What Is Private subnet in Networking?
On This Page
What do you want to do?
Quick Definition
A private subnet is a part of a network that is hidden from the internet. It can only be reached from inside the network or through a secure gateway. You use it to keep sensitive resources like databases or application servers safe. Traffic to and from a private subnet must go through a controlled entry point.
Common Commands & Configuration
aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.1.0/24 --availability-zone us-east-1aCreates a subnet in the specified VPC and Availability Zone. By default, new subnets are private (no public IP assignment), but to ensure no internet access, you must not associate an internet gateway in the route table.
The AWS SAA exam tests the difference between public and private subnets. A subnet becomes public only when you attach an internet gateway and add a route to it. This command creates the subnet but leaves it private until you modify the route table.
aws ec2 create-nat-gateway --subnet-id subnet-public1 --allocation-id eipalloc-12345678Creates a NAT gateway in a public subnet with an Elastic IP. This gateway enables instances in private subnets to initiate outbound internet traffic. Must be in a public subnet with an internet gateway.
Common exam question: Where do you place a NAT gateway? Always in a public subnet. The AWS SAA exam tests that NAT gateways are single-AZ, so you might need one per AZ for high availability.
aws ec2 create-route --route-table-id rtb-12345678 --destination-cidr-block 0.0.0.0/0 --nat-gateway-id nat-12345678Adds a default route to the NAT gateway in the private subnet's route table. This allows private instances to reach the internet via the NAT gateway.
The route table is the key differentiator. A private subnet's route table has a default route pointing to a NAT gateway, while a public subnet's points to an internet gateway. The CCNA exam tests similar routing concepts with CLI.
az network vnet subnet create --resource-group MyRG --vnet-name MyVNet --name PrivateSubnet --address-prefixes 10.0.1.0/24Creates a subnet in Azure. By default, subnets do not have internet access unless you assign a public IP or use a NAT gateway. You must also associate a network security group to control traffic.
For AZ-104, remember that Azure subnets are private by default. You explicitly enable outbound internet via a NAT gateway or assign a public IP. The exam tests NSG rules that must allow traffic through the NAT gateway.
gcloud compute networks subnets create private-subnet --network my-vpc --region us-central1 --range 10.0.1.0/24 --private-google-accessCreates a private subnet with private Google access enabled. Instances without external IPs can reach Google APIs and services through this feature.
Google ACE exam tests the --private-google-access flag. This is a cost-saver because you avoid NAT gateways for Google services. It's a unique feature not directly available in AWS or Azure.
ip route add 0.0.0.0/0 via 10.0.0.1 (on a Linux router acting as NAT instance)Configures the default route on a Linux instance used as a NAT device. This is a manual way to provide internet access to a private subnet, often tested in the CCNA and Network Plus exams in the context of static routing.
The Network Plus exam covers static routes. This command is typical for a NAT instance scenario where the instance has two network interfaces (public and private). The CCNA exam tests routing table manipulations for private networks.
aws ec2 modify-subnet-attribute --subnet-id subnet-12345678 --map-public-ip-on-launchModifies a subnet so that new instances launched in it automatically receive a public IP address. This makes the subnet 'public' if combined with an internet gateway route.
This is a common trick in exams. A subnet with public IP auto-assign is not necessarily public unless it has an internet gateway route. The AWS SAA exam might test this nuance.
Private subnet appears directly in 640exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Private subnet is a core concept across multiple IT certification exams, and its importance varies slightly depending on the exam focus. For the AWS Solutions Architect Associate (AWS-SAA) exam, private subnets are a primary topic. You will be asked to design a VPC with public and private subnets, choose when to use a NAT gateway versus a NAT instance, and understand how to enable internet access for private resources. Scenario questions often present a requirement like 'An application must be highly available and secure. The database should not be accessible from the internet.' You need to know to place the database in private subnets across two Availability Zones and configure security groups accordingly. The exam tests your ability to read a network diagram and identify which resources should be in private subnets.
For the CompTIA Network+ and Security+ exams, private subnets are covered under network segmentation and secure network architecture. Network+ questions might ask you to explain the difference between a public and private subnet in terms of routing and default gateways. Security+ will focus on the security benefits, such as limiting the blast radius of a breach. You might see a question like 'A security engineer wants to ensure that internal application servers cannot be directly accessed from the internet. Which network design should be used?' The correct answer is to place those servers in a private subnet.
For the CCNA exam, private subnets are taught as part of VLANs and routing. You will configure subinterfaces or switches to create separate broadcast domains. The CCNA focuses on the mechanics: how to set up a router to route between a public and private subnet, and how to configure access control lists to block inbound traffic. Questions might ask you to identify the correct configuration for a private subnet on a Cisco router.
For Azure (AZ-104), private subnets exist within Azure Virtual Networks. The exam will test your knowledge of Azure Private Link, service endpoints, and NAT gateway. You might need to decide whether to use a NAT gateway or Azure Bastion to provide outbound or inbound access to a private subnet. The AZ-104 exam also covers VNet peering and how private subnets interact across different virtual networks.
