What Is Public subnet in Networking?
On This Page
What do you want to do?
Quick Definition
A public subnet is a part of a network in the cloud or on-premises that is connected to the internet. Resources placed in a public subnet, like web servers, can be accessed from anywhere online. It is commonly used to host services that need to be reachable by users, such as websites or APIs. To be truly public, the subnet must have an Internet Gateway attached and resources must have public IP addresses.
Common Commands & Configuration
aws ec2 create-subnet --vpc-id vpc-0abcdef1234567890 --cidr-block 10.0.1.0/24 --region us-east-1Creates a new subnet within a specified VPC and CIDR block. This subnet is not yet public because it lacks a route table with an IGW route.
Tests ability to create a subnet as a prerequisite for making it public. The subnet will be private until you associate a route table with the IGW route.
aws ec2 create-internet-gatewayCreates an Internet Gateway that must be attached to a VPC to allow internet traffic. The IGW is a required component for public subnets.
Often the first step in making a subnet public. You must attach this IGW to the VPC before adding a route to it in the route table.
aws ec2 attach-internet-gateway --internet-gateway-id igw-0xyz --vpc-id vpc-0abcdefAttaches an existing IGW to a VPC. Without attachment, the IGW cannot be used even if listed in route tables.
Common exam trick: an IGW exists but is not attached, so subnet appears to have correct route but still cannot reach internet. Always check attachment state.
aws ec2 create-route --route-table-id rtb-0xy123 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-0xyzAdds a default route to an internet gateway in the route table. This is the defining configuration that makes a subnet public.
This command directly creates the public route. Without it, the subnet remains private even if auto-assign public IP is enabled. Tests understanding that a route to IGW is the key.
aws ec2 associate-route-table --route-table-id rtb-0xy123 --subnet-id subnet-0abc456Associates a route table with a subnet. The subnet inherits the routes from that table. If the table has 0.0.0.0/0 -> IGW, the subnet becomes public.
A subnet can only be associated with one route table at a time. In exams, they may test that a subnet accidentally has a route table pointing to a VPN instead of IGW, making it not public.
az network vnet subnet update --name public-subnet --resource-group MyRG --vnet-name MyVNet --route-table MyPublicRouteTableIn Azure, updates a subnet to use a custom route table. If the route table contains a route 0.0.0.0/0 with next hop 'Internet', the subnet becomes public.
For AZ-104, remember that Azure by default gives subnets internet access without explicit routes, but custom route tables can override. This command is used to secure or modify internet access.
gcloud compute networks subnets update public-subnet --region us-central1 --add-ipv4-ranges 10.10.1.0/24Updates a Google Cloud subnet with additional CIDR ranges. The subnet's public/private nature depends on its routes and firewall rules, not just this command.
Google ACE tests understanding that subnets are public by default due to the default internet gateway. This command is about modifying the address range, not the public status.
ip route 0.0.0.0 0.0.0.0 203.0.113.1Cisco IOS command to set a default route on a router, directing all internet-bound traffic to the next-hop IP (the ISP). This makes the associated subnet(s) public in a traditional CCNA context.
Used in CCNA to configure internet access for a network. Required for any subnet that needs to be publicly reachable. Tests knowledge of static routing for default routes.
Public subnet appears directly in 300exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Public subnets are a staple across major IT certification exams. In the AWS Certified Solutions Architect (SAA-C03), public subnets are explicitly tested under the domain of “Design Secure Architectures” and “Design Resilient Architectures.” You will see scenario questions where you must choose the correct subnet placement for a web server, a database, or a NAT gateway. Understanding how route tables, Internet Gateways, and security groups interact with public subnets is critical. The exam often presents a VPC diagram and asks you to identify the misconfiguration that prevents internet access.
For the CompTIA Network+ and CompTIA Security+ exams, public subnets appear in the context of network segmentation and defense-in-depth. Network+ covers subnetting, routing, and the difference between public and private IP addresses. Security+ focuses on the security implications of placing resources in public subnets. Both exams may include questions about where to place a firewall or a DMZ host. While the CompTIA exams are more vendor-neutral, the principles of public vs. private subnetting are directly applicable.
In the Cisco CCNA, public subnets relate to the concept of inside and outside interfaces in NAT configurations. CCNA candidates must understand how to configure a router to allow internal hosts to access the internet using NAT overload (PAT). While the CCNA does not use the term “public subnet” exactly, the idea of a DMZ network (which is functionally a public subnet) is tested. The exam may ask about placing a server in the DMZ for internet access while keeping internal hosts private.
For the Microsoft Azure Administrator (AZ-104), public subnets are part of virtual networking and network security. The exam tests your ability to create a VNet with public and private subnets, associate NSGs, and configure public IP addresses. You may need to troubleshoot why a VM in a public subnet cannot be reached from the internet. Azure does not use Internet Gateways in the same way as AWS, so it is important to know the specific Azure mechanisms (public IPs, NSG rules, and default routes).
The Google Cloud Associate Engineer (Google ACE) exam tests public subnets through VPC networking and firewall rules. You must understand that a subnet becomes public simply by having a VM with an external IP and allowing inbound traffic via firewall rules. Google ACE questions may focus on the differences between GCP and other clouds, such as the lack of explicit route table associations at the subnet level.
Across all these exams, public subnet questions commonly appear as multiple-choice scenarios where you must choose the correct configuration to allow internet access while maintaining security. Troubleshooting questions are also frequent. For example, you might be told that a web server is not reachable, and you have to determine whether the issue is a missing Internet Gateway, wrong route table, missing public IP, or restrictive security group. Mastering public subnets is therefore a high-yield study activity for any IT certification candidate.
Simple Meaning
Imagine you live in a large apartment building with many floors. Some apartments have doors that open directly to the street, so anyone can walk up and knock. Other apartments are tucked inside, reachable only through a locked lobby and an elevator. In cloud networking, a public subnet is like those street-facing apartments. It is a section of your virtual network that has a direct door to the internet. Any computer or server you place in a public subnet can be reached from anywhere in the world, provided it has the right permissions.
