February 12, 2016

AWS – Setting up ELB to send public traffic to Private EC2 instances

Here are the steps:


  1. Create a VPC (which also creates a new route table behind the scenes).
  2. Create 2 subnets inside this VPC. These subnets also need to be in the same availability zone as the web-server instance. By default, both subnets end up inheriting the VPC’s route table. We’ll call them public-subnet and private-subnet.
  3. Create an “Internet Gateway” and attach it to the VPC’s route table. This ends up making both public-subnet and private-subnet public. Later on we will turn private-subnet into a private subnet.
  4. Attach the Internet Gateway to the route table, and configure it to accept traffic from an IP address.
  5. Create an EC2 instance inside the VPC (via dropdown list), and attach the subnet, private-subnet (via dropdown list). Also assign a public IP address.
  6. Log into this EC2 instance using the public IP address. It is still accessible via the public address, since private-subnet is still actually public at this point.
  7. Install httpd, disable firewalld, and start the httpd service inside the instance.
  8. Check that you can access the instance homepage via the IP address.
  9. In the EC2 section of the AWS web console, create an ELB, attach this ELB to the public-subnet, and attach your EC2 instance to this ELB.
  10. Check that you can access the instance’s homepage, this time via the ELB’s url. The IP address should still work too.
  11. Now go back into the VPC section and create a new route table, call it “private-route-table”, and don’t attach an Internet Gateway to it.
  12. Switch the private-subnet’s route table to this one.
  13. The homepage should no longer be accessible via the IP address, and now only works via the ELB’s url. You also can no longer ssh into the instance. You can’t use the ELB’s url to do this, since the ELB is designed to distribute traffic (which is also why you can’t open the ssh port when creating the ELB, only http and https). To ssh into your instance now, you will need to do it in one of the following ways:
    1. ssh to another instance that is publicly accessible and shares a subnet with the target instance, then ssh into the target from there.
    2. Use AWS Direct Connect.
    3. Set up a VPN.
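
As an added example (not part of the original post), this Python check shows why both subnets count as public after step 3 and why only private-subnet turns private after step 12: a subnet without its own route-table association inherits the VPC's main table. Field names follow `aws ec2 describe-route-tables` output; every ID and the 10.0.0.0/16 CIDR are constructed for illustration.

```python
# Field names follow `aws ec2 describe-route-tables` output.
# Every ID and CIDR in the sample data is constructed for illustration.

def has_igw_default_route(route_table):
    """True if the table sends 0.0.0.0/0 to an Internet Gateway (igw-...)."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and (r.get("GatewayId") or "").startswith("igw-")
        for r in route_table.get("Routes", [])
    )

def classify_subnets(subnet_ids, route_tables):
    """Map subnet ID -> 'public'/'private'; unassociated subnets use the main table."""
    main, explicit = None, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    result = {}
    for sid in subnet_ids:
        rt = explicit.get(sid, main)
        if rt is None:
            raise ValueError(f"no route table found for {sid}")
        result[sid] = "public" if has_igw_default_route(rt) else "private"
    return result

# Constructed sample: the main table carries the Internet Gateway route,
# while "private-route-table" has only the VPC-local route.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
MAIN_RT = {
    "RouteTableId": "rtb-main", "Associations": [{"Main": True}],
    "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}],
}
PRIVATE_RT = {"RouteTableId": "rtb-private", "Associations": [], "Routes": [LOCAL]}
SUBNETS = ["subnet-public", "subnet-private"]

def before_and_after():
    """Classification after step 3 (both inherit main) and after step 12."""
    before = classify_subnets(SUBNETS, [MAIN_RT, PRIVATE_RT])
    switched = dict(PRIVATE_RT, Associations=[{"Main": False, "SubnetId": "subnet-private"}])
    after = classify_subnets(SUBNETS, [MAIN_RT, switched])
    return before, after

if __name__ == "__main__":
    print(before_and_after())
```

Running the same classification over real `describe-route-tables` output is a quick way to confirm that an instance meant to sit behind the ELB has no direct route to the internet.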


vpc and subnets

To create a vpc, you need to provide:

A vpc is essentially a range of ip addresses.


You can break this range into smaller ranges by creating subnets.



Let’s assume in this scenario, that you only plan to set this up for a single private EC2 instance:


  1. Create a vpc, with the following info:
    1. name=vpc1
    2. CIDR block range=
    3. Tenancy = default
  2. Create a subnet in the “London” AZ. Note this AZ will be where our private EC2 instance will reside. A subnet is attached to an AZ. Here are the details you need to provide:
    1. subnet name=”public-subnet”
    2. vpc name=”vpc1”
    3. AZ=London
    4. CIDR Block=
  3. Create a private subnet in the London AZ, with the following details:
    1. subnet name = “private-subnet”
    2. vpc name=”vpc1”
    3. AZ=London
    4. CIDR block=



A public subnet must exist in the VPC, in the same AZ as the private subnet that hosts the private EC2 instance. That’s because a public ELB, behind the scenes, builds EC2 instances on a public subnet and then reroutes traffic to the private EC2 instances. The reason this public subnet must be in the same AZ as the private subnet is that it improves performance.

Note: when creating an ELB, you will be prompted to select at least 2 subnets for High Availability purposes. That’s why it’s best to create another public subnet in a different AZ to achieve this, although it’s unlikely this second public subnet gets used.