I remember when I wanted to learn about Cisco network gear a decade back, I used to think about renting the physical gear or even purchasing it, which is of course an expensive option. But when I started to learn about the cloud, getting hands-on became a lot cheaper. If you have never started with AWS you can try the AWS free tier for a whole year for free, and you will be able to start playing with things.
However, you need to be really careful when you start using the resources, because not everything in the free tier is free, and you will end up with a huge bill if you don’t know what you are doing.
In this blog, we are going to look at how you can set up a private and a public subnet in AWS, so that you can keep some hosts in the private subnet and others in the public zone.
One use case for this would be public-facing devices, such as firewalls, routers, load balancers, etc.
In the case of a firewall, the interface connected to the inside/trusted zone, where all the LAN users sit, can be part of the private subnet, and the interface connected to the outside/untrusted zone facing the internet can be part of the public subnet. The best example would be your internet connection at home, where the wifi is the private network and the cable that comes from the ISP into the wifi router/modem is the public side.
We are going to build a basic private and public subnet in AWS, after which you will be able to deploy your firewall or other network devices into it.
When you create an AWS free tier account there will be a default VPC using the class B address range 172.31.0.0/16; however, we are going to start from scratch, so we are all on the same page.
I have removed all the VPCs in my region and am going to start from VPC creation.
1. Create a VPC.
An AWS VPC is a virtual private cloud; you can think of it as a virtual datacenter where you pay for what you use. If you don’t use it there won’t be any charge for it.
For this lab, we are going to build a VPC with the CIDR block 10.100.0.0/16.
Whenever you create a VPC or a subnet, always make sure the range you choose doesn’t conflict with other VPCs or with your on-prem network.
Log in to AWS with an IAM user. Make sure you have the admin rights to manage VPC and EC2.
- In Services, open VPC.
- In the top right corner, choose your region.
- In the left-side menu pane, under Virtual private cloud, click on Your VPCs.
- Click on Create a VPC.
- Provide a user-friendly name.
- Enter the IPv4 CIDR; in our case we are going to use 10.100.0.0/16.
- Leave everything else to default and click on Create VPC.
2. Create private and public subnets.
Our objective is to create a private and a public subnet, so first we are going to create the private subnet range and then the public one.
- Click on Subnets under Virtual private cloud.
- Click on Create subnet.
- In the create subnet wizard, choose the VPC to attach the subnet to.
- Make sure you choose the right VPC; you can confirm by looking at the IPv4 CIDR, which is 10.100.0.0/16 in our case.
- In the first subnet section, enter the name Private-Subnet.
- You can associate each subnet with a different AZ; I am choosing the first AZ in my region.
- Enter the private IPv4 CIDR 10.100.0.0/20.
- To add the public subnet, click on Add new subnet.
- A second section (Subnet 2 of 2) appears; in it, enter the name Public Subnet.
- Choose the same AZ as the private zone.
Note: in some deployments you will be required to have multiple public and private subnets in different AZs; however, for a basic deployment two subnets in the same AZ should work fine.
- Enter the IPv4 CIDR 10.100.16.0/24.
- Click on Create subnet, which creates both the private and the public subnet in your VPC.
We just created our subnets, but that doesn’t mean you can start using them yet. You will need separate route tables to route packets within the VPC.
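As an added example (not from the original post), here is a quick check of the addressing plan used above, using Python's ipaddress module: it confirms the two subnets fit inside 10.100.0.0/16, don't overlap each other or the default VPC range, respect AWS's /16 to /28 subnet size limit, and counts the usable addresses after the five AWS reserves in every subnet. The 192.168.0.0/16 on-prem range is an assumed placeholder.

```python
import ipaddress

# Constructed addressing plan mirroring this post: VPC 10.100.0.0/16 with a
# private /20 and a public /24. The on-prem range is an assumed placeholder.
VPC_CIDR = "10.100.0.0/16"
SUBNETS = {"Private-Subnet": "10.100.0.0/20", "Public-Subnet": "10.100.16.0/24"}
EXTERNAL_RANGES = {"default VPC": "172.31.0.0/16", "on-prem (assumed)": "192.168.0.0/16"}

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5

def validate_plan(vpc_cidr, subnets, external):
    """Return a list of problems with the plan; an empty list means it is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    # The VPC must not collide with other VPCs or the on-prem network.
    for name, cidr in external.items():
        if vpc.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"VPC {vpc} overlaps {name} {cidr}")
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    # Every subnet must sit inside the VPC and be between /16 and /28 (AWS limits).
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name} {net} is not between /16 and /28")
    # Subnets inside one VPC must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

def usable_hosts(cidr):
    """Addresses actually available to instances in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def subnet_for(address, subnets):
    """Name of the subnet that contains the address, or None."""
    ip = ipaddress.ip_address(address)
    for name, cidr in subnets.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None
```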
3. Internet gateway.
For our public subnet to reach the internet you will have to have either a NAT gateway or an internet gateway. We are going to use an internet gateway for this purpose.
- Under Virtual Private cloud, click on Internet gateways.
- Click on Create internet gateway in the top right corner.
- Provide a user-friendly name and click on Create internet gateway.
Attach the internet gateway to the VPC.
- Select the internet gateway, click on Actions, and choose Attach to VPC.
- You will be asked to choose the VPC to attach; choose the right VPC and the internet gateway will now be attached to it.
Public IP allocation on the public subnet.
For hosts in the public subnet to get a public IP automatically, you also have to enable auto-assignment of public IPv4 addresses.
- Go back to Subnets, select the public subnet, click on Actions, and click on Edit subnet settings.
- Check the option that says Enable auto-assign public IPv4 address.
4. Route tables for public and private.
In networking, when you want to send packets between different subnets you need routes in place, and we are going to do just that here.
- Click on Route tables under Virtual Private cloud.
You can see we already have a route table here. We are going to make this the private route table.
- Edit the name and enter the name as Private-Route-Table and click on Save.
- You will now have to associate the private subnet we created earlier with the private route table, so click on Subnet associations.
- Under Explicit subnet association, click on Edit subnet association.
- Check the Private subnet and click on Save associations.
Note: the private route table is now complete. You can later add a default route here pointing to your NAT gateway, firewall, or another instance’s interface. That way all local traffic stays local and everything else is sent to an instance in the public subnet and out to the internet.
We will see at the end how we are going to access the private hosts via the public subnets.
Create a public route table.
- On the Route tables page, click on Create route table.
- In the name field, enter the name Public-Route-Table.
- Attach the VPC to the Route table.
- Associate Public Subnet.
- In the Subnet associations tab, under Explicit subnet associations, click on Edit subnet associations.
- Choose the public subnet here and click on Save associations.
Add the default route to the public route table.
The whole purpose of the public subnet is to route traffic to the internet and to keep internet-facing applications on the public side of the network.
Similar to how you configure a default route on a traditional network device, to send traffic out to the internet from the VPC we have to point the default route at the internet gateway we created earlier.
- Under the Routes tab, click on Edit routes.
- Click on Add route.
- To add the default route, choose 0.0.0.0/0 as the destination and point the target to the internet gateway.
- Click on Save changes.
That’s it; we have successfully created a public and a private subnet on AWS in the same availability zone. Let’s go ahead and test the connectivity.
6. Test the public and private subnet connectivity.
Any instance that you assign to the public subnet will be able to go out to the internet. But what about the private subnet?
A host in the private subnet can only communicate with devices in the private subnet unless you add a NAT gateway or internet gateway route for the private subnet; we can also keep a firewall in between and route the private subnet traffic through the firewall EC2 instance to the public network.
We can also use the public instance as the jump server.
Let’s see how we can spin up a public instance that will act as a jump server.
I just spun up an instance in the public subnet, and as you can see I can SSH into the host and it can reach the internet.
I can use this public host to access my private network now.
I just spun up another EC2 instance in the private zone.
The new private host got a dynamic private IP 10.100.10.180, and it doesn’t have any public IP because we have not enabled automatic public IP assignment on that subnet. That’s great.
From the public host (10.100.16.75) I tried to ping the private host (10.100.10.180); it worked just fine, so let me try SSH as well.
For that I need to have my SSH key transferred to the public host, and then I should be able to get in.
As you can see:
- I can SSH into the private host.
- However, the private host can’t access the internet.
You can create multiple instances in the private zone and access them from the public host, using it like a jump server.
One thing to keep in mind though: you should allow only a specific public IP to SSH into the public server; that way you can make sure only you can SSH into the public host and jump to the other private instances.
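An added example, not part of the original post, that turns two of the post's criteria into a check over constructed data: a subnet counts as public when its route table sends 0.0.0.0/0 to an internet gateway (step 4), and the jump host in the public subnet should accept SSH only from a specific IP (the advice just above). The route tables, security groups, instance ids and the 203.0.113.10 address are all made up; the rule dictionaries follow the shape of EC2 IpPermissions entries.

```python
# Constructed VPC state mirroring this post's lab; ids and 203.0.113.10 are placeholders.
ROUTE_TABLES = [
    {"id": "rtb-private", "subnets": ["subnet-private"],
     "routes": [{"dst": "10.100.0.0/16", "target": "local"}]},
    {"id": "rtb-public", "subnets": ["subnet-public"],
     "routes": [{"dst": "10.100.0.0/16", "target": "local"},
                {"dst": "0.0.0.0/0", "target": "igw-lab"}]},
]
# Security group ingress rules in the shape of EC2 IpPermissions entries.
SECURITY_GROUPS = {
    "sg-ssh-anywhere": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-ssh-my-ip": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}],
    "sg-ssh-from-public-subnet": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                   "IpRanges": [{"CidrIp": "10.100.16.0/24"}]}],
}
INSTANCES = [
    {"id": "i-jump-open", "subnet": "subnet-public", "sg": "sg-ssh-anywhere"},
    {"id": "i-jump-locked", "subnet": "subnet-public", "sg": "sg-ssh-my-ip"},
    {"id": "i-private-app", "subnet": "subnet-private", "sg": "sg-ssh-from-public-subnet"},
    # Open SSH rule but no internet route, so not reachable from outside.
    {"id": "i-private-sloppy", "subnet": "subnet-private", "sg": "sg-ssh-anywhere"},
]

def is_public_subnet(subnet_id, route_tables):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    for rt in route_tables:
        if subnet_id in rt["subnets"]:
            return any(r["dst"] == "0.0.0.0/0" and r["target"].startswith("igw-")
                       for r in rt["routes"])
    return False  # no association found in this constructed data

def ssh_open_to_world(rules):
    """True if any rule admits TCP/22 (or all traffic, IpProtocol -1) from 0.0.0.0/0."""
    for rule in rules:
        all_traffic = rule["IpProtocol"] == "-1"
        covers_22 = (rule["IpProtocol"] == "tcp"
                     and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535))
        if (all_traffic or covers_22) and any(
                r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
    return False

def internet_exposed_ssh(instances, route_tables, security_groups):
    """Ids of instances that sit in a public subnet and accept SSH from anywhere."""
    return [i["id"] for i in instances
            if is_public_subnet(i["subnet"], route_tables)
            and ssh_open_to_world(security_groups[i["sg"]])]
```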