VPC with Public-Private Subnet in Production Environment.

A VPC that we can use for servers in a production environment.

VPC with Public-Private Subnet in Production.

The example below demonstrates how to create a VPC that we can use for servers in a production environment.

To improve resiliency, we deployed the servers in two Availability Zones, using an Auto Scaling group and an Application Load Balancer. For additional security, we deployed the servers in private subnets. The servers receive traffic through the load balancer and can connect to the internet by using a NAT Gateway. We also implemented a bastion host to access the servers in the private subnets.

First, in the AWS Console, type VPC.

Select “VPC and more”, since it has all the related settings in one place. Then click on Create VPC.

As per the architecture diagram, the VPC creates public and private subnets in different Availability Zones, as shown below.

We can see below that the subnets are associated with the route tables.

Assign the name of the project: Aws-prod-examples.

We can keep the IPv4 CIDR block at its default; there is no need to change it.

Tenancy: also Default.

For NAT Gateways, select 1 per AZ.

For VPC Endpoints, select None, then click on Create VPC.

Now VPC has been successfully created.

Now we will create the Auto Scaling group. Click on EC2.

Once we select Auto Scaling, we have to go with a “Launch Template”. The launch template acts as a reference: it defines the instance configuration from which the group launches however many instances (5, 10, and so on) it scales to.

So click on Launch Template.

Now it asks for the AMI (Amazon Machine Image); click on Recently launched.

Then go to the instance type; I have selected the free tier.

Select the Key Pair.

In Network settings, select the Create security group option.

Now, below, we have to launch this Auto Scaling group in the VPC we created earlier, i.e. aws-prod-example.

Now to the Inbound security group rules.

You could allow all inbound traffic, but good practice is to open only the ports your application requires. Allowing all traffic means we are not following the security standards. So always open only the ports you require.

So below we have opened SSH port 22 and port 8000 (the Python application we want to deploy), and both are accessible from anywhere.
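As an added check (not part of the original post), this Python snippet audits a security group like the one configured above, flagging every rule reachable from anywhere, and places the hardened form beside it: SSH only from the bastion host's security group and port 8000 only from the load balancer's security group. The data is constructed in the shape of the describe-security-groups output and all group IDs are placeholders.

```python
# Constructed sample data shaped like `aws ec2 describe-security-groups`
# output (not captured from a real account); group IDs are placeholders.

WORLD = {"0.0.0.0/0", "::/0"}


def world_open_ports(sg):
    """Return (from_port, to_port, protocol) for every rule reachable from anywhere."""
    findings = []
    for rule in sg["IpPermissions"]:
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if cidrs & WORLD:
            findings.append((rule.get("FromPort"), rule.get("ToPort"), rule["IpProtocol"]))
    return findings


def ssh_only_from(sg, allowed_sg_ids):
    """True if every SSH (22/tcp) rule is sourced from allowed_sg_ids, never from a CIDR."""
    for rule in sg["IpPermissions"]:
        if rule["IpProtocol"] == "tcp" and rule["FromPort"] <= 22 <= rule["ToPort"]:
            if rule.get("IpRanges") or rule.get("Ipv6Ranges"):
                return False
            sources = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
            if not sources <= set(allowed_sg_ids):
                return False
    return True


# As configured in the post: 22 and 8000 open to 0.0.0.0/0.
AS_POSTED = {
    "GroupId": "sg-app-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Hardened: SSH only from the bastion's group, 8000 only from the ALB's group.
HARDENED = {
    "GroupId": "sg-app-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion-PLACEHOLDER"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "UserIdGroupPairs": [{"GroupId": "sg-alb-PLACEHOLDER"}]},
    ],
}
```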

We don't need to modify any other sections; we can keep them as they are.

Then click on Launch Template.

Give the launch template name aws-prod-example. Below, from the drop-down list, select aws-prod-example.

Then click on Next.

Once we click on Next, we have to go to the Network section and select the VPC we created earlier, i.e. aws-prod-examples.

After that, select the Availability Zones and subnets: as per the architecture diagram we have to deploy our application in private subnets, so we select the private subnets here.

Then click on Next.

For now we will not attach a load balancer here.

Everything looks good, so click on Next.

Here is an important item to address: we have to specify the desired, minimum and maximum capacity.

Other configurations we can keep at their defaults. Then click on Next.

In Add notifications we don't want anything, so click on Next.

Review your launch template configuration.

Create the Auto Scaling group.

Now the Auto Scaling group has been successfully created.

Now we can check in the console whether our EC2 instances have been created.

The Auto Scaling group has created the EC2 instances from the launch template. As per the architecture diagram, both instances are in private subnets, and if we check carefully, neither instance has a public IP address, since they sit in private subnets.
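As an added example (not from the post), this Python check verifies what the console shows here: each app instance sits in a subnet whose default route goes to a NAT Gateway and has no public IP, while the bastion sits in a public subnet (default route to the internet gateway) with one. Route tables and instances are constructed in the shape of the describe-route-tables and describe-instances output, slightly flattened; the Role field is our own annotation and all IDs are placeholders.

```python
# Added check for the placement described in the post. Sample data is
# constructed (shaped like describe-route-tables / describe-instances output,
# with Associations flattened to "Subnets"); every ID is a placeholder.

def subnet_kind(route_tables, subnet_id):
    """'public' if the default route targets an igw-, 'private' if a nat-, else 'isolated'."""
    for rt in route_tables:
        for route in rt["Routes"]:
            if subnet_id in rt["Subnets"] and route.get("DestinationCidrBlock") == "0.0.0.0/0":
                if route.get("GatewayId", "").startswith("igw-"):
                    return "public"
                if route.get("NatGatewayId", "").startswith("nat-"):
                    return "private"
    return "isolated"

def placement_findings(instances, route_tables):
    """One finding per instance that violates the intended design."""
    findings = []
    for inst in instances:
        kind = subnet_kind(route_tables, inst["SubnetId"])
        public_ip = "PublicIpAddress" in inst
        if inst["Role"] == "app" and kind != "private":
            findings.append(f"{inst['InstanceId']}: app server in {kind} subnet")
        if inst["Role"] == "app" and public_ip:
            findings.append(f"{inst['InstanceId']}: app server has a public IP")
        if inst["Role"] == "bastion" and (kind != "public" or not public_ip):
            findings.append(f"{inst['InstanceId']}: bastion is not internet reachable")
    return findings

# One NAT Gateway per AZ, as selected in "VPC and more"; "Role" is our own
# annotation (e.g. derived from a Name tag), not an EC2 field.
ROUTE_TABLES = [
    {"Subnets": ["subnet-pub-1a", "subnet-pub-1b"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]},
    {"Subnets": ["subnet-priv-1a"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER-1a"}]},
    {"Subnets": ["subnet-priv-1b"],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER-1b"}]},
]
INSTANCES = [
    {"InstanceId": "i-app-1", "Role": "app", "SubnetId": "subnet-priv-1a"},
    {"InstanceId": "i-app-2", "Role": "app", "SubnetId": "subnet-priv-1b"},
    {"InstanceId": "i-bastion", "Role": "bastion", "SubnetId": "subnet-pub-1a",
     "PublicIpAddress": "203.0.113.10"},
]
# A misconfigured instance: app server launched in a public subnet with a public IP.
MISPLACED = {"InstanceId": "i-app-3", "Role": "app", "SubnetId": "subnet-pub-1b",
             "PublicIpAddress": "203.0.113.11"}
```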

Now we have to install the application on these two instances, but as we checked, no public IP address is assigned to them, so how can we log in?

Here the bastion host comes into the picture. A bastion host acts as a mediator between the public and private subnets; it functions like a jump server. Why is it useful? Say you have a dedicated server in a private subnet: with a bastion host we know who accesses the servers, we can collect metrics and audit logs, and with their help we can secure our environment.

A bastion host is a fortified server that acts as a gateway between a public network (like the internet) and a private network.

It's designed to withstand attacks and provide controlled access to internal resources.

Key characteristics:

Located on the network perimeter: Typically placed in a DMZ (Demilitarized Zone) or outside a firewall.

Minimal services: Runs only essential services to reduce the attack surface.

Secure configuration: Hardened with strong security measures to protect against vulnerabilities.

Access control: Enforces strict authentication and authorization rules to limit access.

Benefits of using a bastion host:

Enhanced security: Reduces the risk of unauthorized access to internal systems.

Centralized management: Provides a single point of control for network access.

Improved auditing: Logs all access attempts, making it easier to detect and investigate security incidents.

Reduced attack surface: Minimizes the number of exposed services, making it harder for attackers to exploit vulnerabilities.

So we are going to create a bastion host:

Click on Launch Instance:

Then give it the name “Bastion-host”.

Then choose Ubuntu as the image.

Provide the key pair.

In Network settings, add a security group that allows SSH. We will connect through SSH to the instances that sit in the private subnets.

So SSH is already enabled.

Now, in the same Network settings, click on Edit on the right side.

Once you click Edit, the bastion host should be placed in the same VPC.

Then Auto-assign public IP should be enabled.

Then click on Launch Instance.

Now the bastion host has been created. From my personal laptop I will SSH to the bastion, and from the bastion to the instances that sit in the private subnet. But before doing this we need the key pair, so we have to copy the key pair to the bastion host.

Now we can see three instances on the dashboard.

To copy the key to the bastion host we can use our laptop’s terminal; open the bastion host in the console and get the public IP of that instance.

While trying, we received the above error, “Permission denied”, which means /home does not have the appropriate permissions.

The /home directory on the remote host may have restrictive permissions that prevent the ubuntu user from writing to it, so we changed the permissions with the chmod command. Now we have successfully copied the .pem key from my laptop to the bastion host.

Now the key has been successfully copied.

So we log in to the bastion host, and we can see that the key has been copied to it successfully.

Now, from the bastion host, we will try to log in to the private instances:

Yes, now we are able to log in to our private instances from the bastion host.

Now we are going to install the Python application on one of the EC2 instances that sits in the private subnet.

We have created an index.html file, taking just a random example here.

Copy and paste the code, then save the index.html file.

Then just run the Python server with the following command: python3 -m http.server 8000. Now the application is running on this instance.

Now the final step is to create the load balancer. From the dashboard, go to Load Balancers.

Go with Application Load Balancer:

Give the load balancer a name.

The load balancer should always be in the public subnet, so select Internet-facing.

In Network mapping, select the created VPC and select both Availability Zones.

The subnets should be the public subnets.

The security group should be like below:

From Listeners and routing, click on create a target group first.

Click on Next.

Select the instances, excluding Bastion-host. The application has been installed on one instance and not on the other.

Click on “Include as pending below”.

Then click on Create Target Group.

The target group has been created.

Then click on Create load balancer.

The load balancer has been successfully created.

The above error appeared due to a space in the index.html file, so I fixed that.

After removing the space, the application was accessible.

First I got the above error while accessing the load balancer.

So I checked the logs, the listeners and the target groups. It all seemed okay.

Finally, our application is accessible.

With the help of the above steps we can secure our infrastructure and deploy the application securely.

Happy Learning!!