Subnets in AWSLearn how subnets organize your AWS VPC into public and private zones, ensuring efficient, secure, and high-availability architecture.
ByAnis Mer_

Subnets in AWS

Organizing Your Virtual Neighborhood

When you create a Virtual Private Cloud (VPC), it’s like setting up a blank city — wide open and ready to be divided into neighborhoods. These neighborhoods, called subnets, allow you to organize and secure your resources. Think of them as the public-facing streets and private back alleys of your digital city.

Let’s dive deeper into what subnets are, how they work, and how they interact with AWS Availability Zones.

What Are Subnets?

A subnet (short for subnetwork) is a smaller section of your VPC, carved out of your main CIDR block. Subnets allow you to:

  • Organize resources based on their function, accessibility, or security needs.
  • Isolate traffic and ensure that resources communicate efficiently and securely.

Subnets are tied to specific Availability Zones (AZs). AZs are isolated data centers within an AWS region, designed to ensure high availability and fault tolerance. This means:

  • Each subnet lives in a single AZ.
  • To build fault-tolerant systems, you can create subnets across multiple AZs, ensuring redundancy.

Mental Model:
Imagine your VPC as a city. Subnets are the neighborhoods within that city:

  • Some neighborhoods are public, with open roads that connect to highways (the internet).
  • Others are private, with gated communities that restrict access to outsiders.
  • Availability Zones are like separate districts in your city—each with its own infrastructure but connected to the broader region.

Public vs. Private Subnets

Subnets are typically classified into two types: public and private. The difference lies in whether their resources can communicate directly with the internet.

1. Public Subnets
  • Definition: A public subnet is connected to the internet via an Internet Gateway. Any resource (like a web server) placed in this subnet can send and receive traffic from the internet.
  • Use Case: Ideal for resources that need to be accessible to users, such as:
    • Web servers
    • Load balancers

Mental Model:
Think of a public subnet as a storefront facing a busy street. Customers (internet users) can easily visit, interact, and leave.

2. Private Subnets
  • Definition: A private subnet is isolated from the internet and cannot directly communicate with it. However, resources in a private subnet can still initiate outbound traffic to the internet using a NAT Gateway or NAT Instance.
  • Use Case: Perfect for resources that need to stay hidden from the public, such as:
    • Databases
    • Backend servers
    • Internal application services

Mental Model:
A private subnet is like the back office of a store. It’s where important internal work happens, but customers (the internet) can’t just walk in.

How Subnets Work with Availability Zones

Subnets are defined within a single Availability Zone (AZ). This means:

  • If you want redundancy, you can create subnets across multiple AZs in a region.
  • For example:
    • Public Subnet 1 (10.0.1.0/24) in AZ us-east-1a
    • Private Subnet 1 (10.0.2.0/24) in AZ us-east-1b

By distributing your subnets across AZs, you protect your infrastructure from AZ-specific failures, ensuring high availability for your application.

High Availability with Subnets Across AZs

To ensure your application remains operational during an AZ failure, you need redundancy across AZs for both public and private subnets.

Example Setup:

  1. Public Subnet 1 (10.0.1.0/24) in AZ us-east-1a: Hosts Web Server 1.
  2. Public Subnet 2 (10.0.2.0/24) in AZ us-east-1b: Hosts Web Server 2.
  3. Private Subnet 1 (10.0.3.0/24) in AZ us-east-1a: Hosts Database Replica 1.
  4. Private Subnet 2 (10.0.4.0/24) in AZ us-east-1b: Hosts Database Replica 2.

How It Works:

  • Both web servers are placed behind a load balancer. If AZ us-east-1a fails, the load balancer automatically routes traffic to the web server in us-east-1b.
  • The databases use multi-AZ replication, ensuring that the secondary database in us-east-1b can take over seamlessly if us-east-1a goes down.

Step-by-Step: Creating Subnets in AWS

Here’s how to create subnets in the AWS Management Console:

  1. Go to the VPC Dashboard

    • In the AWS console, navigate to the VPC Dashboard and select your VPC.

  2. Click “Create Subnet”

    • Assign a Name Tag (e.g., PublicSubnet-1) for easy identification.
    • Choose the Availability Zone where you want the subnet to live.

  3. Assign a CIDR Block

    • Define a smaller range of IP addresses for the subnet.
      • Example: If your VPC has 10.0.0.0/16, assign 10.0.1.0/24 to the public subnet.
    • The /24 block provides up to 256 IP addresses, perfect for many use cases.

  4. Repeat for Additional Subnets

    • Create another subnet (e.g., PrivateSubnet-1) in a different AZ with a CIDR block like 10.0.2.0/24.

  5. Designate Subnets as Public or Private

    • Public Subnet: Attach an Internet Gateway and update the routing table to send traffic to the internet.
    • Private Subnet: Attach a NAT Gateway to allow outbound traffic while blocking inbound access.

Big Words Defined

  • Subnet: A segment of a VPC that helps organize and isolate resources.
  • Public Subnet: A subnet with resources that can connect to the internet.
  • Private Subnet: A subnet with resources isolated from the internet.
  • NAT Gateway: A service that allows private subnets to initiate outbound internet traffic while blocking inbound traffic.
  • Availability Zone (AZ): A physical data center in an AWS region, designed for fault tolerance and high availability.

What’s Next?

Next, we’ll explore CIDR Blocks — the addressing system that defines the range of IP addresses in your VPC and helps organize your network efficiently.

Back