AWS VPC Architecture


Deploy a Modular and Scalable Virtual Network Architecture with Amazon VPC.


  1. You must have an AWS account to create infrastructure resources in the AWS cloud.
  2. Source Code


Install and configure the application dependencies listed below on an AWS EC2 instance and create the Golden AMI from it.

  1. AWS CLI
  2. Install Apache Web Server
  3. Install Git
  4. Cloudwatch Agent
  5. Push custom memory metrics to Cloudwatch.
  6. AWS SSM Agent

VPC Deployment

  1. Build the VPC network ( ) for the Bastion Host deployment as per the architecture shown above.
  2. Build the VPC network ( ) for deploying the Highly Available and Auto Scalable application servers as per the architecture shown above.
  3. Create a NAT Gateway in the Public Subnet and update the Route Table associated with the Private Subnet to route default traffic to the NAT Gateway for outbound internet connectivity.
  4. Create a Transit Gateway and associate both VPCs with it for private communication between the VPCs.
  5. Create an Internet Gateway for each VPC and update the Route Table associated with the Public Subnet to route default traffic to the IGW for inbound/outbound internet connectivity.
  6. Create a Cloudwatch Log Group with two Log Streams to store the VPC Flow Logs of both VPCs.
  7. Enable Flow Logs for both VPCs, push the Flow Logs to the Cloudwatch Log Group and store the logs in the respective Log Stream for each VPC.
  8. Create a Security Group for the bastion host allowing port 22 from the public internet.
  9. Deploy the Bastion Host EC2 instance in the Public Subnet with an EIP associated.
  10. Create an S3 Bucket to store application-specific configuration.
  11. Create a Launch Configuration with the following configuration:
    1. Golden AMI
    2. Instance Type – t2.micro
    3. Userdata to pull the code from the Bitbucket Repository to the document root folder of the webserver and start the httpd service.
    4. IAM Role granting access to Session Manager and to the S3 bucket created in the previous step to pull the configuration. (Do not grant S3 Full Access.)
    5. Security Group allowing port 22 from the Bastion Host and port 80 from the public internet.
    6. Key Pair
  12. Create an Auto Scaling Group with Min: 2 and Max: 4, with two Private Subnets associated, one in the 1a zone and one in the 1b zone.
  13. Create a Target Group and associate it with the ASG.
  14. Create a Network Load Balancer in the Public Subnet and add the Target Group as its target.
  15. Update the Route 53 hosted zone with a CNAME record routing the traffic to the NLB.
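Step 11.4 asks for an instance role that grants Session Manager access and read access to the configuration bucket only. The following added example (not part of the course material) builds such a scoped inline policy for a constructed placeholder bucket name and checks a policy document for the over-broad S3 grants the step warns against; Session Manager access itself comes from attaching the AWS-managed AmazonSSMManagedInstanceCore policy alongside it.

```python
"""Least-privilege instance role policy for the launch configuration (step 11.4).
Added example, not part of the course material. The bucket name is a constructed
placeholder; attach the AWS-managed AmazonSSMManagedInstanceCore policy for Session Manager."""

BUCKET = "example-app-config-bucket"  # constructed placeholder

def config_bucket_policy(bucket: str) -> dict:
    """Read-only access to one configuration bucket: list the bucket, get its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListConfigBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ReadConfigObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }

def overbroad_s3_grants(policy: dict) -> list:
    """Return the Sids of Allow statements that grant more S3 access than the step permits:
    wildcard actions (s3:* or *), write/delete actions, or a Resource not tied to a bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM accepts a string or a list for Action and Resource; normalize to lists.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        s3_actions = [a.lower() for a in actions if a == "*" or a.lower().startswith("s3:")]
        if not s3_actions:
            continue  # statement does not touch S3 (e.g. the SSM permissions)
        wildcard = any(a in ("*", "s3:*") for a in s3_actions)
        writes = any(a.startswith(("s3:put", "s3:delete")) for a in s3_actions)
        unbounded = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if wildcard or writes or unbounded:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```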


  1. As the DevOps Engineer, log in to the Private Instances via the Bastion Host.
  2. Log in to AWS Session Manager and access the EC2 shell from the console.
  3. Browse the web application from a browser on the public internet using the domain name and verify that the page loads.
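The Flow Logs enabled in step 7 of the deployment record the bastion logins made during this validation. As an added example (not from the project), the following parses constructed default-format VPC Flow Log records and groups inbound TCP flows to a placeholder bastion address by action and destination port, showing the accepted SSH sessions alongside the connections the bastion security group rejected.

```python
"""Summarize inbound traffic to the bastion from VPC Flow Log records.
Added example, not part of the course material. Sample lines are constructed in the
default flow log format (version 2); the bastion IP and account id are placeholders."""
from collections import Counter
from dataclasses import dataclass

BASTION_IP = "10.0.1.10"  # constructed placeholder for the bastion's private address

# Constructed records. Default v2 fields: version account-id interface-id srcaddr
# dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51514 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.10 40111 22 6 18 3900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.10 40112 3389 6 1 60 1700000010 1700000070 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.10 40113 23 6 1 60 1700000020 1700000080 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.1.2.15 39000 22 6 15 3100 1700000030 1700000090 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000040 1700000100 - NODATA
"""

@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int  # IANA protocol number; 6 is TCP
    action: str    # ACCEPT or REJECT

def parse_flow_logs(text: str) -> list:
    """Parse default-format records, skipping NODATA/SKIPDATA lines whose fields are '-'."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        records.append(FlowRecord(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), f[12]))
    return records

def inbound_to_bastion(records, bastion_ip: str) -> dict:
    """Group inbound TCP flows to the bastion as {(action, dstport): Counter of srcaddr}.
    Rejected ports show the security group doing its job; accepted port 22 lists SSH sources."""
    summary = {}
    for r in records:
        if r.dstaddr == bastion_ip and r.protocol == 6:
            summary.setdefault((r.action, r.dstport), Counter())[r.srcaddr] += 1
    return summary
```

The bastion's own outbound SSH to a private instance (the fifth sample line) is deliberately left out of the inbound summary; a similar grouping on srcaddr would cover it.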


Follow the LINK to get the complete solution to this project.

Follow the LINK to get the project documentation.

Follow the LINK to get the configuration files used in this project.

© Edwiki Trainings – Click HERE if you are interested in learning more about the Cloud & DevOps stack.

  1. The Customer Gateway (CGW) and VPN shown in the architecture are for connecting to the AWS VPC using a private tunnel. You can ignore them in the deployment, as a CGW is required to set up the VPN at the on-prem datacenter side.

  2. I’ve been able to successfully complete all parts of the assignment. This was an all-encompassing lab (thanks PR!) that required me to do some research on creating the appropriate routes for the transit gateway. I will try to put my console snapshots together for anyone interested.

  3. I am not able to add/select the NAT GW while adding a route to the private subnet route table in VPC-2 ( ), since we have to create the NAT GW in the public subnet ( ). Could you please suggest?

    1. The NAT Gateway and the Route Table must be in the same VPC. You might have created the two resources in different VPCs. Check once again and make sure the resources are in the same VPC.

      1. In this scenario the NAT GW and the private subnet route table belong to different VPCs, so how do we implement routing of default traffic to the NAT GW for outbound internet in VPC-2?

        1. You need to put a route in the private route table with the NAT gateway as the target. If you don’t see the NAT GW, as PR mentioned, you most likely created the NAT GW in a different VPC. Check my GitHub repo.

          You will find an image of the routing rules for the private route table with the NAT GW as target. There are screenshots of all configurations in a PDF and DOC file that might help with comparing your work.

  4. I have been able to complete all steps of the assignment. Thanks for including new concepts (TGW, NAT Gateway, ASG, VPC Flow Logs) in the assignment. It improves confidence in exploring and implementing new things.

  5. Userdata to pull the code from Bitbucket Repository to document root folder of webserver and start the httpd service.

    — In the above point, we can add the git commands in the launch configuration, right?

  6. It was a task worth taking on. The first time I didn’t quite get all the resources to work, but I was successful the second time. I’m happy.