For Google ACE (Associate Cloud Engineer), private subnets are part of VPC design. You will need to know when to use Cloud NAT to allow private instances to access the internet. The exam also covers private Google Access, which allows private subnets to reach Google APIs without public IPs.
Across all exams, common question types include multiple-choice scenario questions, drag-and-drop architecture design, and configuration identification. Some exams include troubleshooting questions where you are given a network configuration and must identify why a private instance cannot reach the internet. The answer often involves a missing or misconfigured NAT gateway, incorrect route table, or security group blocking traffic. Understanding private subnets thoroughly will help you answer these correctly and avoid traps.
Simple Meaning
Think of a private subnet like a secure room inside a office building. The building has a main lobby that anyone can walk into from the street, that is your public subnet. The secure room, however, has no door to the outside world. The only way to get into that room is by first entering the building, showing your ID at a security desk, and then being escorted through a locked door. In computer terms, the private subnet is a network segment that does not have a direct path to the internet. Computers in a private subnet can send requests out to the internet through a router or a Network Address Translation (NAT) gateway, but internet users cannot start a conversation with those computers. This is incredibly important for security. For example, if you run a website that stores customer credit card information, you would put the web server in a public subnet so people can reach it, but you would put the database containing the credit card data in a private subnet. Even if an attacker breaks into the web server, they cannot directly access the database because it is in a private subnet with no internet route. The database can only be reached from the web server or from a secure management connection. This layered approach is a core principle of network security, often called defense in depth. In cloud environments like AWS or Azure, private subnets are the standard way to protect backend systems. They reduce the attack surface dramatically because there are fewer points where an outsider can try to break in. For IT certification learners, understanding private subnets is essential because they appear in almost every networking and security exam. They are the foundation of secure architecture, whether you are setting up a virtual private cloud, a corporate LAN, or a hybrid network. Without private subnets, your internal resources would be exposed to constant scanning and attack from the internet. They give you control over who can talk to your most important systems.
Let us use an analogy of a house with a fenced yard. The front yard with a gate open to the sidewalk is your public subnet, anyone can walk up to your front door. The inside of the house is your private subnet. You would not leave the front door wide open all the time. Instead, you have a locked door and maybe a peephole. Visitors knock, and you decide whether to let them in. In networking, the knock is a request coming from the internet. If a resource is in a private subnet, the internet cannot even knock. It is like having a house with no doors or windows on the outside walls, only an internal door connected to the garage. To get in, you have to go through the garage first. That garage is your bastion host or VPN server. This extra step might seem inconvenient, but it drastically improves security. For businesses handling sensitive data, private subnets are not optional, they are required by compliance standards like PCI DSS or HIPAA. So when you study for exams like AWS SAA, Security+, or Network+, you will see private subnets as a primary concept. They are the building block for secure network design.
Full Technical Definition
A private subnet is a logically isolated network segment within a larger Virtual Private Cloud (VPC) or local area network that has no direct route to the public internet. In cloud computing platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, a subnet is a range of IP addresses within a VPC. The subnet is designated as private by the absence of an internet gateway (IGW) attached to its route table. Instead, the route table for a private subnet typically has a default route (0.0.0.0/0) pointing to a NAT gateway, NAT instance, or a virtual private network (VPN) connection. This configuration allows resources in the private subnet to initiate outbound connections to the internet (for software updates, API calls, etc.) but prevents any unsolicited inbound traffic from the internet.
From a networking standards perspective, private subnets rely on RFC 1918 address ranges, which are designated for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These addresses are not routable on the public internet. In cloud environments, you can also use public IP addresses within a private subnet, but that is uncommon because it defeats the purpose of isolation. The core mechanism that makes a subnet private is the route table. A route table contains rules that determine where network traffic is directed. If the route table for a subnet includes a route to an internet gateway for 0.0.0.0/0, that subnet is public. If it does not, or if it routes 0.0.0.0/0 to a NAT device or VPN, the subnet is private. The subnet's network access control lists (NACLs) and security groups filter traffic at the subnet and instance level respectively, but the defining characteristic is the route table.
In real IT implementations, private subnets are used for multi-tier applications. A typical three-tier architecture places web servers in public subnets, application servers in private subnets, and databases in separate private subnets with even stricter access controls. For example, in AWS, an application server in a private subnet can receive traffic only from the web server via a security group rule, and it can connect to the database via another security group rule. The database itself has no direct path to the internet. This compartmentalization limits the blast radius of a security breach. If a web server is compromised, the attacker cannot directly reach the database because there is no network route from the internet to the database subnet. They would have to go through the application server, which has its own security controls.
For on-premises networks, private subnets are created using VLANs and routers. The concept is identical: a router separates the network into segments, and the router's access control lists (ACLs) or firewall rules determine which segments can communicate with the internet. In Cisco CCNA and Network+ contexts, a private subnet is essentially a VLAN with a default gateway that does not have a route to the internet. Instead, outbound traffic goes through a firewall or proxy server. The technical implementation involves configuring the router or Layer 3 switch to use policy-based routing or NAT to handle outbound connections.
