Tech Junkie Blog - Real World Tutorials, Happy Coding!: Iaas With AWS: VPC With Public And Private Subnets

Wednesday, August 25, 2021

Iaas With AWS: VPC With Public And Private Subnets

 In most scenarios you don't want to expose all of your servers to be public facing.  You probably want to configure your network so that only the server that is hosting your web application is public facing.  What you want to do is put your web application on the public subnet and your backend servers on the private subnet.  This private subnet can access the internet through a NAT gateway for software updates and other functions that require internet access.  However, the outside world cannot establish a connection to servers in the private subnet.  The NAT gateway resides in the public subnet, acting as a bridge between the public subnet and private subnet.

Each subnet has it's own routing table, the private subnet has a route to the NAT gateway.  While the public subnet has a route to the Internet gateway.  The Internet gateway in turn has a connection to the internet.  Therefore, there's no way for the internet to establish a connection with the private subnet directly, but the private subnet can establish an internet connection with the NAT gateway.  It's a one way connection.  Only the instances on the public subnet can connect to the instances in the private subnet through port forwarding.

In this post we are going to setup a public subnet, private subnet, and NAT gateway that resides in our VPC.  What we are about to configure is comparable to a traditional network infrastructure that would probably take a whole team to accomplish, that's the power of the cloud.

When you create your AWS account a lot of things were created for you by default such a default VPC, subnets and route table.  Most of these are the assets that were in the public subnet diagram.

What we want to do is create some of the public assets that were not created by default and create our private subnet.

The first thing we want to do is create a routing table for our private subnet

As you can see a public routing table has already been created, we want to create a routing table for the private subnet.  So click on the "Create route table" button.

Give the routing table a name and select the default VPC, then click on the "Create" button

A new routing table is created without any subnet assigned to it yet.

The following are the subnet IP range that's created by default, basically one for every AZ in the VPC.
Looking at the third octet or third . we can see that number goes up by 16 and the biggest number is .80 so the next number will be .96, then .112 and so on.  If you don't want to do the math you can go the this site and calculate the subnet IP address.

Now that we an figure out what the next subnet IP range is, it's time to create our private subnets.  
Click on "Subnets", then click on "Create subnet"
Give your subnet a name, assign it the default VPC, choose an AZ and fill in the IPv4 CIDR, from the subnets that's already created we know that the next IP range would be click "Create"

Now you want to go back the private routing table that you've created and associate this subnet with it, go to the "Subnets" page and click on the "Subnet Associations" tab and click on "Edit subnet associations"

Assign the private subnet and click "Save"

Now we want to create two instances one in the public subnet and the other one in the private subnet.
I am not going to show you the directions to create an instance, if you don't kn ow how to just follow the directions on this post.  There's just one setting that you need for this work, in the initial configuration page there's an option to choose your subnet, make sure one of your instance is in the public subnet and the other one is in the private subnet.

Also in the security group setting make sure that it has SSH access

On the launch screen make sure you assign the same key pair value

You can tell which instance is on the public subnet by looking at the public IP address because only the instances on the public subnet will have a public IP address.

Once we have the two instances, one public and one private we want to connect our public instance to our private instance using SSH. You can follow this post if you don't know how to. The first thing we have to turn on the SSH Agent with this command. SSH Agent is repository of identity keys that we would need to store our instance key pair in the private subnet.  To turn on the SSH Agent type the command eval `ssh-agent', then change the key pair file's permission with the command sudo chmod 400 keypairfile
Add the keypair file with the command ssh-add keypairfile

Now we are ready to connect to the instance in our private subnet using SSH Agent Forwarding with this command ssh -A ec2-user@

Now we can finally connect to the instance in the private subnet with it's private IP address, with the command ssh ec2-user@ obviously the IP address should be your own private subnet instance IP address


  1. We offer you a selection of unique and professionally embroidered and printed handcrafted wedding accessories at affordable prices.

  2. Additionally, yearly reports of the web facilitating organizations, which are public, are a decent source to decide the quality and execution of the web facilitating organization being referred to.

  3. Great Post Thanx 4 Sharing


Search This Blog