Public & Private Subnets


VPC Fundamentals
What is a VPC?
VPC Security and Control
VPC Connectivity
VPC Sharing using the AWS Resource Access Manager
Feature Spotlight:
Start course
3h 12m

In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various networking and VPC services currently available in AWS that are relevant to the ANS-C01 exam.

Learning Objectives

  • Identify and describe the various networking services available in AWS
  • Describe how to configure an Amazon Virtual Private Cloud (VPC)
  • Understand how to control network traffic via Security Groups and Network Access Control Lists (NACLs)
  • Describe options for VPC connectivity, subnets, and routing
  • Understand how to share VPC resources using the AWS Resource Access Manager (RAM)
  • Identify how to evaluate the configuration of VPC resources using the VPC Reachability Analyzer


The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.


Hello, and welcome to this lecture. Where I want to discuss the differences between public and private subnets, and how they are defined. Now we have seen what a subnet looks like, I want to talk to you about both public and private subnets. In a nutshell, public subnets have direct access to the Internet, whereas your private instances do not.

So what makes a subnet public? There are essentially 2 components required to make any one of your subnets classed as a public subnet. Firstly, you need to create and attach an Internet gateway to your VPC. This Internet gateway is a managed service, controlled, configured, and maintained by AWS. It scales horizontally automatically, and is classified as a highly valuable component of your VPC infrastructure.

Once your Internet gateway is attached to your VPC, you have a gateway to the Internet. However, at this point, your instances have no idea how to get out to the Internet. As a result, you need to add a default route to the route table associated with your subnet. The route could have a destination value of 0.0. 0. 0/0, and the target value will be set as your Internet gateway ID.

The destination value of essentially says for any destinations not already known to the route table, then use this route, which points to the target of the Internet gateway. With an Internet gateway attached, and a route in place, the subnet is now considered to be a public subnet.

There are, however, additional elements required before your instances within that public subnet can access the outside world. Any instance that you're required to communicate with external resources on the Internet and beyond, will require a public IP address. Also, you'll need to ensure that your public subnet NACL is not restricting or blocking expected ingress and egress traffic.

For example, if you are using http, and the NACL denied all traffic going over port 80, then you would run into problems very quickly. So to quickly recap, to enable the instances to communicate with the Internet, the following conditions must be true. The VPC must have an Internet gateway attached. The subnet must have a route, for example,, with a target of the attached Internet gateway. The instances must have a public IP address assigned. And the associated NACL must allow ingress and egress traffic. Before moving on from this section, I just want to revisit a point I made about the public IP address allocation for the instances.

Depending on the IP addressing behavior of the subnet, these can either be automatically assigned to new instances launched within the subnet, or you must manually choose to have a public IP address for your instance. By default, all subnets have the automatic assigned of public IP addresses turned off.

Even when a subnet is considered a public subnet. The assignment remains as a manual process for instances. To modify the subnet IP addressing behavior from within the management console, you must first select the subnet within the VPC service, select subnet actions, then select Modify Auto Assign IP Settings.

Select the Tick box to enable auto assign public IPV4 addresses, and then click Save. The subnet will then automatically assign a public IP address to any instances that are launched within that subnet. Do be aware that for each instance created, you can overrule this decision. As you can see, although the default is Enable, it's possible to select Disable for the instance.

Any public IP address assigned by this method is not directly associated to your AWS account. Instead it's taken from a pull of addresses owned by AWS, and when the instance is no longer required, the IP address is released back into the AWS pull. You can't request the same public IP address if you need to use it again.

If you acquire this functionality of being able to reuse, and reassign a public IP address, then you would need to use an elastic IP address, an EIP. Using an EIP is another option we have to give instances public IP addresses. So far, we have looked at VPC CIDR Block Ranges, and subnetting of these blocks into smaller side blocks for subnets, Subnet IP reservation addresses, why you would want and need to subnet your VPC, Public and private subnets within your VPC and subnet IP addressing behavior. However, does any of this change if you have multiple VPCs? What considerations need to be made if you are looking to peer multiple VPCs together?

In the next lecture, we will take a look at VPC peering subnet considerations.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.