Bird
Raised Fist0
AWScloud~10 mins

Public vs private subnets in AWS - Visual Side-by-Side Comparison

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Process Flow - Public vs private subnets
Start: Create VPC
Create Subnets
Public Subnet
Attach Internet Gateway
Public Resources
Direct Internet Access
This flow shows creating a VPC with two subnets: one public with internet access, one private without direct internet access.
Execution Sample
AWS
Create VPC
Create Public Subnet with route to Internet Gateway
Create Private Subnet without direct internet route
Launch EC2 in Public Subnet
Launch EC2 in Private Subnet
This setup creates a network with public and private subnets and launches servers in each to show their internet access differences.
Process Table
StepActionSubnet TypeRoute TableInternet AccessResult
1Create VPCN/AN/AN/AVPC created
2Create Public SubnetPublicRoute to Internet GatewayYesSubnet ready for public resources
3Create Private SubnetPrivateNo direct internet routeNoSubnet isolated from internet
4Launch EC2 in Public SubnetPublicRoute to Internet GatewayYesEC2 can access internet directly
5Launch EC2 in Private SubnetPrivateNo direct internet routeNoEC2 cannot access internet directly
6Add NAT Gateway in Public SubnetPublicRoute to Internet GatewayYesNAT Gateway ready
7Update Private Subnet Route TablePrivateRoute to NAT GatewayIndirectPrivate EC2 can access internet via NAT
8Test Private EC2 Internet AccessPrivateRoute to NAT GatewayIndirectPrivate EC2 accesses internet through NAT
9EndN/AN/AN/ASetup complete
💡 Setup ends after configuring NAT Gateway and verifying private subnet internet access via NAT.
Status Tracker
VariableStartAfter Step 2After Step 3After Step 6After Step 7Final
Public Subnet Route TableNoneRoute to Internet GatewayRoute to Internet GatewayRoute to Internet GatewayRoute to Internet GatewayRoute to Internet Gateway
Private Subnet Route TableNoneNoneNo direct internet routeNo direct internet routeRoute to NAT GatewayRoute to NAT Gateway
Public EC2 Internet AccessN/AN/AN/AN/AN/AYes (direct)
Private EC2 Internet AccessN/AN/ANoNoYes (via NAT)Yes (via NAT)
Key Moments - 3 Insights
Why can't EC2 in the private subnet access the internet directly after creation?
Because the private subnet's route table does not have a route to the Internet Gateway, as shown in execution_table step 5.
How does the private subnet gain internet access indirectly?
By adding a NAT Gateway in the public subnet and updating the private subnet's route table to route internet traffic through the NAT, as shown in steps 6 and 7.
Why is the public subnet able to access the internet directly?
Because its route table includes a route to the Internet Gateway, allowing direct internet access, as shown in step 2 and 4.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table at step 5. What is the internet access status of the EC2 instance in the private subnet?
ANo direct internet access
BDirect internet access
CAccess via NAT Gateway
DInternet access blocked by security group
💡 Hint
Refer to the 'Internet Access' column in execution_table row 5.
At which step does the private subnet gain indirect internet access?
AStep 4
BStep 7
CStep 2
DStep 3
💡 Hint
Check the 'Internet Access' and 'Result' columns in execution_table rows 6 and 7.
If the NAT Gateway was not added, how would the private subnet's internet access change in the variable_tracker?
AIt would become 'Yes (via NAT)' after step 7
BIt would become 'Yes (direct)' after step 7
CIt would remain 'No' for all steps
DIt would be 'No' initially and 'Yes (direct)' after step 6
💡 Hint
Look at the 'Private EC2 Internet Access' row in variable_tracker and consider the role of NAT Gateway.
Concept Snapshot
Public vs Private Subnets in AWS:
- Public subnet has route to Internet Gateway (IGW) allowing direct internet access.
- Private subnet lacks direct IGW route, isolating it from internet.
- NAT Gateway in public subnet enables private subnet internet access indirectly.
- Route tables control traffic flow for each subnet.
- Use public subnets for internet-facing resources, private for internal-only.
Full Transcript
This lesson shows how to set up public and private subnets in AWS. First, a VPC is created. Then, two subnets are made: one public with a route to the Internet Gateway, and one private without. EC2 instances launched in the public subnet can access the internet directly. Those in the private subnet cannot. To allow private subnet instances internet access, a NAT Gateway is added in the public subnet. The private subnet's route table is updated to send internet traffic through the NAT Gateway. This setup keeps private resources secure while allowing them to reach the internet when needed.

