This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.
There are four subnet types you can have in an AWS VPC:
- Private
- VPC Only
- VPN Only
- Public
Private subnets have neither instances with public IPs nor a route to an Internet Gateway.
- Default route table: local route allows access to other subnets in the VPC
- Access to other VPCs: can access other VPCs via VPC peer
- Internet access: only through a route to a NAT instance or NAT Gateway
- Use cases: database layer, middleware layer, application layer, etc.
The VPC Only architecture is rare: it provides access only to subnets within the same VPC. It is similar to a private subnet but more restrictive.
- Default route table: local route allows only access to the VPC, no default route
- Access to other VPCs: no access
- Internet access: none
- Use cases: Only used when governance or legal restrictions mandate a subnet with no access outside a VPC
The VPN Only architecture lets a subnet communicate within its VPC and over a VPN to an on-premises data center.
- Default route table: local route allows access to the VPC, default route is the VGW over the VPN
- Access to other VPCs: via VPC peering, or over the VPN through data center routes and another connection to the other VPC
- Internet access: If allowed through on-premises routes
- Use cases: legal or regulatory restrictions; extending the data center to the cloud for on-demand compute, data warehousing, and other services that don't need Internet access. Could be used to run the database layer in the cloud and the front end on-premises.
The Public architecture is used for public services.
- Default route table: local route allows access to other subnets in the VPC, and a default route allows access to the Internet via an Internet Gateway
- Access to other VPCs: via VPC peering
- Access to VPN: possible if a route is added to the route table, but not a best practice
- Use cases: public services such as a web front end, or providing services to a private subnet, such as a NAT instance.
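As an added example (not part of the original notes), the following Python classifier maps a route table, in the shape of the Routes list returned by `aws ec2 describe-route-tables`, to one of the four subnet types described above using the target of its default route, and flags the public-plus-VPN case the notes call out as not a best practice. The route tables and resource IDs are constructed placeholders, not from a real account.

```python
# Constructed route tables in the shape of `aws ec2 describe-route-tables`
# output (the Routes list). Resource IDs are placeholders, not from a real account.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
SAMPLE_TABLES = {
    "rtb-public": [
        LOCAL,
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0placeholder"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0placeholder"},
    ],
    "rtb-private": [
        LOCAL,
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0placeholder"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0placeholder"},
    ],
    "rtb-vpn-only": [
        LOCAL,
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0placeholder"},
    ],
    "rtb-vpc-only": [LOCAL],
}

TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId", "VpcPeeringConnectionId")

def route_target(route):
    """Return whichever target field is set on a route entry, or None."""
    return next((route[k] for k in TARGET_KEYS if route.get(k)), None)

def classify_route_table(routes):
    """Map a route table to one of the four subnet types; returns (type, warnings)."""
    active = [r for r in routes if r.get("State", "active") == "active"]  # skip blackholes
    default = next((r for r in active if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    warnings = []
    if default is None:                       # local route only: VPC Only
        kind = "vpc-only"
        if any(r.get("VpcPeeringConnectionId") for r in active):
            warnings.append("peering route present: not a pure VPC Only subnet")
    else:
        tgt = route_target(default) or ""
        if tgt.startswith("igw-"):            # default route to an Internet Gateway
            kind = "public"
        elif tgt.startswith(("nat-", "i-", "eni-")):  # NAT Gateway or NAT instance
            kind = "private"
        elif tgt.startswith("vgw-"):          # default route to the VGW over the VPN
            kind = "vpn-only"
        else:
            kind = "unknown"
    if kind == "public" and any((route_target(r) or "").startswith("vgw-") for r in active):
        warnings.append("public subnet also routes to a VGW: not a best practice")
    return kind, warnings
```

Run it over the tables an account actually has (for example by feeding each `Routes` list from the CLI's JSON output) to spot subnets whose routing does not match the tier they are meant to be.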