Reputation: 5972
I have a beginner question. I have a subnet whose route table is pointing to an internet gateway (0.0.0.0/0). However, the public IP address assignment is not enabled. Does that make this a private or public subnet? There is no NAT gateway attached. It's just the internet gateway, with no public IP assigned to the subnet's instances. I am aware of the differences between public and private, but the above case does not seem so clear to me. What are the exact conditions that make a subnet private or public?
Upvotes: 4
Views: 2667
Reputation: 41
It is a public subnet only, actually; it doesn't matter whether you have enabled public IP or not. As you have attached the internet gateway, your subnet is connected with the internet. It works like a private subnet because your internet gateway is unreachable from the internet, as you have not enabled public IP for it. But as soon as you enable the public IP, it will become reachable from the internet.
Upvotes: 0
Reputation: 3703
All the answers are correct, but I think they do not clearly address your concern yet, so let me take a stab.
Whether a subnet is private or public depends only on the existence of a route to an Internet Gateway. I think you know this.
Regarding your question:
However, the public IP address assignment is not enabled.
Does it make the subnet private?
The answer is no, because during instance launch, you can override the subnet's public IP addressing attribute. You can try to launch an EC2 instance in your subnet. Even though Public IP addressing is not enabled in the subnet, you can still choose to assign a Public IP to the instance.
Likewise, you can have a public subnet, but your NACL is configured to block traffic to public IPs. Does this make the subnet private?
The answer is no, because a NACL is typically used to allow or deny specific IP and port ranges. For example, in a public subnet, if you have identified a set of malicious activity coming from certain IPs, you probably want to block them in your NACL. Likewise, in a private subnet, you likely don't block traffic to the internet by specifying a deny rule in the NACL. You just don't configure a route to an internet gateway.
Upvotes: 2
Reputation: 4077
What are the exact conditions that make a subnet private or public?
What makes a subnet public or private is:
Public subnet: The subnet's IPv4 or IPv6 traffic is routed to an internet gateway or an egress-only internet gateway and can reach the public internet.
Private subnet: The subnet’s IPv4 or IPv6 traffic is not routed to an internet gateway or egress-only internet gateway and cannot reach the public internet.
So in your case, as your subnet has a route to the Internet Gateway, that subnet is a public one.
However, despite the fact that the subnet is public, if you launch instances without a public IP, these instances will not be accessible from the internet, nor will they have internet connectivity.
Upvotes: 2
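As an added example (not code from any answer in this thread), the following Python applies the rule the answers give, a default route for 0.0.0.0/0 or ::/0 to an internet gateway or egress-only internet gateway, to data shaped like the EC2 DescribeSubnets/DescribeRouteTables responses. The subnet and route table values are constructed, and the function names are my own.

```python
# Added example (not from the thread): classify subnets from data shaped like
# EC2 DescribeSubnets / DescribeRouteTables responses. All data is constructed.
def effective_route_table(subnet, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def is_public(subnet, route_tables):
    """Public iff an active default route (0.0.0.0/0 or ::/0) targets an igw-*
    or eigw-*. MapPublicIpOnLaunch is ignored: it is only a launch default."""
    rt = effective_route_table(subnet, route_tables)
    for route in (rt or {}).get("Routes", []):
        if route.get("State", "active") != "active":
            continue
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gw = route.get("GatewayId") or route.get("EgressOnlyInternetGatewayId") or ""
        if dest in ("0.0.0.0/0", "::/0") and gw.startswith(("igw-", "eigw-")):
            return True
    return False

def classify(subnet, route_tables):
    """'private', 'public', or the asker's case: a public subnet whose
    instances get no public IP unless one is assigned at launch."""
    if not is_public(subnet, route_tables):
        return "private"
    if subnet.get("MapPublicIpOnLaunch", False):
        return "public"
    return "public (no public IP by default)"

# Constructed sample: subnet-a has an explicit table with an IGW route but
# auto-assign public IP off; subnet-b uses the main table, which has no IGW.
SUBNETS = [
    {"SubnetId": "subnet-a", "VpcId": "vpc-1", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-b", "VpcId": "vpc-1", "MapPublicIpOnLaunch": True},
]
ROUTE_TABLES = [
    {"VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
]
```

Note that subnet-b stays private even though auto-assign public IP is on, which is the point made below about public IPs in private subnets.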
Reputation: 270104
The definition of a Public Subnet in an Amazon VPC is: a subnet with a route for 0.0.0.0/0 that points to an Internet Gateway.
To communicate with the Internet, resources in the Public Subnet also need a Public IP address.
Upvotes: 6
Reputation: 238747
Does that make this a private or public subnet?
It's public, as you can start an instance with a public IP. There is no need to enable public IP at the subnet level to have an instance with a public IP that is accessible from the internet.
In contrast, resources in a private subnet are not accessible from the internet, even if they have a public IP. And yes, you can create an instance with a public IP in a private subnet, but such an instance will not be reachable from the internet.
Upvotes: 1