Private and Public Subnets

Understanding the differences between private and public subnets is fundamental when designing AWS environments. Knowing when to use each type is key to maintaining secure and scalable infrastructure. When deciding whether a subnet should be public or private, ask yourself: Should internet devices interact directly with the resources deployed on the subnet? If the answer is yes, that subnet should be public; if no, it should be private. For instance, consider a web server that serves content to internet users. This web server should reside in a public subnet. In contrast, a backend database that stores sensitive data must not be directly accessible from the internet. Instead, the database should be placed in a private subnet, where only trusted resources—like the aforementioned web server—can access it.

Place internet-facing resources, such as web servers, in public subnets while keeping sensitive backend services like databases in private subnets to ensure enhanced security.

In practice, this configuration means that end users interact with a public-facing web server, which in turn securely communicates with a private database. This setup prevents direct internet access to the database, significantly reducing potential attack vectors. Another common scenario involves extending a private on-premises data center into AWS. In such cases, the cloud resources are treated as an extension of your existing private network and are typically deployed in private subnets. A secure VPN connection links your on-premises data center to the AWS infrastructure, thereby eliminating the need to expose these resources to the internet.

The image illustrates a use case for a private subnet, showing a connection from a private data center to an AWS private subnet via a VPN.

Resources in public subnets are designed to be accessible from the internet, while resources in private subnets remain isolated from direct external access. Gateways and routing configurations play a crucial role in defining these access levels.

Watch Video

Practice Lab

NAT Gateways VPC Demo

DNS VPC

Introduction

Services - Networking

Services - Storage

Services - Compute

Services - Database

Services - Application Integration

Services - Data and ML

Services - Migration and Transfer

Services - Management and Governance

Services - Security

Bringing it all together

Designing for Security

Designing for Reliability

Designing for Performance

Designing for Cost-Optimization

Applying your Design Skills

Private and Public Subnets

Watch Video

Practice Lab

Introduction

Services - Networking

Services - Storage

Services - Compute

Services - Database

Services - Application Integration

Services - Data and ML

Services - Migration and Transfer

Services - Management and Governance

Services - Security

Bringing it all together

Designing for Security

Designing for Reliability

Designing for Performance

Designing for Cost-Optimization

Applying your Design Skills

Documentation Index

Watch Video

Practice Lab