Arjun had just landed his new role as a Cloud Security Engineer at a fintech startup. On Day 2, his manager dropped this on him:
“Build a secure AWS network. No public exposure. We want a private EC2 that can access the internet — but no one should SSH into it directly.”
No default VPCs.
No shortcuts.
Just pure control and clean architecture.
🧱 Step 1: Creating the Custom VPC
- Go to: VPC → “Create VPC”
- Choose: VPC only
- Name: arjun-custom-vpc
- CIDR block: 10.0.0.0/16
- Enable DNS support and hostnames ✅
Boom. A blank slate VPC, isolated from everything.
🌐 Step 2: Subnet Setup — Public and Private
Arjun wanted one EC2 exposed for SSH (the Bastion), and one locked inside (the target private EC2).
🔹 Public Subnet
- Name: public-subnet-1
- AZ: us-east-1a
- CIDR: 10.0.1.0/24
🔒 Private Subnet
- Name: private-subnet-1
- AZ: us-east-1a
- CIDR: 10.0.2.0/24
🛣️ Step 3: Route Table for Public Subnet + IGW
- Go to Internet Gateways → Create
- Name: arjun-igw → Attach to VPC
Then:
- Go to Route Tables → Create
- Name: public-rt → Associate with public-subnet-1
- Add route: 0.0.0.0/0 → Internet Gateway
✅ Now the public subnet has internet access.
🚪 Step 4: NAT Gateway for Private Subnet
- Allocate Elastic IP
- Go to NAT Gateway → Create
- Name: arjun-nat-gw
- Subnet: public-subnet-1
- EIP: the one you just created
Now:
- Create Route Table → private-rt
- Associate with private-subnet-1
- Add route: 0.0.0.0/0 → NAT Gateway
✅ Private subnet has outbound internet only (e.g., to download OS updates).
🧱 Step 5: Launch Two EC2 Instances
🔓 Bastion Host (Public EC2)
- Subnet: public-subnet-1
- Public IP: ✅ Yes
- Security Group: Allow SSH from your IP
- Key pair: arjun-key.pem
🔐 Private EC2
- Subnet: private-subnet-1
- Public IP: ❌ No
- Security Group: Allow SSH only from Bastion’s private IP
Arjun launched both using Amazon Linux 2.
🔑 Step 6: Security Groups Recap
| Instance | Access From | Port |
|---|---|---|
| Bastion Host | Your IP (e.g., home) | 22 |
| Private EC2 | Bastion Host private IP | 22 |

✅ Keep your networks tight. Don’t allow 0.0.0.0/0 into private servers.
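A quick way to verify the recap table against what is actually deployed is to audit the security group rules for SSH exposure. The following is an added example, not part of the original post: it runs the check over a constructed sample shaped like `aws ec2 describe-security-groups` output (the group IDs, names and the 203.0.113.7 admin address are made up), treating anything inside the 10.0.0.0/16 VPC or explicitly allow-listed as acceptable and flagging everything else.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields this check reads. IDs, names and addresses are invented.
SAMPLE_SGS = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0bastion", "GroupName": "bastion-sg", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "203.0.113.7/32"}]}]},
 {"GroupId": "sg-0private", "GroupName": "private-ec2-sg", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.1.25/32"}]}]},
 {"GroupId": "sg-0leaky", "GroupName": "leaky-sg", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # arjun-custom-vpc


def rule_opens_ssh(perm):
    """True if an ingress permission covers TCP/22, or all protocols and ports."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def find_ssh_exposures(sgs, allow_external=()):
    """Return (group name, rule, CIDR) for SSH rules reachable from outside
    the VPC, skipping CIDRs explicitly allowed (e.g. the admin IP for the bastion)."""
    allowed = {ipaddress.ip_network(c) for c in allow_external}
    findings = []
    for sg in sgs["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not rule_opens_ssh(perm):
                continue
            rule = "all" if perm["IpProtocol"] == "-1" else "tcp/22"
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                if net.subnet_of(VPC_CIDR) or net in allowed:
                    continue  # inside the VPC, or a deliberate exception
                findings.append((sg["GroupName"], rule, rng["CidrIp"]))
    return findings


if __name__ == "__main__":
    for name, rule, cidr in find_ssh_exposures(SAMPLE_SGS, ["203.0.113.7/32"]):
        print(f"EXPOSED: {name} allows {rule} from {cidr}")
```

Run against real output by replacing `SAMPLE_SGS` with `json.load(open("sgs.json"))` after saving the CLI result to that file; an empty result for the private instance's group is what the recap table expects.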
🛠️ Step 7: SSH into Private EC2 (Real-Life Steps)
Arjun tried SSH directly into the private EC2. It failed — obviously, no public IP.
So he followed the correct two-step SSH method:
🔹 7.1: SSH into Bastion Host
```bash
ssh -i arjun-key.pem ec2-user@<Bastion-Public-IP>
```
🔹 7.2: Upload Key to Bastion Host
From your local terminal:
```bash
scp -i arjun-key.pem arjun-key.pem ec2-user@<Bastion-Public-IP>:~/
```

| Part | What It Means |
|---|---|
| scp | Secure Copy – used to copy files securely between computers over SSH. |
| -i arjun-key.pem | This tells SCP to use your private key to authenticate when connecting to the Bastion host. |
| arjun-key.pem | This is the file you’re uploading to the Bastion host. |
| ec2-user@<Bastion-Public-IP> | This is the username and IP of your Bastion EC2 instance (use the real IP here). |
| :~/ | This means “put the file in the home directory of the EC2 user on that server.” |
✅ Real-World Meaning:
You’re saying: “Hey SCP, use this arjun-key.pem key to log into the Bastion EC2 instance, and then upload the same file arjun-key.pem into its home folder.”
🧠 Beginner Tips:
- You need to run this command from the same folder where the .pem file is located, or give the full path to the file, like ~/Downloads/arjun-key.pem. Example:
```bash
scp -i ~/Downloads/arjun-key.pem ~/Downloads/arjun-key.pem ec2-user@<Bastion-IP>:~/
```
- ec2-user is the default username for Amazon Linux instances. If you’re using Ubuntu, replace it with ubuntu.
🔹 7.3: Fix Permissions on Bastion Host
Once inside the Bastion:
```bash
chmod 400 arjun-key.pem
```
🔹 7.4: SSH into Private EC2 from Bastion Host
```bash
ssh -i arjun-key.pem ec2-user@<Private-EC2-IP>
```
✅ Arjun is now inside a fully private EC2. No public access. Full control.
🔐 What Did Arjun Just Build?
- A custom VPC with separate public/private subnets
- A NAT Gateway to allow safe outbound traffic
- A Bastion Host for SSH-based access into private EC2s
- Zero public exposure of sensitive servers
This is the foundation every secure AWS environment starts from.
🧠 Why It Matters (And Why Corporate Teams Love It)
- ✅ No direct SSH into prod EC2s
- ✅ All access is routed, logged, and controlled
- ✅ Easy to expand with ALB, RDS, S3 endpoints, etc.
- ✅ 100% AWS best practices