Bird
Raised Fist0
AWScloud~5 mins

Public vs private subnets in AWS - CLI Comparison

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
When you build a network in the cloud, you need to decide which parts are open to the internet and which parts are kept safe inside. Public subnets let resources talk to the internet directly, while private subnets keep resources hidden and secure, only reachable through special paths.
When you want your web servers to be accessible by anyone on the internet.
When you want your databases to be hidden from the internet for security.
When you need to run backend services that only your app servers can access.
When you want to control internet access for different parts of your application.
When you want to reduce security risks by limiting exposure of sensitive resources.
Config File - vpc-subnets.yaml
vpc-subnets.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS VPC with Public and Private Subnets
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: my-vpc

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: my-igw

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref InternetGateway

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: us-east-1a
      Tags:
        - Key: Name
          Value: public-subnet

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: false
      AvailabilityZone: us-east-1a
      Tags:
        - Key: Name
          Value: private-subnet

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: public-rt

  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: private-rt

  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

This file creates a VPC with two subnets: one public and one private.

The InternetGateway connects the VPC to the internet.

The PublicSubnet has MapPublicIpOnLaunch: true so instances get public IPs.

The PublicRouteTable routes internet traffic through the Internet Gateway.

The PrivateSubnet does not assign public IPs and uses a separate route table without internet access.

Commands
This command creates the VPC, subnets, and routing setup from the configuration file.
Terminal
aws cloudformation deploy --template-file vpc-subnets.yaml --stack-name my-vpc-stack
Expected OutputExpected
Waiting for stack create/update to complete... Successfully created/updated stack - my-vpc-stack
--template-file - Specifies the CloudFormation template file to use
--stack-name - Names the CloudFormation stack for management
This command lists the subnets in the created VPC to verify public and private subnets exist.
Terminal
aws ec2 describe-subnets --filters Name=vpc-id,Values=$(aws ec2 describe-vpcs --query 'Vpcs[?Tags[?Key==`Name` && Value==`my-vpc`]].VpcId' --output text)
Expected OutputExpected
{ "Subnets": [ { "SubnetId": "subnet-0a1b2c3d4e5f6g7h8", "VpcId": "vpc-1234567890abcdef0", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": true, "AvailabilityZone": "us-east-1a" }, { "SubnetId": "subnet-1h2g3f4e5d6c7b8a9", "VpcId": "vpc-1234567890abcdef0", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": false, "AvailabilityZone": "us-east-1a" } ] }
This command shows the route tables to confirm the public subnet routes to the internet gateway and the private subnet does not.
Terminal
aws ec2 describe-route-tables --filters Name=vpc-id,Values=$(aws ec2 describe-vpcs --query 'Vpcs[?Tags[?Key==`Name` && Value==`my-vpc`]].VpcId' --output text)
Expected OutputExpected
{ "RouteTables": [ { "RouteTableId": "rtb-0a1b2c3d4e5f6g7h8", "VpcId": "vpc-1234567890abcdef0", "Routes": [ { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-12345678", "State": "active" } ] }, { "RouteTableId": "rtb-1h2g3f4e5d6c7b8a9", "VpcId": "vpc-1234567890abcdef0", "Routes": [ { "DestinationCidrBlock": "10.0.0.0/16", "State": "active" } ] } ] }
Key Concept

Public subnets have a route to the internet gateway and assign public IPs, while private subnets do not, keeping resources isolated from direct internet access.

Common Mistakes
Not attaching the internet gateway to the VPC.
Without the internet gateway attached, public subnets cannot route traffic to the internet.
Always create and attach an internet gateway to your VPC before setting up public subnets.
Setting MapPublicIpOnLaunch to false on public subnets.
Instances launched in the public subnet won't get public IPs and won't be reachable from the internet.
Set MapPublicIpOnLaunch to true for public subnets to assign public IPs automatically.
Assigning a route to the internet gateway in the private subnet's route table.
This exposes private subnet resources to the internet, defeating the purpose of isolation.
Do not add internet gateway routes to private subnet route tables; use NAT gateways if internet access is needed.
Summary
Use CloudFormation to create a VPC with separate public and private subnets.
Public subnets have a route to the internet gateway and assign public IPs to instances.
Private subnets have no direct internet route and do not assign public IPs, keeping resources secure.

Practice

(1/5)
1. Which statement best describes a public subnet in AWS?
easy
A. It has direct internet access and assigns public IPs automatically.
B. It does not assign public IPs and blocks all internet traffic.
C. It is used only for internal communication within the VPC.
D. It requires a VPN connection to access the internet.