Private subnets also interact with other network services like DNS. Resources in a private subnet typically use private DNS resolvers or forwarders to resolve internal hostnames. They may also use VPC endpoints (AWS) or Private Link (Azure) to access cloud services like S3 or Azure SQL without going over the internet. This keeps all traffic within the cloud provider's network, reducing latency and increasing security.
From a protocol perspective, private subnets do not change how TCP/IP works. Packets still have source and destination IP addresses, and routing decisions are made based on the destination. The difference is that the router or gateway does not have a public interface that can be reached from the internet. In cloud environments, the hypervisor or software-defined networking layer enforces this isolation. When a packet arrives at the VPC's edge, the internet gateway checks if the destination is a public subnet. If not, the packet is dropped. This is why private subnets are considered a fundamental security boundary.
For certification exams like AWS SAA, AZ-104, and Google ACE, you need to know how to design a VPC with both public and private subnets, configure route tables, set up NAT gateways, and troubleshoot connectivity issues. For CCNA and Network+, you need to understand the routing and VLAN aspects. Security+ and A+ focus more on the security implications, why you would use a private subnet to protect sensitive data. In all cases, the technical definition remains consistent: a private subnet is a network segment with no direct internet ingress.
Real-Life Example
Imagine you live in a large apartment building. The building has a main entrance with a doorman. Anyone can walk in from the street and enter the lobby, that is your public subnet. But to get to your actual apartment, you need a key or a keycard. The apartment itself is a private subnet. Now, suppose you order food delivery. The delivery person comes to the lobby, but they cannot enter your apartment. You have to go down to the lobby, pick up the food, and bring it up yourself. In networking terms, your apartment is the private subnet, the lobby is the public subnet, and you are the NAT gateway. The delivery person (internet traffic) can only reach the lobby. You initiate the connection by going down, and you bring the data (food) back up.
Now consider a different scenario: your apartment building has a package room. Packages are delivered there, and only residents with a code can access it. The package room is like a private subnet with a VPN. You can access it securely from inside the building, but outsiders cannot. If a thief tries to break into the package room, they cannot because it has no external door. This is exactly how a private subnet protects your database.
Let us extend the analogy to a bank. The bank's lobby is open to the public, anyone can walk in and talk to a teller. That is the public subnet. The vault, however, is in the basement behind multiple locked doors and alarms. Only authorized employees can enter the vault. The vault is a private subnet. If you need to deposit cash, you hand it to the teller (the web server in the public subnet), and the teller then takes it to the vault (the private subnet). The vault never communicates directly with the public. Even if a robber storms the lobby, they cannot get to the vault because there is no direct path. The teller acts as the intermediary, much like a security group rule that allows traffic from the web server to the database.
In a corporate office, think of the server room. It is locked and has no windows. Employees cannot just walk in, they need a keycard and possibly a second factor like a fingerprint. The server room is a private subnet. The office floor where employees work is the public subnet. When an employee needs to access a file on the server, they do so over the internal network, not from the internet. If the company has a remote worker, that worker must first connect through a VPN to the office network, and only then can they reach the server room. That VPN is the equivalent of a NAT gateway or bastion host.
These analogies help you remember that private subnets are about controlled access. They are not about stopping all traffic, they are about ensuring that traffic enters and exits only through authorized channels. For your exams, always remember the core idea: a private subnet has no direct route from the internet. Everything must go through an intermediate device that you control.
Why This Term Matters
In practical IT, private subnets matter because they are the primary mechanism for implementing the principle of least privilege in network architecture. By placing sensitive resources in a private subnet, you reduce the attack surface to only those entry points you explicitly allow. This is not just a best practice, it is often a compliance requirement. Regulations like PCI DSS (Payment Card Industry Data Security Standard) require that cardholder data be stored in a network segment that is not directly accessible from the internet. Similarly, HIPAA for healthcare data and GDPR for personal data often mandate network segmentation.
Private subnets also improve network performance in some scenarios. Because resources in a private subnet can use internal IP addresses, traffic between them does not need to traverse a NAT device or internet gateway, reducing latency. In cloud environments, data transfer between resources in the same Availability Zone over private IPs is faster and free of charge. This makes private subnets ideal for high-throughput applications like database replication or microservice communication.
private subnets enable better monitoring and logging. All outbound traffic from a private subnet must go through a centralized NAT gateway or proxy, which can log every connection. This gives security teams a single point to audit traffic. If a resource in a private subnet suddenly tries to connect to a suspicious external IP, the NAT gateway logs will capture that, allowing for rapid incident response. In a public subnet, each instance could have its own public IP, making it harder to track and control outbound traffic.
For IT professionals, understanding private subnets is essential for designing cost-effective and secure architectures. For example, in AWS, NAT gateways cost money per hour and per gigabyte of data processed. If you misdesign your subnets and put resources that need internet access into a private subnet, you might incur higher costs than necessary. On the other hand, putting a database in a public subnet to save on NAT gateway costs is a massive security risk. Balancing security, cost, and performance is a key skill tested in certifications and real-world jobs.
