Level 200: Automated Deployment of VPC

Last Updated: July 2020

Authors: Ben Potter, Security Lead, Well-Architected


This hands-on lab will use AWS CloudFormation to create an Amazon VPC to outline some of the AWS security features available. Using CloudFormation to automate the deployment provides a repeatable way to create and update, and you can re-use the template after this lab.

The example template will deploy a completely new VPC incorporating a number of AWS security best practices which include:

Networking subnets created in 3 availability zones for the following network tiers:

  • Application Load Balancer - named ALB1
  • Application instances - named App1
  • Shared services - named Shared1
  • Database - named DB1

VPC Architecture: architecture

  • VPC endpoints are created for private connectivity to AWS services. Additional endpoints can be enabled for the application tier using the App1SubnetsPrivateLinkEndpoints CloudFormation parameter.
  • NAT Gateways are created to allow subnets in the VPC to connect to the internet, without any direct ingress access as defined by the Route Table.
  • Network ACLs control access at each subnet tier.
  • VPC Flow Logs captures information about IP traffic and stores it in Amazon CloudWatch Logs.


  • An AWS account that you are able to use for testing, that is not used for production or other purposes.
  • An IAM user or role in your AWS account with access to CloudFormation, EC2, VPC, IAM.
  • Basic understanding of AWS CloudFormation, visit the Getting Started section of the user guide.

NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier. It is recommended to delete the CloudFormation stack when you have completed the lab.


References & useful resources