What is the difference between Public and Private Subnet in AWS?

  1. Home
  2. AWS
  3. What is the difference between Public and Private Subnet in AWS?
Difference between Public and Private Subnet

A subnet is a set of IP addresses within your VPC, and these sets of IP addresses can be further subdivided into public and private subnets. As you may know, when you create one or more subnets within your VPC, they are all treated as private subnets. To make a subnet public, first set up an internet gateway (igw) and then connect it to your VPC.

After connecting the igw to your VPC, modify your route table [main or custom] to route through that internet gateway. Finally, in order to be considered a public subnet, you must associate the subnet that you want to make public with this route table. Let us know in depth about this topic!

Amazon Virtual Private Cloud (Amazon VPC) allows you to launch AWS resources into a predefined virtual network. This virtual network closely resembles a traditional network that you would run in your own data centre, but with the added benefit of utilizing AWS’s scalable infrastructure.

Types of Subnets

Subnets can be public, private, or VPN-only, depending on how you configure your VPC:

Public subnet: IPv4 or IPv6 traffic on the subnet is routed to an internet gateway or an egress-only internet gateway and can access the public internet. See Connect to the internet using an internet gateway for more information.

Private subnet: IPv4 or IPv6 traffic on the subnet is not routed to an internet gateway or egress-only internet gateway and thus cannot access the public internet.

VPN-only subnet: This subnet has no route to the internet gateway, but its traffic is routed to a virtual private gateway for a Site-to-Site VPN connection. More information can be found in the AWS Site-to-Site VPN User Guide.

Components of VPC

A virtual private cloud (VPC) is a virtual isolated network that is exclusive to your AWS account.

Subnet — An IP address range in your VPC.

Route table — A set of rules known as routes that determine where network traffic is directed.

Internet gateway — A gateway that you connect to your VPC to allow communication between your VPC’s resources and the internet.

VPC endpoint — This allows you to connect your VPC privately to supported AWS services and VPC endpoint services. Instances in your VPC do not need public IP addresses to communicate with service resources.

A public subnet is a subnet that is linked to a routing table and has a route to an Internet gateway. This links the VPC to the Internet as well as other AWS services.

A private subnet is one that is associated with a routing table but does not have a route to an internet gateway. Backend servers are instances in the private subnet that do not accept traffic from the internet.

Why Use a Public Subnet – The public subnet’s resources can send outbound traffic directly to the Internet and vice versa. Users from the internet, for example, must be able to access a web server.

Why a Private Subnet – Resources such as databases may require internet access for updates/patches, but they should not accept requests from the internet. A private subnet is to be used in such cases.


The structure of IP addresses makes it relatively easy for Internet routers to find the appropriate network to route data into. However, in a Class A network, for example, there may be millions of connected devices, and it may take some time for the data to find the correct device. This is where subnetting comes in: subnetting restricts the use of an IP address to a specific set of devices.

				We create a default VPC in each Region, with a default subnet in each Availability Zone.
Image Source – AWS

Because IP addresses are limited to indicating the network and the device address, they cannot be used to indicate which subnet an IP packet should go to. Routers in a network use a subnet mask to divide data into subnetworks.

IPv4 and IPv6 addresses – Public and Private Subnet

IPv4 addresses

Private IPv4 addresses (also referred to as private IP addresses in this topic) are not public and can only be used to communicate between instances within your VPC. When you launch an instance into a VPC, the instance’s default network interface receives a primary private IP address from the IPv4 address range of the subnet (eth0). Each instance is also assigned a private (internal) DNS hostname that resolves to its own IP address. Hostnames are classified into two types: resource-based and IP-based. If you do not specify a primary private IP address, we will assign you an IP address in the subnet range that is available. More information about network interfaces can be found in Elastic Network Interfaces in the Amazon EC2 User Guide for Linux Instances.

Every subnet has an attribute that determines whether a network interface created in the subnet receives a public IPv4 address automatically (also referred to as a public IP address in this topic). As a result, when you launch an instance into a subnet with this attribute enabled; a public IP address is assigned to the instance’s primary network interface (eth0). Through network address translation, a public IP address is mapped to the primary private IP address (NAT).

IPv6 addresses

If an IPv6 CIDR block is associated with your VPC and subnet, and one of the following conditions is met, your instance in a VPC receives an IPv6 address:

  • Your subnet is set up to automatically assign an IPv6 address to an instance’s primary network interface during launch.
  • During the launch process, you manually assign an IPv6 address to your instance.
  • After your instance is ready to launch, you assign it an IPv6 address.
  • After launching your instance, you assign an IPv6 address to a network interface in the same subnet and connect the network interface to it.

When your instance receives an IPv6 address during startup, the address is associated with the instance’s primary network interface (eth0). The IPv6 address can be separate from the primary network interface. For your instance, we do not support IPv6 DNS hostnames.

When you stop and restart your instance, an IPv6 address is retained, and it is released when you terminate it. You cannot reassign an IPv6 address while it is assigned to another network interface; you must first unassign it. IPv6 addresses are globally unique and can be set as private or public on the Internet. By configuring your subnet’s routing or using security groups and network ACL rules, you can control whether instances can reach using their IPv6 addresses.

Points of Differences

The following are the distinctions between public and private subnets:

  • A public subnet connects to the internet via an internet gateway (igw). EC2 instances within the public subnet could connect to the internet using the instance public IP address. Instances on the public side may send outbound traffic to the internet. However, your public subnet blocks all incoming requests to your instance.
  • The instance within the private subnet was unable to connect to the internet. The instances could, however, communicate with other instances within the VPC CIDR. AWS allows instances within a private side to connect to the internet via a Network Address Translation (NAT) instance or NAT gateway. In the public subnet, traffic from the private side is route through NAT. You could also limit the route to to create a private side with no internet access in or out.