How to setup a secure VPC on AWS

Emil Rowland
2 min read · Jun 14, 2021

This article will show a simple, secure network architecture that you can have up and running on AWS within one hour.

First up you need to decide if you want one VPC or multiple. For example, you can use multiple VPCs to more easily separate your management network from your app network. In this guide I will only use one VPC, but you can easily connect multiple VPCs with VPN or VPC Peering.

When you create your VPC you need to select a CIDR block for your network. Remember that you want to create multiple subnets on your network. For now we can select the CIDR block 10.1.0.0/16, which gives us plenty of addresses to work with.

After you have created your VPC I recommend creating a minimum of two subnets for the VPC: one for the private network and one for the public one, for example 10.1.0.0/24 for the private network and 10.1.1.0/24 for the public network. We will use these two subnets to secure our network. On the private network we can host all the machines that don't need a direct connection to the internet. On the public network we will host things like load balancers and small web servers.

All machines on the public network should have their own public IP and a direct route to an Internet Gateway on the VPC. Machines on the private network need a NAT to access the internet. To set up the NAT we have two choices: we can either use a NAT hosted by AWS or we can set one up ourselves on an EC2 machine on the public network. The choice here is between cost and performance. For small networks it will be more cost-efficient to use a small EC2 machine than the hosted NAT.

Once all of this is up and running you may want to have a VPN server on the public network so you can easily access all your machines. I would recommend setting up an EC2 instance with OpenVPN; there is a great guide on DigitalOcean on how to set up an OpenVPN server.

The only thing left now is to change the route tables for the subnets. The private subnet's route table should look something like this:

10.1.0.0/16 -> local, 0.0.0.0/0 -> (NAT or EC2 instance)

And if you have a VPN you would want to route the VPN's IPs back to the VPN server, for example 10.8.0.0/24 -> (VPN instance).

For the public network it would be almost the same, but instead of 0.0.0.0/0 pointing to the NAT you will point it to the Internet Gateway.
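The CIDR plan and the two route tables above are easy to get subtly wrong (a subnet outside the VPC block, overlapping subnets, a VPN client pool that collides with the VPC, or a private subnet whose default route accidentally points at the Internet Gateway). The following script, which is an added example and not code from the original post, checks both the subnet plan and the route tables offline using only Python's standard-library `ipaddress` module. It uses the article's CIDRs; the target labels `igw`, `nat` and `vpn` are placeholders for this example, and the route lookup models the longest-prefix-match rule that AWS route tables use.

```python
"""Plan and sanity-check the two-subnet VPC layout described in the article.

Added example (not from the original post). It talks to nothing: the route
tables are modelled locally so the checks run offline. The CIDRs are the
article's values; the targets "igw", "nat" and "vpn" are labels chosen here.
"""
import ipaddress

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5

VPC_CIDR = "10.1.0.0/16"
SUBNETS = {
    "private": "10.1.0.0/24",
    "public": "10.1.1.0/24",
}
VPN_CLIENT_CIDR = "10.8.0.0/24"  # the VPN client pool from the article

# Route tables as (destination, target) pairs. Targets are just labels here.
ROUTE_TABLES = {
    "private": [
        (VPC_CIDR, "local"),
        ("0.0.0.0/0", "nat"),
        (VPN_CLIENT_CIDR, "vpn"),
    ],
    "public": [
        (VPC_CIDR, "local"),
        ("0.0.0.0/0", "igw"),
        (VPN_CLIENT_CIDR, "vpn"),
    ],
}


def check_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems with the CIDR plan (empty means it is sound)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside the VPC {vpc}")
        if net.prefixlen < 16 or net.prefixlen > 28:
            problems.append(f"{name} {net}: AWS subnets must be between /16 and /28")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def usable_hosts(subnet_cidr):
    """Addresses left for instances once AWS's reserved ones are removed."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def lookup_route(table, dst_ip):
    """Longest-prefix match: the most specific matching destination wins."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def check_route_tables(tables, vpc_cidr, vpn_cidr):
    """Verify the article's routing rules for both subnets; return problems."""
    problems = []
    if ipaddress.ip_network(vpn_cidr).overlaps(ipaddress.ip_network(vpc_cidr)):
        problems.append("VPN client pool overlaps the VPC; pick a disjoint range")
    expected_default = {"private": "nat", "public": "igw"}
    for name, table in tables.items():
        if lookup_route(table, "10.1.1.10") != "local":
            problems.append(f"{name}: traffic inside the VPC must stay local")
        if lookup_route(table, "8.8.8.8") != expected_default[name]:
            problems.append(f"{name}: default route must go to {expected_default[name]}")
        if lookup_route(table, "10.8.0.5") != "vpn":
            problems.append(f"{name}: VPN client traffic must return via the VPN instance")
    return problems


if __name__ == "__main__":
    for name, cidr in SUBNETS.items():
        print(f"{name}: {cidr} ({usable_hosts(cidr)} usable addresses)")
    issues = check_subnet_plan(VPC_CIDR, SUBNETS)
    issues += check_route_tables(ROUTE_TABLES, VPC_CIDR, VPN_CLIENT_CIDR)
    print("OK" if not issues else "\n".join(issues))
```

Run it before you touch the console: an empty problem list means the plan matches the article's layout. To see it catch a mistake, change the private table's `0.0.0.0/0` target to `igw` and the script reports that the private default route no longer goes to the NAT and that VPN client traffic would leave through the Internet Gateway instead of the VPN instance.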

Now you should have a simple and secure network ready for your applications.
