Demystifying subnets in AWS

Demystifying subnets in AWS

The Beginning:

Hi there,

If you have ever created a VPC and added subnets to it, it must have been an overwhelming experience with thoughts in your mind going like this:

  1. Is the CIDR of this subnet part of VPC CIDR or not?

  2. Is the CIDR of this subnet overlapping with other subnets or not?

  3. Will this subnet have an Internet connection or not?

  4. Will this subnet's resources be publicly available?

  5. How to make this subnet private with no internet access?

  6. How to make this subnet private but with outbound internet access only?

Let's demystify subnets together in this journey! Ride along :)

Prerequisites: Basic understanding of AWS, VPC and subnets.

The Basics:

Let's go through the basics first:

  1. What is a subnet?

    • In easy terms, subnet is a grouping of IP addresses in your VPC.

    • It is completely up to you how to group IP addresses - you may create many subnets with a small IP address pool or a few subnets with a larger IP address pool.

    • While creating a subnet, you can configure it to have a public IP address or not. If public address allocation is enabled, then resources deployed in that subnet will be reachable via the internet[0].

    • While creating a subnet, you can configure it to have internet access or not. Or you may configure it to have only outbound access to the internet!

[0] In AWS, you also need an Internet Gateway attached to the subnet so that both outbound and inbound connections to/from the Internet can be made.

  1. What is CIDR?

    • In easy terms, CIDR is a representation of a sequential IP address pool.

    • So when someone says CIDR for a subnet - it means the range of IP addresses for this subnet.

    • CIDR block or range of IP addresses are represented via CIDR slash representation like: We will see some examples of how to easily calculate the range from this CIDR slash notation.

  2. What is an Internet gateway?

    • Let's say you have a Load Balancer in your subnet that needs to be reachable via Internet i.e publicly exposed. Then you can attach an internet gateway in your subnet to allow inbound connections to your loadbalancer. Note that you will need to assign a public address to your loadbalancer as well.

    • Also, note that your load balancer also has outbound access to the internet which might not be needed. You can restrict outbound access via security groups in AWS.

  3. What is NAT gateway?

    • NAT gateway is used to give internet outbound-only connections to your subnets.

    • Example - let's say you have a service deployed in a subnet that now has a use-case to use Google Sheets API. This means your subnet needs internet access but does not need an inbound connection from the Internet. We can attach a NAT gateway to your subnet.

    • But note that, NAT Gateway is just attached to your subnet but not deployed in your subnet. The actual location of the NAT Gateway should be inside another subnet which has an Internet Gateway attached to it.

Wait, what is the difference between Internet Gateway and NAT Gateway?

  • Internet Gateway allows instances with public IPs to access the internet.

  • NAT Gateway allows instances with no public IPs to access the internet.

How to create subnets?

In this section, we will cover 2 things:

  1. The Maths part on how to use CIDR notation (the fun part)

  2. Various types of subnets that are possible and their use cases.

The Math:

Important note: The assumption in these examples is that the CIDR slash notation IP address part (before slash) is always the minimum IP address value of that CIDR block.

CIDR range calculation:

  • Let's say you created a VPC with CIDR as, then a range of IP addresses for your VPC is:

  • When a bucket is assigned let's say 2 addresses, then while calculating CIDR range, min range value = (existing value from CIDR) and max range value = (existing value from CIDR + number of buckets assigned -1), example:

CDR slash notation calculation:

  • Now, Let's say we have to create a subnet in the above VPC with 512 IP addresses, the CIDR notation can be calculated as:


  • When a bucket is completely full, then you can choose any number from 0 to 255 to represent the CIDR notation but as a standard practice always choose 0 in this case.

Types of subnets:

We can configure subnets with a combination of 2 factors:

  1. Resources deployed in the subnet have Internet access (either via Internet or NAT gateway) or not?

  2. Resources deployed in the subnet get's Public IPv4 address automatically or not?

TypeInternet-enabled?Auto-assign Public IPv4 address?Examples
Private subnetNoNoStoring sensitive data, spinning up internal use only service.
Private Internet connected subnetYes (via NAT Gateway)NoBackend service talking to public APIs
Public subnetNoYesNo use case
Public Internet connected subnetYes (via Internet Gateway)YesDeploy publicly exposed Load balancers

The terminology above differs a little from AWS! In AWS docs, public subnet means public internet connected subnets.

The Conclusion:

I have attempted to explain the CIDR math calculation in easy to understand manner, along with different types of subnets.

Hope you like the explanation and it will help in setting up your VPC and subnets.

If you find any error or something that can be explained better, hit me up at

Thanks for reading !!

Did you find this article valuable?

Support Sagarpreet Chadha by becoming a sponsor. Any amount is appreciated!