
How to configure a private subnet in AWS VPC

Create a VPC with a private subnet and a public subnet, attach an internet gateway to the public subnet, and route the private subnet's outbound traffic through a NAT gateway so that internal resources stay unreachable from the internet.

Roy S
Updated 18h ago

You will create a Virtual Private Cloud (VPC) and add a private subnet to it, together with the public subnet and NAT gateway that give the private subnet outbound-only internet access. This guide targets the AWS Management Console and the AWS CLI on any operating system. You will configure route tables and launch an instance to verify connectivity.

Prerequisites

  • An active AWS account and an IAM identity (user or role) with permissions to manage VPC and EC2 resources. Do not use the account root user for day-to-day work.
  • AWS CLI version 2.x installed and configured (optional for CLI steps).
  • A budget for the NAT gateway: the VPC, subnets and route tables are free, but a NAT gateway and its Elastic IP are billed per hour plus per GB processed for as long as they exist. Delete them when you are done.
  • Basic familiarity with the AWS Management Console.

Step 1: Create a new VPC

Log in to the AWS Management Console and navigate to the VPC Dashboard. Click "Create VPC", choose "VPC only", and enter a name like "MyPrivateVPC". Set the IPv4 CIDR block to 10.0.0.0/16 to provide a large address space. Leave Amazon DNS support enabled so that DNS resolution works for instances; after creation, also enable DNS hostnames under "Actions" > "Edit VPC settings", since they are off by default in a non-default VPC.


Name: MyPrivateVPC
IPv4 CIDR block: 10.0.0.0/16
Amazon DNS support: Enabled

Click "Create VPC". The new VPC appears in the list with a state of "Available".

Step 2: Create a private subnet

Click on the VPC you just created to open its details page. Select "Subnets" in the left navigation menu and click "Create subnet". Choose "MyPrivateVPC" as the VPC ID, enter a name like "Private-Web-Subnet", and choose an Availability Zone such as us-east-1a. Set the IPv4 CIDR block to 10.0.1.0/24. This range is inside your VPC CIDR. A new subnet is associated with the VPC's main route table, which carries only the local 10.0.0.0/16 route, so it has no path to the internet until you give it one; what makes a subnet "private" is that it never gets a route to the internet gateway.


Subnet Name: Private-Web-Subnet
Availability Zone: us-east-1a
IPv4 CIDR block: 10.0.1.0/24
VPC: MyPrivateVPC

Click "Create subnet". The new subnet appears in the list. Repeat the process to create the public subnet that will host the NAT gateway: name it "Public-NAT-Subnet", keep the same Availability Zone (us-east-1a), because a NAT gateway is zonal and should sit in the same zone as the private subnet it serves, and use CIDR 10.0.2.0/24. For a second Availability Zone such as us-east-1b you would repeat the whole pair: a private subnet plus a public subnet with its own NAT gateway.

Step 3: Create an Internet Gateway and a NAT Gateway

An internet gateway gives a VPC a path to the internet, but only subnets whose route table points to it can use it, and those subnets are public by definition. A private subnet must not route to the internet gateway. Instead it reaches the internet through a NAT gateway that lives in the public subnet: outbound connections from private instances are translated to the NAT gateway's Elastic IP, and nothing on the internet can initiate a connection back to them. Click "Internet gateways" in the left navigation and click "Create internet gateway". Name it "PublicIGW".


Internet Gateway Name: PublicIGW

Click "Create internet gateway". Once created, select the gateway and choose "Actions" > "Attach to VPC". Select your VPC "MyPrivateVPC" from the dropdown and click "Attach". The gateway state changes to "Attached".

Now click "NAT gateways" in the left navigation and click "Create NAT gateway". Name it "PrivateNAT", select "Public-NAT-Subnet", keep the connectivity type "Public", and click "Allocate Elastic IP" to give it a public address.


NAT Gateway Name: PrivateNAT
Subnet: Public-NAT-Subnet
Connectivity type: Public
Elastic IP: newly allocated

Click "Create NAT gateway". It takes a few minutes to reach the "Available" state, and billing starts as soon as it exists.

Step 4: Configure the route table

By default, the VPC has a main route table with only the local route, and every subnet without an explicit association uses it. You will create two custom route tables: one for the public subnet that points at the internet gateway, and one for the private subnet that points at the NAT gateway. Click "Route tables" in the left navigation and click "Create route table". Name it "PublicRouteTable" and select your VPC from the dropdown.


Route Table Name: PublicRouteTable
VPC: MyPrivateVPC

Click "Create route table". Select the new route table, open the "Routes" tab and click "Edit routes". Add a route with Destination "0.0.0.0/0" and Target "Internet Gateway" > "PublicIGW". Click "Save changes". Any subnet associated with this table is a public subnet.

Repeat to create "PrivateRouteTable" in the same VPC. Edit its routes and add Destination "0.0.0.0/0" with Target "NAT Gateway" > "PrivateNAT". Click "Save changes". This table must never contain a route to the internet gateway; if it does, the subnet is no longer private.


Route Table Name: PrivateRouteTable
VPC: MyPrivateVPC
Route: 0.0.0.0/0 -> PrivateNAT

Step 5: Associate the subnets with their route tables

Each subnet must be explicitly associated with the route table it is meant to use; otherwise it silently keeps using the main route table. Select the subnet "Private-Web-Subnet" and choose "Actions" > "Edit route table association". Change the route table from the main table to "PrivateRouteTable" and click "Save". Then select "Public-NAT-Subnet" and associate it with "PublicRouteTable" in the same way.


Subnet: Private-Web-Subnet
Route Table: PrivateRouteTable

Subnet: Public-NAT-Subnet
Route Table: PublicRouteTable

The private subnet now has an outbound path to the internet through the NAT gateway, while its instances have no public addresses and no inbound path from the internet. The public subnet carries only the NAT gateway (and any bastion host you may add later).
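
The whole of Steps 1 to 5 as one AWS CLI script, added here as an example rather than taken from the article. It uses the article's VPC name, CIDRs and gateway names; the region, the Availability Zone and the public subnet name "Public-NAT-Subnet" are assumptions. Nothing is created unless VPC_APPLY=1 is set, because the NAT gateway and its Elastic IP are billed from the moment they exist.

```shell
#!/bin/sh
# Added example: Steps 1-5 of the article as one AWS CLI script. Names and
# CIDRs are the article's; REGION, AZ and the public subnet name are
# assumptions. Nothing is created unless VPC_APPLY=1 is set, because the NAT
# gateway and its Elastic IP are billed from the moment they exist.
set -eu

REGION="${AWS_REGION:-us-east-1}"   # assumption: us-east-1, matching the article's AZ
AZ="${AZ:-us-east-1a}"              # NAT gateways are zonal: keep both subnets in one AZ
VPC_CIDR="10.0.0.0/16"
PRIVATE_CIDR="10.0.1.0/24"          # Private-Web-Subnet: NAT route only, never an IGW route
PUBLIC_CIDR="10.0.2.0/24"           # Public-NAT-Subnet: hosts the NAT gateway, IGW route

# Build a --tag-specifications value that sets the Name tag.
name_tag() {
  printf 'ResourceType=%s,Tags=[{Key=Name,Value=%s}]' "$1" "$2"
}

# Create the VPC, both subnets, both gateways and both route tables.
# Results are left in VPC_ID, PUBLIC_SUBNET_ID, PRIVATE_SUBNET_ID,
# IGW_ID, NAT_ID, PUBLIC_RTB_ID and PRIVATE_RTB_ID.
create_network() {
  VPC_ID=$(aws ec2 create-vpc --region "$REGION" --cidr-block "$VPC_CIDR" \
    --tag-specifications "$(name_tag vpc MyPrivateVPC)" \
    --query Vpc.VpcId --output text)
  # DNS support is on by default; DNS hostnames are not, for a non-default VPC.
  aws ec2 modify-vpc-attribute --region "$REGION" --vpc-id "$VPC_ID" \
    --enable-dns-hostnames '{"Value":true}'

  PUBLIC_SUBNET_ID=$(aws ec2 create-subnet --region "$REGION" --vpc-id "$VPC_ID" \
    --cidr-block "$PUBLIC_CIDR" --availability-zone "$AZ" \
    --tag-specifications "$(name_tag subnet Public-NAT-Subnet)" \
    --query Subnet.SubnetId --output text)
  PRIVATE_SUBNET_ID=$(aws ec2 create-subnet --region "$REGION" --vpc-id "$VPC_ID" \
    --cidr-block "$PRIVATE_CIDR" --availability-zone "$AZ" \
    --tag-specifications "$(name_tag subnet Private-Web-Subnet)" \
    --query Subnet.SubnetId --output text)

  # Internet gateway: the VPC's only path to the internet, used by the public subnet.
  IGW_ID=$(aws ec2 create-internet-gateway --region "$REGION" \
    --tag-specifications "$(name_tag internet-gateway PublicIGW)" \
    --query InternetGateway.InternetGatewayId --output text)
  aws ec2 attach-internet-gateway --region "$REGION" \
    --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"

  # NAT gateway in the public subnet: private instances reach out through it,
  # but nothing on the internet can initiate a connection back to them.
  EIP_ALLOC_ID=$(aws ec2 allocate-address --region "$REGION" --domain vpc \
    --query AllocationId --output text)
  NAT_ID=$(aws ec2 create-nat-gateway --region "$REGION" --subnet-id "$PUBLIC_SUBNET_ID" \
    --allocation-id "$EIP_ALLOC_ID" --connectivity-type public \
    --tag-specifications "$(name_tag natgateway PrivateNAT)" \
    --query NatGateway.NatGatewayId --output text)
  aws ec2 wait nat-gateway-available --region "$REGION" --nat-gateway-ids "$NAT_ID"

  # Public route table: 0.0.0.0/0 -> IGW, associated only with the public subnet.
  PUBLIC_RTB_ID=$(aws ec2 create-route-table --region "$REGION" --vpc-id "$VPC_ID" \
    --tag-specifications "$(name_tag route-table PublicRouteTable)" \
    --query RouteTable.RouteTableId --output text)
  aws ec2 create-route --region "$REGION" --route-table-id "$PUBLIC_RTB_ID" \
    --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID" >/dev/null
  aws ec2 associate-route-table --region "$REGION" --route-table-id "$PUBLIC_RTB_ID" \
    --subnet-id "$PUBLIC_SUBNET_ID" >/dev/null

  # Private route table: 0.0.0.0/0 -> NAT gateway. An igw- target here would
  # silently turn the "private" subnet into a public one.
  PRIVATE_RTB_ID=$(aws ec2 create-route-table --region "$REGION" --vpc-id "$VPC_ID" \
    --tag-specifications "$(name_tag route-table PrivateRouteTable)" \
    --query RouteTable.RouteTableId --output text)
  aws ec2 create-route --region "$REGION" --route-table-id "$PRIVATE_RTB_ID" \
    --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$NAT_ID" >/dev/null
  aws ec2 associate-route-table --region "$REGION" --route-table-id "$PRIVATE_RTB_ID" \
    --subnet-id "$PRIVATE_SUBNET_ID" >/dev/null

  printf 'VPC_ID=%s\nPUBLIC_SUBNET_ID=%s\nPRIVATE_SUBNET_ID=%s\nNAT_GATEWAY_ID=%s\n' \
    "$VPC_ID" "$PUBLIC_SUBNET_ID" "$PRIVATE_SUBNET_ID" "$NAT_ID"
}

# Guard: only touch the account when explicitly asked to.
if [ "${VPC_APPLY:-0}" = "1" ]; then
  create_network
fi
```

Run it as `VPC_APPLY=1 sh create-private-vpc.sh` with credentials that can manage VPC and EC2 resources. The order matters: the NAT gateway must exist before the private route can point at it, and the public route table must be associated with the NAT gateway's subnet, or the NAT gateway itself has no way out.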

Step 6: Launch an EC2 instance

Launch an EC2 instance to test connectivity. Click "Instances" in the left navigation and click "Launch instances". Give it a name, choose an Amazon Linux 2023 AMI and an instance type like t2.micro, and select or create a key pair. Under "Network settings" click "Edit", select "MyPrivateVPC" and the subnet "Private-Web-Subnet", and leave "Auto-assign public IP" disabled: an instance in a private subnet should never receive a public address.

For the firewall, create a new security group rather than using the VPC default one. Leave the outbound rules at their default (all traffic allowed), which is all the connectivity test needs, and add no inbound rule that allows 0.0.0.0/0, not even on port 22: there is no path from the internet to this instance, so such a rule is useless today and dangerous the day someone attaches a public IP. Under "Advanced details", attach an IAM instance profile whose role includes the AmazonSSMManagedInstanceCore policy so you can open a shell with Session Manager instead of SSH.


AMI: Amazon Linux 2023
Instance Type: t2.micro
Subnet: Private-Web-Subnet
Auto-assign public IP: Disabled
Security Group: new group, no inbound rules
IAM instance profile: role with AmazonSSMManagedInstanceCore

Click "Launch instance". Wait for the instance state to change to "Running" and confirm that the "Public IPv4 address" column is empty. Select the instance, click "Connect" and use the "Session Manager" tab; the SSM agent is preinstalled on Amazon Linux 2023 and reaches the SSM service through the NAT gateway. Alternatively, connect from a bastion host in the public subnet.

Verify the installation

Open a terminal on your local machine and run the following command to check the default route of the private subnet's route table (replace subnet-xxxxxxxx with the ID of Private-Web-Subnet):


aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=subnet-xxxxxxxx" --query 'RouteTables[0].Routes[?DestinationCidrBlock==`0.0.0.0/0`].[NatGatewayId,GatewayId]' --output text

The NatGatewayId column should show "nat-xxxxxxxx" and the GatewayId column "None". If GatewayId shows "igw-xxxxxxxx" instead, the subnet is public, not private. Next, verify that the subnet has an explicit route table association:


aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=subnet-xxxxxxxx" --query 'RouteTables[0].RouteTableId' --output text

The output should return "rtb-xxxxxxxx", the ID of PrivateRouteTable. An output of "None" means there is no explicit association and the subnet is still using the main route table. Finally, open a Session Manager shell on the instance and test connectivity by pinging a public IP (the default outbound security group rule allows ICMP):


ping -c 4 8.8.8.8

You should see replies from 8.8.8.8. This confirms that the private subnet can reach the internet through the NAT gateway, while the instance itself has no public address that the internet could reach.

Troubleshooting

If the instance cannot reach the internet, check the security group's outbound rules first. Security groups are stateful, so an outbound rule that allows the traffic (the default allows all) is enough for the replies to come back; inbound rules play no part in outbound connectivity, and there is no reason to open ports 22, 80 or 443 to 0.0.0.0/0 on an instance in a private subnet. Then check the network ACLs of both subnets: they are stateless, so the private subnet's ACL must allow the outbound traffic and the inbound replies on ephemeral ports (1024-65535), and the public subnet's ACL must allow the NAT gateway's traffic in both directions.

Check the route tables again. The private subnet's 0.0.0.0/0 route must point at the NAT gateway, and the public subnet's 0.0.0.0/0 route at the internet gateway; a NAT gateway only works if its own subnet routes to the internet gateway. Verify that the NAT gateway is in the "Available" state and that the internet gateway is attached to the correct VPC.

If you see "Network is unreachable" or "No route to host" errors, confirm that each subnet is explicitly associated with the correct route table, since an unassociated subnet uses the main route table, and re-associate it if necessary. If IP addresses work but hostnames do not, ensure the VPC has DNS resolution and DNS hostnames enabled in its settings.

If traffic is still blocked, enable VPC Flow Logs for the VPC (they are off by default) with CloudWatch Logs or S3 as the destination, then look for REJECT records whose source is the instance's private IP. A REJECT record means a security group or network ACL denied the traffic; flow logs record that decision, not routing, so if the outbound flow shows ACCEPT and yet nothing comes back, re-check the route tables.
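
A small flow-log triage helper for the step above, added here as an example and not part of the article. It reads records in the default flow-log format (version 2 fields in their documented order) from standard input and lists the REJECTed flows that originate inside a given subnet. The four records embedded in SAMPLE_LOG are constructed for the example, not captured from a real VPC; the ENI IDs, account number and timestamps in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): triage VPC Flow Log records for a
# subnet that cannot reach the internet. Records use the default flow-log
# field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
set -eu

# Constructed sample, not real data. 10.0.1.25 is REJECTed on ICMP to 8.8.8.8
# and on TCP/443 to 93.184.216.34; 10.0.1.30 is ACCEPTed on TCP/443; the last
# record is a NODATA return flow and must not be counted.
SAMPLE_LOG='2 123456789012 eni-0aaa111 10.0.1.25 8.8.8.8 0 0 1 4 336 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa111 10.0.1.25 93.184.216.34 41722 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0bbb222 10.0.1.30 93.184.216.34 52114 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa111 93.184.216.34 10.0.1.25 443 41722 6 0 0 1700000000 1700000060 NODATA -'

# Map an IANA protocol number to a name for readability.
proto_name() {
  case "$1" in
    1) echo icmp ;;
    6) echo tcp ;;
    17) echo udp ;;
    *) echo "proto-$1" ;;
  esac
}

# Print REJECTed flows whose source address starts with the given dotted
# prefix (e.g. 10.0.1. for the private subnet), one per line:
# srcaddr dstaddr dstport protocol
rejected_egress() {
  prefix="$1"
  awk -v p="$prefix" '$13 == "REJECT" && index($4, p) == 1 { print $4, $5, $7, $8 }'
}

# Count the REJECTed egress flows from the prefix.
count_rejected_egress() {
  rejected_egress "$1" | wc -l | tr -d ' '
}

# Human-readable summary: which private hosts were denied, to where, on what.
summarize() {
  rejected_egress "$1" | while read -r src dst port proto; do
    printf '%s -> %s %s/%s rejected\n' "$src" "$dst" "$(proto_name "$proto")" "$port"
  done
}

# Usage with the constructed sample; pipe real records from
# `aws logs get-log-events` or an S3 download in the same way.
printf '%s\n' "$SAMPLE_LOG" | summarize 10.0.1.
```

Two REJECTs from 10.0.1.25 alongside an ACCEPT from 10.0.1.30 in the same subnet point at something specific to that instance, typically its security group's outbound rules, rather than at the subnet's route table or network ACL, which would affect both hosts alike.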


Tags: AWS, Networking, VPC