Bird
Raised Fist0
AWScloud~20 mins

Public vs private subnets in AWS - Practice Questions

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
Subnet Mastery Badge
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual
intermediate
2:00remaining
Understanding subnet accessibility

Which statement correctly describes the main difference between a public subnet and a private subnet in AWS?

AA public subnet has a route to an internet gateway, allowing direct internet access; a private subnet does not have this route.
BA private subnet has a route to an internet gateway, allowing direct internet access; a public subnet does not have this route.
CBoth public and private subnets have direct internet access but differ in security group settings.
DPublic subnets are only used for databases, while private subnets are used for web servers.
Attempts:
2 left
💡 Hint

Think about which subnet can send traffic directly to the internet.

Architecture
intermediate
2:00remaining
Subnet design for a web application

You are designing a web application architecture in AWS. Which subnet setup is best practice for hosting web servers and databases?

APlace web servers in a private subnet and databases in a public subnet.
BPlace both web servers and databases in a public subnet.
CPlace web servers in a public subnet and databases in a private subnet.
DPlace both web servers and databases in a private subnet.
Attempts:
2 left
💡 Hint

Consider which resources need internet access and which should be protected.

security
advanced
2:00remaining
Security implications of subnet routing

What is the security risk if a private subnet mistakenly has a route to an internet gateway?

AThere is no risk; routing to an internet gateway does not affect security.
BResources in the private subnet become directly accessible from the internet, increasing exposure to attacks.
CThe subnet automatically becomes public and AWS charges extra fees.
DResources in the private subnet lose all internet access, causing application failures.
Attempts:
2 left
💡 Hint

Think about what happens when private resources can be reached from outside.

service_behavior
advanced
2:00remaining
NAT Gateway role in private subnet internet access

How does a NAT Gateway enable instances in a private subnet to access the internet?

AIt converts private IP addresses to IPv6 addresses for internet access.
BIt assigns public IP addresses directly to instances in the private subnet.
CIt blocks all internet traffic to maintain subnet privacy.
DIt allows outbound internet traffic from private subnet instances by routing through a public subnet with an internet gateway.
Attempts:
2 left
💡 Hint

Consider how private subnet instances send requests to the internet without direct access.

Best Practice
expert
3:00remaining
Subnet IP addressing and CIDR block planning

You have a VPC with CIDR block 10.0.0.0/16. You want to create two public subnets and two private subnets with equal size and no overlap. Which CIDR blocks correctly divide the VPC into these four subnets?

A10.0.0.0/18, 10.0.64.0/18 for public subnets; 10.0.128.0/18, 10.0.192.0/18 for private subnets.
B10.0.0.0/17, 10.0.128.0/17 for public subnets; 10.0.64.0/17, 10.0.192.0/17 for private subnets.
C10.0.0.0/19, 10.0.32.0/19 for public subnets; 10.0.64.0/19, 10.0.96.0/19 for private subnets.
D10.0.0.0/16 for public subnets; 10.0.0.0/16 for private subnets.
Attempts:
2 left
💡 Hint

Remember that /16 means 65536 IPs. Dividing into four equal subnets means each subnet has /18 (16384 IPs).

Practice

(1/5)
1. Which statement best describes a public subnet in AWS?
easy
A. It has direct internet access and assigns public IPs automatically.
B. It does not assign public IPs and blocks all internet traffic.
C. It is used only for internal communication within the VPC.
D. It requires a VPN connection to access the internet.

Solution

  1. Step 1: Understand public subnet characteristics

    A public subnet allows resources to communicate directly with the internet by assigning public IP addresses.

  2. Step 2: Compare with other subnet types

    Private subnets do not assign public IPs and restrict internet access, unlike public subnets.