Think of your cloud network as a gated community. Inside the community, there are houses (servers) and streets (subnets). The public subnet is like a house with a front gate that opens directly to the main road outside the community. Anyone driving by can see the house and knock on the door. The private subnet is a house deeper inside, behind security gates and a guard booth, where only residents or invited guests can enter.
When you create a virtual network in Amazon Web Services, Microsoft Azure, or Google Cloud, you decide which parts of that network should be public and which should stay private. For example, you might put your web server in a public subnet so that visitors can load your website. But your database, which holds sensitive customer information, should go in a private subnet where no one from the internet can directly reach it.
The key to making a subnet public is adding an Internet Gateway. This is like a special door in the community wall that lets traffic flow in and out. Without that gateway, even if you give a server a public IP address, it cannot talk to the internet. You also need to set up routing tables, which are like maps that tell traffic which way to go. A public subnet has a route that sends all internet-bound traffic (0.0.0.0/0) to the Internet Gateway.
Another way to picture it: a public subnet is like a shop with its front door open during business hours. Customers can walk in, browse, and buy items. A private subnet is like the stockroom in the back. The stockroom has no door to the street. Employees access it through the shop floor. If a customer tried to go straight to the stockroom from outside, they would not find a way. This separation is critical for security. You want to expose only what is necessary, and keep your sensitive assets locked away.
In the real world, companies use public subnets for web servers, load balancers, and VPN endpoints. They use private subnets for databases, application servers that process orders, and internal services. Understanding public subnets is foundational for anyone studying cloud architecture, network security, or IT infrastructure. It shows up in every major cloud certification exam including AWS Solutions Architect, Microsoft Azure Administrator, and Google Cloud Associate Engineer.
Full Technical Definition
A public subnet is a logically isolated segment within a Virtual Private Cloud (VPC) or traditional TCP/IP network that has a route to the internet via an Internet Gateway (IGW) or equivalent device. In cloud environments such as AWS, Azure, and GCP, a subnet is considered public when its associated route table includes a default route (0.0.0.0/0) pointing to an Internet Gateway. Resources within a public subnet must also have a public IP address (either IPv4 or IPv6) assigned to them to be reachable from the internet.
In AWS, a VPC spans an entire region and consists of subnets within Availability Zones. To make a subnet public, you attach an Internet Gateway to the VPC, then create a custom route table with a route for 0.0.0.0/0 pointing to the IGW. You then associate that route table with the subnet. Resources launched in the subnet must have the auto-assign public IP setting enabled, or you must assign an Elastic IP manually. Without a public IP, the subnet is technically public in routing terms, but no resource can be reached from the internet.
In Microsoft Azure, the equivalent to a public subnet is a subnet within a virtual network (VNet) that is associated with a network security group (NSG) and has a route to the internet via the default system route. Azure automatically provides outbound internet access to all VMs through Source Network Address Translation (SNAT), but inbound access requires a public IP resource attached to the VM or a load balancer with a public frontend. Azure does not use an explicit Internet Gateway; instead, the VNet has a default route for 0.0.0.0/0 that goes to the internet. Public subnets in Azure are simply subnets where resources have public IPs and appropriate NSG rules allow inbound traffic.
Google Cloud Platform uses a similar model. A subnet in a VPC network can have resources with external IP addresses. GCP uses Cloud NAT for outbound-only access, but for inbound public access, a VM must have an external IP. The subnet itself does not have a separate route table concept in the same way as AWS; instead, routes are defined at the VPC level. Every VPC has a default route for 0.0.0.0/0 that points to the internet gateway, which is automatically provisioned when the VPC is created. A subnet in GCP is effectively public if resources within it have external IPs and firewall rules permit inbound traffic.
The routing mechanics are critical. When a packet leaves a resource in a public subnet destined for an internet host, the local route table sends it to the Internet Gateway. The IGW then performs NAT for IPv4 public IPs, translating the private IP to the public IP. For inbound traffic, the IGW receives the packet destined for the public IP, translates it to the private IP of the resource, and forwards it to the subnet. This process is transparent to the resource.
Network Access Control Lists (NACLs) and Security Groups (or NSGs in Azure) operate at the subnet and instance level respectively. For a public subnet to function, both must allow the desired inbound and outbound traffic. A common mistake is to have the correct route table but overly restrictive security groups, which blocks traffic. Conversely, having permissive security groups but no route to the IGW still results in no internet connectivity.
From a protocol standpoint, public subnets handle both IPv4 and IPv6 traffic. IPv6 traffic does not require NAT because global unicast addresses are inherently public. However, IPv4 traffic almost always uses NAT at the IGW. In AWS, an Internet Gateway supports both IPv4 and IPv6. In Azure, an Internet Gateway is not a separate component; the VNet handles both. In GCP, the default internet gateway handles both IP versions.
Public subnets are a foundational concept in cloud networking. They enable multi-tier architectures where front-end servers are exposed, while back-end services remain isolated. They also support load balancers, bastion hosts, and NAT gateways. Understanding how public subnets work with route tables, IGWs, and security layers is essential for designing secure, scalable cloud infrastructure. All major cloud certification exams test this concept thoroughly, often in scenario-based questions about network design and troubleshooting.
Real-Life Example
Imagine a busy city library with several sections. The library has a main entrance that opens directly onto the street. Anyone can walk in from the sidewalk without an appointment. That main entrance area is like a public subnet. It has a direct connection to the outside world. Now, inside the library, there are reading rooms, a children’s section, and a staff-only archive room. The archive room has a locked door and can only be accessed by employees with a key card. That archive room is like a private subnet. No public access is allowed.
Now let’s map this to IT. The library building itself is your Virtual Private Cloud (VPC). The main entrance door is the Internet Gateway. The sidewalk outside is the internet. Anyone on the sidewalk can walk through the main door into the lobby. That lobby is your public subnet. In the lobby, there is a information desk where visitors can ask questions. That desk is your web server. It is meant to be accessible to the public.
