How to Set Up a Private EC2 Network on AWS with NAT and Secured SSH Access

Jay Tillu

Arjun had just landed his new role as a Cloud Security Engineer at a fintech startup. On Day 2, his manager dropped this on him:

“Build a secure AWS network. No public exposure. We want a private EC2 that can access the internet — but no one should SSH into it directly.”

No default VPCs.
No shortcuts.
Just pure control and clean architecture.


🧱 Step 1: Creating the Custom VPC

  1. Go to: VPC → “Create VPC”

  2. Choose: VPC only

  3. Name: arjun-custom-vpc

  4. CIDR block: 10.0.0.0/16

  5. Enable DNS support and hostnames ✅

Boom. A blank slate VPC, isolated from everything.


🌐 Step 2: Subnet Setup — Public and Private

Arjun wanted one EC2 exposed for SSH (the Bastion), and one locked inside (the target private EC2).

🔹 Public Subnet

  • Name: public-subnet-1

  • AZ: us-east-1a

  • CIDR: 10.0.1.0/24

🔒 Private Subnet

  • Name: private-subnet-1

  • AZ: us-east-1a

  • CIDR: 10.0.2.0/24


🛣️ Step 3: Route Table for Public Subnet + IGW

  1. Go to Internet Gateways → Create

  2. Name: arjun-igw → Attach to VPC

Then:

  1. Go to Route Tables → Create

  2. Name: public-rt → Associate with public-subnet-1

  3. Add route:

    • 0.0.0.0/0 → Internet Gateway

✅ Now the public subnet has internet access.


🚪 Step 4: NAT Gateway for Private Subnet

  1. Allocate Elastic IP

  2. Go to NAT Gateway → Create

    • Name: arjun-nat-gw

    • Subnet: public-subnet-1

    • EIP: the one you just created

Now:

  1. Create Route Table → private-rt

  2. Associate with private-subnet-1

  3. Add route:

    • 0.0.0.0/0 → NAT Gateway

✅ Private subnet has outbound internet only (e.g., to download OS updates).


🧱 Step 5: Launch Two EC2 Instances

🔓 Bastion Host (Public EC2)

  • Subnet: public-subnet-1

  • Public IP: ✅ Yes

  • Security Group: Allow SSH from your IP

  • Key pair: arjun-key.pem

🔐 Private EC2

  • Subnet: private-subnet-1

  • Public IP: ❌ No

  • Security Group: Allow SSH only from Bastion’s private IP

Arjun launched both using Amazon Linux 2.


🔑 Step 6: Security Groups Recap

Instance        Access From                Port
Bastion Host    Your IP (e.g., home)       22
Private EC2     Bastion Host private IP    22

✅ Keep your networks tight. Don’t allow 0.0.0.0/0 into private servers.
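A way to verify what Steps 3 to 6 produced, added here as an example and not part of the original walkthrough: it checks that public-rt sends 0.0.0.0/0 to the IGW, private-rt sends it to the NAT Gateway, and that each security group allows SSH from exactly one /32. The data is constructed to mirror the shape of `aws ec2 describe-route-tables` and `describe-security-groups` output; the gateway IDs and IPs are placeholders.

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-route-tables` and
# `describe-security-groups` output, trimmed to the fields checked here.
ROUTE_TABLES = {  # IDs are placeholders, not values from a real account
    "public-rt": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}],
    "private-rt": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER"}],
}
SECURITY_GROUPS = {
    "bastion-sg": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}],   # your IP (constructed)
    "private-sg": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "10.0.1.25/32"}]}],      # bastion's private IP
}

def default_route_target(routes):
    """Return 'igw', 'nat' or None depending on where the 0.0.0.0/0 route points."""
    for route in routes:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
    return None

def audit_ssh_ingress(name, rules, allowed_cidr):
    """Flag every inbound rule that is not exactly tcp/22 from allowed_cidr."""
    findings, allowed = [], ipaddress.ip_network(allowed_cidr)
    for rule in rules:
        if (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")) != ("tcp", 22, 22):
            findings.append(f"{name}: unexpected non-SSH ingress rule {rule}")
            continue
        for rng in rule.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if cidr != allowed:
                findings.append(f"{name}: SSH open to {cidr}, expected only {allowed}")
    return findings

def audit(route_tables, sgs, admin_ip, bastion_private_ip):
    """Check Steps 3-6: default routes go to IGW/NAT, SSH is scoped to one /32 each."""
    findings = []
    if default_route_target(route_tables["public-rt"]) != "igw":
        findings.append("public-rt: 0.0.0.0/0 must point at the Internet Gateway")
    if default_route_target(route_tables["private-rt"]) != "nat":
        findings.append("private-rt: 0.0.0.0/0 must point at the NAT Gateway")
    findings += audit_ssh_ingress("bastion-sg", sgs["bastion-sg"], admin_ip + "/32")
    findings += audit_ssh_ingress("private-sg", sgs["private-sg"], bastion_private_ip + "/32")
    return findings
```

An empty list from `audit()` means the build matches the recap table; any 0.0.0.0/0 on port 22 shows up as a finding. In practice the private EC2's rule is often written against the bastion's security group ID instead of its private IP so it survives a bastion replacement; the check above follows the post's IP-based rule.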


🛠️ Step 7: SSH into Private EC2 (Real-Life Steps)

Arjun tried SSH directly into the private EC2. It failed — obviously, no public IP.
So he followed the correct two-step SSH method:


🔹 7.1: SSH into Bastion Host

ssh -i arjun-key.pem ec2-user@<Bastion-Public-IP>

🔹 7.2: Upload Key to Bastion Host

From your local terminal:

scp -i arjun-key.pem arjun-key.pem ec2-user@<Bastion-Public-IP>:~/

Part                           What It Means
scp                            Secure Copy – used to copy files securely between computers over SSH.
-i arjun-key.pem               Tells SCP to use your private key to authenticate when connecting to the Bastion host.
arjun-key.pem                  The file you're uploading to the Bastion host.
ec2-user@<Bastion-Public-IP>   The username and IP of your Bastion EC2 instance (use the real IP here).
:~/                            “Put the file in the home directory of the EC2 user on that server.”

✅ Real-World Meaning:

You're saying:

“Hey SCP, use this arjun-key.pem key to log into the Bastion EC2 instance, and then upload the same file arjun-key.pem into its home folder.”

🧠 Beginner Tips:

  • You need to run this command from the same folder where the .pem file is located, or give the full path to the file like ~/Downloads/arjun-key.pem.

    Example:

      scp -i ~/Downloads/arjun-key.pem ~/Downloads/arjun-key.pem ec2-user@<Bastion-IP>:~/
    
  • ec2-user is the default username for Amazon Linux 3 instances.
    If you're using Ubuntu, replace it with ubuntu.


🔹 7.3: Fix Permissions on Bastion Host

Once inside the Bastion:

chmod 400 arjun-key.pem

🔹 7.4: SSH into Private EC2 from Bastion Host

ssh -i arjun-key.pem ec2-user@<Private-EC2-IP>

✅ Arjun is now inside a fully private EC2. No public access. Full control.
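The same two-hop path expressed as an SSH client config with ProxyJump, added here as an example and not part of the original walkthrough. It keeps arjun-key.pem on the local machine instead of uploading it to the bastion as in Step 7.2, so a compromised bastion does not also hand over the key. The Host aliases are assumptions; the private EC2's security group still needs to allow port 22 from the bastion as in Step 5.

```sshconfig
# ~/.ssh/config (added example; the Host names and placeholder IPs are assumptions)
Host arjun-bastion
    HostName <Bastion-Public-IP>
    User ec2-user
    IdentityFile ~/.ssh/arjun-key.pem
    IdentitiesOnly yes

Host arjun-private
    HostName <Private-EC2-IP>
    User ec2-user
    IdentityFile ~/.ssh/arjun-key.pem
    IdentitiesOnly yes
    # Tunnel through the bastion; the private key never leaves this machine
    ProxyJump arjun-bastion
```

With this in place, `ssh arjun-private` reaches the private EC2 in one command, and the scp upload in Step 7.2 (and the chmod in 7.3) are no longer needed.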


🔐 What Did Arjun Just Build?

  • A custom VPC with separate public/private subnets

  • A NAT Gateway to allow safe outbound traffic

  • A Bastion Host for SSH-based access into private EC2s

  • Zero public exposure of sensitive servers

This is the foundation every secure AWS environment starts from.


🧠 Why It Matters (And Why Corporate Teams Love It)

  • ✅ No direct SSH into prod EC2s

  • ✅ All access is routed, logged, and controlled

  • ✅ Easy to expand with ALB, RDS, S3 endpoints, etc.

  • ✅ 100% AWS best practices


Follow me for more such content


Written by

Jay Tillu

Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!