So I'm just learning about AWS VPC networking. From what I understand the main difference between a public subnet and private subnet is whether or not traffic in that subnet can be routed to the Internet Gateway (through route table rules).
However, this doesn't seem to be the only difference between the two. I notice a public subnet would always have auto-assign public IP address enabled, while private subnets would have it disabled.
So as a thought experiment I wonder what would happen if I disable the auto-assign feature in a public subnet, or enable it in a private subnet?
I can kind of guess that probably nothing would happen if I enable it in a private subnet because no traffic can be routed to the Internet Gateway anyway. So the auto-assigned IP addresses would simply go to waste.
But what about the first scenario? If I disable auto-assign in the public subnet, would the traffic still be able to be routed to the Internet Gateway and eventually to the Internet? Can I just create a NAT in that public subnet and route all Internet traffic to the NAT, so that we don't need to assign public IP to all public instances? I know we can just move those instances to the private subnet and route them to NAT, but I'm just curious if we have to assign individual IP addresses to all instances in the public subnet, because that seems a bit unnecessary to me.
CodePudding user response:
NAT is your one-way out to the internet: instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.
-> This means that you still need to assign a public IP to your instance in order for a service outside of your VPC to access that instance.
CodePudding user response:
From what I understand the main difference between a public subnet and private subnet is whether or not traffic in that subnet can be routed to the Internet Gateway (through route table rules).
This is correct.
However, this doesn't seem to be the only difference between the two. I notice public subnet would always have auto-assign public IP address enabled, while private subnets would have it disabled.
This is also correct. Any entity that wants to talk to another over the public internet needs a public IP.
When you use a public subnet, the IP that "comes out" of AWS is that of the network interface associated with the resource (e.g. EC2), whereas when you use a private subnet with a NAT gateway (since this is the only way to give internet connectivity to a private subnet), the IP that "comes out" of AWS is that of the network interface associated with the NAT gateway.
So as a thought experiment I wonder what would happen if I disable the auto-assign feature in a public subnet, or enable it in a private subnet?
If you were to disable the auto-assign feature in a public subnet, then any network interface created in that subnet (whether the one associated with an EC2 instance or the one associated with an elastic IP for a NAT gateway) will not have a public IP. This will indeed prevent traffic from going out to the internet.
If you were to enable the auto-assign feature in a private subnet, you wouldn't actually be impacting anything.
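To make the rules in the answers above concrete, here is an added example (not part of either answer, and not AWS or boto3 code) that models the two subnets as a small offline reachability check. The route table, subnet, NAT gateway and instance records are constructed to mimic the shape of the `describe_route_tables`, `describe_subnets`, `describe_nat_gateways` and `describe_instances` responses; all identifiers (`subnet-public`, `igw-0example`, `nat-0example`, `i-web`, the 203.0.113.0/24 addresses) are made-up placeholders. The check applies exactly the reasoning in the thread: a subnet is "public" when its 0.0.0.0/0 route targets an internet gateway; an instance gets internet egress and ingress only if it sits in such a subnet and has a public IP; an instance in a subnet whose default route targets a NAT gateway gets egress only (and only if the NAT gateway itself lives in a public subnet), with the NAT gateway's address as the source; and a public IP on an instance in a private subnet is simply unused.

```python
"""Offline model of VPC subnet reachability (added example, constructed data)."""

# Constructed sample data: one VPC (10.0.0.0/16) with a public and a private
# subnet. These dicts imitate boto3 response shapes; they are not real data.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        ],
    },
]

SUBNETS = {
    "subnet-public": {"MapPublicIpOnLaunch": True},   # auto-assign enabled
    "subnet-private": {"MapPublicIpOnLaunch": False},  # auto-assign disabled
}

# A NAT gateway must itself sit in a subnet that routes to an IGW.
NAT_GATEWAYS = {"nat-0example": {"SubnetId": "subnet-public"}}

INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-public", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-web-noip", "SubnetId": "subnet-public", "PublicIpAddress": None},
    {"InstanceId": "i-app", "SubnetId": "subnet-private", "PublicIpAddress": None},
    {"InstanceId": "i-app-wasted", "SubnetId": "subnet-private", "PublicIpAddress": "203.0.113.20"},
]


def route_table_for(subnet_id):
    """Find the route table explicitly associated with a subnet."""
    for rt in ROUTE_TABLES:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return None  # implicit main-table association is not modelled here


def default_route_target(rt):
    """Return ("igw", id), ("nat", id) or None for the 0.0.0.0/0 route."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return ("igw", route["GatewayId"])
        if route.get("NatGatewayId"):
            return ("nat", route["NatGatewayId"])
    return None


def classify_subnet(subnet_id):
    """A subnet is public when its default route points at an internet gateway."""
    rt = route_table_for(subnet_id)
    target = default_route_target(rt) if rt else None
    return "public" if target and target[0] == "igw" else "private"


def connectivity(instance):
    """Apply the thread's rules to one instance."""
    rt = route_table_for(instance["SubnetId"])
    target = default_route_target(rt) if rt else None
    result = {
        "subnet_kind": classify_subnet(instance["SubnetId"]),
        "egress": False,          # can reach the internet
        "ingress": False,         # reachable from the internet
        "egress_source_ip": None,  # what address the outside world sees
    }
    if target is None:
        return result
    kind, target_id = target
    if kind == "igw" and instance.get("PublicIpAddress"):
        # IGW route plus own public IP: two-way, with the instance's own address.
        result.update(egress=True, ingress=True, egress_source_ip=instance["PublicIpAddress"])
    elif kind == "nat":
        # NAT route: one-way out, source address is the NAT gateway's; the
        # instance's own public IP (if any) is never used.
        nat_subnet = NAT_GATEWAYS[target_id]["SubnetId"]
        if classify_subnet(nat_subnet) == "public":
            result.update(egress=True, egress_source_ip="nat:" + target_id)
    return result


def audit(instances):
    """Flag exposure and misconfiguration the thread discusses."""
    findings = []
    for inst in instances:
        c = connectivity(inst)
        if c["ingress"]:
            findings.append((inst["InstanceId"], "reachable from the internet"))
        if inst.get("PublicIpAddress") and c["subnet_kind"] == "private":
            findings.append((inst["InstanceId"], "public IP in private subnet is unused"))
        if c["subnet_kind"] == "public" and not inst.get("PublicIpAddress"):
            findings.append((inst["InstanceId"], "no public IP in public subnet: no internet egress"))
    return findings


if __name__ == "__main__":
    for inst in INSTANCES:
        print(inst["InstanceId"], connectivity(inst))
    for finding in audit(INSTANCES):
        print(*finding)
```

Running it shows the four cases from the thread side by side: `i-web` is two-way reachable with its own address, `i-web-noip` has no internet path at all despite the IGW route, `i-app` has egress only with the NAT gateway's address as source, and `i-app-wasted` gets the same egress as `i-app` while its public IP is flagged as unused. The same functions can be pointed at real `describe_*` output to inventory which instances in an account are actually internet-reachable.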