Forem: Nsowah Alexander

A Scalable VPC Architecture

Nsowah Alexander — Wed, 15 Apr 2026 14:38:12 +0000

In this article, I'll walk through how I set up a scalable and modular virtual network architecture with AWS VPC. This is part of my hands-on DevSecOps learning journey. This guide is perfect for those who are just starting with AWS networking. Diagram at the bottom.

Prerequisites

AWS Account
HTML web app code

Pre-deployment

AWS CLI
Install nginx
install Git
Cloudwatch Agent
Push custom memory metrics to CloudWatch.
AWS SSM agent

Deployment

I started by creating a VPC for the bastion host in the diagram. I aimed to keep my application servers hidden from the internet. Instead, all admin access would go through a single controlled entry point (bastion host). So in this VPC, I created a public subnet and attached an Internet Gateway, allowing me to SSH into the bastion instance. How I did it:

#create vpc baston vpc
   aws ec2 create-vpc --cidr-block 192.168.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=vpc-baston}]'
#create a public subnet for this VPC
   aws ec2 create-subnet --vpc-id vpc-id --cidr-block 192.168.1.0/24 --availability-zone us-east-1a --tag-specification 'ResourceType=subnet,Tags=[{Key=Name,Value=ubnet-name}]'
#create and attach internet-gateway
   aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=igw-name}]'
   aws ec2 attach-internet-gateway --vpc-id vpc-id --internet-gateway-id igw-id

Next, I created the second VPC where the app servers will be located. Unlike the bastion VPC, this VPC will have both private and public subnets. The public subnets will host the load balancer and NAT gateway, while the private subnets will have the application servers. How I went on about it:

#create vpc app vpc
   aws ec2 create-vpc --cidr-block 172.32.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=app-vpc}]'
#create two public subnets
   aws ec2 create-subnet --vpc-id vpc-id --cidr-block 172.32.1.0/24 --availability-zone us-east-1a --tag-specification
   aws ec2 create-subnet --vpc-id vpc-id --cidr-block 172.32.2.0/24 --availability-zone us-east-1b --tag-specification
#create two private subnets
   aws ec2 create-subnet --vpc-id vpc-id --cidr-block 172.32.10.0/24 --availability-zone us-east-1a --tag-specification 
   aws ec2 create-subnet --vpc-id vpc-id --cidr-block 172.32.20.0/24 --availability-zone us-east-1b --tag-specification
#create and attach Internet Gateway to vpc
   aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=igw-name}]'
   aws ec2 attach-internet-gateway --vpc-id vpc-id --internet-gateway-id igw-id
#create a nat-gateway to the public subnet.. created a elastic ip first
   aws ec2 create-nat-gateway --subnet-id subnet-id --allocation-id id

Next, I created two route tables, one for the public subnets and another for the private subnets. Edited the public subnets' route table route to take the internet gateway for internet connection and public (Dev) access and edited the private subnet route table routes to take the NAT gateway for outbound internet. (used the console)

Further, I created a transit gateway to establish communication between the 2 VPCs. I also made sure to create the transit gateway for the VPCs, choosing all public subnets from the VPCs. I then edited the public subnets' route table routes to take the IPs from the VPC, i.e., the destination as IPS and targets as the transit gateways. (used the console)

Route table for bastion VPC

Route table for App VPC subnets

I launched an EC2 in the Bastion VPC, assigned an Elastic IP, and allowed SSH on port 22.

Moreover, I made an AMI to be used by the EC2; the reason is I don't want to download the same thing on 3 or more EC2 instances. I install all that is stated in pre-deployment. I then launched the template into 2 instances for the app. Now all working, I needed to add the auto scaling group to handle auto-scaling.

Next, I created an Auto Scaling Group (ASG) across both private subnets to ensure high availability. This way, even if one availability zone goes down, the application would still remain accessible.

I attached a target group configured with the “Instances” target type, listening on port 80, and set the health check path to /. Once the instances began registering and I saw them transition to a healthy state, I knew the backend layer was properly set up.

With that in place, I moved on to creating an internet-facing application load balancer. I deployed it in the public subnets of the application VPC and configured its security group to allow HTTP traffic from anywhere (0.0.0.0/0). I then added a listener on port 80 and pointed it to the target group, allowing incoming requests to be routed to the EC2 instances in the private subnets.

Finally, I configured DNS using Amazon Route 53 by creating an A record (Alias) that points directly to the load balancer. This allowed me to access the application using a domain name instead of the ALB DNS endpoint.

