
Phase 1.1 Deployment

A more hardened version of creating the VPC and subnets, with more secure NACLs and security groups.


Step 1: The VPC & Subnet Architecture


1.1 Creating a VPC

Created a VPC named MindCraft-Fortress-VPC with a CIDR of 10.0.0.0/16.

Then enabled DNS hostnames so the Node.js app can communicate with Firestore and so RDS can function.


1.2 Subnet Allocation Table

Created these 6 subnets manually in the VPC console, spread across 2 AZs in the Asia Pacific region, as shown below:

|Tier|Subnet Name|CIDR Block|Availability Zone|Purpose|
|---|---|---|---|---|
|Public|pub-web-az1|10.0.1.0/24|southeast1a|Bastion & NAT Instance|
|Public|pub-web-az2|10.0.2.0/24|southeast1b|Backup Web Tier|
|Private|priv-app-az1|10.0.11.0/24|southeast1a|MindCraft Node.js App|
|Private|priv-app-az2|10.0.12.0/24|southeast1b|Secondary App Tier|
|Isolated|iso-data-az1|10.0.21.0/24|southeast1a|Primary RDS (MySQL)|
|Isolated|iso-data-az2|10.0.22.0/24|southeast1b|Standby RDS (Slave)|


Step 2: Connectivity & The $0 NAT Workaround

A private subnet has no route to the internet. Since the app needs to talk to Firestore, it needs a way out. I will use a NAT instance instead of the more expensive AWS NAT Gateway.

2.1 The Internet Gateway (IGW)

  • Created an IGW named MindCraft-IGW.

  • Attached it to my MindCraft-Fortress-VPC.


2.2 The NAT Instance (The $0 Solution)

  1. Launched a t2.micro Ubuntu instance in pub-web-az1.

  2. Crucial Security Step: Select the instance in the console, go to Actions > Networking > Change source/destination check, and set it to Stop. (By default EC2 drops packets that are not addressed to the instance itself; disabling the check allows it to forward traffic on behalf of other servers.)

  3. The Script: Once inside that instance, run these commands to turn it into a router:

      # enable IPv4 forwarding in the kernel (not persistent across reboots;
      # add net.ipv4.ip_forward=1 to /etc/sysctl.conf to keep it)
      sudo sysctl -w net.ipv4.ip_forward=1
      # rewrite the source address of forwarded packets to this instance's own
      # address on its internet-facing interface (use the real interface name
      # if it is not eth0, e.g. ens5 on newer Ubuntu images)
      sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Step 3: Route Tables (The Traffic Flow)

I will need three separate route tables to enforce the 3-tier isolation.

  1. Public Route Table:

    • Route: 0.0.0.0/0 → Internet Gateway (IGW).
    • Association: pub-web-az1 and pub-web-az2.

  2. Private Route Table:

    • Route: 0.0.0.0/0 → the instance ID of my NAT instance.
    • Association: priv-app-az1 and priv-app-az2.

  3. Isolated Route Table:

    • Routes: local only; no route to 0.0.0.0/0.
    • Association: iso-data-az1 and iso-data-az2.


Step 4: Advanced Security (NACLs & Monitoring)

To satisfy the DevSecOps requirements, we add stateless protection on top of the security groups.

  • Public NACL: Configure it to allow inbound traffic on 80 (HTTP), 443 (HTTPS), and 22 (SSH - restricted to my IP).

  • Private NACL: Configure it to allow inbound traffic only from the 10.0.1.0/24 and 10.0.2.0/24 ranges. This ensures the backend tier only listens to the frontend tier.

  • VPC Flow Logs: enabled in Step 5 below so that every accepted and rejected flow is recorded.

4.1 — Configure NACLs (Stateless Firewall)

First: Create 2 NACLs

  • nacl-public

  • nacl-private

Then attach them to the MindCraft VPC.

1. Public NACL (for Web Tier)

Associate subnets

  • pub-web-az1

  • pub-web-az2

Go to:
Subnet associations → Edit → select public subnets

Inbound Rules

Edited inbound rules:

|Rule #|Type|Protocol|Port|Source|Allow/Deny|
|---|---|---|---|---|---|
|100|HTTP|TCP|80|0.0.0.0/0|ALLOW|
|110|HTTPS|TCP|443|0.0.0.0/0|ALLOW|
|120|SSH|TCP|22|Your IP|ALLOW|
|*|ALL|ALL|ALL|0.0.0.0/0|DENY|

Outbound Rules

|Rule #|Type|Port|Destination|Allow|
|---|---|---|---|---|
|100|ALL|ALL|0.0.0.0/0|ALLOW|

2. Private NACL (App Tier)

Associate subnets

  • priv-app-az1

  • priv-app-az2

Inbound Rules

Allow ONLY from public subnets:

|Rule #|Type|Port|Source|Allow|
|---|---|---|---|---|
|100|ALL TCP|0–65535|10.0.1.0/24|ALLOW|
|110|ALL TCP|0–65535|10.0.2.0/24|ALLOW|
|*|ALL|ALL|0.0.0.0/0|DENY|


Outbound Rules

|Rule #|Type|Port|Destination|Allow|
|---|---|---|---|---|
|100|ALL|ALL|0.0.0.0/0|ALLOW|

Since NACLs are stateless, they do not automatically allow the response packets of a connection the way a security group does; return traffic has to be allowed explicitly. To be safe, allow the ephemeral port range (1024–65535) inbound on both NACLs:

Public NACL — Inbound

|Rule #|Type|Port|Source|Allow|
|---|---|---|---|---|
|130|Custom TCP|1024–65535|0.0.0.0/0|ALLOW|


Private NACL — Inbound

|Rule #|Type|Port|Source|Allow|
|---|---|---|---|---|
|120|Custom TCP|1024–65535|0.0.0.0/0|ALLOW|
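To see why the two ephemeral-port rules matter, here is an added example (not part of the original post) that models how a NACL evaluates a packet: rules are checked in ascending number order, the first match wins, and the implicit `*` rule denies everything else. It replays the post's inbound rule sets against a normal request and against the reply half of an outbound connection; the "Your IP" address and the external peer addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number; lower numbers are evaluated first
    protocol: str   # "tcp", "udp" or "all"
    ports: tuple    # inclusive (low, high) port range
    cidr: str       # source CIDR for an inbound rule
    action: str     # "ALLOW" or "DENY"


def evaluate(rules, protocol, port, src_ip):
    """Return (action, rule_number) for one inbound packet, NACL-style:
    first matching rule in ascending order decides; no match -> ('DENY', '*')."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "all" and r.protocol != protocol:
            continue
        lo, hi = r.ports
        if not lo <= port <= hi:
            continue
        if ip_address(src_ip) not in ip_network(r.cidr):
            continue
        return r.action, r.number
    return "DENY", "*"


# Public NACL inbound rules from the post ("Your IP" is a constructed placeholder).
PUBLIC_INBOUND = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    Rule(110, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    Rule(120, "tcp", (22, 22), "203.0.113.10/32", "ALLOW"),
]
# Private NACL inbound rules: any TCP port, but only from the two public subnets.
PRIVATE_INBOUND = [
    Rule(100, "tcp", (0, 65535), "10.0.1.0/24", "ALLOW"),
    Rule(110, "tcp", (0, 65535), "10.0.2.0/24", "ALLOW"),
]
# The ephemeral-port rules added at the end of Step 4.
PUBLIC_EPHEMERAL = Rule(130, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW")
PRIVATE_EPHEMERAL = Rule(120, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW")


def return_traffic_ok(rules, ephemeral_rule, remote_ip, local_port):
    """Is the reply from remote_ip to our ephemeral local_port admitted
    (before, after) the ephemeral rule is added to the NACL?"""
    before = evaluate(rules, "tcp", local_port, remote_ip)[0] == "ALLOW"
    after = evaluate(rules + [ephemeral_rule], "tcp", local_port, remote_ip)[0] == "ALLOW"
    return before, after
```

The private-subnet case shows the subtle part: a reply from Firestore arrives with the external peer's address as its source, not the NAT instance's, so rules 100/110 (public subnets only) never match it and rule 120 is what lets it in.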


Step 5: Flow Logs


Basic config

  • Filter: ALL
  • Destination: Send to CloudWatch Logs

🔹 Log group

  • Select:

    • Create new log group

    • Name: MindCraft-VPC-FlowLogs

🔹 IAM Role

  • Choose:

    • Create new IAM role (AWS will auto-create it)

Then create the flow log.


Final Phase 1 Diagram

DIAGRAM



This post is licensed under CC BY 4.0 by the author.