Practice

(1/5)
1. Which statement best describes a public subnet in AWS?
easy
A. It has direct internet access and assigns public IPs automatically.
B. It does not assign public IPs and blocks all internet traffic.
C. It is used only for internal communication within the VPC.
D. It requires a VPN connection to access the internet.

Solution

  1. Step 1: Understand public subnet characteristics

    A public subnet allows resources to communicate directly with the internet by assigning public IP addresses.

  2. Step 2: Compare with other subnet types

    Private subnets do not assign public IPs and restrict internet access, unlike public subnets.

  3. Final Answer:

    It has direct internet access and assigns public IPs automatically. -> Option A

  4. Quick Check:

    Public subnet = direct internet access [OK]
Hint: Public subnet = direct internet access + public IPs [OK]
Common Mistakes:
  • Confusing private subnet with public subnet
  • Thinking all subnets have internet access
  • Assuming VPN is needed for public subnet
2. Which AWS subnet configuration correctly creates a private subnet?
easy
A. AssignPublicIpOnLaunch: true
B. EnableInternetGateway: true
C. MapPublicIpOnLaunch: false
D. RouteTable: 0.0.0.0/0 via IGW

Solution

  1. Step 1: Identify private subnet IP assignment

    Private subnets do not assign public IPs automatically, so MapPublicIpOnLaunch must be false.

  2. Step 2: Understand routing and gateway settings

    Internet Gateway (IGW) and routing to 0.0.0.0/0 are for public subnets, not private.

  3. Final Answer:

    <code>MapPublicIpOnLaunch: false</code> -> Option C

  4. Quick Check:

    Private subnet = no public IP assignment [OK]
Hint: Private subnet disables public IP assignment [OK]
Common Mistakes:
  • Setting public IP assignment to true for private subnet
  • Confusing internet gateway with subnet config
  • Using public route table for private subnet
3. Given this route table for a subnet:
Destination: 0.0.0.0/0, Target: igw-12345
What type of subnet is this likely to be?
medium
A. Public subnet with internet access
B. Private subnet with no internet access
C. Isolated subnet with VPN only
D. Subnet with NAT gateway only

Solution

  1. Step 1: Analyze route table destination and target

    The route directs all internet traffic (0.0.0.0/0) to an internet gateway (igw), which enables internet access.

  2. Step 2: Determine subnet type from routing

    Routing to an internet gateway means the subnet is public and can access the internet directly.

  3. Final Answer:

    Public subnet with internet access -> Option A

  4. Quick Check:

    Route to IGW = public subnet [OK]
Hint: Route 0.0.0.0/0 to IGW means public subnet [OK]
Common Mistakes:
  • Assuming NAT gateway means public subnet
  • Confusing IGW with VPN or NAT
  • Ignoring route table targets
4. You created a subnet with MapPublicIpOnLaunch: false but instances still get public IPs. What is the likely issue?
medium
A. The subnet is associated with a route table that routes to an internet gateway.
B. The instance launch configuration overrides subnet settings to assign public IPs.
C. The VPC has no internet gateway attached.
D. The subnet CIDR block overlaps with another subnet.

Solution

  1. Step 1: Understand subnet vs instance IP assignment

    Subnet setting disables automatic public IP assignment, but instance launch settings can override this.

  2. Step 2: Identify cause of public IP despite subnet config

    If instance launch config explicitly assigns public IPs, it overrides subnet default behavior.

  3. Final Answer:

    The instance launch configuration overrides subnet settings to assign public IPs. -> Option B

  4. Quick Check:

    Instance config can override subnet IP assignment [OK]
Hint: Instance launch config can override subnet IP settings [OK]
Common Mistakes:
  • Blaming route table for IP assignment
  • Ignoring instance-level settings
  • Confusing CIDR overlap with IP assignment
5. You want to host a web server accessible from the internet and a database only accessible internally. How should you design your subnets?
hard
A. Place both web server and database in private subnets and use a VPN for access.
B. Place both web server and database in a public subnet with security groups restricting access.
C. Place the web server in a private subnet and the database in a public subnet.
D. Place the web server in a public subnet and the database in a private subnet.

Solution

  1. Step 1: Identify subnet roles for internet access

    The web server needs internet access, so it belongs in a public subnet with a route to the internet gateway.

  2. Step 2: Secure the database internally

    The database should be in a private subnet without direct internet access to keep it secure.

  3. Final Answer:

    Place the web server in a public subnet and the database in a private subnet. -> Option D

  4. Quick Check:

    Internet-facing resources in public, internal in private [OK]
Hint: Web server public, database private subnet [OK]
Common Mistakes:
  • Putting database in public subnet
  • Putting web server in private subnet
  • Relying only on security groups without subnet design