Subnets

Subnets

A subnet is a segment of the IP address range that you use when provisioning your Amazon VPC. It directly provides the active network range to the AWS resources that may run within it, such as Amazon EC2 and Amazon RDS (Amazon Relational Database Service). Subnets are identified through CIDR blocks (e.g., 10.0.1.0/24 and 192.168.0.0/24), and the subnet’s CIDRs must be within the VPC’s CIDR.

An Availability Zone (AZ) is a single or multi-data center located within a Region and identified based on geographical location. Within an AZ, there can be one or more subnets. However, a subnet can only reside in a single AZ and cannot extend to other AZs.

Subnets are categorized as:

  • Public subnet – The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet.
  • Private subnet – The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet.
  • VPN-only subnet – The subnet has a route to a Site-to-Site VPN connection through a virtual private gateway. The subnet does not have a route to an internet gateway.
  • Isolated subnet – The subnet has no routes to destinations outside its VPC. Resources in an isolated subnet can only access or be accessed by other resources in the same VPC.

Regardless of the subnet type, the internal IP addresses within the subnet are always private, meaning they cannot be directly connected to from outside the Internet.

When selecting CIDR for subnets, consider the number of IPs needed for allocated resources (such as EC2, Lambda, etc.). For example, creating a subnet with 10.0.1.0/24 allows for 256 IPs, excluding AWS’s 5 reserved IPs, leaving 251 available IPs. Plan the quantity of subnets to be created in the future for easy management.

Utilize subnetting tools.

ConnectPrivate