Mantra Networking Mantra Networking

AWS Networking: Subnets

AWS Networking: Subnets
Created By: Lauren R. Garcia

Table of Contents

  • Overview
  • Types of Subnets
  • Table: Types of Subnets in AWS
  • Conclusion

Overview: AWS Networking – Types of Subnets

What Is It?

In AWS, a subnet (short for subnetwork) is a logical subdivision of an Amazon Virtual Private Cloud (VPC). Subnets let you divide your VPC’s IP address range into smaller segments, grouping resources based on security and operational requirements. Each subnet exists within a single Availability Zone in an AWS region.

Why Do You Need to Know About It?

Understanding AWS subnets is foundational for designing resilient, secure, and scalable cloud environments. Here’s why they matter:

  • Security: Subnets help you segment and isolate resources, providing the ability to tightly control which workloads are internet-facing and which remain private.
  • Compliance: Many compliance frameworks require network segmentation for sensitive data, which is easier to achieve using subnets.
  • Performance and Availability: Placing resources in different subnets across multiple Availability Zones ensures higher availability and disaster recovery capabilities.
  • Cost Management: Network design impacts data transfer costs; understanding subnets helps optimize for both performance and budget.
  • Custom Routing: Subnets work with route tables and security groups, giving fine-grained control over inbound and outbound traffic.

How Does It Work?

A subnet operates by assigning a subset of IP addresses from the VPC’s overall address space. Each resource you launch within AWS—such as EC2 instances, databases, or containers—must reside in a subnet. Associating a subnet with different network components determines its connectivity:

  • Public Subnet: Connected to an Internet Gateway, making its resources internet-accessible.
  • Private Subnet: No direct internet access, typically using a NAT Gateway/Instance for outbound requests.
  • VPN-Only/Isolated Subnet: Used for purely internal applications or connections to on-premises networks, without internet exposure.

Routing tables associated with each subnet control the flow of network traffic. Additional layers of control, such as Network ACLs and Security Groups, can be applied at the subnet or resource level for further protection and traffic management.

In essence, subnets are critical to defining your application’s network surface area, controlling access, and ensuring that AWS infrastructure meets both technical and business needs.

Types of Subnets

AWS subnets are categorized by their routing configuration and network accessibility. Understanding the types of subnets helps you properly architect secure and efficient cloud environments. Below is a practical overview, presented step by step:

  1. Public Subnet:
    • Has a direct route to an Internet Gateway (IGW).
    • Resources inside can communicate with the public internet.
    • Common use: web servers or any resource needing public inbound/outbound connectivity.
  2. Private Subnet:
    • Does not have a direct route to an Internet Gateway.
    • Resources cannot receive traffic from the internet directly.
    • Outbound internet possible via a NAT device (NAT Gateway or NAT Instance).
    • Common use: databases, application servers, backend services.
  3. VPN-Only Subnet:
    • Has routes to a Site-to-Site VPN connection via a Virtual Private Gateway.
    • No route to the Internet Gateway.
    • Common use: resources securely connected to on-premises networks.
  4. Isolated Subnet:
    • Does not have routes outside of the VPC; completely isolated.
    • No access to the internet or VPN.
    • Common use: highly sensitive workloads or compliance-restricted data.
  5. Dual Stack Subnet:
    • Configured with both IPv4 and IPv6 CIDR blocks.
    • Resources can use both protocols as needed for hybrid workloads or transitions.
  6. IPv4-Only and IPv6-Only Subnets:
    • IPv4-Only: Subnet has only an IPv4 CIDR block.
    • IPv6-Only: Subnet has only an IPv6 CIDR block; resources require IPv6 connectivity.

Each subnet must be associated with a route table that defines its allowed outbound routes. The type of subnet primarily depends on how its route table is configured and what gateways or endpoints are included in its routes.

Subnet Type Internet Access Typical Use Case Routing Configuration
Public Direct via Internet Gateway Web servers, public APIs Route to Internet Gateway
Private No direct internet (outbound via NAT) Databases, app servers No IGW route; uses NAT for outbound
VPN-Only No direct internet; access via VPN On-premises connectivity Route to VPN Gateway only
Isolated None Sensitive, isolated systems Only local VPC routes
Dual Stack IPv4 & IPv6 (as configured) Hybrid protocol workloads Table: Types of Subnets in AWS

This table summarizes the main types of AWS subnets, outlining their internet access, typical use cases, and routing configurations. Use this reference to choose the most appropriate subnet type for your AWS architecture:

Subnet Type Internet Access Typical Use Case Routing Configuration
Public Subnet Direct via Internet Gateway Hosting web servers or applications accessible from the internet Route table includes a route to the Internet Gateway
Private Subnet No direct internet; outbound via NAT Databases, internal app servers, backend systems No route to Internet Gateway; uses NAT Gateway/Instance for outbound access
VPN-Only Subnet No direct internet; access through VPN Resources communicating with on-premises environments Route to Virtual Private Gateway (VPN connection)
Isolated Subnet None Sensitive workloads or compliance-restricted resources No outbound routes; local VPC-only communication
Dual Stack Subnet IPv4 & IPv6 as configured Hybrid or transitional workloads requiring both IP protocols Routes for both IPv4 and IPv6 traffic
IPv4-Only Subnet Only IPv4 protocol permitted Standard workloads using legacy IPv4 addressing Only IPv4 routes configured
IPv6-Only Subnet Only IPv6 protocol permitted Emerging workloads using IPv6 native networking Only IPv6 routes configured

Tip: The correct routing and gateway associations are crucial for enforcing security and enabling the expected connectivity for each subnet type.

Conclusion

Throughout this blog post on AWS Networking: Types of Subnets, we explored the core concepts behind subnets and their critical role within the Amazon Virtual Private Cloud (VPC) ecosystem.

Key takeaways include:

  • Subnets are logical subdivisions of a VPC that help organize resources, segment networks, and implement security boundaries.
  • Each subnet resides in a single Availability Zone, supporting fault isolation and high availability.
  • The main types of subnets include:
    • Public Subnets — internet-accessible via an Internet Gateway.
    • Private Subnets — isolated from direct internet access and typically use NAT devices for outbound traffic.
    • VPN-Only Subnets — used for secure on-premises connectivity through VPN.
    • Isolated Subnets — no external connectivity; ideal for sensitive or internal-only workloads.
  • AWS also supports IPv4-onlyIPv6-only, and dual stack (both IPv4 and IPv6) subnets for flexible networking support.
  • Proper routing and firewall rules at both the subnet and resource level (via route tables, NACLs, and security groups) ensure traffic flows securely and efficiently.

Designing your AWS infrastructure with the right mix of subnets helps improve security posture, performance, and overall manageability. Whether you are orchestrating a scalable web application or building a secure enterprise architecture, subnets are a foundational element you can’t overlook.

Thanks for reading, and we hope this helps you on your cloud journey. If you’re building your next architecture, now you know—start with subnets! 🚀

Share Share Share Share Share Email