Private subnets also matter for disaster recovery and high availability. You can have private subnets in multiple Availability Zones, each with its own NAT gateway, ensuring that if one zone fails, resources in the private subnet can still reach the internet through another zone. This architectural pattern is used in production systems that require 99.99% uptime. Private subnets are not just a theoretical concept, they are a daily tool for network engineers, cloud architects, and security professionals.
How It Appears in Exam Questions
Private subnet questions appear in certification exams in several distinct patterns. The most common is the scenario-based design question. For example, an AWS SAA question might describe a company that needs to host a web application with a database backend. The requirement is that the database should not have a public IP address. The question will offer several architecture options, and you must select the one that places the database in a private subnet with a route to a NAT gateway for outbound updates. The trap option might suggest putting the database in a public subnet but restricting access with a security group, which is incorrect because a public IP still exposes the database to the internet.
Another pattern is the configuration question. You might be shown a route table and asked to identify whether a subnet is public or private. For instance, the route table shows a destination of 0.0.0.0/0 with a target of an internet gateway. In that case, the subnet is public. If the target is a NAT gateway or no default route, it is private. This type of question tests your understanding of the route table's role.
Troubleshooting questions are also common. A question might state that an EC2 instance in a private subnet cannot download updates from the internet. You are given several potential causes, such as a missing NAT gateway, incorrect security group rules, or a misconfigured NACL. You must identify the most likely issue. The correct answer is often that the route table for the private subnet does not have a route to the NAT gateway, or the NAT gateway itself is not in a public subnet.
On the Network+ and Security+ exams, questions often use real-world language like 'network segmentation' or 'DMZ'. You might be asked: 'Which of the following best describes a private subnet?' The answer choices might include 'A subnet that uses RFC 1918 addresses and has no direct internet route' versus 'A subnet that uses public IP addresses but has a firewall'. The former is correct. Security+ may present a scenario where a company has a web server and a database server. The question asks how to protect the database from direct internet access. The correct answer is to place the database in a private subnet.
For CCNA, questions might be more command-line oriented. You could be asked to review a router configuration and determine which interface is connected to a private subnet. The interface might have an IP address from the 192.168.0.0 range and no 'ip nat outside' command. You would infer that it is private.
In Azure AZ-104, a typical question might ask: 'You have a virtual network with two subnets. Subnet A has a route table with a route to 0.0.0.0/0 via a NAT gateway. Subnet B has no default route. Which subnet is private?' The answer is Subnet B. Another question might ask you to configure an Azure SQL database that should only be accessible from a specific subnet. You need to create a private endpoint in that subnet, which effectively places the database in a private subnet context.
Across all exams, the key is to recognize that private subnet questions are testing your ability to apply network isolation principles. They rarely ask the definition directly, they test through scenarios and troubleshooting. Understanding the interplay between route tables, NAT gateways, security groups, and NACLs is essential.
Practise Private subnet Questions
Test your understanding with exam-style practice questions.
Example Scenario
Imagine you work for a small company that runs a customer portal website. The website is built with a front-end web server and a back-end database. The web server needs to be reachable by customers on the internet, but the database must be hidden. You are in charge of designing the network on AWS.
You create a VPC with the IP range 10.0.0.0/16. Inside that VPC, you create two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). The public subnet has a route table that includes a route to an internet gateway for 0.0.0.0/0. The private subnet has a route table with no internet gateway, it routes 0.0.0.0/0 to a NAT gateway that is itself in the public subnet.
You launch the web server EC2 instance in the public subnet with a public IP address. Customers can now access it over the internet. You launch the database EC2 instance in the private subnet with only a private IP address (10.0.2.10). The database has a security group that allows inbound traffic only from the web server's security group on port 3306 (MySQL). The web server's security group allows inbound traffic from the internet on ports 80 and 443.
Now, test the scenario. A customer visits your website. Their request goes to the web server, which queries the database using the private IP 10.0.2.10. The database responds, and the web server sends the page to the customer. The database never sees the customer's IP address, it only sees the web server. If an attacker tries to scan the internet for open databases, they will not find yours because your database has no public IP. Even if they somehow compromise the web server, they still cannot reach the database from outside the VPC because the database's security group only trusts the web server. The attacker would have to launch an attack from within the web server itself, which is much harder.
Suppose the database needs to download software updates. It initiates a connection to the internet through the NAT gateway. The NAT gateway forwards the request using its own public IP, receives the response, and sends it back to the database. The database never gets a public IP. This example shows the complete flow: public subnet for incoming traffic, private subnet for sensitive data, NAT for outbound-only internet access.
Common Mistakes
Thinking a private subnet cannot access the internet at all.
Resources in a private subnet can initiate outbound connections to the internet through a NAT gateway or proxy, but unsolicited inbound connections are blocked.
Remember that private subnets can reach the internet outbound, but the internet cannot reach them inbound.
