Hey! Learn about AWS NOW

How to Create an Isolated Network Using AWS VPC ?

Deepak Kushwaha's photo
Deepak Kushwaha
·

5 min read

Table of contents

Introduction

Amazon Web Services (AWS) provides a networking service called VPC (Virtual Private Cloud), which allows you to create a private, secure, and scalable cloud network. In this blog, we will discuss how to create an isolated network in AWS using VPC.

What is AWS VPC?

A Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you can define your own networking environment. Think of it as your private data center in the cloud.

With VPC, you can:

  • Control your network settings (IP addresses, routing, etc.).

  • Create public and private subnets.

  • Connect to the internet or keep your resources private.

Key Features of AWS VPC:

  1. Subnets – Divide your VPC into public and private sub-networks.

  2. Internet Gateway (IGW) – Allows public-facing resources to connect to the internet.

  3. NAT Gateway / NAT Instance – Enables private instances to access the internet securely.

  4. Route Tables – Controls how network traffic flows within the VPC.

  5. Security Groups & NACLs – Controls inbound/outbound traffic at the instance and subnet levels.

  6. VPC Peering – Connects multiple VPCs for intercommunication.

  7. AWS PrivateLink – Provides private access to AWS services without exposing them to the internet.

  8. VPC Endpoints – Connects AWS services privately within a VPC without using IGW or NAT.

What is an Isolated Network?

An isolated network is a VPC setup where instances do not have direct internet access. This is useful for secure workloads, such as databases or backend applications, that should not be exposed to the internet.

Step-by-Step Guide to Creating an Isolated Network in AWS

We will follow these steps:

  1. Create a VPC

  2. Create a Private Subnet

  3. Modify the Route Table to Block Internet Access

  4. Launch an EC2 Instance in the Private Subnet

  5. (Optional) Access the Private Instance Using a Bastion Host

Step 1: Create a VPC

  1. Open AWS Console → Go to VPC.

  2. Click "Create VPC".

  3. Choose VPC only.

  4. Enter:

    • Name: My-Isolated-VPC

    • IPv4 CIDR Block: 10.0.0.0/16

  5. Click "Create VPC".

Step 2: Create a Private Subnet

  1. Go to Subnets → Click "Create Subnet".

  2. Select My-Isolated-VPC.

  3. Enter:

    • Subnet Name: Private-Subnet-1

    • Availability Zone: Choose any (e.g., us-east-1a)

    • CIDR Block: 10.0.1.0/24

  4. Click "Create Subnet".

Step 3: Modify Route Table to Block Internet Access

  1. Go to Route Tables → Click "Create Route Table".

  2. Name it Private-Route-Table.

  3. Attach it to My-Isolated-VPC.

  4. Click "Create".

  5. Associate the Route Table with the Private Subnet:

    • Click on Private-Route-TableSubnet Associations.

    • Click Edit Subnet Associations → Select Private-Subnet-1.

    • Click Save.

Important: Do NOT attach an Internet Gateway (IGW) or NAT Gateway. This keeps it isolated.

Step 4: Launch an EC2 Instance in the Private Subnet

  1. Go to EC2 → Click Launch Instance.

  2. Select an AMI (e.g., Amazon Linux 2).

  3. Choose t2.micro (free-tier eligible).

  4. Networking Section:

    • VPC: My-Isolated-VPC

    • Subnet: Private-Subnet-1

    • Auto-assign Public IP: Disable

  5. Create or select a Security Group that allows private access.

  6. Click Launch.

Your EC2 instance is now running in an isolated network, meaning it cannot access the internet and is not accessible from the internet.

Step 5 (Optional): Access Private Instance Using a Bastion Host

Since your instance is in a private network, you cannot SSH directly. You need a Bastion Host (a publicly accessible instance that acts as a jump server).

Steps to Set Up a Bastion Host:

  1. Create another public subnet in the same VPC.

  2. Launch a new EC2 instance in the public subnet.

  3. Attach an Elastic IP to the Bastion Host.

  4. Use SSH Agent Forwarding or AWS Systems Manager (SSM) to connect securely to the private instance.

    Bonus —

1. What happens if I delete my default VPC?

Answer:
AWS allows you to delete the default VPC, but you cannot recreate it automatically. However, you can manually create a new VPC and configure it like the default VPC.

2. What is the difference between a Public and a Private Subnet?

Answer:

  • Public Subnet: Has direct internet access via an Internet Gateway (IGW).

  • Private Subnet: Has no direct internet access; used for internal applications, databases, etc. It can access the internet using a NAT Gateway.

3. How do you make an AWS VPC fully isolated?

Answer:
To create an isolated VPC:

  1. Do not attach an Internet Gateway (IGW).

  2. Do not use a NAT Gateway.

  3. Use private subnets only.

  4. Control inbound/outbound traffic with Security Groups and NACLs.

  5. If needed, use AWS Direct Connect or a VPN for private connectivity.

4. What is the difference between a Security Group and a NACL?

Answer:

FeatureSecurity GroupNetwork ACL (NACL)
Applies toEC2 instancesSubnets
Stateful?Yes (Tracks request-response)No (Rules apply individually)
Default RuleDeny all inbound, allow all outboundAllow all inbound & outbound
Rules EvaluationChecks all rulesEvaluates in order

Security Groups act as firewalls for instances, while NACLs act as firewalls for subnets.

5. How can instances in a private subnet connect to the internet?

Answer:
Instances in a private subnet cannot directly access the internet. However, they can connect via:

  • NAT Gateway/Instance – Allows outbound internet access.

  • VPC Endpoints – Connects privately to AWS services.

  • Bastion Host – A jump server in a public subnet for SSH access.

6. What is VPC Peering, and how does it work?

Answer:
VPC Peering allows two VPCs to communicate privately using AWS’s network. It is used when you want to share resources between VPCs without using the internet. Peering connections are one-to-one and must be manually configured in both VPCs.

Answer:
AWS PrivateLink enables private access to AWS services without exposing traffic to the internet. It is commonly used for connecting VPCs to AWS services like S3, DynamoDB, and custom applications.

Differences from VPC Peering:

  • VPC Peering: Enables direct private network communication between two VPCs.

  • PrivateLink: Connects services across VPCs using an AWS-managed endpoint.

8. Can you connect multiple VPCs together?

Answer:
Yes, you can connect multiple VPCs using:

  1. VPC Peering – For direct communication (1:1).

  2. Transit Gateway – A scalable solution for connecting multiple VPCs efficiently.

  3. PrivateLink – To expose services between VPCs without full peering.

AWSvpcVpc basics