Building a Secure AWS VPC with NAT Gateway for Application Hosting

Building a Secure AWS VPC with NAT Gateway for Application Hosting


In the dynamic landscape of cloud computing, constructing a secure and well-architected network infrastructure is paramount. Amazon Web Services (AWS) offers a versatile solution known as Virtual Private Cloud (VPC), allowing users to design and customize a virtual network tailored to their specific requirements. In this comprehensive guide, we will delve into the step-by-step process of creating a robust VPC with two distinct subnets, incorporating a Network Address Translation (NAT) gateway to facilitate secure communication. Furthermore, we will deploy instances for hosting an application, ensuring a secure and isolated environment.

Section 1:Creating the VPC

1.1 Login to AWS Console

Begin your AWS journey by logging in to the AWS Management Console using your designated credentials. Navigate to the VPC service within the console.

1.2 Navigate to VPC Dashboard

Once in the AWS Console, locate the VPC service to access the VPC Dashboard. Here, you'll find a comprehensive overview of your VPC resources.

1.3 Start VPC Creation

  1. Click on the "Create VPC" button to initiate the VPC creation process.

  2. Provide a meaningful name for your VPC, such as "MyAppVPC."

  3. Specify a CIDR block for your VPC (e.g.,

  4. Choose the tenancy model according to your requirements (default or dedicated).

The CIDR block determines the IP address range of your VPC, and the tenancy model defines whether instances run on shared (default) or dedicated hardware.

Section 2: Configuring Subnets

2.1 Create Border Subnet

  1. Navigate to "Subnets" in the VPC Dashboard.

  2. Click "Create subnet" and provide a name like "Border Subnet."

  3. Assign a unique CIDR block to the subnet (e.g.,

  4. Associate the subnet with the previously created VPC.

The border subnet will host the NAT gateway and facilitate outbound internet access for instances in the private subnet.

2.2 Create App Subnet

  1. Create another subnet named "App Subnet."

  2. Assign a different CIDR block (e.g.,

  3. Associate the subnet with the VPC.

This subnet will host the application server and will not have direct internet access.

In Amazon Virtual Private Cloud (Amazon VPC), subnet associations are usually referred to in the context of associating a subnet with a route table. Here's how you can associate a subnet with a route table using the AWS Management Console:

Using the AWS Management Console:

  1. Navigate to the VPC Dashboard:

  2. Access Subnet Associations:

    • In the VPC dashboard, navigate to the "Subnets" section.
  3. Select a Subnet:

    • Select the subnet that you want to associate with a route table.
  4. Associate with a Route Table:

    • Under the "Subnet Actions" dropdown, select "Modify auto-assign IP settings."
  5. Choose a Route Table:

    • In the "Modify auto-assign IP settings" dialog, you can see the option to associate the subnet with a specific route table.

    • Choose the desired route table from the dropdown menu.

  6. Save Changes:

    • Click the "Save" button to apply the changes.

Section 3: Internet Gateway and Route Tables

3.1 Create Internet Gateway

  1. Navigate to "Internet Gateways" in the VPC Dashboard.

  2. Click "Create internet gateway" and attach it to your VPC.

The internet gateway enables communication between your VPC and the internet.

3.2 Update Route Tables

  1. Update the route table for the border subnet:

    • Add a route to the internet gateway ( for outbound internet access.
  2. Update the route table for the app subnet:

    • Add a route to the NAT gateway ( for outbound traffic.

Route tables define how traffic is directed within the VPC. The border subnet routes directly to the internet, while the app subnet routes through the NAT gateway.

Section 4: Security Groups

4.1 Create Security Group for App Server

Note:- Remember to choose the vpc you created

  1. Navigate to "Security Groups" in the VPC Dashboard.

  2. Create a security group named "AppSecurityGroup."

  3. Define inbound rules to allow necessary traffic (e.g., SSH for administration, application-specific ports).

Security groups act as virtual firewalls for your instances, controlling inbound and outbound traffic.

4.2 Create Security Group for NAT Instance

  1. Create a security group named "NATSecurityGroup."

  2. Configure rules to allow inbound traffic from the border subnet and outbound traffic to the internet.

The NAT security group ensures secure communication between the NAT instance and the border subnet.

Section 5: Launch Instances

5.1 Launch NAT Instance

  1. Navigate to "Instances" in the EC2 Dashboard.

  2. Launch an instance in the border subnet using an Amazon Machine Image (AMI) that supports NAT.

  3. Ensure the instance has masquerading enabled for proper NAT functionality.

Enhancing VPC Security: Masquerading for Private Network Communication

In the realm of VPC security, masquerading plays a pivotal role in safeguarding private network communication. This concise guide outlines the steps to set up masquerading using straightforward commands.

Step 1: Enable IP Forwarding

echo 1 | sudo tee /proc/sys/net/ipv4/conf/all/forwarding

Activate IP forwarding to empower your Linux system to efficiently route packets between different interfaces.

Step 2: Implement Masquerading with iptables

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Utilize iptables to configure NAT, ensuring that devices within your private VPC network can securely communicate with external servers, appearing under a unified public IP address.


With these commands, you've fortified your VPC's security by enabling masquerading. This ensures that internal devices maintain privacy while accessing external resources. Incorporate these steps into your VPC setup for robust network security.

5.2 Launch App Server Instance

  1. Launch an instance in the app subnet.

  2. Configure the instance with the "AppSecurityGroup" security group.

  3. Don't give permission to auto-assign public for avoiding the app server to have a public IP address.

  4. Install and configure your application on this instance.

Section 6: SSH Hopping Configuration

For secure access to private instances, create an SSH configuration file (~/.ssh/config) with the following content:

Host PublicInstance
  HostName <Public_IP_of_NAT_Instance>
  ForwardAgent yes
  User ubuntu
  StrictHostKeyChecking no
  IdentityFile ~/.ssh/id_rsa

Host 10.0.2.*
  ProxyCommand ssh -q -W %h:%p PublicInstance
  ForwardAgent yes
  StrictHostKeyChecking no
  IdentityFile ~/.ssh/id_rsa
  User ubuntu

Replace <Public_IP_of_NAT_Instance> with the public IP address of your NAT instance.

and 10.0.2.* with the private IP of the App server Instance.


In this guide, we've meticulously covered the essential steps to create a secure AWS VPC with two subnets, a NAT gateway, and instances for your application. By following these detailed steps.