My understanding is - Yes. For a subnet to be public,
- The VPC to which it belongs to should have an Internet Gateway attached
- Route should exist in Subnet's route table to Internet Gateway
So this makes me believe that just attaching Internet Gateway doesn't make it's subnets public, and private subnets can exist in a VPC with an attached IGW.
Is my understanding correct?
CodePudding user response:
Yes, your understanding is correct. That's exactly how you have both public and private subnets in the same VPC.
CodePudding user response:
You can have private subnets in a VPC that has IGW. You can also have a VPC with private and public subnets with a NAT Gateway, it's not limited to just the IGW. The usual use case is that you may want to have EC2 instances, but not have them be publicly available so they'll use the private subnet, but you still need them to access public internet for packages/updates etc., in which case you can use a NAT Gateway. (The NAT will be on the public subnet however) You can think of it as, the IGW is both-ways, but the NAT Gateway is one way, it simply forwards your outgoing traffic to the public internet.
Main differences you'll encounter between IGW vs NAT boil down to:
- NAT is more expensive
- IGW is the way to go if you want the instances to be publicly accessible, if not you'll use a NAT.
- NAT Gateways are AZ-based so you'll need one in each AZ you use for high availability.
There are more differences such as security groups not being available for NATs but these were the main ones that affect my use cases.