Subnets: Dividing a VPC by Availability Zone
A subnet is a range of IP addresses carved out of your VPC's CIDR block and tied to exactly one Availability Zone, which means fault-tolerant architectures always spread subnets across at least two AZs so an outage in one data center doesn't take down your entire application. Subnets are classified as public or private based purely on their route table configuration — specifically, whether traffic has a route to an Internet Gateway — not on any inherent property of the subnet itself, which is a common point of confusion for newcomers. A typical three-tier design uses public subnets for load balancers, private application subnets for EC2 instances or containers, and isolated private subnets for databases with no outbound internet route at all.
Cricket analogy: Splitting a VPC into subnets across Availability Zones is like an IPL franchise fielding separate training camps in Mumbai and Pune — if a monsoon washes out one ground, training continues uninterrupted at the other.
Route Tables Control Traffic Flow
Every subnet is associated with exactly one route table, though a single route table can be shared across multiple subnets, and each table contains rules that determine where network traffic destined for a given IP range is sent next. Every VPC automatically gets a 'main' route table with a local route covering the entire VPC CIDR, ensuring resources can always talk to each other; a subnet becomes 'public' the moment its route table gains an additional entry sending 0.0.0.0/0 traffic to an Internet Gateway. Route tables follow a longest-prefix-match rule, so a more specific route like 10.0.5.0/24 pointing to a NAT Gateway takes precedence over a broader 0.0.0.0/0 default route for traffic within that narrower range.
Cricket analogy: A route table is like a captain's field placement chart specifying exactly where each ball should be directed based on the batsman — a yorker on off-stump routes differently than a bouncer, just as more specific traffic ranges override the general rule.
Internet Gateway vs NAT Gateway
An Internet Gateway (IGW) is a horizontally scaled, redundant VPC component that performs two-way network address translation for resources with public IPs, allowing them to both initiate connections to the internet and receive inbound connections from it. A NAT Gateway, by contrast, lives inside a public subnet and provides one-way outbound-only internet access for resources in private subnets — an EC2 instance in a private subnet can reach out to download a package update, but nothing on the internet can initiate a connection back to it, which is exactly the asymmetry a database tier needs. NAT Gateways are AWS-managed, highly available within their AZ, and billed per hour plus per-GB of data processed, so architects typically deploy one NAT Gateway per AZ for resilience rather than a single shared one.
Cricket analogy: An Internet Gateway is like an open stadium gate letting spectators both enter and exit freely, while a NAT Gateway is like a one-way exit turnstile — players can leave the dressing room to bat, but no outsider can walk back in through it.
# Create a route table and add a default route to an Internet Gateway (public subnet)
aws ec2 create-route-table --vpc-id vpc-0123456789abcdef0 \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=public-rt}]'
aws ec2 create-route \
--route-table-id rtb-0abc123def456 \
--destination-cidr-block 0.0.0.0/0 \
--gateway-id igw-0abc123def456
aws ec2 associate-route-table \
--route-table-id rtb-0abc123def456 \
--subnet-id subnet-0public1a
# Create a NAT Gateway in the public subnet for private subnet outbound access
aws ec2 create-nat-gateway \
--subnet-id subnet-0public1a \
--allocation-id eipalloc-0123456789
aws ec2 create-route \
--route-table-id rtb-0private456 \
--destination-cidr-block 0.0.0.0/0 \
--nat-gateway-id nat-0123456789abcdef0A subnet's public/private classification is entirely determined by its route table, not any flag on the subnet itself. You can have two subnets with identical CIDR sizing where one is public and one is private, purely because their associated route tables differ.
NAT Gateways are billed hourly per gateway plus per-GB of data processed, and a single NAT Gateway is confined to one Availability Zone — if that AZ fails, private subnets in other AZs routed through it lose outbound connectivity. Deploy one NAT Gateway per AZ for true high availability.
- A subnet lives in exactly one Availability Zone; spread subnets across AZs for fault tolerance.
- Public vs private is determined by the route table, specifically the presence of a 0.0.0.0/0 route to an IGW.
- Every VPC has a main route table with a local route covering the full VPC CIDR by default.
- Route tables use longest-prefix-match, so more specific routes override broader default routes.
- An Internet Gateway allows bidirectional traffic for resources with public IPs.
- A NAT Gateway allows only outbound-initiated traffic for private subnet resources.
- Deploy one NAT Gateway per Availability Zone to avoid a single point of failure.
Practice what you learned
1. What determines whether a subnet is considered 'public' in AWS?
2. How many Availability Zones can a single subnet span?
3. Which routing rule does AWS use when multiple route table entries could match a destination?
4. What is the key functional difference between an Internet Gateway and a NAT Gateway?
5. Why should you deploy one NAT Gateway per Availability Zone rather than a single shared one?
Was this page helpful?
You May Also Like
VPC Fundamentals
Learn how Amazon VPC creates an isolated, software-defined network inside AWS, including CIDR planning, default vs custom VPCs, and connectivity options.
Security Groups vs NACLs
Compare AWS's two network-layer firewalls — stateful Security Groups and stateless Network ACLs — and learn when and how to use each for defense in depth.