Subnets are the building blocks of a VPC. Every resource you deploy — an EC2 instance, an RDS database, a Lambda function with VPC access — must be placed in a subnet. Designing your subnet layout correctly is one of the most important decisions in any AWS architecture.
A subnet is a logical division of a VPC's IP address range. Each subnet has a CIDR block carved out of the VPC's range and lives in exactly one Availability Zone (AZ).
You cannot stretch a single subnet across multiple AZs. If you need resources in two AZs, you need at least two subnets.
The terms "public" and "private" are not formal AWS resource types — they describe how routing is configured.
| Characteristic | Public Subnet | Private Subnet |
|---|---|---|
| Route to IGW | Yes — 0.0.0.0/0 → igw-xxxx | No |
| Public IP on launch | Usually enabled | Usually disabled |
| Direct internet access | Yes (inbound and outbound) | No direct access |
| Typical workloads | Load balancers, bastion hosts, NAT gateways | Application servers, databases, caches |
| Outbound internet | Via IGW | Via NAT Gateway in a public subnet |
A subnet is public when its route table contains a route that sends internet-bound traffic (0.0.0.0/0) to an Internet Gateway (IGW). The route alone does not expose anything: an instance also needs a public IPv4 address (or Elastic IP) to exchange traffic with the internet, and inbound connections still have to be allowed by its security group and the subnet's network ACL. The "public IP on launch" behaviour in the table is the subnet's auto-assign public IPv4 attribute (MapPublicIpOnLaunch).
A subnet is private when its route table has no route to an IGW. Traffic destined for the internet is instead routed through a NAT Gateway (or NAT instance) sitting in a public subnet. NAT is outbound-only: instances can open connections to the internet, but nothing on the internet can open a connection to them. One caveat that catches people out: a subnet with no explicit route-table association uses the VPC's main route table, so if the main table carries the IGW route, every newly created subnet is public by default. Keep the main route table free of an IGW route and associate public subnets with their own table explicitly.
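The rule above (IGW route means public, NAT route means private) can be checked mechanically. The following Python is an added example and not code from the lesson; it classifies subnets from data shaped like the output of `aws ec2 describe-route-tables`, but the route tables and subnet IDs are constructed by hand, nothing is fetched from AWS, and the "isolated" label for a subnet with no default route at all is this example's own term rather than an AWS one. It also reproduces the main-route-table pitfall: `subnet-public-a` has no explicit association and inherits the IGW route.

```python
"""Classify subnets as public, private or isolated from route-table data.

Added example, not code from the original lesson. The input imitates the shape
of `aws ec2 describe-route-tables` output but is constructed by hand; nothing
is fetched from AWS. "isolated" is this example's own label, not an AWS term.
"""

# Constructed sample: the VPC's main route table carries the IGW route and has
# no explicit subnet associations, so any subnet without its own association
# silently inherits it and becomes public.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-app",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-app-a"},
            {"Main": False, "SubnetId": "subnet-app-b"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-data",
        "Associations": [{"Main": False, "SubnetId": "subnet-data-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]

# Constructed subnet IDs; "subnet-public-a" deliberately has no explicit association.
SUBNETS = ["subnet-public-a", "subnet-app-a", "subnet-app-b", "subnet-data-a"]


def route_table_for(subnet_id, tables):
    """Return the route table that governs a subnet.

    An explicit association wins; a subnet with none falls back to the VPC's
    main route table, which is where accidental public subnets come from.
    """
    main = None
    for table in tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_table(table):
    """'public' if 0.0.0.0/0 targets an IGW, 'private' if it targets a NAT
    gateway, 'isolated' if there is no usable default route at all."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # a blackhole route (e.g. deleted NAT GW) carries no traffic
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if "NatGatewayId" in route:
            return "private"
    return "isolated"


def classify_subnets(subnet_ids, tables):
    """Map each subnet ID to its classification."""
    return {s: classify_table(route_table_for(s, tables)) for s in subnet_ids}


def main_table_is_public(tables):
    """True when the main route table would make any unassociated subnet public."""
    main = next(t for t in tables if any(a.get("Main") for a in t["Associations"]))
    return classify_table(main) == "public"


if __name__ == "__main__":
    for subnet, kind in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(f"{subnet:18} {kind}")
    if main_table_is_public(ROUTE_TABLES):
        print("WARNING: main route table has an IGW route; unassociated subnets are public")
```

Against real data you would feed the `RouteTables` list from the API response into `classify_subnets` and run `main_table_is_public` per VPC; a `True` there is worth fixing before the next subnet is created.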
For most workloads, a /16 CIDR gives you plenty of room:
VPC CIDR: 10.0.0.0/16 → 65,536 addresses
Best practice is to use at least two AZs for high availability — three if budget allows:
AZ-a: eu-west-2a
AZ-b: eu-west-2b
AZ-c: eu-west-2c (optional third AZ)
Divide the VPC range evenly across tiers and AZs. Here is a common three-tier, two-AZ layout:
| Subnet Name | CIDR | AZ | Type | Purpose |
|---|---|---|---|---|
| public-a | 10.0.1.0/24 | AZ-a | Public | ALB, NAT GW |
| public-b | 10.0.2.0/24 | AZ-b | Public | ALB, NAT GW |
| app-a | 10.0.10.0/24 | AZ-a | Private | Application servers |
| app-b | 10.0.11.0/24 | AZ-b | Private | Application servers |
| data-a | 10.0.20.0/24 | AZ-a | Private | RDS, ElastiCache |
| data-b | 10.0.21.0/24 | AZ-b | Private | RDS, ElastiCache |
Using non-contiguous third octets (1–2 for public, 10–11 for app, 20–21 for data) leaves room to add more subnets to each tier later, for example a third AZ, without renumbering.
Choosing the right prefix length depends on how many resources you plan to run. Remember that AWS reserves five addresses in every subnet (the first four and the last), so a /24 gives 251 usable addresses rather than 256, and an IPv4 subnet prefix must be between /16 and /28.
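The layout in the table can be generated and sanity-checked rather than typed by hand. The Python below is an added example, not code from the lesson: it carves one subnet per tier and AZ out of the VPC range using the standard library's `ipaddress` module, checks that every subnet fits inside the VPC and that none overlap, and reports usable hosts after the five addresses AWS reserves in each subnet. The tier offsets reproduce the lesson's numbering (public from 10.0.1.0, app from 10.0.10.0, data from 10.0.20.0); they count blocks of the chosen prefix, so with /24 they are simply the third octet.

```python
"""Generate and validate a tiered, multi-AZ subnet plan.

Added example, not code from the original lesson. Tier offsets mirror the
lesson's layout; AWS_RESERVED is the five addresses AWS reserves per subnet
(first four and last).
"""
import ipaddress

AWS_RESERVED = 5

# tier -> offset of the tier's first subnet, in units of one subnet block.
# Gaps between tiers leave room to add AZs later without renumbering.
TIERS = {"public": 1, "app": 10, "data": 20}
AZS = ["eu-west-2a", "eu-west-2b"]


def plan_subnets(vpc_cidr, tiers=TIERS, azs=AZS, prefix=24):
    """Carve one subnet per (tier, AZ) out of vpc_cidr and sanity-check the result."""
    vpc = ipaddress.ip_network(vpc_cidr)
    # AWS allows IPv4 VPC and subnet prefixes from /16 to /28, and a subnet
    # can never be larger than its VPC.
    if not (16 <= vpc.prefixlen <= prefix <= 28):
        raise ValueError(f"prefix /{prefix} must be between /{vpc.prefixlen} and /28")
    block = 2 ** (32 - prefix)  # 256 addresses for a /24
    plan = []
    for tier, offset in tiers.items():
        for i, az in enumerate(azs):
            base = int(vpc.network_address) + (offset + i) * block
            net = ipaddress.ip_network((base, prefix))
            if not net.subnet_of(vpc):
                raise ValueError(f"{net} ({tier}/{az}) falls outside {vpc}")
            plan.append({
                "name": f"{tier}-{az[-1]}",   # e.g. app-a
                "cidr": str(net),
                "az": az,
                "tier": tier,
                "usable_hosts": net.num_addresses - AWS_RESERVED,
            })
    overlaps = find_overlaps(plan)
    if overlaps:
        raise ValueError(f"overlapping subnets: {overlaps}")
    return plan


def find_overlaps(plan):
    """Return (name, name) pairs whose CIDRs overlap; empty list means the plan is clean."""
    nets = [(s["name"], ipaddress.ip_network(s["cidr"])) for s in plan]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def usable_hosts(cidr):
    """Addresses an instance can actually take in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED


if __name__ == "__main__":
    for s in plan_subnets("10.0.0.0/16"):
        print(f"{s['name']:10} {s['cidr']:16} {s['az']:12} {s['usable_hosts']} usable")
```

Adding `eu-west-2c` to `AZS` extends every tier with a third subnet (10.0.3.0, 10.0.12.0, 10.0.22.0) without touching the existing ones, which is exactly what the gaps in the numbering are for; a tier offset that collides with another raises rather than producing two subnets on the same range.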