Solution

  1. Step 1: Understand public subnet characteristics

    A public subnet allows resources to communicate directly with the internet by assigning public IP addresses.

  2. Step 2: Compare with other subnet types

    Private subnets do not assign public IPs and restrict internet access, unlike public subnets.

  3. Final Answer:

    It has direct internet access and assigns public IPs automatically. -> Option A

  4. Quick Check:

    Public subnet = direct internet access [OK]
Hint: Public subnet = direct internet access + public IPs [OK]
Common Mistakes:
  • Confusing private subnet with public subnet
  • Thinking all subnets have internet access
  • Assuming VPN is needed for public subnet
2. Which AWS subnet configuration correctly creates a private subnet?
easy
A. AssignPublicIpOnLaunch: true
B. EnableInternetGateway: true
C. MapPublicIpOnLaunch: false
D. RouteTable: 0.0.0.0/0 via IGW

Solution

  1. Step 1: Identify private subnet IP assignment

    Private subnets do not assign public IPs automatically, so MapPublicIpOnLaunch must be false.

  2. Step 2: Understand routing and gateway settings

    Internet Gateway (IGW) and routing to 0.0.0.0/0 are for public subnets, not private.

  3. Final Answer:

    <code>MapPublicIpOnLaunch: false</code> -> Option C

  4. Quick Check:

    Private subnet = no public IP assignment [OK]
Hint: Private subnet disables public IP assignment [OK]
Common Mistakes:
  • Setting public IP assignment to true for private subnet
  • Confusing internet gateway with subnet config
  • Using public route table for private subnet
3. Given this route table for a subnet:
Destination: 0.0.0.0/0, Target: igw-12345
What type of subnet is this likely to be?
medium
A. Public subnet with internet access
B. Private subnet with no internet access
C. Isolated subnet with VPN only
D. Subnet with NAT gateway only

Solution

  1. Step 1: Analyze route table destination and target

    The route directs all internet traffic (0.0.0.0/0) to an internet gateway (igw), which enables internet access.

  2. Step 2: Determine subnet type from routing

    Routing to an internet gateway means the subnet is public and can access the internet directly.

  3. Final Answer:

    Public subnet with internet access -> Option A

  4. Quick Check:

    Route to IGW = public subnet [OK]
Hint: Route 0.0.0.0/0 to IGW means public subnet [OK]
Common Mistakes:
  • Assuming NAT gateway means public subnet
  • Confusing IGW with VPN or NAT
  • Ignoring route table targets
4. You created a subnet with MapPublicIpOnLaunch: false but instances still get public IPs. What is the likely issue?
medium
A. The subnet is associated with a route table that routes to an internet gateway.
B. The instance launch configuration overrides subnet settings to assign public IPs.
C. The VPC has no internet gateway attached.
D. The subnet CIDR block overlaps with another subnet.

Solution

  1. Step 1: Understand subnet vs instance IP assignment

    Subnet setting disables automatic public IP assignment, but instance launch settings can override this.

  2. Step 2: Identify cause of public IP despite subnet config

    If instance launch config explicitly assigns public IPs, it overrides subnet default behavior.

  3. Final Answer:

    The instance launch configuration overrides subnet settings to assign public IPs. -> Option B

  4. Quick Check:

    Instance config can override subnet IP assignment [OK]
Hint: Instance launch config can override subnet IP settings [OK]
Common Mistakes:
  • Blaming route table for IP assignment
  • Ignoring instance-level settings
  • Confusing CIDR overlap with IP assignment
5. You want to host a web server accessible from the internet and a database only accessible internally. How should you design your subnets?
hard
A. Place both web server and database in private subnets and use a VPN for access.
B. Place both web server and database in a public subnet with security groups restricting access.
C. Place the web server in a private subnet and the database in a public subnet.
D. Place the web server in a public subnet and the database in a private subnet.

Solution

  1. Step 1: Identify subnet roles for internet access

    The web server needs internet access, so it belongs in a public subnet with a route to the internet gateway.

  2. Step 2: Secure the database internally

    The database should be in a private subnet without direct internet access to keep it secure.

  3. Final Answer:

    Place the web server in a public subnet and the database in a private subnet. -> Option D

  4. Quick Check:

    Internet-facing resources in public, internal in private [OK]
Hint: Web server public, database private subnet [OK]
Common Mistakes:
  • Putting database in public subnet
  • Putting web server in private subnet
  • Relying only on security groups without subnet design