Level 200: Automated Deployment of VPC
Last Updated: July 2020
Authors: Ben Potter, Security Lead, Well-Architected
Introduction
This hands-on lab uses AWS CloudFormation to create an Amazon VPC and to outline some of the AWS security features available. Using CloudFormation to automate the deployment provides a repeatable way to create and update the VPC, and you can reuse the template after this lab.
The example template deploys a completely new VPC incorporating a number of AWS security best practices, which include:
Networking subnets created in 3 Availability Zones for the following network tiers:
- Application Load Balancer - named ALB1
- Application instances - named App1
- Shared services - named Shared1
- Database - named DB1
VPC Architecture: (diagram)
- VPC endpoints are created for private connectivity to AWS services. Additional endpoints can be enabled for the application tier using the App1SubnetsPrivateLinkEndpoints CloudFormation parameter.
- NAT Gateways are created to allow subnets in the VPC to connect to the internet without any direct ingress access, as defined by the route table.
- Network ACLs control access at each subnet tier.
- VPC Flow Logs capture information about IP traffic and store it in Amazon CloudWatch Logs.
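To make the controls listed above concrete, here is an added example CloudFormation template (written for this page, not the lab's own template or any AWS-published template) that wires together each of them for one private application subnet: a public subnet holding a NAT gateway, an App1 subnet whose only default route is that NAT gateway, an S3 gateway endpoint attached to the App1 route table, a network ACL on the App1 subnet, and VPC Flow Logs delivered to CloudWatch Logs through a least-privilege IAM role. Everything in it is an assumption for illustration: the 10.0.0.0/16 and /24 CIDRs, the logical resource names (PublicSubnet, App1Subnet, App1Nacl, FlowLogRole and so on), the 90-day log retention, HTTPS as the only inbound service, and the use of a single Availability Zone and two subnets rather than the lab's three zones and four tiers.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative VPC with NAT-only egress, a tier NACL, an S3 endpoint and Flow Logs (added example, not the lab template)
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties: { CidrBlock: 10.0.0.0/16, EnableDnsSupport: true, EnableDnsHostnames: true }
  # Public subnet hosts the NAT gateway (the lab's ALB1 tier would sit here too).
  # App1 subnet is private: no public IPs, and its only path out is the NAT gateway.
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties: { VpcId: !Ref VPC, CidrBlock: 10.0.0.0/24 }
  App1Subnet:
    Type: AWS::EC2::Subnet
    Properties: { VpcId: !Ref VPC, CidrBlock: 10.0.10.0/24 }
  InternetGateway: { Type: AWS::EC2::InternetGateway }
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: { VpcId: !Ref VPC, InternetGatewayId: !Ref InternetGateway }
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref VPC }
  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties: { RouteTableId: !Ref PublicRouteTable, DestinationCidrBlock: 0.0.0.0/0, GatewayId: !Ref InternetGateway }
  PublicSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { SubnetId: !Ref PublicSubnet, RouteTableId: !Ref PublicRouteTable }
  NatEip:
    Type: AWS::EC2::EIP
    DependsOn: AttachGateway
    Properties: { Domain: vpc }
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties: { AllocationId: !GetAtt NatEip.AllocationId, SubnetId: !Ref PublicSubnet }
  # App1 route table: 0.0.0.0/0 -> NAT gateway. Instances can reach the internet,
  # but nothing on the internet has a route to initiate a connection into App1.
  App1RouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref VPC }
  App1DefaultRoute:
    Type: AWS::EC2::Route
    Properties: { RouteTableId: !Ref App1RouteTable, DestinationCidrBlock: 0.0.0.0/0, NatGatewayId: !Ref NatGateway }
  App1SubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { SubnetId: !Ref App1Subnet, RouteTableId: !Ref App1RouteTable }
  # Gateway endpoint: S3 calls from App1 stay on the AWS network instead of leaving
  # through the NAT gateway (the endpoint adds a prefix-list route to App1RouteTable).
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      RouteTableIds: [!Ref App1RouteTable]
  # Network ACL for App1. NACLs are stateless, so replies to outbound connections need
  # their own ingress rule (ephemeral ports); HTTPS is accepted only from inside the VPC.
  App1Nacl:
    Type: AWS::EC2::NetworkAcl
    Properties: { VpcId: !Ref VPC }
  App1NaclInHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties: { NetworkAclId: !Ref App1Nacl, RuleNumber: 100, Egress: false, RuleAction: allow,
                  Protocol: 6, CidrBlock: 10.0.0.0/16, PortRange: { From: 443, To: 443 } }
  App1NaclInEphemeral:
    Type: AWS::EC2::NetworkAclEntry
    Properties: { NetworkAclId: !Ref App1Nacl, RuleNumber: 110, Egress: false, RuleAction: allow,
                  Protocol: 6, CidrBlock: 0.0.0.0/0, PortRange: { From: 1024, To: 65535 } }
  App1NaclOutAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties: { NetworkAclId: !Ref App1Nacl, RuleNumber: 100, Egress: true, RuleAction: allow,
                  Protocol: -1, CidrBlock: 0.0.0.0/0 }
  App1NaclAssoc:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties: { SubnetId: !Ref App1Subnet, NetworkAclId: !Ref App1Nacl }
  # Flow Logs for accepted and rejected traffic; the delivery role may write only to this log group.
  FlowLogGroup:
    Type: AWS::Logs::LogGroup
    Properties: { RetentionInDays: 90 }
  FlowLogRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement: [{ Effect: Allow, Principal: { Service: vpc-flow-logs.amazonaws.com }, Action: sts:AssumeRole }]
      Policies:
        - PolicyName: flowlogs-to-cloudwatch
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - { Effect: Allow, Action: logs:DescribeLogGroups, Resource: '*' }
              - Effect: Allow
                Action: [logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams]
                Resource: !GetAtt FlowLogGroup.Arn
  VpcFlowLog:
    Type: AWS::EC2::FlowLog
    Properties: { ResourceType: VPC, ResourceId: !Ref VPC, TrafficType: ALL, LogDestinationType: cloud-watch-logs,
                  LogGroupName: !Ref FlowLogGroup, DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn }
```

Two points worth checking when reading or adapting a template like this: the App1 route table has no route to the internet gateway at all, so the "no direct ingress" property comes from routing rather than from a security group that could later be loosened; and `TrafficType: ALL` matters for detection, because the REJECT records are the ones that show traffic the NACL or security groups blocked. Extending this to the lab's layout means repeating the subnet, NAT gateway and route table per Availability Zone and adding a NACL per tier.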
Requirements
- An AWS account that you are able to use for testing, that is not used for production or other purposes.
- An IAM user or role in your AWS account with access to CloudFormation, EC2, VPC, and IAM.
- Basic understanding of AWS CloudFormation; visit the Getting Started section of the user guide.
NOTE: You will be billed for any applicable AWS resources used to complete this lab that are not covered in the AWS Free Tier. It is recommended to delete the CloudFormation stack when you have completed the lab.
Steps:
References & useful resources