Public and private subnets

When we create subnets within the VPC network, we typically see subnets with IP addresses from the private ranges, such as 10.0.0.0/16, 172.16.0.0/16, or 192.168.0.0/24. This can sound confusing when we have a VPC with a network of 10.0.0.0/16 that has a public subnet of 10.0.0.0/24 and a private subnet of 10.0.1.0/24: both carry private addresses. The address range does not make a subnet public or private; its routing does. The only difference between public and private subnets is that a public subnet has the following properties:

  • An internet gateway (IGW) attached to its VPC
  • A route in the subnet's route table that points the default route (0.0.0.0/0) at that internet gateway
  • The ability to attach public or Elastic IPs to its instances, which makes them reachable from the internet (subject to the security group and network ACL rules that apply to them)

Public IP addresses are taken from AWS-controlled public address pools and assigned to the instance automatically when it is launched, with no way to choose which address you get. When an instance using a public IP address fails and is recreated, or is stopped and then started again, it will not keep the same public IP address. An Elastic IP address, however, is allocated to your account and persists until you release it, so you can assign the Elastic IP to your instance to retain the address across a stop and start, or you can attach the Elastic IP the failed instance was using to the instance that replaced it. Note that an Elastic IP that is allocated but not associated with a running instance is still billed.

When we say the public or Elastic IP is attached to the instance, we mean that the internet gateway performs a one-to-one NAT between that public address and the instance's private address; nothing in the guest is configured with the public address. From the instance itself, a user will see only the address from within the subnet assigned to the instance's network interface. We do, however, have an option to see the public or Elastic IP address from the instance itself by querying the instance metadata service with the following command, which returns whichever public or Elastic IPv4 address is currently associated with the instance (and an HTTP 404 if there is none):

curl http://169.254.169.254/latest/meta-data/public-ipv4

On instances configured to require IMDSv2, the request must first obtain a session token with a PUT to http://169.254.169.254/latest/api/token (with the X-aws-ec2-metadata-token-ttl-seconds header) and then send that token in the X-aws-ec2-metadata-token header; without it, the command above returns HTTP 401.

A private subnet is simply a subnet whose route table has no route to an internet gateway, so there is no point in assigning public or Elastic IPs to its instances: without a path through an IGW, nothing on the internet can reach them. A private subnet can still have outbound access to the internet via a network address translation (NAT) gateway or a NAT instance. The NAT gateway itself must be placed in a public subnet, since it reaches the internet through the IGW, and the private subnet's route table needs a default route (0.0.0.0/0) pointing at it. Only connections initiated from inside are translated; unsolicited inbound traffic to the NAT gateway's address is dropped. A NAT gateway can be easily created within the VPC configuration and has the following features:

  • Supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps.
  • Supports up to 55,000 simultaneous TCP, UDP, and ICMP connections to each unique destination.
  • Exactly one Elastic IP address is associated with a NAT gateway; once the gateway is created, that address cannot be disassociated.
  • A security group cannot be associated with a NAT gateway; access is instead controlled with security groups on the instances behind it (and with network ACLs on the subnets).
  • A NAT gateway has an automatically assigned private IP in its subnet that can be viewed in the AWS Management Console.
  • A NAT gateway lives in a single Availability Zone; if that zone fails, private subnets routed through it lose internet access, so deploy one NAT gateway per zone for resilience.
  • NAT gateways do not support IPv6 traffic. For IPv6, an egress-only internet gateway provides the same outbound-only behaviour.
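Because the public/private distinction above comes down to the subnet's effective route table, the check a reviewer actually wants is "which of my subnets have a default route to an IGW, which go out through a NAT gateway, and which have no default route at all?" The following is an added example for this section, not code from the original page or from AWS. It works on constructed sample dicts (hypothetical IDs such as vpc-0fff, igw-0123, nat-0456) shaped like the responses of boto3's ec2.describe_subnets() and describe_route_tables(), so it runs offline; replacing them with real API output turns it into an account audit. It also handles the case that bites most often: a subnet with no explicit route-table association silently uses the VPC's main route table, so if the main table carries a 0.0.0.0/0 route to the IGW, every new subnet is public by default.

```python
"""Classify VPC subnets as public, private or isolated from their effective route table.

Added example for this section; not code from the original page or from AWS.
All IDs below are hypothetical and the dicts are constructed sample data shaped
like boto3 ec2.describe_subnets() / describe_route_tables() output.
"""
from typing import Dict, List, Optional

VPC = "vpc-0fff"  # hypothetical VPC ID

# Constructed sample subnets. subnet-0ddd has no explicit route-table
# association below, so it falls through to the VPC's main route table.
SUBNETS: List[dict] = [
    {"SubnetId": "subnet-0aaa", "VpcId": VPC, "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0bbb", "VpcId": VPC, "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0ccc", "VpcId": VPC, "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0ddd", "VpcId": VPC, "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": False},
]

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
IGW_DEFAULT = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}
NAT_DEFAULT = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456", "State": "active"}

ROUTE_TABLES: List[dict] = [
    # Main route table carrying a default route to the IGW: the classic pitfall.
    {"RouteTableId": "rtb-main", "VpcId": VPC,
     "Associations": [{"Main": True}], "Routes": [LOCAL, IGW_DEFAULT]},
    {"RouteTableId": "rtb-public", "VpcId": VPC,
     "Associations": [{"Main": False, "SubnetId": "subnet-0aaa"}], "Routes": [LOCAL, IGW_DEFAULT]},
    {"RouteTableId": "rtb-private", "VpcId": VPC,
     "Associations": [{"Main": False, "SubnetId": "subnet-0bbb"}], "Routes": [LOCAL, NAT_DEFAULT]},
    {"RouteTableId": "rtb-isolated", "VpcId": VPC,
     "Associations": [{"Main": False, "SubnetId": "subnet-0ccc"}], "Routes": [LOCAL]},
]

# Keys under which the EC2 API reports a route's target, depending on its type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId",
               "TransitGatewayId", "VpcPeeringConnectionId")


def effective_route_table(subnet: dict, route_tables: List[dict]) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt: dict) -> Optional[str]:
    """Target ID of the active IPv4 default route (0.0.0.0/0), or None if there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        for key in TARGET_KEYS:
            if key in route:
                return route[key]
    return None


def classify(subnet: dict, route_tables: List[dict]) -> str:
    """public: default route to an IGW; private: default route to anything else
    (NAT gateway, NAT instance, ENI, ...); isolated: no default route at all."""
    rt = effective_route_table(subnet, route_tables)
    target = default_route_target(rt) if rt else None
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private"


def audit(subnets: List[dict], route_tables: List[dict]) -> Dict[str, dict]:
    """Per-subnet classification plus the warnings a reviewer wants next to it."""
    report: Dict[str, dict] = {}
    for s in subnets:
        rt = effective_route_table(s, route_tables)
        kind = classify(s, route_tables)
        warnings = []
        if rt is not None and not any(a.get("SubnetId") == s["SubnetId"] for a in rt["Associations"]):
            warnings.append("no explicit association: implicitly uses main route table " + rt["RouteTableId"])
        if kind == "public" and s.get("MapPublicIpOnLaunch"):
            warnings.append("every instance launched here gets a public IP by default")
        if kind != "public" and s.get("MapPublicIpOnLaunch"):
            warnings.append("auto-assigns public IPs that have no IGW route (unreachable, but still billed)")
        report[s["SubnetId"]] = {"kind": kind,
                                 "route_table": rt["RouteTableId"] if rt else None,
                                 "warnings": warnings}
    return report


if __name__ == "__main__":
    for subnet_id, finding in audit(SUBNETS, ROUTE_TABLES).items():
        print(subnet_id, finding["kind"], finding["route_table"], "; ".join(finding["warnings"]))
```

Run against the sample data, subnet-0ddd is reported as public even though no one ever attached a route table to it, which is exactly the situation to look for in a real account: the fix is either to give the main route table only the local route or to associate every subnet explicitly.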

If any of the characteristics of the NAT gateway do not suit your needs, you are able to spin up your own NAT instance: an EC2 instance in a public subnet that forwards and translates traffic for the private subnets. There are plenty of open source and commercial options available both online and from the AWS Marketplace for NAT instances. Keep in mind that a NAT instance must have its source/destination check disabled (otherwise EC2 drops the forwarded packets), that it is protected by a security group like any other instance, and that patching, scaling, and failover become your responsibility rather than AWS's.

You would want to build private subnets whenever there is a requirement for running services that must not be directly accessible from the internet, such as application backends or database servers. For instance, a general security recommendation is that an RDS database be deployed in a private subnet: with no route from an internet gateway, the database cannot be reached from the internet at all, and its security group can then be limited to the application tier's security group, so exposure is reduced to the one path the design actually needs.
