AWS Cloud Path Week 11: AWS Networking Workshop Part 1 – Building Secure VPC Infrastructure
Welcome to Week 11 of the AWS Cloud Path series! In this hands-on workshop, we dive deep into AWS networking fundamentals by working through a comprehensive AWS Networking Workshop. This tutorial covers the full spectrum of AWS networking, from basic VPC and subnet configurations to advanced setups with security groups, route tables, and NAT gateways.
Missed the session? Catch up here:
Prerequisites
Before diving into this workshop, you should have:
- An active AWS account with appropriate permissions
- Basic understanding of networking concepts (IP addresses, CIDR blocks, subnets)
- Familiarity with AWS Console navigation
- Understanding that resources created in this workshop will incur costs (~$7 USD in us-east-1)
⚠️ Cost Warning: The resources created in this workshop will cost approximately $7 in the US East 1 region. Pricing may vary in different regions.
Workshop Overview
This workshop is part of the AWS Networking Immersion Day and covers foundational to advanced networking topics:
Foundation Topics Covered:
- Virtual Private Cloud (VPC) creation and configuration
- Public and private subnet architecture
- Internet Gateway setup
- NAT Gateway configuration
- Route tables and routing
- Network Access Control Lists (NACLs)
- Security group configuration
Advanced Topics (Future Sessions):
- VPC Endpoints
- Transit Gateway
- VPN connections
- Gateway Load Balancers
- Multi-cast networking
Step-by-Step Implementation
1. Environment Setup with CloudFormation
Before creating our networking infrastructure, we need to deploy a CloudFormation template that provisions prerequisite resources.
Deploying the Initial Stack
- Download the provided CloudFormation template
- Navigate to the CloudFormation console
- Create a new stack and upload the template
- Name your stack (e.g., “networking-workshop-prerequisites”)
- Deploy the stack
Resources Created:
- Flow logs role
- VPC endpoint policies
- Elastic IP addresses
# The CloudFormation template creates essential resources like:
# - IAM roles for flow logs
# - Endpoint policies
# - Pre-allocated Elastic IPs
2. Creating Your VPC Foundation
VPC Creation
Navigate to the VPC console and create a new VPC:
- Name: VPCA
- IPv4 CIDR block: 10.0.0.0/16
- IPv6 CIDR block: No IPv6 CIDR block
- Tenancy: Default
CIDR Block Explanation:
10.0.0.0/16 provides approximately 65,536 IP addresses
This gives us plenty of room for multiple subnets across availability zones
Enable DNS Hostnames
After VPC creation:
- Select your VPC
- Go to Actions → Edit VPC settings
- Enable DNS hostnames
- Save changes
This allows instances in your VPC to receive public DNS hostnames when they have public IP addresses.
3. Subnet Architecture Design
We’ll create four subnets across two Availability Zones following AWS best practices:
| Subnet Type | AZ | CIDR Block | Purpose |
|---|---|---|---|
| Public Subnet AZ1 | eu-central-1a | 10.0.0.0/24 | Resources needing direct internet access |
| Private Subnet AZ1 | eu-central-1a | 10.0.1.0/24 | Backend resources, databases |
| Public Subnet AZ2 | eu-central-1b | 10.0.2.0/24 | High availability public resources |
| Private Subnet AZ2 | eu-central-1b | 10.0.3.0/24 | High availability private resources |
Creating Subnets
For each subnet:
- Navigate to VPC → Subnets → Create subnet
- Select your VPC (VPCA)
- Configure subnet settings following the table above
- Create the subnet
Naming Convention Best Practices:
- Use consistent naming patterns (e.g., VPCA-public-subnet-az1)
- Include VPC identifier, subnet type, and availability zone
- This makes resource management much easier in production environments
4. Network Access Control Lists (NACLs)
Creating Custom NACLs
Default NACLs allow all traffic, which isn’t ideal for security. Let’s create a custom NACL:
- Navigate to VPC → Network ACLs → Create network ACL
- Name: VPCA-workload-subnet-nacl
- VPC: VPCA
Configuring NACL Rules
Inbound Rules:
Rule # | Type | Protocol | Port Range | Source | Allow/Deny
100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW
Outbound Rules:
Rule # | Type | Protocol | Port Range | Destination | Allow/Deny
100 | All Traffic | All | All | 0.0.0.0/0 | ALLOW
⚠️ Security Note: This configuration allows all traffic for demonstration purposes. In production, implement least-privilege access with specific rules for your application requirements.
