How to differentiate between public and private subnet in AWS VPC

Manmohan Singh Bohara
4 min readMay 12, 2023
Photo by Wesley Tingey on Unsplash

When you are starting with AWS VPC and specially when you are working with an existing VPC setup, it’s difficult to differentiate between public and private subnets. As we know, the name is just a tag in AWS, and that doesn’t make sure what it says. So many times, it turns out that the subnet that is named as private isn’t actually private.

In this article, we will try to understand the concept of public/private subnet in AWS VPC and see how to differentiate between them.

First of all, let’s get familiarize ourselves with some terminologies.

VPC : stands for Virtual Private Cloud and is a logically isolated virtual network on top of AWS physical network. So that we can have an isolated environment for our resources and have better control over security.

Subnet: Subnet is a network inside a network (in our case, sub-network inside VPC). Subnets provide better control over the traffic flows in VPC. You can have different IP ranges (CIDRs) for your subnet as per your needs. If you are wondering how to do CIDR calculation and allocation, you might want to look at my article.

IGW (Internet Gateway) : as per AWS documentation, “An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.” Basically, IGW provides access to internet with an associated public IP.

NAT (Network Address Translation) Gateways : NAT gateway allows instances to have access to internet without public IPs. This is important because it ensures one way traffic i.e. only your instances can initiate a request to internet. (If you use IPv6, then you can use Egress only internet gateways instead of NAT Gateways.)

Route table: Route table is the one who controls the traffic flow in/out subnets. As per AWS documentation, “A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed”.