Any EC2 running on a private subnet can be accessed from another EC2 instance from within VPC network or over a VPN network. The instances running are not accessible via the public internet. Each VPC has a default internet gateway associated with it. A new subnet is always created as a public subnet. The public subnet can be changed to a private subnet by assigning its route table to a private route table:

1. The first step is to create a private route table:
   1. From the VPC dashboard, navigate to Route Tables and click on the Create Route Table button:

1. 2. In the Create Route Table popup, assign the name of the route table in the Name tag.  Click on the Yes, Create button:

 

1. 3. You should see the following screen:

4. The next step is to create a subnet:
   1. From the VPC dashboard, navigate to Subnets and then click on Create Subnets:

1. 2. Name tag: Specify a name for the subnet. This name will be reflected in the VPC dashboard.
   3. VPC: Choose the VPC in which this subnet will be created. Select the option containing 172.31.0.0/16 from the dropdown if you have more than one VPC.
   4. Availability Zone: The availability zone in which this subnet will be created. From the dropdown, select us-west-2a; this is one of the two private subnets. The other one will created in the us-west-2c Availability Zone as per the deployment architecture.
   5. CIDR block: Classless Inter-Domain Routing (CIDR) defines a range of IP addresses to be allocated to the hosts in the subnet. In this case, 172.31.80.0/20 defines the IP address range from 172.31.80.0 to 172.31.95.255 (a total of 4,096 hosts):

6. You should see the following screen:

7. The last step is to associate the private route table created in step 1 with the subnet created in step 2:
   1. From the VPC dashboard, navigate to Subnets and click on the subnet created in step 2.
   2. Navigate to Route Table tab in the bottom pane and click on Edit:

1. 3. From the Change To dropdown, select the route created in step 1:

Similarly create another subnet, Private Subnet, with CIDR block 172.31.96.0/20 in the Availability Zone us-west-2c; assign the private route table to it (created in step 1):