Basics of AWS VPC: Understanding Subnets, Route Tables, Internet Gateways, and NAT Gateways

What is AWS VPC?

Amazon Virtual Private Cloud (VPC) is a virtual network allocated to your AWS account. If you are wondering what a virtual network is: it allows communication between computers, servers, or other devices. A VPC allows you to launch AWS resources such as EC2 (servers) inside your own virtual network.

A VPC is basically an IP CIDR block that AWS allocates to your AWS account. While creating the VPC, you only need to provide a VPC name and an IPv4 CIDR block, for example 10.30.0.0/24. There are some advanced configuration options as well, but you don't need to worry about them for now.

For example, say you have created a VPC named dev-vpc with the IP range 10.0.0.0/24:

  • VPC Name: dev-vpc
  • IPV4 Range: 10.0.0.0/24

Now, this IP range is allocated to your AWS account and nobody else can have the same IP range.

What is a Subnet?

A subnet is a set of IP addresses in your VPC. A subnet must be in a single availability zone. Availability Zones are distinct locations within the AWS Region. For example, one availability zone is ap-south-1: Asia Pacific.

To create a new subnet, first select the VPC from the VPC dropdown. Then name your subnet, choose the availability zone and enter the IPv4 CIDR block. Note that the subnet's IPv4 CIDR block must lie within the IP range of the selected VPC.

Create public subnet

  • Choose VPC: dev-vpc
  • Subnet name: public-subnet-1
  • Availability Zone: ap-south-1
  • IPV4 CIDR Block: 10.0.1.0/24

Create private subnet

  • Choose VPC: dev-vpc
  • Subnet name: private-subnet-1
  • Availability Zone: ap-south-1
  • IPV4 CIDR Block: 10.0.2.0/24
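The containment rule above (a subnet CIDR must sit inside the VPC CIDR, and subnets must not overlap each other) is easy to check before touching the console. The following is an added example, not code from the article: it uses Python's standard ipaddress module on the article's subnet names and CIDRs. The VPC CIDR is assumed to be 10.0.0.0/16 here, because the /24 subnets listed above cannot fit inside a 10.0.0.0/24 VPC; the function reports exactly that when given the /24. The usable-host count subtracts the five addresses AWS reserves in every subnet (the first four and the last).

```python
import ipaddress

# Constructed plan mirroring the article's subnet names and CIDRs.
# Assumption: the VPC is 10.0.0.0/16 so that the two /24 subnets fit inside it.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public-subnet-1": "10.0.1.0/24",
    "private-subnet-1": "10.0.2.0/24",
}

# AWS reserves the first four addresses and the last address of each subnet.
AWS_RESERVED_PER_SUBNET = 5


def validate_subnet_plan(vpc_cidr, subnets):
    """Return a list of human-readable problems in a VPC/subnet plan.

    Two constraints are checked, matching what the console enforces:
      1. every subnet CIDR lies inside the VPC CIDR;
      2. no two subnet CIDRs overlap each other.
    An empty list means the plan is consistent.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"{name} {cidr} is outside VPC {vpc_cidr}")
        nets[name] = net

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def usable_hosts(cidr):
    """Number of addresses in a subnet that instances can actually use."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    for vpc in ("10.0.0.0/24", VPC_CIDR):
        print(vpc, validate_subnet_plan(vpc, SUBNETS) or "ok")
    for name, cidr in SUBNETS.items():
        print(name, cidr, "usable hosts:", usable_hosts(cidr))
```

Run it once with the /24 VPC and once with the /16 to see the difference: the first reports both subnets as outside the VPC, the second reports nothing.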

Once you have created a subnet, resources within it cannot connect to the internet or route outbound traffic yet. There are two types of subnets:

  1. Public subnet
  2. Private subnet

Difference between the public subnet and private subnet

In simple terms, instances in a public subnet can send traffic to the outside world, whereas instances in a private subnet can't.

Now you must be wondering how public and private subnets are defined and identified. To understand this better, let's come back to the subnet we created named public-subnet-1. I have named it "public", but it is not public yet.

To understand the difference between a public subnet and a private subnet, let's first look at the route table, the internet gateway, and the NAT gateway.

Route Table: It is used to make routing decisions. It contains routes to CIDR blocks outside the ranges in your VPC; for example, it controls routing to internet gateways and NAT gateways.

Internet Gateway: A component that allows communication between your VPC and the internet. If your VPC doesn't have an internet gateway, resources within your VPC, for example a website deployed on one of your EC2 servers, can't be reached from the internet.

NAT Gateway: A Network Address Translation (NAT) gateway allows instances in your private subnet to connect to outside services such as databases, but prevents external services from initiating connections to these instances.

One key thing to note while creating a NAT gateway: "You must create the NAT gateway in a public subnet so that other resources within the same VPC can communicate internally."

To create a route table, you just need to give it a name. Once the route table is created, you can select it and add routes to it. For example:

RTB-Public: A route table with a target to Internet gateway is a public route table.

RTB-Private: A route table with a target to NAT gateway is a private route table.

Now, let's come to the difference between public and private subnets.

A subnet associated with the public route table is a public subnet, since resources in that subnet can route outbound traffic to the internet and outside services can also connect to these instances.
A subnet associated with the private route table is a private subnet, since resources in that subnet can route outbound traffic to the internet, but outside services can't connect to these instances.

Create an Internet Gateway named "igw-dev".

Create the NAT Gateway named "nat-dev" under one of the public subnets.

Choose the route table RTB-Public, select the Routes tab, and select Add Route. Under Target, select the internet gateway named "igw-dev".

Choose the route table RTB-Private, select the Routes tab, and select Add Route. Under Target, select the NAT gateway named "nat-dev".

Now, both public and private route tables are ready. We can assign subnets to these route tables.

  • Select route table RTB-Public again. Select the "Subnet associations" tab and click "Edit subnet associations". There check "public-subnet-1" and click "Save associations"
  • Select route table RTB-Private again. Select the "Subnet associations" tab and click "Edit subnet associations". There check "private-subnet-1" and click "Save associations"

Now you have successfully created a VPC, subnets (public and private), an internet gateway, a NAT gateway, route tables, and the associations between route tables and subnets.
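The whole procedure above boils down to a small model: each subnet is associated with one route table, and the target of that table's default route decides whether the subnet is public (internet gateway), private (NAT gateway) or has no outbound internet path at all. The following is an added example, not code from the article or an AWS library: it models the dev-vpc setup with the article's names (RTB-Public, RTB-Private, igw-dev, nat-dev, public-subnet-1, private-subnet-1), classifies every subnet, and audits the rule that the NAT gateway must live in a public subnet. Assumptions: the default route destination is 0.0.0.0/0 (the article does not spell it out, but that is the destination such a route uses); the VPC CIDR used for the local route is 10.0.0.0/16 so the article's subnets fit inside it; the label "isolated" for a subnet without a default route is this example's own term; and targets are recognised by the igw-/nat- prefixes, which match both the article's names and real AWS resource ids.

```python
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass
class RouteTable:
    name: str
    routes: Dict[str, str]                              # destination CIDR -> target
    subnets: List[str] = field(default_factory=list)    # subnets associated with this table


@dataclass
class Vpc:
    cidr: str
    route_tables: List[RouteTable]
    nat_gateways: Dict[str, str] = field(default_factory=dict)  # NAT gateway -> subnet it lives in


def classify_table(table):
    """Classify a route table by the target of its 0.0.0.0/0 route."""
    target = table.routes.get(DEFAULT_ROUTE)
    if target is None:
        return "isolated"            # no path to the internet in either direction
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"                   # e.g. a peering or transit target, not covered here


def classify_subnets(vpc):
    """Map every associated subnet to public / private / isolated / other."""
    return {subnet: classify_table(table)
            for table in vpc.route_tables
            for subnet in table.subnets}


def audit(vpc):
    """Return findings that would make the setup misbehave."""
    findings = []
    kinds = classify_subnets(vpc)

    # A NAT gateway must be placed in a public subnet (one whose route table
    # sends 0.0.0.0/0 to an internet gateway).
    for nat, subnet in vpc.nat_gateways.items():
        kind = kinds.get(subnet, "unassociated")
        if kind != "public":
            findings.append(f"{nat} is in {subnet} ({kind}), but a NAT gateway must be in a public subnet")

    # A subnet can be associated with only one route table.
    seen = {}
    for table in vpc.route_tables:
        for subnet in table.subnets:
            if subnet in seen:
                findings.append(f"{subnet} is associated with both {seen[subnet]} and {table.name}")
            seen[subnet] = table.name
    return findings


# Constructed model of the article's dev-vpc after all the steps above.
# Assumption: VPC CIDR 10.0.0.0/16 (used for the "local" route).
DEV_VPC = Vpc(
    cidr="10.0.0.0/16",
    route_tables=[
        RouteTable("RTB-Public", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "igw-dev"}, ["public-subnet-1"]),
        RouteTable("RTB-Private", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "nat-dev"}, ["private-subnet-1"]),
    ],
    nat_gateways={"nat-dev": "public-subnet-1"},
)

if __name__ == "__main__":
    print(classify_subnets(DEV_VPC))
    print(audit(DEV_VPC) or "no findings")
```

Moving nat-dev into private-subnet-1 in the model produces a finding, and a table with only the local route (the state of a freshly created subnet) classifies as isolated. The same logic can be run against real data by filling the model from the output of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`.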

It is important to use security groups and network access control lists (ACLs) to control inbound and outbound traffic to your resources. This helps increase the security of your VPC by allowing only the necessary traffic to reach your resources while blocking everything else.

One tip for using AWS subnets is to use different subnets for different types of resources and different levels of trust. For example, you can use one subnet for public-facing resources such as a web server, and another subnet for private resources such as a database.

About Author

Mayank Patel