Hello and welcome to this lecture, where I try to answer the question of why we may want to Subnet our VPCs and what the benefits are by doing so.

Starting with logical network division. Creating multiple Subnets allows you to create logical network divisions between your resources. By doing so, you could have a Subnet for database instances, another for application servers, and another for web infrastructure.

By splitting up your Subnets this way, helps to enforce a greater level of security. Logical grouping of similar resources also helps you to maintain an ease of management across your infrastructure.

On this point, I remember being in a meeting with a network engineer many years ago. And someone around the table asked, "Why do we need to Subnet?" He responded with a question. "Does your house have more than one room? " He then continued by saying, "It's a similar thought process, your house has more than one room, as each room serves a different purpose, A kitchen, a lounge, a dining room, etc. Think of these as Subnets. The space in your house, your CIDR block, has been divided into smaller more manageable purpose specific rooms rather than one large room in which you can cook, clean and sleep in, which would soon become very disjointed."

Security. By having multiple Subnets with similar resources grouped together, as per the previous point, it allows for greater security management. By implementing network level virtual firewalls, called network access control lists, or NACLs, it's possible to filter traffic on specific ports from both an ingress and egress point at the Subnet level.

For example, if you had a Subnet that only held my SQL RTS databases within it, you could allow communication between your application service Subnet to talk to your database Subnet on port 1443 for my SQL. And then block and drop all other packets that do not meet this criteria. If you had web servers and application servers within the same Subnet as your RTS instances, you would have to open up a lot of other ports, reducing the level of security within that Subnet.

Having multiple Subnets allows you to create both private and public Subnets. Public Subnets allows the resources within it to access and connect to the internet, and the outside world to connect to those resources, depending on certain security controls. Private Subnets are not directly accessible from the internet. And so private Subnets are protected from the outside world, providing a greater level of security by its very nature.

You may want some of your Subnets to route out to the internet, some to remain private, and some to communicate back to your corporate on premise network over a VPN link. Through the use of routing tables associated to each specific Subnet, you can route traffic as required to cater for these communication paths.

A Subnet can only belong to one route table at any time. Therefore, by creating multiple Subnets, you can restrict some resources in those Subnets to specific routes. If your solution requires a level of high availability, and it most likely will, then it's best practice to deploy services across multiple availability zones within a region.

Here becomes a restriction of VPC Subnets in that a single Subnet cannot span across two availability zones. As a result, this best practice forces you to create an additional Subnet in the second availability zone. So if you want high availability within your environment, you'll need Subnets in at least two availability zones in any region.

As we go through this course, you'll see the benefits that this provides. As you can see, there are many advantages over creating multiple Subnets within your VPC. And as you design, architect and secure your infrastructure, you will quickly see how multiple Subnets enables ease of network management, rooting and security.

In the next lecture, I want to look at what a VPC Subnet actually looks like and what its configurable components are.