Level 200: Automated Deployment of VPC


  • Ben Potter, Security Lead, Well-Architected


This hands-on lab guides you through the steps to configure an Amazon VPC and outlines some of the AWS security features. AWS CloudFormation is used to automate the deployment and gives you a repeatable template that you can re-use after this lab. The example CloudFormation template deploys a completely new VPC that incorporates the following AWS security best practices.

Networking subnets created in multiple availability zones for the following network tiers:

  • Application Load Balancer - named ALB1
  • Application instances - named App1
  • Shared services - named Shared1
  • Databases - named DB1

Figure: VPC architecture

VPC endpoints are created for private connectivity to AWS services. NAT Gateways are created to allow different subnets in the VPC to connect to the internet, while the Route Table configurations prevent any direct ingress access. Network ACLs control access at each subnet layer, and VPC Flow Logs captures information about IP traffic and stores it in Amazon CloudWatch Logs.
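The route-table separation described above can be checked before a template is deployed. The following is an added example, not code from the lab or its repository: it walks a CloudFormation template (as a Python dict, as loaded from a JSON template) and reports subnets whose route table has a default route to an Internet Gateway. It assumes that only the ALB1 tier is meant to be internet-facing and that resources reference each other with `Ref`; all logical IDs in the sample are hypothetical.

```python
def ref(value):
    """Logical ID behind {"Ref": "X"}; None for any other value."""
    return value.get("Ref") if isinstance(value, dict) else None

def internet_facing_subnets(template):
    """Subnets whose route table sends a default route to an Internet Gateway."""
    res = template["Resources"]
    igws = {n for n, r in res.items() if r["Type"] == "AWS::EC2::InternetGateway"}
    public_tables = set()
    for r in res.values():
        p = r.get("Properties", {})
        is_default = (p.get("DestinationCidrBlock") == "0.0.0.0/0"
                      or p.get("DestinationIpv6CidrBlock") == "::/0")
        if r["Type"] == "AWS::EC2::Route" and is_default and ref(p.get("GatewayId")) in igws:
            public_tables.add(ref(p.get("RouteTableId")))
    public_tables.discard(None)
    subnets = {ref(r.get("Properties", {}).get("SubnetId")) for r in res.values()
               if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"
               and ref(r.get("Properties", {}).get("RouteTableId")) in public_tables}
    return sorted(subnets - {None})

def unexpected_exposure(template, public_tier="ALB1"):
    """Internet-facing subnets outside the tier assumed to be public."""
    return [s for s in internet_facing_subnets(template) if not s.startswith(public_tier)]

def _route(table, target_key, target):
    return {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": table}, "DestinationCidrBlock": "0.0.0.0/0",
        target_key: {"Ref": target}}}

def _assoc(subnet, table):
    return {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": {"Ref": subnet}, "RouteTableId": {"Ref": table}}}

# Constructed sample: logical IDs are hypothetical, not taken from the lab template.
SAMPLE = {"Resources": {
    "IGW": {"Type": "AWS::EC2::InternetGateway"},
    "ALB1Default": _route("ALB1RouteTable", "GatewayId", "IGW"),
    "App1Default": _route("App1RouteTable", "NatGatewayId", "NAT1"),
    "ALB1Assoc": _assoc("ALB1SubnetA", "ALB1RouteTable"),
    "App1Assoc": _assoc("App1SubnetA", "App1RouteTable"),
    "DB1Assoc": _assoc("DB1SubnetA", "ALB1RouteTable"),  # deliberate mistake
}}

if __name__ == "__main__":
    print("internet-facing:", internet_facing_subnets(SAMPLE))
    print("unexpected:", unexpected_exposure(SAMPLE))
```

Subnets with no explicit association fall back to the VPC's main route table, which this check does not model.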


  • Security groups restrict network traffic to a minimum.
  • Use Internet Gateways and NAT Gateways to control traffic flows.
  • Use CloudFormation to automate configuration management.
  • Control traffic with multiple layers, using subnets with different route tables.


  • An AWS account that you are able to use for testing, that is not used for production or other purposes.
  • An IAM user or role in your AWS account with full access to CloudFormation, EC2, VPC, IAM. NOTE: If you complete this lab, you will be billed for any applicable AWS resources used that are not covered in the AWS Free Tier.
  • Basic understanding of AWS CloudFormation; visit the Getting Started section of the user guide.
  • We recommend you clone the Git repository for easy access to the AWS CloudFormation templates.