AWS VPC Step-by-Step Full Guide: Hands-on Creating Subnets, Deploying EC2, Security Groups & NAT Gateway
What is a VPC?
A Virtual Private Cloud (VPC) is a logically isolated and customizable virtual network inside AWS. Within a VPC, you can define your own IP ranges, subnets, route tables, and security controls to securely deploy and manage cloud resources.
1. Create a VPC
Steps:
Go to the VPC service in the AWS console.
Click on Your VPCs → Create VPC.
Give a name, choose a CIDR range (based on your IP requirements), and optionally add tags.
Click Create VPC.
The first step is complete: the VPC is created and appears under Your VPCs.
2. Create Subnets
Steps:
Go to Subnets.
Select the VPC in which you want to create the subnet.

Provide a Subnet Name and a CIDR Block. AWS will show how many IPs are available.
After the subnet is created, go to Subnet Settings and enable Auto-assign Public IPv4 address (only if this will be a public subnet).
Your subnet is now created. Next, we will create EC2 instances.
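Sections 1 and 2 leave the CIDR choices to you, and the console only tells you how many addresses a subnet has once you type the block in. The planner below, an added example rather than code from the original guide, carves non-overlapping subnets out of a VPC CIDR and counts the usable addresses the way AWS does (five addresses per subnet are reserved: network address, VPC router, DNS, one held for future use, and broadcast; prefix lengths must be between /16 and /28). The 10.0.0.0/16 layout and the subnet names are constructed assumptions.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router, the DNS resolver, one address held for future use, and the broadcast
# address. Subnet prefix lengths must lie between /16 and /28.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(subnet_cidr):
    """Return how many addresses AWS will actually hand out in this subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: AWS subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, wanted):
    """Carve non-overlapping subnets out of a VPC CIDR.

    wanted maps a subnet name to the prefix length it should get, for example
    {"public": 24, "private": 24}. Larger subnets are placed first so the
    smaller ones fit in whatever space remains. Returns name -> CIDR.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    free = [vpc]          # blocks of the VPC not yet handed to a subnet
    plan = {}
    for name, prefix in sorted(wanted.items(), key=lambda item: item[1]):
        if not 16 <= prefix <= 28:
            raise ValueError(f"{name}: /{prefix} is outside the AWS range /16-/28")
        for i, block in enumerate(free):
            if block.prefixlen <= prefix:
                chunk = next(block.subnets(new_prefix=prefix))
                # Replace the block we took from with whatever is left of it.
                free[i:i + 1] = list(block.address_exclude(chunk))
                free.sort()
                plan[name] = str(chunk)
                break
        else:
            raise ValueError(f"no room left in {vpc_cidr} for {name} (/{prefix})")
    return plan


if __name__ == "__main__":
    # Constructed example matching the guide's layout: one public and one
    # private subnet, plus a small subnet for a database tier.
    layout = plan_subnets("10.0.0.0/16", {"public": 24, "private": 24, "db": 28})
    for name, cidr in layout.items():
        print(f"{name:8} {cidr:18} usable IPs: {usable_hosts(cidr)}")
```

Running it prints 251 usable addresses for each /24 and 11 for the /28, which is the number the console shows for those blocks; asking for a /29 raises, because AWS will not create it.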
3. Launch an EC2 Instance
Steps:
Go to the EC2 service → Click Launch Instance.
Select the VPC (Hawkins_VPC) and the subnet (Hawkins_public-subnet).
Provide an instance Name, select an OS, and choose a Free-tier AMI.
Select an instance type (choose the smallest to reduce cost).
Create or select a Key Pair (required for SSH access).
In Network Settings:
Select your VPC
Select your Subnet
Choose Create Security Group

Delete the default inbound rule (we will add rules later).
Review storage and launch the instance.
Your EC2 instance is now created.
4. Logging Into the EC2 Instance
We use SSH to connect.
Before connecting:
Ensure the .pem key has the correct permissions.
Your instance must have:
A public IP
A public subnet
Proper security group inbound rules
Command:
ssh -i Hawkins.pem ubuntu@<public_ip>
Why you might fail to connect:
You have not opened any inbound rules (SSH port 22).
You will see connection timeout errors.

Simple architecture diagram before creating the Internet Gateway, route table rules, and security group

Check your instance:
Does it have a Public IPv4 address?
Is the subnet public?
Add the security group to your instance
A public subnet must have:
✔ Internet Gateway attached
✔ Route table with 0.0.0.0/0 → igw-xxxxx
Our problem is that we created a subnet, but it is not a public subnet.
We have to make it a public subnet.
5. Public Subnet Requirements
A subnet is considered public only if:
✔ It is associated with a route table that has 0.0.0.0/0 → Internet Gateway (igw-xxxx)
✔ The VPC has an Internet Gateway attached
We created a subnet earlier, but it is not public yet.
Let’s convert it into a public subnet.
6. Convert a Subnet Into a Public Subnet
Step 1: Create and Attach an Internet Gateway (IGW)
Go to VPC → Internet Gateways.
Click Create Internet Gateway → Name it (e.g., Hawkins-IGW).
Select your IGW → Actions → Attach to VPC
Choose the VPC where your EC2 instance is located.
Step 2: Update the Subnet’s Route Table
Go to Route Tables.
Find the route table associated with your EC2 instance's subnet (Instance → Networking tab → Subnet → Route Table ID).
Open the route table → Edit Routes.
Add:
Destination: 0.0.0.0/0
Target: igw-xxxxxxx
Your subnet is now a public subnet.
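Sections 4 to 6 describe three separate checks (public IP, a 0.0.0.0/0 route to an Internet Gateway, and the gateway actually attached to the VPC) that together decide whether the connection timeout goes away. The code below is an added example, not part of the original guide: it models those pieces of a VPC and reports which requirement is still missing, and it also classifies the private-subnet route (0.0.0.0/0 → NAT Gateway) used later in the guide. Route table, subnet and gateway IDs are placeholders, and the instance's public address is a constructed value.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vpc:
    """The pieces of a VPC that decide whether a subnet is public."""
    main_route_table: str
    route_tables: dict = field(default_factory=dict)         # rtb-id -> [(destination, target), ...]
    subnet_associations: dict = field(default_factory=dict)  # subnet-id -> rtb-id
    attached_igws: set = field(default_factory=set)


@dataclass
class Instance:
    subnet_id: str
    public_ip: Optional[str] = None


def route_table_for(vpc, subnet_id):
    # A subnet with no explicit association uses the VPC's main route table.
    return vpc.subnet_associations.get(subnet_id, vpc.main_route_table)


def default_route_target(vpc, subnet_id):
    """Target of the 0.0.0.0/0 route in the subnet's route table, or None."""
    for destination, target in vpc.route_tables.get(route_table_for(vpc, subnet_id), []):
        if destination == "0.0.0.0/0":
            return target
    return None


def classify_subnet(vpc, subnet_id):
    target = default_route_target(vpc, subnet_id)
    if target is not None and target.startswith("igw-") and target in vpc.attached_igws:
        return "public"      # traffic reaches the internet directly through the IGW
    if target is not None and target.startswith("nat-"):
        return "private"     # outbound only, through a NAT Gateway in a public subnet
    return "isolated"        # local route only: nothing gets in or out of the VPC


def reachability_problems(vpc, instance):
    """Everything that still blocks an SSH connection from the internet at the
    network layer. An empty list means only the security group is left to check."""
    problems = []
    if instance.public_ip is None:
        problems.append("instance has no public IPv4 address")
    rtb = route_table_for(vpc, instance.subnet_id)
    target = default_route_target(vpc, instance.subnet_id)
    if target is None:
        problems.append(f"{rtb} has no 0.0.0.0/0 route")
    elif not target.startswith("igw-"):
        problems.append(f"{rtb} sends 0.0.0.0/0 to {target}, which is not an internet gateway")
    elif target not in vpc.attached_igws:
        problems.append(f"{target} is not attached to the VPC")
    return problems


def guide_vpc_before_fix():
    """Constructed model of the state in section 4: the subnet still uses the
    main route table, which only has the local route."""
    return Vpc(main_route_table="rtb-main",
               route_tables={"rtb-main": [("10.0.0.0/16", "local")]})


def guide_vpc_after_fix():
    """Constructed model after section 6, plus the NAT route that the
    private-subnet part of the guide adds later. IDs are placeholders."""
    vpc = guide_vpc_before_fix()
    vpc.attached_igws.add("igw-PLACEHOLDER")
    vpc.route_tables["rtb-public"] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
    vpc.route_tables["rtb-private"] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
    vpc.subnet_associations["subnet-public"] = "rtb-public"
    vpc.subnet_associations["subnet-private"] = "rtb-private"
    return vpc


if __name__ == "__main__":
    web = Instance(subnet_id="subnet-public", public_ip="203.0.113.10")  # constructed address
    print("before:", reachability_problems(guide_vpc_before_fix(), web))
    print("after: ", reachability_problems(guide_vpc_after_fix(), web))
    print("private subnet is", classify_subnet(guide_vpc_after_fix(), "subnet-private"))
```

The "before" run reports only the missing default route, which is exactly the situation in section 4: the instance had a public IP, yet every SSH attempt timed out because nothing in the subnet's route table led to an Internet Gateway.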
7. Security group
A security group is like a gatekeeper for your EC2 instance.
It controls:
Who is allowed to enter your server
Who is allowed to leave your server
Security Group = Firewall for your EC2 instance.
It keeps bad traffic out and allows safe traffic in.
Inbound rules = Who can enter your EC2 instance.
Example:
Allow SSH (port 22) from your IP only → You can connect to your server.
Allow HTTP (port 80) from everyone → Website is publicly visible.
Allow HTTPS (port 443) → Secure website access.
If inbound is not allowed, nobody can enter, not even you.
Outbound rules = Who your EC2 instance is allowed to contact.
Example:
Your EC2 instance wants to download updates from the internet → It must be allowed.
Your server sends responses back to users → Outbound must allow it.
Outbound rules are usually open by default, because servers usually need to send data out.
1. Go to Security Groups and select our security group Hawkins_security_group
2. Select Edit inbound rules and add an SSH rule
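The rules in section 7 are easy to get wrong in the console, so here is an added example (not code from the original guide) that evaluates a security group the way AWS does for a new connection: default deny, match on protocol and port range, and a source that is either a CIDR or another security group's id. It also lints for the mistake the guide warns against, SSH open to everyone instead of your own IP. Security groups are stateful, so the reply to a connection an inbound rule admitted is passed back without consulting the outbound rules; the checks below therefore concern only the first packet of a new connection. The addresses and the group ids (including the sg-bastion reference used for the private instance in the bastion section) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str      # a CIDR such as "203.0.113.5/32", or another group's id ("sg-...")


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list
    outbound: list


def rule_matches(rule, protocol, port, source_ip, source_sg=None):
    """Does one rule admit a new connection with these properties?"""
    if rule.protocol != "-1":
        if rule.protocol != protocol:
            return False
        if not rule.from_port <= port <= rule.to_port:
            return False
    if rule.source.startswith("sg-"):
        # Group-to-group rule: matches on the sender's group, not its address.
        return source_sg == rule.source
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule.source, strict=False)


def inbound_allowed(group, protocol, port, source_ip, source_sg=None):
    # Default deny: with no matching inbound rule, nobody gets in, not even you.
    return any(rule_matches(r, protocol, port, source_ip, source_sg) for r in group.inbound)


def lint_inbound(group):
    """Flag rules that expose the SSH port to the whole internet, which the
    guide tells you to avoid by allowing port 22 from your own IP only."""
    findings = []
    for r in group.inbound:
        everyone = r.source in ("0.0.0.0/0", "::/0")
        covers_ssh = r.protocol == "-1" or (r.protocol == "tcp" and r.from_port <= 22 <= r.to_port)
        if everyone and covers_ssh:
            findings.append(f"{group.group_id}: SSH (22) is open to {r.source}; restrict it to your own IP")
    return findings


# Constructed groups for the guide's setup. 203.0.113.5 stands in for "your IP".
MY_IP = "203.0.113.5"
HAWKINS_SG = SecurityGroup(
    "sg-hawkins",
    inbound=[Rule("tcp", 22, 22, f"{MY_IP}/32"),      # SSH from my IP only
             Rule("tcp", 80, 80, "0.0.0.0/0"),        # HTTP from everyone
             Rule("tcp", 443, 443, "0.0.0.0/0")],     # HTTPS from everyone
    outbound=[Rule("-1", 0, 0, "0.0.0.0/0")],         # the default "allow all" outbound rule
)
# The private instance from the bastion section: SSH only from the bastion's group.
PRIVATE_SG = SecurityGroup("sg-private", inbound=[Rule("tcp", 22, 22, "sg-bastion")],
                           outbound=[Rule("-1", 0, 0, "0.0.0.0/0")])

if __name__ == "__main__":
    print("ssh from my laptop:   ", inbound_allowed(HAWKINS_SG, "tcp", 22, MY_IP))
    print("ssh from elsewhere:   ", inbound_allowed(HAWKINS_SG, "tcp", 22, "198.51.100.7"))
    print("http from elsewhere:  ", inbound_allowed(HAWKINS_SG, "tcp", 80, "198.51.100.7"))
    print("lint:", lint_inbound(SecurityGroup("sg-open", [Rule("tcp", 22, 22, "0.0.0.0/0")], [])))
```

Referencing the bastion's group id as the source, rather than the bastion's private IP, keeps the rule valid if the bastion is replaced and its address changes.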

We Finally Did It
1. Our instance has a public IP
2. We are inside the public subnet
3. Added an inbound SSH rule to the security group
After doing all this, we are able to log in successfully.


Creating an instance inside private subnet
1. Creating an Instance in a Private Subnet
Step 1: Create a Private Subnet
Go to Subnets → Create subnet inside your VPC.
Give a name, choose a CIDR range.
Disable Auto-assign public IP (private subnets should not have it).
Step 2: Create a Route Table
Go to Route Tables → Create Route Table.
Give a name and select your VPC.
Associate this route table with your private subnet.
Step 3: Create EC2 in Private Subnet
Launch an EC2 instance normally.
Select:
Your VPC
Your private subnet
An existing security group
Launch the instance.
Try SSH:
You will fail and get errors, because:
❌ Private EC2 has no public IP
❌ No Internet Gateway is attached
❌ Cannot be accessed directly from the internet
This is expected.

2. Accessing a Private EC2: Bastion Host (Jump Server)
What is a Bastion Host?
A Bastion Host = A small EC2 instance in the public subnet that you use as a bridge.
You do:
Laptop → Bastion Host → Private EC2
STEP 1: Create a Bastion Host in public subnet
Launch a new EC2 instance (if you do not already have one)
Choose:
Subnet: Public subnet
Auto-assign Public IP: Enable
Attach security group allowing:
SSH (22) from your laptop IP
This instance gets a public IP — you can SSH into it.
STEP 2: SSH into Bastion Host
ssh -i yourkey.pem ubuntu@<BASTION-PUBLIC-IP>
STEP 3: From Bastion, SSH to the Private EC2
Your private EC2 has a private IP like 10.0.2.15.
Run:
ssh ubuntu@10.0.2.15
If the private instance requires the same key pair, upload the .pem inside bastion (SCP) or use SSH agent forwarding.
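The two hops above (laptop → bastion → private EC2) can be made in one command with OpenSSH's ProxyJump (OpenSSH 7.3 or later), which avoids both options in the last step: the .pem stays on the laptop, so a compromised bastion cannot read it, and no agent socket is forwarded to the bastion. This ~/.ssh/config fragment is an added example, not from the original guide; the host aliases, the key path, the <BASTION-PUBLIC-IP> placeholder and the 10.0.2.15 address are assumptions to replace with your own values.

```sshconfig
# Added example: ~/.ssh/config fragment for the bastion pattern.
# Aliases, key path and addresses are assumptions; replace them with yours.
Host hawkins-bastion
    HostName <BASTION-PUBLIC-IP>
    User ubuntu
    IdentityFile ~/.ssh/Hawkins.pem
    IdentitiesOnly yes

Host hawkins-private
    HostName 10.0.2.15
    User ubuntu
    IdentityFile ~/.ssh/Hawkins.pem
    IdentitiesOnly yes
    # Tunnel the connection through the bastion; the private key is only
    # ever used on the laptop, and the bastion sees an opaque TCP stream.
    ProxyJump hawkins-bastion
```

With this in place, `ssh hawkins-private` from the laptop opens the session on the private instance. The bastion's security group still needs port 22 from your laptop IP, and the private instance's security group needs port 22 from the bastion (the bastion's security group id is the cleanest source to use).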

3. NAT Gateway
If an EC2 instance is in a private subnet, it cannot install packages or update OS because:
❌ No Public IP
❌ No direct internet access
❌ Route table does NOT point to Internet Gateway (IGW)
So you must use a NAT Gateway.
A NAT Gateway = A machine sitting in the public subnet that lets private EC2s go out to the internet, but prevents internet coming inside.
Why must NAT Gateway be in a Public Subnet?
Because a NAT Gateway needs:
✔ Public IP (Elastic IP)
✔ Route to Internet Gateway (IGW)
Only a public subnet has a route to the IGW: 0.0.0.0/0 → igw-1234
So the NAT Gateway must be created in the public subnet.
How to Create NAT Gateway (Step-by-Step)
Step 1: Allocate Elastic IP
Go to:
VPC → Elastic IPs → Allocate Elastic IP
This gives a public IP for NAT.
Step 2: Create NAT Gateway
Go to:
VPC → NAT Gateways → Create NAT Gateway
Fill:
Subnet: Choose your Public Subnet
Elastic IP: Select the one you created
NAT Gateway is now created INSIDE the public subnet.
Step 3: Attach NAT Gateway to Private Subnet (this is the important part)
You don't attach it physically; you attach it using the route table.
Go to:
VPC → Route Tables → Select your Private Route Table
Click Edit Routes → Add Route
Add:
Destination: 0.0.0.0/0
Target: NAT Gateway (nat-xxxx)
Save.
Now your private EC2 can access the internet, so you can do:
sudo apt update
sudo apt install python3
sudo apt install nginx
pip install flask
git clone
A private EC2 sends its request to the NAT Gateway,
NAT Gateway replaces the private IP with its own public Elastic IP,
and then sends the request to the internet,
then receives the response and returns it to the private EC2.
Private EC2 (10.0.2.15)
| "sudo apt update"
v
Private Route Table
0.0.0.0/0 → NAT Gateway
|
v
NAT Gateway (Elastic IP: 3.122.45.90)
| "outbound traffic"
v
Internet Gateway
|
v
Internet (Ubuntu Repo / GitHub / Google)
|
v
Internet Gateway
|
v
NAT Gateway
| "maps back to 10.0.2.15"
v
Private EC2 (success!)
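The diagram above shows one request and its reply; what makes the round trip work, and what makes the NAT Gateway "prevent internet coming inside", is the translation table it keeps per flow. The toy model below is an added example, not code from the original guide or from AWS: outbound packets get their private source rewritten to the Elastic IP and a per-flow port, replies are looked up in that table and mapped back to 10.0.2.15, and any packet that matches no flow a private instance started is dropped. The Elastic IP is the one from the diagram; the repository address, the client port and the port-allocation scheme are constructed assumptions.

```python
class NatGateway:
    """Toy model of what the NAT Gateway does with each packet: source NAT on
    the way out, a table lookup on the way back, and a drop for anything
    unsolicited."""

    def __init__(self, elastic_ip, first_port=1024):
        self.elastic_ip = elastic_ip
        self.next_port = first_port
        # (nat_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.flows = {}
        # (private_ip, private_port, remote_ip, remote_port) -> nat_port
        self.by_origin = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from a private instance. Returns the packet as the internet sees it."""
        origin = (src_ip, src_port, dst_ip, dst_port)
        nat_port = self.by_origin.get(origin)
        if nat_port is None:
            # New flow: pick a free port on the Elastic IP and remember who owns it.
            nat_port = self.next_port
            self.next_port += 1
            self.by_origin[origin] = nat_port
            self.flows[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.elastic_ip, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at the Elastic IP from the internet. Only a reply to a
        flow that a private instance opened is mapped back; anything else is
        dropped (None), which is why nothing can reach a private EC2 this way."""
        owner = self.flows.get((dst_port, src_ip, src_port))
        if owner is None:
            return None
        private_ip, private_port = owner
        return (src_ip, src_port, private_ip, private_port)


if __name__ == "__main__":
    # Elastic IP from the guide's diagram; the repo address and client port are constructed.
    nat = NatGateway("3.122.45.90")
    print("out:  ", nat.outbound("10.0.2.15", 51515, "198.51.100.80", 80))
    print("reply:", nat.inbound("198.51.100.80", 80, 1024))
    print("scan: ", nat.inbound("198.51.100.99", 4444, 22))
```

The last call models a connection attempt from the internet to port 22 on the Elastic IP: it matches no flow and is dropped, so an SSH client aimed at the NAT Gateway's address never reaches the private instance, while `sudo apt update` on that instance works because its own packets created the table entry first.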

Conclusion
In this step-by-step hands-on guide, we explored how AWS VPC networking works from the ground up. You learned how to create a VPC, configure public and private subnets, launch EC2 instances, set up security groups, attach an Internet Gateway, use a Bastion Host for secure access, and enable outbound connectivity using a NAT Gateway.
By understanding these core components, you now have the ability to design secure, scalable, and production-ready cloud architectures on AWS. Whether you are deploying simple applications or building complex enterprise networks, mastering VPC fundamentals is the foundation for becoming a strong cloud engineer or DevOps professional.
