AWS VPC with public subnet, private subnet, Internet gateway and NAT gateway

Anurag Mittal
8 min read, Jul 13, 2020

VPC

A VPC is like an office or a private space in which we can set up our labs (subnets) for launching instances inside it.

This space looks real, but it is virtual. It is our own, i.e. private, and isolated from other spaces/offices; that is why it is called a VPC (Virtual Private Cloud).

SUBNET

In AWS, labs are known as subnets. A VPC contains subnets. Each subnet has a router and a DHCP server that are connected to a switch. When we launch an instance inside a subnet it is attached to the switch, and the DHCP server is the one that assigns an IP to the instance.

There may be many subnets inside a VPC. These subnets have connectivity between them, meaning an instance in one subnet can connect to an instance in another subnet.

We can't launch an instance directly in an Amazon data center. We have to launch it inside a subnet, and a subnet resides in one of the data centers.

NOTE :-

NAAS: Networking as a Service

IAAS: Infrastructure as a Service

In AWS, NAAS is provided by VPC.

In OpenStack, NAAS is provided by Neutron.

AWS provides one VPC out of the box; it is named Default. We can also create our own VPC. We have to assign a pool of IPs to the VPC at the time of creating it.

Subnetting: from this IP pool we assign a particular IP range to each subnet in the VPC.

In every subnet the 1st IP is reserved for the network name.

The 2nd IP is reserved for the router.

The 3rd IP is reserved for the DHCP server.

The 4th IP is reserved for some use case.

The last IP is reserved for broadcasting.

Internet Gateway (IG)

It is the router of the VPC, and it is a public-facing router. Through this router the public can connect to instances running in subnets inside the VPC. An IG belongs to a VPC, and a VPC has one IG. Through the Internet gateway the public can connect to private instances, and private instances can also connect to the public internet.

Routing table (For internet gateway)

The routing table is created inside the VPC and holds a route to the Internet Gateway. Apply this routing table to the subnet (DHCP server) in which the instances want internet connectivity.

NAT Gateway

Use of a NAT gateway: when an instance in a private subnet wants internet connectivity. This means only the instance can go out to the public world/internet; nobody from the internet/public can connect to the instance in the private subnet.

A NAT gateway is basically a router. A NAT gateway is always part of a public subnet.

A NAT gateway provides SNAT only.

An Internet gateway provides both SNAT and DNAT.

Routing table (For NAT gateway)

The routing table is created inside the VPC and holds a route to the NAT Gateway. Apply this routing table to the private subnet (DHCP server) in which the instances want internet connectivity.

Private Subnet

With this subnet we do not associate the Internet gateway routing table, so all VMs inside it can't reach the Internet gateway for outside connectivity, and the public is also not able to connect to the VMs inside this subnet.

Public subnet

With this subnet we associate the routing table so that all VMs inside it get connected to the outside/public world through the Internet gateway.

NOTE:-

DMZ: Demilitarized Zone. The public subnet is known as the DMZ.

LET'S START THE PROCESS:

Statement: We have to create a web portal for our company with as much security as possible. So we use the WordPress software with a dedicated database server. The database should not be accessible from the outside world for security purposes. We only need to expose WordPress to clients.

Here we are adding one additional feature, a NAT Gateway, to provide internet access to the instances (the database) running in the private subnet.

So here are the steps, for proper understanding!

Steps:

1a. First we have to tell Terraform who the provider is, i.e. from whom it will take the services. In our case the provider is AWS.

1b. Write infrastructure as code using Terraform which automatically creates a VPC.

2) In that VPC we have to create 2 subnets:

a) public subnet [ Accessible to the public world! ]

b) private subnet [ Restricted from the public world! ]

3) Create a public-facing Internet gateway to connect our VPC/network to the internet, and attach this gateway to our VPC.

4) Create a routing table for the Internet gateway so that instances can connect to the outside world, update it, and associate it with the public subnet.

5) Create a security group allowing port 80 so that our clients can connect to our WordPress site on the instance running in the public subnet. Clients can also SSH to this WordPress instance running in the public subnet.

6) Create one EIP for the NAT gateway inside the VPC, which gives one static public IP to the NAT gateway.

7) Create a NAT gateway to connect our VPC/network to the internet, and attach this gateway to our VPC in the public subnet.

8) Create a route table for the private subnet (for the NAT gateway) so that, to access the internet, it uses the NAT gateway created in the public subnet. Associate this routing table with the private subnet.

9) Create a security group allowing port 3306 in the private subnet so that our WordPress VM in the public subnet can connect to it.

10) Launch an EC2 instance which already has WordPress set up, with the security group allowing port 80 so that our clients can connect to our WordPress site. Also attach the key to the instance for logging into it later.

11) Launch an EC2 instance which already has MySQL set up, with the security group allowing port 3306, in the private subnet so that our WordPress VM can connect to it. Also attach the key to it.

Note: The WordPress instance has to be part of the public subnet so that our clients can connect to our site.

The MySQL instance has to be part of the private subnet so that the outside world can't connect to it.

Don't forget to enable the auto-assign public IP and auto DNS hostname assignment options.


So our setup is ready. Let's perform the task.

First I show you that I don't have any VPC with the name that I mentioned above.

I don't have any subnet in the VPC with the name mentioned above.

I don't have any NAT gateway.

To apply the Terraform code that we have created, we first have to initialize it:

It will download all the plugins required for running this Terraform code.

command: terraform init

It might show one warning, but it is just a warning; ignore it. The code is fine.

After this, run one single command and the whole infrastructure will be ready:

command: terraform apply --auto-approve

So our setup is launched successfully.

As you can see, the VPC has been created successfully.

Private subnet inside this VPC, with the routing table for the NAT gateway associated.

Public subnet inside this VPC, with the routing table for the Internet gateway associated.

Route table inside this VPC.

Internet gateway

NAT gateway

EIP for this NAT Gateway

Security Groups

Instances

Now, using the public IP of the WordPress instance, we can connect to the WordPress PHP website running on this instance.

This is the site running on the WordPress instance.

Now we destroy the setup that we created, using just one command:

command: terraform destroy --auto-approve

Task has been completed.

Thank you for reading the article.

GitHub URL:

https://github.com/anurag08-git/aws-task4.git
