[AWS] VPC – Subnets and Routing Tables

Subnets are the logic network that you group your resources in a single local network. Communication in and out of a subnet is of critical importance, and a routing table contains the rules on how traffic can be directed.


After creating a VPC, you can add one or more subnets in each AZ. Each subnet resides entirely within one AZ and cannot span AZs.

  • A subnet is an isolated local network confined in a single AZ.
  • Different application tiers are in different subnets.
  • 5 IPs are reserved for a subnet (ex. /24 network – 251 IPs available)
    • 0 (first) – Network
    • 1 – Router
    • 2 – DNS
    • 3 – Future
    • X (last) – Broadcast
  • Subnets must be associated with a route table.
  • Subnets are by default private unless created in a default VPC.
  • The CIDR block of a subnet cannot overlap the CIDR blocks of other subnets in the same VPC.
  • A public subnet has a route to the internet. (It is associated with a route table that has an IGW attached.)
  • A private subnet does not have a route to the internet.

Route Tables

A route table contains a set of rules (routes) that are used to determine where traffic is directed.

  • Only one route table can attached to a subnet, but, unlike an IGW, you can have multiple active route tables in a VPC.
  • Every VPC has a virtual routing device called the VPC router.
  • You cannot delete a route table if it has associated subnets.
  • A router has a collection (route table) of rules. A route contains a destination and a target.
    • Destination: the CIDR block range of the target
    • Target: a name identifier
  • Route Table is a set of rules, called routes.
    • By default, all subnets’ traffic is allowed within a VPC, which is called a local route.
    • If multiple routes apply, the most specific one is chosen (/32 is chosen before /24).
    • A default route ( or ::/0) can be added that match any traffic not already matched.
  • The default VPC already has a main route table: local route + IGW
Main route table of the default VPC

Public Subnets

  • Subnets can be public or private.
  • A subnet is public when
    1. The subnet has a public IP or EIP; You can modify auto-assign IP settings for a subnet.
    2. VPC has an Internet Gateway.
    3. The subnet has a route to send all non-local traffic to the Internet Gateway.
    4. And Network ACL and security groups allow sending and receiving traffic from the Internet.


CIDR Visualizer: https://cidr.xyz

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s