Allari - Providing IT as a Service

Create a VPC in 7 Steps Using Amazon Web Services

For organizations moving infrastructure or other sensitive services to the cloud, VPCs are a requirement. Here's how to get your VPC set up in seven steps with AWS.

Virtual Private Clouds (VPCs) provide a strong layer of network isolation and make firewall management much easier. They also preserve bandwidth and increase router, switch, and firewall capacity, all of which makes them a must-have for organizations handling sensitive data or cloud-based assets. Amazon Web Services (AWS) makes setting up a VPC fairly straightforward, provided you've done your homework and know which of the four primary design arrangements you need. Of those four, this post steps you through what's needed to set up a VPC with both Public and Private subnets.

Step 1: Design considerations of your VPC

It is very important to plan the design of your VPC up front. Here are a few points to consider before embarking on your VPC creation journey.

•  Before actually creating a VPC, give careful consideration to the definition of your IP address range. All networks need IP addresses. AWS offers IPv4 and IPv6 CIDR blocks and lets you choose your own address range. RFC 1918 is the standard that defines the private IPv4 address ranges, and it is highly recommended that you adhere to it. Also keep in mind that deciding the size at the beginning is very important, because it can't be changed down the road. A /16 will give you roughly 64,000 IP addresses.

•  You need to understand your High Availability (HA) requirements when designing your AWS VPC. Your VPC resides in one AWS region, and each region is further divided into Availability Zones (AZs), which are separate data centers. These AZs are not close to each other and have separate networks, power sources, etc. They are intentionally designed this way for protection.

In the example below, the VPC lives in the Dublin region (eu-west-1) with the following Availability Zones: eu-west-1a, eu-west-1b and eu-west-1c. To take advantage of HA, each AZ needs to be assigned its own subnet. In the event of an AZ failure, you would automatically be switched to the next AZ. In the example, the three subnets are 0.x, 1.x and 2.x, so whenever something is sent to an IP address of 0.x, it is routed to that particular asset in the eu-west-1a AZ, and so on.

•  AWS recommends you make each subnet a /24. Typically a /24 gives you 256 IP addresses, but in AWS a /24 only gets you 251 usable IP addresses, because AWS reserves the first four addresses and the last address of every subnet for its own purposes.

Step 2: Create a new VPC using AWS' VPC Dashboard

After you've opened AWS' VPC Dashboard, click to start the VPC Wizard and then select the "VPC with Public and Private Subnets" option on the left.
Step 3: Configure your new VPC

AWS's VPC Wizard is nice, as it does most of the work of setting up your VPC for you. You can also manually configure many of the options yourself, including your Classless Inter-Domain Routing (CIDR) ranges.

About IPv4 CIDR & IPv6 CIDR blocks - Networks do not work without IP addresses. They specify where the information is coming from and where it is going.

CIDR, short for Classless Inter-Domain Routing, adds another layer to IP addressing. CIDR is an IP addressing scheme that replaces the older classful system. With CIDR, a single network address can designate a whole range of IP addresses. A CIDR address looks like a normal IP address except that it ends with a slash followed by a number, called the IP network prefix (or prefix length). CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations.

Under IPv4, a CIDR network address is written as a network address followed by a slash and the prefix length. With a prefix length of 18, the part before the slash is the network address itself and the "18" says that the first 18 bits are the network part of the address, leaving the last 14 bits for specific host addresses.
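To make the design points above concrete (RFC 1918 ranges, the /16 versus /24 arithmetic, the 251 usable addresses per AWS /24, and one subnet per Availability Zone), here is an added planning script. It is an example written for this page, not code from the article or from Allari; it uses only Python's standard library, and the VPC CIDR, AZ names and subnet roles in it are constructed sample values.

```python
"""IPv4 addressing plan for an AWS VPC, using the standard library only.

Carves a VPC CIDR into one subnet per (role, Availability Zone) pair and
reports the address counts AWS actually leaves usable."""
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet,
# which is why a /24 (256 addresses) yields 251 usable addresses.
AWS_RESERVED_PER_SUBNET = 5

# RFC 1918 private IPv4 ranges; a VPC CIDR normally sits inside one of them.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole CIDR block lies inside an RFC 1918 private range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(private) for private in RFC1918)


def describe_cidr(cidr):
    """Split a CIDR such as 10.0.0.0/18 into network bits, host bits and
    address counts (total, and usable once AWS's reserved addresses are gone)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network_address": str(net.network_address),
        "prefix_length": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "total_addresses": net.num_addresses,
        "aws_usable": max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0),
    }


def plan_subnets(vpc_cidr, azs, roles, subnet_prefix=24):
    """Allocate one /subnet_prefix block per (role, AZ), walking the VPC range
    sequentially so the first role lands on 10.0.0.0/24, 10.0.1.0/24, ...
    Raises ValueError for a non-private or AWS-invalid VPC size."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("AWS VPC CIDR blocks must be between /16 and /28")
    if not is_rfc1918(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not an RFC 1918 private range")
    if subnet_prefix < vpc.prefixlen or subnet_prefix > 28:
        raise ValueError("subnet prefix must be between the VPC prefix and /28")
    pool = vpc.subnets(new_prefix=subnet_prefix)
    plan = []
    for role in roles:
        for az in azs:
            try:
                block = next(pool)
            except StopIteration:
                raise ValueError("VPC CIDR too small for the requested subnets")
            plan.append({
                "name": f"{role}-{az}",
                "role": role,
                "az": az,
                "cidr": str(block),
                "aws_usable": block.num_addresses - AWS_RESERVED_PER_SUBNET,
            })
    return plan


if __name__ == "__main__":
    # Constructed example: a /16 in eu-west-1 with one subnet per tier per AZ.
    azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
    for entry in plan_subnets("10.0.0.0/16", azs, ["public", "private", "db"]):
        print(f"{entry['name']:<18} {entry['cidr']:<16} usable={entry['aws_usable']}")
```

Run as a script it prints the nine /24 blocks (10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24 for the public tier across the three AZs, and so on), each with 251 usable addresses. The checks on the VPC prefix length and on RFC 1918 membership are the ones worth running before clicking through the wizard, since the primary CIDR block cannot be changed afterwards.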

Depending on whether you've chosen the default IP address ranges or limited them, the next step is to enter the name of your VPC. In this example, we named it "MyVPC".
Once you've added your Public subnet name (for your web server) and Private subnet name (for your app server) as per your network's architecture, you associate your NAT gateway with one of the Elastic IPs provided by AWS. Once this is done, click the Create VPC button and you'll now have your new VPC.

Default VPC using name "first vpc" has been created

Step 4: Create Public and Private subnets for your VPC

Now that you've established a VPC, you'll want to create the Public and Private subnets. Viewing and adding subnets inside the VPC Dashboard is easily done by navigating to Subnets on the left and clicking "Create Subnet".

You can create multiple subnets by specifying the details of each one: an identifying name tag, which VPC it's associated with, an optional Availability Zone, and its CIDR block.

The following screenshot shows the two subnets that have been created: one Public (web Public subnet) and one Private (app Private subnet).


Step 5: Create Private subnet for your database server

After creating your Public and Private subnets, you'll also need to create an additional private subnet for your database server (DB private subnet) following your design architecture. 

Once configured, click the "Yes, Create" button and you'll now have a second private subnet for your database server as shown in the screenshot below.


Step 6: Create Route Tables

A route table consists of a set of rules, called routes, which are used to decide where network traffic is directed.

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

Viewing and creating new route tables is also done by navigating to Route Tables on the left of the VPC Dashboard. After highlighting it, simply click "Create Route Table" in the new panel view.

Main Route Tables - A main route table is created automatically for each VPC. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. You can add, remove, and modify routes in the main route table.

You can explicitly associate a subnet with the main route table, even if it's already implicitly associated. You might do that if you change which table is the main route table, since that changes the default for additional new subnets, and for any subnets that are not explicitly associated with any other route table.

Custom Route Tables - Your VPC can have route tables other than the default table. One way to protect your VPC is to leave the main route table in its original default state (with only the local route) and explicitly associate each new subnet you create with one of the custom route tables you've created. This ensures that you explicitly control how each subnet routes outbound traffic.

We've created an additional custom route table alongside the main route table, as shown below (the custom table shows Main = No, the default table Main = Yes).


Step 7: Route Tables associated to VPC

Select the custom route table created above and edit it: add a route pointing to the Internet Gateway and, in the subnet associations, associate the web server's public subnet, then save. Next, edit the main route table: add a route pointing to the NAT gateway and associate the app and DB server subnets with it, as seen in the following two screenshots.
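Steps 2 through 7 are a single procedure, and the same layout can be built outside the console. The following is an added example, not code from the article or from Allari, that issues the equivalent boto3 EC2 calls: create the VPC, the web/app/DB subnets, the Internet Gateway and the NAT gateway, then two route tables wired as in Step 7. It follows the Step 6 recommendation of leaving the main route table untouched and creating two custom tables (one routed to the IGW, one to the NAT gateway) rather than editing the main table. The CIDR blocks, AZ and resource names are constructed sample values; FakeEC2 is a constructed stand-in for boto3.client("ec2") that records the calls so the script runs offline, and the boto3 method names and response shapes are assumed from the real EC2 API.

```python
"""Build the 'VPC with Public and Private Subnets' layout with boto3-style EC2
calls: VPC, three subnets (web, app, DB), Internet Gateway, NAT gateway, and two
custom route tables (public -> IGW, private -> NAT) associated with the right
subnets. Runs offline against FakeEC2; pass a real boto3 client to apply it."""

# Constructed example values; the article names its subnets web/app/DB.
VPC_CIDR = "10.0.0.0/16"
AZ = "eu-west-1a"
SUBNETS = {
    "web-public": "10.0.0.0/24",
    "app-private": "10.0.1.0/24",
    "db-private": "10.0.2.0/24",
}


def tag_name(ec2, resource_id, name):
    ec2.create_tags(Resources=[resource_id], Tags=[{"Key": "Name", "Value": name}])


def build_vpc(ec2, name="MyVPC"):
    """Create the VPC and wire its routing; returns the ids it produced."""
    vpc_id = ec2.create_vpc(CidrBlock=VPC_CIDR)["Vpc"]["VpcId"]
    tag_name(ec2, vpc_id, name)

    subnets = {}
    for sname, cidr in SUBNETS.items():
        resp = ec2.create_subnet(VpcId=vpc_id, CidrBlock=cidr, AvailabilityZone=AZ)
        subnets[sname] = resp["Subnet"]["SubnetId"]
        tag_name(ec2, subnets[sname], sname)
    # Only the public subnet hands out public IPs to instances at launch.
    ec2.modify_subnet_attribute(SubnetId=subnets["web-public"],
                                MapPublicIpOnLaunch={"Value": True})

    # Internet Gateway for the public subnet.
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    # NAT gateway: lives in the public subnet and needs an Elastic IP. A real
    # one takes a few minutes to become available; routes to it work once it is.
    alloc_id = ec2.allocate_address(Domain="vpc")["AllocationId"]
    nat_id = ec2.create_nat_gateway(SubnetId=subnets["web-public"],
                                    AllocationId=alloc_id)["NatGateway"]["NatGatewayId"]

    # Custom route tables, leaving the main table untouched so every subnet's
    # outbound path is an explicit choice (Step 6's recommendation).
    public_rt = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    tag_name(ec2, public_rt, "public-rt")
    ec2.create_route(RouteTableId=public_rt, DestinationCidrBlock="0.0.0.0/0",
                     GatewayId=igw_id)
    ec2.associate_route_table(RouteTableId=public_rt, SubnetId=subnets["web-public"])

    private_rt = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    tag_name(ec2, private_rt, "private-rt")
    ec2.create_route(RouteTableId=private_rt, DestinationCidrBlock="0.0.0.0/0",
                     NatGatewayId=nat_id)
    for sname in ("app-private", "db-private"):
        ec2.associate_route_table(RouteTableId=private_rt, SubnetId=subnets[sname])

    return {"vpc_id": vpc_id, "subnets": subnets, "igw_id": igw_id,
            "nat_id": nat_id, "public_rt": public_rt, "private_rt": private_rt}


def default_route_map(calls):
    """From recorded (method, kwargs) calls, derive subnet -> default-route
    target: the check that web goes out via the IGW and app/DB via NAT only."""
    target_of_rt = {}
    for method, kw in calls:
        if method == "create_route" and kw.get("DestinationCidrBlock") == "0.0.0.0/0":
            target_of_rt[kw["RouteTableId"]] = kw.get("GatewayId") or kw.get("NatGatewayId")
    return {kw["SubnetId"]: target_of_rt.get(kw["RouteTableId"])
            for method, kw in calls if method == "associate_route_table"}


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"): records every call and
    returns responses shaped like the real API's, so the build runs offline."""
    _responses = {
        "create_vpc": lambda n: {"Vpc": {"VpcId": f"vpc-{n}"}},
        "create_subnet": lambda n: {"Subnet": {"SubnetId": f"subnet-{n}"}},
        "create_internet_gateway": lambda n: {"InternetGateway": {"InternetGatewayId": f"igw-{n}"}},
        "allocate_address": lambda n: {"AllocationId": f"eipalloc-{n}"},
        "create_nat_gateway": lambda n: {"NatGateway": {"NatGatewayId": f"nat-{n}"}},
        "create_route_table": lambda n: {"RouteTable": {"RouteTableId": f"rtb-{n}"}},
    }

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            make = self._responses.get(method)
            return make(len(self.calls)) if make else {}
        return call


if __name__ == "__main__":
    ec2 = FakeEC2()  # swap for boto3.client("ec2", region_name="eu-west-1")
    ids = build_vpc(ec2)
    for subnet, target in default_route_map(ec2.calls).items():
        print(f"{subnet} -> {target}")
```

Against a real client the same `build_vpc` call creates the resources in the order the wizard does; `default_route_map` is the review step that matters for security, confirming that only the web subnet's default route goes to the Internet Gateway while the app and DB subnets reach the internet solely through the NAT gateway and are never directly reachable from it.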


Your basic VPC setup is now completed!