It is easy to launch an EC2 instance in a VPC on a public or private subnet.
AWS isolates your instances and other resources from the millions of other applications running in AWS using a Virtual Private Cloud (VPC). By default, AWS provisions a default VPC. The route table associated with the default VPC includes a route to an internet gateway, which allows your instances to communicate with the internet. In the Singapore Region, three public subnets are created for you by default, because Singapore has three Availability Zones. So think of a VPC as a bounding box and a subnet as a partition inside it. Your resources, e.g. app servers, web servers and DB servers, can be organised into different partitions, and they can communicate with each other using private IPv4 addresses.
When you launch an EC2 instance into one of the public subnets, it is assigned both a public IPv4 and a private IPv4 address. You can reach it over the internet via the public IPv4 address by configuring the Security Group to allow the connection. This also means that your instance is public-facing and reachable from the internet. Imagine allowing strangers to access your production DB. You can configure the Security Group to block inbound traffic, but if someone accidentally allows all TCP traffic from anywhere, your DB instance is open to the entire internet and will be compromised.
The good practice is to host your DB instance, app server or any other resource that should not be publicly reachable in a private subnet. In this article I will show you how to create a VPC, public and private subnets, an Internet Gateway and Route Tables. In the next article, I will show you how to install and deploy a DB server in the private subnet and access it from a web server in the public subnet.
We are now going to create the following architecture: one VPC, one public subnet, one private subnet, two route tables and one internet gateway.
Step 1: Create a VPC
By default there is one VPC, however, you can still build your own VPC. To create a VPC you only need to declare two things: the region and the IP range.
- Log in to your AWS Management Console and select VPC.
- Give your VPC the name MyProject.
- Enter 10.10.0.0/16 in the IPv4 CIDR block field.
Step 2: Create a Public and Private Subnet
- Select Subnets in the left navigation panel.
- Enter 10.10.1.0/24 in the IPv4 CIDR block field. This will be the public subnet.
- Choose the VPC we created earlier.
- Repeat steps 1 to 3 for the private subnet, but enter 10.10.2.0/24 in the IPv4 CIDR block field.
Step 3: Create two Route Tables
A default main route table is created automatically and associated with your subnets. Under the Routes tab, you can see a default route with destination 10.10.0.0/16 and target local. This allows your instances and other resources to communicate with each other within the VPC. However, if you want them to reach the internet, you need to create an Internet Gateway and attach it to the VPC.
Step 4: Create an Internet Gateway
Navigate to Internet Gateways in the left navigation panel and create one. Then click the Actions button, select Attach to VPC and choose the VPC you created earlier.
Go back to Route Tables and create another route table for the public subnet. Under the Routes tab, click the Edit routes button, then click Add route, enter 0.0.0.0/0 in the destination field and select the Internet Gateway as the target.
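As an added check that is not part of this article (and not AWS's own code), the following Python models the exact layout built above, i.e. VPC 10.10.0.0/16, subnets 10.10.1.0/24 and 10.10.2.0/24, the main route table and the public route table, and verifies that the subnet CIDRs fit inside the VPC without overlapping and that only the subnet associated with the internet-gateway route table counts as public. The internet gateway id is a placeholder (a real one looks like igw-xxxxxxxx), and the subnet-to-route-table association is spelled out because a subnet is only public once the public route table is actually associated with it.

```python
"""Constructed model of the VPC layout built in this article (not AWS code)."""
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.10.0.0/16")

# Subnet name -> CIDR: the article's two subnets.
SUBNETS = {
    "public": ip_network("10.10.1.0/24"),
    "private": ip_network("10.10.2.0/24"),
}

# Route tables as (destination, target) pairs. The main table only has the
# local route; the second table adds the 0.0.0.0/0 route to the internet
# gateway. "igw-PLACEHOLDER" stands in for a real igw-... id.
ROUTE_TABLES = {
    "main": [("10.10.0.0/16", "local")],
    "public-rt": [("10.10.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
}

# Subnet -> route table. The private subnet stays on the main table; the
# public subnet must be explicitly associated with the public route table.
ASSOCIATIONS = {"public": "public-rt", "private": "main"}


def validate_cidrs(vpc, subnets):
    """Every subnet must fit inside the VPC CIDR and none may overlap."""
    nets = list(subnets.values())
    for n in nets:
        if not n.subnet_of(vpc):
            raise ValueError(f"{n} is outside VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def resolve_target(routes, dst_ip):
    """Longest-prefix match, as AWS route tables do; None if nothing matches."""
    best = None
    for dest, target in routes:
        net = ip_network(dest)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public(subnet, associations=ASSOCIATIONS, tables=ROUTE_TABLES):
    """AWS's definition: a subnet is public if its route table has an IGW route."""
    return any(t.startswith("igw-") for _, t in tables[associations[subnet]])
```

Running `is_public("private")` returns False even though the private subnet shares the VPC with the public one, which is exactly why a DB placed there is not reachable from the internet.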
That’s all. You have successfully created a VPC, public and private subnets, route tables and an Internet Gateway. Stay tuned for the next tutorial.