One of the good training exercises that you can do while studying for the AWS-ASA is create from scratch an Internet accessible VPC without using one of the pre-built templates. This gives you the insight into how all of the underlying pieces fit together. That way when you are troubleshooting an existing deployment you can “walk through” the build to make sure all the bits are there. I did this several times in preparation for the exam & here it is:
- Log into your AWS console.
-
Click on VPC
-
Click on Your VPCs & Create VPC
& 
-
Create the CIDR range that you want to use:
-
Once you have created your VPC, you will notice that if you click on “Route Tables”, a new route table has been created with the name you used for your VPC:
-
Now you will want to create your subnets within your CIDR block. These subnets need to be smaller than your VPC CIDR block & if you want multiple AZs, you can specify them here:
-
So now I have 2 subnets within my VPC, each one in a different AZ:
-
If you want your VPC to be Internet facing, you now need to create an Internet Gateway. So click on Internet Gateways & “Create Internet Gateway”
-
Now attach it to your VPC:
-
Ok, so now you’ve got all the pieces in place. Now all you need is to establish routing from the Internet Gateway to the subnets that you want to access the outside world! Create a new route table
-
Now go to “Routes” table and create a new route out:
-
Create a subnet association for the subnets that you want to have internet access:
And that’s it! If you create an EC2 instance in the “DMZ” subnet (10.0.1.0) you will have internet access, whereas you wouldn’t in 10.0.2.0