Introduction:
In my last blog, I shared how to launch an EC2 instance inside a public subnet in a custom AWS VPC.
But what if we want more security — like running our application or database servers in a private subnet, isolated from the internet?
That’s where things like Private Subnets, NAT Gateways, and Bastion Hosts come in.
In this blog, We’ll Learn:
- Setting up a private subnet in our existing VPC
- Creating a NAT Gateway for internet access (outbound only)
- Using a Bastion Host (jump server) to SSH into the private EC2
- Let’s build a secure network architecture!
Recap: Components We Need..!
| Component | Description |
| -------------------------- | ------------------------------------------------ |
| VPC | our existing Virtual Private Cloud |
| Public Subnet | Already created for Bastion Host |
| Private Subnet | New subnet with no direct internet access |
| Internet Gateway (IGW)** | Already attached to VPC |
| NAT Gateway | Needed for outbound internet from private subnet |
| Route Tables | One for public, one for private subnet |
| Bastion Host | Public EC2 to connect securely to private EC2 |
Step-by-Step Setup
1. Use the Existing VPC
We’ve already created a VPC (e.g., 10.0.0.0/16), continue using it.
2. Create a Private Subnet
- Go to Subnets > Create Subnet
Choose:
- VPC:
my-custom-vpc - Name:
private-subnet - CIDR block:
10.0.2.0/24 - Availability Zone: Same as NAT Gateway
- Do NOT enable auto-assign public IP
3. Create a NAT Gateway
- Go to NAT Gateway > Create
Choose:
- Subnet: Our Public Subnet
- Elastic IP: Allocate a new one
- Name it:
my-nat-gateway - Click Create NAT Gateway
- NAT Gateway must be in a public subnet because it needs internet access via IGW.
4. Create a Private Route Table
- Go to Route Tables > Create Route Table
- Name: private-route-table
- VPC: my-custom-vpc
- Add Route:
- Destination:
0.0.0.0/0 - Target: NAT Gateway
- Go to Subnet Associations
- Select our private-subnet
- Now, private subnet has outbound internet access only.
5. Launch EC2 in Private Subnet
- Go to EC2 > Launch Instance
Choose:
- Name: private-ec2
- Amazon Linux 2
- Subnet: private-subnet
- Auto-assign Public IP: Disabled
- Key Pair: Choose existing
- Security Group:
Allow SSH from Bastion Host’s internal IP or SG
EC2 in private subnet won’t be accessible directly from our local machine.
6. Use Existing Public EC2 as Bastion Host to Access Private EC2
- Connect to the Private EC2 (2-Hop SSH):
# Step 1: SSH into our public EC2 (Bastion Host)
ssh -i your-key.pem ec2-user@<Public-IP-of-Bastion>
# Step 2: From inside the Bastion EC2, SSH into the private EC2
ssh -i your-key.pem ec2-user@<Private-IP-of-Private-EC2>
8. Test Internet Connectivity
ping google.com
If it replies, then our NAT Gateway is working properly.
Points to Remember:
- Private subnets increase security by not exposing EC2 to the internet directly
- NAT Gateway allows outbound-only access (like updates, package installs)
- Bastion Host is required to SSH into private EC2 (jump server setup)
- CIDR blocks must remain within the VPC range (e.g., 10.0.0.0/16)
Thanks for Reading!
If you’re just getting started with AWS, this guide should help you take that first confident step into cloud networking.
Happy cloud building!🙌