/ AWS

Creating a VPC with a Public and Private Subnet

This post covers the process of creating a VPC with two subnets within it. The first will be the public subnet, and will be used for hosts that have both public and private IPs assigned to them. The second subnet will be used as a backend subnet that will have hosts with only private IP addresses. For this example we will be using 192.168.90.0/24 as the private network and 192.168.91.0/24 as the public network.
The end result of all the work below is similar to the result you'd get from a few clicks in the VPC creation wizards, but hey... it is always nice to know what is actually going on - that way you know how to fix things when traffic wont flow.

Creating the VPC

Enter the name and one of the IPv4 CIDR blocks in the dialog below. We will add the second after the VPC is created.
CreateVPC
Once the VPC is created, you can add the second CIDR range. Select the VPC in the VPC table and then from the Actions menu select "Edit CIDRs" to open the edit CIDR window. From this window you can select "Add IPv4 CIDR" to add the second subnet. I've completed this task in the screenshot below.
Edit-CIDR

Creating Subnets

Next we will create the two subnets in the AWS Subnets section. Create one for each of the CIDR blocks we outlined above, the screenshot below shows the creation of the TestPublic Subnet.
CreateSubnet

Creating Gateways

We will create an Internet Gateway for the public subnet and a NAT gateway for the private one.

Internet Gateway

Go to the Internet Gateway Section and click "Create Internet Gateway" to create an unattached Internet Gateway. Once the Gateway is created, associate it with the VPC.

NAT Gateway

Go to the NAT Gateway section and you will create a NAT gateway for the Private Subnet. In the NAT Gateway dialog, you will select the public subnet... I almost always get this backwards when I'm not thinking about it. You want the private subnet to be able to get out, but the NAT gateway has to be in the public one so it has a way out. The machines in the private subnet can reach those in the public one, so it will work. You will also need to associate an EIP with the NAT gateway.
NAT-Gateway-3

Route Tables

We will need to create two route tables. The first route table will be used to give hosts in the public subnet a default route to an Internet Gateway. The second one will be used set up a default gateway in the private subnet pointing to a NAT Gateway so they can get patches and install software. There will already be a Route Table created for your VPC and this one could be repurposed for one of the subnets, it is the default one and will be in effect for any unassociated subnets. I prefer to leave it as is and create two new route tables for each subnet.
CreateRouteTable
After you create the Route Tables, you should see a list like the one below.
NAT-Gateway-1
Highlight the public Route Table and select the Routes tab. Click the Edit button and add a Default Route that points to the Internet Gateway your created earlier.
Default-Routes
Associate this Route Table with your public Subnet:
SubnetAssociation
Now, select the Private Route Table and edit the Routes to add a default route to the NAT Gateway.
NateGatewary
And, then associate this with the Private Subnet like you did above for the Public Subnet.