AWS Foundations

Public vs Private Subnets

Understand what makes an AWS subnet public or private, how route tables and gateways decide reachability, and where workloads should live.

Level: foundation. 6 min read. Updated 2026-05-31. Tags: Cloud, Certification, Networking, Security.
Key terms: Public Subnet, Private Subnet, Route Table, Internet Gateway, NAT Gateway, Public IP Address, Private Workload.

After this, you will understand

Public and private subnet questions become predictable once you stop trusting names and trace the route table.

Plain version

A public subnet routes internet-bound traffic to an internet gateway; a private subnet does not have a direct route to an internet gateway.

Decision pressure

Learners think public means a subnet has a public name, or that a public IP alone is enough for internet connectivity.

Exam-ready model

Place internet-facing entry points in public subnets and application or database workloads in private subnets with controlled outbound paths.

Think before reading: What two things does an IPv4 EC2 instance usually need to communicate directly with the internet?

It needs a public IPv4 address or Elastic IP address and a subnet route table that sends internet-bound traffic to an internet gateway.


Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. Security Groups vs NACLs (aws-foundations)
  2. Amazon EC2 (aws-services)

Concepts Covered

  • Public subnets
  • Private subnets
  • Route tables
  • Internet gateways
  • Public IPv4 addresses
  • Elastic IP addresses
  • NAT gateways
  • Load balancer placement
  • Database subnet placement
  • Exam traps around subnet names

1. Plain-English Definition

A public subnet is a subnet whose route table has a route to an internet gateway for internet-bound traffic.

A private subnet is a subnet whose route table does not have a direct route to an internet gateway.

That is the key. The subnet name is not authoritative. A subnet called public-a is not public unless its route table makes it public. A subnet called private-a is not private if it has a route to an internet gateway.

For IPv4 internet access, an instance also needs a public IPv4 address or Elastic IP address. A route alone is not enough. A public IP alone is not enough if the route table does not send internet traffic to an internet gateway.

The useful model is:

public subnet = route to internet gateway + public addressing for resources that need direct internet reachability
private subnet = no direct route to internet gateway

2. Why This Matters In AWS

Subnet placement is one of the first security and availability decisions in AWS architecture.

Internet-facing resources need a public entry path. That often means an Application Load Balancer or Network Load Balancer in public subnets. But the application servers behind the load balancer usually do not need direct internet exposure. They can run in private subnets and only accept traffic from the load balancer security group.

Databases almost never need public subnet placement for normal application architectures. They should live in private database subnets and accept traffic only from application-tier security groups or controlled administrative paths.

Private subnets can still have outbound access. A NAT gateway in a public subnet can allow private IPv4 resources to initiate outbound internet connections. VPC endpoints can let private resources reach supported AWS services without public internet traversal.

For SAA-C03, public/private subnet wording appears in nearly every VPC scenario: web tiers, app tiers, database tiers, NAT gateways, bastion hosts, load balancers, VPC endpoints, and secure access to AWS services.

3. The Beginner Mental Model

Think of a VPC as a building.

A public subnet is a lobby with a controlled door to the street. People from the street can reach public-facing services if the rules allow it.

A private subnet is an internal floor. It can talk to other internal floors. It may be able to send outbound packages through a mailroom, but people from the street cannot walk directly to it.

A common architecture:

internet
  -> internet gateway
  -> public subnets: load balancer, NAT gateway
  -> private app subnets: EC2, ECS, Lambda ENIs
  -> private database subnets: RDS

The load balancer receives user traffic. Application instances stay private. The database is deeper inside. NAT or VPC endpoints provide controlled outbound paths when needed.

4. What That Mental Model Misses

The public/private distinction is about routing, not trust by itself.

A private subnet can still contain a badly configured resource that is reachable from other parts of the network. A public subnet can contain a resource whose security group denies all inbound traffic. Subnet type is only one layer.

IPv6 changes some mental shortcuts. IPv6 addresses are globally routable, and egress-only internet gateways support outbound-only IPv6 patterns. The core lesson remains: trace routes and controls, not names.

NAT gateways do not make private instances publicly reachable. They allow instances in private subnets to initiate outbound IPv4 connections and receive response traffic.

VPC endpoints are often better than NAT for reaching AWS services privately. For example, private instances can reach S3 through a gateway endpoint without sending traffic through the public internet.

Multi-AZ design matters. Public and private subnets should usually be created across multiple Availability Zones so load balancers, NAT gateways, and application tiers are not tied to one AZ.

5. AWS Mechanics

An internet gateway attaches to a VPC. A subnet becomes public when its associated route table sends internet-bound traffic, such as 0.0.0.0/0 for IPv4, to that internet gateway.

For an IPv4 EC2 instance to communicate directly with the internet, it needs public IPv4 addressing and a route path to the internet gateway. The instance itself still knows its private address; AWS performs one-to-one NAT at the internet gateway path for public IPv4 communication.

A NAT gateway is created in a public subnet and associated with an Elastic IP address. Private subnet route tables can send outbound internet-bound IPv4 traffic to the NAT gateway. The NAT gateway then uses the public subnet's route to the internet gateway.

A route table is associated with one or more subnets. If a subnet has no explicit association, it uses the main route table. This is why route table inspection is more reliable than subnet names.

Security groups and NACLs still apply. Routing can make a path possible. Security controls decide whether traffic is allowed.
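The classification rule from sections 1 and 5 (trace the route table, fall back to the main table when a subnet has no explicit association, and require both a public IPv4 address and an IGW route for direct reachability) as an added example that is not part of the original page. The dictionaries mimic the shape of EC2 DescribeRouteTables output but are constructed sample data, and the subnet, table, igw-/nat- IDs and IP address are placeholders; nothing here calls AWS.

```python
from typing import List, Optional

# Constructed sample: one main table, a subnet named "private" that is really
# public, an app subnet behind NAT, and a DB subnet with no explicit
# association (so it falls back to the main table).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-edge", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]

def route_table_for(subnet_id: str, tables: List[dict]) -> Optional[dict]:
    """Explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main

def classify_subnet(subnet_id: str, tables: List[dict]) -> str:
    """'public' = active 0.0.0.0/0 route to an igw-*; NAT egress is still private."""
    table = route_table_for(subnet_id, tables) or {}
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackhole routes carry nothing
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-nat-egress"
    return "private"

def has_direct_internet_path(instance: dict, tables: List[dict]) -> bool:
    """Both conditions from the page: a public IPv4 address AND a subnet route to an IGW."""
    has_public_ip = bool(instance.get("PublicIpAddress"))
    return has_public_ip and classify_subnet(instance["SubnetId"], tables) == "public"
```

Running `classify_subnet` over the three subnets shows the point of the page: the subnet named private-a comes back public, the unassociated DB subnet inherits the main table and is private, and an instance with a public IP in that DB subnet still has no direct internet path.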

6. Architecture Examples

A public web application might use:

  • public subnets across two AZs for an Application Load Balancer
  • private subnets across two AZs for EC2 application instances
  • private database subnets across two AZs for RDS
  • NAT gateways in public subnets for application patching and outbound calls
  • S3 gateway endpoint for private S3 access

Users reach the load balancer. The load balancer reaches app instances. App instances reach the database. The database has no public route.

A batch processing system may have no public subnets for compute at all. Workers can live in private subnets, read from SQS and S3 through VPC endpoints, and write results back to S3 or DynamoDB. If no internet access is needed, NAT may be unnecessary.

A bastion host pattern places a tightly controlled administrative jump host in a public subnet, but many modern designs prefer Systems Manager Session Manager to avoid inbound SSH exposure.

7. SAA-C03 Exam Signals

"Internet-facing load balancer" usually belongs in public subnets.

"Application servers should not be directly accessible from the internet" points to private subnets behind a load balancer.

"Database should not be publicly accessible" points to private database subnets and restrictive security groups.

"Private instances need outbound internet access for patching" points to a NAT gateway.

"Private instances need access to S3 without public internet" points to a VPC endpoint.

"Subnet has route to internet gateway" means public. "No route to internet gateway" means private, regardless of the subnet name.

8. Common Traps

Do not decide public versus private from the subnet name.

Do not think a public IP address alone creates internet access. The route table must support the path.

Do not put a NAT gateway in a private subnet.

Do not put databases in public subnets for normal application access.

Do not assume private subnet means no outbound access. NAT gateways and VPC endpoints can provide outbound or private service access.

Do not forget multiple Availability Zones. One public subnet and one private subnet in one AZ is not a highly available layout.

9. What To Learn Next

Next, study Security Groups vs NACLs. Routing makes paths possible; security groups and NACLs decide which packets are allowed.

Then revisit Amazon EC2, because EC2 is where subnet placement, public IPs, route tables, and instance roles become visible.

Official AWS references:
