Level 200: Automated Deployment of VPC

Last Updated: July 2020

Authors: Ben Potter, Security Lead, Well-Architected


This hands-on lab will use AWS CloudFormation to create an Amazon VPC to outline some of the AWS security features available. Using CloudFormation to automate the deployment provides a repeatable way to create and update, and you can re-use the template after this lab.

The example template will deploy a completely new VPC incorporating a number of AWS security best practices which include:

Networking subnets created in 3 availability zones for the following network tiers:

  • Application Load Balancer - named ALB1
  • Application instances - named App1
  • Shared services - named Shared1
  • Database - named DB1

VPC Architecture: architecture

  • VPC endpoints are created for private connectivity to AWS services. Additional endpoints can be enabled for the application tier using the App1SubnetsPrivateLinkEndpoints CloudFormation parameter.
  • NAT Gateways are created to allow subnets in the VPC to connect to the internet, without any direct ingress access as defined by the Route Table .
  • Network ACLs control access at each subnet tier.
  • VPC Flow Logs captures information about IP traffic and stores it in Amazon CloudWatch Logs.


  • An AWS account that you are able to use for testing, that is not used for production or other purposes.
  • An IAM user or role in your AWS account with access to CloudFormation, EC2, VPC, IAM.
  • Basic understanding of AWS CloudFormation , visit the Getting Started section of the user guide.

NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier . It is recommended to delete the CloudFormation stack when you have completed the lab.


References & useful resources