In Amazon VPC (Virtual Private Cloud), subnets are subdivisions of your VPC's IP address range where you can place AWS resources. Subnets are categorized as either public or private based on their routing configuration and internet accessibility.
**Public Subnets:**
A public subnet is configured t…In Amazon VPC (Virtual Private Cloud), subnets are subdivisions of your VPC's IP address range where you can place AWS resources. Subnets are categorized as either public or private based on their routing configuration and internet accessibility.
**Public Subnets:**
A public subnet is configured to allow resources within it to communicate with the internet. The key characteristics include:
- Route table contains a route to an Internet Gateway (IGW) for traffic destined to 0.0.0.0/0
- Resources can have public IP addresses or Elastic IP addresses assigned
- Commonly used for web servers, load balancers, bastion hosts, and NAT gateways
- Instances must have a public IP to initiate outbound internet connections
**Private Subnets:**
A private subnet does not have a route to the Internet Gateway, keeping resources isolated from the internet. Key characteristics include:
- Route table lacks a route to an IGW
- Resources cannot receive inbound traffic from the internet
- For outbound internet access, traffic must route through a NAT Gateway or NAT Instance placed in a public subnet
- Ideal for databases, application servers, and backend services requiring security
**Best Practices:**
- Deploy multi-tier architectures with web tier in public subnets and application/database tiers in private subnets
- Distribute subnets across multiple Availability Zones for high availability
- Use Network ACLs and Security Groups for layered security
- Implement NAT Gateways in public subnets to allow private subnet resources to download updates and patches
**Key Components:**
- Internet Gateway: Enables public subnet internet connectivity
- NAT Gateway: Allows private subnet outbound internet access while preventing inbound connections
- Route Tables: Determine traffic flow and define whether a subnet is public or private
Understanding subnet architecture is fundamental for designing secure, scalable AWS infrastructure that meets compliance and operational requirements.
Public and Private Subnets in AWS VPC
Why Public and Private Subnets Are Important
Understanding public and private subnets is fundamental to designing secure and functional AWS architectures. Proper subnet configuration ensures that resources requiring internet access can communicate externally while keeping sensitive backend systems protected from external threats. This knowledge is essential for the AWS SysOps Administrator Associate exam and real-world cloud infrastructure management.
What Are Public and Private Subnets?
A subnet is a range of IP addresses within your VPC. Subnets are classified as public or private based on their routing configuration:
Public Subnet: A subnet that has a route to an Internet Gateway (IGW) in its route table. Resources in public subnets can have public IP addresses and communicate with the internet.
Private Subnet: A subnet that does NOT have a route to an Internet Gateway. Resources in private subnets cannot be accessed from the internet and cannot initiate outbound internet connections unless using a NAT Gateway or NAT Instance.
How Public and Private Subnets Work
Public Subnet Configuration: 1. Create a subnet within your VPC 2. Create an Internet Gateway and attach it to your VPC 3. Add a route in the subnet's route table: 0.0.0.0/0 pointing to the Internet Gateway 4. Assign public IP addresses to instances (either auto-assign or Elastic IP) 5. Configure Security Groups and NACLs to allow required traffic
Private Subnet Configuration: 1. Create a subnet within your VPC 2. The route table should only contain local routes (no IGW route) 3. For outbound internet access, add a route to a NAT Gateway or NAT Instance located in a public subnet 4. Resources use private IP addresses only
Common Architecture Pattern: - Web servers and load balancers reside in public subnets - Application servers and databases reside in private subnets - NAT Gateway in public subnet allows private subnet instances to download updates
Key Components: - Internet Gateway (IGW): Enables internet connectivity for public subnets - NAT Gateway: Allows private subnet resources to access the internet for outbound traffic only - Route Tables: Determine whether a subnet is public or private based on routes - Elastic IP: Static public IP address for resources needing consistent public addressing
Exam Tips: Answering Questions on Public and Private Subnets
Tip 1: Remember that what makes a subnet public is the route to an Internet Gateway, NOT the presence of public IP addresses alone. A subnet with instances having public IPs but no IGW route is still private.
Tip 2: NAT Gateways must be placed in a PUBLIC subnet to function. They need an Elastic IP address and internet access through the IGW to provide outbound connectivity for private subnets.
Tip 3: When a question mentions instances needing to download patches or updates but should not be accessible from the internet, think NAT Gateway in a public subnet with private subnet instances routing through it.
Tip 4: Each subnet can only be associated with ONE route table at a time, but one route table can be associated with multiple subnets.
Tip 5: For high availability, deploy NAT Gateways in multiple Availability Zones. NAT Gateways are AZ-specific resources.
Tip 6: Security Groups are stateful (return traffic is allowed), while NACLs are stateless (you must configure both inbound and outbound rules).
Tip 7: When troubleshooting connectivity issues, check in this order: Route tables, NACLs, Security Groups, and instance-level configurations.
Tip 8: Bastion hosts (jump boxes) should be placed in public subnets to provide secure administrative access to instances in private subnets.
Tip 9: VPC Endpoints allow private subnet resources to access AWS services like S3 and DynamoDB using private connectivity, avoiding the need for internet access.