Skip to main content

Create a Multi-Subnet VPC with Secure Access to Private Servers with Outbound Internet Access

Hands-On Lab


Photo of

Training Architect





In this Hands-On Lab we will create a multi-subnet highly-available VPC and subnet structure for private application servers. We'll configure a bastion host so that remote administrative staff can securely connect into the VPC and manage the private instances. Since these instances will require outbound access for security patches and updates, we will create and configure NAT Gateway to allow it.

Our task is to create the VPC with public and private route tables. The VPC's CIDR,, has been subnetted. Our new CIDR /26 allows for a maximum of four subnets. We will create two public and two private subnets.

Then we will create the NACL and Security Group rules to support the bastion host, private instances, and NAT Gateway. Once that's done, we'll validate the connectivity for our bastion host by creating an SSH tunnel through it to our private instance. Once we're in, we will verify that our private instance can connect to the internet.

There is a lot to do in this Hands-On lab, so let's get started.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.