Skip to content
Home » How to build a three-tier highly available Network VPC from Scratch in AWS

How to build a three-tier highly available Network VPC from Scratch in AWS

VPC and its components

Introduction

In this blog, we’re going to create a three-tier VPC network from scratch. We’ll start by building the VPC, building and attaching an Internet gateway, and building six different subnets inside our VPC:

  • Two DMZ layers
  • Two App layers
  • Two Database layers

Video Tutorial for building a VPC from scratch

Next, we’re going to split these pairs of subnets across two different Availability Zones — the bare minimum we always want to do for highly available and fault-tolerant architecture in AWS.

Then we’re going to create two different route tables:

  • A route to the Internet for our public subnets or subnets we want to have access to the open Internet.
  • A route to the NAT gateway so that anything placed in our private subnets will have a route to update software from the open Internet.

Finally, we’ll add some security to our subnets with three Network Access Control Lists (NACLs), which we’ll assign to our pairs of subnet layers.

Solution

Log in to the AWS Management Console using the credentials provided on the lab instructions page. Make sure you’re using the US-east-1 region.

Create a VPC

  1. Select All services.
  2. Click VPC under Networking & Content Delivery.
  3. In the left sidebar menu, click Your VPCs.
  4. Click Create VPC.
  5. Enter the following values for Create VPC:
    • Name tag: Enter prod-vpc.
    • Pv4 CIDR block range: Enter 10.10.0.0/16.
    • Leave the IPv6 CIDR block and Tenancy fields as their default values.
  6. Click Create VPC.

Creating Subnets in our VPC

1. First DMZ Layer

  1. In the left sidebar menu, click Subnets.
  2. Click Create subnet.
  3. Enter the following values for Create subnet:
    • VPC ID: Select prod-vpc.
    • Name tag: Enter DMZpublic1.
    • Availability Zone: Select US East (N. Virginia)/us-east-1a.
    • IPv4 CIDR block range: Enter 10.10.1.0/24.
  4. Click Create subnet.

2. Second DMZ Layer

  1. Click Create subnet.
  2. Enter the following values for Create subnet:
    • VPC ID: Select prod-vpc.
    • Name tag: Enter DMZpublic2.
    • Availability Zone: Select US East (N. Virginia)/us-east-1b.
    • IPv4 CIDR block range: Enter 10.10.2.0/24.
  3. Click Create subnet.

3. First App Layer

  1. Click Create subnet.
  2. Enter the following values for Create subnet:
    • PC ID: Select prod-vpc.
    • Name tag: Enter App-private1.
    • Availability Zone: Select US East (N. Virginia)/us-east-1a.
    • IPv4 CIDR block range: Enter 10.10.3.0/24.
  3. Click Create subnet.

4. Second App Layer

  1. Click Create subnet.
  2. Enter the following values for Create subnet:
    • VPC ID: Select prod-vpc.
    • Name tag: Enter App-private2.
    • Availability Zone: Select US East (N. Virginia)/us-east-1b.
    • IPv4 CIDR block range: Enter 10.10.4.0/24.
  3. Click Create subnet.

4. First Database Layer

  1. Click Create subnet.
  2. Enter the following values for Create subnet:
    • VPC ID: Select prod-vpc.
    • Name tag: Enter DB-private1.
    • Availability Zone: Select US East (N. Virginia)/us-east-1a.
    • IPv4 CIDR block range: Enter 10.10.5.0/24.
  3. Click Create subnet.

6. Second Database Layer

  1. Click Create subnet.
  2. Enter the following values for Create subnet:
    • VPC ID: Select prod-vpc.
    • Name tag: Enter DB-private2.
    • Availability Zone: Select US East (N. Virginia)/us-east-1b.
    • IPv4 CIDR block range: Enter 10.10.6.0/24.
  3. Click Create subnet.

NOTE: We’ve now created all six subnets. We should have three subnets each in the us-east-1a Availability Zone and the us-east-1b Availability Zone.)*

NOTE: Whether we labelled these subnets public or private doesn’t actually make them public or private — it’s just a naming construct. We’ll actually make them public or private in a bit when we route them to a public or private route table.

Create Internet Gateway

  1. In the left sidebar menu, click Internet Gateways.
  2. For the Name tag, enter “prod-vpc-IGW”.
  3. Click Create internet gateway.NOTE: Once it’s created, you’ll see its State says Detached. Even though it’s been created, it isn’t part of the VPC yet. Let’s fix that.
  4. Click Actions at the top of the screen.
  5. From the dropdown menu, click Attach to VPC.
  6. For Avaliable VPCs, select prod-vpc.
  7. Click Attach internet gateway.

NOTE: The state should now say Attached.

