diff --git a/examples/aws-two-tier/main.tf b/examples/aws-two-tier/main.tf
index 254cb7fdd..8b98d979c 100644
--- a/examples/aws-two-tier/main.tf
+++ b/examples/aws-two-tier/main.tf
@@ -3,33 +3,81 @@ provider "aws" {
 region = "${var.aws_region}"
 }
 
-# Our default security group to access
-# the instances over SSH and HTTP
-resource "aws_security_group" "default" {
- name = "terraform_example"
- description = "Used in the terraform"
+# Create a VPC to launch our instances into
+resource "aws_vpc" "default" {
+ cidr_block = "10.0.0.0/16"
+}
 
- # SSH access from anywhere
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
+# Create an internet gateway to give our subnet access to the outside world
+resource "aws_internet_gateway" "default" {
+ vpc_id = "${aws_vpc.default.id}"
+}
+
+# Grant the VPC internet access on its main route table
+resource "aws_route" "internet_access" {
+ route_table_id = "${aws_vpc.default.main_route_table_id}"
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = "${aws_internet_gateway.default.id}"
+}
+
+# Create a subnet to launch our instances into
+resource "aws_subnet" "default" {
+ vpc_id = "${aws_vpc.default.id}"
+ cidr_block = "10.0.1.0/24"
+ map_public_ip_on_launch = true
+}
+
+# A security group for the ELB so it is accessible via the web
+resource "aws_security_group" "elb" {
+ name = "terraform_example_elb"
+ description = "Used in the terraform"
+ vpc_id = "${aws_vpc.default.id}"
 
 # HTTP access from anywhere
 ingress {
- from_port = 80
- to_port = 80
- protocol = "tcp"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
 
 # outbound internet access
 egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+# Our default security group to access
+# the instances over SSH and HTTP
+resource "aws_security_group" "default" {
+ name = "terraform_example"
+ description = "Used in the terraform"
+ vpc_id = "${aws_vpc.default.id}"
+
+ # SSH access from anywhere
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ # HTTP access from the VPC
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["10.0.0.0/16"]
+ }
+
+ # outbound internet access
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
@@ -38,20 +86,23 @@ resource "aws_security_group" "default" {
 resource "aws_elb" "web" {
 name = "terraform-example-elb"
 
- # The same availability zone as our instance
- availability_zones = ["${aws_instance.web.availability_zone}"]
+ subnets = ["${aws_subnet.default.id}"]
+ security_groups = ["${aws_security_group.elb.id}"]
+ instances = ["${aws_instance.web.id}"]
 
 listener {
- instance_port = 80
+ instance_port = 80
 instance_protocol = "http"
- lb_port = 80
- lb_protocol = "http"
+ lb_port = 80
+ lb_protocol = "http"
 }
 
- # The instance is registered automatically
- instances = ["${aws_instance.web.id}"]
 }
 
+resource "aws_key_pair" "auth" {
+ key_name = "tf-aws-two-tier-example"
+ public_key = "${file(var.public_key_path)}"
+}
 
 resource "aws_instance" "web" {
 # The connection block tells our provisioner how to
@@ -60,8 +111,7 @@ resource "aws_instance" "web" {
 # The default username for our AMI
 user = "ubuntu"
 
- # The path to your keyfile
- key_file = "${var.key_path}"
+ # The connection will use the local SSH agent for authentication.
 }
 
 instance_type = "m1.small"
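Review bot: The HTTP ingress of `aws_security_group.default` admits the entire VPC through a hard-coded `cidr_blocks = ["10.0.0.0/16"]`, which duplicates the literal given to `aws_vpc.default` and is wider than the one client that needs port 80, the ELB. Referencing the ELB group instead, `security_groups = ["${aws_security_group.elb.id}"]` in place of the cidr_blocks line, limits port 80 to traffic arriving through the load balancer and stops the rule drifting if the VPC CIDR changes; if the CIDR form is kept, `cidr_blocks = ["${aws_vpc.default.cidr_block}"]` at least removes the duplicated literal. The SSH rule in the same group still admits `0.0.0.0/0` on port 22 while the subnet's `map_public_ip_on_launch = true` gives the instance a public address, so a comment telling operators to narrow that range to their own addresses would be worth adding next to it.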
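Review bot: `aws_key_pair.auth` hard-codes `key_name = "tf-aws-two-tier-example"`; EC2 key pair names are unique per account and region, so a second copy of this example applied in the same region fails to create the key pair instead of reusing it. Deriving the name from a variable, or at least documenting the constraint with `# Key pair names are unique per region; change this if it already exists in your account`, would avoid a confusing apply error. The resource also lacks the explanatory comment every other resource in this file carries; `# Register the public key from public_key_path so the instance can be reached over SSH` would match the file's style.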
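Review bot: The new comment `# The connection will use the local SSH agent for authentication.` replaces the removed `key_file` setting but does not say what the operator has to do for that to work: the private key matching `public_key_path` must be loaded into a running ssh-agent, otherwise the remote provisioner later in this resource fails at connect time with no hint about the cause. Extending it to `# The connection will use the local SSH agent for authentication; load the private key matching var.public_key_path into ssh-agent before applying.` makes the requirement explicit. The enclosing connection block begins outside the hunk.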
@@ -70,15 +120,16 @@ resource "aws_instance" "web" {
 # we specified
 ami = "${lookup(var.aws_amis, var.aws_region)}"
 
- # The name of our SSH keypair you've created and downloaded
- # from the AWS console.
- #
- # https://console.aws.amazon.com/ec2/v2/home?region=us-west-2#KeyPairs:
- #
- key_name = "${var.key_name}"
+ # The name of our SSH keypair we created above.
+ key_name = "${aws_key_pair.auth.id}"
 
 # Our Security group to allow HTTP and SSH access
- security_groups = ["${aws_security_group.default.name}"]
+ vpc_security_group_ids = ["${aws_security_group.default.id}"]
+
+ # We're going to launch into the same subnet as our ELB. In a production
+ # environment it's more common to have a separate private subnet for
+ # backend instances.
+ subnet_id = "${aws_subnet.default.id}"
 
 # We run a remote provisioner on the instance after creating it.
 # In this case, we just install nginx and start it. By default,
diff --git a/examples/aws-two-tier/variables.tf b/examples/aws-two-tier/variables.tf
index ee80ee292..1321fcf1b 100644
--- a/examples/aws-two-tier/variables.tf
+++ b/examples/aws-two-tier/variables.tf
@@ -1,9 +1,11 @@
-variable "key_name" {
- description = "Name of the SSH keypair to use in AWS."
-}
+variable "public_key_path" {
+ description = <
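Review bot: The comment above `subnet_id` says a production setup would use a separate private subnet, but it does not mention that the shared subnet it launches into has `map_public_ip_on_launch = true`, so the instance also receives a public address and is reachable from the internet on whatever `aws_security_group.default` admits, not only through the ELB. Adding `# Note that the subnet assigns a public IP on launch, so the instance is directly addressable; a private subnet would keep it reachable only via the ELB.` would make that trade-off visible where the choice is made. The aws_instance resource begins and ends outside this hunk.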