How to set up public and private subnets in a VPC
Topic: Cloud aws core
Summary
Create subnets with the right route tables so some are public (route to Internet Gateway) and others private (route to NAT for outbound only). Place load balancers and bastions in public subnets; app and DB in private. Use this when building a layered network in AWS.
Intent: How-to
Quick answer
- Public subnet: create subnet; create route table with 0.0.0.0/0 -> Internet Gateway; associate route table with subnet. Enable auto-assign public IP for the subnet if instances should get public IPs.
- Private subnet: create subnet; create route table with 0.0.0.0/0 -> NAT Gateway (the NAT itself sits in a public subnet); associate with the private subnet. Instances in the private subnet have no public IP; they reach the internet only outbound, via the NAT.
- Place the NAT Gateway in a public subnet so it can reach the IGW. Use one NAT per AZ for HA or one shared NAT to save cost. Security groups must allow outbound from the private instances (a NAT Gateway has no security group of its own; a NAT instance does, and its group must permit the forwarded traffic).
Prerequisites
Steps
- Create subnets: create at least one public and one private subnet per AZ (e.g. 10.0.1.0/24 public, 10.0.2.0/24 private). Ensure CIDRs do not overlap and fit in the VPC CIDR.
- Public route table: create a route table; add 0.0.0.0/0 -> Internet Gateway (attach the IGW to the VPC first). Associate this route table with the public subnet(s). Enable auto-assign public IP on the public subnet if needed.
- NAT and private route table: create a NAT Gateway in a public subnet (this requires an Elastic IP). Create a route table for the private subnet(s); add 0.0.0.0/0 -> NAT Gateway. Associate it with the private subnet(s).
- Place resources: launch load balancers and bastions in public subnets; launch app and DB instances in private subnets. Ensure security groups allow required traffic between tiers and from NAT.
Summary
Create public subnets with a route to the IGW and private subnets with a route to a NAT Gateway. Place NAT in a public subnet; place app and DB in private subnets. Use this to build a layered VPC design.
Prerequisites
Steps
Step 1: Create subnets
Create public and private subnets per AZ with non-overlapping CIDRs inside the VPC.
Step 2: Public route table
Create a route table with 0.0.0.0/0 to the IGW; associate with public subnets. Enable auto-assign public IP if needed.
Step 3: NAT and private route table
Create a NAT Gateway in a public subnet; create a route table with 0.0.0.0/0 to the NAT; associate with private subnets.
Step 4: Place resources
Put LB and bastions in public subnets; put app and DB in private subnets. Configure security groups for tier-to-tier traffic and for outbound.
Verification
Instances in public subnets can be reached from the internet (if allowed by SG); instances in private subnets can reach the internet via NAT but are not directly reachable.
Troubleshooting
- Private instance has no internet: check that the private subnet's route table points 0.0.0.0/0 to the NAT; check that the NAT is in a public subnet whose route table has an IGW route; check security groups (and NACLs) on the private instance.
- NAT cost: one NAT per AZ for HA; one shared NAT for cost; consider a NAT instance as a cheaper option that you patch and operate yourself.
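The CIDR rule from Step 1 and the "NAT must be in a public subnet" check from Troubleshooting can be verified offline against the data the CLI returns. The following is an added example, not part of this page or of any AWS tooling; the subnet, route-table and NAT data is constructed to mimic trimmed `describe-subnets` / `describe-route-tables` output, and every ID and CIDR in it is a sample value.

```python
# Offline check of a VPC layout. Data mimics trimmed `aws ec2 describe-route-tables`
# and describe-subnets output; all IDs and CIDRs are constructed sample values.
import ipaddress

VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"subnet-pub-a": "10.0.1.0/24", "subnet-priv-a": "10.0.2.0/24"}
ROUTE_TABLES = [
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}],
     "Associations": [{"SubnetId": "subnet-pub-a"}]},
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}],
     "Associations": [{"SubnetId": "subnet-priv-a"}]},
]
NAT_SUBNET = {"nat-0def": "subnet-pub-a"}  # NAT Gateway id -> subnet it was created in


def check_cidrs(vpc_cidr, subnets):
    """Step 1: each subnet CIDR must fit inside the VPC and none may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {sid: ipaddress.ip_network(c) for sid, c in subnets.items()}
    problems = [f"{sid} not inside VPC" for sid, n in nets.items() if not n.subnet_of(vpc)]
    ids = list(nets)
    for i, a in enumerate(ids):
        problems += [f"{a} overlaps {b}" for b in ids[i + 1:] if nets[a].overlaps(nets[b])]
    return problems


def classify_subnets(route_tables):
    """Subnet -> 'public' (0.0.0.0/0 via igw-), 'private' (via NAT) or 'isolated'."""
    kind = {}
    for rt in route_tables:
        default = next((r for r in rt["Routes"] if r["DestinationCidrBlock"] == "0.0.0.0/0"), {})
        if default.get("GatewayId", "").startswith("igw-"):
            k = "public"
        elif default.get("NatGatewayId"):
            k = "private"
        else:
            k = "isolated"  # no default route at all: no internet path in either direction
        for assoc in rt["Associations"]:
            kind[assoc["SubnetId"]] = k
    return kind


def check_nat_placement(route_tables, nat_subnet):
    """Troubleshooting: every NAT used as a default route must live in a public subnet."""
    kind = classify_subnets(route_tables)
    nats = {r["NatGatewayId"] for rt in route_tables for r in rt["Routes"] if r.get("NatGatewayId")}
    return [f"{n} is not in a public subnet" for n in sorted(nats)
            if kind.get(nat_subnet.get(n)) != "public"]
```

Subnets with no explicit association fall back to the VPC's main route table, which this sample does not model; feed the main table in as a normal entry if you rely on it.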