
Create a Multi-Subnet VPC with Secure Access to Private Servers with Outbound Internet Access

In this hands-on lab, we will create a highly available multi-subnet VPC and subnet structure for private application servers. We'll then configure a bastion host so that remote administrative staff can securely connect to the VPC and manage the private instances. Since these instances will require outbound access for security patches and updates, we will create and configure a NAT gateway to provide it.

Our task is to create the VPC with public and private route tables. The VPC's CIDR, ``, has been subnetted. Our new CIDR block `/26` allows for a maximum of four subnets. We will create two public and two private subnets. Then, we will create the NACL and security group rules to support the bastion host, private instances, and NAT gateway.

Once that's done, we'll validate the connectivity for our bastion host by creating an SSH tunnel through it to our private instance. Once we're in, we will verify that our private instance can connect to the internet. There is a lot to do in this hands-on lab, so let's get started.


Path Info

Intermediate
1h 0m
May 20, 2021


Table of Contents

  1. Challenge: Create the VPC Skeleton

    1. Create a VPC named ATD_VPC with a CIDR block of
    2. Within the VPC, create four subnets using the CIDR block /26.

  2. Challenge: Create an Internet Gateway and a Public and Private Route Table

    1. Create an internet gateway and attach it to the VPC.
    2. Create a public route table named ATD_PublicRT with a default route to the internet gateway.
    3. Create a private route table named ATD_PrivateRT with a destination CIDR block of

  3. Challenge: Configure the Bastion Host

    1. Create the NACLs named ATD_Public1 and a security group named ATD_Bastion-SG with the appropriate configuration for the bastion host.
    2. Set up the bastion host Amazon EC2 instance with the name tag BastionHost and verify connectivity using SSH.

  4. Challenge: Create an Amazon EC2 Instance in the Private Subnet

    1. Create the NACLs and security group configuration necessary to support SSH connectivity between the bastion host and an Amazon EC2 instance in the private subnet.
    2. Create an instance in the private subnet with the name tag PrivateAppServer, and verify SSH connectivity from the bastion host.

  5. Challenge: Set Up the NAT Gateway and Validate Connectivity

    1. Create the NACLs required for the NAT gateway subnet.
    2. Create the NAT gateway and set it as the target for the default route in the private route table.
    3. Verify connectivity to the internet from the private EC2 instance.
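
A design check for the structure these challenges build, as an added example that is not part of the lab's own material: it splits a VPC CIDR into four /26 subnets and audits the default routes and SSH rules. The CIDR ranges, the `igw-EXAMPLE` and `nat-EXAMPLE` IDs, the `PrivateApp-SG` name and the dictionary layout are constructed assumptions, since the page does not supply them.

```python
import ipaddress

# Constructed values: the page gives no VPC CIDR, admin source range or
# private security group name (PrivateApp-SG is hypothetical).
VPC_CIDR = "192.0.2.0/24"        # documentation range standing in for the lab's CIDR
ADMIN_CIDR = "198.51.100.0/24"   # hypothetical range used by remote admin staff

def plan_subnets(vpc_cidr, prefix=26):
    """Carve the VPC into /26 blocks: two public, two private."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix))
    roles = ["public-1", "public-2", "private-1", "private-2"]
    if len(blocks) < len(roles):
        raise ValueError(f"{vpc_cidr} cannot hold four /{prefix} subnets")
    return dict(zip(roles, blocks))

def audit(design):
    """Return findings; an empty list means the design matches the lab's intent."""
    findings = []
    routes = design["route_tables"]
    if not routes["ATD_PublicRT"].get("0.0.0.0/0", "").startswith("igw-"):
        findings.append("ATD_PublicRT: default route is not an internet gateway")
    if not routes["ATD_PrivateRT"].get("0.0.0.0/0", "").startswith("nat-"):
        findings.append("ATD_PrivateRT: default route is not a NAT gateway")
    for port, source in design["security_groups"]["ATD_Bastion-SG"]:
        if port == 22 and ipaddress.ip_network(source).prefixlen == 0:
            findings.append("ATD_Bastion-SG: SSH is open to any address")
    for port, source in design["security_groups"]["PrivateApp-SG"]:
        if port == 22 and source != "ATD_Bastion-SG":
            findings.append(f"PrivateApp-SG: SSH allowed from {source}, not the bastion group")
    return findings

GOOD = {
    "route_tables": {"ATD_PublicRT": {"0.0.0.0/0": "igw-EXAMPLE"},
                     "ATD_PrivateRT": {"0.0.0.0/0": "nat-EXAMPLE"}},
    "security_groups": {"ATD_Bastion-SG": [(22, ADMIN_CIDR)],
                        "PrivateApp-SG": [(22, "ATD_Bastion-SG")]},
}
# Misconfigured variant: private subnets routed to the IGW, SSH open everywhere.
BAD = {
    "route_tables": {"ATD_PublicRT": {"0.0.0.0/0": "igw-EXAMPLE"},
                     "ATD_PrivateRT": {"0.0.0.0/0": "igw-EXAMPLE"}},
    "security_groups": {"ATD_Bastion-SG": [(22, "0.0.0.0/0")],
                        "PrivateApp-SG": [(22, "0.0.0.0/0")]},
}

if __name__ == "__main__":
    for role, net in plan_subnets(VPC_CIDR).items():
        print(role, net, net.num_addresses - 5, "usable")  # AWS reserves 5 per subnet
    print(audit(GOOD), audit(BAD), sep="\n")
```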

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!

What's a lab?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Provided environment for hands-on practice

We will provide the credentials and environment necessary for you to practice right within your browser.

Guided walkthrough

Follow along with the author’s guided walkthrough and build something new in your provided environment!

Did you know?

On average, you retain 75% more of your learning if you get time for practice.
