my notes: setting up custom VPC on AWS

  • AZ names on AWS are randomised per account: us-east-1a in one AWS account could map to a different physical AZ than us-east-1a in another AWS account.
  • Subnet cannot span AZ. 1 subnet can only exist in 1 AZ.
  • Auto assign public IP is not enabled by default
  • There are only 251 available addresses in a /24 subnet, although a /24 block nominally contains 256 addresses (refer to CIDR.xyz). The allowed block size is between /16 (65,536 addresses) and /28 (16 addresses). The 5 missing IP addresses are reserved by Amazon: the network address, the VPC router, the DNS server, one for future use and the network broadcast address.
  • 1 VPC can only be attached to 1 IGW. IGW is designed to be HA.
  • Keep default RT private and create a separate public RT.
  • When launching the instance, select the custom VPC under Network and the public subnet under Subnet. Since it is a public subnet, Auto-assign Public IP will be Enabled, and the instance will therefore have a public IPv4 address.
  • Configure Security Group for instance. Use either the default security group (created together with the custom VPC) or set up a new security group (SG1).
  • Security Groups do not span VPC.
  • Allow the SSH and HTTP ports to communicate with the internet.
  • A NAT instance is a single EC2 instance and is not HA. It is placed behind a security group in the public subnet and can become a bottleneck when a high volume of traffic traverses it. HA can, however, be achieved using autoscaling groups, multiple subnets in different AZs, or a script to automate failover. Source/destination checks (turned on by default for every EC2 instance) will need to be disabled, as the NAT instance is not the source or destination of any traffic; it merely forwards it (acting as a gateway/bridge to the IGW).
  • A NAT gateway is preferred as it is HA. Patching is not required and it is not associated with any security group. It is automatically assigned a public IP address and does not need source/destination checks disabled. Only the steps to set up a NAT gateway are discussed here.
  • Each NAT gateway is tied to 1 AZ. If all AZs share 1 NAT gateway, failure of that single AZ could cause the other AZs to lose internet connectivity. Therefore, it is advisable to create an AZ-independent architecture with a NAT gateway in each AZ.
  • Each NACL can be associated with multiple subnets, but 1 subnet can be associated with only 1 NACL at a time.
  • All subnets are associated with the default NACL when created, or whenever they are not explicitly associated with another NACL.
  • NACL is evaluated before security groups and denied traffic in NACL will not reach security group.
  • Port 80 HTTP
  • Port 443 HTTPS
  • Port 22 SSH
  • Port 1024–65535 Ephemeral (short-lived) ports used by NAT gateway
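As an added example that is not part of these notes, the Python below models the three behaviours from the bullets above: the NACL is evaluated before the security group, NACL rules are stateless and first-match by rule number, and replies coming back through the NAT gateway arrive on the ephemeral range 1024–65535. The rule tables are constructed sample data, not a dump from any real account.

```python
"""Model of NACL-then-SG evaluation for a private subnet behind a NAT gateway."""
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # return-traffic ports used by the NAT gateway


@dataclass(frozen=True)
class Rule:
    number: int   # NACL rules are evaluated in ascending rule-number order
    ports: tuple  # inclusive (low, high) destination port range
    action: str   # "allow" or "deny"


def nacl_verdict(rules, port):
    """Stateless: the first rule whose range matches wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.ports[0] <= port <= rule.ports[1]:
            return rule.action
    return "deny"


def sg_allows(inbound_ports, port, is_return_traffic):
    """Stateful: replies to flows the instance initiated are accepted regardless of rules."""
    if is_return_traffic:
        return True
    return any(lo <= port <= hi for lo, hi in inbound_ports)


def packet_reaches_instance(nacl_inbound, sg_inbound, port, is_return_traffic=False):
    """Traffic denied by the NACL never reaches the security group."""
    if nacl_verdict(nacl_inbound, port) == "deny":
        return False
    return sg_allows(sg_inbound, port, is_return_traffic)


# Constructed sample: a NACL that allows the three service ports but forgets the
# ephemeral range, so replies relayed by the NAT gateway are dropped.
NACL_NO_EPHEMERAL = [
    Rule(100, (80, 80), "allow"),
    Rule(110, (443, 443), "allow"),
    Rule(120, (22, 22), "allow"),
]
NACL_WITH_EPHEMERAL = NACL_NO_EPHEMERAL + [Rule(130, EPHEMERAL, "allow")]
SG_INBOUND = [(22, 22)]  # instance SG: only SSH inbound

if __name__ == "__main__":
    reply_port = 40000  # reply to an outbound HTTPS request
    print(packet_reaches_instance(NACL_NO_EPHEMERAL, SG_INBOUND, reply_port, True))    # False
    print(packet_reaches_instance(NACL_WITH_EPHEMERAL, SG_INBOUND, reply_port, True))  # True
    print(packet_reaches_instance(NACL_WITH_EPHEMERAL, SG_INBOUND, 22))  # True
    print(packet_reaches_instance(NACL_WITH_EPHEMERAL, SG_INBOUND, 80))  # False
```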

Cheryl