Confusing private subnets with RFC 1918 addresses only.
Private subnets are defined by route tables and network access, not just IP address ranges. A subnet using RFC 1918 addresses can be public if it has an internet gateway route.
A subnet is private only if its route table has no direct route to an internet gateway, regardless of its IP range.
Believing security groups alone make a subnet private.
Security groups act as virtual firewalls at the instance level, but if the subnet has a public IP and an internet gateway route, the instance is still reachable from the internet. Security groups are not a substitute for network isolation.
Use private subnets to remove the internet route first, then add security groups for fine-grained control.
Assuming all subnets in a VPC are private by default.
By default, a new subnet in AWS does not have a route to an internet gateway, but it can be made public by attaching an internet gateway and updating the route table. The default state is private, but many learners mistakenly think subnets are public until configured otherwise.
A subnet is private until you explicitly add a route to an internet gateway.
Thinking a NAT gateway provides inbound access to a private subnet.
A NAT gateway only translates outbound traffic. It does not accept inbound connections from the internet. If you need inbound access to a private subnet (e.g., for SSH), you must use a bastion host or VPN.
NAT is for outbound only. Use a bastion host or VPN for inbound management access.
Placing NAT gateway in a private subnet.
A NAT gateway must be in a public subnet with a route to the internet gateway. If placed in a private subnet, it cannot reach the internet and will not work.
Always deploy NAT gateways in a public subnet with an internet gateway route.
Exam Trap — Don't Get Fooled
{"trap":"A question states that a database instance is in a subnet with a route table that has a route to 0.0.0.0/0 via a NAT gateway. The database has a security group that allows inbound traffic from the web server's security group.
The question asks: Is the database publicly accessible?","why_learners_choose_it":"Learners see the NAT gateway and think it provides some kind of public access. They also may confuse NAT with port forwarding, or they think that because the web server can reach the database, the internet can too."
,"how_to_avoid_it":"Remember that a NAT gateway does not allow inbound connections. The database is in a private subnet, so even though it can reach the internet outbound, no one can initiate a connection to it from the internet. The answer should be 'No, the database is not publicly accessible.'
The security group rules are irrelevant to internet accessibility in this context."
Commonly Confused With
A public subnet has a route to an internet gateway, allowing direct inbound and outbound internet traffic. A private subnet has no such route. The key difference is the route table, not the IP addresses or security groups.
A web server in a public subnet can be reached via a public IP, while a database in a private subnet cannot.
A NAT gateway is a service that enables outbound internet access for resources in a private subnet. It is not a subnet itself. Many learners confuse the NAT gateway's public IP with the private subnet being accessible.
A NAT gateway is like a receptionist who makes outgoing calls for employees but never gives out employees' direct phone numbers.
A security group is a stateful firewall that controls traffic at the instance level. A private subnet is a network segmentation at the infrastructure level. A security group cannot make a subnet private; it only filters allowed traffic to instances.
Putting a firewall on your apartment door does not make your apartment building's lobby private, you still need a locked building entrance.
A VLAN is a Layer 2 segmentation that separates broadcast domains on a switch. A private subnet is a Layer 3 concept involving IP routing. In on-premises networks, private subnets often run on VLANs, but they are different concepts.
VLANs are like separate rooms in a house; private subnets are like rooms that have no windows to the street.
A bastion host is a server in a public subnet used to securely manage instances in private subnets. It is not a subnet itself, but a tool to access private subnets. Learners often confuse the bastion host as being equivalent to a private subnet.
A bastion host is like a security guard who escorts you into the secure room; the room itself is the private subnet.
Step-by-Step Breakdown
Define your network requirements
Determine which resources must be publicly accessible and which must be isolated. For example, web servers need public access, databases do not. This guides subnet design.
Create a VPC with an IP range
Choose a CIDR block, typically from RFC 1918 private ranges, e.g., 10.0.0.0/16. This defines the overall address space for your virtual network.
Create subnets within the VPC
Divide the VPC IP range into smaller segments. For example, create a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. Subnets are logical subdivisions that map to Availability Zones for high availability.
Attach an internet gateway to the VPC
An internet gateway is a horizontally scaled, redundant component that allows communication between the VPC and the internet. It must be attached for any subnet to become public.
Configure route tables for each subnet
Create a public route table with a default route (0.0.0.0/0) pointing to the internet gateway. Create a private route table with no internet gateway route, or with a route to a NAT gateway for outbound access.
Associate subnets with their route tables
Explicitly associate the public subnet with the public route table and the private subnet with the private route table. This association determines the subnet's behavior.
Deploy a NAT gateway in the public subnet
A NAT gateway (or NAT instance) must be placed in a public subnet to allow resources in private subnets to initiate outbound internet connections. It requires an Elastic IP.
Update private route table with NAT gateway route
Add a route to 0.0.0.0/0 with the NAT gateway as the target in the private route table. This enables outbound internet access for private subnet resources.
Launch resources in appropriate subnets
Place publicly accessible resources (web servers, load balancers) in the public subnet. Place backend resources (databases, application servers) in the private subnet. Assign security groups to restrict traffic further.
