AWS VPC Networking Fundamentals
Explain the difference between public and private subnets in AWS VPC. How do instances in private subnets access the internet?
Public subnets are subnets whose route table sends 0.0.0.0/0 to an Internet Gateway (IGW), so instances with public or Elastic IPs can be reached from, and can reach, the internet directly. Private subnets have no IGW route; their route table sends internet-bound traffic to a NAT Gateway that lives in a public subnet and holds an Elastic IP. The NAT Gateway translates the private source addresses, so instances can initiate outbound connections and receive the replies, but nothing on the internet can initiate a connection to them. This architecture keeps backend services unreachable from outside while still letting them fetch updates and call external APIs.
VPC subnet design is fundamental to AWS security architecture. The public/private split follows the principle of least exposure: only resources that must accept connections from the internet (load balancers, bastion hosts) go in public subnets, while application servers and databases stay in private subnets, where they are reachable only from inside the VPC or through those front-door components.
Terraform VPC with public/private subnets
Verify subnet routing
- Placing databases in public subnets for convenience, which exposes them to the internet
- Forgetting to create a NAT Gateway, or to add the 0.0.0.0/0 route to it in the private route table, leaving private instances without internet access
- Using a single NAT Gateway instead of one per availability zone, so an AZ outage cuts off outbound access for every private subnet
- What is the cost implication of using NAT Gateways vs NAT Instances?
- How do VPC Endpoints reduce the need for NAT Gateway traffic?
- What is the difference between a Security Group and a Network ACL?