Status: ✅ Completed
Overview
Built a secure AWS VPC using Infrastructure as Code (CDK, TypeScript).
The design demonstrates subnet segmentation, controlled outbound traffic, and secure administrative access.
Business Need
Organisations require secure and scalable cloud networks.
This project shows a production-style approach with public/private subnets and safe administrative access.
Architecture Diagram
AWS Services Used
- VPC with subnets – public and private isolation
- Internet Gateway + NAT Gateway – secure outbound access
- EC2 Bastion Host – controlled SSH entry point
- Route Tables & Security Groups – enforce network boundaries
- AWS CDK (TypeScript) – reproducible Infrastructure as Code
- Used AWS CDK with TypeScript to define the VPC, subnets, NAT Gateway, and Bastion Host. The code is clean, repeatable, and easy to update.
Key Outcomes
- Isolated application workloads in private subnets
- Controlled outbound internet via NAT Gateway
- Secure SSH entry point with Bastion Host
- Infrastructure deployed repeatably with CDK
Improvements Added
- Introduced subnet segmentation and NAT Gateway for secure architecture
- Replaced manual deployment with CDK for Infrastructure as Code
- Used security groups to restrict SSH access to the Bastion Host
Possible Enhancements
- Add Application Load Balancer (ALB) for high availability
- Replace Bastion Host with SSM Session Manager
- Enable VPC Flow Logs for network visibility
- Add CloudWatch Alarms for proactive monitoring
Failure Scenarios & Mitigations
| Scenario | Mitigation |
|---|---|
| NAT Gateway failure | Add NAT Gateway in a second AZ for HA |
| Bastion Host unreachable | Validate security group ingress and use static Elastic IP |
| Route misconfiguration | CDK-defined route tables reduce error risk |
| Private subnet exposure | Route tables and SGs restrict unintended access |
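The route and security-group mitigations in the table above can be checked against the synthesized template before anything is deployed. The TypeScript below is an added example, not this project's code: it lints a `cdk synth`-style CloudFormation template for SSH open to the whole internet and for private subnets whose default route points at the internet gateway, reading the subnet role from the `aws-cdk:subnet-type` tag; the sample template at the bottom is constructed.

```typescript
// Added example, not this project's code: lint a synthesized CloudFormation template
// (what `cdk synth` emits) for two controls this design relies on. Sample template is constructed.
type Res = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Res> };
// Resolve a plain string or a { Ref: "LogicalId" } intrinsic to its logical id.
const refId = (v: any): string => (typeof v === "string" ? v : (v && v.Ref) || "");
// Subnet role, read from the aws-cdk:subnet-type tag the Vpc construct emits.
function subnetType(R: Record<string, Res>, id: string): string {
  const tags: any[] = (R[id] && R[id].Properties && R[id].Properties!.Tags) || [];
  for (const t of tags) if (t.Key === "aws-cdk:subnet-type") return t.Value;
  return "";
}
export function lintVpcTemplate(t: Template): string[] {
  const R = t.Resources;
  const findings: string[] = [];
  const rtTypes: Record<string, string[]> = {}; // route table id -> subnet types using it
  for (const id in R) {
    const p = R[id].Properties || {};
    if (R[id].Type !== "AWS::EC2::SubnetRouteTableAssociation") continue;
    const rt = refId(p.RouteTableId);
    (rtTypes[rt] = rtTypes[rt] || []).push(subnetType(R, refId(p.SubnetId)));
  }
  for (const id in R) {
    const p = R[id].Properties || {};
    // Control 1: no security group may expose SSH (tcp/22) to the whole internet.
    if (R[id].Type === "AWS::EC2::SecurityGroup") {
      for (const rule of p.SecurityGroupIngress || []) {
        const ssh = rule.IpProtocol === "tcp" && rule.FromPort <= 22 && rule.ToPort >= 22;
        const world = rule.CidrIp === "0.0.0.0/0" || rule.CidrIpv6 === "::/0";
        if (ssh && world) findings.push(id + ": SSH open to the whole internet");
      }
    }
    // Control 2: a private subnet's default route must use NAT, never the IGW.
    if (R[id].Type === "AWS::EC2::Route" && p.DestinationCidrBlock === "0.0.0.0/0" && p.GatewayId) {
      const types = rtTypes[refId(p.RouteTableId)] || [];
      if (types.indexOf("Private") >= 0) findings.push(id + ": private subnet routed straight to the IGW");
    }
  }
  return findings;
}
// Constructed sample: a correctly restricted bastion SG, an open SG, and a
// private subnet whose route table wrongly points at the internet gateway.
export const sampleTemplate: Template = { Resources: {
  AppSubnet: { Type: "AWS::EC2::Subnet", Properties: { Tags: [{ Key: "aws-cdk:subnet-type", Value: "Private" }] } },
  AppRt: { Type: "AWS::EC2::RouteTable" },
  AppAssoc: { Type: "AWS::EC2::SubnetRouteTableAssociation", Properties: { SubnetId: { Ref: "AppSubnet" }, RouteTableId: { Ref: "AppRt" } } },
  AppDefault: { Type: "AWS::EC2::Route", Properties: { RouteTableId: { Ref: "AppRt" }, DestinationCidrBlock: "0.0.0.0/0", GatewayId: { Ref: "Igw" } } },
  BastionSg: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "203.0.113.10/32" }] } },
  OpenSg: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" }] } },
} };
```

Running it against the real `cdk.out` template (parse the JSON, pass it to `lintVpcTemplate`) gives a fast pre-deploy gate for exactly the failure scenarios the table lists.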
Expected Outcomes
- Demonstrate ability to design secure AWS VPCs
- Show knowledge of networking, subnets, NAT, and routing
- Present IaC experience using AWS CDK with TypeScript
- Demonstrate support for secure administrative access and environment isolation
Challenges & Solutions
- CIDR sizing and route table setup: Validated using staged CDK deploys
- Securing Bastion Host access: Used public subnet + SG restrictions + isolated private workload
Reflection / Lessons Learned
- Secure networks require thoughtful planning and layered controls
- CDK simplifies iteration and reusability
- Clear diagrams and documentation help explain the design
- The project lays the foundation for future enhancements (e.g., multi-tier apps, DR)
Project Screenshots
VPC Overview
This shows the VPC and subnets created by the CDK deployment, confirming correct CIDR ranges and availability zone mapping.
Subnet List
Displays public and private subnets, including correct CIDR blocks and mapping across two availability zones.
Route Tables
Confirms that public subnets have a route to the internet gateway and private subnets route outbound traffic via the NAT Gateway.
Security Groups
Shows the configured security groups used to control inbound SSH access to the Bastion Host.
CDK Deploy Output
CDK CLI output confirms successful provisioning of VPC, subnets, route tables, internet/NAT gateways, and Bastion Host.
Bastion EC2 Instance
Displays the running EC2 instance acting as the Bastion Host, deployed into the public subnet with correct key pair association.
SSH Access to Bastion Host
Securely accessed the Bastion Host via SSH using the generated key pair.
This confirms correct setup of the public subnet, routing, and security groups.