In Amazon Web Services (AWS), public and private subnets are components of a Virtual Private Cloud (VPC) architecture, which helps you organize and isolate your cloud resources. Here's a breakdown:
Public Subnet:
A public subnet is a subnet in your VPC that has a route to the internet gateway (IGW). This means instances (like EC2 instances) launched in a public subnet can communicate directly with the internet and receive inbound traffic initiated from the internet.
Typically, resources placed in a public subnet are those that need to be accessible from the internet, such as web servers, load balancers, or bastion hosts.
To make a subnet public, you need to associate it with a route table that has a route to the internet gateway.
Private Subnet:
A private subnet is a subnet in your VPC that doesn't have a direct route to the internet. Instances in a private subnet can't be accessed directly from the internet, and without a NAT device they can't initiate outbound connections to the internet either.
Usually, resources placed in a private subnet are those that should not be exposed to the public internet, such as databases, internal application servers, or backend services.
To allow instances in a private subnet to access the internet (e.g., for software updates), you typically set up a NAT Gateway or NAT Instance in a public subnet. This allows instances in the private subnet to route their internet-bound traffic through the NAT Gateway or NAT Instance.
Differentiating between public and private subnets in AWS can be done based on their routing configurations and the types of resources they host. Here's a more detailed breakdown:
Routing Configuration:
Public Subnet: A public subnet has a route to an Internet Gateway (IGW) in its associated route table. This route allows instances in the public subnet to communicate directly with the internet.
Private Subnet: A private subnet does not have a route to an Internet Gateway in its associated route table. Instead, it might have routes to internal resources within the VPC or to a NAT Gateway or NAT Instance for outbound internet access.
Accessibility:
Public Subnet: Resources in a public subnet are accessible from the internet. This includes instances like web servers or load balancers that need to accept incoming requests from users on the internet.
Private Subnet: Resources in a private subnet are not directly accessible from the internet. They are typically internal-facing resources like databases, application servers, or backend services that should not be exposed to the public internet.
Security Group and Network ACL Configuration:
Public Subnet: Security groups and network ACLs (Access Control Lists) for resources in a public subnet might be configured to allow inbound traffic from specific IP ranges or sources on the internet.
Private Subnet: Security groups and network ACLs for resources in a private subnet might restrict inbound traffic to only come from specific subnets within the VPC or from specific security groups, limiting access to only trusted internal resources.
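The distinction above (private-tier groups should only admit traffic from inside the VPC or from other security groups) can be turned into a simple audit. The following is an added example, not part of the original text and not AWS tooling: it walks security groups shaped like the EC2 DescribeSecurityGroups output and reports any ingress rule on a private-tier group whose CIDR source lies outside the VPC range. The groups, the VPC CIDR and the "Tier" key (standing in for however you tag which subnet type a group's instances live in) are constructed placeholders.

```python
"""Flag private-tier security groups that accept ingress from outside the VPC.

Added example, not from the original page or from AWS. Group records follow
the shape of the EC2 DescribeSecurityGroups response, but every value here
is constructed sample data, and the "Tier" key is an assumed tag.
"""
import ipaddress
from typing import List

# Constructed sample VPC range.
VPC_CIDR = "10.0.0.0/16"

# Constructed sample groups; identifiers are placeholders, not real resources.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-db-EXAMPLE",
        "Tier": "private",  # assumed tag: instances live in a private subnet
        "IpPermissions": [
            # Good: database port reachable only from another security group.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "UserIdGroupPairs": [{"GroupId": "sg-app-EXAMPLE"}], "IpRanges": []},
            # Bad: SSH open to the whole internet on a private-tier group.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-web-EXAMPLE",
        "Tier": "public",   # public-facing web tier, expected to accept internet traffic
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]


def external_sources(permission: dict, vpc_cidr: str) -> List[str]:
    """Return the CIDR sources of one ingress rule that are not inside the VPC.

    Security-group references (UserIdGroupPairs) are internal by definition and
    are not reported; only IPv4/IPv6 CIDR sources are checked.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    outside = []
    ranges = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        # A different address family can never be inside the VPC's IPv4 range.
        if net.version != vpc.version or not net.subnet_of(vpc):
            outside.append(cidr)
    return outside


def audit_private_group(sg: dict, vpc_cidr: str) -> List[str]:
    """Produce one finding per (rule, external source) on a private-tier group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"
        for cidr in external_sources(perm, vpc_cidr):
            findings.append(
                f"{sg['GroupId']}: {perm['IpProtocol']}/{ports} open to {cidr} (outside VPC)"
            )
    return findings


def audit_all(groups: List[dict], vpc_cidr: str) -> List[str]:
    """Audit only the groups tagged as private; public-tier groups are expected to be open."""
    findings = []
    for sg in groups:
        if sg.get("Tier") == "private":
            findings.extend(audit_private_group(sg, vpc_cidr))
    return findings


if __name__ == "__main__":
    for line in audit_all(SECURITY_GROUPS, VPC_CIDR):
        print(line)
```

Run against live data by replacing the constructed list with the `SecurityGroups` array from `aws ec2 describe-security-groups` and supplying your own tier tagging; the check is deliberately conservative and reports the 443 rule on the public tier as acceptable because that group is expected to accept internet traffic.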
Network Address Translation (NAT):
Public Subnet: A public subnet typically doesn't require NAT for outbound internet access since instances in a public subnet can communicate directly with the internet.
Private Subnet: In a private subnet, if instances need outbound internet access (e.g., for software updates), a NAT Gateway or NAT Instance is typically deployed in a public subnet, and the private subnet's route table is configured to route internet-bound traffic through the NAT Gateway or NAT Instance.
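The routing rules above are exactly what an auditor checks to decide which subnets are public: whether the subnet's route table (or the VPC's main route table, for subnets with no explicit association) sends 0.0.0.0/0 to an internet gateway, to a NAT device, or nowhere. The following is an added example, not part of the original text and not an AWS tool: it classifies subnets from route-table records shaped like the EC2 DescribeRouteTables output. All identifiers and the subnet list are constructed placeholders. It also covers a case the text does not spell out: a subnet with no explicit association inherits the main route table, so if the main table carries an IGW route, an "orphan" subnet becomes public by accident.

```python
"""Classify VPC subnets as public, private-with-NAT or isolated from route tables.

Added example, not from the original page or from AWS. Records follow the
shape of the EC2 DescribeRouteTables response; all values are constructed.
"""
from typing import Dict, List, Optional

# Constructed sample: two route tables in one VPC. Identifiers are placeholders.
ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-public-EXAMPLE",
        "Associations": [
            {"SubnetId": "subnet-web-EXAMPLE"},
            {"Main": True},  # this is also the VPC's main table (no SubnetId)
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
        ],
    },
    {
        "RouteTableId": "rtb-private-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-db-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
        ],
    },
]

# Constructed subnet list; the third subnet has no explicit association.
SUBNETS = ["subnet-web-EXAMPLE", "subnet-db-EXAMPLE", "subnet-orphan-EXAMPLE"]


def _is_default_route(route: dict) -> bool:
    """True for the IPv4 or IPv6 catch-all destination."""
    return (route.get("DestinationCidrBlock") == "0.0.0.0/0"
            or route.get("DestinationIpv6CidrBlock") == "::/0")


def classify_route_table(rt: dict) -> str:
    """Return 'public', 'private-nat' or 'private-isolated' for one route table."""
    for route in rt.get("Routes", []):
        if not _is_default_route(route):
            continue
        # Default route to an internet gateway: public, per the text above.
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        # Default route to a NAT Gateway or a NAT Instance: outbound-only.
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "private-nat"
    return "private-isolated"


def classify_subnets(route_tables: List[dict], subnets: List[str]) -> Dict[str, str]:
    """Map each subnet to its classification, honouring the main-table fallback."""
    explicit: Dict[str, dict] = {}
    main_rt: Optional[dict] = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_rt = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    result = {}
    for subnet in subnets:
        rt = explicit.get(subnet, main_rt)
        result[subnet] = classify_route_table(rt) if rt else "private-isolated"
    return result


def unintended_public_subnets(route_tables: List[dict], subnets: List[str]) -> List[str]:
    """Subnets that are public only because they inherit the main route table."""
    explicit = {a["SubnetId"] for rt in route_tables
                for a in rt.get("Associations", []) if "SubnetId" in a}
    classes = classify_subnets(route_tables, subnets)
    return [s for s in subnets if s not in explicit and classes[s] == "public"]


if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES, SUBNETS).items():
        print(f"{subnet}: {kind}")
    print("inherited public:", unintended_public_subnets(ROUTE_TABLES, SUBNETS))
```

Note that a public route table alone does not make an instance reachable: it also needs a public or Elastic IP, which this check does not look at. Feed it the `RouteTables` array from `aws ec2 describe-route-tables` and the subnet IDs from `aws ec2 describe-subnets` to run it on a real VPC.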