Afdol Riski
Jul 9 · 7 min read

As developers, our main focus is on building things.

Then, once development is finished, we need to put that app somewhere on the internet so it is publicly accessible.

If you’re working on a team it might not be a problem, as there might be someone in operations that can handle this task.

But if you’re on your own, or maybe this is the first time you’re using the cloud, it can get pretty confusing. There are so many terms that we didn’t even know existed.

In this piece, we’ll talk about AWS in particular, as it is very popular.

Get Your App Running in AWS Cloud

To get your app up and running in the AWS cloud, you need to know at least two things from the AWS resources: EC2 and VPC.


EC2 is a virtual computing environment. It is more or less the same as the laptop that you’re probably using right now.


The overview says:

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

Or, put simply, VPC lets you manage your AWS resources from the network perspective.

In this post, I will explain the building blocks which make up a VPC whilst giving you an explanation for every component of it.

I won’t cover everything about networking as I assume that you already know how the basics of IP addresses work and the difference between public and private IPs.

By the end of this post, you will have a running EC2 instance that you can connect via SSH to prove that it is accessible from the internet.

By default, AWS already provides you with a default VPC in each region after you create an account. Those default VPCs will suit most of your needs, but you still need to understand how they work.

Creating a VPC

Let’s name it vpc-quickstart.

What is the IPv4 CIDR block?

It is an abbreviation for Classless Inter-Domain Routing.

This is how you’ll want to specify a range of IPs.

The notation is <ip notation>/<number>.

Let’s take our example

The important part here is the number 16. This is what determines what your IP range is.

The IP here is IPv4. It consists of 32 bits, grouped eight bits (an octet) at a time and separated by dots. So if you convert, for example, a IP address, you get 11111111.11111111.11111111.11111111 in binary format.

If you don’t know how to read binary digits, I encourage you to learn it first.

In our example, you get 00001010.00000000.00000000.00000000.

Then we have the number 16, which acts as a mask: that many 1s, written from left to right in IP address format. The result is 11111111.11111111.00000000.00000000.

The positions with 0s in the mask are available for you to use inside your network. With a mask of 16, that means you have all the bits in the last two octets to use for your network; if the mask is 24, or 11111111.11111111.11111111.00000000, you only get the last octet.

So your IP will range from 00001010.00000000.00000000.00000000 to 00001010.00000000.11111111.11111111, or in decimals to

Internet Gateway

As the name implies, in order for your VPC to have access to the Internet, you have to attach an Internet gateway to it. Let’s create an Internet gateway and name it igw-quickstart:


A subnet is a logical group within a network, and how you divide it up depends on your requirements.

Subnetting lets us break a network into smaller parts. Think of it as the network in a huge building with 100 different companies, each with 100 divisions, and each division with its own network group.

An example of a subnet is a range from to

You must also specify the CIDR block for each subnet.

Let’s create three subnets: public1, public2, and private1. That gives us two public subnets and one private subnet.

A public subnet means that the subnet will have access to the internet, while a private subnet will not have access to the internet. I will explain how to do that later.

Let’s create a subnet with the selection of VPCs that we created earlier.

Notice that this time we specify the mask “24”.

A 24 mask converted to binary is 11111111.11111111.11111111.00000000. So, the first three octets are already reserved and the only space we have is the last octet.

So, if we divide the VPC into equally sized subnets, we end up with 10.0.<0-255>.* subnets.
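
The CIDR arithmetic from the VPC section and the /24 split described here, as an added Python example that is not part of the original article. It assumes the VPC block is 10.0.0.0/16 (the decimal form of the binary shown earlier); the CIDRs given to public1, public2 and private1 are constructed for illustration.

```python
import ipaddress

# Assumption: 10.0.0.0/16 is the decimal form of the article's binary example.
VPC_CIDR = "10.0.0.0/16"
# Constructed plan: the CIDR given to each subnet name is an assumption.
PLAN = {"public1": "10.0.0.0/24", "public2": "10.0.1.0/24", "private1": "10.0.2.0/24"}
AWS_RESERVED = 5  # AWS keeps the first four addresses and the last one of each subnet


def to_binary(addr):
    """Dotted binary form of an IPv4 address, as written in the article."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def describe(cidr):
    """Mask, address range and address counts for one CIDR block."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    return {
        "mask_binary": to_binary(net.netmask),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable_in_aws": net.num_addresses - AWS_RESERVED,
    }


def validate_plan(vpc_cidr, plan):
    """List the problems in a subnet plan: blocks outside the VPC or overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems = [f"{name} {net} is outside {vpc}"
                for name, net in nets.items() if not net.subnet_of(vpc)]
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    print(describe(VPC_CIDR))
    print(describe(PLAN["public1"]))
    print(validate_plan(VPC_CIDR, PLAN) or "plan is valid")
```

Running the plan through `validate_plan` before creating subnets catches a block that falls outside the VPC range or collides with an existing subnet.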

Network Access Control List

NACL lets you specify the rules for inbound and outbound traffic of your network.

Inbound means traffic that’s coming in, while outbound means traffic that goes out.

You will be able to set any rule for your network, based on the protocol type such as HTTP, TCP, UDP, etc., and the port numbers.

Every rule is given a number, and the rules are evaluated from the lowest number to the highest.

Let’s create one and name it ACL-Quickstart.

By default, all traffic is allowed. For the purpose of this course, let’s leave it as it is. However, I encourage you to not do this in a production environment.

In the “subnet associations tab”, click “edit subnet associations” and add the subnets that you created before.
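
How numbered NACL rules are evaluated, as an added Python example that is not part of the original article. The rule sets and addresses are constructed (documentation ranges). It also models two NACL behaviours the text does not spell out: traffic that matches no rule is denied by the final "*" rule, and NACLs are stateless, so the reply needs its own outbound rule.

```python
import ipaddress
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)
EPHEMERAL = range(1024, 65536)  # client-side ports used for return traffic


@dataclass(frozen=True)
class Rule:
    number: int    # evaluation order: lowest first
    protocol: str  # "tcp", "udp" or "all"
    ports: range   # destination ports the rule covers
    cidr: str      # source (inbound) or destination (outbound) range
    action: str    # "allow" or "deny"


# Constructed rule sets; the addresses are documentation ranges.
INBOUND = [
    Rule(100, "tcp", range(22, 23), "203.0.113.0/24", "allow"),
    Rule(90, "all", ALL_PORTS, "198.51.100.0/24", "deny"),
    Rule(110, "tcp", range(80, 81), "0.0.0.0/0", "allow"),
]
OUTBOUND = [Rule(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]


def evaluate(rules, protocol, port, peer_ip):
    """Return (action, rule number) of the first match in ascending rule order."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if (rule.protocol in ("all", protocol) and port in rule.ports
                and peer in ipaddress.ip_network(rule.cidr)):
            return rule.action, rule.number
    return "deny", None  # the final "*" rule denies whatever nothing matched


def flow_allowed(inbound, outbound, protocol, port, client_ip, client_port):
    """A NACL is stateless: the request and its reply are checked separately."""
    request = evaluate(inbound, protocol, port, client_ip)[0]
    reply = evaluate(outbound, protocol, client_port, client_ip)[0]
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    for args in [("tcp", 22, "203.0.113.7"), ("tcp", 22, "192.0.2.1"),
                 ("tcp", 80, "198.51.100.9"), ("tcp", 80, "192.0.2.1")]:
        print(args, evaluate(INBOUND, *args))
    print(flow_allowed(INBOUND, OUTBOUND, "tcp", 80, "192.0.2.1", 50000))
    print(flow_allowed(INBOUND, [], "tcp", 80, "192.0.2.1", 50000))
```

Rule 90 wins over rule 110 for the blocked range because it has the lower number, which is why deny rules need numbers below the allows they are meant to override.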

Route Table

This works like routing does in an app. For example, if the IP destination is, then route it to service-a, it’s that simple.

Let’s create two route tables and name them RT1 and RT2.

For RT1, open the “routes tab” and click “edit routes”. Add the route with the destination of with the target being the internet gateway we created.

What this means, is that the means to direct other traffic to the Internet gateway so it can access the internet. Click “save routes” and then move to the “subnet association tabs”.

Click “edit subnet associations” and add the two subnets named public1 and public2 that you created before.

This is how to make a subnet public: associate it with a route table that has a route targeting an internet gateway.

For RT2, edit it so it is associated with the subnet private1 for it to be private.
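
The route lookup and the public/private distinction above, as an added Python example that is not part of the original article. Assumptions: the VPC range is 10.0.0.0/16, every route table carries the automatic "local" route for it, the catch-all destination is 0.0.0.0/0, and the gateway is referred to by the name used in this walkthrough rather than a real gateway ID.

```python
import ipaddress

# Constructed route tables matching the RT1/RT2 setup described above.
ROUTE_TABLES = {
    "RT1": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-quickstart")],
    "RT2": [("10.0.0.0/16", "local")],
}
ASSOCIATIONS = {"public1": "RT1", "public2": "RT1", "private1": "RT2"}


def next_hop(routes, dest_ip):
    """Pick the target of the most specific (longest-prefix) matching route."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # None: no matching route, traffic goes nowhere


def is_public(routes):
    """True when the table sends some traffic to an internet gateway."""
    return any(target.startswith("igw-") for _, target in routes)


def classify(associations, tables):
    """Map each subnet to 'public' or 'private' from its associated route table."""
    return {subnet: "public" if is_public(tables[rt]) else "private"
            for subnet, rt in associations.items()}


def unexpected_public(associations, tables, intended_private):
    """Subnets meant to stay private whose route table reaches an internet gateway."""
    actual = classify(associations, tables)
    return sorted(s for s in intended_private if actual.get(s) == "public")


if __name__ == "__main__":
    print(next_hop(ROUTE_TABLES["RT1"], "198.51.100.10"))  # constructed outside address
    print(next_hop(ROUTE_TABLES["RT1"], "10.0.2.15"))      # address inside the VPC
    print(classify(ASSOCIATIONS, ROUTE_TABLES))
    print(unexpected_public(ASSOCIATIONS, ROUTE_TABLES, {"private1"}))
```

`unexpected_public` is the check to rerun after any route table or association change, since re-associating private1 with RT1 is all it takes to make it public.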

Launching an EC2 Instance

Finally, let’s test that our network is working properly.

Launch an EC2 instance — use the “t2.micro” instance type as it is free tier eligible.

Go to step #3 to configure the instance. This is where we configure the network this instance is going to use.

Select the VPC and one of the public subnets we just created. Then, go to step #6 to configure the security group and enable the auto-assign public IP.

Security Group

The security group lets us configure the inbound and outbound traffic, but at instance level, while NACL is at network level.

This time, we will allow only SSH connections on port 22, from all source IPs.

Click “Review and Launch” and launch your instance, but don’t forget to download the key-pair — the instance will take some time to provision.

Once it is done, let’s connect to it using SSH. Click on the instance and click “connect” at the top of the table. It will give you the instructions to connect using SSH.

Follow the instructions and… voila!

SSH connection to an EC2 instance.

You now have an EC2 instance that is connected to the internet and you know every step of its process.

After this, you can install your application and make it accessible through the browser easily, by adding more rules to the security group to open HTTP port 80.
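
A check for the security group built in this walkthrough, as an added Python example that is not part of the original article: it reports administrative ports that are reachable from every address, while leaving a world-open HTTP rule alone. The groups are constructed in the shape returned by `aws ec2 describe-security-groups`; the admin port list and the restricted source address are assumptions.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: ports treated as administrative

# Constructed group: the SSH rule from this walkthrough plus the HTTP rule above.
QUICKSTART_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
# Same group with SSH limited to one constructed admin address (documentation range).
RESTRICTED_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}


def sources(perm):
    """All IPv4 and IPv6 source ranges of one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def covers_port(perm, port):
    """True if the entry applies to this TCP port; protocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True  # all-traffic entries carry no FromPort/ToPort
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def world_open_admin_ports(group):
    """List (port, service, cidr) for admin ports open to every address."""
    findings = []
    for perm in group["IpPermissions"]:
        for cidr in sources(perm):
            if ipaddress.ip_network(cidr).prefixlen != 0:
                continue  # only 0.0.0.0/0 and ::/0 cover every address
            for port, service in ADMIN_PORTS.items():
                if covers_port(perm, port):
                    findings.append((port, service, cidr))
    return findings


if __name__ == "__main__":
    print(world_open_admin_ports(QUICKSTART_SG))
    print(world_open_admin_ports(RESTRICTED_SG))
```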

There’s a lot more to learn about VPCs — try changing the configuration that we created and see what happens, such as deleting the internet gateway from the route table, changing the rule at the NACL, etc.

I hope you enjoyed this piece!
