Building a Three-Tier Network VPC from Scratch in AWS

Hands-On Lab

 

Photo of Trent Hayes

Trent Hayes

Training Architect

Length

00:30:00

Difficulty

Intermediate

Welcome to this hands-on AWS Learning Activity for Building a Three Tier Network VPC from scratch. This activity provides you with the opportunity to get hands-on experience building and connecting the following components inside AWS: 1) VPC 2) Subnets 3) Internet Gateway 4) Route Tables 5) Nat Gateway 6) Network Access Control Lists (NACLs) These components are the foundation of highly available/fault tolerant networking architecture inside of AWS, and cover concetps such as infrastrucutre, design, routing, and security. Good luck and enjoy the Learning Activity!

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Building a Three Tier Network VPC From Scratch in AWS

In this lab, we're going to create a three-tier VPC network from scratch. We'll start by building the VPC, building and attaching an internet gateway, and building six different subnets inside our VPC:

  • A DMZ layer
  • An app layer
  • A database layer

Next, we're going to split these pairs of subnets across two different Availability Zones — the bare minimum we always want to do for highly available and fault-tolerant architecture in AWS.

Then we're going to create two different route tables:

  • A route to the internet for our public subnets, or subnets we want to have access to the open internet
  • A route to the NAT gateway so that anything placed into our private subnets will have a route to update software from the open internet

Finally, we'll add some security to our subnets with three network access control lists (NACLs), which we'll assign to our pairs of subnet layers.

If you haven't already done so, log in to the environment using the credentials provided on the lab page. The username will always be cloud_user, and the password will be provided next to the cloud_user login name. Select Sign In. Once you're in the AWS account, make sure you are using us-east-1 (N. Virginia) as the selected region.

Build and Configure a VPC, Subnets, and Internet Gateway

Let's begin by creating the foundation of our VPC. We'll start by creating our VPC, creating six subnets inside the VPC, and creating and attaching an internet gateway to our VPC.

Select All services, and then click VPC under Networking & Content Delivery.

On the Resources page, we'll see there aren't currently any VPCs created.

  • Click Your VPCs in the sidebar.
  • Click Create VPC.
  • For the Name tag, enter "SysOpsVPC".
  • For the IPv4 CIDR block range, enter "10.99.0.0/16".
  • Leave the IPv6 CIDR block and Tenancy fields as their default values.
  • Click Create.

We've now created our VPC, but we still need to create the components within the VPC. Close out of the success message.

We have six subnets to create — two each for the DMZ, app, and database layers.

Let's start with the DMZ layer.

  • Click Subnets in the sidebar.

  • Click Create subnet.

  • For the Name tag, enter "DMZ1public".

  • Select SysOpsVPC in the VPC dropdown menu.

  • Select us-east-1a in the Availability Zone dropdown menu.

  • For the IPv4 CIDR block range, enter "10.99.1.0/24".

  • Click Create, and close out of the success message.

  • Click Create subnet.

  • For the Name tag, enter "DMZ2public".

  • Set the VPC to SysOpsVPC.

  • Set the Availability Zone to us-east-1b.

  • For the IPv4 CIDR block range, enter "10.99.2.0/24".

  • Click Create, and close out of the success message.

Next, let's make the app layers.

  • Click Create subnet.

  • For the Name tag, enter "AppLayer1private".

  • Set the VPC to SysOpsVPC.

  • Set the Availability Zone to us-east-1a.

  • For the IPv4 CIDR block range, enter "10.99.11.0/24".

  • Click Create, and close out of the success message.

  • Click Create subnet.

  • For the Name tag, enter "AppLayer2private".

  • Set the VPC to SysOpsVPC.

  • Set the Availability Zone to us-east-1b.

  • For the IPv4 CIDR block range, enter "10.99.12.0/24".

  • Click Create, and close out of the success message.

Finally, let's create our database layers.

  • Click Create subnet.

  • For the Name tag, enter "DBLayer1private".

  • Set the VPC to SysOpsVPC.

  • Set the Availability Zone to us-east-1a.

  • For the IPv4 CIDR block range, enter "10.99.21.0/24".

  • Click Create, and close out of the success message.

  • Click Create subnet.

  • For the Name tag, enter "DBLayer2private".

  • Set the VPC to SysOpsVPC.

  • Set the Availability Zone to us-east-1b.

  • For the IPv4 CIDR block range, enter "10.99.22.0/24".

  • Click Create, and close out of the success message.

We've now created all six subnets. We have three subnets each in the us-east-1a Availability Zone and the us-east-1b Availability Zone.

Notice a pattern in the CIDR block ranges? Using the third octet, we categorized them by groups of 10. So for quick reference, we know that if the third octet is:

  • 1 or 2, it's part of the DMZ layer
  • In the teens, it's part of the app layer
  • In the 20s, it's part of the database layer

Note: Whether we labeled these subnets public or private doesn’t actually make them public or private — it’s just a naming construct. We’ll actually make them public or private in a bit when we route them to a public or private route table.

Now, we need to create the internet gateway.

  • Click Internet Gateways in the sidebar.
  • Click Create internet gateway.
  • For the Name tag, enter "IGW".
  • Click Create, and close out of the success message.

Once it's created, you'll see its State says detached. Even though it's been created, it isn't part of the VPC yet. Let's fix that.

  • Click Actions at the top of the screen.
  • Click Attach to VPC.
  • Set the VPC to SysOpsVPC.
  • Click Attach.

The state should now say attached.

