Subnets are the logical networks into which you group your resources within a single local network. Communication in and out of a subnet is of critical importance, and a route table contains the rules that determine how traffic is directed.
After creating a VPC, you can add one or more subnets in each AZ. Each subnet resides entirely within one AZ and cannot span AZs.
- A subnet is an isolated local network confined in a single AZ.
- Different application tiers are in different subnets.
- 5 IPs are reserved in every subnet (ex. a /24 network has 251 IPs available)
- 0 (first) – Network address, 1 – VPC router, 2 – DNS, 3 – Reserved for future use, X (last) – Broadcast
- Subnets must be associated with a route table.
- Subnets are by default private unless created in a default VPC.
- The CIDR block of a subnet cannot overlap the CIDR blocks of other subnets in the same VPC.
- A public subnet has a route to the internet. (It is associated with a route table that has an IGW attached.)
- A private subnet does not have a route to the internet.
A route table contains a set of rules (routes) that are used to determine where traffic is directed.
- Only one route table can be attached to a subnet, but, unlike an IGW (one per VPC), you can have multiple active route tables in a VPC.
- Every VPC has a virtual routing device called the VPC router.
- You cannot delete a route table if it has associated subnets.
- A router has a collection (route table) of rules. A route contains a destination and a target.
- Destination: the CIDR block range that the traffic is addressed to
- Target: the identifier of the resource the matching traffic is sent to (e.g. local, or an IGW ID)
- Route Table is a set of rules, called routes.
- By default, traffic between all subnets in a VPC is allowed; the route that enables this is called the local route.
- If multiple routes apply, the most specific one is chosen (/32 is chosen before /24).
- A default route (0.0.0.0/0 or ::/0) can be added that matches any traffic not already matched by a more specific route.
- The default VPC already has a main route table: local route + IGW
- Subnets can be public or private.
- A subnet is public when
- (1) Instances in the subnet have a public IP or EIP; you can modify the auto-assign public IP setting for a subnet.
- (2) VPC has an Internet Gateway.
- (3) The subnet has a route to send all non-local traffic to the Internet Gateway.
- And (4) the network ACL and security groups allow sending and receiving traffic to and from the Internet.
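The route-table rules above (local route, longest-prefix match, default route to an IGW, five reserved addresses) as an added worked example using Python's standard `ipaddress` module; this is not AWS code, the route tables and resource IDs are constructed placeholders, and the `igw-` prefix check is an assumption used to tell an internet gateway target apart from other targets.

```python
import ipaddress

# Constructed sample route tables (destination CIDR, target); IDs are placeholders.
LOCAL = ("10.0.0.0/16", "local")                       # every route table has the local route
PUBLIC_RT = [LOCAL, ("0.0.0.0/0", "igw-PLACEHOLDER")]  # default route to the internet gateway
PRIVATE_RT = [LOCAL,
              ("172.16.0.0/24", "pcx-PLACEHOLDER"),    # route for a whole /24
              ("172.16.0.5/32", "eni-PLACEHOLDER")]    # more specific /32 inside that /24


def lookup(route_table, dst_ip):
    """Return the target of the most specific route matching dst_ip (longest prefix wins),
    or None when no route matches, i.e. the VPC router has nowhere to send the packet."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return best[1] if best else None


def is_public(route_table):
    """A subnet is public only if a default route sends non-local traffic to an IGW."""
    return any(cidr in ("0.0.0.0/0", "::/0") and target.startswith("igw-")
               for cidr, target in route_table)


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet: the first four and the last."""
    addrs = list(ipaddress.ip_network(subnet_cidr))  # all addresses, network and broadcast included
    return {"network": str(addrs[0]), "router": str(addrs[1]), "dns": str(addrs[2]),
            "future": str(addrs[3]), "broadcast": str(addrs[-1])}


def usable_addresses(subnet_cidr):
    """Assignable addresses in the subnet: block size minus the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


if __name__ == "__main__":
    print(lookup(PUBLIC_RT, "93.184.216.34"))   # igw-PLACEHOLDER
    print(lookup(PRIVATE_RT, "93.184.216.34"))  # None: private subnet, no default route
    print(lookup(PRIVATE_RT, "172.16.0.5"))     # eni-PLACEHOLDER: /32 beats /24
    print(usable_addresses("10.0.1.0/24"))      # 251
```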