Amazon Virtual Private Cloud
User Guide

Scenario 1: VPC with a Single Public Subnet

The configuration for this scenario includes a virtual private cloud (VPC) with a single public subnet, and an Internet gateway to enable communication over the Internet. We recommend this configuration if you need to run a single-tier, public-facing web application, such as a blog or a simple website.

Configuration for Scenario 1

The following diagram shows the key components of the configuration for this scenario.

Diagram for scenario 1: VPC with a public subnet

Note

If you completed the exercise Getting Started with Amazon VPC, then you've already implemented this scenario using the VPC wizard in the Amazon VPC console.

Basic Components for Scenario 1

The following list describes the basic components presented in the configuration diagram for this scenario:

  • A virtual private cloud (VPC) of size /16 (example CIDR: 10.0.0.0/16). This provides 65,536 private IP addresses.

  • A subnet of size /24 (example CIDR: 10.0.0.0/24). This provides 256 private IP addresses, of which 251 are usable by instances: AWS reserves the first four addresses and the last address of every subnet.

  • An Internet gateway. This connects the VPC to the Internet and to other AWS products.

  • An instance with a private IP address in the subnet range (example: 10.0.0.6), which enables the instance to communicate with other instances in the VPC, and an Elastic IP address (example: 198.51.100.2), which enables the instance to be reached from the Internet.

  • A route table entry that enables instances in the subnet to communicate with other instances in the VPC, and a route table entry that enables instances in the subnet to communicate directly over the Internet.

For more information about subnets, see Your VPC and Subnets and IP Addressing in Your VPC. For more information about Internet gateways, see Internet Gateways.

Tip

If you'd like instances in your VPC to communicate over the Internet without having to assign each instance an Elastic IP address, you can use a NAT gateway. For more information about configuring a VPC with a NAT gateway, see Scenario 2: VPC with Public and Private Subnets (NAT).

Routing for Scenario 1

Your VPC has an implied router (shown in the configuration diagram for this scenario). For this scenario, the VPC wizard creates a route table that routes all traffic destined for an address outside the VPC to the Internet gateway, and associates this route table with the subnet. If you do not use the wizard, you need to create and associate the route table yourself.

The following table shows what the route table looks like for the example addresses used in the configuration diagram for this scenario. The first row shows the entry for local routing in the VPC; this entry enables the instances in this VPC to communicate with each other. The second row shows the entry for routing all other subnet traffic to the Internet gateway, which is specified using its AWS-assigned identifier.

Destination      Target
10.0.0.0/16      local
0.0.0.0/0        igw-xxxxxxxx

Security for Scenario 1

AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs. Both features enable you to control the inbound and outbound traffic for your instances, but security groups work at the instance level, while network ACLs work at the subnet level. Security groups are also stateful (return traffic for an allowed connection is permitted automatically), whereas network ACLs are stateless and need explicit rules in both directions. Security groups alone can meet the needs of many VPC users. However, some VPC users decide to use both security groups and network ACLs to take advantage of the additional layer of security that network ACLs provide. For more information about security groups and network ACLs and how they differ, see Security in Your VPC.

For scenario 1, you'll use a security group but not network ACLs. If you'd like to use a network ACL, see Recommended Rules for Scenario 1.

Recommended Security Group Rules

Your VPC comes with a default security group whose initial settings allow all outbound traffic and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to the default security group for the VPC. You could modify the rules for the default security group, but the rules that you need for your web servers might not work for other instances that you launch into the VPC. Therefore, we recommend that you create a security group to use with the web servers in your public subnet.

You'll create a security group named WebServerSG, modify the rules as needed, and then specify the security group when you launch instances into the VPC. By default, new security groups start with only an outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or to restrict the outbound traffic.

The following table describes the inbound and outbound rules for the WebServerSG group. If you want your web server to initiate outbound traffic, for example, to get software updates, you can leave the default outbound rule. If you do not want your web server to initiate outbound traffic, you can remove the default outbound rule. Because security groups are stateful, removing it does not block responses to inbound HTTP and HTTPS connections; it only prevents the instance from opening new outbound connections.

Inbound

Source                                    Protocol   Port Range   Comments
0.0.0.0/0                                 TCP        80           Allow inbound HTTP access to the web servers from anywhere
0.0.0.0/0                                 TCP        443          Allow inbound HTTPS access to the web servers from anywhere
Public IP address range of your network   TCP        22           (Linux instances) Allow inbound SSH access from your network
Public IP address range of your network   TCP        3389         (Windows instances) Allow inbound RDP access from your network

Outbound (Optional)

Destination   Protocol   Port Range   Comments
0.0.0.0/0     All        All          Allow all outbound access to anywhere

Tip

You can get the public IP address of your local computer using a service such as http://checkip.amazonaws.com, or locate another such service with the search phrase "what is my IP address". If you are connecting through an ISP or from behind a firewall without a static IP address, you need to find out the range of IP addresses used by client computers, and use that range (not 0.0.0.0/0) as the source for the SSH and RDP rules.

The default security group for a VPC has rules that automatically allow assigned instances to communicate with each other. A new security group such as WebServerSG has no such rule. To allow that type of communication between the instances in your VPC, add a rule like the following to your security group, using the group's own ID as the source.

Inbound

Source                                Protocol   Port Range   Comments
The security group ID (sg-xxxxxxxx)   All        All          Allow inbound traffic from other instances assigned to this security group

Implementing Scenario 1

Use the following process to implement the scenario using the VPC wizard.

To implement scenario 1 using the VPC wizard

  1. Set up the VPC, subnet, and Internet gateway:

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. If you have no VPC resources, locate the Your Virtual Private Cloud area of the dashboard and choose Get started creating a VPC, or choose Start VPC Wizard.

    3. Select the first option, VPC with a Single Public Subnet, and then choose Select.

    4. The confirmation page shows the CIDR ranges and settings that you've chosen. Make any changes that you need, and then choose Create VPC to create your VPC, subnet, Internet gateway, and route table.

  2. Create the WebServerSG security group and add rules:

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the navigation pane, choose Security Groups.

    3. Choose Create Security Group.

    4. Specify WebServerSG as the name of the security group, and provide a description. Select the ID of your VPC from the VPC menu, and then choose Yes, Create.

    5. Select the WebServerSG security group that you just created. The details pane includes a tab for information about the security group, plus tabs for working with its inbound rules and outbound rules.

    6. On the Inbound Rules tab, choose Edit, and then do the following:

      • Select HTTP from the Type list, and enter 0.0.0.0/0 in the Source field.

      • Choose Add another rule, then select HTTPS from the Type list, and enter 0.0.0.0/0 in the Source field.

      • Choose Add another rule, then select SSH from the Type list. Enter your network's public IP address range in the Source field. (If you don't know this address range, you can use 0.0.0.0/0 for testing purposes, but that exposes SSH to the entire Internet, including automated brute-force scanners; in production, authorize only a specific IP address or range of addresses to access your instance.)

        Tip

        If you use both Linux and Windows instances, you can add access for both SSH and RDP.

      • Choose Save.

      Inbound rules for security group
    7. (Optional) On the Outbound Rules tab, choose Edit. Locate the default rule that enables all outbound traffic, choose Remove, and then choose Save.

  3. Launch an instance into the VPC:

    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    2. From the dashboard, choose Launch Instance.

    3. Follow the directions in the wizard. Choose an AMI, choose an instance type, and then choose Next: Configure Instance Details.

    4. On the Configure Instance Details page, select the VPC that you created in step 1 from the Network list, and then specify a subnet.

    5. (Optional) By default, instances launched into a nondefault VPC are not assigned a public IP address. To be able to connect to your instance, you can assign a public IP address now, or allocate an Elastic IP address and assign it to your instance after it's launched. To assign a public IP address now, ensure that you select Enable from the Auto-assign Public IP list.

      Note

      You can only assign a public IP address to a single, new network interface with the device index of eth0. For more information, see Assigning a Public IP Address During Launch.

    6. On the next two pages of the wizard, you can configure storage for your instance, and add tags. On the Configure Security Group page, select the Select an existing security group option, and select the WebServerSG security group that you created in step 2. Choose Review and Launch.

    7. Review the settings that you've chosen. Make any changes that you need, and then choose Launch to choose a key pair and launch your instance.

  4. If you did not assign a public IP address to your instance as part of step 3, you will not be able to connect to it. Assign an Elastic IP address to the instance:

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the navigation pane, choose Elastic IPs.

    3. Choose Allocate New Address.

    4. Choose Yes, Allocate.

      Note

      If your account supports EC2-Classic, first choose EC2-VPC from the Network platform list.

    5. Select the Elastic IP address from the list, choose Actions, and then choose Associate Address.

    6. In the Associate Address dialog box, select the instance to associate the address with, and then choose Yes, Associate.

You can now connect to your instances in the VPC. For information about how to connect to a Linux instance, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances. For information about how to connect to a Windows instance, see Connect to Your Windows Instance in the Amazon EC2 User Guide for Microsoft Windows Instances.
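The same configuration built with the AWS CLI instead of the console, as an added example that is not part of this guide or of AWS's own documentation. It covers the route table from Routing for Scenario 1, the WebServerSG rules from Recommended Security Group Rules (HTTP and HTTPS from anywhere, SSH only from an administrative CIDR, plus the self-referencing rule), and steps 1 through 4 above. It assumes the AWS CLI is installed and configured with credentials and a default region; the key pair name, AMI ID and administrative address are hypothetical placeholders that you must replace, and running it creates billable resources. The admin_cidr and check_admin_cidr helpers are additions of this example: they turn a single address into a /32 and refuse to write an SSH rule whose source is 0.0.0.0/0 or ::/0, the mistake that step 2 warns about.

```shell
#!/usr/bin/env bash
# Scenario 1 via the AWS CLI: VPC, public subnet, Internet gateway, route,
# WebServerSG, one instance, and an Elastic IP.  Requires a configured AWS CLI.
set -e

VPC_CIDR="10.0.0.0/16"
SUBNET_CIDR="10.0.0.0/24"
KEY_NAME="${KEY_NAME:-my-key-pair}"        # hypothetical: an existing EC2 key pair
AMI_ID="${AMI_ID:-ami-0123456789abcdef0}"  # hypothetical: replace with a real AMI

# Turn a single administrative address into the /32 CIDR used for SSH/RDP rules;
# a value that is already a CIDR is passed through unchanged.
admin_cidr() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Refuse a management-port source that is open to the whole Internet.
# Returns 1 for 0.0.0.0/0 or ::/0 so that `set -e` aborts before any rule is written.
check_admin_cidr() {
  case "$1" in
    0.0.0.0/0|::/0) echo "refusing to open port $2 to the world ($1)" >&2; return 1 ;;
  esac
  return 0
}

create_scenario1() {
  local admin_src="$1"
  local vpc_id subnet_id igw_id rtb_id sg_id instance_id alloc_id
  check_admin_cidr "$admin_src" 22

  # Step 1: VPC, subnet, Internet gateway.
  vpc_id=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
  subnet_id=$(aws ec2 create-subnet --vpc-id "$vpc_id" --cidr-block "$SUBNET_CIDR" \
      --query Subnet.SubnetId --output text)
  igw_id=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igw_id" --vpc-id "$vpc_id"

  # Route table: the local route for 10.0.0.0/16 is implicit; add 0.0.0.0/0 -> igw
  # and associate the table with the subnet, which is what makes the subnet public.
  rtb_id=$(aws ec2 create-route-table --vpc-id "$vpc_id" --query RouteTable.RouteTableId --output text)
  aws ec2 create-route --route-table-id "$rtb_id" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw_id"
  aws ec2 associate-route-table --route-table-id "$rtb_id" --subnet-id "$subnet_id"

  # Step 2: WebServerSG with the recommended inbound rules.
  sg_id=$(aws ec2 create-security-group --group-name WebServerSG \
      --description "Web servers in the public subnet" --vpc-id "$vpc_id" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol tcp --port 80  --cidr 0.0.0.0/0
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol tcp --port 443 --cidr 0.0.0.0/0
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol tcp --port 22  --cidr "$admin_src"
  # Self-referencing rule so instances in WebServerSG can talk to each other.
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol all --source-group "$sg_id"

  # Step 3: launch into the subnet with WebServerSG (no auto-assigned public IP).
  instance_id=$(aws ec2 run-instances --image-id "$AMI_ID" --instance-type t3.micro \
      --key-name "$KEY_NAME" --subnet-id "$subnet_id" --security-group-ids "$sg_id" \
      --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --instance-ids "$instance_id"

  # Step 4: allocate an Elastic IP and associate it with the instance.
  alloc_id=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
  aws ec2 associate-address --instance-id "$instance_id" --allocation-id "$alloc_id"

  # Verify that the route and the rules actually landed before connecting.
  aws ec2 describe-route-tables --route-table-ids "$rtb_id" \
      --query 'RouteTables[0].Routes[].[DestinationCidrBlock,GatewayId]' --output table
  aws ec2 describe-security-groups --group-ids "$sg_id" \
      --query 'SecurityGroups[0].IpPermissions[].[IpProtocol,FromPort,IpRanges[].CidrIp]' --output table
}

# Usage: ADMIN_IP=203.0.113.5 ./scenario1.sh   (203.0.113.5 is a documentation address)
if [ -n "${ADMIN_IP:-}" ]; then
  create_scenario1 "$(admin_cidr "$ADMIN_IP")"
fi
```

For Windows instances, add a second authorize call for port 3389 with the same administrative source. The default outbound rule is left in place so the instance can fetch updates; to remove it as in step 2.7, run aws ec2 revoke-security-group-egress --group-id <sg-id> --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'.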