
Configure the inbound rules to allow traffic only from the web server's Security Group.
Example:
| Protocol | Port | Source |
|---|---|---|
| HTTP | 80 | Web Server Security Group |
This configuration prevents direct internet access while allowing secure communication between application tiers.
Connect to the Private Instance
Since the application server is deployed in a private subnet, it cannot be accessed directly over the internet.
A common approach is to use the public EC2 instance as a bastion host (jump server).
Upload the SSH Key
After connecting to the public EC2 instance, upload the .pem key required to access the private instance.
Connect to the Private EC2 Instance
Use SSH from the bastion host to connect to the private instance.
If SSH returns a permissions error for the key file, update its permissions before reconnecting.
chmod 400 dose.pem
Once the permissions are updated, reconnect to the private EC2 instance.
Install Apache Tomcat
The application server uses Apache Tomcat to host Java web applications.
Install Java
sudo apt update
sudo apt install adoptopenjdk-17-hotspot
java --version
Create the Tomcat User
sudo groupadd tomcat
sudo useradd -s /bin/false \
-g tomcat \
-d /opt/tomcat \
tomcat
Download and Install Tomcat
wget https://downloads.apache.org/tomcat/tomcat-10/v10.0.18/bin/apache-tomcat-10.0.18.tar.gz -P /tmp
sudo tar xf /tmp/apache-tomcat-10.0.18.tar.gz -C /opt
sudo ln -s /opt/apache-tomcat-10.0.18 /opt/tomcat/latest
sudo chown -R tomcat: /opt/tomcat/latest/
Configure Environment Variables
Open the shell configuration file.
nano ~/.bashrc
Add the following variables:
export CATALINA_HOME="/opt/tomcat/latest"
export JAVA_HOME="/usr/lib/jvm/default-java"
Reload the shell configuration.
source ~/.bashrc
Start Apache Tomcat
/opt/tomcat/latest/bin/startup.sh
Once Tomcat starts successfully, the application server is ready to host Java web applications.
Step 5: Configure an Application Load Balancer (ALB)
Since the application server resides in a private subnet, it cannot receive requests directly from the internet.
An Application Load Balancer (ALB) provides secure access by routing incoming HTTP/HTTPS requests to the private EC2 instance.
Create a Target Group
A Target Group defines the backend resources that receive traffic from the load balancer.
- Open the Amazon EC2 Dashboard.
- Navigate to Target Groups.
- Click Create Target Group.
- Select Instances as the target type.
- Configure the target group according to your application requirements.
- Register the private EC2 instance running Apache Tomcat.
Create the Application Load Balancer
- Navigate to Load Balancers.
- Click Create Load Balancer.
- Select Application Load Balancer.
- Configure the following:
- Select the VPC created earlier.
- Choose the public subnets for the load balancer.
- Configure HTTP or HTTPS listeners.
- Attach the Target Group created in the previous step.
After the configuration is complete, AWS provisions the Application Load Balancer.
Verify the Deployment
Once the Application Load Balancer is active:
- Copy the ALB DNS name.
- Open the DNS name in a web browser.
The request is forwarded through the load balancer to the Apache Tomcat server running inside the private subnet.
Important: Include the final architecture diagram showing the Application Load Balancer routing traffic to the private EC2 instance. This is the only image required in this section because it clearly illustrates the complete deployment architecture.
Conclusion
Amazon Virtual Private Cloud (Amazon VPC) provides the networking foundation for building secure, scalable, and highly available applications on AWS.
In this guide, you learned how to:
- Create a custom Amazon VPC
- Configure public and private subnets
- Set up Internet and NAT Gateways
- Configure route tables for secure traffic routing
- Deploy web and application servers across multiple network tiers
- Install and configure Apache Tomcat
- Secure backend resources using Security Groups
- Expose applications through an Application Load Balancer (ALB)
By combining these AWS networking components and following a multi-tier architecture, you can build production-ready cloud environments that offer improved security, scalability, and maintainability while adhering to AWS networking best practices.