AWS VPC identify private and public subnet
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
In AWS, a subnet is considered public or private based on its routing, not on its name. The key question is whether the subnet's route table sends internet-bound traffic directly to an internet gateway or keeps that traffic behind a NAT gateway or other private path.
What Makes a Subnet Public
A subnet is public when its associated route table contains a default route to an internet gateway attached to the VPC. In IPv4 terms, that usually means a route like 0.0.0.0/0 -> igw-....
A minimal public-subnet route table looks like this:
That route table makes the subnet internet-routable. However, an instance in that subnet still needs a public IPv4 address or Elastic IP if you want direct internet communication.
So the practical checklist for a public subnet is:
- the subnet is associated with a route table that points default traffic to an internet gateway
- the VPC has that internet gateway attached
- the instance has a public IP if inbound or outbound internet access is expected
- security groups and network ACLs allow the intended traffic
What Makes a Subnet Private
A private subnet does not have a default route to the internet gateway. If instances in that subnet need outbound internet access for package downloads or API calls, the usual pattern is a NAT gateway in a public subnet.
A typical private-subnet route table looks like this:
With this setup, instances in the private subnet can initiate outbound connections, but unsolicited inbound traffic from the internet cannot reach them directly.
That is why databases, internal services, and application workers are often placed in private subnets.
How to Identify Subnet Type in the AWS Console
In the AWS console, the fastest way to classify a subnet is:
- open the VPC service
- select
Subnets - note the subnet's route table association
- inspect the routes in that route table
If the default route goes to an internet gateway, treat the subnet as public. If it goes to a NAT gateway or there is no default internet route at all, treat it as private.
The name field is not authoritative. Teams often rename resources, and those names can drift away from reality.
CLI-Based Identification
You can also inspect the route table using the AWS CLI.
If the output contains a route whose destination is 0.0.0.0/0 and whose target is an internet gateway such as igw-..., the subnet is public. If the target is a NAT gateway such as nat-..., it is private for normal internet-access purposes.
You can also list subnet details directly:
That helps confirm CIDR range, availability zone, and whether public IP auto-assignment is enabled, but the route table is still the decisive factor.
Public IP Auto-Assignment Is Not the Main Test
Some people assume Auto-assign public IPv4 address = Yes means the subnet is public. That setting is useful, but it is not the actual definition.
A subnet without a route to the internet gateway is still effectively private even if you enable public IP auto-assignment. Likewise, a subnet with an internet-gateway route is structurally public even if an individual instance does not currently have a public IP.
That distinction matters when debugging connectivity.
A Common VPC Layout
A standard highly available VPC often looks like this across two availability zones:
- public subnet A for load balancers and NAT gateway
- public subnet B for load balancers and NAT gateway
- private app subnet A for application servers
- private app subnet B for application servers
- private data subnet A for databases
- private data subnet B for databases
The public subnets route to the internet gateway. The private app subnets usually route to NAT gateways. The database subnets may have no internet route at all.
Common Pitfalls
A common mistake is classifying a subnet by its name instead of its route table. Resource names are conventions, not guarantees.
Another issue is forgetting that an instance in a public subnet still needs a public IP for direct internet communication. A public route table alone does not make the instance reachable.
Teams also sometimes place a NAT gateway in a private subnet, which breaks the design because the NAT gateway itself needs internet access through a public subnet.
Finally, be careful with security groups and network ACLs. A subnet may be public from a routing perspective and still look unreachable because the traffic is blocked elsewhere.
Summary
- A subnet is public if its route table sends default traffic to an internet gateway.
- A subnet is private if it lacks that route or sends default traffic through a NAT gateway.
- Route tables define subnet type more reliably than naming conventions.
- Public instances still need public IP addresses for direct internet communication.
- Always check routes, public IPs, and security controls together when debugging access.

