AWS
VPC
private subnet
public subnet
cloud networking

AWS VPC identify private and public subnet

Master System Design with Codemia

Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.

Introduction

In AWS, a subnet is considered public or private based on its routing, not on its name. The key question is whether the subnet's route table sends internet-bound traffic directly to an internet gateway or keeps that traffic behind a NAT gateway or other private path.

What Makes a Subnet Public

A subnet is public when its associated route table contains a default route to an internet gateway attached to the VPC. In IPv4 terms, that usually means a route like 0.0.0.0/0 -> igw-....

A minimal public-subnet route table looks like this:

text
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       igw-123456

That route table makes the subnet internet-routable. However, an instance in that subnet still needs a public IPv4 address or Elastic IP if you want direct internet communication.

So the practical checklist for a public subnet is:

  • the subnet is associated with a route table that points default traffic to an internet gateway
  • the VPC has that internet gateway attached
  • the instance has a public IP if inbound or outbound internet access is expected
  • security groups and network ACLs allow the intended traffic

What Makes a Subnet Private

A private subnet does not have a default route to the internet gateway. If instances in that subnet need outbound internet access for package downloads or API calls, the usual pattern is a NAT gateway in a public subnet.

A typical private-subnet route table looks like this:

text
Destination     Target
10.0.0.0/16     local
0.0.0.0/0       nat-abcdef

With this setup, instances in the private subnet can initiate outbound connections, but unsolicited inbound traffic from the internet cannot reach them directly.

That is why databases, internal services, and application workers are often placed in private subnets.

How to Identify Subnet Type in the AWS Console

In the AWS console, the fastest way to classify a subnet is:

  1. open the VPC service
  2. select Subnets
  3. note the subnet's route table association
  4. inspect the routes in that route table

If the default route goes to an internet gateway, treat the subnet as public. If it goes to a NAT gateway or there is no default internet route at all, treat it as private.

The name field is not authoritative. Teams often rename resources, and those names can drift away from reality.

CLI-Based Identification

You can also inspect the route table using the AWS CLI.

bash
aws ec2 describe-route-tables \
  --filters Name=association.subnet-id,Values=subnet-12345678

If the output contains a route whose destination is 0.0.0.0/0 and whose target is an internet gateway such as igw-..., the subnet is public. If the target is a NAT gateway such as nat-..., it is private for normal internet-access purposes.

You can also list subnet details directly:

bash
aws ec2 describe-subnets --subnet-ids subnet-12345678

That helps confirm CIDR range, availability zone, and whether public IP auto-assignment is enabled, but the route table is still the decisive factor.

Public IP Auto-Assignment Is Not the Main Test

Some people assume Auto-assign public IPv4 address = Yes means the subnet is public. That setting is useful, but it is not the actual definition.

A subnet without a route to the internet gateway is still effectively private even if you enable public IP auto-assignment. Likewise, a subnet with an internet-gateway route is structurally public even if an individual instance does not currently have a public IP.

That distinction matters when debugging connectivity.

A Common VPC Layout

A standard highly available VPC often looks like this across two availability zones:

  • public subnet A for load balancers and NAT gateway
  • public subnet B for load balancers and NAT gateway
  • private app subnet A for application servers
  • private app subnet B for application servers
  • private data subnet A for databases
  • private data subnet B for databases

The public subnets route to the internet gateway. The private app subnets usually route to NAT gateways. The database subnets may have no internet route at all.

Common Pitfalls

A common mistake is classifying a subnet by its name instead of its route table. Resource names are conventions, not guarantees.

Another issue is forgetting that an instance in a public subnet still needs a public IP for direct internet communication. A public route table alone does not make the instance reachable.

Teams also sometimes place a NAT gateway in a private subnet, which breaks the design because the NAT gateway itself needs internet access through a public subnet.

Finally, be careful with security groups and network ACLs. A subnet may be public from a routing perspective and still look unreachable because the traffic is blocked elsewhere.

Summary

  • A subnet is public if its route table sends default traffic to an internet gateway.
  • A subnet is private if it lacks that route or sends default traffic through a NAT gateway.
  • Route tables define subnet type more reliably than naming conventions.
  • Public instances still need public IP addresses for direct internet communication.
  • Always check routes, public IPs, and security controls together when debugging access.

Course illustration
Course illustration

All Rights Reserved.