Networking Practical, by Samson Tanimawo, PhD. Published Sep 28, 2025. 4 min read.

Private Subnets

Best practices.

What private subnets are

Subnets without a route to an internet gateway. Resources in private subnets cannot directly reach the internet, and the internet cannot directly reach them.

Egress to the internet, if needed, goes through a NAT gateway in a public subnet. The NAT presents a single public IP.

Private subnets are the default for application workloads. Public subnets are reserved for load balancers, NAT gateways and bastion hosts.

Design pattern per VPC

Three tiers: public (load balancers, NAT), private app (services), private data (databases). One subnet of each tier per AZ.

Route tables per tier. Public subnet: 0.0.0.0/0 to the internet gateway. Private app: 0.0.0.0/0 to the NAT gateway. Private data: no internet route at all.

Per-AZ NAT gateways for HA. Single-AZ NAT means an AZ outage takes down all egress for the VPC.
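A VPC only matches this layout for as long as its route tables do, so here is an added example (not the post's code) that classifies each subnet from its route table exactly as the tiers are defined above and reports drift against the tier a subnet is supposed to be in. It assumes the route-table field names boto3 returns from `ec2.describe_route_tables` (`GatewayId`, `NatGatewayId`, `EgressOnlyInternetGatewayId`, `State`), goes slightly beyond the text by also treating an IPv6 `::/0` route to an internet gateway as public, and runs on constructed sample data rather than calling AWS.

```python
# Added example, not the author's code: classify subnets by their route tables and
# flag drift from the declared tier. Input mirrors the Routes and Associations
# entries ec2.describe_route_tables returns; the sample is constructed (no AWS call).
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def classify_routes(routes):
    """public: default route (v4 or v6) to an internet gateway;
    private-app: default route to a NAT gateway or egress-only IGW;
    private-data: no default route at all."""
    tier = "private-data"
    for r in routes:
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_ROUTES or r.get("State", "active") != "active":
            continue  # only active default routes decide the tier
        if str(r.get("GatewayId", "")).startswith("igw-"):
            return "public"  # any IGW default route makes the subnet public
        if r.get("NatGatewayId") or r.get("EgressOnlyInternetGatewayId"):
            tier = "private-app"  # keep scanning: an IGW route still wins
    return tier


def audit(route_tables, declared):
    """Return (subnet_id, declared_tier, actual_tier) for every mismatch."""
    findings = []
    for rt in route_tables:
        actual = classify_routes(rt["Routes"])
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")  # the main-table association has none
            if subnet and declared.get(subnet) != actual:
                findings.append((subnet, declared.get(subnet), actual))
    return findings


# Constructed sample: three tiers in one AZ; the data subnet has drifted onto NAT.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
SAMPLE_ROUTE_TABLES = [
    {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}],
     "Associations": [{"SubnetId": "subnet-pub-a"}]},
    {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}],
     "Associations": [{"SubnetId": "subnet-app-a"}]},
    {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}],
     "Associations": [{"SubnetId": "subnet-data-a"}]},
]
SAMPLE_DECLARED = {"subnet-pub-a": "public", "subnet-app-a": "private-app",
                   "subnet-data-a": "private-data"}
if __name__ == "__main__":
    for subnet, want, got in audit(SAMPLE_ROUTE_TABLES, SAMPLE_DECLARED):
        print(f"{subnet}: declared {want}, routes say {got}")
```

The declared tiers would normally come from a subnet tag; feeding the real `describe_route_tables` output into `audit` is the quarterly-review check the post asks for.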

Egress patterns

Default: NAT gateway. Standard but expensive ($45/month minimum plus per-GB data processing).

VPC endpoints for AWS services. Gateway endpoints for S3 and DynamoDB are free; interface endpoints for other services are cheaper than NAT for most heavy AWS service usage.

Egress through a centralised egress VPC. Multiple VPCs share NAT capacity. Cost optimisation at scale.

Ingress patterns

Public load balancer in public subnet, targets in private subnet. Standard pattern.

PrivateLink endpoint for SaaS-style internal services. Private connectivity from consumer VPCs.

VPN or Direct Connect for hybrid cloud connectivity. Private subnets accessible through the corporate network.

Operating private subnets

Flow logs on every subnet. Use them to audit egress and to build detection for anomalous traffic.

IAM-based access control on top of network isolation. Defence in depth.

Quarterly review of NACLs and security groups. Drift accumulates; review prunes.