jmac052002/aws-vpc-alb-private-ec2-lab

AWS VPC + ALB + Private EC2 Lab (2-AZ Network Architecture)

This lab demonstrates a production-style AWS network of the kind you would design as a Solutions Architect:

  • Custom VPC
  • Public and private subnets across 2 Availability Zones
  • Internet Gateway and NAT Gateway
  • Application Load Balancer (ALB) in public subnets
  • EC2 web servers in private subnets
  • Layered route tables and security groups

Traffic flow: Client → ALB (public subnet) → EC2 (private subnet)

I built this to deepen my understanding of AWS networking, high availability, and exam-style architectures for the AWS Solutions Architect Associate.


High-Level Architecture

Region: us-east-1 (N. Virginia)
VPC CIDR: 10.0.0.0/16

Subnets

| Subnet name | Type    | AZ         | CIDR         | Purpose          |
|-------------|---------|------------|--------------|------------------|
| public-a    | Public  | us-east-1a | 10.0.1.0/24  | ALB, NAT gateway |
| public-b    | Public  | us-east-1b | 10.0.2.0/24  | ALB              |
| private-a   | Private | us-east-1a | 10.0.11.0/24 | EC2 web server   |
| private-b   | Private | us-east-1b | 10.0.12.0/24 | EC2 web server   |

Internet Connectivity

  • Internet Gateway (sa-lab-igw)

    • Attached to the VPC
    • Public route table sends 0.0.0.0/0 → IGW
  • NAT Gateway (sa-lab-nat-a)

    • Lives in public-a
    • Private route table sends 0.0.0.0/0 → NAT
    • Allows private EC2 instances to reach the internet outbound only (e.g., OS updates) while remaining non-public.

Route Tables

  • Public Route Table (sa-lab-public-rt)

    • Associated with public-a, public-b
    • Routes:
      • 10.0.0.0/16 → local
      • 0.0.0.0/0 → Internet Gateway
  • Private Route Table (sa-lab-private-rt)

    • Associated with private-a, private-b
    • Routes:
      • 10.0.0.0/16 → local
      • 0.0.0.0/0 → NAT Gateway

Compute & Load Balancing

  • EC2 Instances

    • AMI: Amazon Linux
    • Type: t2.micro/t3.micro
    • Subnets:
      • sa-lab-web-a in private-a
      • sa-lab-web-b in private-b
    • No public IPs
    • Bootstrapped with a user data script to install Apache and serve a simple page:
      user-data/webserver.sh
  • Application Load Balancer (sa-lab-alb)

    • Scheme: Internet-facing
    • Subnets: public-a, public-b
    • Listener: HTTP :80 → Target group sa-lab-tg-web
    • Target type: Instance
    • Health checks: HTTP /

Security Groups

  • ALB Security Group (sa-lab-alb-sg)

    • Inbound:
      • HTTP 80 from 0.0.0.0/0 (internet) — for the lab
    • Outbound:
      • All traffic (default)
  • Web Server Security Group (sa-lab-web-sg)

    • Inbound:
      • HTTP 80 from sa-lab-alb-sg only
    • Outbound:
      • All traffic (default)

This creates a proper layered security model:

  • Internet can reach only the ALB
  • ALB can reach the web servers
  • Web servers are not directly reachable from the internet
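The three properties of the layered model are worth verifying against the deployed account rather than only designing on paper. The following added example (not part of this lab's repository) encodes them as audit functions and runs them over constructed sample data shaped like the boto3 EC2 describe_* responses; every resource ID in it is a placeholder.

```python
# Constructed sample data shaped like boto3 ec2 describe_* responses; IDs are placeholders.
ALB_SG, WEB_SG = "sg-alb-placeholder", "sg-web-placeholder"
PRIVATE_SUBNETS = {"subnet-private-a", "subnet-private-b"}
ROUTE_TABLES = [  # ec2.describe_route_tables()["RouteTables"]
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-private-a"}, {"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"}]},
]
SECURITY_GROUPS = [  # ec2.describe_security_groups()["SecurityGroups"]
    {"GroupId": ALB_SG, "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": WEB_SG, "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]},
]
INSTANCES = [  # Reservations[].Instances[] from ec2.describe_instances(), flattened
    {"InstanceId": "i-web-a", "SubnetId": "subnet-private-a"},
    {"InstanceId": "i-web-b", "SubnetId": "subnet-private-b"},
]

def private_subnets_routed_to_igw(route_tables, private_subnets):
    """Private subnets whose route table sends 0.0.0.0/0 straight to an internet gateway."""
    bad = set()
    for rt in route_tables:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
               for r in rt["Routes"]):
            # Main-table associations carry no SubnetId; .get() keeps them out of the set.
            bad |= {a.get("SubnetId") for a in rt["Associations"]} & private_subnets
    return bad

def web_sg_findings(security_groups, web_sg, alb_sg):
    """Ingress on the web SG that is anything other than tcp/80 from the ALB SG."""
    findings = []
    for sg in security_groups:
        if sg["GroupId"] != web_sg:
            continue
        for perm in sg["IpPermissions"]:
            ports = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
            # Any CIDR-based rule on the web SG breaks the "ALB only" model.
            findings += [f"{r['CidrIp']} {ports}" for r in perm.get("IpRanges", [])]
            findings += [f"{g['GroupId']} {ports}" for g in perm.get("UserIdGroupPairs", [])
                         if g["GroupId"] != alb_sg or ports != ("tcp", 80, 80)]
    return findings

def instances_with_public_ip(instances):
    """Instances that received a public IPv4 address (the lab disables this)."""
    return [i["InstanceId"] for i in instances if i.get("PublicIpAddress")]
```

Each function returns an empty result for the lab as described; anything non-empty is a deviation from the model.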

Build Steps (Summary)

I created everything using the AWS Console to really see how the pieces fit:

  1. VPC

    • Created sa-lab-vpc with CIDR 10.0.0.0/16
  2. Subnets

    • Created two public and two private subnets across us-east-1a and us-east-1b
  3. Internet Gateway & NAT

    • Created and attached sa-lab-igw
    • Created sa-lab-nat-a in public-a with an Elastic IP
  4. Route Tables

    • Public RT: associated with public subnets, default route to IGW
    • Private RT: associated with private subnets, default route to NAT
  5. EC2 Instances in Private Subnets

    • Launched sa-lab-web-a in private-a and sa-lab-web-b in private-b
    • Disabled public IPs
    • Added user data to install Apache and serve a simple HTML page
  6. Security Groups

    • sa-lab-alb-sg: HTTP from internet
    • sa-lab-web-sg: HTTP only from sa-lab-alb-sg
  7. Target Group & ALB

    • Created sa-lab-tg-web (instance target type, HTTP:80, health check /)
    • Registered both EC2 instances
    • Created ALB sa-lab-alb targeting sa-lab-tg-web and mapped it to public-a and public-b

How to Test

  1. Go to EC2 → Load Balancers in the AWS Console.

  2. Select sa-lab-alb.

  3. Copy the DNS name, e.g.:

    sa-lab-alb-1234567890.us-east-1.elb.amazonaws.com

About

Building AWS VPC architecture