Labs ICT
Pro Login

Subnets

What are Subnets?

Subnets are subdivisions of your VPC's IP address range. They let you organize and isolate resources within your VPC. Each subnet lives in a specific Availability Zone, which provides redundancy if an AZ goes down.

Think of your VPC as a large building. Subnets are the individual floors or rooms. You can put different types of resources in different rooms and control who can move between them.

Public vs Private Subnets

A public subnet has a route to an internet gateway, meaning resources in it can be directly accessed from the internet. Web servers, load balancers, and bastion hosts typically go in public subnets.

A private subnet has no direct internet route. Resources here can't be reached from the internet but can still reach out (through a NAT gateway) for updates and API calls. Databases and application servers usually live in private subnets for security.

Creating a Subnet

You can create subnets through the console or CLI. Each subnet needs a CIDR block that's a subset of the VPC's range:

aws ec2 create-subnet \
  --vpc-id vpc-0123456789abcdef0 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=public-subnet-1}]'

A /24 CIDR block gives you 256 IP addresses per subnet. Plan your subnets based on how many resources you'll need in each one.

Subnet Sizing

Each subnet reserves 5 IP addresses for AWS internal use — the network address, the VPC router, the DNS server, a future use address, and the broadcast address. So a /24 subnet with 256 addresses really gives you 251 usable IPs.

When planning, give yourself room to grow. It's easier to create a larger subnet now than to re-create everything with larger subnets later. Most architectures use a mix of /24 and /28 subnets.

Best Practices

Always use at least two Availability Zones for high availability. Distribute your public and private subnets across multiple AZs so that if one AZ goes down, your application keeps running.

Use separate subnets for different purposes: web servers, application servers, and databases. This layered approach makes it easier to apply security rules and troubleshoot issues.