Bird
Raised Fist0
AWScloud~5 mins

Public vs private subnets in AWS - Quick Revision & Key Differences

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is a public subnet in AWS?
A public subnet is a subnet that has a route to the internet through an internet gateway. Resources in this subnet can communicate directly with the internet.
Click to reveal answer
beginner
What is a private subnet in AWS?
A private subnet is a subnet that does not have a direct route to the internet. Resources here cannot be accessed directly from the internet but can access the internet through a NAT device.
Click to reveal answer
intermediate
Why use private subnets instead of public subnets?
Private subnets increase security by keeping sensitive resources away from direct internet access, reducing exposure to attacks.
Click to reveal answer
intermediate
How does a NAT gateway help private subnets?
A NAT gateway allows resources in private subnets to access the internet for updates or downloads without exposing them to inbound internet traffic.
Click to reveal answer
beginner
What AWS component enables internet access for a public subnet?
An Internet Gateway attached to the VPC enables internet access for public subnets by routing traffic between the subnet and the internet.
Click to reveal answer
Which AWS subnet type has a direct route to the internet?
AVPN subnet
BPrivate subnet
CIsolated subnet
DPublic subnet
What device allows private subnet resources to access the internet safely?
ANAT Gateway
BLoad Balancer
CVPN Gateway
DInternet Gateway
Which subnet type is best for hosting a public web server?
APrivate subnet
BIsolated subnet
CPublic subnet
DBackend subnet
What is a key security benefit of private subnets?
ANo inbound internet traffic
BNo internet access at all
CDirect internet access
DAutomatic backups
Which AWS component must be attached to a VPC to enable public subnet internet access?
ANAT Gateway
BInternet Gateway
CVirtual Private Gateway
DTransit Gateway
Explain the difference between a public subnet and a private subnet in AWS.
Think about how resources connect to the internet and security.
You got /4 concepts.
    Describe how a NAT gateway works with private subnets to allow internet access.
    Focus on the path outbound traffic takes from private subnet.
    You got /4 concepts.

      Practice

      (1/5)
      1. Which statement best describes a public subnet in AWS?
      easy
      A. It has direct internet access and assigns public IPs automatically.
      B. It does not assign public IPs and blocks all internet traffic.
      C. It is used only for internal communication within the VPC.
      D. It requires a VPN connection to access the internet.

      Solution

      1. Step 1: Understand public subnet characteristics

        A public subnet allows resources to communicate directly with the internet by assigning public IP addresses.

      2. Step 2: Compare with other subnet types

        Private subnets do not assign public IPs and restrict internet access, unlike public subnets.

      3. Final Answer:

        It has direct internet access and assigns public IPs automatically. -> Option A

      4. Quick Check:

        Public subnet = direct internet access [OK]
      Hint: Public subnet = direct internet access + public IPs [OK]
      Common Mistakes:
      • Confusing private subnet with public subnet
      • Thinking all subnets have internet access
      • Assuming VPN is needed for public subnet
      2. Which AWS subnet configuration correctly creates a private subnet?
      easy
      A. AssignPublicIpOnLaunch: true
      B. EnableInternetGateway: true
      C. MapPublicIpOnLaunch: false
      D. RouteTable: 0.0.0.0/0 via IGW

      Solution

      1. Step 1: Identify private subnet IP assignment

        Private subnets do not assign public IPs automatically, so MapPublicIpOnLaunch must be false.

      2. Step 2: Understand routing and gateway settings

        Internet Gateway (IGW) and routing to 0.0.0.0/0 are for public subnets, not private.

      3. Final Answer:

        <code>MapPublicIpOnLaunch: false</code> -> Option C

      4. Quick Check:

        Private subnet = no public IP assignment [OK]
      Hint: Private subnet disables public IP assignment [OK]
      Common Mistakes:
      • Setting public IP assignment to true for private subnet
      • Confusing internet gateway with subnet config
      • Using public route table for private subnet
      3. Given this route table for a subnet:
      Destination: 0.0.0.0/0, Target: igw-12345
      What type of subnet is this likely to be?
      medium
      A. Public subnet with internet access
      B. Private subnet with no internet access
      C. Isolated subnet with VPN only
      D. Subnet with NAT gateway only

      Solution

      1. Step 1: Analyze route table destination and target

        The route directs all internet traffic (0.0.0.0/0) to an internet gateway (igw), which enables internet access.

      2. Step 2: Determine subnet type from routing

        Routing to an internet gateway means the subnet is public and can access the internet directly.

      3. Final Answer:

        Public subnet with internet access -> Option A

      4. Quick Check:

        Route to IGW = public subnet [OK]
      Hint: Route 0.0.0.0/0 to IGW means public subnet [OK]
      Common Mistakes:
      • Assuming NAT gateway means public subnet
      • Confusing IGW with VPN or NAT
      • Ignoring route table targets
      4. You created a subnet with MapPublicIpOnLaunch: false but instances still get public IPs. What is the likely issue?
      medium
      A. The subnet is associated with a route table that routes to an internet gateway.
      B. The instance launch configuration overrides subnet settings to assign public IPs.
      C. The VPC has no internet gateway attached.
      D. The subnet CIDR block overlaps with another subnet.

      Solution

      1. Step 1: Understand subnet vs instance IP assignment

        Subnet setting disables automatic public IP assignment, but instance launch settings can override this.

      2. Step 2: Identify cause of public IP despite subnet config

        If instance launch config explicitly assigns public IPs, it overrides subnet default behavior.

      3. Final Answer:

        The instance launch configuration overrides subnet settings to assign public IPs. -> Option B

      4. Quick Check:

        Instance config can override subnet IP assignment [OK]
      Hint: Instance launch config can override subnet IP settings [OK]
      Common Mistakes:
      • Blaming route table for IP assignment
      • Ignoring instance-level settings
      • Confusing CIDR overlap with IP assignment
      5. You want to host a web server accessible from the internet and a database only accessible internally. How should you design your subnets?
      hard
      A. Place both web server and database in private subnets and use a VPN for access.
      B. Place both web server and database in a public subnet with security groups restricting access.
      C. Place the web server in a private subnet and the database in a public subnet.
      D. Place the web server in a public subnet and the database in a private subnet.

      Solution

      1. Step 1: Identify subnet roles for internet access

        The web server needs internet access, so it belongs in a public subnet with a route to the internet gateway.

      2. Step 2: Secure the database internally

        The database should be in a private subnet without direct internet access to keep it secure.

      3. Final Answer:

        Place the web server in a public subnet and the database in a private subnet. -> Option D

      4. Quick Check:

        Internet-facing resources in public, internal in private [OK]
      Hint: Web server public, database private subnet [OK]
      Common Mistakes:
      • Putting database in public subnet
      • Putting web server in private subnet
      • Relying only on security groups without subnet design