Creating NAT Gateway

Let’s create –

1. NAT Gateway

  1. In the left sidebar menu, click NAT Gateways(NOTE: If there’s one already in your account, you can ignore it; we’re still going to create a new one.)
  2. Click Create NAT Gateway.
  3. Enter the following for Create NAT gateway:
    • Name: Enter prod-NAT.
    • Subnet: Select DMZpublic2.
    • Connectivity type: Select Public.
    • Elastic IP allocation ID: Select Allocate Elastic IP.
  4. Click Create NAT gateway.

2. Public Route Table

  1. In the left sidebar menu, click Route Tables(NOTE: A route table will already exist — when we created the VPC, it created a default route table. But we’re going to create two new route tables.)
  2. Click Create route table.
  3. Enter the following for Create route table:
    • Name tag: Enter prod-vpc-public-route.
    • VPC: Select prod-vpc.
  4. Click Create route table.

3. Private Route Table

  1. Click Create route table.
  2. Enter the following for Create route table:
    • Name tag: Enter prod-vpc-private-route.
    • VPC: Select prod-vpc.
  3. Click Create route table.

On their own, route tables don’t do anything — we have to give them routes to something. For the public route table, we need to. For the private route table, we need to provide a route to the NAT gateway.

Provide Route from the Public Route Table to the Internet Gateway

  1. Select prod-vpc-public-route.
  2. Click on the Routes tab.
  3. Click Edit routes.
  4. Click Add route.
  5. For Target, select Internet Gateway.
  6. For Destination, select 0.0.0.0/0.
  7. Click Save changes.

We’ve now created a route from our public route table through the internet gateway into the open internet.

Provide Route from the Private Route Table to the NAT Gateway

  1. Select prod-vpc-private-route.
  2. Click on the Routes tab.
  3. Click Edit routes.
  4. Click Add route.
  5. For Target, select NAT Gateway.
  6. For Destination, select 0.0.0.0/0.
  7. Click Save changes.

Associate Public Subnets with the Public Route Table

  1. Click prod-vpc-public-route.
  2. Click on the Subnet associations tab.
  3. Click Edit subnet associations.
  4. Select the DMZpublic1 and DMZpublic2 subnets.
  5. Click Save associations.

Associate Private Subnets with the Private Route Table

  1. Click private-route.
  2. Click on the Subnet associations tab.
  3. Click Edit subnet associations.
  4. Select the following subnets:
    • App-private1
    • App-private2
    • DB-private1
    • DB-private2
  5. Click Save associations.

Now, anything placed inside the public route table has a route to the internet gateway, and anything placed inside the private route table has a route to the NAT gateway.

If we have databases or EC2 instances located inside these private subnets, they can get updates from the open internet by going through the NAT gateway, which provides an extra layer of security. Essentially, it’s a one-way street: The resources in the private subnets can access the open internet, but the open Internet cannot access the resources in the private subnets (unless we explicitly allow it).

We’re almost done with this lab. Before we wrap things up, let’s add another layer of security to our VPC by creating an NACL — a sort of firewall for controlling traffic in and out of one or more subnets — for each of our layers.

Createing Three NACLs and Associating them with Subnets

Lets create –

1. DMZ NACL

  1. In the left sidebar menu, click Network ACLs(NOTE: We should see a default NACL, similar to route tables. The default NACL was created when we created our VPC. But we’re going to create three new ones.)
  2. Click Create network ACL.
  3. For Name, enter DMZ-prod-vpc.
  4. For VPC, select prod-vpc.
  5. Click Create network ACL.

2. App NACL

  1. Click Create network ACL.
  2. For Name, enter APP-prod-vpc.
  3. For VPC, select prod-vpc.
  4. Click Create network ACL.

3. DB NACL

  1. Click Create network ACL.
  2. For Name, enter DB-prod-vpc.
  3. For VPC, select prod-vpc.
  4. Click Create network ACL.

Associate Subnets with NACLs

  1. Select DMZ-prod-vpc.
  2. Click on the Subnet associations tab.
  3. Click Edit subnet associations.
  4. Select the DMZpublic1 and DMZpublic2 subnets.
  5. Click Save changes.

NOTE: Now traffic coming in and out of these subnets will be subject to the inbound and outbound rules we set up on this particular NACL. We’re not going to set up any rules as part of this lab — right now, we’re just building the infrastructure and a shell we could put resources in.

Finish NACLs for the Remaining Layers

  1. Click APP-prod-vpc.
  2. Click on the Subnet associations tab.
  3. Click Edit subnet associations.
  4. Select the App-private1 and App-private2 subnets.
  5. Click Save changes.
  6. Click DMZ-prod-vpc.
  7. Click on the Subnet associations tab.
  8. Click Edit subnet associations.
  9. Select the DB-private1 and DB-private2 subnets.
  10. Click Save changes.

Conclusion

Congratulations! You’ve just built a three-tier VPC networking architecture inside AWS. For more such content please subscribe to our blog and our youtube channel.

Leave a Reply

Your email address will not be published. Required fields are marked *