
Build Amazon VPC with Public and Private Subnets (from Scratch)


  1. Learn how to build Public and Private subnets from scratch.

  2. The VPC wizard will not be used. Every component required to build public and private subnets will be created and configured manually.

  3. This will give an in-depth understanding of internal components of VPCs and subnets.

Lab Details

  1. This lab walks you through AWS Virtual Private Cloud (VPC) creation from scratch.

  2. In this lab, we will create a VPC without using the VPC Wizard. We will create our own public and private subnets, and we will also configure route tables.

  3. Duration: 30 minutes

  4. AWS Region: US East (N. Virginia) us-east-1


What is VPC?

  • VPC stands for Virtual Private Cloud.

  • It’s a custom-defined virtual network within the AWS Cloud.

  • Users can create their own logically isolated network, designing and implementing a separate and independent network that operates in the AWS Cloud.

  • Primary components are: Subnets, IP addresses, NAT devices (Instances & Gateways), Route Tables, Internet & Virtual Private Gateways, Access Control Lists, Security Groups, and VPC Endpoints.

  • A subnet is a segment of the VPC IP address range, where we can launch EC2 Instances, RDS, and other AWS resources.

  • Subnets are further classified as Public and Private.

  • Public subnets hold resources that can be accessed from the Internet.

  • Common attributes for instances in Public Subnets to have are:

      • An Elastic IP (EIP) address or Public IP address attached to the EC2 instance.

      • An IGW attached to the VPC.

      • The subnet must have a route table entry with the internet gateway (IGW) as the target for Internet-bound traffic.

      • Security groups and NACLs should not block remote access.

  • Public subnets are associated with a route table that directs subnet traffic to the internet using an Internet Gateway.

  • Private subnets hold resources that can be accessed from within the VPC network.

  • Multiple subnets can be associated with a single route table. However, a single subnet cannot be associated with multiple route tables.

  • Route tables hold sets of rules, called routes, that are used to determine where traffic is directed.

  • Every subnet in a VPC is linked to exactly one route table.

  • Primary or Main route tables are the ones that automatically come with your VPC. They control the routing for all subnets that are not explicitly associated with any other route table.

  • This main (default) route table cannot be deleted.

  • Custom route tables are the ones you create for your VPC, and you can add routes as needed.

  • Custom route tables can be deleted when not required.

  • Internet Gateway (IGW) is a virtual router which helps a VPC connect to the Internet.

  • By default, instances that are launched in a VPC cannot communicate with the Internet. To enable Internet access, an Internet gateway needs to be attached to the VPC.

  • Public subnets are connected to the IGW through their route tables so that they can be reached over the Internet.

  • Internet Gateways are horizontally scalable, highly available and redundant.

  • An Elastic IP (EIP) address is a static IPv4 address designed for dynamic cloud computing.

  • It is associated with an AWS Account, and you can use it to mask an instance failure, i.e., if a server fails, we can remap this IP address to another server and keep moving without any issues.

  • A NAT device can be either an Instance or a Gateway residing in a Public subnet, to which an EIP is assigned.

  • NAT devices help instances in Private subnets initiate connections to the Internet without being reachable from it.

  • A network Access Control List (ACL, or NACL) is an optional layer of security that acts as a stateless firewall for controlling network traffic in and out of a subnet.

  • Rules are defined in the ACL to allow or deny network traffic based on protocol, ports, and source or destination IP address ranges.

Basic Understanding before we start building VPC from scratch

  • When you create an Amazon AWS VPC, you specify a set of IP addresses in the form of a Classless Inter-Domain Routing (CIDR) block (Ex:

  • You can assign a single CIDR block to a VPC. The allowed block size is between a /28 netmask and /16 netmask. In other words, the VPC can contain from 16 to 65,536 IP addresses.
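Before clicking through the console, it helps to plan the address space on paper. The following Python script is an added example (not part of the lab material, and it does not call AWS): it enforces the /16 to /28 VPC block size rule quoted above with the standard library's ipaddress module, then carves the requested number of public and private subnets out of the VPC block so that they never overlap. The sample VPC CIDR 10.0.0.0/16 and the /24 subnet size are assumptions chosen for illustration; the "5 reserved addresses per subnet" figure is AWS's documented reservation (network, router, DNS, future use, broadcast).

```python
import ipaddress

# AWS constraint stated in the lab text: a VPC IPv4 CIDR block is between /16 and /28.
VPC_MIN_PREFIX = 16
VPC_MAX_PREFIX = 28
# A subnet may not be smaller than /28 either.
SUBNET_MAX_PREFIX = 28
# AWS reserves the first four and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Parse a VPC CIDR block and enforce the /16-/28 size limit.

    strict=True rejects blocks with host bits set (e.g. 10.0.0.1/16),
    which the console would also reject.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 CIDR blocks are handled here")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(
            f"{cidr}: VPC netmask must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}"
        )
    return net


def plan_subnets(vpc_cidr: str, subnet_prefix: int, public: int, private: int) -> dict:
    """Carve `public` + `private` non-overlapping subnets of size /subnet_prefix
    from the VPC block, handing out the lowest ranges first.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    if subnet_prefix < vpc.prefixlen or subnet_prefix > SUBNET_MAX_PREFIX:
        raise ValueError(
            f"subnet prefix /{subnet_prefix} must lie within /{vpc.prefixlen} "
            f"and /{SUBNET_MAX_PREFIX}"
        )
    # subnets() enumerates every aligned, non-overlapping child block.
    candidates = list(vpc.subnets(new_prefix=subnet_prefix))
    needed = public + private
    if len(candidates) < needed:
        raise ValueError(
            f"{vpc_cidr} only holds {len(candidates)} /{subnet_prefix} subnets, need {needed}"
        )
    chosen = candidates[:needed]
    return {
        "vpc": str(vpc),
        "vpc_addresses": vpc.num_addresses,
        "usable_per_subnet": chosen[0].num_addresses - RESERVED_PER_SUBNET,
        "public": [str(s) for s in chosen[:public]],
        "private": [str(s) for s in chosen[public:]],
    }


if __name__ == "__main__":
    # Assumed lab values: one public and one private /24 inside 10.0.0.0/16.
    plan = plan_subnets("10.0.0.0/16", subnet_prefix=24, public=1, private=1)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Because the carved ranges come straight from the validated VPC block, the script fails early on the two mistakes the console also rejects: a VPC block outside /16–/28, and a subnet that does not fit inside the VPC's range.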

Architecture Diagram

Task Details

  1. Log into AWS Management Console.

  2. Create a VPC without using the VPC Wizard.

  3. Create an Internet Gateway.

  4. Create private and public subnets for the VPC.

  5. Create and Configure Route tables.

  6. Validation of the lab.
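The validation step is worth automating, because the property that makes a subnet "public" is not a label but the effective route table: the one explicitly associated with the subnet, or the main route table when there is none. The following Python script is an added example, not part of the lab material: it runs offline over a constructed snapshot whose keys loosely mirror the AWS CLI's describe-subnets / describe-route-tables / describe-internet-gateways output (the resource IDs such as vpc-0example and igw-0example are placeholders, and Associations is simplified to a list of subnet IDs). It resolves each subnet's effective route table, classifies it as public or private by whether that table sends 0.0.0.0/0 to an attached IGW, and reports the findings a reviewer would want: a subnet that is public only because the main route table carries an internet route, a route pointing at an IGW that is not attached to the VPC, and the illegal case of a subnet associated with more than one route table.

```python
# Constructed snapshot of the lab's components (placeholder IDs, simplified shape).
# rtb-main deliberately carries an internet route so that subnet-orphan, which
# has no explicit association, inherits it: the classic accidental-public subnet.
SNAPSHOT = {
    "VpcId": "vpc-0example",
    "InternetGateways": [
        {"InternetGatewayId": "igw-0example", "Attachments": [{"VpcId": "vpc-0example"}]},
        {"InternetGatewayId": "igw-0detached", "Attachments": []},
    ],
    "Subnets": [
        {"SubnetId": "subnet-pub", "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-priv", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-orphan", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
    ],
    "RouteTables": [
        {"RouteTableId": "rtb-main", "Main": True, "Associations": [],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
        {"RouteTableId": "rtb-public", "Main": False, "Associations": ["subnet-pub"],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
        {"RouteTableId": "rtb-private", "Main": False, "Associations": ["subnet-priv"],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    ],
}


def attached_igws(snapshot: dict) -> set:
    """IGW IDs that are actually attached to this VPC."""
    return {
        igw["InternetGatewayId"]
        for igw in snapshot["InternetGateways"]
        if any(a["VpcId"] == snapshot["VpcId"] for a in igw["Attachments"])
    }


def effective_route_table(subnet_id: str, route_tables: list) -> tuple:
    """Return (route_table, explicit). A subnet may have at most one explicit
    association; otherwise it falls back to the main route table.
    """
    explicit = [rt for rt in route_tables if subnet_id in rt["Associations"]]
    if len(explicit) > 1:
        raise ValueError(f"{subnet_id} is associated with {len(explicit)} route tables")
    if explicit:
        return explicit[0], True
    main = next(rt for rt in route_tables if rt["Main"])
    return main, False


def is_internet_route(route: dict, attached: set) -> bool:
    """A default route whose target is an IGW attached to the VPC."""
    gw = route.get("GatewayId", "")
    return route["DestinationCidrBlock"] == "0.0.0.0/0" and gw.startswith("igw-") and gw in attached


def classify_subnets(snapshot: dict) -> dict:
    """Map each subnet ID to its effective route table, public/private verdict and findings."""
    attached = attached_igws(snapshot)
    report = {}
    for sn in snapshot["Subnets"]:
        rt, explicit = effective_route_table(sn["SubnetId"], snapshot["RouteTables"])
        public = any(is_internet_route(r, attached) for r in rt["Routes"])
        findings = []
        if public and not explicit:
            findings.append("public only because the main route table has an internet route")
        if not public and sn["MapPublicIpOnLaunch"]:
            findings.append("auto-assigns public IPs but has no route to an attached IGW")
        for r in rt["Routes"]:
            gw = r.get("GatewayId", "")
            if gw.startswith("igw-") and gw not in attached:
                findings.append(f"route to {gw}, which is not attached to the VPC")
        report[sn["SubnetId"]] = {
            "route_table": rt["RouteTableId"],
            "public": public,
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for subnet_id, info in classify_subnets(SNAPSHOT).items():
        kind = "PUBLIC " if info["public"] else "private"
        print(f"{subnet_id:14} {kind} via {info['route_table']:12} {info['findings']}")
```

In a real account the snapshot would be assembled from the describe-* calls; the classification logic stays the same, and the expected lab outcome is exactly one public subnet, one private subnet, and no findings.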