VPC Subnet: What It Is and When to Use It
Definition
A subnet (subnetwork) is a CIDR-delimited slice of a VPC's IP address space, pinned to a single Availability Zone (AZ). Subnets are the unit at which AWS attaches route tables, network ACLs, and many services (Lambda ENIs, RDS DB subnet groups, EKS node groups). They come in three conceptual flavors — public, private, and VPN-only — distinguished entirely by what routes their associated route table contains.
Subnets exist only within one VPC and one AZ; they cannot span Availability Zones, and they cannot move between VPCs. For a highly available workload, you create at least two subnets (in different AZs) per tier.
How It Works
A subnet is defined by its CIDR block (e.g., 10.0.1.0/24) carved out of the parent VPC's CIDR (e.g., 10.0.0.0/16). Each AWS Region contains multiple Availability Zones, and each subnet is bound to exactly one of them.
Each subnet has:
- An associated route table — a set of destination-CIDR → target routes. A subnet is implicitly associated with the VPC's main route table unless you explicitly associate a custom one.
- An associated network ACL — a stateless, subnet-level firewall (allow and deny rules, order matters).
- An auto-assign public IP flag — when on, new instances in the subnet get a public IPv4. Charged hourly per public IP since February 2024.
- An IPv6 CIDR (optional) — if the VPC has an IPv6 CIDR (/56 from AWS), each subnet gets a /64.
Subnet types are determined by routes:
- Public subnet — route table has 0.0.0.0/0 pointing at an Internet Gateway (IGW). Instances with public or Elastic IPs are reachable from and can initiate traffic to the internet.
- Private subnet — no IGW route. Outbound internet access (if needed) goes through a NAT Gateway or NAT Instance in a public subnet. Instances have no public IPs.
- VPN-only subnet — route table points internet-bound traffic at a Virtual Private Gateway (VGW) or a Transit Gateway VPN attachment rather than an IGW. Used for air-gapped hybrid environments.
- Isolated subnet — no IGW, no NAT, no VPN. Communicates only with other subnets in the VPC or via VPC Endpoints.
Key Features and Limits
- CIDR size: minimum /28 (16 IPs, 11 usable), maximum /16 (65,536 IPs). The VPC CIDR itself must be /16 to /28.
- Five reserved IPs per subnet:
  - .0 — network address
  - .1 — VPC router
  - .2 — DNS (the resolver lives at the VPC's base CIDR + 2; .2 is reserved in every subnet)
  - .3 — reserved for future use
  - last address in the subnet (.255 in a /24) — broadcast (AWS does not support broadcast, but the address is reserved)
- IPv6 — subnets get a fixed /64 from the VPC's /56.
- Default subnets — every default VPC has a default subnet in each AZ, auto-assign public IP on.
- One AZ per subnet — you cannot span AZs with a single subnet.
- Subnet sharing — with AWS RAM, a subnet can be shared to other accounts in the same organization.
- Subnet limit — 200 subnets per VPC (soft limit).
- Edge association — route tables can be associated with the internet-facing side of an IGW (gateway route tables) for traffic inspection patterns.
Common Use Cases
- Three-tier web app — public subnet for ALB/NAT Gateway, private app subnet for EC2/ECS, private DB subnet for RDS/Aurora with no outbound internet.
- Serverless networking — Lambda ENIs placed in private subnets so the function can reach RDS, ElastiCache, or VPC Endpoints.
- Multi-AZ HA — one subnet per tier per AZ, giving resilient deployments behind cross-zone load balancers.
- Isolated compliance workloads — subnets with no IGW/NAT, using VPC Endpoints to reach S3, DynamoDB, KMS.
- Hybrid connectivity — VPN-only subnets that route everything through a Direct Connect gateway or Transit Gateway.
- Shared services VPC — one VPC hosts platform services; subnets are shared with application accounts via AWS RAM.
- Database subnet groups — RDS, ElastiCache, and Redshift require a subnet group spanning at least two AZs for Multi-AZ.
Pricing Model
Subnets themselves are free. You pay for:
- NAT Gateway — per hour per gateway + per GB processed (if you put one in the subnet or route through it).
- Interface VPC Endpoints — per hour per AZ + per GB processed.
- Public IPv4 addresses — per-hour charge per allocated address (attached or idle), since February 2024.
- Data transfer — inter-AZ, inter-Region, internet egress.
- Elastic Network Interfaces (ENIs) — free when attached to a running instance; otherwise they consume nothing but capacity.
Because NAT Gateway and cross-AZ data-transfer costs dominate many VPC bills, subnet-placement decisions have a direct financial impact.
Pros and Cons
Pros
- Clean isolation boundary for routing, security, and IAM.
- Familiar model to network engineers — maps directly to traditional subnetting.
- Flexible: any mix of public, private, and VPN-only subnets inside one VPC.
- Required building block for Multi-AZ services (RDS, MSK, ElastiCache subnet groups).
Cons
- Cannot span AZs — HA requires explicit multi-subnet design.
- Five reserved IPs per subnet means /28 gives only 11 usable addresses — too small for large EKS node groups.
- Changing a subnet's CIDR is not allowed; you must add a secondary VPC CIDR and new subnets instead.
- NAT Gateways are per-subnet (really per-AZ) — an HA design needs one per AZ, doubling cost.
Comparison with Alternatives
| Subnet type | Route to internet | Typical workloads | Public IP? |
| --- | --- | --- | --- |
| Public | 0.0.0.0/0 → IGW | Load balancers, bastion, NAT Gateway | Yes (optional) |
| Private (with NAT) | 0.0.0.0/0 → NAT GW | App servers, containers, Lambda ENIs | No |
| VPN-only | 0.0.0.0/0 → VGW/TGW | Regulated workloads needing on-prem egress | No |
| Isolated | No default route | Databases, sensitive workloads | No |
Compared to Google Cloud subnets (Region-scoped, not AZ-scoped) and Azure subnets (VNet-level, no AZ pinning), AWS subnets are uniquely AZ-bound — which is why Multi-AZ HA requires multiple subnets in AWS but often just one in GCP.
Exam Relevance
- Solutions Architect Associate (SAA-C03) — very heavy topic: public vs private subnet design, NAT Gateway placement, Multi-AZ patterns, subnet groups for RDS, database subnet segregation.
- SysOps Administrator (SOA-C02) — troubleshooting subnet routing, flow logs, ENI attachment problems.
- Developer Associate (DVA-C02) — placing Lambda in a subnet, understanding cold-start implications of VPC Lambda.
- Advanced Networking Specialty (ANS-C01) — IPv6 /64 subnets, secondary CIDRs, subnet sharing via RAM, gateway route tables, dual-stack design.
Classic exam traps: a subnet is public only if its route table has 0.0.0.0/0 → IGW (not just "it has a public IP"). There are five reserved IPs per subnet (not four). The smallest subnet is /28, not /30. A subnet cannot span AZs — Multi-AZ requires at least two subnets. Auto-assign public IP is a subnet-level setting but can be overridden at instance launch.
Frequently Asked Questions
Q: What makes a subnet "public" in AWS?
A: A subnet is public when its associated route table contains a route 0.0.0.0/0 (or ::/0 for IPv6) pointing to an Internet Gateway (IGW) attached to the VPC. The subnet's "auto-assign public IPv4" setting is a convenience for newly launched instances, but it is the IGW route that makes the subnet public. Without that route, even an instance with a public IP cannot reach the internet.
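The route-based rule above (and the "Subnet types are determined by routes" list earlier) is easy to encode as an audit. The following is an added example, not code from the article or from AWS: it classifies a subnet purely from the default routes in its route table and flags the two classic mismatches, a subnet tagged private whose route table actually has an IGW route, and a subnet with auto-assign public IPv4 on but no IGW route. Route data, subnet names and resource ids (`igw-EXAMPLE` etc.) are constructed placeholders.

```python
# Route-table targets, keyed by AWS resource-id prefix, that decide a subnet's type.
IGW_PREFIXES = ("igw-",)
VPN_PREFIXES = ("vgw-", "tgw-")          # the article treats TGW default routes as VPN-only
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 default routes


def classify_subnet(routes):
    """Return 'public', 'vpn-only', 'private' or 'isolated' from a route list.

    `routes` is a list of (destination, target) pairs as shown in a route table.
    Only the default routes matter; the 'local' route and endpoint routes do not.
    """
    targets = [tgt for dst, tgt in routes if dst in DEFAULT_ROUTES]
    if any(t.startswith(IGW_PREFIXES) for t in targets):
        return "public"                   # an IGW default route is what makes it public
    if any(t.startswith(VPN_PREFIXES) for t in targets):
        return "vpn-only"
    if targets:                           # e.g. nat-... or a NAT instance's eni-...
        return "private"
    return "isolated"


def audit_subnets(subnets):
    """Flag subnets whose tier tag or public-IP setting disagrees with their routes.

    `subnets` maps name -> (intended tier tag, auto-assign-public-IPv4 flag, routes).
    """
    findings = []
    for name, (tier, auto_public_ip, routes) in subnets.items():
        actual = classify_subnet(routes)
        if tier != "public" and actual == "public":
            findings.append(f"{name}: tagged {tier} but its route table has an IGW default route")
        if auto_public_ip and actual != "public":
            findings.append(f"{name}: auto-assign public IPv4 is on but there is no IGW route "
                            "(billable addresses that cannot reach the internet)")
    return findings


# Constructed sample: four well-formed tiers plus two misconfigured subnets.
SAMPLE_SUBNETS = {
    "web-a":   ("public",  True,  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]),
    "app-a":   ("private", False, [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")]),
    "db-a":    ("private", False, [("10.0.0.0/16", "local"), ("pl-EXAMPLE", "vpce-EXAMPLE")]),
    "corp-a":  ("private", False, [("10.0.0.0/16", "local"), ("0.0.0.0/0", "vgw-EXAMPLE")]),
    "oops-a":  ("private", True,  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]),
    "stale-a": ("private", True,  [("10.0.0.0/16", "local")]),
}

if __name__ == "__main__":
    for name, (_, _, routes) in SAMPLE_SUBNETS.items():
        print(f"{name:8} -> {classify_subnet(routes)}")
    for finding in audit_subnets(SAMPLE_SUBNETS):
        print("FINDING:", finding)
```

In a real account the same (destination, target) pairs come from the route table associated with each subnet; the classification logic does not change.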
Q: Why are 5 IP addresses reserved in every subnet?
A: AWS reserves the first four IPs and the last IP of every subnet. .0 is the network address, .1 is the VPC router (implicit default gateway), .2 is reserved for DNS (the resolver itself sits at the VPC base CIDR + 2), .3 is reserved for future use, and the last address (.255 in a /24) is the broadcast address (AWS doesn't support broadcast, but the address is reserved). That means a /28 subnet has 16 total IPs but only 11 usable ones — an important gotcha when sizing subnets for large clusters.
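The reserved-address and sizing rules from this answer and from the "Key Features and Limits" list (five reserved IPs, /16 to /28, subnets carved from the VPC CIDR) can be checked mechanically. This is an added example using only the standard `ipaddress` module, not code from the article or from AWS; the CIDRs below are constructed sample values.

```python
import ipaddress

# The first four addresses of every AWS subnet are reserved; the last one is too.
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "reserved for DNS (resolver is VPC base CIDR + 2)",
    3: "reserved for future use",
}


def reserved_addresses(subnet_cidr):
    """Return the five reserved addresses of an IPv4 subnet as {address: reason}."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    reserved = {str(net[offset]): why for offset, why in RESERVED_OFFSETS.items()}
    reserved[str(net[-1])] = "broadcast (unsupported by AWS, but reserved)"
    return reserved


def usable_hosts(subnet_cidr):
    """Usable addresses = total addresses minus the five AWS reserves."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def prefix_for_hosts(required):
    """Smallest AWS-valid subnet (largest prefix length) with >= required usable IPs."""
    for prefixlen in range(28, 15, -1):          # /28 is the smallest, /16 the largest
        if 2 ** (32 - prefixlen) - 5 >= required:
            return prefixlen
    raise ValueError(f"{required} usable hosts do not fit in a single /16 subnet")


def validate_subnet(vpc_cidr, subnet_cidr, existing=()):
    """Check the AWS rules: /16..../28, inside the VPC CIDR, no overlap with siblings."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed /16 to /28 range")
    if not net.subnet_of(vpc):
        problems.append(f"{net} is not inside the VPC CIDR {vpc}")
    for other in existing:
        other_net = ipaddress.ip_network(other, strict=True)
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps existing subnet {other_net}")
    return problems


if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/28"))          # constructed example subnet
    print(usable_hosts("10.0.1.0/28"), "usable in a /28")
    print("/%d fits 250 hosts" % prefix_for_hosts(250))
    print(validate_subnet("10.0.0.0/16", "10.0.1.128/25", existing=["10.0.1.0/24"]))
```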
Q: Can a single subnet span multiple Availability Zones?
A: No. Every subnet belongs to exactly one AZ. To achieve Multi-AZ high availability, you create multiple subnets (usually one per AZ you want to deploy into) and register each with services that need AZ redundancy — ALB listeners, Auto Scaling groups, RDS DB subnet groups, ElastiCache subnet groups, etc. This is one of the most important differences between AWS and Google Cloud, where subnets are regional and span zones natively.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official Amazon VPC documentation before making production decisions.