This project demonstrates the creation of a secure AWS VPC environment with public and private subnets, an Internet Gateway, a NAT Gateway, route tables, and EC2 instances configured for secure access. All screenshots are stored in the screenshots/ directory.
Created a new VPC named secure-vpc-lab-vpc using CIDR block 10.0.0.0/16, providing a scalable address space for multiple subnets and future expansion.
Screenshot:
screenshots/01-vpc-created.png
Created a public subnet named public-subnet-1 using CIDR 10.0.1.0/24.
Enabled auto‑assign public IPv4 so that instances launched here receive a public address. The public IP on its own exposes nothing; the subnet becomes internet‑facing only once its route table sends 0.0.0.0/0 to the Internet Gateway (configured below).
Screenshot:
screenshots/02-public-subnet.png
Created a private subnet named private-subnet-1 using CIDR 10.0.2.0/24.
Disabled public IP assignment so that instances launched here receive only private addresses; together with a route table that has no Internet Gateway route, this keeps them unreachable from the internet.
Screenshot:
screenshots/03-private-subnet.png
Created an Internet Gateway (secure-vpc-lab-igw) and attached it to the VPC. The IGW carries traffic in both directions (inbound to public IPs as well as outbound) for resources in any subnet that routes to it, which is why only the public subnet is pointed at it.
Screenshot:
screenshots/04-internet-gateway.png
Created a public route table (secure-vpc-lab-rtb-public) and associated it with the public subnet.
Added a default route 0.0.0.0/0 pointing to the Internet Gateway. The 10.0.0.0/16 local route that AWS adds to every route table automatically keeps intra‑VPC traffic inside the VPC.
Screenshot:
screenshots/05-public-route-table.png
Created a NAT Gateway (secure-vpc-lab-natgw) in the public subnet and attached an Elastic IP.
This gives private instances outbound‑only internet access for package updates and similar: the NAT Gateway rewrites their source address to its Elastic IP and only passes back traffic for connections they initiated, so nothing on the internet can open a connection to them.
Screenshot:
screenshots/06-nat-gateway.png
Created a private route table (secure-vpc-lab-rtb-private1-us-east-1a) and associated it with the private subnet.
Added a default route 0.0.0.0/0 pointing to the NAT Gateway. This table deliberately has no route to the Internet Gateway; that absence is what makes the subnet private. Both the NAT Gateway and this route table are tied to us-east-1a, so a private subnet in another Availability Zone would need its own NAT Gateway to keep working during an AZ outage.
Screenshot:
screenshots/07-private-route-table.png
Launched two EC2 instances:
Public EC2 (Bastion Host)
- Subnet: Public
- Public IP: Yes
- Purpose: Secure SSH entry point into the VPC (its security group should allow TCP/22 only from the operator's own address)
Private EC2
- Subnet: Private
- Public IP: No
- Purpose: Internal application server (its security group should allow TCP/22 only from the bastion's security group, not from any CIDR)
Screenshots:
screenshots/08-ec2-bastion.png
screenshots/09-ec2-private.png
Verified SSH access from the local machine into the public EC2 instance using the key pair.
Screenshot:
screenshots/10-ssh-into-bastion.png
Copied the key pair to the bastion host, adjusted its permissions, and used it to SSH into the private EC2 instance by its private IP.
Copying the private key onto the bastion is a lab shortcut rather than a best practice: if the bastion is compromised, the attacker also holds the key to every host it unlocks. The usual alternative is OpenSSH's ProxyJump option, which tunnels the second SSH session through the bastion while the key stays on the local machine.
This hop validated that the subnets, route tables and security groups permit SSH from the bastion to the private instance. It does not exercise the NAT Gateway, which is tested in the next step.
Screenshot:
screenshots/11-ssh-into-private.png
Ran sudo yum update -y on the private EC2 instance to confirm outbound internet access through the NAT Gateway. Because the private route table has no Internet Gateway route and the instance has no public IP, the update traffic can only have reached the internet via the NAT Gateway's Elastic IP, which confirms the NAT path end to end.
Screenshot:
screenshots/12-private-instance-internet-test.png
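The two connectivity tests above prove the paths that must work; they say nothing about the paths that must stay closed (no Internet Gateway route in the private table, SSH not open to the world). The following Python script is an added example for this README, not part of the lab's own files. It reads the JSON that aws ec2 describe-subnets, describe-route-tables and describe-security-groups return (run them with --output json, or pass boto3 responses directly) and reports any deviation from the design built in the route-table and security-group steps. The embedded sample documents are constructed to mirror this lab; every resource ID (subnet-0pub, rtb-0prv, igw-0lab, nat-0lab, the sg- values) and the operator address 203.0.113.10/32 are placeholders.

```python
"""Offline check of the lab's network security properties.

Added example for this README, not part of the lab's files. It inspects
the JSON shapes returned by `aws ec2 describe-subnets`,
`describe-route-tables` and `describe-security-groups` and reports
anything that undermines the public/private split or exposes SSH.
All resource IDs and the operator address are constructed placeholders.
"""
import copy
import ipaddress

BASTION_SG = "sg-0bastion000000001"   # placeholder: the bastion's security group
PRIVATE_SG = "sg-0private000000002"   # placeholder: the private instance's group
OPERATOR_CIDR = "203.0.113.10/32"     # placeholder admin address (TEST-NET-3)

# Constructed sample of `aws ec2 describe-subnets` output for this lab.
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0pub", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True,
     "Tags": [{"Key": "Name", "Value": "public-subnet-1"}]},
    {"SubnetId": "subnet-0prv", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False,
     "Tags": [{"Key": "Name", "Value": "private-subnet-1"}]},
]}

# Constructed sample of `aws ec2 describe-route-tables` output.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0pub", "Associations": [{"SubnetId": "subnet-0pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0lab", "State": "active"}]},
    {"RouteTableId": "rtb-0prv", "Associations": [{"SubnetId": "subnet-0prv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0lab", "State": "active"}]},
]}

# Constructed sample of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": BASTION_SG, "GroupName": "bastion-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": OPERATOR_CIDR}], "UserIdGroupPairs": []}]},
    {"GroupId": PRIVATE_SG, "GroupName": "private-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}]},
]}


def default_route_target(rtb):
    """Target of the active 0.0.0.0/0 route ('igw-…', 'nat-…', ...) or None."""
    for r in rtb["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId") or r.get("InstanceId")
    return None


def check_subnets(subnets, route_tables):
    """Cross-check each subnet's public-IP setting against its default route."""
    findings = []
    for sn in subnets["Subnets"]:
        name = next((t["Value"] for t in sn.get("Tags", []) if t["Key"] == "Name"), sn["SubnetId"])
        rtb = next((r for r in route_tables["RouteTables"]
                    if any(a.get("SubnetId") == sn["SubnetId"] for a in r["Associations"])), None)
        target = default_route_target(rtb) if rtb else None   # None: no explicit association
        via_igw = bool(target and target.startswith("igw-"))
        via_nat = bool(target and target.startswith("nat-"))
        if sn["MapPublicIpOnLaunch"] and not via_igw:
            findings.append(f"{name}: auto-assigns public IPs but has no Internet Gateway route")
        if not sn["MapPublicIpOnLaunch"] and via_igw:
            findings.append(f"{name}: private subnet routes 0.0.0.0/0 to the Internet Gateway")
        if not sn["MapPublicIpOnLaunch"] and not via_nat:
            findings.append(f"{name}: private subnet has no NAT Gateway route, updates will fail")
    return findings


def _covers_port(perm, port):
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))


def check_ssh_exposure(security_groups, operator_cidr, bastion_sg, private_sg):
    """tcp/22 may come only from operator_cidr (bastion) or from bastion_sg (private)."""
    findings = []
    groups = {g["GroupId"]: g for g in security_groups["SecurityGroups"]}
    policy = {bastion_sg: ({operator_cidr}, set()), private_sg: (set(), {bastion_sg})}
    for gid, (ok_cidrs, ok_groups) in policy.items():
        for perm in groups[gid]["IpPermissions"]:
            if not _covers_port(perm, 22):
                continue
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if cidr not in ok_cidrs:
                    findings.append(f"{gid}: SSH open to {cidr}")
                elif ipaddress.ip_network(cidr).num_addresses > 1:
                    findings.append(f"{gid}: SSH source {cidr} is wider than a single host")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in ok_groups:
                    findings.append(f"{gid}: SSH open to security group {pair['GroupId']}")
    return findings


def open_private_ssh_variant(security_groups):
    """Constructed misconfiguration: private-sg additionally allows SSH from anywhere."""
    bad = copy.deepcopy(security_groups)
    bad["SecurityGroups"][1]["IpPermissions"][0]["IpRanges"].append({"CidrIp": "0.0.0.0/0"})
    return bad


if __name__ == "__main__":
    for label, sgs in (("as built", SECURITY_GROUPS),
                       ("private SSH opened", open_private_ssh_variant(SECURITY_GROUPS))):
        findings = check_subnets(SUBNETS, ROUTE_TABLES) + check_ssh_exposure(
            sgs, OPERATOR_CIDR, BASTION_SG, PRIVATE_SG)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as is, the script reports zero findings for the lab as built and one finding for the constructed variant in which private-sg admits SSH from 0.0.0.0/0. To check a real account, replace the three sample documents with the CLI output and set the three placeholder constants to the real group IDs and your own address.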
Below is a high‑level architecture diagram representing the secure VPC environment built in this lab.
                   +------------------------------------------------+
                   | AWS Region (us-east-1)                         |
                   |                                                |
                   |  +------------------------------------------+  |
                   |  | VPC 10.0.0.0/16                          |  |
                   |  |                                          |  |
                   |  |  +------------------------------------+  |  |
  Internet         |  |  | Public Subnet 10.0.1.0/24          |  |  |
  Gateway  <-------+--+--+  +-------------+  +-------------+  |  |  |
  (IGW)            |  |  |  | Bastion EC2 |  | NAT Gateway |  |  |  |
                   |  |  |  | (public IP) |  | (Elastic IP)|  |  |  |
                   |  |  |  +-------------+  +-------------+  |  |  |
                   |  |  +------------------------------------+  |  |
                   |  |            |  SSH hop          ^ 0.0.0.0/0  |  |
                   |  |            v  to private       | via NAT    |  |
                   |  |  +------------------------------------+  |  |
                   |  |  | Private Subnet 10.0.2.0/24         |  |  |
                   |  |  |  +-------------+                   |  |  |
                   |  |  |  | Private EC2 |                   |  |  |
                   |  |  |  | (private IP)|                   |  |  |
                   |  |  |  +-------------+                   |  |  |
                   |  |  +------------------------------------+  |  |
                   |  +------------------------------------------+  |
                   +------------------------------------------------+
Key:
- Public Subnet routes 0.0.0.0/0 → IGW
- Private Subnet routes 0.0.0.0/0 → NAT Gateway → IGW
- SSH: Local → Bastion → Private EC2
This section provides a high‑level overview of how AI assisted throughout the build.
1. Architecture Planning
- AI helped validate CIDR sizing, subnet layout, and overall VPC design.
2. AWS Console Navigation
- Provided guidance for locating VPC, Subnets, Route Tables, NAT Gateway, and EC2 settings.
3. Troubleshooting
- Assisted with SSH issues, SCP upload errors, NAT routing validation, and AWS console inconsistencies.
4. Documentation
- Helped structure the README, step formatting, naming conventions, and screenshot organization.
5. GitHub Publishing
- Guided the creation of the repo, PAT authentication, and final push of all 12 screenshots.
For the full detailed workflow, see:
ai-workflow.md
This lab demonstrates the creation of a secure, production‑style VPC environment using AWS core networking services.
Key outcomes include:
- Built a VPC segmented into public and private subnets, with only the public subnet routed to the Internet Gateway
- Configured Internet Gateway and NAT Gateway for controlled internet access
- Implemented public and private route tables with correct routing logic
- Deployed a bastion host for secure SSH access into the VPC
- Launched a private EC2 instance with no public exposure
- Validated connectivity using SSH and NAT‑based internet access
- Documented the entire build with 12 screenshots and a full README
This project reflects real‑world cloud engineering skills including network design, security best practices, and infrastructure documentation.
This lab reinforced several important AWS networking and security concepts:
- How VPCs isolate cloud resources using CIDR blocks
- The difference between public and private subnets
- How Internet Gateways and NAT Gateways enable controlled internet access
- How route tables determine traffic flow inside a VPC
- How to use a bastion host for secure access to private resources
- How to test connectivity and validate NAT functionality
- How to structure and publish cloud projects on GitHub
These skills directly apply to real enterprise environments and align with AWS Cloud Practitioner and Solutions Architect Associate exam objectives.