Why do we need subnets?

After designing a custom VPC, we can now consider launching resources like EC2 (Elastic Compute Cloud) instances inside the VPC. However, we still need to configure the VPC for this.

Although a VPC offers a private network environment, resources can’t be directly added to a VPC. In order to add the resources, we must first create a subnet.

A subnet, also known as a subnetwork, is a smaller network within a VPC that is built from a subset of the VPC CIDR block. A subnet is always created within one AWS Availability Zone, making it AZ-resilient. If the selected AZ fails, the subnet and any resources inside will also fail.

It’s crucial to place the resources in different subnets within various Availability Zones in order to maintain fault tolerance and high availability for the services. As a result, the running services won’t experience any downtime due to a single AZ failure.

Types of subnets

The various subnets can be categorized as follows:

Public subnet

Public subnets enable the resources within to connect to and be accessible from the public internet via an internet gateway or egress-only internet gateway.

For example, we can SSH (Secure Shell) into an EC2 (Elastic Compute Cloud) instance on a public subnet from our local computer, and the EC2 instance can also connect to the public internet to download any software updates.

Private subnet

Private subnets don’t allow resources contained within to be accessible from the public internet. They are completely isolated and unreachable from the internet. A Network Address Translation (NAT) gateway can optionally be used to enable outgoing-only internet access from private subnet resources.

For example, we can’t SSH into an EC2 instance placed within a private subnet from our local computer. However, an EC2 instance can connect to the public internet to download software updates if a NAT gateway is also used.

VPN-only subnet

With VPN-only subnets, subnet traffic can be sent through a virtual private gateway to a Site-to-Site VPN connection.

Reserved IPs in a subnet

It’s important to note that not all IP addresses in a subnet are usable: AWS reserves a small number of IP addresses in each subnet for internal use.

Let’s consider our subnet CIDR,, which gives us the IP range

  • The first IP address is reserved for the network address, e.g.,

  • The second IP address, the Network+1 address, is reserved for the Amazon VPC router, e.g.,

  • The third IP address, the Network+2 address, is reserved for DNS, e.g.,

  • The fourth IP address, the Network+3 address, is reserved for future use, e.g.,

  • The last IP address of the subnet is the broadcast address, e.g.,

Create a private subnet

Let’s assume our VPC CIDR is, and we want to create a /20 netmask private subnet in each Availability Zone in the eu-west-1 region. Because the eu-west-1 region has three AZs, we’ll create a total of three private subnets.
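The reserved-address rules and the /20-per-AZ plan above, worked through as an added example (not code from the original page). The VPC CIDR `10.0.0.0/16` and the AZ names are constructed sample values, since the page's own CIDRs are not shown, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample inputs: assumptions for this example, not the page's values.
SAMPLE_VPC_CIDR = "10.0.0.0/16"
SAMPLE_AZS = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]


def reserved_addresses(subnet_cidr):
    """Map each AWS-reserved role to its address in an IPv4 subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)  # rejects set host bits
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS IPv4 subnets must be between /16 and /28")
    base = net.network_address
    return {
        "network": base,
        "vpc_router": base + 1,   # Network+1
        "dns": base + 2,          # Network+2
        "future_use": base + 3,   # Network+3
        "broadcast": net.broadcast_address,
    }


def usable_hosts(subnet_cidr):
    """Addresses left for resources after the five reserved ones."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(subnet_cidr))


def plan_private_subnets(vpc_cidr, azs, new_prefix=20):
    """Assign one non-overlapping subnet of the VPC CIDR to each AZ."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    blocks = vpc.subnets(new_prefix=new_prefix)  # ascending, non-overlapping
    plan = {}
    for az in azs:
        block = next(blocks, None)
        if block is None:
            raise ValueError(f"{vpc} cannot hold {len(azs)} /{new_prefix} subnets")
        plan[az] = block
    return plan


if __name__ == "__main__":
    for az, block in plan_private_subnets(SAMPLE_VPC_CIDR, SAMPLE_AZS).items():
        reserved = ", ".join(str(ip) for ip in reserved_addresses(str(block)).values())
        print(f"{az}: {block} usable={usable_hosts(str(block))} reserved={reserved}")
```

Running the plan before creating anything shows how much of the VPC range each AZ consumes and catches a VPC CIDR that is too small for the intended layout.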
