Design and Deployment of a Multi-Tier Custom VPC Architecture in AWS

Overview:
In this project, I architected and deployed a multi-tier Virtual Private Cloud (VPC) environment in AWS to simulate an enterprise-grade network architecture. The environment was split into four tiers (Reserved, Database, Application, and Web), each spanning three Availability Zones for high availability and fault tolerance.
The design used both public and private subnets: the web tier was made public through an Internet Gateway, while the application and database subnets stayed private, with a NAT Gateway giving them outbound-only IPv4 internet access. Route tables, subnets, and security groups were configured to control traffic flow between the tiers and keep them separated.
The final architecture allowed secure, scalable, and highly available deployment of workloads within the AWS cloud, offering a practical foundation for hosting distributed applications.
Key AWS Services Used:
Amazon VPC – To create a custom VPC with IPv4/IPv6 support and DNS settings
Subnets – 12 subnets distributed across 3 Availability Zones (public and private)
Internet Gateway – Enabled public internet access for web-tier subnets
Route Tables – Controlled traffic flow across different subnet tiers
NAT Gateway – Provided outbound internet access to private subnets
Amazon EC2 – Deployed instances in both public (web) and private (application) subnets
Security Groups – Configured fine-grained inbound/outbound access rules
EC2 Instance Connect – Used for browser-based SSH access
Steps:
1. Create a Custom VPC
In the AWS Console, search for VPC and navigate to Your VPCs > Create VPC.
Specify the IPv4 CIDR block as 10.16.0.0/16 and enable an Amazon-provided IPv6 CIDR block to support dual-stack networking. Once the VPC is created, enable DNS resolution and DNS hostnames in the VPC settings so that instances with public IP addresses also receive public DNS names. Keep in mind that Amazon-provided IPv6 addresses are globally unique and publicly routable; whether an instance is actually reachable over IPv6 is decided by its subnet's route table and its security group.
2. Create Subnets
Create four subnets for each Availability Zone (A, B, and C), corresponding to the Reserved, Database, Application, and Web tiers:
Go to Subnets > Create Subnet.
Use a consistent naming convention, e.g. sn-reserved-A, and use the Add Subnet option to define the remaining subnets with non-overlapping IPv4 CIDR blocks carved from 10.16.0.0/16.
Assign each subnet an IPv6 CIDR block (a /64 out of the VPC's IPv6 block). Auto-assignment of IPv6 addresses is not turned on by the wizard and must be enabled per subnet afterwards.
At this stage every subnet is associated with the VPC's main route table, which contains only the local route, so all subnets are private and have no internet access.
3. Configure Public Subnets
To enable internet communication, convert Web-A, Web-B, and Web-C into public subnets.
Step 1: Create and Attach an Internet Gateway
Navigate to Internet Gateways > Create Internet Gateway.
Attach the Internet Gateway to the custom VPC. On its own this exposes nothing; a subnet becomes public only once its route table sends default traffic to the gateway and its instances have public addresses.
Step 2: Create Route Table for Public Subnets
Create a new route table and associate it with the public web subnets.
Add a default route (0.0.0.0/0) for IPv4 and a default route (::/0) for IPv6.
Set the target of both routes to the Internet Gateway.
Go to Subnet Associations and link the route table to Web-A, Web-B, and Web-C.
Step 3: Enable Auto-Assign Public IP
For each public web subnet, enable the Auto-assign public IPv4 address setting to ensure instances receive a public IP upon launch.
4. Launch an EC2 Instance in a Public Subnet
Launch a new EC2 instance in the Web-A subnet.
Select or create an SSH key pair.
In Network Settings, choose the custom VPC and Web-A subnet.
Create a new security group with only the inbound rules the instance needs (e.g., SSH on TCP 22 from your own IP address rather than from 0.0.0.0/0).
Launch the instance.
To verify access, use EC2 Instance Connect or an SSH client. Because the instance sits in a public subnet with a public IP and a default route to the Internet Gateway, the connection from the internet should succeed.
5. Set Up NAT Gateway for Private Subnets
Deploy a NAT Gateway in one of the public subnets (e.g., Web-A) and allocate an Elastic IP for it; this is what gives private instances outbound internet access. A NAT Gateway is a zonal resource, so a gateway in Web-A serves the AZ-A private subnets; production deployments place one in each AZ to avoid a cross-AZ dependency.
Launch a private EC2 instance in the Application-A subnet.
Because this instance has no public IP, connect to it through an EC2 Instance Connect Endpoint, which lets you reach an instance securely from the internet without a bastion host and without the VPC having direct internet connectivity.
Once connected, a ping to an internet host fails, because the private subnet has no route to the internet.
The NAT Gateway will give the private instance connectivity to the public IPv4 internet. It does not carry IPv6; IPv6 egress from private subnets requires an egress-only internet gateway.
Create a new route table for private subnets.
Add a default IPv4 route (0.0.0.0/0) pointing to the NAT Gateway.
Associate this route table with all private subnets in AZ-A (App-A, DB-A, Reserved-A).
You can now verify connectivity from the private EC2 instance to the internet through the NAT Gateway by pinging a public host or running a package update. Inbound connections from the internet to the private instance remain impossible, since nothing maps a public address to it.
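The five steps above are console clicks. The following Python script, added here as an example and not part of the original project, puts the same plan on paper first: it carves 10.16.0.0/16 into twelve /20 subnets and the VPC's IPv6 block into /64s, builds the two route tables from steps 3 and 5, and audits the result for the mistakes that matter in this design (a non-web subnet routed to the Internet Gateway, a public subnet without an IGW route, overlapping CIDRs). The /20 subnet size, the IPv6 prefix 2600:1f18:1234:5600::/56, and the names rt-web-public and rt-private-A are assumptions for the example; the post leaves the exact CIDRs open. It runs offline with the standard library only.

```python
"""Added example: plan the 10.16.0.0/16 dual-stack VPC from the steps above
and audit the subnet/route-table layout before anything is created."""
import ipaddress
from dataclasses import dataclass, field

VPC_V4 = ipaddress.ip_network("10.16.0.0/16")
# Assumption: AWS handed this /56 to the VPC; the real block is only known after creation.
VPC_V6 = ipaddress.ip_network("2600:1f18:1234:5600::/56")
AZS = ["A", "B", "C"]
TIERS = ["reserved", "db", "app", "web"]  # web is the only tier made public


@dataclass
class Subnet:
    name: str
    az: str
    tier: str
    cidr4: ipaddress.IPv4Network
    cidr6: ipaddress.IPv6Network
    public_ip_on_launch: bool


@dataclass
class RouteTable:
    name: str
    routes: dict          # destination -> target ("igw" or "nat"); the local route is implicit
    subnets: list = field(default_factory=list)


def plan_subnets():
    """Carve the /16 into /20s and the /56 into /64s, one pair per (AZ, tier).

    Assumption: one /20 per subnet (16 possible, 12 used), laid out AZ by AZ, so AZ A
    gets 10.16.0.0/20 .. 10.16.48.0/20 and AZ C ends at 10.16.176.0/20.
    """
    v4_blocks = list(VPC_V4.subnets(new_prefix=20))
    v6_blocks = list(VPC_V6.subnets(new_prefix=64))   # AWS subnets must be /64
    subnets = []
    for i, az in enumerate(AZS):
        for j, tier in enumerate(TIERS):
            k = i * len(TIERS) + j
            subnets.append(Subnet(f"sn-{tier}-{az}", az, tier, v4_blocks[k], v6_blocks[k],
                                  public_ip_on_launch=(tier == "web")))
    return subnets


def plan_route_tables(subnets):
    """Steps 3 and 5: one public table for the web tier, one NAT table for AZ A."""
    public = RouteTable("rt-web-public", {"0.0.0.0/0": "igw", "::/0": "igw"})
    private_a = RouteTable("rt-private-A", {"0.0.0.0/0": "nat"})
    for s in subnets:
        if s.tier == "web":
            public.subnets.append(s)
        elif s.az == "A":
            private_a.subnets.append(s)
    return [public, private_a]


def audit(subnets, route_tables):
    """Return (severity, subnet, message) findings; HIGH means unintended exposure."""
    findings = []
    for a in subnets:
        if not (a.cidr4.subnet_of(VPC_V4) and a.cidr6.subnet_of(VPC_V6)):
            findings.append(("HIGH", a.name, "CIDR lies outside the VPC block"))
        for b in subnets:
            if a.name < b.name and a.cidr4.overlaps(b.cidr4):
                findings.append(("HIGH", a.name, f"IPv4 CIDR overlaps {b.name}"))
    # Subnets with no explicit association fall back to the main route table (local route only).
    assoc = {s.name: rt for rt in route_tables for s in rt.subnets}
    for s in subnets:
        rt = assoc.get(s.name)
        routes = rt.routes if rt else {}
        igw_default = routes.get("0.0.0.0/0") == "igw"
        if s.public_ip_on_launch and not igw_default:
            findings.append(("HIGH", s.name, "auto-assigns public IPs but has no IGW default route"))
        if not s.public_ip_on_launch and igw_default:
            findings.append(("HIGH", s.name, "private tier has a default route to the Internet Gateway"))
        if rt is None:
            findings.append(("INFO", s.name, "implicitly on the main route table: local route only, no internet"))
        elif routes.get("0.0.0.0/0") == "nat" and "::/0" not in routes:
            findings.append(("INFO", s.name, "no IPv6 egress route: NAT Gateway is IPv4-only, use an egress-only IGW"))
    return findings


if __name__ == "__main__":
    subnets = plan_subnets()
    for s in subnets:
        print(f"{s.name:16} {str(s.cidr4):18} {s.cidr6}  public={s.public_ip_on_launch}")
    for sev, name, msg in audit(subnets, plan_route_tables(subnets)):
        print(f"[{sev}] {name}: {msg}")
```

Run against the layout described above, the audit reports no HIGH findings and nine INFO findings: the three AZ-A private subnets have IPv4-only egress, and the six private subnets in AZ-B and AZ-C stay on the main route table with no internet path at all, which is exactly what the steps configure. Moving any private subnet onto the public route table turns into a HIGH finding, which is the check worth running before reproducing this layout in production.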
Learning Outcome:
By completing this project, I gained practical, hands-on experience in architecting and deploying a secure, highly available, and scalable multi-tier network infrastructure in AWS. I developed a clear understanding of how to design and implement:
Custom VPCs with both IPv4 and IPv6 addressing
Public and private subnets across multiple Availability Zones
Internet Gateway and NAT Gateway configurations
Custom route tables for controlled traffic flow
EC2 instance deployment in both public and private environments
Written by Pooja Mehta
