VPC EC2 NAT Gateway Security

Custom VPC Architecture & Secure Network Design on AWS

📌 Project Description

Cloud infrastructure security inherently begins at the network layer. This project demonstrates the from-scratch architectural design and implementation of a custom Amazon Virtual Private Cloud (VPC). The primary focus is establishing a logically isolated network environment by strictly decoupling public and private resources and enforcing rigorous network traffic controls.

Throughout this experiment, I provisioned Public and Private Subnets, engineered Route Tables, established secure outbound internet access for private workloads via a NAT Gateway, and deployed a Bastion Host (Jump Box) to facilitate secure remote administration into the private network tier.

๐Ÿ› ๏ธ Tech Stack & AWS Services

  • Networking & Content Delivery: Amazon VPC, Public & Private Subnets, Internet Gateway (IGW), NAT Gateway, Route Tables.
  • Compute: Amazon EC2 (Bastion Host & Private Instances), EC2 Instance Connect.
  • Security: VPC Security Groups, Secure Shell (SSH) Access Control.
  • Concepts: Network Isolation, Routing, Secure Remote Access (Jump Box), Outbound-Only Internet Access.

๐Ÿข Business Scenario

An enterprise requires a secure cloud environment to host its internal applications and databases. Deploying all servers on a public-facing network poses an unacceptable security risk. To mitigate this, the network architecture was designed to segregate servers into two distinct tiers:

  • Public Tier: Houses only resources that require direct inbound internet access (e.g., Load Balancers or Bastion Hosts).
  • Private Tier: Houses backend application servers and databases. This tier accepts no inbound connections from the internet but retains the ability to download external software updates, with its outbound traffic passing through a NAT Gateway rather than a direct internet route.

🚀 Implementation Steps

Phase 1: Network Scoping (VPC & Subnet Design)

  • Allocated a custom IPv4 CIDR block (10.0.0.0/16) for the Lab VPC and enabled DNS hostnames so that instances receive resolvable internal host names.
  • Partitioned the VPC into two subnets within the same Availability Zone:
    • Public Subnet (10.0.0.0/24): Configured to automatically assign public IPv4 addresses to launched instances.
    • Private Subnet (10.0.2.0/23): Designed with a larger capacity (512 IP addresses) to accommodate backend workloads, with public IP assignment disabled.
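As an added example (not part of the original lab write-up), the following Python script checks a subnet plan like the one above before anything is provisioned: each subnet must fall inside the VPC CIDR, be a valid network with no host bits set, stay within the prefix lengths AWS accepts, and not overlap any other subnet. It also reports how many addresses each subnet really offers, since AWS reserves five addresses per subnet, and which parts of the VPC remain free for future tiers. The CIDRs are the lab's own; the subnet names are assumed labels.

```python
"""Pre-provisioning check for a VPC subnet plan.

Added example, not code from the original lab write-up. The VPC and subnet
CIDRs are the ones the lab used; AWS_RESERVED_PER_SUBNET encodes the AWS rule
that every subnet loses five addresses (network address, VPC router, DNS
resolver, one reserved for future use, and the broadcast address).
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28  # AWS accepts subnet sizes from /16 to /28

# The lab's plan, embedded so the check runs offline (names are assumed labels).
LAB_VPC = "10.0.0.0/16"
LAB_SUBNETS = {
    "public": "10.0.0.0/24",
    "private": "10.0.2.0/23",
}


def usable_hosts(cidr):
    """Number of addresses instances can actually be given in this subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def validate_plan(vpc_cidr, subnets):
    """Return a list of problems; an empty list means the plan is sound."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems, parsed = [], {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.0/23),
            # which the AWS console rejects as well.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} lies outside the VPC {vpc_cidr}")
        if not AWS_MIN_PREFIX <= net.prefixlen <= AWS_MAX_PREFIX:
            problems.append(f"{name}: /{net.prefixlen} is outside the allowed /16../28 range")
        parsed[name] = net
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


def unallocated(vpc_cidr, subnets):
    """CIDR blocks of the VPC not yet assigned to any subnet (room to grow)."""
    free = [ipaddress.ip_network(vpc_cidr, strict=True)]
    for cidr in subnets.values():
        net = ipaddress.ip_network(cidr, strict=True)
        remaining = []
        for block in free:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))  # carve the subnet out
            else:
                remaining.append(block)
        free = remaining
    return [str(n) for n in sorted(ipaddress.collapse_addresses(free))]


if __name__ == "__main__":
    for name, cidr in LAB_SUBNETS.items():
        print(f"{name:8s} {cidr:15s} usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_plan(LAB_VPC, LAB_SUBNETS) or "none")
    print("free space:", unallocated(LAB_VPC, LAB_SUBNETS))
```

For the lab plan the script reports no problems, 251 usable hosts in the /24 and 507 in the /23, and shows 10.0.1.0/24 as the first free block left between the two subnets.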

Figure: AWS Custom VPC 1 (VPC and subnet layout)

Phase 2: Public Internet Connectivity (IGW & Route Tables)

  • Provisioned an Internet Gateway (IGW) and attached it to the custom VPC.
  • Engineered a Public Route Table, injecting a static route (0.0.0.0/0) that directs all internet-bound traffic to the IGW.
  • Explicitly associated the Public Subnet with this Public Route Table, establishing bidirectional internet connectivity for the public tier.

Phase 3: Secure Remote Administration (Bastion Host Provisioning)

  • Launched an Amazon EC2 instance (Amazon Linux 2023) within the Public Subnet to act as a Bastion Server (Jump Box).
  • Hardened the Bastion Server's Security Group to accept inbound SSH traffic (Port 22) only from authorized connection sources.

Phase 4: Private Outbound Internet Access (NAT Gateway)

  • Deployed a NAT Gateway within the Public Subnet and allocated it a static Elastic IP address.
  • Modified the Private Route Table to route all outbound internet traffic (0.0.0.0/0) from the Private Subnet to the NAT Gateway. This mechanism allows private instances to download external updates without exposing themselves to unsolicited inbound internet connections.

Phase 5: Connectivity Validation (SSH Jump & NAT Egress)

  • Launched a test instance (Private Instance) exclusively within the Private Subnet, configuring its Security Group to only accept inbound SSH connections originating from the internal VPC CIDR (10.0.0.0/16).
  • Performed the SSH jump: connected to the Bastion Host via EC2 Instance Connect, then opened a second SSH session from the bastion to the private IP address of the Private Instance.
  • Validated NAT Gateway functionality by executing a ping -c 3 google.com command from within the private instance, successfully verifying that ICMP echo responses were returned (proving the system could communicate with the outside world without holding a public IP). The replies come back through the NAT Gateway, which forwards ICMP as well as TCP and UDP; the test also relies on the private instance's Security Group keeping its default allow-all outbound rule, and the hostname is resolved by the VPC's own DNS resolver rather than over the internet.
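As an added example (not the lab's own code), the following Python script expresses the design from Phases 2 through 5 as a check that can be run over route-table and security-group descriptions: it resolves where each subnet's internet-bound traffic exits using the same longest-prefix match the VPC router applies, and it flags any security group that admits SSH from anywhere, or a private-tier group that admits SSH from outside the VPC CIDR. The two data structures are constructed to mirror the shape of aws ec2 describe-route-tables and aws ec2 describe-security-groups output (trimmed to the keys used); every resource ID is a placeholder, and the administrator source address is a TEST-NET-3 example value.

```python
"""Posture check for the two-tier VPC: which target carries each subnet's
internet-bound traffic, and which security groups admit SSH too widely.

Added example, not the lab's own code. ROUTE_TABLES and SECURITY_GROUPS are
constructed to mirror the shape of `aws ec2 describe-route-tables` and
`aws ec2 describe-security-groups` output, trimmed to the keys used here; all
resource IDs are placeholders and the admin source IP is a TEST-NET-3 address.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

ROUTE_TABLES = [
    {   # public tier: default route to the Internet Gateway
        "RouteTableId": "rtb-PUBLIC-PLACEHOLDER",
        "Associations": [{"SubnetId": "subnet-PUBLIC-PLACEHOLDER"}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
        ],
    },
    {   # private tier: default route to the NAT Gateway
        "RouteTableId": "rtb-PRIVATE-PLACEHOLDER",
        "Associations": [{"SubnetId": "subnet-PRIVATE-PLACEHOLDER"}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER"},
        ],
    },
]

SECURITY_GROUPS = [
    {"GroupId": "sg-BASTION-PLACEHOLDER", "GroupName": "bastion-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
    {"GroupId": "sg-PRIVATE-PLACEHOLDER", "GroupName": "private-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": VPC_CIDR}]}]},
]


def next_hop(route_table, destination):
    """Longest-prefix match over the table's routes, as the VPC router does."""
    dst = ipaddress.ip_address(destination)
    best_len, best_target = -1, None
    for route in route_table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dst in net and net.prefixlen > best_len:
            best_len = net.prefixlen
            best_target = route.get("GatewayId") or route.get("NatGatewayId")
    return best_target


def egress_targets(route_tables, probe="198.51.100.1"):
    """Map each explicitly associated subnet to the target carrying its internet traffic."""
    return {assoc["SubnetId"]: next_hop(rt, probe)
            for rt in route_tables
            for assoc in rt["Associations"] if "SubnetId" in assoc}


def ssh_sources(security_group):
    """IPv4 source ranges from which the group admits TCP port 22."""
    sources = []
    for perm in security_group["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):  # "-1" means all protocols
            continue
        if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            continue
        sources.extend(ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))
    return sources


def audit(route_tables, security_groups, private_subnets, private_sg_names, vpc_cidr=VPC_CIDR):
    """Return findings that break the two-tier design; an empty list means it holds."""
    findings = []
    targets = egress_targets(route_tables)
    for subnet in private_subnets:
        target = targets.get(subnet)
        if target is None:
            findings.append(f"{subnet}: no explicit route table association (falls back to the main table)")
        elif not target.startswith("nat-"):
            findings.append(f"{subnet}: internet traffic exits via {target}, expected a NAT gateway")
    vpc = ipaddress.ip_network(vpc_cidr)
    for sg in security_groups:
        for src in ssh_sources(sg):
            if src.prefixlen == 0:
                findings.append(f"{sg['GroupName']}: SSH admitted from anywhere ({src})")
            elif sg["GroupName"] in private_sg_names and not src.subnet_of(vpc):
                findings.append(f"{sg['GroupName']}: SSH admitted from {src}, outside the VPC")
    return findings


if __name__ == "__main__":
    print(egress_targets(ROUTE_TABLES))
    print(audit(ROUTE_TABLES, SECURITY_GROUPS, ["subnet-PRIVATE-PLACEHOLDER"], {"private-sg"}) or "no findings")
```

On the lab topology the audit returns no findings; swapping the private table's default route to the IGW, or widening either SSH rule, produces one finding per violation. A subnet with no explicit association is reported separately, because it silently inherits the main route table, which is a common way for a supposedly private subnet to gain a direct internet route.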

🎯 Results & Key Takeaways

  • Network Isolation (Defense in Depth): Successfully shielded backend compute infrastructure from direct public internet exposure, drastically reducing the overall attack surface.
  • Centralized Administrative Access: Implemented a Bastion Host architecture, providing a single, heavily monitored, and auditable entry point for managing private backend servers.
  • Precision Traffic Control: Demonstrated strong proficiency in manipulating Route Tables and Gateways (IGW & NAT) to dictate exact traffic flows in alignment with rigorous security architectures.