Developer404

Reputation: 5972

What makes a subnet private in AWS

I have a beginner's question. I have a subnet whose route table points to an internet gateway (0.0.0.0/0). However, public IP address assignment is not enabled. Does that make this a private or a public subnet? There is no NAT gateway attached. It's just the internet gateway, with no public IP assigned to the subnet's instances. I am aware of the differences between public and private, but the above case is not so clear to me. What are the exact conditions that make a subnet private or public?

Upvotes: 4

Views: 2667

Answers (5)

Devesh Nanwani

Reputation: 41

It is a public subnet. Actually, it doesn't matter whether you have enabled public IP or not: as you have attached the internet gateway, your subnet is connected to the internet. It works like a private subnet because your internet gateway is unreachable from the internet, as you have not enabled public IP for it. But as soon as you enable the public IP, it will become reachable from the internet.

Upvotes: 0

Winson Tanputraman

Reputation: 3703

All the answers are correct, but I think they do not clearly address your concern yet, so let me take a stab.

Whether a subnet is private or public depends only on the existence of a route to an Internet Gateway. I think you know this.

Regarding your question:

However the public ip address assignation is not enabled.

Does it make the subnet private?

The answer is no, because during instance launch, you can override the subnet's public IP addressing attribute. You can try to launch an EC2 instance in your subnet. Even though Public IP addressing is not enabled in the subnet, you can still choose to assign a Public IP to the instance.

Likewise, you can have a public subnet, but your NACL is configured to block traffic to public IPs. Does this make the subnet private?

The answer is no, because a NACL is typically used to allow or deny specific IP and port ranges. For example, in a public subnet, if you have identified a set of malicious activity coming from certain IPs, you probably want to block them in your NACL. Likewise, in a private subnet you likely don't block traffic to the internet by specifying a deny rule in the NACL. You just don't configure a route to an internet gateway.

Upvotes: 2

OARP

Reputation: 4077

What are the exact conditions that make a subnet private or public?

What makes a subnet public or private is:

Public subnet: The subnet's IPv4 or IPv6 traffic is routed to an internet gateway or an egress-only internet gateway and can reach the public internet.

Private subnet: The subnet’s IPv4 or IPv6 traffic is not routed to an internet gateway or egress-only internet gateway and cannot reach the public internet.

So in your case, as your subnet has a route to the Internet Gateway, that subnet is a public one.

However, despite the fact that the subnet is public, if you launch instances without a public IP, these instances will not be accessible from the internet, nor will they have internet connectivity.

Upvotes: 2

John Rotenstein

Reputation: 270104

The definition of a Public Subnet in an Amazon VPC is:

  • The Route Table attached to the Subnet has a Route with a destination of 0.0.0.0/0 that points to an Internet Gateway

To communicate with the Internet, resources in the Public Subnet also need a Public IP address.

Upvotes: 6

Marcin

Reputation: 238747

Does that make this as private or public subnet?

It's public, as you can start an instance with a public IP. There is no need to enable public IP at the subnet level to have an instance with a public IP that is accessible from the internet.

In contrast, resources in a private subnet are not accessible from the internet, even if they have a public IP. And yes, you can create an instance with a public IP in a private subnet, but such an instance will not be reachable from the internet.

Upvotes: 1
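The rule the answers converge on (public = the subnet's effective route table sends 0.0.0.0/0 or ::/0 to an Internet Gateway or egress-only IGW, regardless of the subnet's auto-assign public IP setting) can be applied mechanically when auditing a VPC. The script below is an added example, not from any answer above; it works over a constructed sample shaped like `aws ec2 describe-route-tables` output (the route table and gateway IDs are placeholders), and resolves subnets without an explicit association to the VPC's main route table, as AWS does.

```python
"""Classify VPC subnets as public or private from describe-route-tables output.

Rule (from the answers above): a subnet is public when its effective route
table has an active route for 0.0.0.0/0 or ::/0 whose target is an Internet
Gateway (igw-...) or an egress-only Internet Gateway (eigw-...).
Subnets with no explicit association inherit the VPC's main route table.
NAT gateway routes (nat-...) do NOT make a subnet public.
"""

# Constructed sample; IDs are placeholders, not real resources.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"}]},
    {"RouteTableId": "rtb-nat", "Associations": [{"Main": False, "SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER", "State": "active"}]},
]


def has_igw_default_route(route_table):
    """True if any active default route (v4 or v6) targets an IGW or egress-only IGW."""
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in ("0.0.0.0/0", "::/0"):
            continue
        if route.get("State", "active") == "blackhole":  # target was deleted; no reachability
            continue
        target = route.get("GatewayId") or route.get("EgressOnlyInternetGatewayId") or ""
        if target.startswith(("igw-", "eigw-")):
            return True
    return False


def classify_subnets(route_tables, subnet_ids):
    """Map each subnet ID to 'public' or 'private' using its effective route table."""
    main = next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt["Associations"] if a.get("SubnetId")}
    return {sid: ("public" if has_igw_default_route(explicit.get(sid, main)) else "private")
            for sid in subnet_ids}


if __name__ == "__main__":
    # subnet-c has no explicit association, so it falls back to rtb-main (private)
    for sid, kind in classify_subnets(SAMPLE_ROUTE_TABLES, ["subnet-a", "subnet-b", "subnet-c"]).items():
        print(f"{sid}: {kind}")
```

Note that a "public" result only says the subnet can route to the internet; as the answers point out, an instance in it is still unreachable until it also has a public IP, so pair this with a check of each instance's public address.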
