
Scalable AWS VPC Architecture

Cost: medium
Deployability: reference only
Status: cloud lab
Validation: test -f README.md
Tags: HTML, Linux, scripts, VPC design, aws
Use the guide first.

The full learning guide is on this page. Open the repository files only when a step asks you to inspect code, fork the project, or download raw assets.

  1. Goal
  2. Pre-Requisites
  3. Pre-Deployment
  4. VPC Deployment
  5. Validation

Goal

Deploy a Modular and Scalable Virtual Network Architecture with Amazon VPC.

🛡️ 2026 DevSecOps Enhancements (What You Will Learn)

This project architecture has been updated to model 2026 best practices for cloud engineers. Pay special attention to:

  1. Network Segmentation via Transit Gateway: how the internet-facing Bastion VPC is isolated from the fully private application VPC, with the Transit Gateway as the only path between them.
  2. S3 Block Public Access: how the S3 bucket is configured to reject public ACLs and public bucket policies, and to enforce encryption of the application configuration objects it stores.
  3. Session Manager (SSM) over SSH: why AWS Systems Manager Session Manager (the AmazonSSMManagedInstanceCore managed policy attached to the instance IAM role) replaces SSH for the private nodes, so that no port 22 on them is reachable from the internet.
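To make items 2 and 3 concrete, here is an added example (my own code, not part of the DevCloud Ninjas project) that builds the inline S3 policy for the instance role, lists the four S3 Block Public Access flags in the shape the S3 API expects, and lints a policy for the "S3 Full Access" anti-pattern that step 11.4 of the deployment warns against. The bucket name, the Sid values and the lint rules are assumptions; AmazonSSMManagedInstanceCore is the managed policy the guide names and is attached to the role alongside the inline policy.

```python
"""Least-privilege instance role for the app tier plus the S3 Block Public
Access settings, with a small linter for the "no S3 Full Access" rule.
Added example, not code from the DevCloud Ninjas project; the bucket name,
the Sid values and the lint rules are my own assumptions."""

BUCKET = "example-app-config-bucket"  # assumed name; the guide does not give one

# Managed policy the guide names for Session Manager access; attach it to the
# role in addition to the inline S3 policy returned below.
SSM_MANAGED_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def instance_role_policy(bucket: str) -> dict:
    """Inline policy: read-only, scoped to the one configuration bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListConfigBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ReadConfigObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def block_public_access_config() -> dict:
    """All four Block Public Access flags on: the PublicAccessBlockConfiguration
    dict passed to the S3 PutPublicAccessBlock API (boto3 put_public_access_block)."""
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> list:
    """Return reasons an Allow statement grants more S3 access than this role needs.
    The three rules are assumptions tailored to a config-pulling web node."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        touches_s3 = any(a == "*" or a.lower().startswith("s3:") for a in actions)
        if not touches_s3:
            continue
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants every S3 operation")
        if any(a.lower().startswith(("s3:put", "s3:delete")) for a in actions):
            findings.append(f"{sid}: write/delete is not needed to pull configuration")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' covers every bucket in the account")
    return findings


# Constructed anti-pattern, modelled on an S3 "full access" grant.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print("scoped policy findings:", find_overbroad_statements(instance_role_policy(BUCKET)))
    print("full-access findings:", find_overbroad_statements(FULL_ACCESS_POLICY))
```

Run it as-is and the scoped policy produces no findings while the full-access policy produces two; the same linter can be pointed at any policy document you pull from IAM before attaching it to the launch template's role.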
Pre-Requisites

  1. You must have an AWS account in which to create the infrastructure resources.
  2. Source Code

Pre-Deployment

Install the application dependencies listed below on an EC2 instance and create the Golden AMI from it.

  1. AWS CLI
  2. Install Apache Web Server
  3. Install Git
  4. CloudWatch Agent
  5. Push custom memory metrics to CloudWatch (memory usage is not part of the default EC2 metrics; the CloudWatch agent collects it).
  6. AWS SSM Agent
VPC Deployment

  1. Build the VPC network ( 192.168.0.0/16 ) for the Bastion Host deployment as per the architecture shown above.
  2. Build the VPC network ( 172.32.0.0/16 ) for deploying the Highly Available and Auto Scalable application servers as per the architecture shown above. Note that 172.32.0.0/16 lies just outside the RFC 1918 block 172.16.0.0/12; AWS accepts it, but it can collide with public addresses reached through the NAT Gateway, so a range inside 10.0.0.0/8 or 172.16.0.0/12 is the safer choice if you are not bound to the diagram.
  3. Create a NAT Gateway in the Public Subnet and update the Route Table associated with the Private Subnets to send default (0.0.0.0/0) traffic to the NAT Gateway for outbound-only internet access.
  4. Create a Transit Gateway and attach both VPCs to it for private communication; in each VPC's route tables add a route for the peer VPC's CIDR pointing at the Transit Gateway.
  5. Create an Internet Gateway for each VPC and update the Route Table associated with the Public Subnets to send default traffic to the IGW for inbound/outbound internet connectivity.
  6. Create a CloudWatch Log Group with two Log Streams to store the VPC Flow Logs of both VPCs.
  7. Enable Flow Logs for both VPCs, push them to the CloudWatch Log Group and keep each VPC's logs in its own Log Stream.
  8. Create a Security Group for the bastion host allowing port 22 inbound. The guide opens it to the public; in practice restrict the source to your administrative IP ranges rather than 0.0.0.0/0, since the bastion is the only host in this design with an internet-facing SSH port.
  9. Deploy the Bastion Host EC2 instance in the Public Subnet with an Elastic IP associated.
  10. Create an S3 Bucket to store application-specific configuration, with S3 Block Public Access enabled.
  11. Create a Launch Configuration (or a Launch Template, which AWS now recommends in place of launch configurations) with the configuration below.
    1. Golden AMI
    2. Instance Type – t2.micro
    3. Userdata to pull the code from the Bitbucket Repository into the document root of the web server and start the httpd service.
    4. IAM Role granting access to Session Manager and to the S3 bucket created in the previous step to pull the configuration. (Do not grant S3 Full Access; scope the policy to that bucket's ARN.)
    5. Security Group allowing port 22 from the Bastion Host security group and port 80 from the public.
    6. Key Pair
  12. Create an Auto Scaling Group with Min: 2 and Max: 4, associated with the two Private Subnets in the 1a and 1b zones.
  13. Create a Target Group and associate it with the ASG.
  14. Create a Network Load Balancer in the Public Subnets and add the Target Group as its target.
  15. Update the Route 53 hosted zone with a CNAME record routing traffic to the NLB's DNS name.
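Steps 1 to 5 above are easy to get wrong on paper before any resource exists, so here is an added pre-flight example (my own code, not part of the DevCloud Ninjas project) that carves the two VPC CIDRs from the guide into per-AZ public and private subnets, checks that the two CIDRs do not overlap (a Transit Gateway cannot route between overlapping VPCs), flags any CIDR outside RFC 1918, and prints the route-table entries each tier needs. The /24 subnet size, the AZ labels "a" and "b" and the route target names are assumptions; the guide gives only the VPC CIDRs and the zones 1a and 1b.

```python
"""Subnet plan and pre-flight checks for the two-VPC layout in this guide.
Added example, not code from the DevCloud Ninjas project. The VPC CIDRs come
from the guide; the /24 per (tier, AZ) split, the AZ labels and the route
target names are my own assumptions."""
import ipaddress
from itertools import product

RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

BASTION_VPC = "192.168.0.0/16"  # from the guide, step 1
APP_VPC = "172.32.0.0/16"       # from the guide, step 2


def is_rfc1918(cidr: str) -> bool:
    """True if the whole block sits inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(private) for private in RFC1918)


def plan_subnets(vpc_cidr, tiers=("public", "private"), azs=("a", "b"), new_prefix=24):
    """Carve consecutive /new_prefix subnets out of the VPC, one per (tier, AZ)."""
    pool = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {(tier, az): str(next(pool)) for tier, az in product(tiers, azs)}


def overlapping_pairs(cidrs):
    """Pairs of VPC CIDRs that overlap; a Transit Gateway route table cannot carry both."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def route_tables(vpc_cidr, peer_cidr):
    """Routes per tier as (destination, target) tuples, mirroring steps 3 to 5:
    public subnets default to the IGW, private subnets to the NAT Gateway, and
    both reach the peer VPC through the Transit Gateway."""
    common = [(vpc_cidr, "local"), (peer_cidr, "transit-gateway")]
    return {
        "public": common + [("0.0.0.0/0", "internet-gateway")],
        "private": common + [("0.0.0.0/0", "nat-gateway")],
    }


def preflight(vpc_cidrs):
    """Human-readable warnings for the plan; an empty list means it is clean."""
    warnings = []
    for cidr in vpc_cidrs:
        if not is_rfc1918(cidr):
            warnings.append(f"{cidr} is outside RFC 1918; it may collide with public addresses reached via NAT")
    for a, b in overlapping_pairs(vpc_cidrs):
        warnings.append(f"{a} overlaps {b}; transit gateway routing between them is ambiguous")
    return warnings


if __name__ == "__main__":
    for warning in preflight([BASTION_VPC, APP_VPC]):
        print("WARNING:", warning)
    for vpc, peer in ((BASTION_VPC, APP_VPC), (APP_VPC, BASTION_VPC)):
        print(vpc, plan_subnets(vpc))
        print("  routes:", route_tables(vpc, peer))
```

Running it against the guide's two CIDRs yields exactly one warning, for 172.32.0.0/16 being outside RFC 1918; the overlap check passes, which is the precondition for the Transit Gateway attachments in step 4.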
Validation

  1. As a DevOps Engineer, log in to the Private Instances via the Bastion Host.
  2. Open AWS Session Manager and access the EC2 shell from the console.
  3. Browse the web application from a public internet browser using the domain name and verify that the page loads.
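The Flow Logs from steps 6 and 7 are what lets you validate the segmentation itself, not just that the page loads. Here is an added example (my own code, not part of the DevCloud Ninjas project) that parses default-format flow log records, flags any accepted TCP/22 flow into the application VPC whose source is not in the bastion VPC (step 11.5 allows SSH only from the bastion, so a hit means a security-group or routing mistake), and counts rejected flows per source to surface scanning against the bastion. The log lines are constructed for the example, using documentation IP ranges and made-up ENI ids; the function names are my own.

```python
"""Triage of VPC Flow Log records for the two-VPC design. Added example, not
code from the DevCloud Ninjas project; the sample records are constructed
(documentation IP ranges, made-up ENI ids) and the helper names are my own."""
from collections import Counter
import ipaddress

# Default flow log format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
TCP = 6

# Constructed sample: bastion -> app SSH (expected), a public source -> app SSH
# (should never be accepted), two rejects against the bastion from one scanner,
# ordinary HTTP to the app tier, and a NODATA record that must be skipped.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0aaaaaaaaaaaaaaa1 192.168.0.10 172.32.2.15 51234 22 6 20 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaa1 203.0.113.45 172.32.2.15 40001 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbbbbbbbbbbbbbb2 198.51.100.7 192.168.0.10 55555 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0bbbbbbbbbbbbbbb2 198.51.100.7 192.168.0.10 55556 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaaaaaaaaaaaaaa1 10.0.0.5 172.32.2.15 44444 80 6 10 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ccccccccccccccc3 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_record(line):
    """Parse one default-format record; None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK" or "-" in (rec["srcaddr"], rec["dstaddr"]):
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def parse_flow_log(text):
    """All parseable records from a block of log text, in order."""
    return [r for r in (parse_flow_record(line) for line in text.splitlines()) if r]


def unexpected_ssh(records, app_cidr, bastion_cidr):
    """Accepted TCP/22 flows into the app VPC whose source is outside the bastion VPC."""
    app = ipaddress.ip_network(app_cidr)
    bastion = ipaddress.ip_network(bastion_cidr)
    return [
        (r["srcaddr"], r["dstaddr"], r["interface_id"])
        for r in records
        if r["action"] == "ACCEPT"
        and r["protocol"] == TCP
        and r["dstport"] == 22
        and ipaddress.ip_address(r["dstaddr"]) in app
        and ipaddress.ip_address(r["srcaddr"]) not in bastion
    ]


def rejects_by_source(records):
    """Rejected flows per source address; a tall head of this list is a scanner."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("unexpected SSH into app VPC:", unexpected_ssh(recs, "172.32.0.0/16", "192.168.0.0/16"))
    print("rejects by source:", rejects_by_source(recs).most_common(5))
```

On real data, export the two Log Streams from the CloudWatch Log Group (one per VPC) and feed their text to parse_flow_log; an empty result from unexpected_ssh on the application VPC's stream is the evidence that only the bastion can reach port 22 on the private nodes.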

If you are planning to use this repository for learning, please hit the star. Thanks!

DevCloud Ninjas