Bird
Raised Fist0
AWScloud~15 mins

Public vs private subnets in AWS - Trade-offs & Expert Analysis

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Overview - Public vs private subnets
What is it?
Public and private subnets are parts of a virtual network in the cloud that separate resources based on their accessibility. A public subnet allows resources to connect directly to the internet, while a private subnet keeps resources isolated from direct internet access. This separation helps organize and secure cloud environments by controlling which resources can be reached from outside. Understanding these subnets helps manage cloud security and connectivity effectively.
Why it matters
Without public and private subnets, all cloud resources would either be exposed to the internet or completely isolated, making it hard to protect sensitive data or provide necessary access. Public subnets let users reach web servers, while private subnets protect databases and internal services. This separation reduces security risks and improves network management, which is crucial for safe and reliable cloud applications.
Where it fits
Before learning about public and private subnets, you should understand basic networking concepts like IP addresses and routing. After this, you can learn about advanced network security, load balancing, and hybrid cloud connectivity. This topic fits into the broader journey of designing secure and scalable cloud networks.
Mental Model
Core Idea
Public subnets connect directly to the internet, while private subnets keep resources hidden and secure inside the cloud network.
Think of it like...
Imagine a house with a front yard open to the street (public subnet) and a backyard fenced off for privacy (private subnet). Visitors can easily reach the front yard, but the backyard is protected and only accessible through the house.
┌─────────────────────────────┐
│         VPC Network          │
│ ┌───────────────┐           │
│ │ Public Subnet │◄──Internet│
│ │ (Web servers) │           │
│ └───────────────┘           │
│                             │
│ ┌───────────────┐           │
│ │ Private Subnet│           │
│ │ (Databases)   │           │
│ └───────────────┘           │
└─────────────────────────────┘
Build-Up - 7 Steps
1
FoundationUnderstanding subnets basics
🤔
Concept: Learn what a subnet is and why networks are divided into smaller parts.
A subnet is a smaller network inside a bigger network. It helps organize devices and control traffic. Think of it as dividing a city into neighborhoods to manage addresses and services better.
Result
You know that subnets split a network into manageable sections with their own IP ranges.
Understanding subnets is key to controlling how devices communicate and how traffic flows in a network.
2
FoundationWhat makes a subnet public or private
🤔
Concept: Discover the difference between public and private subnets based on internet access.
A public subnet has a route to the internet through a gateway, so devices inside can send and receive internet traffic. A private subnet lacks this direct route, so devices inside cannot be reached from the internet directly.
Result
You can identify which subnet allows internet access and which one keeps devices isolated.
Knowing this difference helps you decide where to place resources depending on their need for internet exposure.
3
IntermediateHow routing controls subnet access
🤔Before reading on: Do you think routing tables decide if a subnet is public or private? Commit to your answer.
Concept: Routing tables determine where network traffic goes, defining subnet accessibility.
Each subnet has a routing table. For a public subnet, the table sends internet-bound traffic to an internet gateway. For a private subnet, the table does not have this route, so internet traffic is blocked or sent through a private gateway like a NAT device.
Result
You understand that routing tables are the control center deciding if a subnet is public or private.
Recognizing routing tables as the key factor prevents confusion about subnet types and helps in designing secure networks.
4
IntermediateRole of NAT in private subnet internet access
🤔Before reading on: Can private subnet resources access the internet without exposing themselves? Yes or no? Commit to your answer.
Concept: Network Address Translation (NAT) allows private subnet resources to reach the internet safely without being directly reachable.
Private subnets use NAT gateways or NAT instances in public subnets to send outbound internet traffic. NAT changes the source address of outgoing packets so responses come back correctly, but inbound connections from the internet are blocked.
Result
You see how private subnet resources can update software or download data without exposing themselves to the internet.
Understanding NAT clarifies how private subnets maintain security while still accessing external resources.
5
IntermediateSecurity benefits of subnet separation
🤔
Concept: Separating resources into public and private subnets improves security by limiting exposure.
Public subnets host resources like web servers that need internet access. Private subnets hold sensitive resources like databases. Firewalls and security groups further restrict traffic between subnets, reducing attack surfaces.
Result
You appreciate how subnet design helps protect critical data and services from internet threats.
Knowing this helps you design networks that balance accessibility and security effectively.
6
AdvancedDesigning multi-tier architectures with subnets
🤔Before reading on: Do you think all application layers should be in public subnets? Commit to your answer.
Concept: Multi-tier applications use public and private subnets to separate layers like web, application, and database for security and scalability.
The web layer sits in the public subnet to receive user requests. The application and database layers sit in private subnets, isolated from direct internet access. This design limits exposure and allows controlled communication between layers.
Result
You can design secure, scalable cloud applications using subnet separation.
Understanding multi-tier subnet design is essential for building professional cloud architectures.
7
ExpertSubnet design trade-offs and edge cases
🤔Before reading on: Is it always better to put all resources in private subnets? Commit to your answer.
Concept: Subnet design involves trade-offs between security, cost, and complexity, with exceptions based on use cases.
