6.1.1. VPC Subnets, Route Tables, and Internet Access
💡 First Principle: A subnet's routing determines whether it's public or private, not its name. A subnet becomes "public" the moment its route table has a route to an internet gateway (IGW). A subnet with no IGW route is private, regardless of what you call it. Understanding this routing model is the foundation for all VPC troubleshooting.
VPC and Subnet Sizing:
| Concept | Detail |
|---|---|
| VPC CIDR | /16 to /28; typically /16 (65,536 IPs) for flexibility |
| Subnet CIDR | Must be within VPC CIDR; AWS reserves 5 IPs per subnet (first 4 + last 1) |
| AZ scope | Each subnet lives in exactly one AZ |
| Default VPC | Every region has one; subnets are public by default; useful for learning, not production |
What Makes a Subnet Public:
NAT Gateway: Allows instances in private subnets to initiate outbound internet connections (software updates, API calls) without being reachable from the internet inbound. The NAT gateway lives in a public subnet and has an Elastic IP. Private subnet route tables point 0.0.0.0/0 to the NAT gateway.
| NAT Gateway | NAT Instance |
|---|---|
| Managed by AWS | Self-managed EC2 |
| Scales automatically up to 45 Gbps | Limited by instance type |
| Highly available within AZ | Single point of failure |
| No security groups | Has security groups |
| Recommended for production | Legacy / cost-sensitive |
High-availability NAT: Deploy one NAT gateway per AZ, each in its own public subnet. Private subnets in each AZ route to their local NAT gateway. This prevents an AZ failure from affecting outbound internet access in other AZs.
Egress-Only Internet Gateway: the IPv6 equivalent of a NAT gateway; it allows IPv6 instances in private subnets to initiate outbound connections without receiving inbound IPv6 traffic.
⚠️ Exam Trap: NAT gateways are AZ-scoped: a NAT gateway in us-east-1a serves only instances whose route tables point to it. If you have one NAT gateway and route all private subnets through it, an AZ failure takes down outbound internet access for all private subnets, even those in healthy AZs. One NAT gateway per AZ is the HA pattern.
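To make the routing model and the AZ-scoping trap concrete, here is an added audit script (not from the original text) that classifies each subnet from its effective route table and flags private subnets whose default route points at a NAT gateway in a different AZ. The resource IDs and the dicts are constructed sample data in the shape of the EC2 DescribeSubnets / DescribeRouteTables responses; with boto3 the same functions can be fed `describe_subnets()["Subnets"]` and `describe_route_tables()["RouteTables"]`.

```python
"""Classify subnets as public/private from the 0.0.0.0/0 route and flag
cross-AZ NAT dependencies. Added example; all data below is constructed."""
# Constructed sample data with hypothetical resource IDs.
SUBNETS = [
    {"SubnetId": "subnet-a1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-a2", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-b1", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-b2", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-b3", "AvailabilityZone": "us-east-1b"},
]
NAT_GATEWAY_AZ = {"nat-a": "us-east-1a"}  # NatGatewayId -> AZ of its public subnet
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-a1"}, {"SubnetId": "subnet-b1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-a2"}, {"SubnetId": "subnet-b2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
]

def effective_route_table(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify(subnet, route_tables=ROUTE_TABLES, nat_az=NAT_GATEWAY_AZ):
    """Return (kind, detail); only the 0.0.0.0/0 route decides public vs private."""
    rt = effective_route_table(subnet["SubnetId"], route_tables)
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public", route["GatewayId"]  # IGW default route => public
        nat = route.get("NatGatewayId")
        if nat:  # private with outbound via NAT; warn if the NAT sits in another AZ
            if nat_az.get(nat) != subnet["AvailabilityZone"]:
                return "private-nat", f"cross-AZ dependency on {nat} in {nat_az.get(nat)}"
            return "private-nat", nat
    return "private-isolated", "no default route (falls back to main table?)"

def audit(subnets=SUBNETS):
    return {s["SubnetId"]: classify(s) for s in subnets}
```

In the sample data, subnet-b2 is the exam-trap case: it is private and routes through nat-a, which lives in us-east-1a, so a failure of that AZ cuts its outbound access even though us-east-1b is healthy.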
Reflection Question: An EC2 instance in a private subnet cannot reach the internet to download software updates. The NAT gateway exists in a public subnet. List the four routing and configuration items you would check, in order.