The staff-only archive room in the back is your private subnet. It contains sensitive records, like customer data or financial information. There is no door from the street to the archive room. The only way to get there is to enter through the main lobby, then go through an internal hallway, and finally unlock a secure door. That internal hallway is like a route through a NAT gateway or bastion host. Even if someone from the street tries to go straight to the archive room, they cannot because there is no direct path.
In this library, the route table is like a directory at the entrance that tells people where to go. If the directory says “All visitors go to the lobby”, that is the default route to the internet. If a visitor wants to go to the archive room, the directory says “No entry without a key card”. That is similar to a security group or network ACL that blocks traffic to the private subnet from the internet.
Now suppose the library decides to allow online book reservations. They install a computer terminal in the lobby that connects to the internet. That terminal has a public IP address, because it needs to receive requests from the internet. The archive room computers do not have public IPs. They only talk to the lobby terminal through internal network cables. This is exactly how a public subnet web server communicates with a private subnet database server.
This analogy also highlights security best practices. You would never put the archive room directly on the street. Similarly, you should never put a database server in a public subnet. The library uses locks, alarms, and staff badges to protect the archive. In cloud networking, you use security groups, network ACLs, and private IP addresses to protect private subnets. Understanding this real-world mapping makes the abstract concept of public subnets much easier to grasp for certification exams.
Why This Term Matters
Public subnets are the backbone of cloud-based service delivery. Without them, we would have no way to host websites, APIs, or any internet-facing application in the cloud. Every time you visit a website hosted on AWS, Azure, or GCP, you are connecting to a resource that likely resides in a public subnet. Understanding how public subnets work is not just theoretical; it directly impacts how you design, secure, and troubleshoot network architectures.
In a practical IT context, the decision to place a resource in a public versus private subnet determines its attack surface. A public subnet exposes resources to the entire internet, which is necessary for customer-facing services but also increases risk. Proper use of public subnets, combined with firewalls and security groups, allows organizations to minimize exposure while still delivering services. Misconfiguring a public subnet can lead to data breaches, unauthorized access, or service outages.
For cloud architects, public subnets are a fundamental building block. They are used in conjunction with load balancers, auto-scaling groups, and NAT gateways. For example, a common architecture places a public Application Load Balancer in a public subnet, which forwards traffic to web servers in private subnets. This design keeps the web servers themselves hidden from the internet, reducing the attack surface. Without understanding public subnets, you cannot implement this standard pattern.
From a career standpoint, cloud certifications almost universally test on public subnets. Whether you are studying for the AWS Certified Solutions Architect, Microsoft Azure Administrator, or Google Cloud Associate Engineer, you will encounter questions about subnet placement, internet gateways, route tables, and security. Mastering this concept gives you a strong foundation for more advanced topics like VPC peering, VPNs, and hybrid networking. Simply put, public subnets matter because they are one of the first and most important decisions you make when designing any cloud network.
How It Appears in Exam Questions
Exam questions about public subnets typically fall into three categories: scenario-based design, configuration troubleshooting, and conceptual understanding. In scenario-based design questions, you are given a business requirement and must choose the correct network architecture. For example: “A company wants to host a public-facing website in AWS while keeping its database isolated from the internet. Which subnet placement should you use?” The correct answer places the web server in a public subnet and the database in a private subnet. Distractors might include putting both in public subnets, or putting the web server in a private subnet with a NAT gateway. These questions test your understanding of the purpose of each subnet type.
Configuration troubleshooting questions present a misconfiguration and ask you to identify the root cause. A typical question: “A user launches an EC2 instance in a public subnet with a public IP, but cannot connect via SSH from the internet. What is the most likely issue?” Possible answers: missing route to the Internet Gateway, incorrect security group rules, missing NACL rules, or the instance has a private IP only. These questions require you to know the chain of components needed for internet connectivity: public IP, IGW, route table entry, and permissive security groups/NACLs.
Another common pattern involves multi-tier architecture questions. For instance: “You need to design a three-tier application with web, application, and database tiers. The web tier must be accessible from the internet. The application and database tiers must not be directly accessible. How should you configure the subnets?” Here, the web tier goes in a public subnet, while the application and database tiers go in private subnets. The application tier might need outbound internet access, so you would add a NAT gateway in a public subnet. These questions test your ability to apply the public/private subnet concept to a real architecture.
In Azure-specific questions, you might be asked: “You create a VM in a VNet subnet and assign a public IP. You can connect from the internet to the VM’s public IP. However, the VM cannot access the internet. What is the problem?” The answer: Azure automatically provides outbound access via SNAT, but if the VM has a public IP, it uses that IP for outbound traffic, and the issue might be a missing default route or a firewall rule. These questions emphasize understanding the default behavior of each cloud provider.
Finally, conceptual questions sometimes ask about the difference between public and private subnets, or the role of an Internet Gateway. For example: “Which component is required to make a subnet public in AWS?” The answer: an Internet Gateway attached to the VPC and a route table entry pointing to it. These questions are straightforward but require precise knowledge of the terminology. Being aware of these question patterns will help you approach exam questions with confidence.
Practise Public subnet Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a cloud architect for a small e-commerce company. The company wants to launch an online store using AWS. The store will have a web server that customers use to browse products and place orders. It will also have a database server that stores customer information and order details. The database must never be directly accessible from the internet to prevent data breaches. Your task is to design the network.
You create a VPC with the CIDR range 10.0.0.0/16. Inside this VPC, you create two subnets in the same Availability Zone. The first subnet uses the CIDR 10.0.1.0/24 and will be your public subnet. The second subnet uses 10.0.2.0/24 and will be your private subnet. You attach an Internet Gateway to the VPC and create a custom route table for the public subnet with a route 0.0.0.0/0 pointing to the Internet Gateway. You do not add any internet route to the private subnet’s route table. You then launch your web server EC2 instance in the public subnet with a public IP address. You launch your database server EC2 instance in the private subnet with only a private IP.