Build and Configure a NAT Gateway, Route Tables, and NACLs

Next, we need to create a NAT gateway and route tables, set up proper routing, and create and associate our NACLs.

First, let's create our NAT gateway.

  • Click NAT Gateways in the sidebar.
    • If there’s one already in your account, you can ignore it; we’re still going to create a new one.
  • Click Create NAT Gateway.
  • Set the Subnet to DMZ2public.

All NAT gateways require that we create and attach an elastic IP address. We could attach our own if we previously created one, but let's have AWS do it for us. Click Create New EIP, and then close out of the success message.

Next, we need to create our route tables. (We can do this while the status of our NAT gateway is pending, since it'll take a few minutes.)

Click Route Tables in the sidebar. We can see that a route table already exists — when we created the VPC, it created a default route table. But we're going to create two new route tables.

  • Click Create route table.

  • For the Name tag, enter "PublicRT".

  • Set the VPC to SysOpsVPC.

  • Click Create, and close out of the success message.

  • Click Create route table.

  • For the Name tag, enter "PrivateRT".

  • Set the VPC to SysOpsVPC.

  • Click Create, and close out of the success message.

On their own, route tables don't do anything — we have to give them routes to something. For the public route table, we need to provide a route to the internet gateway. For the private route table, we need to provide a route to the NAT gateway.

Navigate to the bottom of the screen, where you'll find the Summary and Routes tabs. Select PublicRT at the top, and click the Routes tab at the bottom.

Under Target, it says local, which means it can communicate with any of the subnets that are in the VPC. However, right now, nothing can communicate with the internet gateway, so nothing can communicate with the outside internet. Let's fix that.

  • Click Edit routes.
  • Click Add route.
  • Click into the Target field, and select Internet Gateway from the dropdown menu.
  • Enter "0.0.0.0/0" in the Destination field.
  • Click Save routes, and close out of the success message.

We've now created a route from our public route table through the internet gateway into the open internet. Close out of the success message.

Now let's go to the private route table. Here, we need to add a route from the private route table to the NAT gateway.

  • Select PrivateRT at the top of the screen.
  • Under the Routes tab at the bottom of the screen, click Edit routes.
  • Click Add route.
  • Click into the Target field, and select NAT Gateway from the dropdown menu.
  • Enter "0.0.0.0/0" in the Destination field.
  • Click Save routes, and close out of the success message.

Although both of these route tables have been created, they aren't currently associated with any subnets. This is another important part of routing: We have to associate subnets with a route table in order for those subnets — or the resources provisioned inside those subnets — to be able to access them.

Now, we're going to make our public subnets, well, public. They're currently only labeled as public, but by associating them with a route table that has a path to the internet gateway, we're going to make them public for real.

  • At the top of the screen, click PublicRT.
  • Under Subnet Associations at the bottom of the screen, click Edit subnet associations.
  • Select the DMZ1public and DMZ2public subnets.
  • Click Save.

Next, let's associate our private subnets with the private route table.

  • Select PrivateRT at the top of the screen.
  • Under Subnet Associations at the bottom of the screen, click Edit subnet associations.
  • Select the four private subnets.
  • Click Save.

Now anything placed inside the public route table has a route to the internet gateway, and anything placed inside the private route table has a route to the NAT gateway.

If we have databases or EC2 instances located inside these private subnets, they can get updates from the open internet by going through the NAT gateway, which provides an extra layer of security. Essentially, it’s a one-way street: The resources in the private subnets can access the open internet, but the open internet cannot access the resources in the private subnets (unless we explicitly allow it).

We’re almost done with this lab. Before we wrap things up, let’s add another layer of security to our VPC by creating an NACL — a sort of firewall for controlling traffic in and out of one or more subnets — for each of our layers.

Click Network ACLs in the sidebar. We should see a default NACL, like we saw with the route tables. The default NACL was created when we created our VPC. But we're going to create three new ones.

  • Click Create network ACL at the top of the screen.

  • For the Name tag, enter "DMZNACL".

  • Set the VPC to SysOpsVPC.

  • Click Create.

  • Click Create network ACL at the top of the screen.

  • For the Name tag, enter "AppNACL".

  • Set the VPC to SysOpsVPC.

  • Click Create.

  • Click Create network ACL at the top of the screen.

  • For the Name tag, enter "DBNACL".

  • Set the VPC to SysOpsVPC.

  • Click Create.

Just like with the route tables, we need to associate subnets with our NACLs.

  • Select DMZNACL at the top of the screen.
  • At the bottom of the screen, click Subnet associations.
  • Click Edit subnet associations.
  • Select the DMZ layer subnets.
  • Click Edit.

Now traffic coming in and out of these subnets will be subject to the inbound and outbound rules we set up on this particular NACL. We're not going to set up any rules as part of this lab — right now, we're just building the infrastructure and a shell we could put resources in.

Let's finish things up with the NACLs for the remaining layers.

  • Select AppNACL at the top of the screen.

  • Under Subnet associations at the bottom of the screen, click Edit subnet associations.

  • Select the app layer subnets.

  • Click Edit.

  • Select DBNACL at the top of the screen.

  • Under Subnet associations at the bottom of the screen, click Edit subnet associations.

  • Select the database layer subnets.

  • Click Edit.

Conclusion

Congratulations! You've just built a three-tier VPC networking architecture inside AWS.

The bare-bones architecture we built in this lab is a design you're going to see a lot when working in AWS. Now, go keep learning!