AWS Public Subnets vs Private Subnets

A brief overview on subnets, what are private & public subnets?

What are Subnets?

• A subnet is a segment of a network within a Virtual Private Cloud (VPC) that enables an organization to isolate its resources in a controlled manner.

• Subnets provide better control over network traffic and are used to define IP address ranges for instances and services.

Types of Subnets

Types:

• Public Subnets

• Private Subnets

Public Subnets

A public subnet is a subnet that is connected to the internet via an internet gateway. This subnet contains resources that need to directly communicate with the outside world, such as web servers, load balancers, or bastion hosts.

---

Characteristics of Public Subnets:

• Internet Gateway Connectivity: Instances in public subnets have direct access to the internet through an Internet Gateway.

• Route Table Entries: The route table for a public subnet typically has a default route (0.0.0.0/0) pointing to an Internet Gateway.

• Publicly Accessible Resources: Typically used for resources that must be reachable from the internet, like a web server or a DNS server.

• Elastic IPs (EIPs): Instances in a public subnet can be associated with Elastic IPs, allowing them to be publicly addressable.

---

Use Cases

• Web Servers: These servers host the publicfacing components of an application (e.g., web apps, APIs).

• Load Balancers: In AWS, services like Elastic Load Balancing (ELB) are placed in public subnets to distribute incoming internet traffic to resources in the private subnets.

• Bastion Hosts: A bastion host acts as a jump box to access instances in private subnets. It’s typically a minimal instance that is exposed to the internet.

---

Private Subnets

• A private subnet is a subnet that does not have direct access to the internet.

• Instances in a private subnet are isolated from the outside world and cannot communicate with the internet unless a specific mechanism (like a NAT Gateway or NAT instance) is set up.

Characteristics of Private Subnets:

• No Direct Internet Access: Resources within private subnets cannot directly connect to the internet.

• Security: Private subnets are used for resources that do not need direct exposure to the internet, providing an extra layer of security.

• Routing: Private subnets route traffic through a NAT Gateway/Instance for internet access, e.g. software updates.

• Internal Resources: Private subnets typically host databases, application servers, and other sensitive components.

Use Cases for Private Subnets:

• Databases: Data storage (like SQL or NoSQL databases) often resides in private subnets to prevent exposure to the internet.

• Application Servers: Application servers that perform internal business logic but don’t need to be accessed externally.

• Sensitive Infrastructure: Internal communication tools or business systems that don’t require outside access.

---

Differences

---

Conclusion

Public subnets allow resources to interact with the internet, which is vital for services that need to be publicly accessible, while private subnets protect sensitive infrastructure from external threats.

Businesses leverage this distinction to:

• Improve security by isolating sensitive resources.

• Provide scalability through load balancing and segmented networking.

• Create flexible architectures that can handle multiple layers of service, from front-end user interactions to secure back-end data processing.