Now, customers can visit your website by connecting to the public IP of the web server. The web server can communicate with the database server using its private IP, because they are in the same VPC. The database server cannot be reached from the internet because it has no public IP and no route to the Internet Gateway. To further secure the setup, you configure security groups: the web server’s security group allows inbound HTTP and HTTPS traffic from anywhere, and the database server’s security group allows inbound traffic only from the web server’s security group. This arrangement keeps your customer data safe while still allowing the store to function.
Later, the company needs to apply security patches to the database server. Since the database server cannot access the internet directly, you set up a bastion host (jump box) in the public subnet. You SSH into the bastion host first, then from there you connect to the private database server. Alternatively, you could use a NAT gateway or AWS Systems Manager Session Manager. This scenario illustrates the standard design pattern that appears in many cloud certification exams. Understanding why the web server goes in the public subnet and the database in the private subnet is the key takeaway.
Common Mistakes
Putting a database server in a public subnet to make it easy to connect from the internet
Databases contain sensitive data. Placing them in a public subnet exposes them to the entire internet, increasing the risk of unauthorized access and breaches. This violates security best practices and many compliance standards like PCI DSS and HIPAA.
Always place databases in private subnets. Access them only through application servers in public subnets or via bastion hosts with strict access controls.
Thinking that a public IP address alone makes a subnet public
A subnet is only public if its route table has a default route (0.0.0.0/0) pointing to an Internet Gateway. Without that route, traffic cannot leave or enter the subnet to or from the internet, even if resources have public IPs.
Verify that the route table associated with the subnet includes a route for 0.0.0.0/0 pointing to an Internet Gateway. Ensure the Internet Gateway is attached to the VPC.
Assuming that private subnets cannot access the internet at all
Private subnets can access the internet indirectly using a NAT gateway or NAT instance placed in a public subnet. The private subnet traffic is routed to the NAT device, which then forwards it to the Internet Gateway. Outbound internet access is possible; inbound access from the internet is not.
If resources in a private subnet need outbound internet access (e.g., for software updates), deploy a NAT gateway in a public subnet and add a route in the private subnet’s route table pointing 0.0.0.0/0 to the NAT gateway.
Forgetting to allow inbound traffic in security groups or network ACLs for a public subnet resource
Even with a correct route table and a public IP, if the security group (or NSG) blocks inbound traffic, the resource will be unreachable from the internet. Both the stateful security group and stateless NACL must allow the traffic.
Check that the security group attached to the resource has inbound rules allowing the required traffic (e.g., HTTP on port 80, SSH on port 22). Also check the subnet’s NACL for inbound and outbound rules.
Using the main (default) route table for a public subnet without modifying it
The main route table in a VPC typically does not include a route to an Internet Gateway. If you do not create a custom route table and associate it with the public subnet, the subnet will not be public regardless of other settings.
Always create a custom route table for public subnets. Add a route 0.0.0.0/0 -> IGW, and explicitly associate that route table with the public subnet. Avoid relying on the default route table.
Confusing a public subnet with a DMZ in traditional networking
While both are network segments with some internet exposure, a DMZ typically involves a firewall that inspects traffic, whereas a public subnet in the cloud relies on security groups and NACLs. The concepts overlap but are not identical.
Understand that in cloud networking, a public subnet is a broader concept. You can achieve DMZ-like isolation by combining a public subnet with restrictive security groups and load balancers.
Exam Trap — Don't Get Fooled
{"trap":"A question describes an EC2 instance in a public subnet with a public IP, yet the instance cannot reach the internet. The distractor answer suggests the security group is blocking outbound traffic. The correct answer is that the route table does not have a route to the Internet Gateway."
,"why_learners_choose_it":"Learners often fixate on security groups because they are the most common cause of connectivity issues. They may forget that without a correct route table entry, traffic never reaches the Internet Gateway at all.","how_to_avoid_it":"Always check the flow of traffic step-by-step: first, verify the route table for a 0.
0.0.0/0 route to the IGW. Then check the Internet Gateway attachment to the VPC. Only after that should you check security groups and NACLs. Memorize the order: routing, then addressing (public IP), then filtering."
Commonly Confused With
A private subnet has no direct route to the internet. Resources in it cannot be reached from the internet and cannot initiate outbound internet traffic without a NAT gateway. Public subnets have a direct route via an Internet Gateway. The key difference is the presence of a default route to the IGW.
A web server in a public subnet can be visited by anyone. A database server in a private subnet can only be reached by the web server inside the same VPC.
A DMZ (demilitarized zone) is a network segment that sits between the internet and an internal network, typically with firewall controls on both sides. In cloud, a public subnet can serve as a DMZ, but the term DMZ implies more rigorous isolation and inspection. A public subnet is a broader concept without the implied firewall architecture.
A DMZ might host a web server with strict firewall rules allowing only HTTP traffic. A public subnet could host that same server but also allow other services if configured accordingly.
A bastion host is typically placed in a public subnet to allow secure administrative access to private subnets. The bastion subnet is itself a public subnet. However, not all public subnets contain bastion hosts. The difference is purpose: a bastion subnet is specifically for jump boxes, while a public subnet can serve many roles.
You might have a public subnet with a web server and a separate public subnet with a bastion host. Both are public, but one is for customer traffic, the other for admin access.
A NAT gateway is deployed in a public subnet to provide outbound internet access to private subnets. The NAT gateway uses an Elastic IP and routes traffic through the Internet Gateway. The subnet is public because it has a route to the IGW, but it is not meant for hosting public-facing workloads.
You create a public subnet specifically for a NAT gateway. This subnet’s only purpose is to allow private instances to download updates. You would not put a web server in this same subnet.
A VPC is the entire isolated virtual network. Subnets are subdivisions of a VPC. A public subnet is one type of subnet within a VPC. The VPC contains both public and private subnets, along with route tables, gateways, and other components.
