AWS Certified Solutions Architect - Professional 2020

Sign Up Free or Log In to participate!

public subnet vs. private subnet with IGW’s and NAT’s — please be clear…:-)

This is not just an issue with this course.  This is a problem with the cloudy (get it?) pictures drawn for public and private subnets and what they really mean.  

This course says that public subnets are subnets with a route "to the Internet".  Using that logic a private subnet with a NAT is also a public subnet.  Both cannot be correct — and they aren’t.  I see this confusing message used a lot.  Please be more specific using AWS’ own documentation:

Public Subnets:

"If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet."

You should also state that the instances in the public subnet have publicly routable IP addresses.  That means traffic to AND originating from the Internet can access instances in a public subnet (as long as NACLs, Security Groups, and WAF’s allow it).

Private Subnets:

"A private subnet can access the Internet by using a network address translation (NAT) gateway that resides in a public subnet"

Instances in a private subnet don’t have publicly routable IP addresses.  That means traffic TO the internet is allowed if a NAT is setup for the private subnet.  Traffic originating FROM the Internet cannot get to an instance on a private subnet.

There might be better ways of explaining this topic, but I hope my basic message gets across.

2 Answers

Hi lecube,

I applaud your specificity here but In this lecture, I am referring to a direct default route to the Internet.  Machines in public subnets can also use NAT gateways as well if they want…depending on the routing.   I can setup a route to a specific IP to use an internet gateway directly, then setup a default route for everything else to use a NAT Gateway.  For example, I might need to use a specific whitelisted IP to access some vendor’s API server from some of my public instances.  I can also launch instances in a public subnet that don’t have a public IP assigned.

Additionally, traffic to and from the Internet can get to my private instances via an ALB or NLB…which are not technically a NAT.  And I can certainly have public IP’s on my instances living in private VPCs.   Lots of crazy things I’d probably never do but it’s hard to lay down such definitive rules.

Practically speaking, public and private subnets are more of a network design concept…I don’t select "private" or "public" when creating a subnet.  So, I don’t want students to get wrapped up in memorizing a checklist criteria for a public or private subnet.



I agree, public or private subnets are primarily determined based on their route tables. However, I found your first example to be interesting, to be truly public, the IGW needs go be routed to, but if the IGW is whitelisted to a specific CIDR, and the NAT is pointed to, it is unlikely that the NAT will have outbound internet access, if it is depending on the same IGW. Unless maybe you have other public subnets with with separate route tables and the NAT resides in there. I’d rather route the traffic through an ALB with WAF, (sometimes NLB with endpoint) rather than attaching public IP to each node. With that

Thanks guys for both of these posts, helping me understand networking in AWS.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?