While private subnets improve security, they require NAT gateways which add cost and complexity. Some resources may need direct internet access for performance or compliance reasons. Also, hybrid cloud setups may require special routing and subnet configurations.
Result
You understand that subnet design is not one-size-fits-all and requires balancing multiple factors.
Knowing these trade-offs helps you make informed decisions tailored to real-world requirements.
Under the Hood
Subnets are defined by IP address ranges within a virtual private cloud (VPC). Routing tables link subnets to gateways. Public subnets have routes to an internet gateway, enabling direct internet traffic. Private subnets lack this route but can use NAT devices in public subnets to send outbound traffic. Security groups and network ACLs control traffic flow at the subnet and instance level, enforcing access rules.
Why designed this way?
This design evolved to balance accessibility and security in cloud networks. Early cloud networks exposed all resources, causing security risks. Separating subnets with routing and NAT allows fine-grained control over internet exposure. Alternatives like flat networks lacked this control, so subnet separation became a best practice for secure, scalable cloud infrastructure.
┌───────────────┐       ┌─────────────────┐
│  Public Subnet│──────▶│ Internet Gateway│
│ (with IGW)    │       └─────────────────┘
│               │
│  ┌─────────┐  │
│  │ NAT GW  │◄─┘
│  └─────────┘
└─────┬─────────┘
      │
      ▼
┌───────────────┐
│ Private Subnet│
│ (no IGW)      │
└───────────────┘
Myth Busters - 4 Common Misconceptions
Quick: Do you think resources in private subnets can receive unsolicited internet traffic? Commit yes or no.
Common Belief:Resources in private subnets can be accessed directly from the internet if you know their IP.
Tap to reveal reality
Reality:Private subnets do not have a route to the internet gateway, so they cannot receive unsolicited internet traffic directly.
Why it matters:Believing this leads to false security assumptions and misconfigurations that expose sensitive resources.
Quick: Is a subnet's public or private status determined by its name or tag? Commit yes or no.
Common Belief:A subnet is public or private based on its name or label in the cloud console.
Tap to reveal reality
Reality:Subnet accessibility depends on routing tables and gateways, not on names or tags.
Why it matters:Relying on names causes misconfigurations and security gaps because the actual network behavior is ignored.
Quick: Can NAT gateways allow inbound internet connections to private subnet resources? Commit yes or no.
Common Belief:NAT gateways let internet users connect directly to private subnet resources.
Tap to reveal reality
Reality:NAT gateways only allow outbound connections from private subnets; inbound connections are blocked.
Why it matters:Misunderstanding NAT leads to incorrect network designs that either expose private resources or block needed access.
Quick: Do you think placing all resources in public subnets is simpler and safer? Commit yes or no.
Common Belief:Putting everything in public subnets is easier and just as secure with firewalls.
Tap to reveal reality
Reality:Public subnets expose resources to the internet, increasing attack surface and risk despite firewalls.
Why it matters:Ignoring subnet separation can cause serious security breaches and compliance failures.
Expert Zone
1
Some cloud providers allow 'auto-assign public IP' on instances in public subnets, but this is separate from subnet routing and affects accessibility.
2
Network ACLs operate at the subnet level and can override security groups, adding a second layer of traffic filtering that experts must carefully configure.
3
Hybrid cloud setups often require complex routing between on-premises networks and cloud subnets, where public/private distinctions influence VPN and Direct Connect configurations.
When NOT to use
Avoid strict public/private subnet separation when building simple, single-instance test environments or when using serverless architectures that do not require subnet management. Alternatives include fully managed services or flat network designs for small-scale projects.
Production Patterns
In production, multi-tier applications place web servers in public subnets and databases in private subnets with strict security groups. NAT gateways are scaled for outbound traffic. Logging and monitoring track subnet traffic. Hybrid clouds use private subnets for secure connections to on-premises data centers.
Connections
Firewall rules
Builds-on
Understanding subnet separation helps grasp how firewall rules control traffic flow between network segments for security.
Zero Trust Security Model
Supports
Subnet isolation aligns with Zero Trust principles by limiting network access and verifying every connection.
Urban Planning
Analogy
Just like city zoning separates residential and commercial areas for safety and function, subnetting organizes network resources for security and efficiency.
Common Pitfalls
#1Assigning a subnet as public by name but missing the internet gateway route.
Wrong approach:Create subnet 'PublicSubnet' without adding route to internet gateway in its routing table.
Correct approach:Create subnet and add a routing table entry sending 0.0.0.0/0 traffic to the internet gateway.
Root cause:Confusing subnet naming with actual network routing configuration.
#2Placing database servers in public subnets exposing them to the internet.
Wrong approach:Launch database instances in a subnet with internet gateway route and public IPs.
Correct approach:Launch database instances in private subnets without internet gateway routes and no public IPs.
Root cause:Lack of understanding of subnet roles and security implications.
#3Not using NAT gateways for private subnet outbound internet access.
Wrong approach:Private subnet routing table sends 0.0.0.0/0 traffic to internet gateway directly.
Correct approach:Private subnet routing table sends 0.0.0.0/0 traffic to NAT gateway in public subnet.
Root cause:Misunderstanding that private subnets cannot access the internet directly.
Key Takeaways
Public subnets allow direct internet access through an internet gateway, while private subnets do not.
Routing tables and gateways define whether a subnet is public or private, not names or tags.
NAT gateways enable private subnet resources to access the internet securely without exposing them.
Separating resources into public and private subnets improves security by limiting exposure to the internet.
Subnet design involves trade-offs and must be tailored to application needs, balancing security, cost, and complexity.

Practice

(1/5)
1. Which statement best describes a public subnet in AWS?
easy
A. It has direct internet access and assigns public IPs automatically.
B. It does not assign public IPs and blocks all internet traffic.
C. It is used only for internal communication within the VPC.
D. It requires a VPN connection to access the internet.

Solution

  1. Step 1: Understand public subnet characteristics

    A public subnet allows resources to communicate directly with the internet by assigning public IP addresses.

  2. Step 2: Compare with other subnet types

    Private subnets do not assign public IPs and restrict internet access, unlike public subnets.

  3. Final Answer:

    It has direct internet access and assigns public IPs automatically. -> Option A

  4. Quick Check:

    Public subnet = direct internet access [OK]
Hint: Public subnet = direct internet access + public IPs [OK]
Common Mistakes:
  • Confusing private subnet with public subnet
  • Thinking all subnets have internet access
  • Assuming VPN is needed for public subnet
2. Which AWS subnet configuration correctly creates a private subnet?
easy
A. AssignPublicIpOnLaunch: true
B. EnableInternetGateway: true
C. MapPublicIpOnLaunch: false
D. RouteTable: 0.0.0.0/0 via IGW

Solution

  1. Step 1: Identify private subnet IP assignment

    Private subnets do not assign public IPs automatically, so MapPublicIpOnLaunch must be false.

  2. Step 2: Understand routing and gateway settings

    Internet Gateway (IGW) and routing to 0.0.0.0/0 are for public subnets, not private.

  3. Final Answer:

    <code>MapPublicIpOnLaunch: false</code> -> Option C

  4. Quick Check:

    Private subnet = no public IP assignment [OK]
Hint: Private subnet disables public IP assignment [OK]
Common Mistakes:
  • Setting public IP assignment to true for private subnet
  • Confusing internet gateway with subnet config
  • Using public route table for private subnet
3. Given this route table for a subnet:
Destination: 0.0.0.0/0, Target: igw-12345
What type of subnet is this likely to be?
medium
A. Public subnet with internet access
B. Private subnet with no internet access
C. Isolated subnet with VPN only
D. Subnet with NAT gateway only

Solution

  1. Step 1: Analyze route table destination and target

    The route directs all internet traffic (0.0.0.0/0) to an internet gateway (igw), which enables internet access.

  2. Step 2: Determine subnet type from routing

    Routing to an internet gateway means the subnet is public and can access the internet directly.

  3. Final Answer:

    Public subnet with internet access -> Option A

  4. Quick Check:

    Route to IGW = public subnet [OK]
Hint: Route 0.0.0.0/0 to IGW means public subnet [OK]
Common Mistakes:
  • Assuming NAT gateway means public subnet
  • Confusing IGW with VPN or NAT
  • Ignoring route table targets
4. You created a subnet with MapPublicIpOnLaunch: false but instances still get public IPs. What is the likely issue?
medium
A. The subnet is associated with a route table that routes to an internet gateway.
B. The instance launch configuration overrides subnet settings to assign public IPs.
C. The VPC has no internet gateway attached.
D. The subnet CIDR block overlaps with another subnet.

Solution

  1. Step 1: Understand subnet vs instance IP assignment

    Subnet setting disables automatic public IP assignment, but instance launch settings can override this.

  2. Step 2: Identify cause of public IP despite subnet config

    If instance launch config explicitly assigns public IPs, it overrides subnet default behavior.

  3. Final Answer:

    The instance launch configuration overrides subnet settings to assign public IPs. -> Option B

  4. Quick Check:

    Instance config can override subnet IP assignment [OK]
Hint: Instance launch config can override subnet IP settings [OK]
Common Mistakes:
  • Blaming route table for IP assignment
  • Ignoring instance-level settings
  • Confusing CIDR overlap with IP assignment
5. You want to host a web server accessible from the internet and a database only accessible internally. How should you design your subnets?
hard
A. Place both web server and database in private subnets and use a VPN for access.
B. Place both web server and database in a public subnet with security groups restricting access.
C. Place the web server in a private subnet and the database in a public subnet.
D. Place the web server in a public subnet and the database in a private subnet.

Solution

  1. Step 1: Identify subnet roles for internet access

    The web server needs internet access, so it belongs in a public subnet with a route to the internet gateway.

  2. Step 2: Secure the database internally

    The database should be in a private subnet without direct internet access to keep it secure.

  3. Final Answer:

    Place the web server in a public subnet and the database in a private subnet. -> Option D

  4. Quick Check:

    Internet-facing resources in public, internal in private [OK]
Hint: Web server public, database private subnet [OK]
Common Mistakes:
  • Putting database in public subnet
  • Putting web server in private subnet
  • Relying only on security groups without subnet design