A secure, highly available, and auditable VPC setup in AWS with public and private subnets, a bastion host, NAT instance, VPC flow logs, and CloudWatch monitoring – all provisioned using Terraform.
This project provisions a secure and scalable VPC infrastructure using Infrastructure as Code (IaC) with Terraform. The infrastructure consists of the following components:
- Public and private subnets for segregating resources based on security requirements.
- A Bastion Host in the public subnet that provides secure SSH access to instances in the private subnet.
- A NAT Instance to provide outbound internet access for instances in the private subnet while maintaining their security by keeping them isolated from the public internet.
- VPC Flow Logs for capturing and storing information about the network traffic within the VPC, ensuring the infrastructure is auditable.
- CloudWatch Monitoring for observing performance metrics and setting up alarms to monitor resource utilization, making the infrastructure auditable and observable.
For a detailed walkthrough and architecture explanation, check out my blog post on Medium:
👉 Read the full blog here
The visual below illustrates the full architecture:
- Public Subnets: one per AZ, hosting the Bastion Host (AZ1) and the NAT Instance (AZ1)
- Private Subnets: one in each AZ; only the AZ1 subnet (`10.0.10.0/24`) has an EC2 instance
- The Private Subnet in AZ2 (`10.0.11.0/24`) is reserved for future use
- Arrows indicate connectivity paths (SSH, internet, internal routing)
- Color-coded components for quick reference
| 🔰 Feature | ✅ Description |
|---|---|
| 🌐 Custom VPC | VPC with CIDR block `10.0.0.0/16`, tailored for secure isolation |
| 🏢 Multi-AZ Deployment | Uses 2 Availability Zones for high availability |
| 🌍 Public Subnets | Two public subnets: `10.0.1.0/24` & `10.0.2.0/24` for gateway, NAT, and Bastion |
| 🔐 Private Subnets | Two private subnets: `10.0.10.0/24` (with instance) and `10.0.11.0/24` (reserved) |
| 🧱 Bastion Host | Jump box in public subnet for secure SSH access to private instances |
| 🚪 NAT Instance | Allows private instances to access the internet without being exposed |
| 👨‍💻 Private EC2 Instance | Secure instance in `10.0.10.0/24`, accessed only through Bastion Host |
| 📄 VPC Flow Logs | Captures IP traffic logs across the VPC for auditing and analysis |
| 📊 CloudWatch Integration | Monitors infrastructure health and activity with AWS CloudWatch |
| ⚙️ Terraform IaC | Infrastructure as Code with Terraform for automation and consistency |
| ❌ No RDS or Load Balancer | Intentionally excluded to keep the architecture lean and secure |
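Flow logs only make the setup auditable if something reads them. The added example below (not part of this project's code) scans VPC Flow Log records in the default version 2 format for accepted SSH connections into the private subnet `10.0.10.0/24` that did not come from the Bastion Host, which is the one path the architecture allows. The bastion's private IP (`10.0.1.10`), the second public-subnet host (`10.0.1.20`), and all sample records are assumed or constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subnet from the README; the bastion's private IP is an assumed value, not the project's.
PRIVATE_SUBNET = ipaddress.ip_network("10.0.10.0/24")
BASTION_IP = ipaddress.ip_address("10.0.1.10")
TCP, SSH_PORT = "6", "22"
# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account eni src dst srcport dstport proto "
          "packets bytes start end action status").split()

@dataclass
class Finding:
    src: str
    dst: str
    eni: str

def parse_record(line: str) -> Optional[dict]:
    parts = line.split()  # None for malformed or truncated lines
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def ssh_bypassing_bastion(lines: List[str]) -> List[Finding]:
    """Accepted TCP/22 flows into the private subnet whose source is not the bastion."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        # Drop malformed, NODATA/SKIPDATA and REJECT records before touching addresses.
        if not rec or rec["status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        if rec["proto"] != TCP or rec["dstport"] != SSH_PORT:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if dst in PRIVATE_SUBNET and src != BASTION_IP:
            findings.append(Finding(str(src), str(dst), rec["eni"]))
    return findings

# Constructed sample records; account and ENI IDs are placeholders.
SAMPLE_LINES = [
    "2 123456789012 eni-0abc 10.0.1.10 10.0.10.25 51234 22 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0abc 10.0.1.20 10.0.10.25 51235 22 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0abc 203.0.113.5 10.0.10.25 40000 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0abc 10.0.10.25 198.51.100.7 44000 443 6 15 3000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0def - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0abc 10.0.1.20 10.0.10.25",
]

def audit_sample() -> List[Finding]:
    return ssh_bypassing_bastion(SAMPLE_LINES)
```

Only the second record is reported: the bastion's own session, the rejected probe from the internet, the outbound HTTPS flow, and the NODATA and truncated lines are all filtered out.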
Ensure the following tools are installed and configured:
1. Clone the Repository
   ```bash
   git clone https://github.com/virtualISP/Secure-VPC-Architecture-with-Bastion-Host.git
   cd Secure-VPC-Architecture-with-Bastion-Host
   ```
2. Initialize Terraform
   ```bash
   terraform init
   ```
3. Preview changes
   ```bash
   terraform plan
   ```
4. Apply the infrastructure
   ```bash
   terraform apply
   ```
5. Connect to Bastion Host
   ```bash
   ssh -i /path/to/your-key.pem ec2-user@<bastion-public-ip>
   ```
6. From Bastion to Private Instance
   ```bash
   ssh -i /path/to/your-key.pem ec2-user@<private-instance-ip>
   ```
This project is licensed under the MIT License.
Contributions are welcome! Feel free to fork, improve, and share! Please create a pull request or raise an issue to discuss any changes.
- Fork the repository
- Create a new feature branch (`git checkout -b feature/feature-name`)
- Commit your changes (`git commit -m 'Add some feature'`)
- Push to the branch (`git push origin feature/feature-name`)
- Create a new Pull Request
Designed by VirtualISP for secure cloud infrastructure, visibility, and modularity.