Public and private subnet in VPC
IANA established certain blocks of IP addresses as private IP ranges (shown below):
- 10.0.0.0 – 10.255.255.255 (255.0.0.0)
- 172.16.0.0 – 172.31.255.255 (255.255.0.0)
- 192.168.0.0 – 192.168.255.255 (255.255.255.0)
Public IP addresses will be issued by an Internet Service Provider and will have number ranges from 1 to 191 in the first octet, with the exception of the private address ranges that start at 10.0.0 for Class A private networks and 172.16.0 for the Class B private addresses.
To subnet a VPC into one private subnet and one public subnet per zone (as shown below):
- The application server sits in the private subnet.
- The NAT gateway and bastion server sit in the public subnet.
1) Do I need to use a private IP range (only) for the two private subnets?
2) Do I need to use a public IP range (only) for the two public subnets?
The whole VPC has one large private address block, e.g. 10.20.0.0/16, and your subnets have slices of this block, e.g.
- public-az1 and public-az2 will have 10.20.0.0/24 and 10.20.1.0/24
- private-az1 and private-az2 will have 10.20.2.0/24 and 10.20.3.0/24
In addition the EC2 instances in the public subnets can have a Public IP or Elastic IP assigned as well. These are allocated one by one by AWS and assigned to the individual instances as requested.
Update: refer to my other answer for details: NAT gateway for ec2 instances
Generally you will have 2 kinds of subnets in a VPC:
- Public subnet
  - has IGW and optionally NAT
  - 0.0.0.0/0 there points to the IGW - hosts (EC2 instances) get their primary private IPs from the VPC range (10.20.0.0/16), but also ...
  - hosts must have public IP or elastic IP attached as they go directly to the internet
  - hosts can be contacted from the internet on this public/elastic IP (if Security Group permits)
- Private subnet
  - has no IGW or NAT
  - the 0.0.0.0/0 points to the NAT in the public subnet above - hosts only have private IP from the VPC range and all outbound access is "masked" to the NAT gateway IP
  - hosts can initiate connections to the internet but can't be contacted from outside as they are "hidden" behind the NAT (Network Address Translation gateway).
  - without NAT configured hosts won't have internet access
Hope that clarifies it :)
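The subnet carving and the two route-table shapes described in the answers above, as an added worked example that is not part of the original answers. It uses Python's standard `ipaddress` module; the `igw-`/`nat-` identifiers it takes are constructed placeholders, not real AWS resource ids.

```python
import ipaddress

# The three private ranges the question lists (RFC 1918), as CIDR blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_block(cidr):
    """True if the whole block lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def carve_subnets(vpc_cidr, azs, new_prefix=24):
    """Slice the VPC block into one public and one private /24 per AZ.

    Returns {"public-az1": 10.20.0.0/24, ...} in the order the answer
    above uses: the public subnets first, then the private ones.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if not is_private_block(str(vpc)):
        raise ValueError(f"{vpc} is not an RFC 1918 block")
    slices = vpc.subnets(new_prefix=new_prefix)
    return {f"{tier}-{az}": next(slices)
            for tier in ("public", "private") for az in azs}


def route_table(tier, vpc_cidr, igw_id, nat_id):
    """Routes for a subnet of the given tier: the VPC block stays local,
    the default route goes to the IGW (public) or the NAT gateway (private)."""
    default_target = igw_id if tier == "public" else nat_id
    return [(str(ipaddress.ip_network(vpc_cidr)), "local"),
            ("0.0.0.0/0", default_target)]


def can_peer(cidr_a, cidr_b):
    """VPC peering requires the two VPC blocks not to overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    vpc = "10.20.0.0/16"
    plan = carve_subnets(vpc, ["az1", "az2"])
    for name, net in plan.items():
        tier = name.split("-")[0]
        # placeholder gateway ids; substitute the real ones from your VPC
        print(name, net, route_table(tier, vpc, "igw-PLACEHOLDER", "nat-PLACEHOLDER"))
    print("peerable with 10.30.0.0/16:", can_peer(vpc, "10.30.0.0/16"))
```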
You can use any IP / CIDR block you want inside your AWS VPC, as the VPC IP / CIDR is only visible by your resources inside the VPC, not outside AWS. Any interaction with the internet is done using Elastic IPs, aka Public IPs.
The only thing to keep in mind is if you want to peer with other VPCs you can't have overlapping CIDR blocks.
You need to use private IP addresses for all subnets.
An instance with a public IPv4 address (whether auto-assigned/dynamic or static/EIP) in a VPC is unaware of its public IP address. For example, ifconfig on a Linux server instance with a public IP address will not show the public IP -- it will show the private IP. The Internet Gateway performs 1:1 static NAT between the device's assigned public IP address and the device's actual private IP address.
An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
The Internet Gateway does not do this for instances without a public IP, which is why you need one or more NAT Gateways for those instances to access the Internet.