Test connectivity and security
Verify that public resources can be reached from the internet. Verify that private resources can reach the internet outbound (if needed) and that no inbound internet traffic reaches them. Confirm security group rules allow only necessary traffic.
Practical Mini-Lesson
In practice, designing and managing private subnets requires understanding several moving parts. Let us walk through a real-world scenario using AWS as the platform, because it is the most common environment for certification questions.
First, you need to decide how many private subnets you need. A production application typically uses at least two private subnets in different Availability Zones for high availability. If your database is in one private subnet and that Availability Zone goes down, you lose access. By having a replica in another private subnet in a different AZ, you ensure continuity. This is why you often see a VPC with one public subnet in each AZ and one private subnet in each AZ.
Second, you must consider cost. Each NAT gateway costs roughly $0.045 per hour plus data processing charges. If you have a NAT gateway in each AZ for fault tolerance, you pay per NAT gateway. Some architects use a single NAT gateway for cost savings, but that creates a single point of failure. In exams, the trade-off between cost and high availability is a frequent topic. You might be asked to design a solution that minimizes cost while still providing internet access to private subnets. The correct answer is often to use a single NAT gateway shared across private subnets in multiple AZs, but you must understand that if that AZ fails, private resources lose internet access.
Third, security groups and network ACLs add layers of protection. A common best practice is to use security groups for stateful traffic filtering at the instance level and NACLs for stateless filtering at the subnet level. For a private subnet, you typically allow all inbound traffic from the VPC CIDR range in the NACL, and then rely on security groups to restrict inter-instance traffic. For example, the database security group might allow only port 3306 from the application server's security group. This way, even if another instance in the same private subnet is compromised, it cannot easily access the database.
Another practical consideration is DNS resolution. Resources in a private subnet need to resolve internal hostnames. In AWS, you can enable DNS resolution and DNS hostnames at the VPC level. Private subnets can use the VPC's internal DNS (Route 53 Resolver) to resolve private IP addresses. This is important for service discovery. If an application server needs to connect to a database using a DNS name, the name must resolve to the private IP of the database instance, not a public IP.
What can go wrong? One common issue is that the NAT gateway does not have an Elastic IP attached, or it is placed in a private subnet by mistake. Another issue is that the route table for the private subnet is correctly configured, but the security group on the NAT gateway (if using a NAT instance) blocks outbound traffic. In cloud environments, NAT gateways are managed services, so you do not have to worry about their security groups, but NAT instances require careful configuration.
Finally, you must understand the concept of 'keepalive' or 'idle timeout'. NAT gateways have an idle timeout of 350 seconds for TCP connections. If a resource in a private subnet maintains an idle connection to the internet for longer than that, the NAT gateway may drop the connection, requiring the application to re-establish it. This can cause issues with long-lived connections like database replicas or SSH sessions. Professionals often configure TCP keepalive packets to prevent timeouts.
working with private subnets is not just about clicking a checkbox. It involves designing for availability, cost, security, and performance. The best way to learn is to build a simple two-tier application in a cloud console and test the connectivity. You will quickly see how route tables, NAT gateways, and security groups interact. For exams, focus on the decision points: when to use NAT gateway vs NAT instance, how many NAT gateways, and how to troubleshoot connectivity.
Private Subnet Network Access Control Mechanics
In cloud networking, a private subnet is a segment of a virtual network where resources have no direct route to the public internet. This isolation is achieved by not attaching an internet gateway to the subnet's route table. Instead, traffic destined for the internet might be routed through a NAT gateway or NAT instance placed in a public subnet. The core principle is that instances in a private subnet can initiate outbound connections to the internet (for updates, patches, or API calls) but cannot receive unsolicited inbound connections from outside. This design is fundamental for security-sensitive workloads like databases, application servers, or internal microservices.
For AWS, a private subnet in a VPC uses a route table that has no default route (0.0.0.0/0) pointing to an internet gateway. Instead, the route table points to a NAT gateway or NAT instance for outbound traffic. In Azure, a private subnet is typically associated with a network security group (NSG) that blocks inbound traffic from the internet, and outbound traffic is often routed through a firewall or a NAT gateway. In Google Cloud, private subnets are part of a VPC network, and private Google access enables instances without external IPs to reach Google APIs.
This concept appears heavily in the AWS Certified Solutions Architect Associate (AWS SAA) exam, where you must decide when to use public vs. private subnets for different tiers. For example, a three-tier architecture places web servers in public subnets and application servers and databases in private subnets. The AZ-104 exam for Azure tests similar scenarios, emphasizing NSG rules and Azure Firewall integration. Security Plus and Network Plus focus on the security implications: private subnets reduce attack surface and are a best practice for isolating sensitive resources. The CCNA exam covers the routing aspects, where private IP addresses are combined with NAT to allow limited internet connectivity. Always remember that private subnets require a NAT device for outbound internet access, and this device must reside in a public subnet with an internet gateway.
