2.1.2.2. Network Segmentation: Public vs. Private Subnets
💡 First Principle: Network segmentation isolates application components to limit security incident impact and precisely control data flow, enhancing overall system resilience.
Network segmentation within an Amazon VPC is a critical security and architectural best practice. It involves dividing your VPC into different subnets (network segments) based on the accessibility and sensitivity of the resources within them.
- Public Subnets: Directly routable to the internet, because their route table sends default (0.0.0.0/0) traffic to an Internet Gateway. Host internet-accessible resources like web servers, public load balancers, or public APIs. They allow both inbound and outbound internet traffic.
- Private Subnets: Not directly internet-routable; nothing on the internet can initiate a connection to them. Resources in private subnets reach the internet only outbound, via a NAT Gateway, and reach AWS services privately via VPC Endpoints without traversing the internet at all. They are ideal for sensitive resources like databases, application servers, or internal services, keeping them clear of direct internet exposure.
Key Concepts of Network Segmentation:
- Isolation: Separate components into public/private zones.
- Control: Define specific routes for internet access.
- Security: Protect sensitive resources from direct internet exposure.
Scenario: For a secure web application, place internet-facing web servers in a public subnet and sensitive database servers in a private subnet, preventing direct external access to critical data.
Visual: Public vs. Private Subnets in a VPC
⚠️ Common Pitfall: Placing databases directly in public subnets. This exposes them to the internet and is a major security vulnerability.
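The public/private distinction above is decided by a subnet's route table, and the pitfall just described is something you can check for mechanically. The script below is an added example, not part of the original material or any AWS tool: it classifies subnets as public (default route to an Internet Gateway), private (default route to a NAT Gateway) or isolated (no default route), honouring the fact that a subnet with no explicit association falls back to the VPC's main route table, and then flags any database placed in a public subnet. All resource ids and the workload inventory are constructed placeholders shaped like the EC2 DescribeRouteTables response; no AWS calls are made.

```python
# Constructed sample in the shape of an EC2 DescribeRouteTables response; all ids are placeholders.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-web"}, {"SubnetId": "subnet-db-oops"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-demo"}]},
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],  # implicit table for subnets with no explicit association
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
# Constructed workload inventory: subnet -> kind of resource deployed there.
WORKLOADS = {"subnet-web": "web", "subnet-app": "app",
             "subnet-db-oops": "database", "subnet-db": "database"}

def _tier(routes: list) -> str:
    """Derive a subnet's exposure from its default (0.0.0.0/0 or ::/0) routes."""
    tier = "isolated"  # no default route: no internet path at all
    for r in routes:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" and r.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"  # Internet Gateway: inbound and outbound
        if "NatGatewayId" in r:
            tier = "private"  # NAT Gateway: outbound only
    return tier

def classify_subnets(route_tables: list, subnet_ids: list) -> dict:
    """Map each subnet to public/private/isolated; unassociated subnets use the main table."""
    explicit, main_routes = {}, []
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("Main"):
                main_routes = rt["Routes"]
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt["Routes"]
    return {s: _tier(explicit.get(s, main_routes)) for s in subnet_ids}

def find_exposed(tiers: dict, workloads: dict, sensitive=("database",)) -> list:
    """Return subnets where a sensitive workload sits behind an Internet Gateway."""
    return sorted(s for s, kind in workloads.items()
                  if kind in sensitive and tiers.get(s) == "public")

if __name__ == "__main__":
    tiers = classify_subnets(ROUTE_TABLES, list(WORKLOADS))
    print(tiers, "exposed:", find_exposed(tiers, WORKLOADS))
```

Against real data, feed it the `RouteTables` list from `describe-route-tables` and a subnet-to-workload map built from your instance and RDS inventory.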
Key Trade-Offs:
- Accessibility (Public) vs. Security (Private): Public subnets allow internet access but are less secure for internal services. Private subnets are more secure but require NAT Gateways or VPC Endpoints for outbound internet access.
Reflection Question: How does segmenting your VPC into public and private subnets, along with using an Internet Gateway and NAT Gateway, directly contribute to the principle of least privilege and enhance overall cloud security?