
Building Security by Design: My AWS Project Showcasing VPC, NAT Gateway, and Private Networking Mastery

INTRODUCTION
This project reflects how I combine cloud architecture principles with practical implementation to build secure, scalable environments.
In today’s cloud-driven world, security and design are not optional — they are essential. As part of my hands-on learning and practical implementation of AWS architecture, I completed a project titled “Building a Secure Web Architecture on AWS.” The aim was to design a secure, professional-grade cloud network that demonstrates how public and private resources can coexist in the same environment, safely and efficiently.

This project combines concepts of network isolation, controlled routing, and secure connectivity — principles that are fundamental to cloud security and modern infrastructure management. Every step was documented with annotated screenshots, from setup to validation.

PROJECT OVERVIEW

Objective:
To build a secure network architecture on AWS consisting of a public and a private section. The web server in the public section is accessible from the internet, while the database server in the private section remains hidden from external access but can still reach the internet securely through a NAT Gateway.

Final Architecture

Phase 1: Foundation Setup – Building Your Private Network (VPC)

  1. Create a VPC (Your Private Cloud Network)
    o Go to: AWS Console -> VPC service -> “Your VPCs” -> “Create VPC”.
    o Settings:
      ▪ Name tag: My-Secure-VPC
      ▪ IPv4 CIDR block: 10.0.0.0/16 (This creates 65,536 private IP addresses for your use).
    o Click Create.
    o To confirm the VPC is in place, open EC2 -> Launch Instances and check that My-Secure-VPC appears under Network settings.

  2. Create Subnets (Your Designated Areas)
    o Go to: Subnets -> Create subnet.
    o VPC ID: Select My-Secure-VPC.
    o Create Public Subnet:
      ▪ Subnet name: public-subnet-1
      ▪ Availability Zone: Pick the first one (e.g., us-east-1a).
      ▪ IPv4 CIDR block: 10.0.1.0/24 (This gives us 256 addresses in this zone).
      ▪ Click Create subnet.
    o Create Private Subnet:
      ▪ Click “Create subnet” again.
      ▪ Subnet name: private-subnet-1
      ▪ Availability Zone: Pick the same zone (e.g., us-east-1a).
      ▪ IPv4 CIDR block: 10.0.2.0/24
      ▪ Click Create subnet.

  3. Create an Internet Gateway (Your Front Door to the Internet)
    o Go to: Internet Gateways -> Create internet gateway.
    o Name tag: My-IGW
    o Click Create.
    o Now, ATTACH it to your VPC: Select the My-IGW gateway, click Actions -> Attach to VPC. Select My-Secure-VPC and click Attach.

Phase 2: Routing & Security – Controlling Traffic

  1. Create a Route Table for the Public Subnet
    o Go to: Route Tables -> Create route table.
    o Name: Public-Route-Table
    o VPC: Select My-Secure-VPC
    o Click Create.
    o Edit Routes: Select the new table, click the Routes tab -> Edit routes -> Add route.
      ▪ Destination: 0.0.0.0/0 (This means “all internet traffic”).
      ▪ Target: Select Internet Gateway and choose My-IGW.
      ▪ Click Save changes.
    o Associate with Public Subnet: Click the Subnet associations tab -> Edit subnet associations. Check the box for public-subnet-1 and click Save associations.

  2. Create a Security Group for the Web Server (The Firewall)
    o Go to: Security Groups -> Create security group.
    o Name: Web-Server-SG
    o Description: Allow HTTP and SSH
    o VPC: Select My-Secure-VPC
    o Inbound Rules:
      ▪ Add rule: Type: HTTP, Source: Anywhere-IPv4 (0.0.0.0/0).
      ▪ Add rule: Type: SSH, Source: My IP (This automatically adds your computer’s IP for security. The address is captured once; if it changes later, update this rule rather than widening it to 0.0.0.0/0.)
    o Click Create security group.

Phase 3: NAT Gateway – Allowing Private Servers Outbound Internet

  1. Allocate an Elastic IP (A Static Public IP Address)
    o Go to: Elastic IPs -> Allocate Elastic IP address.
    o Just click Allocate. AWS will give you a fixed public IP.

  2. Create the NAT Gateway
    o Go to: NAT Gateways -> Create NAT Gateway.
    o Name: My-NAT-Gateway
    o Subnet: Choose public-subnet-1 (the NAT Gateway itself must sit in a subnet that routes to the Internet Gateway, otherwise it has no path out).
    o Elastic IP allocation ID: Click the dropdown and select the Elastic IP you just created.
    o Click Create NAT Gateway. Wait for the status to change from Pending to Available. This takes a few minutes.

  3. Create a Route Table for the Private Subnet
    o Go to: Route Tables -> Create route table.
    o Name: Private-Route-Table
    o VPC: Select My-Secure-VPC
    o Click Create.
    o Edit Routes: Select this new private route table, click Edit routes -> Add route.
      ▪ Destination: 0.0.0.0/0 (Send all internet-bound traffic…)
      ▪ Target: Select NAT Gateway and choose My-NAT-Gateway (…to our NAT Gateway).
      ▪ Click Save changes.
    o Associate with Private Subnet: Click Subnet associations -> Edit subnet associations. Check the box for private-subnet-1 and click Save associations.

Phase 4: Resource Deployment – Launching Your Servers

  1. Launch the Web Server (in the Public Subnet)
    o Go to: EC2 -> Launch Instances.
    o Name: Web-Server
    o AMI: Amazon Linux
    o Instance type: t2.micro (Free Tier)
    o Key pair: Create a new key pair or choose an existing one. DOWNLOAD THE .pem KEY IF NEW.
    o Network Settings:
      ▪ VPC: My-Secure-VPC
      ▪ Subnet: public-subnet-1
      ▪ Auto-assign Public IP: Enable
      ▪ Firewall (Security Groups): Select existing security group Web-Server-SG
    o Advanced details -> User data: Paste this script to install a web server on boot:

```bash
#!/bin/bash
# User data runs as root on first boot (Amazon Linux 2023 uses dnf).
# Install and start Apache, then publish a page that reports the hostname.
sudo dnf update -y
sudo dnf install -y httpd
sudo systemctl start httpd
sudo systemctl enable httpd
echo "Hello World from my $(hostname -f)" > /var/www/html/index.html
```

    o Click Launch Instance.
    o Wait until the Web-Server instance shows as running, then open its Summary to note its Public IPv4 address.

  2. Launch the Database Server (in the Private Subnet)
    o Go to: EC2 -> Launch Instances
    o Name: DB-Server
    o AMI: Amazon Linux 2023 AMI
    o Instance type: t2.micro (Free Tier)
    o Key pair: Choose the same key pair you used for the Web Server.
    o Network Settings:
      ▪ VPC: My-Secure-VPC
      ▪ Subnet: private-subnet-1
      ▪ Auto-assign Public IP: Disable (This is key! It gets no public IP.)
    o Click Launch Instance.
    o Both instances, Web-Server and DB-Server, should now show as running in the EC2 console.
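Before moving on to the live tests, it helps to write down the properties Phases 1 to 4 were meant to produce and check them mechanically. The Python script below is an added example, not part of the original project. It encodes the walkthrough's values (10.0.0.0/16, public-subnet-1, private-subnet-1, My-IGW, My-NAT-Gateway, Web-Server-SG, Web-Server, DB-Server) in a constructed snapshot whose field names follow the shape of `aws ec2 describe-*` output, then checks that the subnets fit inside the VPC without overlapping, that the public subnet's default route points at an internet gateway and the private subnet's at a NAT gateway, that the NAT gateway itself sits in a public subnet, that DB-Server has no public IP, and that no security-group rule other than HTTP/HTTPS is open to 0.0.0.0/0. The resource IDs (subnet-, igw-, nat-) and the sample IP addresses are placeholders I made up; nothing here calls AWS. It also reports usable hosts per subnet, which is the CIDR size minus the five addresses AWS reserves in every subnet.

```python
import copy
import ipaddress

# AWS reserves the first four and the last address of every subnet,
# so a /24 has 251 usable hosts rather than 256.
AWS_RESERVED_PER_SUBNET = 5

# Which tier each server is meant to live in (the walkthrough's intent).
INTENT = {"Web-Server": "public", "DB-Server": "private"}

# Ports the design deliberately opens to the whole internet.
WORLD_OK_PORTS = {80, 443}

# Constructed snapshot mirroring the walkthrough; IDs and IPs are made-up placeholders.
SNAPSHOT = {
    "CidrBlock": "10.0.0.0/16",
    "Subnets": [
        {"SubnetId": "subnet-pub1", "Name": "public-subnet-1", "CidrBlock": "10.0.1.0/24"},
        {"SubnetId": "subnet-priv1", "Name": "private-subnet-1", "CidrBlock": "10.0.2.0/24"},
    ],
    "NatGateways": [{"NatGatewayId": "nat-mynat", "SubnetId": "subnet-pub1"}],
    "RouteTables": [
        {"Name": "Public-Route-Table", "Associations": ["subnet-pub1"],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-myigw"}]},
        {"Name": "Private-Route-Table", "Associations": ["subnet-priv1"],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-mynat"}]},
    ],
    "SecurityGroups": [
        {"GroupName": "Web-Server-SG", "IpPermissions": [
            {"FromPort": 80, "ToPort": 80, "IpRanges": ["0.0.0.0/0"]},       # HTTP: Anywhere-IPv4
            {"FromPort": 22, "ToPort": 22, "IpRanges": ["198.51.100.7/32"]},  # SSH: "My IP"
        ]},
    ],
    "Instances": [
        {"Name": "Web-Server", "SubnetId": "subnet-pub1", "PublicIpAddress": "203.0.113.20"},
        {"Name": "DB-Server", "SubnetId": "subnet-priv1", "PublicIpAddress": None},
    ],
}

def usable_hosts(cidr):
    """Addresses an instance can actually take in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def subnet_exposure(snapshot):
    """Map each subnet ID to 'public' (default route -> igw-), 'private' (-> nat-) or 'isolated'."""
    exposure = {}
    for rt in snapshot["RouteTables"]:
        target = default_route_target(rt) or ""
        kind = "public" if target.startswith("igw-") else "private" if target.startswith("nat-") else "isolated"
        for subnet_id in rt["Associations"]:
            exposure[subnet_id] = kind
    for subnet in snapshot["Subnets"]:
        # Assumes an unmodified main route table (local route only) for unassociated subnets.
        exposure.setdefault(subnet["SubnetId"], "isolated")
    return exposure

def check_design(snapshot):
    """Return a list of findings; an empty list means the snapshot matches the intended design."""
    findings = []
    vpc = ipaddress.ip_network(snapshot["CidrBlock"])
    nets = [(s["Name"], ipaddress.ip_network(s["CidrBlock"])) for s in snapshot["Subnets"]]
    for name, net in nets:
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} lies outside the VPC CIDR {vpc}")
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{n1} and {n2} overlap ({a} vs {b})")
    exposure = subnet_exposure(snapshot)
    subnet_name = {s["SubnetId"]: s["Name"] for s in snapshot["Subnets"]}
    for nat in snapshot["NatGateways"]:
        if exposure.get(nat["SubnetId"]) != "public":
            findings.append(f"{nat['NatGatewayId']} is not in a subnet that routes to an internet gateway")
    for inst in snapshot["Instances"]:
        want, have = INTENT[inst["Name"]], exposure.get(inst["SubnetId"], "isolated")
        if have != want:
            findings.append(f"{inst['Name']} should be {want} but {subnet_name[inst['SubnetId']]} is {have}")
        if want == "private" and inst.get("PublicIpAddress"):
            findings.append(f"{inst['Name']} has public IP {inst['PublicIpAddress']} but is meant to be private")
        if want == "public" and not inst.get("PublicIpAddress"):
            findings.append(f"{inst['Name']} has no public IP, so web access will fail")
    for sg in snapshot["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
            if "0.0.0.0/0" in rule["IpRanges"] and not ports <= WORLD_OK_PORTS:
                findings.append(f"{sg['GroupName']} opens {rule['FromPort']}-{rule['ToPort']} to 0.0.0.0/0")
    return findings

def variant(snapshot, mutate):
    """Deep-copy the snapshot and apply a mutation, for what-if checks."""
    clone = copy.deepcopy(snapshot)
    mutate(clone)
    return clone

if __name__ == "__main__":
    for subnet in SNAPSHOT["Subnets"]:
        print(f"{subnet['Name']}: {usable_hosts(subnet['CidrBlock'])} usable addresses")
    print("findings:", check_design(SNAPSHOT) or "none")
```

Run as-is it reports no findings. Each of the mistakes the walkthrough warns against (leaving Auto-assign Public IP enabled on DB-Server, opening SSH to 0.0.0.0/0, placing the NAT Gateway in the private subnet, or pointing the private route table at the Internet Gateway) produces exactly one finding, which is the kind of drift a periodic run over real `describe-*` output would catch.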

Phase 5: Validation – Testing Your Setup

  1. Test Web Access
    o In the EC2 console, find your Web-Server instance.
    o Copy its Public IPv4 address.
    o Open a browser and paste the IP address. You should see “Hello World from my …”.
    o OR, use the terminal: curl http://<web-server-public-ip>

Screenshot: the browser shows “Hello World from my ip-10-1-232.ec2.internal”.

  2. Test Private Instance Internet Access (Via NAT)
    o SSH into your Web Server first (it’s public):

```bash
ssh -i "your-key.pem" ec2-user@<web-server-public-ip>
```

    o From inside your Web Server, try to SSH into the private Database Server:
      ▪ In the EC2 console, find your DB-Server and copy its Private IPv4 address (e.g., 10.0.2.50).
      ▪ Run:

```bash
ssh -i "your-key.pem" ec2-user@<db-server-private-ip>
```

      ▪ This requires the key file to be present on the Web Server. To keep the private key on your own machine instead, use SSH agent forwarding or a ProxyJump through the Web Server.
    o Once logged into the private DB-Server, test if it can reach the internet:

```bash
curl https://checkip.amazonaws.com
```

    o This should RETURN THE ELASTIC IP OF YOUR NAT GATEWAY. This proves your private server is using the NAT Gateway to access the internet!

CONCLUSION
You have successfully built a secure, professional-grade network architecture on AWS. Your web server is publicly accessible, but your database is securely hidden in a private network, yet can still download updates.