Your VPC is like a building. The public subnet is the lobby, and the private subnet is the back office. They are both part of the same building but serve different purposes.
Step-by-Step Breakdown
Create a Virtual Private Cloud (VPC)
The VPC is your isolated network in the cloud. You define an IP address range (CIDR block) such as 10.0.0.0/16. All subnets you create will fall within this range. The VPC is the container for all your networking components.
Create subnets within the VPC
Divide your VPC IP range into smaller segments. For example, create a subnet with CIDR 10.0.1.0/24 for public resources and another with 10.0.2.0/24 for private resources. Subnets are tied to specific Availability Zones for high availability.
Attach an Internet Gateway (IGW) to the VPC
An Internet Gateway is a horizontally scaled, redundant component that allows communication between your VPC and the internet. It is a target for routes in your route tables. Without it, no internet traffic can enter or leave the VPC.
Create a custom route table for the public subnet
A route table contains rules (routes) that determine where network traffic is directed. For the public subnet, you add a route with destination 0.0.0.0/0 (all internet traffic) and target the Internet Gateway ID.
Associate the custom route table with the public subnet
Route table association links the route table to a specific subnet. Without explicit association, the subnet uses the main route table (which usually has no IGW route). This step makes the subnet behavior explicitly public.
Configure resource-level settings for public access
For resources like EC2 instances launched in the public subnet, you must enable auto-assign public IP or manually assign an Elastic IP. This gives the resource a public IPv4 address reachable from the internet.
Configure security groups and network ACLs
Security groups act as virtual firewalls at the instance level. Network ACLs act at the subnet level. For the public subnet to function, both must allow inbound traffic on the required ports (e.g., 80 for HTTP) and outbound traffic for responses.
Test connectivity
Launch a test instance in the public subnet and try to connect from the internet (e.g., via SSH or HTTP). If connectivity fails, verify each step: route table, IGW, public IP, security groups, and NACLs. This step validates your configuration.
Practical Mini-Lesson
In real-world cloud engineering, the public subnet is rarely used in isolation. It is almost always part of a multi-tier architecture. The most common pattern is to place a load balancer in a public subnet, which then distributes traffic to web servers in private subnets. This pattern enhances security because the web servers themselves are not directly exposed to the internet. The load balancer handles SSL termination and can also provide DDoS protection via services like AWS Shield or Azure DDoS Protection.
When configuring a public subnet, professionals must also consider high availability. In AWS, you should create at least two public subnets in different Availability Zones. This ensures that if one Availability Zone goes down, your load balancer and public-facing services remain available. The same principle applies to Azure and GCP, where you would use zone-redundant resources.
Another practical consideration is the use of Elastic IPs in AWS. Each public subnet resource that needs a static public IP can use an Elastic IP. However, Elastic IPs are a limited resource and incur charges if not used. Professionals often use load balancers instead of assigning individual public IPs to multiple instances. Load balancers provide a single public endpoint and handle traffic distribution automatically.
In Azure, you use a public IP address resource that can be assigned to a VM, a load balancer, or a VPN gateway. Azure public IPs can be dynamic or static. The choice affects cost and manageability. For production workloads, you almost always use a standard SKU public IP with a load balancer. In GCP, external IPs can be ephemeral (change on stop/start) or static (reserved). GCP also offers Cloud Load Balancing with a single anycast IP.
Security is a major concern for public subnets. You should never open all ports to the internet. Instead, use the principle of least privilege. For example, if you need to administer a web server, do not open SSH to 0.0.0.0/0. Instead, restrict SSH access to your office IP range or use a bastion host. Use security groups to allow only necessary traffic. Also, enable VPC Flow Logs to monitor traffic patterns and detect anomalies.
A common mistake in production is to place a NAT gateway in the same public subnet as web servers. While technically possible, it is better practice to create a separate public subnet for NAT gateways. This keeps the architecture clean and avoids accidental exposure of the NAT gateway’s public IP. Similarly, bastion hosts should be in their own public subnet with minimal security group rules.
Finally, professionals must understand the cost implications. Internet Gateways themselves are free, but data transfer out to the internet incurs charges. NAT gateways have hourly charges and data processing fees. Elastic IPs that are not attached to running instances also incur costs. A well-architected public subnet minimizes costs by using load balancers and consolidating public endpoints.
Troubleshooting public subnet issues often involves checking the correct order of components. Start with the route table, then the Internet Gateway attachment, then the public IP assignment, then security groups, and finally NACLs. Use tools like ping, traceroute, and telnet to test connectivity from the instance to the internet and vice versa. Cloud provider consoles also have Reachability Analyzer (AWS) or Network Watcher (Azure) to diagnose issues.
What Is a Public Subnet and Why Does It Matter?
A public subnet is a network segment within a Virtual Private Cloud (VPC) that has a direct route to and from the internet via an Internet Gateway (IGW). In cloud platforms such as AWS, Azure, and Google Cloud, a subnet is designated as public when its associated route table contains a default route (0.0.0.0/0) pointing to an internet gateway. This configuration allows resources launched within the subnet, such as EC2 instances, web servers, or load balancers, to be assigned public IPv4 or IPv6 addresses and to communicate with the internet without requiring a separate NAT device or VPN.
The primary purpose of a public subnet is to host internet-facing resources. For example, a web server running in a public subnet can serve web pages to users across the globe. Similarly, a bastion host or jump box placed in a public subnet allows administrators to securely access private subnets via SSH or RDP without exposing those private resources directly to the internet. Public subnets are a cornerstone of the well-architected network design known as the 'web-tier' or 'public-facing tier' in a multi-tier application architecture.
