oracle aide

December 27, 2015

An AWS Sonnet: Build a custom VPC with NAT

Filed under: Uncategorized — oracleaide @ 6:23 pm

… in 14 steps. Hence the sonnet reference.

This is a condensed narrative for lectures 48 and 49 of the AWS Architecture class on Udemy. It gets to the point much faster than 30 minutes of linear video, it is precise, and it can be read in any order.

1. Create a VPC.

2. Create 2 subnets in the VPC, one in availability zone “a” and one in availability zone “b”.

3. Create an internet gateway and attach it to the new VPC. To reduce clutter – set “Filter by VPC” in the left upper corner of the VPC dashboard to the new VPC.

4. Create a routing table in the new VPC and add to it a route with the internet gateway as its target.

5. Associate subnet “a” with the new routing table. This is what makes subnet “a” public: a subnet is public only by virtue of the routing table it is associated with, nothing in the subnet itself says so.

6. Create a security group and open inbound SSH, HTTP and HTTPS for Anywhere (0.0.0.0/0). This is fine for the demo only; for anything that stays up, restrict SSH to your own address range.

7. Launch an instance “a” in subnet “a”, with an Auto-Assigned Public IP, selecting the new security group.

8. Launch an instance “b” in subnet “b”, WITHOUT an Auto-Assigned Public IP, in the same security group.

9. SSH to instance “a” and verify that it has internet access, e.g. “sudo yum install telnet” should work.

10. From instance “a” SSH to instance “b” (use agent forwarding, “ssh -A”, rather than copying your private key onto instance “a”). Instance “b” should not have internet access, e.g. “sudo yum install telnet” should time out.

11. Launch a NAT instance from a community NAT AMI into subnet “a”, with a Public IP and the same security group (just for the demo: there is no separate security group here; in prod create a separate group for traffic between subnet “b”

12. Turn off the source/destination check for the NAT instance (Networking, Change Source/Destination Check). Without this the instance only accepts packets addressed to itself and silently drops the traffic from subnet “b” that it is supposed to forward.

13. Add to the main routing table (not the new one from step 4!) a route with the new NAT instance as its target. Subnet “b” was never associated with a routing table explicitly, so it uses the main one, and that is the table that decides where its outbound traffic goes.

14. Repeat the “sudo yum install telnet” test from instance “b”; it should work now, although instance “b” is still in a private subnet: it can reach out through the NAT, but nothing on the internet can initiate a connection to it.
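The 14 steps above are console clicks, and the thing that actually decides whether a subnet is public or private (its effective routing table) is easy to get wrong, as are step 12 and the step 6 shortcut. The script below is an added example, not part of the lecture or of this post: it encodes those checks as an offline audit over data shaped like the output of “aws ec2 describe-route-tables”, “describe-subnets”, “describe-instances” and “describe-security-groups” (a subset of the fields). All IDs, availability zones, CIDRs and addresses in it are constructed for the example; the post gives none of them.

```python
# Constructed sample of what the account looks like after step 14. IDs, AZs,
# CIDRs and IPs are assumptions for this example, not values from the post.
SUBNETS = [
    {"SubnetId": "subnet-a", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-b", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.2.0/24"},
]
ROUTE_TABLES = [
    {   # Main table: used implicitly by any subnet with no explicit association (subnet "b").
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat", "State": "active"},  # step 13
        ],
    },
    {   # Table from step 4, associated with subnet "a" in step 5.
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0demo", "State": "active"},
        ],
    },
]
INSTANCES = [
    {"InstanceId": "i-a", "SubnetId": "subnet-a", "PublicIpAddress": "203.0.113.10", "SourceDestCheck": True},
    {"InstanceId": "i-b", "SubnetId": "subnet-b", "SourceDestCheck": True},
    {"InstanceId": "i-nat", "SubnetId": "subnet-a", "PublicIpAddress": "203.0.113.11", "SourceDestCheck": False},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-demo", "IpPermissions": [  # step 6: SSH/HTTP/HTTPS from Anywhere
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def effective_route_table(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """(kind, target id) of the active 0.0.0.0/0 route, or None if the table has none."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return ("igw", r["GatewayId"])
        if "InstanceId" in r:
            return ("instance", r["InstanceId"])
        if "NatGatewayId" in r:
            return ("nat-gateway", r["NatGatewayId"])
    return None


def classify_subnet(subnet_id, route_tables):
    """public: default route straight to an internet gateway; private: via a NAT
    instance or gateway; isolated: no default route at all."""
    target = default_route_target(effective_route_table(subnet_id, route_tables))
    if target is None:
        return "isolated"
    return "public" if target[0] == "igw" else "private"


def audit(subnets, route_tables, instances, security_groups):
    """Return ({subnet: class}, [findings]) for the conditions the 14 steps rely on."""
    by_id = {i["InstanceId"]: i for i in instances}
    classes = {s["SubnetId"]: classify_subnet(s["SubnetId"], route_tables) for s in subnets}
    findings = []
    for s in subnets:
        target = default_route_target(effective_route_table(s["SubnetId"], route_tables))
        if not target or target[0] != "instance":
            continue
        nat = by_id.get(target[1])
        if nat is None:
            findings.append(f"{s['SubnetId']}: default route points at unknown instance {target[1]}")
            continue
        if nat["SourceDestCheck"]:  # step 12 forgotten: the NAT drops what it should forward
            findings.append(f"{nat['InstanceId']}: source/dest check still on, NAT forwards nothing")
        if classes.get(nat["SubnetId"]) != "public" or "PublicIpAddress" not in nat:
            findings.append(f"{nat['InstanceId']}: NAT needs a public subnet and a public IP")
    for sg in security_groups:  # step 6 caveat: SSH from Anywhere is demo-only
        for p in sg["IpPermissions"]:
            open_world = any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
            covers_ssh = p["IpProtocol"] == "-1" or p.get("FromPort", 0) <= 22 <= p.get("ToPort", 0)
            if open_world and covers_ssh:
                findings.append(f"{sg['GroupId']}: SSH open to 0.0.0.0/0, restrict to admin IPs")
    return classes, findings


if __name__ == "__main__":
    classes, findings = audit(SUBNETS, ROUTE_TABLES, INSTANCES, SECURITY_GROUPS)
    print(classes, *("FINDING: " + f for f in findings), sep="\n")
```

Run as-is it reports subnet “a” as public, subnet “b” as private, and one finding, the wide-open SSH rule from step 6. Flip the NAT instance’s SourceDestCheck back to True (the state before step 12) and it reports the silently-dropping NAT as well; remove the 0.0.0.0/0 route from the main table and subnet “b” comes back as isolated, which is its state between steps 5 and 13. To run it against a real account, replace the constructed lists with the corresponding describe-* output.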
