LAB: Create a Custom VPC & test reachability between EC2 via Internet GW and NAT GW.

Posted on Mar 29, 2022


Refer to the topology below to configure the custom VPC.


  • Create a custom VPC DCLESSONS-VPC-01 with CIDR
  • Create the public subnet Dclessons-pub-east2a with subnet CIDR in AZ us-east-2a
  • Create the private subnet Dclessons-pri-east2b with subnet CIDR in AZ us-east-2b
  • Create the public subnet route table Dclessons-pub-RT and network ACL Dclessons-NACL
  • Create the private subnet route table Dclessons-pri-RT and network ACL Dclessons-NACL
  • Create the IGW Dclessons-INT-GW01 and attach it to VPC DCLESSONS-VPC-01
  • Update the public route table Dclessons-pub-RT with a default route whose target is the IGW
  • Create a new security group Dclessons-SG-01 that allows all inbound and outbound traffic
  • Launch EC2 instance Dclessons-pub-EC2 in the public subnet, create an EIP and associate it with the instance
  • SSH to Dclessons-Pub-EC2 and check traffic via Reachability Analyzer
  • Create the NAT gateway Dclessons-NAT-GW, allocate an EIP and associate it with the gateway
  • Update the private subnet route table and add a default route pointing to the NAT GW
  • Launch an EC2 instance in the private subnet and SSH to it from Dclessons-pub-EC2 for testing



Create VPC:

To create a custom VPC, log in to the AWS Management Console, open VPC under AWS Services and select the region US East (Ohio), where the VPC will be created.

On the left side, select Your VPCs; in the right-hand work area you will see that one VPC, the default VPC, already exists (every region has one).

Under the Subnets, Route Tables, Internet Gateways, Network ACLs and Security Groups sections you can also observe that a default route table, default internet gateway, default NACL and default SG supporting the default VPC are already present.

On the right-hand side of the VPC work area, click Create VPC.

Under VPC settings, provide VPC name: DCLESSONS-VPC-01 | IPv4 CIDR: | Tenancy: Default | Tags: Name: Value: DCLESSONS-VPC-01 | Create VPC.

Once the VPC is created, you can see its details: DCLESSONS-VPC-01 (vpc-0dc9830877f791943). Note that a DHCP option set is also defined. The DHCP option set defines the domain name and DNS server; it can also define the NTP server.

In the Route Tables section you can see one route table, the main RT, which we have renamed to DCLESSONS-MAIN-VPC01-RT. In the details section you can see that there is no explicit subnet association with this RT.

In the same RT, click the Routes tab, where you can see that the VPC CIDR is already present with Target: local and status Active. This route provides intra-VPC communication: it ensures that all EC2 instances within the VPC have IP reachability to each other.

In the figure below you can also see that there are three default subnets for the default VPC in this region, one in each Availability Zone. These default subnets also have the default RT and default NACL associated with them.

Create Subnets:

Here we have to create two subnets: one public subnet for internet access and one private subnet whose EC2 instance will reach the internet via the NAT gateway.

Go to the Subnets section on the left-hand side of the VPC work area. Under Subnet settings | VPC ID: DCLESSONS-VPC-01 | Subnet name: Dclessons-pub-east2a | AZ: us-east-2a | IPv4 CIDR block: | Tag: Name: Value: Dclessons-Pub-east2a | Click Create.

Now you can see that the public subnet has been created, belongs to DCLESSONS-VPC-01, and has been associated with DCLESSONS-MAIN-VPC01-RT and one NACL.

Likewise, create the private subnet with the details shown in the figure below.

Create Route Tables:

On the left-hand side of the VPC work area | select Route Tables | click Create route table. Here you can see that there is already one default RT named DCLESSONS-MAIN-VPC01-RT, with no subnet associated with it, as shown in the figure below.

Here we will create two RTs, one for the public subnet and one for the private subnet created previously. Provide the input below.

Name: Dclessons-Pub-RT | Associate it with DCLESSONS-VPC-01 | Tag: Name: Value: Dclessons-Pub-RT | Create route table

Once the route table is created, you can see its details: Dclessons-Pub-RT: rtb-0a01d56e3dfccc495. It already has one route with target local.

Now click Subnet associations | Edit subnet associations, as shown in the figure.

Select the public subnet and click Save.

Now you can see that Dclessons-Pub-RT has the public subnet associated with it, and one subnet (the private one) has no explicit association.

Likewise, create one route table for the private subnet and associate it with that subnet, as shown in the figure below.

Create NACL:

Go to your VPC Section | Left Side of your Work plane | Click Network ACLs under Security Section

Here you can see that one NACL for VPC DCLESSONS-VPC-01 has already been created by default. We have renamed it to Dclessons-NACL. Both the public and the private subnet will be protected by this NACL only.

By default this NACL allows all traffic to and from the subnets. Go to the Outbound rules section and observe that all traffic is allowed by this NACL.

Now select the NACL Dclessons-NACL | Subnet associations | here you can see that both subnets have been associated with this NACL.

Create IGW:

In this section we need an internet gateway to give the EC2 instances internet access. The IGW performs data-plane encapsulation and decapsulation and performs IP address translation. We must also allocate an Elastic (public) IP address and associate it with the EC2 instance. The EIP is not configured on the EC2 instance itself; instead, a one-to-one NAT entry is created in the IGW attached to the VPC.

Below is the architecture to follow when setting up an internet connection for the public subnet of DCLESSONS-VPC-01.

Go to the VPC section | select Internet Gateways | click Create internet gateway.

Here you can also see that one IGW already exists; it is used by the default VPC.

On the Internet Gateway page, under Name: Dclessons-INT-GW01 | Tag: Name: Value: Dclessons-INT-GW01 | click Create internet gateway.

Once the IGW is created, its information is shown on the details page. Select the IGW and click Attach to VPC.

Under Attach to VPC | select DCLESSONS-VPC-01 | under Platform: select Windows Command Prompt | click Attach internet gateway.

The figure below shows the IGW attached to DCLESSONS-VPC-01.

Update Subnet Route Table:

Below is the architecture diagram in which we add the default route with target IGW.

Go to the VPC section, select Route Tables | select Dclessons-Pub-RT | under Details you can see that Dclessons-Pub-east2a is associated with this route table.

Under Dclessons-pub-RT | select Routes | Edit routes | add the default route and, under Target, select Dclessons-INT-GW01 | Save changes.

Now you can see that the default route has been added and its status is Active.

Check NACL for Inbound and Outbound Traffic:

Select Dclessons-NACL | select Inbound rules | you will see Rule 100, which allows all traffic.

Now select Outbound rules | you will see Rule 100, which again allows all traffic. Under Subnet associations, both Dclessons-Pub-east2a and Dclessons-Pri-east2b are associated with it.

Associate Elastic IP and SG with EC2 Instances

Now that the IGW is attached to our VPC and the public RT has a default route pointing to it, we will create a security group that allows SSH connections to the EC2 instances and ICMP from the EC2 instances. Then we will launch an EC2 instance and associate the EIP and SG with it.

Below is the architecture diagram, which shows the EIP and SG and their association with the EC2 instance.

Go to the VPC section; on the left-hand side of the work area | select Security Groups under Security and click Create security group.

Here you can see two security groups: the default SG of the default VPC, and Dclessons-Default-SG, which was created automatically when DCLESSONS-VPC-01 was created.

Under Basic details | Name: Dclessons-SGT-01 | under Inbound rules: allow all traffic, and under Outbound rules: allow all traffic | click Create security group.

Launch EC2 instance

Go to AWS Services | select EC2 | on the EC2 Dashboard | click Launch instance.

Select the Amazon Linux AMI | select t2.micro (free tier) | under Network: select VPC DCLESSONS-VPC-01 | Subnet: Dclessons-Pub-east2a | Auto-assign Public IP: Disable | Next.

Under the Storage section: click Next | Tag: Name: Value: Dclessons-Pub-EC2 | Next.

Under Security Group: select SG Dclessons-SGT-01 and click Review and Launch.

Select Create a new key pair | select RSA | under Key pair name: Dclessons-Key-EC2 | download the key pair and click Launch Instances.

Once the EC2 instance is launched and its status is running, you can see that it has been assigned a private IP address from the subnet and has been associated with security group Dclessons-SGT-01.

Allocate Elastic IP address from Amazon IPv4 pool

Go to the VPC Dashboard | from the left side, select Elastic IPs under Network & Security and click Allocate Elastic IP address.

Under Allocate Elastic IP address | Elastic IP address settings: select Amazon's pool of IPv4 addresses | Tag: Name: Value: Dclessons-Pub-EIP | click Allocate.

Now select Dclessons-Pub-EIP | click Actions | select Associate Elastic IP address.

Under Associate Elastic IP address | Resource type: Instance | under Instance: select Dclessons-Pub-EC2 | click Associate.

Once the association succeeds, you can see that the EC2 instance has been allocated the IP address.

This can also be verified in the EC2 dashboard under the details section of Dclessons-Pub-EC2.

Note that the Public IPv4 DNS field is empty. This is because DNS hostnames were not enabled when the VPC was created.

Now go back to your VPC DCLESSONS-VPC-01 | click Actions: Edit DNS hostnames | select Enable | click Save changes.

Go back to the Dclessons-Pub-EC2 instance; under the Details section you can see that a public DNS name has now been assigned.

Now SSH to the EC2 instance using its public IP. The procedure for SSHing to an EC2 instance has already been described in the AWS Solutions Architect course.

Reachability Analyzer Check:

Reachability Analyzer is a tool that is very useful for troubleshooting reachability problems. It verifies the path status between two AWS resources in a VPC. Here we will verify the path status between the EC2 instance and the IGW.

Click Reachability Analyzer under the Network Analysis section | click Create and analyze path.

Under Path configuration | Name: Dclessons-IGW-EC2 | Source type: Internet Gateways: select the internet gateway | Destination type: Instances: select your EC2 instance | Destination port: 22 | Protocol: TCP.

Under Tags: Name: Value: Dclessons-IGW-EC2 | click Create and analyze path.

Under the Analyze path section | click Analyze path.

Here you can see the path from the IGW to the EC2 instance: traffic goes from the IGW to the subnet route table, is then checked against the network ACL, then against the security group, then reaches the ENI, and finally reaches the EC2 instance.
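The hop sequence above (route table, then network ACL, then security group, then ENI) is easy to reason about with a small simulator. The following Python script is an added example, not part of this lab and not AWS code: it models a VPC route table with longest-prefix matching, a stateless NACL evaluated in rule-number order, and an allow-only security group, then walks a TCP/22 flow from the internet gateway to the instance the way Reachability Analyzer does. All addresses, CIDRs and rule sets are constructed sample values (the lab leaves its real CIDRs unstated). It also contrasts the lab's allow-all security group with a least-privilege one that only admits SSH from a single source range, which is what a production setup would use.

```python
"""Simulate the hop-by-hop path check that Reachability Analyzer performs
for a flow from the internet gateway to an EC2 instance.

Added example, not part of the original lab and not AWS code.  The VPC
CIDR, subnet CIDR, instance IP, rule sets and source address below are
constructed sample values."""
import ipaddress

# --- constructed topology (assumptions, not the lab's real addressing) ---
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
PUBLIC_SUBNET = ipaddress.ip_network("10.0.1.0/24")
PUBLIC_EC2_IP = ipaddress.ip_address("10.0.1.10")
INTERNET_CLIENT = ipaddress.ip_address("198.51.100.7")  # RFC 5737 doc range

# Route tables: (destination, target).  Longest prefix wins, as in a VPC RT.
PUBLIC_RT = [(VPC_CIDR, "local"), (ipaddress.ip_network("0.0.0.0/0"), "igw")]
PRIVATE_RT = [(VPC_CIDR, "local")]  # no default route to an IGW -> private subnet

# NACL rules: (rule number, action, protocol, source CIDR, (low, high) ports).
# Stateless, evaluated in rule-number order, first match wins, implicit deny.
# Rule 100 "allow all" mirrors the lab's default NACL.
DEFAULT_NACL_INBOUND = [(100, "allow", "all", ipaddress.ip_network("0.0.0.0/0"), None)]

# Security group inbound rules: (protocol, source CIDR, (low, high) ports).
# Allow-only; any matching rule admits the flow.
SG_ALLOW_ALL = [("all", ipaddress.ip_network("0.0.0.0/0"), None)]
SG_SSH_ONLY = [("tcp", ipaddress.ip_network("198.51.100.0/24"), (22, 22))]


def route_lookup(rt, dst):
    """Return the target of the most specific matching route, or None."""
    best = None
    for net, target in rt:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_check(rules, proto, src, port):
    """Stateless NACL: the lowest-numbered matching rule decides; no match = deny."""
    for _num, action, r_proto, cidr, ports in sorted(rules, key=lambda r: r[0]):
        if r_proto not in ("all", proto) or src not in cidr:
            continue
        if ports and not ports[0] <= port <= ports[1]:
            continue
        return action == "allow"
    return False


def sg_check(rules, proto, src, port):
    """Security group: any matching allow rule admits the flow."""
    for r_proto, cidr, ports in rules:
        if r_proto in ("all", proto) and src in cidr:
            if ports is None or ports[0] <= port <= ports[1]:
                return True
    return False


def analyze_path(src, dst, proto, port, rt, nacl_in, sg_in, subnet):
    """Walk the hops the lab lists: RT -> NACL -> SG -> ENI.

    Returns (reachable, hops).  The route table is checked for a route back
    toward the IGW: without one the subnet is private and the IGW hop fails."""
    hops = []
    if route_lookup(rt, src) != "igw":
        return False, ["route-table: no route to internet gateway"]
    hops.append("route-table: igw route present")
    if not nacl_check(nacl_in, proto, src, port):
        return False, hops + ["network-acl: denied"]
    hops.append("network-acl: allowed")
    if not sg_check(sg_in, proto, src, port):
        return False, hops + ["security-group: denied"]
    hops.append("security-group: allowed")
    if dst not in subnet:
        return False, hops + ["eni: instance not in this subnet"]
    hops.append("eni: delivered")
    return True, hops


if __name__ == "__main__":
    for label, rt, sg, port in [("public RT, allow-all SG, tcp/22", PUBLIC_RT, SG_ALLOW_ALL, 22),
                                ("private RT, allow-all SG, tcp/22", PRIVATE_RT, SG_ALLOW_ALL, 22),
                                ("public RT, ssh-only SG, tcp/22", PUBLIC_RT, SG_SSH_ONLY, 22),
                                ("public RT, ssh-only SG, tcp/80", PUBLIC_RT, SG_SSH_ONLY, 80)]:
        ok, hops = analyze_path(INTERNET_CLIENT, PUBLIC_EC2_IP, "tcp", port, rt,
                                DEFAULT_NACL_INBOUND, sg, PUBLIC_SUBNET)
        print(f"{label}: {'reachable' if ok else 'NOT reachable'} -> {hops}")
```

Running it shows that the private route table fails at the first hop (no IGW route, which is exactly the page's definition of a private subnet), and that the SSH-only security group still passes the analyzer's TCP/22 check while rejecting every other port, so the lab's "allow all traffic" rule is not needed for the test to succeed.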

Create NAT Gateway:

Here we are going to set up a NAT gateway to provide internet access to the EC2 instance in the private subnet Dclessons-Pri-east2b. A subnet is said to be private when its route table contains no default route to an internet gateway. Also, an EC2 instance in a private subnet has no EIP associated with it.

To give the private EC2 instance internet access, we need to create a NAT gateway, then allocate an EIP and associate it with the NAT gateway. As soon as this is done, a static NAT entry is created in the IGW that translates the NGW's local subnet address to its associated EIP.

The NGW is responsible for translating the source IP address of traffic originating from the private subnet to its own local subnet IP address.

Here the EC2 instance Dclessons-Pri-EC2 sends a packet destined for the internet to the NGW. When the NGW receives the packet, it rewrites the source IP address to its own address in the public subnet and forwards the packet to the internet gateway. The IGW then translates the source IP address to the NGW's EIP.

We will launch one EC2 instance in the private subnet Dclessons-Pri-east2b and attach an SG that allows all inbound and outbound traffic.

Below is the NAT gateway architecture and setup flow.

Go to the VPC section | on the left-hand side, click NAT Gateways | under NAT gateway settings | Name: Dclessons-NAT-GW | Subnet: Dclessons-Pub-east2a | Connectivity type: Public | click Allocate Elastic IP to allocate an EIP | Tags: Name: Value: Dclessons-NAT-GW | Create NAT gateway.

Once the NAT gateway is configured, you can see that it has been allocated an EIP and a private IP in VPC DCLESSONS-VPC-01.

Update Route Table for private Subnet: Dclessons-Pri-east2b

Go to Route Tables | select Dclessons-pri-RT | Routes: Edit routes.

Add the default route with target NGW Dclessons-NAT-GW | Save changes.

Now follow the steps below to launch the EC2 instance in the private subnet; the procedure is the same as discussed above for the EC2 instance in the public subnet.
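The two-stage translation described in this section (NGW rewrites the private source address to its own public-subnet address, then the IGW rewrites that to the NGW's EIP) can be modelled to show the property that makes a NAT gateway safe to place in front of a private subnet: it keeps state only for flows the private instance started, so a packet arriving at the EIP that nobody inside asked for has no entry and is dropped. The Python below is an added example, not part of the lab and not AWS code; the NAT gateway is modelled as many-to-one port-translating SNAT with connection tracking and the IGW as the one-to-one static NAT the text describes. Every address is a constructed sample value, and the port-allocation scheme is an assumption for illustration only.

```python
"""Two-stage source NAT for outbound traffic from the private EC2 instance.

Added example, not AWS code.  The NGW rewrites the instance's private source
IP to its own public-subnet address (tracking the flow), and the IGW rewrites
that to the NGW's Elastic IP.  Replies are mapped back hop by hop; packets
with no tracked flow are dropped.  All addresses are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatGateway:
    """Many-to-one SNAT with connection tracking.  Only flows that started from
    inside are remembered, so unsolicited packets from outside are dropped."""

    def __init__(self, local_ip, first_port=1024):
        self.local_ip = local_ip        # NGW's IP in the public subnet
        self._next_port = first_port    # assumed allocation scheme: sequential
        self._flows = {}                # (src, sport, dst, dport) -> NAT port
        self._reverse = {}              # NAT port -> (src, sport)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._flows.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._flows[key] = port
            self._reverse[port] = (pkt.src, pkt.sport)
        return Packet(self.local_ip, pkt.dst, port, pkt.dport)

    def inbound(self, pkt):
        """Map a reply back to the private instance, or None if no flow matches."""
        if pkt is None or pkt.dst != self.local_ip or pkt.dport not in self._reverse:
            return None
        src, sport = self._reverse[pkt.dport]
        return Packet(pkt.src, src, pkt.sport, sport)


class InternetGateway:
    """One-to-one static NAT between a VPC-private address and its EIP; ports untouched."""

    def __init__(self, eip_map):
        self._to_eip = dict(eip_map)                         # private -> EIP
        self._to_private = {v: k for k, v in eip_map.items()}

    def outbound(self, pkt):
        return Packet(self._to_eip[pkt.src], pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt):
        private = self._to_private.get(pkt.dst)
        return None if private is None else Packet(pkt.src, private, pkt.sport, pkt.dport)


# Constructed topology (assumptions): private EC2, NGW in the public subnet,
# the NGW's EIP, and a package mirror on the internet (RFC 5737 ranges).
PRIVATE_EC2 = "10.0.2.20"
NGW_LOCAL_IP = "10.0.1.100"
NGW_EIP = "192.0.2.10"
YUM_MIRROR = "203.0.113.50"

ngw = NatGateway(NGW_LOCAL_IP)
igw = InternetGateway({NGW_LOCAL_IP: NGW_EIP})


def yum_round_trip():
    """Request from the private instance and the mirror's reply, hop by hop.
    Returns (packet as seen on the internet, packet delivered back to the EC2)."""
    request = Packet(PRIVATE_EC2, YUM_MIRROR, 40000, 80)
    at_ngw = ngw.outbound(request)          # src -> NGW local IP, new source port
    on_wire = igw.outbound(at_ngw)          # src -> NGW EIP
    reply = Packet(YUM_MIRROR, on_wire.src, 80, on_wire.sport)
    back_in_vpc = igw.inbound(reply)        # dst -> NGW local IP
    delivered = ngw.inbound(back_in_vpc)    # dst -> private EC2, original port
    return on_wire, delivered


def unsolicited_inbound():
    """A packet aimed at the EIP that no inside flow requested: the IGW maps it
    to the NGW, but the NGW has no tracked flow for it and drops it (None)."""
    probe = Packet("198.51.100.7", NGW_EIP, 5555, 22)
    return ngw.inbound(igw.inbound(probe))


if __name__ == "__main__":
    on_wire, delivered = yum_round_trip()
    print("seen by the mirror:", on_wire)
    print("delivered to EC2:  ", delivered)
    print("unsolicited probe: ", unsolicited_inbound())
```

The mirror only ever sees the EIP, the private instance's address never leaves the VPC, and the probe aimed at port 22 on the EIP is discarded, which is why the private instance in this lab can still run yum updates while not being reachable from the internet even though its security group allows all traffic.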

Testing from Public EC2 instance to Private EC2 instance

Here we use Dclessons-Pub-EC2 as a jump server to access Dclessons-Pri-EC2. To do that, SSH to Dclessons-Pub-EC2 and run the following commands.

Switch to the root user: sudo su

Run the updates with the following command: yum -y update

Now open Dclessons-pri-key.pem (the PEM key you downloaded while launching the private EC2 instance) in Notepad and copy its contents.

In order to SSH into Dclessons-Pri-EC2, we first need to create the PEM file on the public EC2 instance, i.e. Dclessons-Pub-EC2, and copy into it the data from Dclessons-pri-key.pem on the local machine.

To create Dclessons-pri-key.pem on Dclessons-Pub-EC2, run: vi Dclessons-pri-key.pem

To enter insert mode, press: i

In the editor, paste the key, which looks similar to the figure below.

Save the file: press Esc, then type :wq

Check that the file was created correctly: ls

Now update the permissions on Dclessons-pri-key.pem: chmod 400 Dclessons-pri-key.pem

Use the private IP address of Dclessons-Pri-EC2 to SSH:

ssh -i "Dclessons-pri-key.pem" ec2-user@

Now run the update again (yum -y update); you will see packages being downloaded from the internet, which shows that the private instance reaches the internet through the NAT gateway.

