
Understanding and Configuring Layered Security in an AWS VPC

Lab Details

  1. This lab walks you through the steps to configure multi-layered security in an AWS VPC and to launch 2 EC2 instances (one in a public subnet and another in a private subnet).

  2. You will practice it using Amazon VPC and Amazon EC2.

  3. Duration: 1 Hour

  4. AWS Region: US East (N. Virginia) us-east-1


Amazon Virtual Private Cloud

  • Amazon VPC lets us launch AWS resources in an isolated virtual network that we define ourselves, giving a more private and secure environment.

  • This isolation lets us raise the security level of the AWS resources placed in the VPC.

  • The AWS resources can be protected using multi-layered VPC security, which includes security groups and Network Access Control Lists (NACLs).

  • A VPC security group provides security at the instance level: it acts like a firewall for the instance and controls both its inbound and outbound traffic.

  • A VPC NACL provides security at the network level, i.e. the subnet level: it acts like a firewall for the associated subnets and controls their inbound and outbound traffic.

Architecture Diagram

Task Details

  1. In this lab, we are going to configure multi-layered VPC security and launch 2 AWS EC2 instances.

  2. Create a VPC with your custom CIDR block IP range.

  3. Create 2 subnets, one for public and one for private resources. AWS resources in the public subnet will have access to the internet, while AWS resources in the private subnet will be protected and isolated from the internet.

  4. Create an Internet gateway and attach it to the VPC. This is needed for the resources to connect to the external world.

  5. Create 2 route tables (one for public routing and one for private), add the routes, and associate the subnets accordingly.

  6. Launch 2 AWS EC2 instances (one in the public subnet and one in the private subnet).

  7. SSH into the public EC2 instance and use the ping command to try to reach the private IP of the private EC2 instance.

  8. Verify the response of the ping command to know whether the instance is reachable from the internet.
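As an added example (not part of the lab's own material), the following Python model evaluates the two security layers the lab configures for the step-7 ping: the ICMP echo from the public instance to the private instance's private IP must pass the stateful security groups and the stateless NACLs, and the reply must pass the NACLs again in the other direction. The CIDR ranges, addresses and rule sets are constructed for illustration; ports are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    protocol: str       # "icmp", "tcp", "udp" or "all" (ports omitted for brevity)
    cidr: str           # peer address range the rule matches
    allow: bool = True  # NACLs have deny rules; security groups only allow
    number: int = 100   # NACL rule number; the lowest matching rule wins

def _matches(rule, protocol, peer_ip):
    return rule.protocol in ("all", protocol) and ip_address(peer_ip) in ip_network(rule.cidr)

def nacl_permits(rules, protocol, peer_ip):
    """Stateless NACL: first matching rule by number decides; no match hits the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, peer_ip):
            return rule.allow
    return False

def sg_permits(rules, protocol, peer_ip):
    """Stateful security group: any matching rule permits; there is no deny rule."""
    return any(_matches(rule, protocol, peer_ip) for rule in rules)

def ping_succeeds(src, dst):
    """ICMP echo src->dst and its reply; src/dst dicts carry ip, sg_in, sg_out, nacl_in, nacl_out."""
    request = (sg_permits(src["sg_out"], "icmp", dst["ip"])
               and nacl_permits(src["nacl_out"], "icmp", dst["ip"])
               and nacl_permits(dst["nacl_in"], "icmp", src["ip"])
               and sg_permits(dst["sg_in"], "icmp", src["ip"]))
    # Security groups track connections, so the echo reply only has to pass
    # the two stateless NACLs again (private subnet outbound, public subnet inbound).
    reply = (nacl_permits(dst["nacl_out"], "icmp", src["ip"])
             and nacl_permits(src["nacl_in"], "icmp", dst["ip"]))
    return request and reply

# Constructed lab-like addressing: VPC 10.0.0.0/16, public 10.0.1.0/24, private 10.0.2.0/24.
ALLOW_ALL = [Rule("all", "0.0.0.0/0")]
PUBLIC = {"ip": "10.0.1.10", "sg_in": [Rule("tcp", "0.0.0.0/0")], "sg_out": ALLOW_ALL,
          "nacl_in": ALLOW_ALL, "nacl_out": ALLOW_ALL}
PRIVATE = {"ip": "10.0.2.10", "sg_in": [Rule("icmp", "10.0.1.0/24")], "sg_out": ALLOW_ALL,
           "nacl_in": ALLOW_ALL, "nacl_out": ALLOW_ALL}
# Same private instance, but its subnet NACL denies outbound ICMP ahead of the allow-all rule.
LOCKED_PRIVATE = dict(PRIVATE, nacl_out=[Rule("icmp", "0.0.0.0/0", allow=False, number=90)] + ALLOW_ALL)

if __name__ == "__main__":
    print("ping with permissive NACLs:", ping_succeeds(PUBLIC, PRIVATE))                  # True
    print("ping with NACL denying outbound ICMP:", ping_succeeds(PUBLIC, LOCKED_PRIVATE))  # False
```

The second case shows why a failed step-8 ping is not always a security group problem: the request reaches the private instance, but the stateless NACL drops the echo reply on its way back.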