
AWS VPC - Private subnet added to the public route table attached to internet gateway

Hope you are all doing good.

AWS allows us to attach a private subnet (created in a customer VPC) to a route table that has a route to the internet via an internet gateway. Does it make any difference to an instance launched in the private subnet? Or is it as good as not linking the private subnet to the route table that has the route to the internet?

Regards AJ

A subnet is not private if it has routes to/from the internet. The instances launched in a private subnet cannot access the internet and cannot be reached from the internet.

For example, if you have a database instance and you don't want anything but your other instances to access it, you can launch it in the private subnets.

Also, if you want the instances in the private subnet to access the internet, you need to set up a NAT Gateway (or a NAT instance).

Hope this helps

First, we need to know the difference between a public subnet and a private subnet.

Public Subnet means this subnet has an Internet Gateway attached to it. Private Subnet means this subnet has a NAT Gateway attached to it.

The Internet Gateway allows both inbound and outbound traffic, but the NAT only allows outbound traffic to the Internet.

A NAT is built in a public subnet but attached to a private subnet.

You can have many public/private subnets at the same time and attach a NAT or IGW to them, but there can be only one IGW in each VPC.

In some use cases, we will not attach any kind of NAT or IGW to a subnet. That's because it might be a database subnet that isn't expected to communicate with the Internet. Normally, we use a subnet with a NAT attached for our applications such as EC2, ECS, and internal load balancers. On the other hand, we use a subnet with an IGW attached for internet-facing load balancers, Nginx, Apache.

AWS VPC Design: https://aws.amazon.com/tw/answers/networking/aws-single-vpc-design/

I think the hidden magic here is that the instance in the private subnet needs a public IP to communicate with the outside; we never think of this as an issue in our lives. When our computer connects to the router, it gets access to the internet without any issue. Why does it work so smoothly? All because the router handles everything for us, including allocating a private IP for us, making recursive DNS queries for us, and, most importantly, translating the private IP to the router's public IP so that our computer can communicate with the outside bidirectionally.

Let's go back to this AWS VPC scenario: you attached a route table with a default route to the Internet Gateway to your private subnet, which makes it look like a public subnet. However, the instances still have no public IPs, and, unlike our router, the Internet Gateway of AWS VPC doesn't do NAT! So how can an instance with no public IP and no NAT access the internet? It's impossible.
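The distinction the answers draw (IGW route vs. NAT route vs. no route, and whether instances actually get a public IP) is easy to audit from the EC2 API. The following is an added example, not code from the thread or from AWS; it classifies subnets from data in the shape of DescribeRouteTables / DescribeSubnets responses, using constructed sample data with placeholder IDs.

```python
# Added example (not from the thread): classify subnets from data in the shape of
# EC2 DescribeRouteTables / DescribeSubnets responses. All IDs are constructed placeholders.

def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnet(subnet, route_tables):
    """Return (kind, note): 'public' (IGW), 'private' (NAT) or 'isolated'."""
    rt = route_table_for(subnet["SubnetId"], route_tables) or {}
    routes = rt.get("Routes", [])
    has_igw = any(str(r.get("GatewayId", "")).startswith("igw-") for r in routes)
    has_nat = any(r.get("NatGatewayId") for r in routes)
    if has_igw:
        # Routing makes the subnet public whatever it was named. Without a public IP the
        # instance cannot use the IGW, but one later given a public IP or EIP becomes reachable.
        if subnet.get("MapPublicIpOnLaunch"):
            return "public", "instances get public IPs at launch"
        return "public", "IGW route but no auto-assigned public IP: latent exposure"
    if has_nat:
        return "private", "outbound only via NAT gateway"
    return "isolated", "no internet route"

def audit(subnets, route_tables):
    return {s["SubnetId"]: classify_subnet(s, route_tables) for s in subnets}

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
SAMPLE_ROUTE_TABLES = [  # constructed sample
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-igw", "Associations": [{"SubnetId": "subnet-web"}, {"SubnetId": "subnet-app"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-nat", "Associations": [{"SubnetId": "subnet-worker"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"}]},
]
SAMPLE_SUBNETS = [  # constructed; subnet-app is the asker's "private subnet on the IGW table"
    {"SubnetId": "subnet-web", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-app", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-worker", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-db", "MapPublicIpOnLaunch": False},  # no association: main table
]

if __name__ == "__main__":
    for sid, (kind, note) in audit(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(f"{sid}: {kind} - {note}")
```

Feed it the `RouteTables` and `Subnets` lists from the real API calls to find subnets that are "private" only by name.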