In exam contexts, understanding the relationship between a public subnet and an internet gateway is critical. Questions often test whether a subnet is public based on the route table configuration. For instance, if a route table for subnet A includes a 0.0.0.0/0 route pointing to an IGW and subnet A also has auto-assign public IP settings enabled, then subnet A is public. Without the IGW route, even if a resource has a public IP, it cannot reach the internet or be reached from the internet. This is a common trick point in AWS SAA, Network+, and CCNA exams.
public subnets require that the network ACLs and security groups allow inbound and outbound traffic for the intended services. For example, a public subnet hosting a web server must have security group rules allowing HTTP (port 80) and HTTPS (port 443) inbound from 0.0.0.0/0. Network ACLs should also permit ephemeral ports for return traffic. Overly restrictive ACLs can make a public subnet effectively private.
Public subnets are not just about cloud; the concept extends to on-premises and hybrid networks. In traditional CCNA networking, a public subnet refers to a subnet that uses globally routable IP addresses (as opposed to RFC 1918 private addresses). In Azure, a subnet is made public by associating it with a route table that has a default route to the internet via the Azure default gateway. In Google Cloud, a VPC subnet can have a default route to the internet if it is not configured to use a private Google access channel.
For exam purposes, remember that a public subnet is a subnet with a direct path to the internet. It is the opposite of a private subnet, which routes traffic through a NAT gateway or instance for outbound internet access but cannot be directly reached from the internet. This distinction is fundamental for security architectures, cost allocation, and network design scenarios across all the listed exams.
Security Considerations and Best Practices for Public Subnets
Public subnets inherently expose resources to the internet, so security is paramount. The primary defense layers are Security Groups (stateful firewalls at the instance level) and Network ACLs (stateless firewalls at the subnet level). Security groups should follow the principle of least privilege, allowing only the necessary ports and protocols. For example, a web server security group should allow inbound HTTP/HTTPS from 0.0.0.0/0 but restrict SSH access to a specific admin IP range or a bastion host in the same subnet.
Network ACLs act as a secondary stateless filter. Because they are stateless, you must explicitly allow both inbound and outbound rules for traffic to flow. A common mistake is forgetting to allow ephemeral ports (1024-65535) for return traffic, which can break connectivity. In exam questions, this often appears as a scenario where clients can connect but no data returns, and the correct answer is to check the NACL outbound rules.
Another best practice is to never place database servers or storage systems with sensitive data directly in a public subnet. Instead, use a private subnet for such resources and only allow access from the public subnet via internal IP addresses. This is a classic 'three-tier architecture' pattern: public subnet for the web tier, private subnet for the application tier, and another private subnet for the database tier.
For AWS exams specifically, remember that public subnets can have 'Auto-assign public IPv4 address' enabled, which automatically assigns a public IP to launched instances. However, a public IP alone does not make a subnet public; the route table must point to an IGW. On the other hand, even if auto-assign is disabled, you can manually assign Elastic IPs to instances, making them publicly reachable if the route table is properly configured.
In Azure, public subnets can be associated with a Network Security Group (NSG) that functions similarly to a security group. Azure also supports Application Security Groups for grouping VMs with similar security requirements. For the AZ-104 exam, you should know that a subnet is public if it has a default route to the internet (0.0.0.0/0 via virtual gateway or IGW), and that you cannot directly associate a public IP with a VM in a subnet that lacks internet connectivity.
Google Cloud’s VPC uses a slightly different model: by default, subnets have routes to the internet via the default internet gateway. You can make a subnet private by creating a custom route that blocks 0.0.0.0/0 or by using Private Google Access. In the Google ACE exam, you may be asked how to restrict internet access for instances while still allowing them to reach Google APIs. The answer often involves using Private Google Access with a private subnet.
Security best practices also include using AWS WAF or Azure WAF to protect web applications in public subnets, enabling VPC Flow Logs to monitor traffic, and deploying a bastion host in the public subnet for administrative access. Never expose RDP or SSH directly to the internet from a public subnet without multi-factor authentication or a VPN. These concepts are frequently tested in Security+ and CISSP (though not listed here) as well as in the specific cloud exams.
Finally, cost implications: data transfer out of a public subnet to the internet incurs charges. For AWS, you pay for data transfer out to the internet, but ingress is free. For Azure, both ingress and egress can have charges depending on the region. Understanding these costs is part of the AWS SAA and AZ-104 cost optimization domains. Best practice is to use a NAT gateway in a public subnet for private subnet outbound traffic, but be aware that NAT gateways themselves are billed per hour and per GB processed.
Configuring Routing for a Public Subnet: IGW, Route Tables, and NAT
The central configuration element of a public subnet is its route table. A route table is a set of rules, called routes, that determine where network traffic from the subnet is directed. For a subnet to be public, it must have a route in its associated route table that sends all traffic destined for the internet (0.0.0.0/0) to an Internet Gateway (IGW). This IGW is a horizontally scaled, redundant, and highly available VPC component that allows communication between the VPC and the internet.
In AWS, creating a public subnet involves three steps: first, create an IGW and attach it to your VPC. Second, create a custom route table and add a route for 0.0.0.0/0 pointing to the IGW. Third, associate that route table with the subnet. Optionally, enable auto-assign public IPv4 address on the subnet so that instances automatically receive public IPs. This process is tested heavily in the AWS SAA and Network+ exams, often in scenario-based questions where you need to identify why a newly launched instance cannot be accessed from the internet.
In Azure, the process is different but analogous. An Azure VNet (Virtual Network) has a default route table that includes a route to the internet. To make a subnet public, you simply assign a public IP to a VM or service in that subnet, and the Azure platform automatically handles the routing to the internet. However, you can also create custom route tables (User-Defined Routes, UDRs) to override default behavior. For example, you might force-tunnel all internet traffic through a firewall appliance. For the AZ-104 exam, you must know that you need to add 0.0.0.0/0 route pointing to the firewall (NVA) to make traffic go through it, which then makes the subnet effectively controlled.