Private Subnet NAT Gateway Costs and Performance Considerations
When deploying resources in a private subnet, the need for outbound internet connectivity often necessitates a NAT gateway, which incurs additional costs. AWS charges for NAT gateways per hour and per gigabyte of data processed. For high-throughput workloads, this cost can be significant. Each NAT gateway is tied to a specific Availability Zone and provides up to 45 Gbps of throughput. For redundancy, you can deploy one NAT gateway per Availability Zone, but this multiplies the cost. An alternative is a NAT instance (an EC2 instance configured as a NAT), which is cheaper but requires manual management and scaling.
Azure's Virtual Network NAT similarly incurs costs based on the number of NAT gateway resources and data processing. Google Cloud offers Cloud NAT, which is priced per hour plus data processing. Exam scenarios often test the trade-offs: for cost-sensitive environments with low traffic, a NAT instance might be acceptable; for production systems, a managed NAT gateway is preferred for availability and throughput. The AWS SAA exam frequently asks about optimizing NAT gateway costs by using a single shared NAT gateway for multiple private subnets in the same VPC, or by using VPC endpoints for AWS services instead of routing traffic through a NAT gateway to reduce data processing costs.
Performance is another key factor. NAT gateways can become a bottleneck if not sized correctly. In AWS, each NAT gateway supports up to 55,000 simultaneous connections to a single destination, but can handle millions of packets per second. However, if your workload involves heavy file transfers or streaming, the data processing charges can skyrocket. The AZ-104 exam might present a scenario where you need to decide between Azure Firewall (which includes NAT capabilities) and a standalone Azure NAT gateway. Similarly, the Google ACE exam tests the understanding that Cloud NAT supports dynamic port allocation and scales automatically. For the CCNA, you might configure NAT statically on a router to simulate private subnet internet access. Always consider both cost and performance when designing private subnets, and remember that using VPC endpoints for specific services (like S3 or DynamoDB) bypasses the NAT gateway entirely, reducing both latency and cost.
Private Subnet Security Groups and Network ACLs
Private subnets are not inherently secure just because they lack internet access. You must also implement stateful security groups and stateless network ACLs to control traffic within the VPC. In AWS, security groups act as virtual firewalls at the instance level, while network ACLs operate at the subnet level. For a private subnet, a typical security group rule might allow inbound traffic only from the public subnet's security group (for web servers to talk to app servers) and restrict all other inbound traffic. Outbound rules might allow all traffic to go to the internet via the NAT gateway, or restrict to specific destinations.
Network ACLs provide an additional layer of defense. For a private subnet, you might set inbound rules to allow traffic from the VPC CIDR range and deny all other inbound traffic. Outbound rules might allow traffic to the internet through the NAT gateway's IP. The difference between security groups (stateful) and network ACLs (stateless) is a classic exam question. Security groups track connection state, so if you allow inbound SSH from a specific IP, the return traffic is automatically allowed. Network ACLs require separate inbound and outbound rules. In AZ-104, you configure Azure Network Security Groups and Application Security Groups for private subnets, which are similar but integrated with Azure's virtual networking.
In the Security Plus exam, the focus is on the principle of least privilege. Private subnets should only allow traffic that is necessary for the application. For example, a database in a private subnet should only accept traffic from the application tier's security group, not from the entire VPC. The Network Plus exam tests understanding of subnetting and ACL placement, while the CCNA exam dives into configuring extended ACLs on routers to simulate private subnet access lists. The AWS SAA exam often presents a scenario where a security group rule is too permissive (e.g., all traffic from public subnet) and asks how to tighten it. Always configure security groups to reference other security groups (instead of IP addresses) for dynamic scaling, and use network ACLs as a defensive layer for broader subnet-level controls.
Private Subnet Use Cases in Exam Scenarios
Exam scenarios across multiple certifications consistently test the understanding of when to use private subnets versus public subnets. Common use cases include hosting databases that should never be directly accessible from the internet, running backend application servers that process sensitive data, and deploying internal load balancers. For example, in a typical AWS three-tier architecture: the web tier is in a public subnet with an internet gateway, the application tier is in a private subnet that only accepts traffic from the web tier's security group, and the database tier is in a separate private subnet with even stricter rules. The AWS SAA exam will ask you to design such an architecture, ensuring that you place the NAT gateway in the public subnet and configure route tables correctly.
In Azure, the AZ-104 exam tests the configuration of Azure SQL Database within a private subnet using Azure Private Link. This ensures that the database is not exposed to the public internet, even if misconfigured. The Google ACE exam includes scenarios where you use private Google access to allow private subnet instances to reach Google APIs without external IPs. For hybrid networks, private subnets are used for VPN-connected on-premises resources, where traffic passes through a virtual private gateway. The Network Plus exam covers the fundamentals of private IP addressing, while the CCNA exam tests routing protocols and NAT configuration for private subnets in a hybrid environment.
