A subnet is a range of IP addresses within your VPC. Subnets can be divided into private and public subnets. By default, a subnet created within your VPC is private. To make a subnet publicly reachable, first create an internet gateway (IGW) and then attach it to your VPC.
After attaching the internet gateway to your VPC, you can modify a route table (main or custom) to route 0.0.0.0/0 through the internet gateway. For the subnet to be considered public, the subnet you wish to make public must be associated with that route table. Let’s talk more about this topic!
Amazon Virtual Private Cloud (Amazon VPC) allows you to launch AWS resources in a virtual network that you define. This virtual network is very similar to a traditional network you would run in your own data center, with the added benefit of AWS’s scalable infrastructure.
Types of subnets
Depending on how your VPC is configured, subnets can be either public, private, or VPN only.
Public subnet: IPv4 or IPv6 traffic from the subnet is routed to an internet gateway or an egress-only internet gateway and can reach the public internet. For more information, see Connect to the internet using an internet gateway.
Private subnet: IPv4 and IPv6 traffic from the subnet is not routed to an internet gateway or egress-only internet gateway. Resources in the subnet therefore cannot reach the public internet.
VPN-only subnet: The subnet has no route to an internet gateway; instead, its traffic is routed through a virtual private gateway over a Site-to-Site VPN connection. The AWS Site-to-Site VPN User Guide has more information.
VPC Components
A virtual private cloud (VPC) is a logically isolated virtual network dedicated to your AWS account.
Subnet — An IP range within your VPC.
Route table — A set of rules, called routes, that determine where network traffic is directed.
Internet gateway — A gateway that you attach to your VPC to allow communication between your VPC’s resources and the internet.
VPC endpoint — This allows your VPC to connect privately to AWS services and VPC-endpoint services. Your VPC instances do not require public IP addresses to communicate directly with service resources.
A public subnet refers to a subnet that is linked with a routing table and has a route leading to an Internet gateway. This connects the VPC to the Internet and other AWS services.
A private subnet is one whose route table has no route to an Internet gateway. Instances in a private subnet, such as backend servers, do not accept traffic from the Internet.
Why use a public subnet? – Resources in a public subnet can send traffic directly to the Internet, and receive traffic from it. For example, a web server must be reachable by users on the internet.
Why use a private subnet? – Resources such as databases may need internet access to download updates and patches, but they should not receive requests from the internet. In such cases, a private subnet should be used.
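The three subnet types above are entirely a property of the route table that governs each subnet. The following Python script, added here as an illustration and not part of the original article, classifies subnets the way the definitions describe: it walks route tables shaped like the output of `aws ec2 describe-route-tables` (a subnet with no explicit association falls back to the VPC’s main route table), calls a subnet public when an active route targets an internet gateway (`igw-`) or egress-only internet gateway (`eigw-`), VPN-only when its only external target is a virtual private gateway (`vgw-`), and private otherwise. The route-table data is constructed; the `nat-` route in the private table assumes a NAT gateway, which the article does not cover but is the usual way a private subnet fetches updates. The `unexpected_public` check is the audit a defender would run to catch a subnet that became public by accident.

```python
"""Classify the subnets of a VPC as public, private or VPN-only from their
route tables, using the field names that `aws ec2 describe-route-tables`
returns. All data below is constructed; nothing here calls AWS."""

# Constructed sample: four route tables for a VPC with CIDR 10.0.0.0/16.
# The table marked Main=True governs every subnet with no explicit association.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
        "Associations": [{"Main": True}],
    },
    {   # public: default routes for IPv4 and IPv6 point at an internet gateway
        "RouteTableId": "rtb-public",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0abc"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
    },
    {   # private: outbound-only internet access through a NAT gateway (assumed setup)
        "RouteTableId": "rtb-private",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
    },
    {   # VPN-only: on-premises range reachable through a virtual private gateway
        "RouteTableId": "rtb-vpn",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0123"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-corp"}],
    },
]
# Constructed subnet ids; subnet-orphan has no explicit association.
SUBNETS = ["subnet-web", "subnet-db", "subnet-corp", "subnet-orphan"]


def effective_route_table(subnet_id, route_tables):
    """Return the route table that governs a subnet: its explicit association
    if it has one, otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_route_table(rt):
    """'public' if any active route targets an internet gateway (igw-) or
    egress-only internet gateway (eigw-), 'vpn-only' if the only external
    target is a virtual private gateway (vgw-), otherwise 'private'."""
    kind = "private"
    for route in rt.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes (target deleted) forward nothing
        target = route.get("GatewayId", "")
        if target.startswith(("igw-", "eigw-")):
            return "public"
        if target.startswith("vgw-"):
            kind = "vpn-only"
    return kind


def audit_subnets(subnet_ids, route_tables):
    """Map each subnet id to its classification and governing route table."""
    report = {}
    for sid in subnet_ids:
        rt = effective_route_table(sid, route_tables)
        report[sid] = {"type": classify_route_table(rt), "route_table": rt["RouteTableId"]}
    return report


def unexpected_public(subnet_ids, route_tables, allowed_public):
    """Subnets that are public but not on the allow-list: the drift to catch
    when a route to an internet gateway is added to the wrong table."""
    report = audit_subnets(subnet_ids, route_tables)
    return sorted(s for s, info in report.items()
                  if info["type"] == "public" and s not in allowed_public)


if __name__ == "__main__":
    for sid, info in audit_subnets(SUBNETS, ROUTE_TABLES).items():
        print(f"{sid:15} {info['type']:9} via {info['route_table']}")
    print("unexpected public:", unexpected_public(SUBNETS, ROUTE_TABLES, {"subnet-web"}))
```

Two details matter in practice: a subnet with no explicit association silently inherits the main route table, so adding an internet-gateway route to the main table makes every such subnet public at once; and a route whose target has been deleted shows `State: blackhole` and forwards nothing, which is why the classifier skips it.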
Functioning
Internet routers can quickly find the right network to forward data to because of the structure of IP addresses. For example, in a Class A network there may be a great many connected devices, and it may take some time to locate the right one. Subnetting is a way to limit the range of IP addresses used by a particular set of devices.
Routers in a network use a subnet mask to divide traffic among subnetworks. (Image source: AWS)
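To make the subnet-mask mechanism concrete, here is a small Python example (added for this article, not code from AWS) that carves subnets out of a VPC CIDR with the standard `ipaddress` module, reports each subnet’s mask and usable host count, and resolves an address to its subnet by longest-prefix match, which is what a router does with the mask. The usable-host figure subtracts the five addresses AWS reserves in every subnet (network address, VPC router, DNS server, one reserved for future use, broadcast), and the prefix check enforces the /16 to /28 range AWS allows for IPv4 subnets. The CIDR and addresses used are constructed.

```python
"""Plan IPv4 subnets inside a VPC CIDR and resolve which subnet an address
falls in, using only the standard library. Sample values are constructed."""
import ipaddress
from itertools import islice

# AWS reserves five addresses in every subnet: the network address, the VPC
# router, the DNS server, one held for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, new_prefix, count):
    """Carve `count` equal subnets of size /new_prefix out of vpc_cidr and
    report each one's CIDR, subnet mask and usable host count."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.version == 4 and not 16 <= new_prefix <= 28:
        raise ValueError("AWS IPv4 subnets must be between /16 and /28")
    if new_prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must not be shorter than the VPC prefix")
    plan = []
    for net in islice(vpc.subnets(new_prefix=new_prefix), count):
        plan.append({
            "cidr": str(net),
            "netmask": str(net.netmask),
            "usable_hosts": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        })
    return plan


def subnet_for(address, plan):
    """Longest-prefix match, as a router does with the subnet mask: return the
    most specific planned subnet containing `address`, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for entry in plan:
        net = ipaddress.ip_network(entry["cidr"])
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


if __name__ == "__main__":
    # Constructed example: a 10.0.0.0/16 VPC split into three /24 subnets.
    plan = plan_subnets("10.0.0.0/16", 24, 3)
    for entry in plan:
        print(f"{entry['cidr']:16} mask {entry['netmask']:16} usable {entry['usable_hosts']}")
    print("10.0.1.37 belongs to", subnet_for("10.0.1.37", plan))
    print("10.0.9.1 belongs to", subnet_for("10.0.9.1", plan))
```

The host count is the number worth checking when sizing subnets: a /28, the smallest AWS allows, holds 16 addresses but only 11 usable ones, so small subnets fill up faster than the raw block size suggests.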
IPv4 and IPv6 addresses, Public and Private Subnet
IPv4 addresses
Private IPv4 addresses (referred to as private IP addresses in this article) are not reachable over the internet and are used only for communication between instances within your VPC. When you launch an instance into a VPC, its primary network interface (eth0) is assigned a primary private IP address from the subnet’s IPv4 address range. Each instance also gets a private (internal) DNS hostname that resolves to its private IP address. There are two types of hostnames: resource-based and IP-based. If you don’t specify a primary private address, AWS assigns an available IP address from the subnet’s range. For more information about network interfaces, see Elastic Network Interfaces in the Amazon EC2 User Guide for Linux Instances.
Each subnet has an attribute that determines whether a network interface created in the subnet gets a public IPv4 address (referred to as a “public IP address” in this topic). If this attribute is enabled when an instance is launched into the subnet, a public IP address is assigned to the instance’s primary network interface (eth0). The public IP address is mapped to the primary private address through network address translation (NAT).
IPv6 addresses
If an IPv6 CIDR block is associated with your VPC and your subnet, and one of these conditions is met, your instance receives an IPv6 address:
The subnet is configured to automatically assign an IPv6 address to the primary network interface of an instance when it launches.
You manually assign an IPv6 address to your instance during launch.
You assign an IPv6 address to your instance after launch.
After you have launched your instance, you assign an IPv6 address to a network interface and attach that interface to the instance.
Your instance receives an IPv6 address when it starts. This address is associated with the instance’s primary network interface (eth0). The IPv6 address may differ from that of the primary network interface. IPv6 DNS hostnames are not supported.
An IPv6 address persists when you stop and start your instance, and is released when you terminate the instance.