  3. Final Answer:

    It has direct internet access and assigns public IPs automatically. -> Option A

  4. Quick Check:

    Public subnet = direct internet access [OK]
Hint: Public subnet = direct internet access + public IPs [OK]
Common Mistakes:
  • Confusing private subnet with public subnet
  • Thinking all subnets have internet access
  • Assuming VPN is needed for public subnet
2. Which AWS subnet configuration correctly creates a private subnet?
easy
A. AssignPublicIpOnLaunch: true
B. EnableInternetGateway: true
C. MapPublicIpOnLaunch: false
D. RouteTable: 0.0.0.0/0 via IGW

Solution

  1. Step 1: Identify private subnet IP assignment

    Private subnets do not assign public IPs automatically, so MapPublicIpOnLaunch must be false.

  2. Step 2: Understand routing and gateway settings

    Internet Gateway (IGW) and routing to 0.0.0.0/0 are for public subnets, not private.

  3. Final Answer:

    <code>MapPublicIpOnLaunch: false</code> -> Option C

  4. Quick Check:

    Private subnet = no public IP assignment [OK]
Hint: Private subnet disables public IP assignment [OK]
Common Mistakes:
  • Setting public IP assignment to true for private subnet
  • Confusing internet gateway with subnet config
  • Using public route table for private subnet
3. Given this route table for a subnet:
Destination: 0.0.0.0/0, Target: igw-12345
What type of subnet is this likely to be?
medium
A. Public subnet with internet access
B. Private subnet with no internet access
C. Isolated subnet with VPN only
D. Subnet with NAT gateway only

Solution

  1. Step 1: Analyze route table destination and target

    The route directs all internet traffic (0.0.0.0/0) to an internet gateway (igw), which enables internet access.

  2. Step 2: Determine subnet type from routing

    Routing to an internet gateway means the subnet is public and can access the internet directly.

  3. Final Answer:

    Public subnet with internet access -> Option A

  4. Quick Check:

    Route to IGW = public subnet [OK]
Hint: Route 0.0.0.0/0 to IGW means public subnet [OK]
Common Mistakes:
  • Assuming NAT gateway means public subnet
  • Confusing IGW with VPN or NAT
  • Ignoring route table targets
4. You created a subnet with MapPublicIpOnLaunch: false but instances still get public IPs. What is the likely issue?
medium
A. The subnet is associated with a route table that routes to an internet gateway.
B. The instance launch configuration overrides subnet settings to assign public IPs.
C. The VPC has no internet gateway attached.
D. The subnet CIDR block overlaps with another subnet.

Solution

  1. Step 1: Understand subnet vs instance IP assignment

    Subnet setting disables automatic public IP assignment, but instance launch settings can override this.

  2. Step 2: Identify cause of public IP despite subnet config

    If instance launch config explicitly assigns public IPs, it overrides subnet default behavior.

  3. Final Answer:

    The instance launch configuration overrides subnet settings to assign public IPs. -> Option B

  4. Quick Check:

    Instance config can override subnet IP assignment [OK]
Hint: Instance launch config can override subnet IP settings [OK]
Common Mistakes:
  • Blaming route table for IP assignment
  • Ignoring instance-level settings
  • Confusing CIDR overlap with IP assignment
5. You want to host a web server accessible from the internet and a database only accessible internally. How should you design your subnets?
hard
A. Place both web server and database in private subnets and use a VPN for access.
B. Place both web server and database in a public subnet with security groups restricting access.
C. Place the web server in a private subnet and the database in a public subnet.
D. Place the web server in a public subnet and the database in a private subnet.

Solution

  1. Step 1: Identify subnet roles for internet access

    The web server needs internet access, so it belongs in a public subnet with a route to the internet gateway.

  2. Step 2: Secure the database internally

    The database should be in a private subnet without direct internet access to keep it secure.

  3. Final Answer:

    Place the web server in a public subnet and the database in a private subnet. -> Option D

  4. Quick Check:

    Internet-facing resources in public, internal in private [OK]
Hint: Web server public, database private subnet [OK]
Common Mistakes:
  • Putting database in public subnet
  • Putting web server in private subnet
  • Relying only on security groups without subnet design