Public Subnet vs Private Subnet in AWS: Key Differences and Usage
A public subnet is a subnet whose route table has a route to an internet gateway (IGW), so resources in it can be reached from the internet when they have a public IP. A private subnet has no route to an internet gateway; it hosts internal resources and typically reaches the internet outbound only, through a NAT gateway.
Quick Comparison
This table summarizes the main differences between public and private subnets in AWS.
| Factor | Public Subnet | Private Subnet |
|---|---|---|
| Internet Access | Direct access via Internet Gateway | No direct access; uses NAT Gateway for outbound |
| Route Table | Has route to Internet Gateway | No route to Internet Gateway |
| Use Case | Hosts public-facing resources like web servers | Hosts internal resources like databases |
| Security | Carries the attack surface; security groups and NACLs must be tightly scoped | No inbound path from the internet; security groups still govern traffic from inside the VPC |
| IP Addressing | Can assign public IPs to instances | Instances usually have only private IPs |
| Outbound Traffic | Direct outbound internet access | Outbound via NAT Gateway or NAT Instance |
Key Differences
A public subnet in AWS is one whose associated route table contains a route to an Internet Gateway (normally 0.0.0.0/0). Being public is therefore a property of the route table, not of the subnet itself. Instances launched there can be given public IPv4 addresses, either explicitly or automatically via map_public_ip_on_launch, and an instance with a public IP is reachable from outside AWS for whatever its security group and the subnet's network ACL permit.
A private subnet has no route to an internet gateway, so nothing on the internet can initiate a connection to instances in it, even if one were somehow given a public IP. For outbound access (OS updates, external API calls) the private route table sends 0.0.0.0/0 to a NAT Gateway or NAT Instance that itself sits in a public subnet; the NAT gateway rewrites the source address and admits only the return traffic of connections it forwarded. Instances in a private subnet remain reachable from other subnets in the VPC and from peered VPCs or VPN connections, so they are isolated from unsolicited internet traffic, not from everything.
Security is the main difference: public subnets hold the exposed surface, so their security groups and network ACLs must be tightly scoped (for example, only port 443 from 0.0.0.0/0 on a web tier, and SSH only from a bastion or not at all). Private subnets are the right place for databases and application servers that should never be publicly addressable; because there is no IGW route, an overly permissive security group there is still a mistake, but it does not by itself expose the resource to the internet.
Public Subnet Code Example
```hcl
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.example.id
}

resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.example.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"

  # Auto-assigns a public IPv4 address to every instance launched here.
  # Set this to false if only the load balancer or NAT gateway should be
  # reachable and assign public IPs explicitly where needed.
  map_public_ip_on_launch = true
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.example.id

  # The 0.0.0.0/0 route to the internet gateway is what makes this subnet public.
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }
}

resource "aws_route_table_association" "public_assoc" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
```
Private Subnet Equivalent
```hcl
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.example.id
  cidr_block              = "10.0.2.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false
}

# Elastic IP for the NAT gateway. `domain = "vpc"` is the current form;
# the older `vpc = true` argument is deprecated in recent AWS provider versions.
resource "aws_eip" "nat" {
  domain = "vpc"
}

# The NAT gateway must be placed in the PUBLIC subnet: it needs the IGW route
# to forward the private subnet's outbound traffic.
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id

  depends_on = [aws_internet_gateway.gw]
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.example.id

  # Default route via NAT only. There is no route to the IGW, so nothing on
  # the internet can initiate a connection to instances in this subnet.
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private_assoc" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
```
When to Use Which
Choose a public subnet for resources that must accept connections from the internet: internet-facing load balancers, bastion hosts, and web servers that are not fronted by a load balancer. These need public IPs and a route to the Internet Gateway. A common hardening pattern keeps only the load balancer and the NAT gateway in the public subnets and places the web servers themselves in private subnets behind the load balancer.
Choose a private subnet for databases, application servers, and internal services that should never be addressable from the internet. Give them a NAT Gateway route when they need outbound access for updates or external API calls; if a resource needs no outbound internet access at all (many databases, for instance), leave the default route out entirely.
This separation improves security and network organization by isolating public-facing and internal resources.
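The classification above rests on two facts that are easy to get wrong in a real account: a subnet is public because its route table (explicit or the VPC main table) reaches an internet gateway, whatever its tags say, and a NAT gateway only works if it is itself in a public subnet. The script below is an added example, not code from the original article, that applies those rules to a constructed topology and reports the misplacements a reviewer would flag. The records mimic the shape of `aws ec2 describe-route-tables`, `describe-subnets` and `describe-nat-gateways` output but are built inline so nothing here calls AWS; it also goes beyond the page by splitting private subnets into "private" (NAT route) and "isolated" (no default route), and the `Tier` tag used to express intent is an assumption of this example.

```python
"""Classify VPC subnets from their route tables and check the placement rules
described above. Added example, not the article's code: the records mimic the
shape of `aws ec2 describe-route-tables`, `describe-subnets` and
`describe-nat-gateways` output but are constructed inline, so no AWS call is made."""

from typing import Any, Dict, List

Record = Dict[str, Any]

# Constructed sample VPC 10.0.0.0/16 with three planted mistakes:
#  - subnet-c is tagged Tier=private but its route table has an IGW route
#  - nat-2 was created in subnet-b, which is private, so it cannot reach the IGW
#  - subnet-d has no explicit association (inherits the main table, which has no
#    default route) yet auto-assigns public IPs that nothing can reach
ROUTE_TABLES: List[Record] = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"Main": False, "SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1", "State": "active"}]},
    {"RouteTableId": "rtb-oops", "Associations": [{"Main": False, "SubnetId": "subnet-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]},
    {"RouteTableId": "rtb-private2", "Associations": [{"Main": False, "SubnetId": "subnet-e"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-2", "State": "active"}]},
]
SUBNETS: List[Record] = [
    {"SubnetId": "subnet-a", "MapPublicIpOnLaunch": True, "Tags": [{"Key": "Tier", "Value": "public"}]},
    {"SubnetId": "subnet-b", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "Tier", "Value": "private"}]},
    {"SubnetId": "subnet-c", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "Tier", "Value": "private"}]},
    {"SubnetId": "subnet-d", "MapPublicIpOnLaunch": True, "Tags": []},
    {"SubnetId": "subnet-e", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "Tier", "Value": "private"}]},
]
NAT_GATEWAYS: List[Record] = [
    {"NatGatewayId": "nat-1", "SubnetId": "subnet-a"},
    {"NatGatewayId": "nat-2", "SubnetId": "subnet-b"},
]


def effective_route_table(subnet_id: str, route_tables: List[Record]) -> Record:
    """Table that governs a subnet: its explicit association, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("VPC has no main route table")
    return main


def classify(subnet_id: str, route_tables: List[Record]) -> str:
    """'public' if the governing table has an active route to an internet gateway
    (AWS's definition, independent of MapPublicIpOnLaunch), 'private' if its
    outbound path is a NAT gateway, 'isolated' if it has no outbound path at all."""
    rt = effective_route_table(subnet_id, route_tables)
    active = [r for r in rt["Routes"] if r.get("State", "active") == "active"]
    if any(str(r.get("GatewayId", "")).startswith("igw-") for r in active):
        return "public"
    if any(r.get("NatGatewayId") for r in active):
        return "private"
    return "isolated"


def nat_target(subnet_id: str, route_tables: List[Record]) -> str:
    """NAT gateway id the subnet's active default route points at, or ''."""
    for r in effective_route_table(subnet_id, route_tables)["Routes"]:
        if r.get("NatGatewayId") and r.get("State", "active") == "active":
            return str(r["NatGatewayId"])
    return ""


def audit(subnets: List[Record], route_tables: List[Record], nat_gateways: List[Record]) -> List[str]:
    """Placement findings a reviewer would raise against this topology."""
    kinds = {s["SubnetId"]: classify(s["SubnetId"], route_tables) for s in subnets}
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    findings: List[str] = []
    for s in subnets:
        sid, kind = s["SubnetId"], kinds[s["SubnetId"]]
        tier = next((t["Value"] for t in s["Tags"] if t["Key"] == "Tier"), None)
        if tier == "private" and kind == "public":
            findings.append(f"{sid}: tagged private but its route table reaches an internet gateway")
        if s["MapPublicIpOnLaunch"] and kind != "public":
            findings.append(f"{sid}: auto-assigns public IPs but has no IGW route, so those addresses are unreachable")
        nat = nat_target(sid, route_tables)
        if nat and kinds.get(nat_subnet.get(nat, "")) != "public":
            findings.append(f"{sid}: default route via {nat}, which is not in a public subnet")
    for nat, nsid in nat_subnet.items():
        if kinds.get(nsid) != "public":
            findings.append(f"{nat}: NAT gateway sits in {nsid} ({kinds.get(nsid)}); it needs an IGW route to work")
    return findings


if __name__ == "__main__":
    for s in SUBNETS:
        print(f"{s['SubnetId']}: {classify(s['SubnetId'], ROUTE_TABLES)}")
    for line in audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print("FINDING", line)
```

Against real output, replace the three constant lists with the `RouteTables`, `Subnets` and `NatGateways` arrays from the corresponding describe calls for one VPC; the blackhole-state check matters there, because a route whose NAT gateway was deleted stays in the table with `State: blackhole` and no longer provides an outbound path.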