AWS VPC Networking Fundamentals
Explain the difference between public and private subnets in AWS VPC. How do instances in private subnets access the internet?
A subnet is public or private only by virtue of its route table. A public subnet's route table carries a 0.0.0.0/0 route to an Internet Gateway (IGW), so instances that have a public or Elastic IP can be reached from, and can reach, the internet directly. A private subnet's route table has no IGW route; its 0.0.0.0/0 route points instead to a NAT Gateway that sits in a public subnet and owns an Elastic IP. The NAT Gateway translates connections initiated from inside and forwards the replies back, but accepts no unsolicited inbound connections, so private instances get outbound-only access to fetch updates and call external APIs while remaining unreachable from the internet. (For IPv6 the equivalent is an egress-only internet gateway; traffic to AWS services such as S3 or DynamoDB can bypass NAT entirely through VPC endpoints.)
VPC subnet design is fundamental to AWS security architecture. The public/private split follows the principle of least exposure: only resources that must accept connections from the internet (internet-facing load balancers, bastion hosts) go in public subnets, while application servers, databases and internal services stay in private subnets and are reachable only through those front doors. Subnet placement is necessary but not sufficient: any instance in a public subnet that receives a public IP is directly addressable, so security groups and network ACLs still have to be restrictive.
Terraform VPC with public/private subnets: the public route table carries a 0.0.0.0/0 route to the IGW; each private route table carries 0.0.0.0/0 to a NAT Gateway (one per AZ) and no IGW route at all.
Verify subnet routing: resolve each subnet to its effective route table (an explicit association, otherwise the VPC's main route table) and check where its 0.0.0.0/0 route points, using `aws ec2 describe-route-tables` and `aws ec2 describe-subnets`.
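The verification step above, as an added example that is not part of the original card: a small auditor that takes the JSON shapes returned by `aws ec2 describe-route-tables`, `describe-subnets` and `describe-nat-gateways`, works out each subnet's effective route table (explicit association, else the main table), classifies it as public, private, isolated or blackholed from its IPv4 default route, and flags the classic mistakes: a backend tier that is public because it fell back to a main table holding the IGW route, a private subnet whose NAT Gateway lives in another AZ, and a default route whose NAT Gateway no longer exists. All IDs, tags and AZs are constructed sample data, not from a real account; the `tier` tag convention is an assumption.

```python
"""Audit which VPC subnets are really public or private, from route-table data.

Added example (not from the original card). Input shapes follow the AWS CLI
describe-* JSON; the data below is constructed, with hypothetical IDs.
"""
from typing import Dict, List, Optional, Tuple

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}

# Constructed sample: shape of `aws ec2 describe-route-tables` output.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],          # main table has the IGW route
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-app-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a", "State": "active"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-db-b"}],
     "Routes": [LOCAL]},                                                     # no default route at all
    {"RouteTableId": "rtb-stale", "Associations": [{"SubnetId": "subnet-app-c"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-gone", "State": "blackhole"}]},
]
# Constructed sample: the only NAT Gateway lives in the AZ "a" public subnet.
NAT_GATEWAYS = [{"NatGatewayId": "nat-a", "SubnetId": "subnet-web-a", "State": "available"}]
# Constructed sample: shape of `aws ec2 describe-subnets` output (tier tag is our convention).
SUBNETS = [
    {"SubnetId": "subnet-web-a", "AvailabilityZone": "eu-west-1a", "MapPublicIpOnLaunch": True,  "Tags": [{"Key": "tier", "Value": "web"}]},
    {"SubnetId": "subnet-app-a", "AvailabilityZone": "eu-west-1a", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "tier", "Value": "app"}]},
    {"SubnetId": "subnet-app-b", "AvailabilityZone": "eu-west-1b", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "tier", "Value": "app"}]},
    {"SubnetId": "subnet-app-c", "AvailabilityZone": "eu-west-1c", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "tier", "Value": "app"}]},
    # No explicit route-table association: falls back to the main table, which carries the IGW route.
    {"SubnetId": "subnet-db-a",  "AvailabilityZone": "eu-west-1a", "MapPublicIpOnLaunch": True,  "Tags": [{"Key": "tier", "Value": "db"}]},
    {"SubnetId": "subnet-db-b",  "AvailabilityZone": "eu-west-1b", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "tier", "Value": "db"}]},
]
BACKEND_TIERS = {"app", "db"}


def tag(resource: Dict, key: str) -> str:
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}.get(key, "")


def route_table_for(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """An explicit association wins; a subnet without one uses the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify(route_table: Dict) -> Tuple[str, str]:
    """Classify from the IPv4 default route: public / private / isolated / blackhole / other, plus its target."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        target = route.get("NatGatewayId") or route.get("GatewayId", "")
        if route.get("State") == "blackhole":
            return "blackhole", target            # target was deleted; traffic is silently dropped
        if target.startswith("igw-"):
            return "public", target
        if target.startswith("nat-"):
            return "private", target
        return "other", target                     # TGW, VGW, NAT instance, peering, ...
    return "isolated", ""


def audit(subnets: List[Dict], route_tables: List[Dict], nat_gateways: List[Dict]) -> Dict[str, Dict]:
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_az = {n["NatGatewayId"]: subnet_az.get(n["SubnetId"]) for n in nat_gateways}
    report = {}
    for s in subnets:
        rt = route_table_for(s["SubnetId"], route_tables)
        kind, target = classify(rt)
        tier = tag(s, "tier")
        issues = []
        if kind == "public" and tier in BACKEND_TIERS:
            issues.append(f"{tier} tier is public via {rt['RouteTableId']}")
            if s.get("MapPublicIpOnLaunch"):
                issues.append("auto-assigns public IPs, so every new instance is internet-reachable")
        if kind == "isolated" and tier == "app":
            issues.append("no default route: NAT Gateway missing, outbound updates and API calls will time out")
        if kind == "blackhole":
            issues.append(f"default route target {target} no longer exists")
        if kind == "private" and nat_az.get(target) != s["AvailabilityZone"]:
            issues.append(f"egress depends on {target} in {nat_az.get(target)}; an outage there cuts this AZ off")
        report[s["SubnetId"]] = {"kind": kind, "tier": tier, "route_table": rt["RouteTableId"], "issues": issues}
    return report


if __name__ == "__main__":
    for subnet_id, r in audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS).items():
        flag = "!!" if r["issues"] else "ok"
        print(f"{flag} {subnet_id:14} {r['tier']:4} {r['kind']:9} {r['route_table']:13} {'; '.join(r['issues'])}")
```

The main-table fallback is the detail people miss: a subnet created without an explicit association is public the moment the main route table gets an IGW route, whatever its name or tags say. Against real data, feed the script the output of the three `describe-*` calls and treat any `!!` line on a backend tier as a finding.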
Common mistakes
- Placing databases in public subnets for convenience: combined with auto-assigned public IPs this makes the database directly addressable from the internet, leaving its security group as the only control
- Forgetting the NAT Gateway, or the 0.0.0.0/0 route to it, in a private route table: instances cannot fetch patches or reach external APIs, and the failure shows up as connection timeouts rather than an explicit error
- Running a single NAT Gateway for every AZ: NAT Gateways are zonal, so private subnets in other AZs lose all egress if that AZ fails (and pay cross-AZ data charges); deploy one per AZ and route each private subnet to the gateway in its own AZ
Follow-up questions
- What is the cost implication of using NAT Gateways vs NAT Instances?
- How do VPC Endpoints reduce the need for NAT Gateway traffic?
- What is the difference between a Security Group and a Network ACL?