Mistakes I did

Missing transit gateway route. I couldnt SSH from the Bastion into App VPC
503 Error. No targets in target group'
Couldnt make the golden AMI.. I didnt understand in the first place
Nginx default page.. browser cached the nginx default page. I did hard reloading

Archichecture

Conclusion

Built a Production-Style AWS Architecture (And Broke It 5 Times First). This project was really fire; it helped me to understand VPC, bastion hosts, IPs, subnetting, etc. Whats next? I'm starting Terraform next week.
full project on https://github.com/NotHarshhaa/DevOps-Projects/tree/master/DevOps-Project-02

#GOODPROJECT

01-VPC — AWS Private/Public Subnet Architecture

Nsowah Alexander — Fri, 03 Apr 2026 23:19:29 +0000

In this article, I'll walk through how I set up an AWS VPC with a public and private subnet, deployed two EC2 instances, and configured Nginx as a reverse proxy. This is part of my hands-on cloud learning journey. If you're just getting started with AWS networking, this is for you.

Prerequisites

You need to have an AWS account to be able to create the infrastructure
A basic understanding of networking

VPC Deployment

A Virtual Private Cloud provides a logical, isolated virtual network that you define, where you can launch resources that you want. It closely resembles a traditional network you set up or operate in your own data center.

Setting up VPC

Logged in to my AWS and navigated to the VPC section to create a VPC
To create the VPC, I chose VPC only, gave a dummy name, and specified the IPV4 CIDR as 10.0.0.0/16. Click Create to create the VPC

IPV4 CIDR is the address range to be used by the VPC and should be private. I chose 10.0.0.0/16, with /16 as the netmask.

To be able to access the resources in the VPC, you need a subnet placed in an HA zone

Setting up a Subnet

A subnet is a smaller network within a larger network. I created two subnets, a public and a private.

Click Subnets on the VPC window to create a subnet
To create subnets for the VPC, I selected the VPC I just made (vpc-spec-01)
Gave it a name (public), chose us-east-1a as the availability zone
10.0.1.0/24 as the IPV4 CIDR to give me 256 IPs to use

for the private subnet

I used a different availability zone, us-east-1b
to spice things up, I used 10.0.2.0/24 as the IPV4 CIDR.

After creating the subnets, I created an EC2 instance in the public subnet so that I could SSH into it.
To create the EC2 instance.

I navigated to the EC2 service window
I clicked on Create and gave the instance a name.
For the Application and OS images, I chose Ubuntu and a free-tier eligible AMI

Instance type is also free-tier eligible. created a key pair to securely SSH into the instance
In the network settings section, here is where you configure the VPC, subnets, and ports to access the instance.
. Choose the VPC made earlier.
. Select the public subnet in the VPC and select Enable on Auto-assign IP.
. Select Create security groups
. for the inbound security rules, SSH and HTTP to listen on port 80(nginx)
. Launch the EC2

Now, to SSH into the EC2, locate where the key is saved, and git bash there
Run these commands to connect

chmod 400 "key.pem"
ssh -i "key55.pem" ubuntu@instanceIP

Ja, we can't connect to the EC2 because the VPC does not allow any connection from outside. We need to add an internet gateway to achieve this.
steps involve

Create an internet gateway
Attach the internet gateway to the VPC.
Create a route table for the gateway
attach the route table to the public subnet After creating the route table, you need to edit the route to attach the internet gateway created

Move to the public subnet, select the route table, edit the route table association, and select the route table created

Now SSH back into the instance and run the following:

sudo apt update
sudo apt install nginx # to install nginx

Before the creation of the private EC2, I copied the key into the public EC2 for secure SSH
scp -i key.pem key.pem ec2-user@<public-ec2-ip>:~/.ssh/

Setting up the Private EC2

Just like building the public EC2, I maintained everything except the following:

Disabled auto-assign public ip
Selected the private subnet
Added Custom TCP on port 8080 to the inbound security rules

The private EC2 is only accessible in the public EC2. To access the private EC2, SSH into the public, change directory to .ssh, and SSH from there.
Once in the private EC2, I updated the OS and opened Vim to make a simple HTML page to serve up from the public EC2.

<html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Document</title> </head> <body> <h1>ich bin poloand</h1> </body> </html>
I served up this HTML file with Python, which ran in the background.
nohup python3 -m http.server 8080 &exit from the private EC2 to the public.

Once in the public EC2, I changed the nginx config file to serve up the python server from the private EC2

sudo vim /etc/nginx/nginx.conf # move the conf to make changes

user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
}

http {
        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/access.log;
        gzip on;
        include /etc/nginx/conf.d/*.conf;

        server {
                listen 80;                         
                server_name _;
                location / {
                        proxy_pass http://privateIP:8080; 
                }
        }
}

sudo nginx -T # for conf linting
sudo systemctl restart nginx #to restart the service.
Now open the browser to see the HTML page served up

Mistakes I encountered

HTML file was not executable
Security group blocking port 8080
No key pair that resulted in a failed SSH into the private EC2.
Missing semicolons in nginx.conf

Conclusion

This project has taught me more about VPCs, subnets, IPv4s, compute, etc. Some of the lessons i got from this project are

Security groups are everything about security
Always create a key pair
Always ls -l to see permissions on a file.
Read config carefully

Next up more projects on VPC