A VPC (Virtual Private Cloud) subnet is a logical subdivision of an IP network within your AWS VPC. Subnets allow you to segment your VPC's IP address range into smaller, manageable sections, enabling better organization and security control of your AWS resources.
Each subnet resides in a single A…A VPC (Virtual Private Cloud) subnet is a logical subdivision of an IP network within your AWS VPC. Subnets allow you to segment your VPC's IP address range into smaller, manageable sections, enabling better organization and security control of your AWS resources.
Each subnet resides in a single Availability Zone and cannot span multiple AZs, providing fault isolation. When you create a VPC, you must specify an IPv4 CIDR block, and subnets are carved out from this range.
There are two primary types of subnets:
**Public Subnets**: These have a route to an Internet Gateway, allowing resources with public IP addresses to communicate with the internet. Typically used for web servers, load balancers, and bastion hosts.
**Private Subnets**: These lack a route to an Internet Gateway. Resources here can access the internet through a NAT Gateway or NAT Instance placed in a public subnet. Ideal for databases, application servers, and backend systems.
Key subnet considerations include:
- **CIDR Block**: Each subnet requires a CIDR block that is a subset of the VPC CIDR. AWS reserves 5 IP addresses in each subnet for internal purposes.
- **Route Tables**: Each subnet associates with a route table that determines traffic routing. Multiple subnets can share a route table.
- **Network ACLs**: These provide stateless firewall rules at the subnet level, controlling inbound and outbound traffic.
- **Auto-assign Public IP**: You can configure subnets to automatically assign public IPv4 addresses to instances launched within them.
For high availability, deploy resources across multiple subnets in different Availability Zones. This architecture ensures your application remains accessible even if one AZ experiences issues.
Best practices include using separate subnets for different application tiers, implementing proper CIDR planning to avoid overlap, and using meaningful naming conventions for easier management.
VPC Subnets: Complete Guide for AWS SysOps Administrator Associate Exam
Why VPC Subnets Are Important
VPC subnets are fundamental building blocks of AWS networking. They allow you to segment your Virtual Private Cloud into smaller, manageable sections, enabling you to organize resources, implement security controls, and design highly available architectures. Understanding subnets is essential for any AWS administrator as they impact security, availability, and connectivity of your applications.
What Are VPC Subnets?
A subnet is a range of IP addresses within your VPC. Each subnet resides entirely within a single Availability Zone and cannot span multiple AZs. Subnets can be classified as:
Public Subnets: Have a route to an Internet Gateway, allowing resources to communicate with the internet.
Private Subnets: Do not have a route to an Internet Gateway. Resources here can access the internet through a NAT Gateway or NAT Instance placed in a public subnet.
How VPC Subnets Work
1. CIDR Block Allocation: When creating a subnet, you assign a CIDR block that is a subset of your VPC CIDR. For example, if your VPC is 10.0.0.0/16, you might create subnets like 10.0.1.0/24 or 10.0.2.0/24.
2. Reserved IP Addresses: AWS reserves 5 IP addresses in each subnet: - First address: Network address - Second address: VPC router - Third address: DNS server - Fourth address: Reserved for future use - Last address: Broadcast address
3. Route Tables: Each subnet must be associated with a route table that determines where network traffic is directed. A subnet can only be associated with one route table at a time.
4. Network ACLs: Subnets are associated with Network ACLs that act as stateless firewalls controlling inbound and outbound traffic at the subnet level.
5. Auto-assign Public IP: You can configure subnets to automatically assign public IP addresses to instances launched within them.
Key Subnet Concepts for the Exam
- Subnet sizing: A /24 subnet provides 256 IP addresses, but only 251 are usable due to AWS reservations. - High Availability: Deploy resources across multiple subnets in different AZs for fault tolerance. - Security: Use private subnets for databases and backend services; use public subnets for load balancers and bastion hosts. - VPC Peering: Subnets can communicate across peered VPCs if route tables are configured correctly.
Exam Tips: Answering Questions on VPC Subnets
1. Remember the 5 reserved IPs: When calculating available IP addresses, always subtract 5 from the total. A /24 gives you 251 usable addresses, not 256.
2. Subnet cannot span AZs: If a question mentions high availability, the solution must involve multiple subnets across different Availability Zones.
3. Public vs Private distinction: A subnet becomes public when its route table has a route to an Internet Gateway (0.0.0.0/0 -> igw-xxx).
4. NAT Gateway placement: NAT Gateways must be placed in public subnets to provide internet access for private subnet resources.
5. Default subnet behavior: The default VPC comes with a default subnet in each AZ, all configured as public subnets.
6. Route table associations: If no explicit association exists, the subnet uses the main route table. Always check route table configurations in troubleshooting scenarios.
7. Network ACL defaults: The default Network ACL allows all traffic. Custom Network ACLs deny all traffic by default.
8. Look for connectivity issues: When instances cannot communicate, check subnet route tables, Network ACLs, and Security Groups in that order.
9. CIDR overlap: Subnets within a VPC cannot have overlapping CIDR blocks. This is also important for VPC peering scenarios.
10. IPv6 considerations: Subnets can be dual-stack (IPv4 and IPv6). IPv6 CIDR blocks are /64 in size for subnets.