Associate Subnets with NACL
- Select your custom NACL
- Go to Subnet associations tab
- Edit subnet associations
- Associate all four subnets with the custom NACL
5. Route Tables Configuration
Route tables determine where network traffic from subnets is directed. We’ll create separate route tables for public and private subnets.
Public Route Table
- Navigate to VPC → Route Tables → Create route table
- Name: VPCA-public-route-table
- VPC: VPCA
- Associate with public subnets
Private Route Table
- Create another route table
- Name: VPCA-private-route-table
- VPC: VPCA
- Associate with private subnets
Default Routes:
Both route tables automatically include a local route for the VPC CIDR (10.0.0.0/16) with target “local”, enabling communication within the VPC.
6. Internet Connectivity Setup
Internet Gateway Configuration
Public subnets need internet access through an Internet Gateway:
- Navigate to VPC → Internet Gateways → Create Internet Gateway
- Name: VPCA-IGW
- Attach to VPCA
Configure Public Route Table
Add internet route to public route table:
- Select VPCA-public-route-table
- Edit routes → Add route
- Destination: 0.0.0.0/0
- Target: Internet Gateway (VPCA-IGW)
This route directs all non-local traffic to the internet gateway.
NAT Gateway for Private Subnets
Private subnets need outbound internet access through a NAT Gateway:
- Navigate to VPC → NAT Gateways → Create NAT Gateway
- Name: VPCA-NAT-Gateway
- Subnet: Select a public subnet (VPCA-public-subnet-az1)
- Connectivity type: Public
- Elastic IP: Allocate Elastic IP
- Create NAT Gateway
Configure Private Route Table
Add NAT Gateway route to private route table:
- Select VPCA-private-route-table
- Edit routes → Add route
- Destination: 0.0.0.0/0
- Target: NAT Gateway (VPCA-NAT-Gateway)
Key Learning Points
1. CIDR Block Planning
- Plan your IP address space carefully
- Leave room for future expansion
- Avoid overlapping CIDR blocks
- Consider connectivity requirements with other networks
2. High Availability Design
- Deploy resources across multiple Availability Zones
- Use consistent naming conventions
- Implement redundancy for critical components
3. Security Best Practices
- Use custom NACLs instead of defaults
- Follow least-privilege access principles
- Separate public and private subnets
- Control outbound traffic from private subnets
4. Route Table Strategy
- Create dedicated route tables for different subnet types
- Understand local routes vs. internet routes
- Plan for hybrid connectivity (VPN/Direct Connect)
Common Troubleshooting Tips
Internet Connectivity Issues
- Check Internet Gateway: Ensure it’s attached to the VPC
- Verify Route Tables: Confirm 0.0.0.0/0 routes point to correct targets
- Security Groups: Check that security groups allow required traffic
- NACLs: Ensure NACLs aren’t blocking traffic
NAT Gateway Problems
- Subnet Selection: NAT Gateway must be in a public subnet
- Elastic IP: Ensure Elastic IP is allocated and attached
- Route Configuration: Private subnets should route 0.0.0.0/0 to NAT Gateway
Production Considerations
Cost Optimization
- NAT Gateway: Consider NAT instances for development environments
- Elastic IPs: Release unused Elastic IP addresses
- Data Transfer: Monitor data transfer costs
Security Enhancements
- Implement AWS Config rules for compliance monitoring
- Use VPC Flow Logs for traffic analysis
- Consider AWS Network Firewall for advanced filtering
Monitoring and Logging
- Enable VPC Flow Logs
- Set up CloudWatch monitoring for NAT Gateways
- Monitor Elastic IP usage and costs
Next Steps
In the upcoming sessions, we’ll explore:
VPC Endpoints (Next Session)
- S3 Gateway Endpoints
- Interface Endpoints for AWS services
- Private connectivity without internet gateway dependency
- Cost optimization through private connectivity
Advanced Networking Topics
- Transit Gateway for multi-VPC connectivity
- VPN connections for hybrid cloud
- Direct Connect for dedicated connectivity
- Network segmentation strategies
Conclusion
This foundational networking workshop provides the essential building blocks for secure, scalable AWS network architectures. By understanding VPCs, subnets, route tables, and security controls, you’re building expertise in the core networking components that underpin most AWS solutions.
The hands-on approach of working through actual AWS console configurations helps solidify theoretical knowledge with practical skills. Remember to clean up resources after the workshop to avoid unnecessary costs!
Additional Resources
- AWS VPC Documentation
- AWS Networking Workshops
- VPC Best Practices
- AWS Well-Architected Framework – Security Pillar
Join us next week as we continue with VPC Endpoints and explore how to create private connectivity to AWS services without routing traffic through the public internet!