AWS Networking: Mastering Subnets (SAA-C03)

In the AWS ecosystem, a Subnet is a range of IP addresses in your VPC. It is the fundamental building block for isolating resources and defining communication paths. For the SAA-C03 exam, understanding how subnets interact with Route Tables, Gateways, and Security Layers is critical.

The Real-World Analogy

Think of a VPC as a large office building. The Subnets are the individual floors. You might have a “Public Floor” (Lobby) where anyone can enter, and a “Private Floor” (Server Room) that requires a special badge and can only be accessed by employees already inside the building.

Topics covered in this guide:

  • Public vs. Private Subnet architecture
  • IPv4 CIDR sizing and the “Reserved 5” IPs
  • Route Table associations and Internet Gateways (IGW)
  • Network ACLs vs. Security Groups
  • Multi-AZ Design for High Availability

Core Concepts & Configuration

1. Public vs. Private Subnets

The distinction between a public and private subnet is determined solely by its Route Table:

  • Public Subnet: Has a route entry specifically pointing to an Internet Gateway (IGW) (e.g., 0.0.0.0/0 -> igw-xxxx).
  • Private Subnet: Does not have a direct route to the IGW. It typically uses a NAT Gateway located in a public subnet to reach the internet for updates.

2. CIDR Blocks and Reserved IPs

When you create a subnet, you assign it an IPv4 CIDR block. AWS reserves 5 IP addresses in every subnet. If you have a /28 subnet (16 addresses), only 11 are usable.

IP Address   Purpose
x.x.x.0      Network Address
x.x.x.1      VPC Router
x.x.x.2      DNS (AmazonProvidedDNS)
x.x.x.3      Future Use (Reserved by AWS)
x.x.x.255    Network Broadcast Address, i.e. the last address of the block (AWS does not support broadcast)
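The public/private rule from section 1 and the reserved-address arithmetic above, as an added example in Python (not code from the original guide). It classifies subnets from a constructed sample shaped like `aws ec2 describe-route-tables` output and counts usable hosts per CIDR; every ID and route in it is made up.

```python
from ipaddress import ip_network

# Constructed sample in the shape of `aws ec2 describe-route-tables` output:
# a main table with only the local route, and one table carrying an IGW route.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main0001",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
     "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-public01",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc1234", "State": "active"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-web-a"}]},
]}
SUBNETS = ["subnet-web-a", "subnet-app-a", "subnet-db-a"]  # constructed subnet IDs

def has_igw_route(table):
    """True if any active route in the table targets an Internet Gateway."""
    return any(r.get("State") == "active" and r.get("GatewayId", "").startswith("igw-")
               for r in table["Routes"])

def effective_tables(desc):
    """Return (explicit subnet->table map, main table) from describe output."""
    explicit, main = {}, None
    for table in desc["RouteTables"]:
        for assoc in table["Associations"]:
            if assoc.get("Main"):
                main = table
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = table
    return explicit, main

def classify_subnets(desc, subnet_ids):
    """Label each subnet 'public' or 'private' by its effective route table.

    A subnet with no explicit association silently inherits the main table, so
    an IGW route on the main table makes every such subnet public.
    """
    explicit, main = effective_tables(desc)
    result = {}
    for sid in subnet_ids:
        table = explicit.get(sid, main)
        result[sid] = "public" if table is not None and has_igw_route(table) else "private"
    return result

def usable_hosts(cidr):
    """Usable addresses after AWS reserves the first four and the last one."""
    return ip_network(cidr).num_addresses - 5
```

Run the same classification against a live account by feeding it the parsed JSON of `aws ec2 describe-route-tables` instead of the constructed sample.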

Security: NACLs vs. Security Groups

Subnets are protected by Network Access Control Lists (NACLs). Unlike Security Groups (which are stateful and applied at the instance level), NACLs are stateless and applied at the subnet level.

Decision Matrix: If-Then Guide

  • If you need to block a specific malicious IP address… Then use a NACL (Security Groups cannot deny specific IPs).
  • If you need to allow web traffic to an EC2 instance… Then use a Security Group.
  • If your instances in a private subnet need to download patches… Then route traffic through a NAT Gateway in a Public Subnet.

Exam Tips and Gotchas

  • AZ Limitation: A subnet resides in exactly one Availability Zone. It cannot span multiple AZs. For High Availability, you must create subnets in at least two different AZs.
  • Size Constraints: The smallest allowed CIDR block is /28 and the largest is /16.
  • Default VPC: Every default VPC comes with one public subnet in every AZ by default.
  • NACL Statelessness: If you allow inbound traffic on port 80 in a NACL, you must also allow outbound ephemeral ports (1024-65535) for the response to return.
  • NAT Gateway: Remember that NAT Gateways are managed by AWS and scale automatically, but each one lives in a single AZ. For fault tolerance across AZs, deploy one NAT Gateway per AZ and route each private subnet to the NAT Gateway in its own AZ.

AWS Subnet Architecture Infographic

[Infographic: a VPC (10.0.0.0/16) with an IGW attached; a Public Subnet (AZ-A) hosting the NAT Gateway; a Private Subnet (AZ-A) hosting the Database]

Ecosystem Service Integration

  • IAM: Control who can create/delete subnets.
  • CloudWatch: Monitor Subnet-level metrics via VPC Flow Logs.
  • Auto Scaling: Deploy instances across multiple subnets for HA.

Performance Scaling & Limits

  • Elasticity: Use larger CIDRs (/24 or /20) for Lambda or EKS subnets to avoid IP exhaustion.
  • Latency: Resources in the same subnet/AZ have the lowest latency.

Cost Optimization

  • NAT Gateway: Charged per hour + data processed. Use VPC Endpoints for S3/DynamoDB to save costs.
  • Data Transfer: Traffic between AZs costs money; traffic within the same AZ is usually free.

Production Use Case: A 3-tier architecture. Web Tier in Public Subnets (ELB), App Tier in Private Subnets (EC2), Data Tier in Private Subnets (RDS). Only the Web Tier is accessible from the internet.
