Hands-On Lab

Build Your First AWS Virtual Private Cloud (VPC)

AWS network services

Welcome to this hands-on lab on AWS Network Services. In this guided lab, you will build the foundational networking block of the AWS Cloud: the Amazon Virtual Private Cloud (VPC). Just as physical servers require a local network, your cloud resources (like EC2 instances and RDS databases) require a VPC to communicate securely with each other and the internet.

Prerequisites

Before beginning this lab, ensure you have the following:

  • Time: Approximately 30 minutes
  • Cloud Provider Account: An active AWS Account
  • CLI Tools: AWS CLI installed and configured with your credentials (aws configure)
  • IAM Permissions: Access to create, modify, and delete VPC resources (e.g., AmazonVPCFullAccess policy)
  • Knowledge: Basic understanding of IPv4 CIDR notation (e.g., 10.0.0.0/16)

Learning Objectives

By completing this lab, you will be able to:

  1. Provision an isolated AWS Virtual Private Cloud (VPC) using a custom IPv4 CIDR block.
  2. Carve out a public Subnet for hosting internet-facing resources.
  3. Create and attach an Internet Gateway (IGW) to enable external connectivity.
  4. Configure a Route Table to direct subnet traffic to the public internet.
  5. Implement a Security Group acting as a stateful virtual firewall to filter incoming traffic.

Architecture Overview

Below is the logical architecture of the network you will build. Traffic from the internet flows through the Internet Gateway, is routed by the Route Table, and reaches your public subnet, governed by the rules of the Security Group.


Understanding CIDR Blocks in a VPC

When creating a VPC, you assign it an IPv4 block between /16 and /28 in size. You then divide this block into smaller subnets. Each subnet's CIDR must lie inside the VPC block and must not overlap any other subnet in that VPC, and AWS reserves five addresses in every subnet (the network address, the VPC router, the DNS resolver, one address held for future use, and the broadcast address), so a /24 subnet yields 251 assignable addresses, not 256.
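As an added illustration (not part of the original lab), the Python script below applies the same rules the AWS API enforces to a planned VPC block and its subnets: the VPC block must be between /16 and /28, every subnet must sit inside it, subnets must not overlap, and five addresses per subnet are reserved. The CIDRs are the lab's own plus a few constructed bad ones so the checks have something to reject.

```python
import ipaddress

# Constructed values: the lab's VPC block plus candidate subnets that exercise each check.
LAB_VPC_CIDR = "10.0.0.0/16"
LAB_SUBNET_CIDRS = ["10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24", "10.0.3.0/29"]
AWS_RESERVED_PER_SUBNET = 5  # network address, VPC router, DNS, reserved, broadcast


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Validate a VPC block and the subnets carved from it the way AWS does.

    Returns (usable, problems): usable maps each accepted subnet CIDR to the
    number of addresses you can actually assign to resources; problems lists
    why each rejected block was refused.
    """
    usable, problems, accepted = {}, [], []
    try:
        vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return usable, [f"VPC {vpc_cidr}: {exc}"]
    if not 16 <= vpc.prefixlen <= 28:
        return usable, [f"VPC {vpc_cidr}: prefix must be between /16 and /28"]

    for cidr in subnet_cidrs:
        try:
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{cidr}: not within VPC block {vpc_cidr} (InvalidSubnet.Range)")
            continue
        if net.prefixlen > 28:
            problems.append(f"{cidr}: smaller than /28, the minimum AWS subnet size")
            continue
        clash = next((other for other in accepted if net.overlaps(other)), None)
        if clash is not None:
            problems.append(f"{cidr}: overlaps already-planned subnet {clash}")
            continue
        accepted.append(net)
        usable[cidr] = net.num_addresses - AWS_RESERVED_PER_SUBNET
    return usable, problems


if __name__ == "__main__":
    usable, problems = plan_subnets(LAB_VPC_CIDR, LAB_SUBNET_CIDRS)
    for cidr, hosts in usable.items():
        print(f"OK   {cidr}: {hosts} usable addresses")
    for problem in problems:
        print(f"FAIL {problem}")
```

Only the lab's 10.0.1.0/24 survives: the /25 overlaps it, 192.168.0.0/24 is outside the VPC (the same condition that produces InvalidSubnet.Range in the troubleshooting table), and the /29 is below the /28 minimum.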


Step-by-Step Instructions

[!NOTE] Throughout these steps, you will see placeholders like <YOUR_VPC_ID>. You must replace these with the actual IDs returned by your CLI commands or seen in the console.

Step 1: Create the Virtual Private Cloud (VPC)

The VPC is the logical boundary for your network. We will create a VPC with the CIDR block 10.0.0.0/16.

```bash
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=brainybee-lab-vpc}]'
```

Note the VpcId in the JSON output (vpc- followed by 17 hexadecimal characters, e.g., vpc-0a1b2c3d4e5f67890).

Console alternative
  1. Navigate to the VPC Dashboard in the AWS Console.
  2. Click Your VPCs, then click the Create VPC button.
  3. Choose VPC only.
  4. Name tag: brainybee-lab-vpc
  5. IPv4 CIDR block: 10.0.0.0/16
  6. Click Create VPC.

Step 2: Create a Public Subnet

A VPC spans all Availability Zones in a region, but a subnet lives in exactly one Availability Zone (if you omit --availability-zone, AWS picks one for you). We will carve out a /24 block for our subnet. Note that "public" is only a label: what makes a subnet public is a route table that sends 0.0.0.0/0 to an Internet Gateway (Steps 3 and 4), and an instance in it is only reachable from the internet if it also has a public IPv4 address, either an Elastic IP or one assigned through the subnet's map-public-ip-on-launch attribute, which is off by default on subnets you create yourself.

```bash
aws ec2 create-subnet \
  --vpc-id <YOUR_VPC_ID> \
  --cidr-block 10.0.1.0/24 \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=brainybee-lab-public-subnet}]'
```

Note the SubnetId in the output.

Console alternative
  1. In the VPC Dashboard, navigate to Subnets and click Create subnet.
  2. Select your brainybee-lab-vpc from the dropdown.
  3. Subnet name: brainybee-lab-public-subnet
  4. IPv4 CIDR block: 10.0.1.0/24
  5. Click Create subnet.

Step 3: Create and Attach an Internet Gateway

By default, a new VPC is completely isolated. To allow internet access, we must create an Internet Gateway (IGW) and attach it to the VPC.

```bash
# 1. Create the IGW
aws ec2 create-internet-gateway \
  --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=brainybee-lab-igw}]'

# 2. Attach it to your VPC (replace the placeholders!)
aws ec2 attach-internet-gateway \
  --vpc-id <YOUR_VPC_ID> \
  --internet-gateway-id <YOUR_IGW_ID>
```

Console alternative
  1. Navigate to Internet Gateways and click Create internet gateway.
  2. Name tag: brainybee-lab-igw, then click Create.
  3. On the confirmation screen, click the Actions dropdown and select Attach to VPC.
  4. Select your VPC and click Attach internet gateway.

Step 4: Configure the Custom Route Table

A subnet uses a Route Table to determine where traffic should go. We will create a custom route table, add a route sending all external traffic (0.0.0.0/0) to the IGW, and associate it with our subnet.

```bash
# 1. Create a custom Route Table
aws ec2 create-route-table \
  --vpc-id <YOUR_VPC_ID> \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=brainybee-lab-rt}]'
# Note the RouteTableId from the output!

# 2. Create a route to the internet
aws ec2 create-route \
  --route-table-id <YOUR_RT_ID> \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id <YOUR_IGW_ID>

# 3. Associate the Route Table with our Subnet
aws ec2 associate-route-table \
  --subnet-id <YOUR_SUBNET_ID> \
  --route-table-id <YOUR_RT_ID>
```

Console alternative
  1. Navigate to Route Tables and click Create route table.
  2. Name tag: brainybee-lab-rt, select your VPC, and click Create.
  3. In the route table details, click the Routes tab, then Edit routes.
  4. Add route: Destination 0.0.0.0/0, Target Internet Gateway (select your IGW). Save.
  5. Click the Subnet associations tab, click Edit subnet associations.
  6. Select your brainybee-lab-public-subnet and click Save associations.

Step 5: Provision a Security Group

Security Groups act as a stateful virtual firewall attached to the network interfaces of your EC2 instances (and of other resources such as RDS). A new group has no inbound rules, so all inbound traffic is denied until you add one, and a single outbound rule that allows everything. We will create one that allows incoming web traffic (HTTP on port 80) from anywhere. Opening port 80 to 0.0.0.0/0 is appropriate for a public web server, but treat that source as the exception: administrative ports such as SSH (22) or RDP (3389) should be restricted to your own IP range or reached through a bastion host or AWS Systems Manager Session Manager, never exposed to the whole internet.

```bash
# 1. Create the Security Group
aws ec2 create-security-group \
  --group-name brainybee-web-sg \
  --description "Allow HTTP web traffic" \
  --vpc-id <YOUR_VPC_ID>
# Note the GroupId from the output!

# 2. Add an Inbound (Ingress) rule for HTTP
aws ec2 authorize-security-group-ingress \
  --group-id <YOUR_SG_ID> \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0
```

Console alternative
  1. Navigate to Security Groups and click Create security group.
  2. Security group name: brainybee-web-sg
  3. Description: Allow HTTP web traffic
  4. VPC: Ensure your brainybee-lab-vpc is selected.
  5. In Inbound rules, click Add rule. Type: HTTP, Source: Anywhere-IPv4 (0.0.0.0/0).
  6. Click Create security group.
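Putting the five steps together, here is an added example script (not from the lab page) that runs the same commands end to end, capturing each ID with --query/--output text so no placeholder has to be copied by hand. It uses the lab's names and CIDRs, assumes the AWS CLI is configured as in the prerequisites, and adds one thing the steps above leave out: enabling map-public-ip-on-launch on the subnet so instances launched there actually receive a public IPv4 address. The AWS variable exists so the script can be rehearsed against a stub command without credentials.

```shell
#!/bin/sh
# Added example: build the lab network end to end and print the IDs the teardown needs.
set -eu

AWS=${AWS:-aws}                       # the real CLI, or a stub command for a dry run
NAME_PREFIX=${NAME_PREFIX:-brainybee-lab}
VPC_CIDR=10.0.0.0/16
SUBNET_CIDR=10.0.1.0/24

# Build the --tag-specifications value for a resource type and Name suffix.
tag() { printf 'ResourceType=%s,Tags=[{Key=Name,Value=%s-%s}]' "$1" "$NAME_PREFIX" "$2"; }

build_lab_network() {
  local vpc_id subnet_id igw_id rt_id sg_id

  # Step 1: the VPC
  vpc_id=$($AWS ec2 create-vpc --cidr-block "$VPC_CIDR" \
      --tag-specifications "$(tag vpc vpc)" \
      --query 'Vpc.VpcId' --output text)

  # Step 2: the public subnet. map-public-ip-on-launch is not in the lab steps; without it
  # instances launched here get no public IPv4 address and the "public" subnet is unreachable.
  subnet_id=$($AWS ec2 create-subnet --vpc-id "$vpc_id" --cidr-block "$SUBNET_CIDR" \
      --tag-specifications "$(tag subnet public-subnet)" \
      --query 'Subnet.SubnetId' --output text)
  $AWS ec2 modify-subnet-attribute --subnet-id "$subnet_id" --map-public-ip-on-launch >/dev/null

  # Step 3: the Internet Gateway, attached to the VPC
  igw_id=$($AWS ec2 create-internet-gateway \
      --tag-specifications "$(tag internet-gateway igw)" \
      --query 'InternetGateway.InternetGatewayId' --output text)
  $AWS ec2 attach-internet-gateway --vpc-id "$vpc_id" --internet-gateway-id "$igw_id" >/dev/null

  # Step 4: a custom route table with a default route to the IGW, associated with the subnet
  rt_id=$($AWS ec2 create-route-table --vpc-id "$vpc_id" \
      --tag-specifications "$(tag route-table rt)" \
      --query 'RouteTable.RouteTableId' --output text)
  $AWS ec2 create-route --route-table-id "$rt_id" \
      --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw_id" >/dev/null
  $AWS ec2 associate-route-table --subnet-id "$subnet_id" --route-table-id "$rt_id" >/dev/null

  # Step 5: the security group. Inbound is deny-all until a rule is added; only TCP/80 is opened.
  sg_id=$($AWS ec2 create-security-group --group-name "${NAME_PREFIX}-web-sg" \
      --description "Allow HTTP web traffic" --vpc-id "$vpc_id" \
      --query 'GroupId' --output text)
  $AWS ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 80 --cidr 0.0.0.0/0 >/dev/null

  # Print the IDs as shell assignments; save them, the teardown section needs every one.
  printf 'VPC_ID=%s\nSUBNET_ID=%s\nIGW_ID=%s\nRT_ID=%s\nSG_ID=%s\n' \
      "$vpc_id" "$subnet_id" "$igw_id" "$rt_id" "$sg_id"
}

# Only build when asked, so the file can also be sourced for its functions.
case "${1:-}" in
  build) build_lab_network ;;
esac
```

Run it as `sh build-lab.sh build > lab-ids.env` and later `. ./lab-ids.env` to load the IDs for the teardown commands. Each create call uses --query with --output text so the variable holds just the ID, which is also the pattern to use in the Checkpoints section instead of reading JSON by eye.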

Checkpoints

Let's verify your configuration was successful before tearing down.

Checkpoint 1: Verify the VPC exists and is available

```bash
aws ec2 describe-vpcs \
  --filters "Name=tag:Name,Values=brainybee-lab-vpc" \
  --query "Vpcs[*].{ID:VpcId,State:State,CIDR:CidrBlock}" \
  --output table
```

Expected result: You should see your VPC ID with a State of available and the 10.0.0.0/16 CIDR block.

Checkpoint 2: Verify the Route to the Internet

```bash
aws ec2 describe-route-tables \
  --filters "Name=vpc-id,Values=<YOUR_VPC_ID>" \
  --query "RouteTables[*].Routes"
```

Expected result: The route table you created should contain a route whose DestinationCidrBlock is 0.0.0.0/0 and whose GatewayId starts with igw-. This query also returns the VPC's main route table, which lists only the local 10.0.0.0/16 route; that is expected, because you associated the custom table, not the main one, with your subnet.
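The two checkpoints verify the network by eye. As an added example (not part of the original lab), the Python below performs the same verification programmatically and adds the check a reviewer would want after Step 5: that no security group in the VPC exposes anything other than web ports to the whole internet. It runs on constructed describe-route-tables and describe-security-groups output embedded in the script, in which an extra SSH rule open to 0.0.0.0/0 was added only so the check has something to report; all IDs are made up. Pass two file paths saved from the real describe commands to run it against your own VPC.

```python
import json
import sys

WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"
LAB_SUBNET_ID = "subnet-0123456789abcdef0"  # constructed ID

# Constructed sample of `aws ec2 describe-route-tables` output: the VPC's main table
# (local route only) plus brainybee-lab-rt, associated with the public subnet.
ROUTE_TABLES_JSON = """{"RouteTables": [
 {"RouteTableId": "rtb-0aaaaaaaaaaaaaaaa", "VpcId": "vpc-0123456789abcdef0",
  "Associations": [{"Main": true, "RouteTableId": "rtb-0aaaaaaaaaaaaaaaa"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
 {"RouteTableId": "rtb-0bbbbbbbbbbbbbbbb", "VpcId": "vpc-0123456789abcdef0",
  "Associations": [{"Main": false, "SubnetId": "subnet-0123456789abcdef0",
                    "RouteTableAssociationId": "rtbassoc-0ccccccccccccccc"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"}]}
]}"""

# Constructed sample of `aws ec2 describe-security-groups`: the lab's port-80 rule plus one
# SSH rule open to the world, added here only so the check has something to flag.
SECURITY_GROUPS_JSON = """{"SecurityGroups": [
 {"GroupId": "sg-0123456789abcdef0", "GroupName": "brainybee-web-sg", "VpcId": "vpc-0123456789abcdef0",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
  "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}"""


def route_table_for_subnet(describe_output, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in describe_output["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_public_subnet(describe_output, subnet_id):
    """Public means the governing route table has an active 0.0.0.0/0 route to an igw-."""
    rt = route_table_for_subnet(describe_output, subnet_id)
    if rt is None:
        return False
    return any(r.get("DestinationCidrBlock") == WORLD_V4
               and r.get("GatewayId", "").startswith("igw-")
               and r.get("State") == "active"
               for r in rt.get("Routes", []))


def world_exposed_ports(describe_output, allowed_tcp_ports=(80, 443)):
    """List (group_id, protocol, port_range) for ingress rules open to the whole internet
    on anything other than the allowed web ports."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            open_v4 = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
            open_v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
            if not (open_v4 or open_v6):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":  # all protocols and ports
                findings.append((sg["GroupId"], "all", "all"))
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if proto == "tcp" and lo is not None and all(p in allowed_tcp_ports for p in range(lo, hi + 1)):
                continue  # web port deliberately exposed, as in Step 5
            findings.append((sg["GroupId"], proto, f"{lo}-{hi}"))
    return findings


def audit_lab(route_tables_json=ROUTE_TABLES_JSON, security_groups_json=SECURITY_GROUPS_JSON,
              subnet_id=LAB_SUBNET_ID):
    return {"public_subnet": is_public_subnet(json.loads(route_tables_json), subnet_id),
            "world_exposed": world_exposed_ports(json.loads(security_groups_json))}


if __name__ == "__main__":
    if len(sys.argv) == 4:  # route-tables.json security-groups.json subnet-id
        with open(sys.argv[1]) as rt, open(sys.argv[2]) as sg:
            print(json.dumps(audit_lab(rt.read(), sg.read(), sys.argv[3]), indent=2))
    else:
        print(json.dumps(audit_lab(), indent=2))
```

On the sample it reports the subnet as public and flags the SSH rule; the lab's own port-80 rule is accepted because 80 is in the allowed web-port list. Checking State is deliberate: a route whose target has been detached shows as blackhole, and that subnet is no longer public even though the 0.0.0.0/0 entry is still there.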

Clean-Up / Teardown

[!WARNING] It is crucial to clean up cloud resources. Everything built in this lab is free, but a forgotten VPC clutters the account and makes it easy to attach billable resources (NAT Gateways, EC2 instances) to it later. You must delete VPC resources in a specific order, from the inside out, because AWS refuses to delete a resource that something else still depends on (DependencyViolation).

Run the following commands, replacing the placeholders with your actual resource IDs.

1. Delete the Security Group

```bash
aws ec2 delete-security-group --group-id <YOUR_SG_ID>
```

2. Delete the Route Table. A route table cannot be deleted while it is associated with a subnet, so disassociate it first; the association ID is the RouteTableAssociationId listed under Associations in the describe-route-tables output for your route table. (The VPC's main route table cannot be deleted at all; it is removed with the VPC in the last step.)

```bash
aws ec2 disassociate-route-table --association-id <YOUR_ASSOCIATION_ID>
aws ec2 delete-route-table --route-table-id <YOUR_RT_ID>
```

3. Detach and Delete the Internet Gateway

```bash
aws ec2 detach-internet-gateway --internet-gateway-id <YOUR_IGW_ID> --vpc-id <YOUR_VPC_ID>
aws ec2 delete-internet-gateway --internet-gateway-id <YOUR_IGW_ID>
```

4. Delete the Subnet

```bash
aws ec2 delete-subnet --subnet-id <YOUR_SUBNET_ID>
```

5. Delete the VPC

```bash
aws ec2 delete-vpc --vpc-id <YOUR_VPC_ID>
```

Troubleshooting

If you run into issues, check this matrix of common errors and solutions:

| Common Error | Cause | Fix |
|---|---|---|
| VpcLimitExceeded | You have reached the maximum number of VPCs allowed in this region (default is 5). | Delete an unused VPC or switch to a different AWS Region. |
| InvalidSubnet.Range | The CIDR block you specified for the subnet is not within the VPC's CIDR block. | Ensure the subnet CIDR (10.0.1.0/24) falls within the VPC CIDR (10.0.0.0/16). |
| DependencyViolation during teardown | You are trying to delete a resource that is still attached to or used by another resource. | Follow the exact teardown order provided above. AWS requires you to delete resources from the "inside out". |
| InvalidGroup.NotFound | The security group ID provided does not exist in the region. | Verify you are using the correct sg-XXXXX ID and are querying the correct AWS Region. |

Concept Review

To solidify your understanding for the AWS Cloud Practitioner exam, let's compare two closely related networking components you will encounter when working with VPCs:

| Feature | Security Groups (SG) | Network Access Control Lists (NACL) |
|---|---|---|
| Level of Operation | Instance level (attached to the network interface of an EC2 instance, RDS database, etc.) | Subnet level (every resource in the subnet) |
| Statefulness | Stateful: return traffic is automatically allowed, regardless of rules. | Stateless: return traffic must be explicitly allowed by rules (including ephemeral ports). |
| Rule Types | Supports allow rules only. | Supports both allow and deny rules. |
| Evaluation | All rules are evaluated before deciding to allow traffic. | Rules are evaluated in numerical order (lowest to highest); the first match wins. |

By deploying this lab, you have practically applied the core definitions of AWS network isolation. This foundation paves the way for advanced topics like Route 53 DNS routing and AWS CloudFront content delivery!