Google Cloud's VPC uses a similar concept. Each subnet can have its own route table. By default, all subnets have a route to the internet because the default internet gateway is part of the VPC. To make a subnet private, you can create a route that blocks 0.0.0.0/0 or configure a private Google access. In the Google ACE exam, you might be asked to troubleshoot why an instance in a subnet cannot reach the internet even though it has a public IP. The answer might be that the subnet's route table lacks an internet gateway route or that the instance is in a subnet without an external IP assigned.
A common configuration that appears in exams is the use of a NAT Gateway or NAT Instance to provide internet access to instances in private subnets. The NAT Gateway must reside in a public subnet because it needs a direct path to the internet. Then, private subnets have a route 0.0.0.0/0 pointing to the NAT Gateway's private IP. This ensures that instances in private subnets can initiate outbound connections (e.g., for software updates) but cannot be reached directly from the internet. This architecture is a key concept for AWS SAA, Network+, and Security+ exams.
For CCNA, the concept of public subnet routing is more about static and dynamic routing protocols. A public subnet in a traditional network requires a default route on the router pointing to the internet service provider. This is analogous to the 0.0.0.0/0 route pointing to the IGW in cloud. In exam questions, you might need to configure a default route on a Cisco router for a subnet that needs internet access. The command would be 'ip route 0.0.0.0 0.0.0.0 [next-hop-IP]' or 'ip default-gateway' for a switch.
Misconfigurations in route tables are a common troubleshooting topic. For example, if you have multiple route tables associated with a subnet accidentally, or the route table points to a different IGW, connectivity fails. In exam questions, they often present a VPC with two IGWs (one attached, one not) and ask why a subnet is not reaching the internet. The correct answer is usually that the route table for the subnet does not have a route to the correct IGW, or the IGW is not attached to the VPC. Understanding the exact flow of packets from an instance to the internet is crucial for all these certifications.
Exam Scenarios and Troubleshooting Public Subnet Issues
Exams across AWS, Azure, Google, CompTIA, and Cisco frequently present scenario-based questions where you must diagnose and resolve issues related to public subnets. A common scenario: 'An administrator created a new EC2 instance in a VPC with public IP auto-assigned, but cannot SSH into it. What is the most likely cause?' The answer often involves checking the security group inbound rules (port 22 open to your IP) and the network ACL rules. When SSH still fails, the next step is to verify that the subnet's route table has a 0.0.0.0/0 route to an IGW.
Another classic issue is that an instance in a public subnet can reach the internet (e.g., can ping google.com) but cannot be reached from the internet. This typically points to a misconfigured security group or network ACL inbound rule, or that the instance does not have a public IP. In AWS, you can have a public IP assigned after launch by associating an Elastic IP, but if the subnet's route is missing, it still won't work. In exam questions, they may present a VPC Flow Log entry showing traffic being rejected, and you need to identify whether it's a security group deny (stateful) or a NACL deny (stateless).
A particularly tricky scenario involves the use of a NAT Gateway in a public subnet. Suppose a private subnet instance cannot access the internet. The NAT Gateway is in a public subnet and has an Elastic IP. The private subnet route points to the NAT Gateway. The issue could be that the NAT Gateway's security group (if used) is too restrictive, or the NAT Gateway's Elastic IP is not correctly allocated. For AWS exams, remember that NAT Gateways do not use security groups; they rely on network ACLs of the public subnet. So, check the NACL of the public subnet hosting the NAT Gateway.
For Azure, a common scenario is that a VM with a public IP in a subnet cannot be RDP'd into. The solution often involves checking the NSG inbound rules for port 3389 from the internet, and also verifying that the subnet is not part of a forced-tunneling configuration. If the subnet has a route 0.0.0.0/0 to a VPN gateway or a firewall, the inbound traffic might be blocked or misrouted. This is called 'asymmetric routing' and is a frequent exam trap.
In Google Cloud, a similar issue: 'An instance in a VPC has an external IP but cannot be reached from the internet.' The answer may be that the VPC has a firewall rule that denies ingress traffic from 0.0.0.0/0, or that the instance is in a subnet that is configured with Private Google Access and no internet route. Google ACE exams also test the concept of 'default deny' ingress firewall rules. All ingress traffic is denied unless explicitly allowed, so you must create a firewall rule allowing HTTP or SSH from the internet.
For CCNA and Network+, the scenarios often involve on-premises routers. For example, a PC in a public subnet cannot reach the internet. The troubleshooting steps include: check the default gateway configuration on the PC, verify the router's default route, check ACLs on the router interface, and confirm that the public IP is correctly assigned. These fundamentals are still tested in cloud exams, but with a cloud abstraction layer.
Another common issue is the 'curl localhost works but external does not' scenario. This tests the understanding that the instance's web server is listening on 127.0.0.1 or only on private IP. The solution is to bind the server to 0.0.0.0. In AWS exam questions, this may be presented as a configuration issue in the application's web server configuration file, not a networking issue.
Finally, remember that public subnets can also have IPv6. If IPv6 is enabled, the subnet can be public if it has a route to an egress-only internet gateway (for IPv6) or an internet gateway (for both IPv4 and IPv6). Troubleshooting IPv6 connectivity involves similar checks: route table, security groups, and network ACLs. In exams, they may ask why an instance with an IPv6 address cannot be reached. The answer might be that the subnet's route table does not have a route for ::/0 to the IGW, or that the security group does not allow IPv6 traffic.
Troubleshooting Clues
No internet access from instance in public subnet
Symptom: EC2 instance, Azure VM, or GCE instance cannot ping 8.8.8.8 or browse the web, even though it has a public IP.
The instance may have a public IP, but the subnet's route table lacks a 0.0.0.0/0 route pointing to an internet gateway (or equivalent). Alternatively, the network ACL or security group outbound rules are blocking traffic. In AWS, the route table must have the IGW route; in Azure, the subnet must not have a forced-tunneling route; in GCP, the firewall rule must allow egress.
Exam clue: Exam questions often present this as 'Instance in public subnet cannot reach the internet. What to check first?' The correct answer is to check the route table for a default route to an IGW.
