Private Subnets
Best practices.
What private subnets are
Private subnets deny direct internet exposure by default. Application workloads belong here, not in public subnets; the missing internet-gateway route is the load-bearing security control that makes "private" actually private.
- No internet-gateway route. Missing IGW route per subnet; resources cannot directly reach the internet, and the internet cannot directly reach them.
- Egress through NAT. NAT gateway in a public subnet per VPC; presents a single public IP for outbound traffic.
- Default for application workloads. Public subnets reserved for load balancers, NAT, bastion; the app tier sits private.
- Explicit route table per subnet. Named route table per subnet supports auditing and prevents accidental cross-tier routing.
Design pattern per VPC
The canonical VPC has three subnet tiers per AZ: public, private app, private data. Three tiers per AZ across at least two AZs is the minimum production shape.
- Three tiers per AZ. Public, private app, private data subnet per AZ; the standard pattern that survives audit.
- Routes by tier. IGW for public, NAT for private app, no-internet for private data; explicit per tier.
- Per-AZ NAT gateways. Dedicated NAT gateway per AZ for HA; single-AZ NAT means AZ outage kills VPC egress.
- Security group per tier. Dedicated SG per tier supports least-privilege traffic patterns between tiers.
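The "no IGW route" control and the per-tier route shape are easy to assert mechanically once every subnet has its own route table. The following audit is an added example for this page, not code from any project: it takes route tables in the shape that boto3's ec2.describe_route_tables() returns, classifies each one by its default-route target (IGW, NAT gateway, or none), and flags subnets whose routing does not match their intended tier or that share a route table with another subnet. The sample route tables and the naming convention used to derive the intended tier (subnet ids containing "public", "app" or "data") are constructed assumptions for the example.

```python
"""Classify subnets by route-table shape and flag tier/route mismatches.

Assumes route tables in the shape returned by EC2 DescribeRouteTables
(boto3: ec2.describe_route_tables()["RouteTables"]). All sample data below
is constructed for this example and does not come from a real account.
"""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample: one route table per subnet, plus two deliberate
# defects (an isolated data subnet routed to the IGW, and a shared table).
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public-1a",
        "Associations": [{"SubnetId": "subnet-public-1a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0123abcd"},
        ],
    },
    {
        "RouteTableId": "rtb-app-1a",
        "Associations": [{"SubnetId": "subnet-app-1a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0123abcd"},
        ],
    },
    {
        "RouteTableId": "rtb-data-1a",
        "Associations": [{"SubnetId": "subnet-data-1a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
    {
        # Drift: a data subnet that someone pointed at the internet gateway.
        "RouteTableId": "rtb-data-1b",
        "Associations": [{"SubnetId": "subnet-data-1b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0123abcd"},
        ],
    },
    {
        # One table shared by two subnets: violates "explicit route table per subnet".
        "RouteTableId": "rtb-shared",
        "Associations": [{"SubnetId": "subnet-app-1b"}, {"SubnetId": "subnet-app-1c"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0123abcd"},
        ],
    },
]


def classify_route_table(route_table):
    """Return 'public', 'private-app' or 'private-data' from the default route.

    IGW default route -> public; NAT default route -> private-app;
    no default route at all -> private-data (no internet path).
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-app"
    return "private-data"


def expected_tier(subnet_id):
    """Intended tier from the naming convention (an assumption of this example)."""
    if "public" in subnet_id:
        return "public"
    if "app" in subnet_id:
        return "private-app"
    if "data" in subnet_id:
        return "private-data"
    return "unknown"


def audit_route_tables(route_tables):
    """Return {subnet_id: [findings]}; an empty list means the subnet is compliant."""
    findings = {}
    for rt in route_tables:
        actual = classify_route_table(rt)
        # Skip the main-table association, which has no SubnetId.
        subnets = [a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a]
        for subnet_id in subnets:
            issues = []
            if len(subnets) > 1:
                issues.append(
                    f"shares route table {rt['RouteTableId']} with "
                    f"{len(subnets) - 1} other subnet(s)"
                )
            want = expected_tier(subnet_id)
            if want != actual:
                issues.append(f"expected {want} routing, found {actual}")
            findings[subnet_id] = issues
    return findings


if __name__ == "__main__":
    for subnet, issues in audit_route_tables(SAMPLE_ROUTE_TABLES).items():
        print(subnet, "OK" if not issues else "; ".join(issues))
```

Run against a real account, the same functions consume the `RouteTables` list from boto3 unchanged; the only site-specific piece is `expected_tier`, which should read the tier from a subnet tag rather than the id in practice.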
Egress patterns
Egress patterns are the cost lever. NAT gateways are expensive; VPC endpoints are cheaper for AWS services; centralised egress consolidates NAT capacity at org scale.
- NAT gateway. Standard NAT per AZ; expensive at about $45/month minimum plus per-GB processing.
- VPC endpoints. AWS service endpoints; free for S3 and DynamoDB, cheaper than NAT for heavy AWS-service usage.
- Centralised egress VPC. Shared NAT capacity across VPCs per org; cost optimisation that pays off at meaningful scale.
- Egress-cost report per account. Data-processing line in the bill catches noisy egress sources before they dominate the cloud bill.
Ingress patterns
Ingress to private subnets goes through specific controlled paths. Public load balancer with private targets is the standard; PrivateLink and VPN cover the rest.
- Public LB to private targets. LB in public, targets in private per VPC; the standard pattern that exposes the load balancer rather than the application.
- PrivateLink endpoint. SaaS-style endpoint per service; private connectivity from consumer VPCs without internet routing.
- VPN or Direct Connect. Hybrid connectivity per org; private subnets accessible through corporate networks for admin paths.
- Named owner per ingress. Team responsibility per ingress path supports operational reviews and incident response.
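The "public LB to private targets" pattern above, combined with a dedicated security group per tier, reduces to a checkable chain: the LB group is the only one allowed to admit CIDR ranges, the app group admits only the LB group, and the data group admits only the app group. The following check is an added example for this page, not code from any project: it takes security groups in the shape that boto3's ec2.describe_security_groups() returns and reports any ingress rule whose source is outside the expected chain. The sample groups, their ids, and the `TIER_CHAIN` policy are constructed assumptions for the example.

```python
"""Verify that each tier's security group only admits the tier above it.

Assumes security groups in the shape returned by EC2 DescribeSecurityGroups
(boto3: ec2.describe_security_groups()["SecurityGroups"]). All sample data
below is constructed for this example.
"""

# Constructed sample: LB (public subnet) -> app (private) -> data (private).
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-lb",
        "GroupName": "tier-lb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-app",
        "GroupName": "tier-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
            # Drift: SSH opened from the whole VPC CIDR instead of a bastion group.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-data",
        "GroupName": "tier-data",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        ],
    },
]

# Expected ingress sources per tier group (constructed policy). Only the LB
# tier may admit CIDR ranges; private tiers admit only the group above them.
TIER_CHAIN = {
    "sg-lb": {"cidrs": {"0.0.0.0/0"}, "groups": set()},
    "sg-app": {"cidrs": set(), "groups": {"sg-lb"}},
    "sg-data": {"cidrs": set(), "groups": {"sg-app"}},
}


def _port_label(perm):
    """Human-readable 'from-to/protocol' label; '-1' protocol rules have no ports."""
    return f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}/{perm['IpProtocol']}"


def audit_tier_chain(security_groups, tier_chain):
    """Return {group_id: [findings]} for every group named in tier_chain."""
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings = {}
    for group_id, allowed in tier_chain.items():
        sg = by_id.get(group_id)
        if sg is None:
            findings[group_id] = ["security group not found"]
            continue
        issues = []
        for perm in sg.get("IpPermissions", []):
            label = _port_label(perm)
            for rng in perm.get("IpRanges", []):
                if rng["CidrIp"] not in allowed["cidrs"]:
                    issues.append(f"{label} open to CIDR {rng['CidrIp']}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed["groups"]:
                    issues.append(f"{label} open to group {pair['GroupId']}")
        findings[group_id] = issues
    return findings


if __name__ == "__main__":
    for group, issues in audit_tier_chain(SAMPLE_SECURITY_GROUPS, TIER_CHAIN).items():
        print(group, "OK" if not issues else "; ".join(issues))
```

The check is intentionally allow-list shaped: anything not named in `TIER_CHAIN` is a finding, which is what makes the quarterly SG review a diff against policy rather than a read-through of every rule.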
Operating private subnets
Operating private subnets is a discipline: VPC Flow Logs on every subnet, IAM-based access control as defence in depth, quarterly NACL and SG reviews, and network IaC for change review.
- Flow logs on every subnet. VPC Flow Logs per subnet support egress auditing and anomalous-traffic detection.
- IAM-based access control. IAM layer per resource on top of network isolation; defence in depth rather than network-only security.
- Quarterly NACL and SG review. Rule-list audit per quarter; drift accumulates between reviews, and the review prunes it.
- Network IaC per VPC. Terraform definition per VPC supports change review and prevents click-ops drift.
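Two items above, the egress-cost report (under "Egress patterns") and flow logs on every subnet, share one implementation: rank the private sources sending the most bytes off-VPC, and flag any such traffic from subnets that should have no internet route at all. The following analyser is an added example for this page, not code from any project: it parses the default VPC Flow Log record format (version 2, 14 space-separated fields) and sums accepted bytes flowing from RFC 1918 sources to non-RFC 1918 destinations. The log lines are constructed for the example, and treating every non-RFC 1918 destination as "internet" is an assumption that holds only when all VPC and peered address space is RFC 1918.

```python
"""Rank internet-egress sources and flag unexpected egress from VPC Flow Logs.

Parses the default flow-log format (version 2: version account-id interface-id
srcaddr dstaddr srcport dstport protocol packets bytes start end action
log-status). The records below are constructed for this example.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: all VPC and peered address space is RFC 1918, so anything
# outside these ranges is treated as off-VPC (internet) for this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for internet destinations.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-app1 10.0.10.5 203.0.113.10 44321 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-app1 10.0.10.5 10.0.20.7 51000 5432 6 30 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-app2 10.0.10.9 198.51.100.20 44322 443 6 900 7500000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-app2 10.0.10.9 198.51.100.21 44323 443 6 10 6000 1700000000 1700000060 REJECT OK
2 123456789012 eni-data1 10.0.20.7 203.0.113.10 44324 443 6 5 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-app1 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return a list of dict records, skipping malformed and NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no byte counts
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_internet_egress(rec):
    """Accepted flow from a private source to a non-private destination."""
    return (rec["action"] == "ACCEPT"
            and is_rfc1918(rec["srcaddr"])
            and not is_rfc1918(rec["dstaddr"]))


def egress_bytes_by_source(records):
    """[(srcaddr, bytes), ...] sorted by bytes descending: the noisy-source report."""
    totals = defaultdict(int)
    for rec in records:
        if is_internet_egress(rec):
            totals[rec["srcaddr"]] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def unexpected_egress(records, isolated_sources):
    """Egress records from addresses that should have no internet route at all."""
    return [rec for rec in records
            if is_internet_egress(rec) and rec["srcaddr"] in isolated_sources]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for src, total in egress_bytes_by_source(recs):
        print(f"{src:16} {total:>10} bytes")
    for rec in unexpected_egress(recs, {"10.0.20.7"}):
        print("unexpected egress from data tier:", rec["interface_id"], rec["dstaddr"])
```

Flow logs record each flow at the instance ENI with the private source address, before NAT rewrites it, which is what lets the report attribute bytes to a workload rather than to the NAT gateway's single public IP. If the NAT gateway's own ENI is also logged, filter its interface id out first, or every egress flow is counted twice.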