# Step 3: Deploy the Network stack

Install the Network CloudFormation stack in the **hub account**.

#### How to Install this Stack

1. Login to the AWS Management Console using the **Hub Account.**
2. Navigate to the **CloudFormation** page.
3. Click **Create Stack** and select **With new resources (standard)**.
4. For Template Source, select **Amazon S3 URL** and enter the CloudFormation Template URL shown below and click **Next**.
5. On the **Specify Stack** page, enter the stack name '**SandboxStudio-Network**' and use the parameters shown below.

---

#### CloudFormation Template URL

```
https://sandbox-studio-software-dist.s3.amazonaws.com/versions/<VERSION>/SandboxStudio-Network.template.json
```

For more information on how to find the latest version, [click here](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/aws-cloudformation-templates "AWS CloudFormation templates").

---

#### Parameters

<table class="w-fit min-w-(--thread-content-width)" data-end="6285" data-start="5393" id="bkmrk-key-what-to-enter-na" style="width: 101.429%; height: 72px;"><thead data-end="5491" data-start="5393"><tr data-end="5491" data-start="5393"><th class="align-left" data-col-size="sm" data-end="5414" data-start="5393" style="width: 31.3592%;">**Key**</th><th class="align-left" data-col-size="sm" data-end="5491" data-start="5414" style="width: 68.6446%;">**What to enter**</th></tr></thead><tbody data-end="6285" data-start="5591"><tr data-end="5689" data-start="5591"><td data-col-size="sm" data-end="5612" data-start="5591" style="width: 31.3592%;">**Namespace**</td><td data-col-size="sm" data-end="5689" data-start="5612" style="width: 68.6446%;">Use the same namespace you used in step 1.</td></tr></tbody></table>

<div class="_tableContainer_sk2ct_1" id="bkmrk--2"><div class="_tableWrapper_sk2ct_13 group flex w-fit flex-col-reverse" tabindex="-1"></div></div>---

#### About this Stack

**Purpose**

- Creates the **VPC** foundation required by the application.
- Provides **private subnets** for the database and **private subnets with egress** for Lambda functions that require outbound access.

**Where to deploy**

- **Hub account**.

**What it creates**

- One VPC with multiple subnets (at minimum: private subnets for RDS and for VPC‑attached Lambdas).
- Route configuration to allow **egress** from private subnets (for example, via NAT or suitable endpoints).
- **VPC endpoints** for AWS services that support private routing.
- **Internet Gateway** and **NAT Gateway** for AWS services that do not support private routing.

**Validation checks**

- VPC and subnets are visible in the **VPC** console.
- Private subnets have no direct internet ingress and can reach required AWS endpoints for the application.

**Tips**

- Adjust VPC after installation to suit your needs such as routing through enterprise firewalls if needed.

<div _ngcontent-ng-c3818350049="" class="markdown markdown-main-panel enable-updated-hr-color" dir="ltr" id="bkmrk--4"><div _ngcontent-ng-c3818350049="" class="markdown markdown-main-panel enable-updated-hr-color" dir="ltr" id="bkmrk--5"></div></div><div _ngcontent-ng-c3818350049="" class="markdown markdown-main-panel enable-updated-hr-color" dir="ltr" id="bkmrk--6"></div>