Cannot SSH/RDP to instance in public subnet from the internet
Symptom: Connection timeout or 'No route to host' when trying to connect to the instance's public IP on port 22 or 3389.
Likely cause: security group inbound rule does not allow port 22/3389 from 0.0.0.0/0, or network ACL inbound rule denies the traffic. Also, verify the instance has a public IP assigned and the correct route exists. On AWS, if the subnet's 'auto-assign public IP' is disabled and no Elastic IP is associated, the instance will have no public IP even if the subnet is public.
Exam clue: Common scenario in AWS SAA and Security+: you launch an instance in a public subnet, assign a security group allowing SSH, but still cannot connect. The missed step is often that the network ACL rules need to allow inbound ephemeral ports for return traffic.
Traffic flows out but no response comes back (one-way connectivity)
Symptom: Instance can send packets (e.g., ping google.com shows 'Request timed out' but packets leave), or curl returns no response.
This is typical of a stateless firewall (network ACL in cloud, or ACL on a router) that blocks return traffic. For network ACLs, you must allow both inbound and outbound ephemeral ports (1024-65535). In security groups (stateful), the return traffic is automatically allowed, so this issue is almost always NACL-related.
Exam clue: Directly tests understanding of stateless vs stateful firewalls. Exam questions will ask: 'Why can the instance send but not receive?' and the answer involves checking outbound rules of the stateless ACL.
Public subnet's route table is correct but still no internet
Symptom: Route table shows 0.0.0.0/0 -> IGW, but instance cannot access internet. Security groups and NACLs allow all traffic.
Possible causes: The IGW is not attached to the VPC, or the IGW is attached to a different VPC. Also, the subnet may be associated with a different route table than expected (check the 'main' route table association). In Azure, the IGW equivalent (internet gateway) is automatic, but if you have a custom route overriding 0.0.0.0/0 to a VPN, that breaks internet. In GCP, the default route may be deleted or the firewall may deny egress.
Exam clue: This is a trick: the route looks correct but the IGW itself is not properly attached. The exam question will say 'The subnet has a route 0.0.0.0/0 to IGW, but still no internet. What is missing?' The answer is that the IGW is not attached to the VPC.
Multiple public IPs on one instance cause intermittent connectivity
Symptom: Instance has an Elastic IP and an auto-assigned public IP; sometimes traffic works, sometimes it fails.
AWS EC2 instances can have only one public IP (either auto-assigned or Elastic) at a time, not both. If both are present, the auto-assigned IP is released when an Elastic IP is associated, but confusion can lead to misconfiguration. In Azure, a VM can have multiple IPs with different effects on routing. The issue is typically that the instance is responding on both IPs but the route table expects only one.
Exam clue: Questions may ask: 'An instance has both a dynamic public IP and an Elastic IP. Why is connectivity inconsistent?' The answer: disassociate the Elastic IP or release the auto-assigned IP to have a single stable public IP.
Private subnet instances cannot reach internet via NAT gateway in public subnet
Symptom: EC2 instance in private subnet cannot download software updates or reach external APIs. NAT gateway is in public subnet and has an Elastic IP.
Common issues: The NAT gateway's subnet (public subnet) does not have a route 0.0.0.0/0 to an IGW, or the private subnet's route table does not have 0.0.0.0/0 pointing to the NAT gateway's private IP. Also, the NAT gateway's security group (if applied) might block traffic, but NAT gateways do not use security groups; they rely on NACLs. Finally, the NAT gateway may be in a different availability zone than the private subnet's instances, causing cross-zone costs but communication is still possible.
Exam clue: Exam question: 'A private subnet instance cannot reach the internet even though a NAT gateway is deployed. What is the likely cause?' The answer often is that the private subnet's route table is missing the 0.0.0.0/0 to the NAT gateway, or the public subnet's NACL does not allow outbound traffic.
Bastion host in public subnet cannot connect to private subnet instances
Symptom: SSH from bastion into private instance fails with 'Permission denied' or timeout.
This is usually due to private instance's security group not allowing SSH from the bastion's private IP or security group. Also, check the private subnet's route table: it should allow communication within the VPC (local route is automatic). If the bastion is in a different VPC, needs VPC peering or VPN. The NACL of the private subnet might also block inbound SSH from the bastion's source IP range.
Exam clue: Tests the principle of least privilege: allow SSH only from the bastion's security group, not from 0.0.0.0/0. Exam scenario: 'Bastion can ping private instance but cannot SSH. Why?' Answer: private instance's security group inbound rule for port 22 does not include the bastion's security group.
Memory Tip
Public subnet = IGW + route table with 0.0.0.0/0 to IGW + public IP on resource. Remember the three-legged stool: Route, Gateway, Address.
Learn This Topic Fully
This glossary page explains what Public subnet means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →200-301Cisco CCNA →N10-009CompTIA Network+ →AZ-104AZ-104 →ACEGoogle ACE →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →SC-900SC-900 →SOA-C02SOA-C02 →PCAGoogle PCA →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Quick Knowledge Check
1.Which configuration is required to make a subnet public in AWS?
2.A security engineer creates a public subnet in AWS VPC with an IGW attached. The route table has 0.0.0.0/0 -> IGW. An EC2 instance is launched with a security group allowing SSH from 0.0.0.0/0. The instance has an auto-assigned public IP. Still, SSH connections from the internet time out. What is the most likely cause?
3.In Google Cloud Platform, a VM instance in a VPC subnet has an external IP address but cannot be reached from the internet. Which of the following is the most likely reason?
4.An Azure VM with a public IP and NSG allowing RDP (port 3389) inbound from any source cannot be connected to. The VM is in a subnet that has a route table with a 0.0.0.0/0 route pointing to a VPN gateway. What is the problem?
5.A network administrator sets up a Cisco router for a subnet with public IP addresses. Hosts in the subnet cannot reach the internet. The router's configuration shows 'ip route 0.0.0.0 0.0.0.0 203.0.113.1'. What is missing?