Amazon Virtual Private Cloud
User Guide

Example: Create an IPv4 VPC and Subnets Using the AWS CLI

The following example uses AWS CLI commands to create a nondefault VPC with an IPv4 CIDR block, and a public and private subnet in the VPC. After you've created the VPC and subnets, you can launch an instance in the public subnet and connect to it. To begin, you must first install and configure the AWS CLI. For more information, see Getting Set Up with the AWS Command Line Interface.

Step 1: Create a VPC and Subnets

The first step is to create a VPC and two subnets. This example uses the CIDR block 10.0.0.0/16 for the VPC, but you can choose a different CIDR block. For more information, see VPC and Subnet Sizing.

To create a VPC and subnets using the AWS CLI

  1. Create a VPC with a 10.0.0.0/16 CIDR block.

    aws ec2 create-vpc --cidr-block 10.0.0.0/16

    In the output that's returned, take note of the VPC ID.

    { "Vpc": { "VpcId": "vpc-2f09a348", ... } }
  2. Using the VPC ID from the previous step, create a subnet with a 10.0.1.0/24 CIDR block.

    aws ec2 create-subnet --vpc-id vpc-2f09a348 --cidr-block 10.0.1.0/24
  3. Create a second subnet in your VPC with a 10.0.0.0/24 CIDR block.

    aws ec2 create-subnet --vpc-id vpc-2f09a348 --cidr-block 10.0.0.0/24

Step 2: Make Your Subnet Public

After you've created the VPC and subnets, you can make one of the subnets a public subnet by attaching an Internet gateway to your VPC, creating a custom route table, and configuring routing for the subnet to the Internet gateway.

To make your subnet a public subnet

  1. Create an Internet gateway.

    aws ec2 create-internet-gateway

    In the output that's returned, take note of the Internet gateway ID.

    { "InternetGateway": { ... "InternetGatewayId": "igw-1ff7a07b", ... } }
  2. Using the ID from the previous step, attach the Internet gateway to your VPC.

    aws ec2 attach-internet-gateway --vpc-id vpc-2f09a348 --internet-gateway-id igw-1ff7a07b
  3. Create a custom route table for your VPC.

    aws ec2 create-route-table --vpc-id vpc-2f09a348

    In the output that's returned, take note of the route table ID.

    { "RouteTable": { ... "RouteTableId": "rtb-c1c8faa6", ... } }
  4. Create a route in the route table that points all traffic (0.0.0.0/0) to the Internet gateway.

    aws ec2 create-route --route-table-id rtb-c1c8faa6 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-1ff7a07b
  5. To confirm that your route has been created and is active, you can describe the route table and view the results.

    aws ec2 describe-route-tables --route-table-id rtb-c1c8faa6

    {
        "RouteTables": [
            {
                "Associations": [],
                "RouteTableId": "rtb-c1c8faa6",
                "VpcId": "vpc-2f09a348",
                "PropagatingVgws": [],
                "Tags": [],
                "Routes": [
                    {
                        "GatewayId": "local",
                        "DestinationCidrBlock": "10.0.0.0/16",
                        "State": "active",
                        "Origin": "CreateRouteTable"
                    },
                    {
                        "GatewayId": "igw-1ff7a07b",
                        "DestinationCidrBlock": "0.0.0.0/0",
                        "State": "active",
                        "Origin": "CreateRoute"
                    }
                ]
            }
        ]
    }
  6. The route table is currently not associated with any subnet. You need to associate it with a subnet in your VPC so that traffic from that subnet is routed to the Internet gateway. First, use the describe-subnets command to get your subnet IDs. You can use the --filter option to return the subnets for your new VPC only, and the --query option to return only the subnet IDs and their CIDR blocks.

    aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-2f09a348" --query 'Subnets[*].{ID:SubnetId,CIDR:CidrBlock}'

    [
        {
            "CIDR": "10.0.1.0/24",
            "ID": "subnet-b46032ec"
        },
        {
            "CIDR": "10.0.0.0/24",
            "ID": "subnet-a46032fc"
        }
    ]
  7. You can choose which subnet to associate with the custom route table, for example, subnet-b46032ec. This subnet will be your public subnet.

    aws ec2 associate-route-table --subnet-id subnet-b46032ec --route-table-id rtb-c1c8faa6
  8. You can optionally modify the public IP addressing behavior of your subnet so that an instance launched into the subnet automatically receives a public IP address. Otherwise, you should associate an Elastic IP address with your instance after launch so that it's reachable from the Internet.

    aws ec2 modify-subnet-attribute --subnet-id subnet-b46032ec --map-public-ip-on-launch

Step 3: Launch an Instance into Your Subnet

To test that your subnet is public and that instances in the subnet are accessible via the Internet, launch an instance into your public subnet and connect to it. First, you must create a security group to associate with your instance, and a key pair with which you'll connect to your instance. For more information about security groups, see Security Groups for Your VPC. For more information about key pairs, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

To launch and connect to an instance in your public subnet

  1. Create a key pair and use the --query option and the --output text option to pipe your private key directly into a file with the .pem extension.

    aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem

    In this example, you launch an Amazon Linux instance. If you use an SSH client on a Linux or Mac OS X operating system to connect to your instance, use the following command to set the permissions of your private key file so that only you can read it.

    chmod 400 MyKeyPair.pem
  2. Create a security group in your VPC, and add a rule that allows SSH access from anywhere.

    aws ec2 create-security-group --group-name SSHAccess --description "Security group for SSH access" --vpc-id vpc-2f09a348

    {
        "GroupId": "sg-e1fb8c9a"
    }

    aws ec2 authorize-security-group-ingress --group-id sg-e1fb8c9a --protocol tcp --port 22 --cidr 0.0.0.0/0

    Note

    If you use 0.0.0.0/0, you enable all IPv4 addresses to access your instance using SSH. This is acceptable for this short exercise, but in production, authorize only a specific IP address or range of addresses.

  3. Launch an instance into your public subnet, using the security group and key pair you've created. In the output, take note of the instance ID for your instance.

    aws ec2 run-instances --image-id ami-a4827dc9 --count 1 --instance-type t2.micro --key-name MyKeyPair --security-group-ids sg-e1fb8c9a --subnet-id subnet-b46032ec

    Note

    In this example, the AMI is an Amazon Linux AMI in the US East (N. Virginia) region. If you're in a different region, you'll need the AMI ID for a suitable AMI in your region. For more information, see Finding a Linux AMI in the Amazon EC2 User Guide for Linux Instances.

  4. Your instance must be in the running state in order to connect to it. Describe your instance and confirm its state, and take note of its public IP address.

    aws ec2 describe-instances --instance-id i-0146854b7443af453

    {
        "Reservations": [
            {
                ...
                "Instances": [
                    {
                        ...
                        "State": {
                            "Code": 16,
                            "Name": "running"
                        },
                        ...
                        "PublicIpAddress": "52.87.168.235",
                        ...
                    }
                ]
            }
        ]
    }
  5. When your instance is in the running state, you can connect to it using an SSH client on a Linux or Mac OS X computer by using the following command:

    ssh -i "MyKeyPair.pem" ec2-user@52.87.168.235

    If you're connecting from a Windows computer, use the following instructions: Connecting to Your Linux Instance from Windows Using PuTTY.
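The route table check in step 5 of Step 2 and the note above about 0.0.0.0/0 are both questions you can answer from the CLI's JSON output rather than by eye. The following Python is an added example, not part of this guide: it parses constructed sample output shaped like `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` (using this walkthrough's IDs) and reports which subnets are public and which security groups allow SSH from anywhere, including the all-protocols (`-1`) and IPv6 `::/0` cases.

```python
import json

# Constructed sample, shaped like `aws ec2 describe-route-tables` output
# after step 7 of Step 2 associated subnet-b46032ec with the custom table.
ROUTE_TABLES_JSON = """{"RouteTables": [
  {"RouteTableId": "rtb-c1c8faa6", "VpcId": "vpc-2f09a348",
   "Associations": [{"SubnetId": "subnet-b46032ec", "RouteTableId": "rtb-c1c8faa6"}],
   "Routes": [
     {"GatewayId": "local", "DestinationCidrBlock": "10.0.0.0/16", "State": "active"},
     {"GatewayId": "igw-1ff7a07b", "DestinationCidrBlock": "0.0.0.0/0", "State": "active"}]}
]}"""

# Constructed sample, shaped like `aws ec2 describe-security-groups` output
# after the SSHAccess group was opened to 0.0.0.0/0 in step 2 of Step 3.
SECURITY_GROUPS_JSON = """{"SecurityGroups": [
  {"GroupId": "sg-e1fb8c9a", "GroupName": "SSHAccess", "VpcId": "vpc-2f09a348",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}"""

def public_subnets(route_tables_json):
    """Subnet IDs whose route table has an active 0.0.0.0/0 route to an igw-* target."""
    public = set()
    for table in json.loads(route_tables_json)["RouteTables"]:
        igw_default = any(
            r.get("DestinationCidrBlock") == "0.0.0.0/0"
            and str(r.get("GatewayId", "")).startswith("igw-")
            and r.get("State") == "active"
            for r in table.get("Routes", []))
        if igw_default:
            public.update(a["SubnetId"] for a in table.get("Associations", [])
                          if "SubnetId" in a)
    return public

def world_open_ssh(security_groups_json):
    """Group IDs with an inbound rule covering TCP/22 from 0.0.0.0/0 or ::/0."""
    flagged = []
    for sg in json.loads(security_groups_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            # "-1" means all protocols and ports; otherwise need TCP with a range covering 22.
            covers_22 = perm.get("IpProtocol") == "-1" or (
                perm.get("IpProtocol") == "tcp"
                and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535))
            anywhere = (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                        or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))
            if covers_22 and anywhere:
                flagged.append(sg["GroupId"])
                break
    return flagged
```

To run it against a real account, pass the text of `aws ec2 describe-route-tables --output json` and `aws ec2 describe-security-groups --output json` to the two functions instead of the constructed samples.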

Step 4: Clean Up

After you've verified that you can connect to your instance, you can terminate it if you no longer need it. To do this, use the terminate-instances command. To delete the other resources you've created in this example, use the following commands in their listed order:

  1. Delete your security group:

    aws ec2 delete-security-group --group-id sg-e1fb8c9a
  2. Delete your subnets:

    aws ec2 delete-subnet --subnet-id subnet-b46032ec
    aws ec2 delete-subnet --subnet-id subnet-a46032fc
  3. Delete your custom route table:

    aws ec2 delete-route-table --route-table-id rtb-c1c8faa6
  4. Detach your Internet gateway from your VPC:

    aws ec2 detach-internet-gateway --internet-gateway-id igw-1ff7a07b --vpc-id vpc-2f09a348
  5. Delete your Internet gateway:

    aws ec2 delete-internet-gateway --internet-gateway-id igw-1ff7a07b
  6. Delete your VPC:

    aws ec2 delete-vpc --vpc-id vpc-2f09a348