Another critical use case is the use of VPC endpoints (AWS Gateway Endpoint for S3 and DynamoDB, Interface Endpoints for other services) to keep traffic within the AWS network, avoiding the public internet and NAT gateways. The Security Plus exam emphasizes that this reduces exposure to threats like man-in-the-middle attacks. In exam questions, you might be given a scenario where an application in a private subnet needs to access S3. The correct answer often involves using a VPC endpoint rather than routing through a NAT gateway, as it is more secure and cost-effective. Always consider the full picture: private subnets are not just about hiding resources but about controlling the network path, reducing the blast radius, and complying with security frameworks like PCI DSS or ISO 27001.
Troubleshooting Clues
Private subnet instance cannot reach the internet
Symptom: An EC2 instance in a private subnet fails to download packages or access external APIs.
The private subnet's route table lacks a default route (0.0.0.0/0) pointing to a NAT gateway or NAT instance. Even if a NAT device exists, the route must be explicitly added.
Exam clue: The AWS SAA exam presents a scenario where an instance in a private subnet cannot reach the internet. The answer is to add a route to the NAT gateway in the subnet's route table.
NAT gateway in a private subnet
Symptom: NAT gateway creation fails or instances cannot reach the internet even with a route.
A NAT gateway must be deployed in a public subnet (one with an internet gateway route). If placed in a private subnet, it has no route to the internet itself.
Exam clue: Exam questions often test the requirement that NAT gateways must be in public subnets. The AZ-104 exam might ask about Azure NAT gateway placement relative to the subnet type.
Private subnet instance cannot communicate with other VPC resources
Symptom: An instance in a private subnet cannot reach an RDS database in a different private subnet within the same VPC.
Security groups or network ACLs might be blocking traffic. Check that the security group of the target resource allows inbound traffic from the source's security group or CIDR. Also verify VPC route tables have routes for all subnet CIDRs.
Exam clue: The Security Plus exam emphasizes that private subnets still need proper security group rules. A common error is allowing traffic from 0.0.0.0/0 instead of specific security groups.
Outbound traffic from private subnet bypasses NAT
Symptom: Traffic from a private subnet appears to come from a public IP that isn't the NAT gateway's Elastic IP.
The instance might have been assigned a public IP address directly (e.g., if the subnet's auto-assign public IP attribute is enabled). This would let the instance bypass the NAT gateway.
Exam clue: The AWS SAA exam tests that instances in private subnets should not have public IPs. If they do, they bypass security controls. Always use separate subnets for public and private resources.
NAT gateway becomes a bottleneck
Symptom: High latency or packet loss for traffic from private subnet to the internet during peak load.
Each NAT gateway supports up to 45 Gbps. If traffic exceeds this, you need to distribute across multiple NAT gateways in different Availability Zones. Also check for connection limits per instance.
Exam clue: The AWS SAA exam may ask about scaling NAT gateways. The answer is to deploy one per AZ and use a round-robin or random selection of NAT gateways from application instances.
Private subnet cannot access S3 through VPC endpoint
Symptom: Instances in private subnet fail to list S3 buckets despite a gateway endpoint configured.
The route table for the private subnet must include a route to the S3 prefix list via the VPC endpoint. The S3 bucket policy must trust the VPC endpoint.
Exam clue: The Security Plus exam tests that VPC endpoints are more secure than NAT gateways for AWS services. A common screw-up is forgetting to add the route for the prefix list.
Azure private subnet cannot reach on-premises via VPN
Symptom: Traffic from Azure private subnet to on-premises network fails despite VPN connection.
The subnet's network security group might be blocking traffic, or the route table does not have a route for the on-premises CIDR pointing to the VPN gateway. Also check the VPN gateway's BGP or static routes.
Exam clue: The AZ-104 exam tests that private subnets need User-Defined Routes (UDRs) for hybrid connectivity. A missing route is a typical fault scenario.
Google Cloud private subnet cannot reach internet via Cloud NAT
Symptom: Instances without external IPs in a private subnet cannot reach the internet, even though Cloud NAT is configured.
The Cloud NAT gateway must be associated with the correct region and subnet. Also, the VPC's route table must have a default route pointing to the Cloud NAT for that subnet.
Exam clue: The Google ACE exam often tests that Cloud NAT requires either a default route or a specific route for 0.0.0.0/0. Without it, private instances are fully isolated.
Memory Tip
Private subnet has No direct Route to the Internet, remember 'NRI' (No Route Inbound). Or think: P for Private = Protected from the public.
Learn This Topic Fully
This glossary page explains what Private subnet means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →SAA-C03SAA-C03 →200-301Cisco CCNA →N10-009CompTIA Network+ →AZ-104AZ-104 →ACEGoogle ACE →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →SC-900SC-900 →SOA-C02SOA-C02 →PCAGoogle PCA →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
The 24-pin motherboard connector is the main power cable that connects the computer's power supply unit (PSU) to the motherboard, supplying electricity to the motherboard and its components.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
A 3D printer is a device that creates physical objects by depositing layers of material based on a digital model.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
The 8-pin CPU connector is a power cable from the power supply that delivers dedicated electricity to the processor on a computer's motherboard.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.