Designing a Secure, Scalable AWS Network: From VPC to Virtual Machines
As cloud computing continues to dominate enterprise infrastructure, the ability to design, deploy, and secure network environments in AWS has become a key skill for any Cloud or Infrastructure Engineer.
Recently, I undertook a hands-on project to build a complete AWS network architecture from scratch, including VPC, subnets, security layers, and virtual machines. This post summarizes my approach and the lessons learned — framed as a practical guide for anyone looking to solve real-world cloud networking challenges.
Understanding the Challenge
The problem was clear: how can I build a well-structured Virtual Private Cloud (VPC) that:
- Supports multiple application tiers
- Enforces network access control
- Secures resources with Security Groups
- Allows controlled internet access
- Supports deployment of Virtual Machines (EC2 instances)
- Remains cost-efficient
Addressing this required a combination of AWS architecture best practices, security controls, and operational hygiene.
Step 1: Build a Custom VPC
Creating a custom VPC with a clear CIDR block is foundational. This allowed me to:
- Define network boundaries
- Plan subnets according to application tiers
- Control routing and traffic flow
A clean VPC architecture provides the backbone for scalable cloud environments.
Step 2: Separate Workloads With Subnets
I designed three subnets, each with a specific purpose:
- Frontend Subnet – Handles public-facing resources
- Backend Subnet – Houses internal services
- Database Subnet – Hosts sensitive data
This separation enforces the principle of least privilege and reduces the blast radius if any component is compromised.
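Subnet planning is easier to get right when the arithmetic is done up front rather than in the console. The following is an added example, not code from the original post: it carves a VPC block into one subnet per tier with Python's standard `ipaddress` module, checks that the result is non-overlapping and fully inside the VPC, and accounts for the five addresses AWS reserves in every subnet. The VPC block, tier names and prefix length are assumptions chosen for illustration.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the first four
# (network, VPC router, DNS, future use) and the last (broadcast).
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, tiers, new_prefix=24):
    """Carve one subnet per tier out of the VPC block, in tier order.

    Returns a dict tier -> IPv4Network. Raises ValueError when the VPC
    block cannot hold that many subnets of the requested size.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    candidates = vpc.subnets(new_prefix=new_prefix)
    plan = {}
    for tier in tiers:
        try:
            plan[tier] = next(candidates)
        except StopIteration:
            raise ValueError(
                f"{vpc_cidr} cannot hold {len(tiers)} /{new_prefix} subnets"
            ) from None
    return plan


def usable_hosts(subnet):
    """Addresses actually available for instances in one subnet."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr, plan):
    """True when every subnet lies inside the VPC and no two overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = list(plan.values())
    if any(not n.subnet_of(vpc) for n in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def locate(plan, address):
    """Name the tier whose subnet holds this address, or None if it is outside the VPC."""
    ip = ipaddress.ip_address(address)
    for tier, net in plan.items():
        if ip in net:
            return tier
    return None


if __name__ == "__main__":
    # Constructed example: a /16 VPC split into one /24 per tier.
    plan = plan_subnets("10.0.0.0/16", ["frontend", "backend", "database"])
    for tier, net in plan.items():
        print(f"{tier:9} {net}  usable hosts: {usable_hosts(net)}")
    print("plan valid:", check_plan("10.0.0.0/16", plan))
    print("10.0.2.17 lives in:", locate(plan, "10.0.2.17"))
```

Running the script with a block that is too small (say a /23 for three /24 subnets) raises immediately, which is the kind of mistake that is far cheaper to catch here than after the subnets exist.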
Step 3: Implement Network Access Control
At the subnet level, Network ACLs (NACLs) were used to filter inbound and outbound traffic. Each subnet had a dedicated ACL with custom rules:
- Frontend NACL – allows the ports needed for public access
- Backend NACL – restricted to internal communication
- Database NACL – highly restricted; only essential traffic is permitted
NACLs provide stateless, subnet-level security, complementing Security Groups.
Step 4: Apply Security Groups at the Instance Level
Security Groups were configured for each tier:
- Frontend-SG – allowed RDP only from my IP, with all other traffic controlled
- Backend-SG – limited inbound traffic
- Database-SG – isolated to internal communication only
Security Groups act as stateful firewalls, ensuring only authorized traffic reaches your instances.
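The stateless/stateful distinction between Steps 3 and 4 is where most first-time NACL configurations go wrong: the inbound RDP rule is written, the Security Group admits the connection, and the session still never connects because the reply leaving on an ephemeral port has no outbound NACL rule. The following is an added example, not code from the original post, that models both filters in plain Python and runs one RDP round trip through them. The addresses, rule numbers and port ranges are constructed for illustration; the behaviour modelled (ordered first-match NACL rules with an implicit deny, allow-only Security Groups with connection tracking) is how the two AWS controls work.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (lowest evaluated first); unused for SG rules
    proto: str       # "tcp", "udp" or "all"
    port_lo: int
    port_hi: int
    cidr: str        # remote address range the rule applies to
    action: str      # "allow" or "deny" (Security Group rules are allow-only)

    def matches(self, remote_ip, port, proto):
        return (self.proto in (proto, "all")
                and self.port_lo <= port <= self.port_hi
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


class NetworkAcl:
    """Stateless subnet filter: each direction is judged on its own, rules run in
    ascending number order, the first match decides, and anything unmatched is
    denied (the trailing '*' rule shown in the console)."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = pkt.src if direction == "in" else pkt.dst
        for r in rules:
            if r.matches(remote_ip, pkt.dport, pkt.proto):
                return r.action == "allow"
        return False


class SecurityGroup:
    """Stateful instance filter: only allow rules exist, and the reply to a
    connection that a rule admitted is let through without a rule of its own."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound
        self.outbound = outbound
        self.flows = set()   # connection-tracking table of admitted 5-tuples

    def allows(self, pkt, direction):
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows:
            return True   # return traffic of a tracked connection
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = pkt.src if direction == "in" else pkt.dst
        if any(r.matches(remote_ip, pkt.dport, pkt.proto) for r in rules):
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return True
        return False


def rdp_session(nacl, sg, admin_ip="203.0.113.10", host="10.0.0.10"):
    """One RDP round trip through the subnet NACL and the instance SG.
    Returns (request_allowed, reply_allowed)."""
    request = Packet(admin_ip, host, "tcp", 49152, 3389)   # client uses an ephemeral port
    reply = Packet(host, admin_ip, "tcp", 3389, 49152)
    if not (nacl.allows(request, "in") and sg.allows(request, "in")):
        return (False, False)
    return (True, sg.allows(reply, "out") and nacl.allows(reply, "out"))


# Constructed configuration mirroring Step 3 and Step 4 (documentation address ranges).
ADMIN_CIDR = "203.0.113.10/32"

FRONTEND_NACL = NetworkAcl(
    inbound=[Rule(100, "tcp", 3389, 3389, ADMIN_CIDR, "allow"),
             Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow")],
    # Stateless, so the reply needs its own rule: outbound to ephemeral ports.
    outbound=[Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")],
)

# The same NACL with the ephemeral-port rule forgotten.
FORGETFUL_NACL = NetworkAcl(inbound=FRONTEND_NACL.inbound, outbound=[])


def frontend_sg():
    # Egress rules are deliberately empty to show the reply is admitted by
    # connection tracking, not by a rule (a real default SG allows all egress).
    return SecurityGroup(inbound=[Rule(0, "tcp", 3389, 3389, ADMIN_CIDR, "allow")], outbound=[])


if __name__ == "__main__":
    print("correct NACL + SG:", rdp_session(FRONTEND_NACL, frontend_sg()))
    print("NACL without ephemeral rule:", rdp_session(FORGETFUL_NACL, frontend_sg()))
    print("RDP from another address:", rdp_session(FRONTEND_NACL, frontend_sg(), admin_ip="198.51.100.7"))
```

The second run is the instructive one: the request is accepted by both layers and the reply is dropped purely by the NACL, which is exactly the symptom a "connection timed out" RDP session shows when the ephemeral-port rule is missing. A deny rule with a lower number than the allow also wins, which is why rule numbering deserves as much care as the rules themselves.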
Step 5: Enable Controlled Internet Access
To support external connectivity where needed, I configured:
- Internet Gateway attached to the VPC
- A route table entry for 0.0.0.0/0 pointing at the Internet Gateway, for outbound traffic
This approach allows the frontend subnet to interact with the internet while keeping internal subnets isolated.
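What makes a subnet "public" is nothing more than the route table it is associated with. The following is an added example, not code from the original post: a small route-table model using longest-prefix matching, the rule AWS applies, which shows why a frontend host reaching the database tier still takes the local route even though 0.0.0.0/0 also matches, and why the backend and database subnets have no path out of the VPC at all. The VPC block and the gateway id `igw-EXAMPLE` are placeholders, not values from the project.

```python
import ipaddress


class RouteTable:
    """Routes are (destination CIDR, target); the most specific matching
    destination wins, and a destination matching no route is dropped."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(cidr), target) for cidr, target in routes]

    def next_hop(self, dst):
        ip = ipaddress.ip_address(dst)
        best = None
        for net, target in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None   # None: no route, packet is dropped

    def has_internet_route(self):
        """A subnet is public when its table sends 0.0.0.0/0 to an Internet Gateway."""
        return any(net.prefixlen == 0 and target.startswith("igw-")
                   for net, target in self.routes)


def public_subnets(associations):
    """associations: subnet name -> RouteTable. Returns the names of the public ones."""
    return {name for name, table in associations.items() if table.has_internet_route()}


# Constructed example. VPC 10.0.0.0/16; "igw-EXAMPLE" is a placeholder gateway id.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = RouteTable([(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-EXAMPLE")])
PRIVATE_RT = RouteTable([(VPC_CIDR, "local")])   # no path out of the VPC
ASSOCIATIONS = {"frontend": PUBLIC_RT, "backend": PRIVATE_RT, "database": PRIVATE_RT}

if __name__ == "__main__":
    print("public subnets:", public_subnets(ASSOCIATIONS))
    # Frontend host reaching the database tier stays on the local route
    # even though 0.0.0.0/0 also matches: longest prefix wins.
    print("frontend -> 10.0.2.10:", PUBLIC_RT.next_hop("10.0.2.10"))
    print("frontend -> 198.51.100.7:", PUBLIC_RT.next_hop("198.51.100.7"))
    print("database -> 198.51.100.7:", PRIVATE_RT.next_hop("198.51.100.7"))
```

A useful audit habit follows from this: list the route tables, find every one with a 0.0.0.0/0 route to an `igw-` target, and confirm that only the subnets meant to be public are associated with them.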
Step 6: Capture Network Activity With Flow Logs
Visibility is critical. I enabled Flow Logs for the VPC:
- Accept logs – track allowed traffic
- Reject logs – track blocked traffic
Logs were sent to Amazon S3, providing centralized, persistent observability for monitoring and auditing purposes.
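Flow logs only pay off once something reads them. The following is an added example, not code from the original post: a parser for the default (version 2) VPC Flow Log record format, run over a handful of constructed records, with three triage views a defender wants first: who is being rejected and how often, which outside sources the frontend actually accepted, and any traffic into the database subnet that did not come from the backend tier. The records, addresses, account id and ENI ids are constructed placeholders; the field order is the real default format.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTOCOLS = {"6": "tcp", "17": "udp", "1": "icmp"}   # IANA protocol numbers

# Constructed sample records (documentation addresses; account and ENI ids are placeholders).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.0.10 49152 3389 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.0.10 40567 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.0.10 40568 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0d4e5f6a 10.0.1.20 10.0.2.10 51020 3306 6 12 2816 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0d4e5f6a 10.0.0.10 10.0.2.10 51021 3306 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0d4e5f6a - - - - - - - 1418530010 1418530070 - NODATA
"""


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def parse_flow_log(text):
    """Parse default-format records into dicts. Records without traffic
    (log-status NODATA or SKIPDATA) carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["protocol"] = PROTOCOLS.get(rec["protocol"], rec["protocol"])
        records.append(rec)
    return records


def rejects_by_source(records):
    """Who is being blocked, and how often: the first view to take of reject logs."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def accepted_from_outside(records, vpc_cidr="10.0.0.0/16"):
    """Accepted flows whose source is outside the VPC: what the frontend really admits."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and not in_net(r["srcaddr"], vpc_cidr)]


def unexpected_tier_traffic(records, db_subnet="10.0.2.0/24", allowed_sources=("10.0.1.0/24",)):
    """Flows into the database subnet from anywhere other than the backend subnet.
    Accepted ones mean a rule is too loose; rejected ones show the Database NACL/SG working."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"], r["action"]) for r in records
            if in_net(r["dstaddr"], db_subnet)
            and not any(in_net(r["srcaddr"], cidr) for cidr in allowed_sources)]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("rejects by source:", dict(rejects_by_source(recs)))
    print("accepted from outside the VPC:", accepted_from_outside(recs))
    print("database-tier traffic not from backend:", unexpected_tier_traffic(recs))
```

The same three functions apply unchanged to records pulled from the S3 bucket; the only thing to change is the VPC and subnet CIDRs. Note that a REJECT record names the source but not which layer dropped it (NACL or Security Group), so the rejected frontend-to-database flow in the sample is the cue to check both.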
Step 7: Deploy and Connect a Virtual Machine
A Windows EC2 instance was deployed in the frontend subnet:
- Public IP assigned for RDP access
- Key pair authentication for secure login
- Security Group and NACL rules applied to control access
This VM became a practical environment for testing, validating networking, and demonstrating end-to-end functionality.
Step 8: Clean Up and Resource Hygiene
After testing, I performed a complete cleanup to avoid unnecessary costs:
- Deleted the EC2 instance
- Removed the VPC, subnets, NACLs, Security Groups, and Internet Gateway
- Deleted the S3 bucket and key pairs
Operational discipline is just as important as deployment skills.
Key Takeaways
This project reinforced several critical skills for any Cloud Engineer:
- Designing secure and scalable VPC architectures
- Implementing network segmentation and access control
- Configuring Security Groups and NACLs effectively
- Managing virtual machines and controlled internet access
- Capturing network activity with Flow Logs for monitoring and auditing
- Maintaining cost-effective and clean cloud infrastructure
Whether preparing for a cloud engineering role or building production-ready environments, mastering these fundamentals is essential.
FAQ – AWS VPC, Subnets, Security, and Virtual Machines
Q1: What is a VPC and why is it important?
A: A Virtual Private Cloud (VPC) is an isolated network environment in AWS where you can launch resources securely. It allows control over IP ranges, subnets, routing, and security, ensuring workloads are protected and can scale efficiently.
Q2: Why separate workloads into multiple subnets?
A: Separating workloads into frontend, backend, and database subnets enforces layered security, limits potential attack surfaces, and ensures better traffic management between application tiers.
Q3: What is the difference between Network ACLs and Security Groups?
A:
- Network ACLs (NACLs) operate at the subnet level and are stateless, meaning rules must be set for both inbound and outbound traffic.
- Security Groups operate at the instance level and are stateful, automatically allowing return traffic. Both work together to secure your infrastructure.
Q4: How does an Internet Gateway work in a VPC?
A: An Internet Gateway (IGW) enables communication between resources in a VPC and the internet. By connecting to the VPC’s route table, it allows selected subnets (like frontend) to send and receive traffic securely.
Q5: What are Flow Logs and why use them?
A: Flow Logs capture traffic metadata for your VPC, subnets, or network interfaces. They are essential for monitoring, auditing, and troubleshooting network activity, helping detect suspicious or unintended traffic.
Q6: Why is it important to configure Security Groups for EC2 instances?
A: Security Groups act as virtual firewalls, controlling inbound and outbound traffic for instances. Proper configuration ensures that only authorized traffic reaches your VMs, reducing security risks.
Q7: Can a Virtual Machine in AWS access the internet by default?
A: No. By default, instances do not have internet access. To enable it, you must:
- Attach the instance to a subnet with a route to an Internet Gateway
- Ensure the Security Group and NACL rules allow outbound traffic
Q8: How do you ensure cost-efficiency when building AWS networks?
A: Cost efficiency is achieved by:
- Cleaning up resources after testing (EC2, VPC, subnets, S3, key pairs)
- Avoiding paid features like VPC encryption unless needed
- Using smaller instance types (like t3.micro) during development and learning
Q9: How does this project demonstrate readiness for Cloud Engineering roles?
A: This project covers core cloud networking skills:
- Designing secure and scalable VPCs
- Subnet planning and isolation
- Implementing NACLs and Security Groups
- Deploying and configuring virtual machines
- Enabling observability with Flow Logs
- Practicing operational discipline with resource cleanup
These skills mirror real-world responsibilities in AWS, DevOps, and Cloud Engineering roles.
