🌍 AWS Subnets – Public and Private Subnets within a VPC

In cloud networking, you need a way to divide your network logically so that different parts of your application can be isolated and secured.

This is where AWS Subnets come in.

A subnet (short for subnetwork) is a portion of your Amazon VPC (Virtual Private Cloud) where you can group resources based on security and accessibility needs.

  • Public Subnet: Has a route to the internet through an Internet Gateway (its route table sends 0.0.0.0/0 to the IGW). Typically used for web servers, load balancers and bastion hosts.
  • Private Subnet: No route from the internet. Used for databases, application servers and internal APIs. Outbound access (if needed) goes through a NAT Gateway, which allows replies but never inbound connections.

Think of a VPC as your house, and subnets as the rooms inside. Some rooms (like the living room) are public, while others (like the bedroom) are private.
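What makes a subnet public is its route table, not its name or tag. The following is an added example, not code from the original post: it classifies subnets by inspecting route-table data shaped like the `RouteTables` list that boto3's `ec2.describe_route_tables()` returns. The route tables, subnet IDs and gateway IDs below are constructed samples, so the script runs offline without an AWS account.

```python
"""Classify subnets as public or private from route-table data.

Added example, not part of the original post. A subnet is public only if the
route table it uses has an active 0.0.0.0/0 route to an Internet Gateway. A
default route to a NAT Gateway gives outbound-only access, which is still
private. Subnets with no explicit association fall back to the VPC's main
route table, so an IGW route on the main table silently makes them public.
"""

# Constructed sample shaped like ec2.describe_route_tables()['RouteTables']
ROUTE_TABLES = [
    {   # main table: used by every subnet without an explicit association
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public table: default route to an Internet Gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"},
        ],
    },
    {   # private table: default route to a NAT Gateway
        "RouteTableId": "rtb-private",
        "Associations": [{"Main": False, "SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"},
        ],
    },
]

# Constructed subnet inventory; subnet-orphan-b has no explicit association
SUBNET_IDS = ["subnet-pub-a", "subnet-priv-a", "subnet-orphan-b"]


def table_for_subnet(subnet_id, route_tables):
    """Return the table explicitly associated with the subnet, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Return 'igw', 'nat', 'other' or None for the table's 0.0.0.0/0 route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # blackhole routes carry no traffic
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId"):
            return "nat"
        return "other"  # e.g. transit gateway, VPN or instance-based egress
    return None


def classify_subnets(subnet_ids, route_tables):
    """Map each subnet ID to 'public', 'private (NAT egress)' or 'private (no internet route)'."""
    result = {}
    for sid in subnet_ids:
        rt = table_for_subnet(sid, route_tables)
        target = default_route_target(rt) if rt else None
        if target == "igw":
            result[sid] = "public"
        elif target == "nat":
            result[sid] = "private (NAT egress)"
        else:
            result[sid] = "private (no internet route)"
    return result


if __name__ == "__main__":
    for sid, kind in classify_subnets(SUBNET_IDS, ROUTE_TABLES).items():
        print(f"{sid}: {kind}")
```

The main-table fallback is the check most worth keeping: if someone adds an IGW route to the main route table, every subnet that was never explicitly associated with another table becomes public without anyone touching the subnet itself. Running this classification over the real `describe_route_tables()` and `describe_subnets()` output is a cheap way to catch that drift.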


βš™οΈ Key Features of AWS Subnets

  1. Segmentation – Split your network into smaller parts for better control.
  2. Security – Control inbound/outbound traffic with security groups and NACLs.
  3. High Availability – Each subnet lives in exactly one Availability Zone, so create subnets in several AZs for redundancy.
  4. Scalability – Deploy thousands of resources across multiple subnets.
  5. Flexibility – Assign public or private IPs depending on subnet type.
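Segmentation and high availability both come down to address planning: each AZ needs its own public and private subnet, and the blocks must not overlap. This is an added example, not code from the original post; it uses Python's standard `ipaddress` module to carve a VPC CIDR into one public and one private block per AZ and to validate the result. The AZ names are illustrative and the `/16` and `/24` sizes mirror the post's own CIDRs.

```python
"""Plan and validate non-overlapping public/private subnet CIDRs per AZ.

Added example, not from the original post. Given a VPC CIDR and a list of
Availability Zones, hand out consecutive blocks so that every AZ gets one
public and one private subnet, then check that nothing overlaps and that
every block sits inside the VPC range.
"""
import ipaddress


def plan_subnets(vpc_cidr, azs, prefix=24):
    """Return {az: {"public": cidr, "private": cidr}} using consecutive /prefix blocks."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    blocks = vpc.subnets(new_prefix=prefix)  # generator of consecutive sub-blocks
    plan = {}
    for az in azs:
        try:
            plan[az] = {"public": str(next(blocks)), "private": str(next(blocks))}
        except StopIteration:
            raise ValueError(
                f"{vpc_cidr} cannot hold two /{prefix} subnets for each of {azs}"
            )
    return plan


def validate_plan(vpc_cidr, plan):
    """Return a list of problems: blocks outside the VPC or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [
        (f"{az}/{kind}", ipaddress.ip_network(cidr))
        for az, kinds in plan.items()
        for kind, cidr in kinds.items()
    ]
    problems = []
    for name, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside {vpc}")
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} {a} overlaps {name_b} {b}")
    return problems


def usable_hosts(cidr):
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5


if __name__ == "__main__":
    # Illustrative AZ names; the VPC CIDR matches the post's example
    plan = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"])
    for az, kinds in plan.items():
        for kind, cidr in kinds.items():
            print(f"{az:12} {kind:8} {cidr:16} usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_plan("10.0.0.0/16", plan) or "none")
```

The `usable_hosts` figure matters when sizing: a /24 gives 251 addresses, not 254, because AWS keeps five per subnet. Run `validate_plan` on any hand-edited plan before calling `create_subnet`, since the API only rejects overlaps with existing subnets, not mistakes in a plan you have not created yet.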

πŸ—‚οΈ Common Use Cases

Use Case                   | Description
---------------------------|------------------------------------------------------------------------
Public Subnet              | Hosting web applications accessible from the internet.
Private Subnet             | Running databases and backend services hidden from the public.
Hybrid Networking          | On-premise resources can connect securely into private subnets.
Multi-Tier Architectures   | Web tier (public), application tier (private), database tier (private).
Secure Analytics Workloads | Keep sensitive analytics or ML workloads in private subnets.

πŸ› οΈ Programs (Python – boto3)


✅ 1: Create a Public Subnet

import boto3

ec2 = boto3.client('ec2')

# Create a new VPC
vpc = ec2.create_vpc(CidrBlock='10.0.0.0/16')
vpc_id = vpc['Vpc']['VpcId']

# Create a subnet (public)
public_subnet = ec2.create_subnet(
    VpcId=vpc_id,
    CidrBlock='10.0.1.0/24',
    AvailabilityZone='us-east-1a'
)
public_subnet_id = public_subnet['Subnet']['SubnetId']
print("Created Public Subnet:", public_subnet_id)

# Create and attach an Internet Gateway
igw = ec2.create_internet_gateway()
igw_id = igw['InternetGateway']['InternetGatewayId']
ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

# The subnet only becomes "public" once its route table sends 0.0.0.0/0 to the IGW;
# attaching the gateway to the VPC alone is not enough
public_rt = ec2.create_route_table(VpcId=vpc_id)
public_rt_id = public_rt['RouteTable']['RouteTableId']
ec2.create_route(RouteTableId=public_rt_id, DestinationCidrBlock='0.0.0.0/0', GatewayId=igw_id)
ec2.associate_route_table(RouteTableId=public_rt_id, SubnetId=public_subnet_id)

Use Case: This subnet is for public-facing resources like EC2 web servers.


✅ 2: Create a Private Subnet with NAT Gateway

# Continues from program 1: reuses ec2, vpc_id and public_subnet

# Create a private subnet
private_subnet = ec2.create_subnet(
    VpcId=vpc_id,
    CidrBlock='10.0.2.0/24',
    AvailabilityZone='us-east-1a'
)
private_subnet_id = private_subnet['Subnet']['SubnetId']
print("Created Private Subnet:", private_subnet_id)

# Allocate Elastic IP for NAT Gateway
eip = ec2.allocate_address(Domain='vpc')

# Create NAT Gateway in the public subnet (it needs the IGW route to reach the internet)
nat_gw = ec2.create_nat_gateway(
    SubnetId=public_subnet['Subnet']['SubnetId'],
    AllocationId=eip['AllocationId']
)
nat_gw_id = nat_gw['NatGateway']['NatGatewayId']
# The gateway starts in 'pending'; wait until it is 'available' before sending traffic through it
ec2.get_waiter('nat_gateway_available').wait(NatGatewayIds=[nat_gw_id])
print("Created NAT Gateway in Public Subnet")

# Give the private subnet its own route table whose default route points at the NAT Gateway
private_rt = ec2.create_route_table(VpcId=vpc_id)
private_rt_id = private_rt['RouteTable']['RouteTableId']
ec2.create_route(RouteTableId=private_rt_id, DestinationCidrBlock='0.0.0.0/0', NatGatewayId=nat_gw_id)
ec2.associate_route_table(RouteTableId=private_rt_id, SubnetId=private_subnet_id)

Use Case: This subnet is for databases and backend services that need outbound internet but remain hidden from public access.


✅ 3: Launch Instances in Public vs Private Subnets

# Continues from programs 1 and 2: reuses ec2, public_subnet and private_subnet

# When NetworkInterfaces is supplied, the subnet must be set inside that entry;
# the API rejects a top-level SubnetId combined with NetworkInterfaces

# Launch instance in Public Subnet
ec2.run_instances(
    ImageId='ami-0c55b159cbfafe1f0',
    InstanceType='t2.micro',
    MaxCount=1,
    MinCount=1,
    NetworkInterfaces=[{
        'DeviceIndex': 0,
        'SubnetId': public_subnet['Subnet']['SubnetId'],
        'AssociatePublicIpAddress': True
    }]
)

# Launch instance in Private Subnet (no public IP; egress goes via the NAT Gateway)
ec2.run_instances(
    ImageId='ami-0c55b159cbfafe1f0',
    InstanceType='t2.micro',
    MaxCount=1,
    MinCount=1,
    NetworkInterfaces=[{
        'DeviceIndex': 0,
        'SubnetId': private_subnet['Subnet']['SubnetId'],
        'AssociatePublicIpAddress': False
    }]
)
print("Instances launched in both Public and Private Subnets")

Use Case: Demonstrates how different workloads can be separated inside public/private subnets.


🧠 How to Remember AWS Subnets for Exams & Interviews

  1. Acronym “PUB” vs “PRI”

    • PUB: Public, User-facing, Browser-accessible.
    • PRI: Private, Restricted, Internal-only.
  2. Memory Trick: Think of subnets like hotel rooms. Some rooms (public ones) open directly to the lobby (internet). Others (private ones) require a hallway (NAT Gateway) to exit.

  3. Exam Hot Points:

    • Difference between public vs private subnets.
    • NAT Gateway vs Internet Gateway usage.
    • Why subnets must reside in a single Availability Zone.
    • Designing multi-tier architectures with proper subnet placement.

🎯 Why It Is Important to Learn AWS Subnets

  1. Foundation of AWS Networking – Every EC2, RDS, or Lambda (in VPC) runs inside a subnet.
  2. Security & Compliance – Keeping sensitive resources in private subnets reduces risk.
  3. Scalable Architectures – Multi-tier apps rely heavily on subnet segmentation.
  4. Cloud Exam Relevance – Heavily tested in AWS Solutions Architect Associate, SysOps, and Networking Specialty.
  5. Real-World Usage – Without subnet knowledge, you cannot design secure VPC topologies.

🔒 Best Practices

  • Create at least one public and one private subnet in each Availability Zone.
  • Use NAT Gateways for outbound internet access from private subnets.
  • Apply network ACLs and security groups for layered security.
  • Avoid putting databases in public subnets.
  • Enable VPC Flow Logs to monitor traffic.
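Flow Logs are only useful if something reads them. The following is an added example, not code from the original post: it parses VPC Flow Log records in the default (version 2) field order and flags accepted flows whose source is outside the RFC 1918 ranges and whose destination is inside a private subnet, which is exactly the traffic a private subnet should never see. The log lines are constructed samples, and the private CIDR reuses the post's 10.0.2.0/24.

```python
"""Flag accepted internet-sourced traffic reaching private-subnet addresses.

Added example, not part of the original post. Parses VPC Flow Log records in
the default version-2 format (space separated, 14 fields) and reports ACCEPT
records from a non-RFC 1918 source to an address inside a private subnet.
The sample log lines below are constructed, not captured from a real VPC.
"""
import ipaddress

# Default flow-log field order (version 2)
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Private subnet CIDRs to watch; 10.0.2.0/24 is the post's private subnet
PRIVATE_SUBNETS = [ipaddress.ip_network("10.0.2.0/24")]

# Internal address space; anything outside these is treated as internet-sourced
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: an accepted SSH flow from outside, a rejected RDP
# attempt, an internal DB connection, NAT egress to the internet, and a NODATA line
SAMPLE_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.15 51234 22 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.2.15 51235 3389 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.15 40000 5432 6 100 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 198.51.100.7 43210 443 6 20 1600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Return the record as a dict, or None if it does not have the 14 default fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_internal(addr):
    """True if the address lies in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_internet_ingress(text, private_subnets=PRIVATE_SUBNETS):
    """Return (srcaddr, dstaddr, dstport, interface_id) for each suspicious ACCEPT record."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no addresses
        if rec["action"] != "ACCEPT":
            continue  # REJECTs are worth counting, but they never reached the host
        dst = ipaddress.ip_address(rec["dstaddr"])
        if is_internal(rec["srcaddr"]):
            continue
        if any(dst in net for net in private_subnets):
            findings.append((rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]), rec["interface_id"]))
    return findings


if __name__ == "__main__":
    for src, dst, port, eni in find_internet_ingress(SAMPLE_LOGS):
        print(f"ACCEPTED from internet: {src} -> {dst}:{port} on {eni}")
```

One caveat when running this against real logs: the reply leg of NAT egress (the remote server answering a connection the private instance opened) also appears as an ACCEPT record with an external source and a private destination. With the default format you can only tell the two apart by destination port and timing; a custom log format that includes the `tcp-flags` or `flow-direction` fields makes the distinction explicit, and an ACCEPT record with the SYN flag set arriving at a private address is the one to alert on.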

📘 Conclusion

AWS Subnets form the building blocks of VPC networking. By dividing your VPC into public and private zones, you gain control, security, and flexibility.

For exam prep and interviews:

  • Public Subnet = Internet-facing.
  • Private Subnet = Internal-only.
  • Use NAT Gateway for private outbound internet.

Mastering subnets ensures you can design, secure, and scale applications in AWS.