Network Segmentation Strategies: Public and Private Subnets

Determining network segmentation strategies (for example, using public subnets and private subnets)

This guide covers the architectural principles of designing secure Virtual Private Clouds (VPCs) on AWS, focusing on the strategic use of public and private subnets to protect application workloads.

Learning Objectives

  • Differentiate between public and private subnets based on routing and internet accessibility.
  • Calculate the number of usable IP addresses in a CIDR block, accounting for AWS-reserved addresses.
  • Design a multi-tier network architecture that separates web, application, and database layers.
  • Configure route tables to provide internet egress for private resources using NAT Gateways.
  • Evaluate the use of Security Groups and Network ACLs for defense-in-depth.

Key Terms & Glossary

  • VPC (Virtual Private Cloud): A logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network you define.
  • CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing (e.g., 10.0.0.0/16).
  • Internet Gateway (IGW): A horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
  • NAT Gateway (Network Address Translation): A service that enables instances in a private subnet to connect to the internet while preventing the internet from initiating a connection with those instances.
  • Route Table: A set of rules (routes) used to determine where network traffic from your subnet or gateway is directed.
  • Elastic Network Interface (ENI): A logical networking component in a VPC that represents a virtual network card.

The "Big Idea"

IMPORTANT: The Principle of Least Privilege (Network Edition): Network segmentation is the implementation of "Defense in Depth." By placing sensitive resources (like databases) in private subnets and only exposing necessary components (like load balancers) in public subnets, you reduce the attack surface of your infrastructure. If a public-facing web server is compromised, the attacker still faces a secondary network barrier before reaching the data layer.

Formula / Concept Box

Usable IP Address Calculation

For any CIDR block with prefix length $n$, the total number of addresses is $2^{(32-n)}$. However, AWS reserves 5 IP addresses in every subnet:

  1. .0: Network address.
  2. .1: VPC router.
  3. .2: Amazon-provided DNS.
  4. .3: Future use.
  5. .255: Network broadcast address, i.e. the last address of the subnet (.255 only for a /24; a /26 ends at .63). VPCs do not support broadcast, but the address is still reserved.

Formula: $\text{Usable IPs} = 2^{(32-n)} - 5$

CIDR Prefix   Total IPs   AWS Usable IPs   Common Use Case
/24           256         251              Standard Subnet
/28           16          11               Small specialized subnet
/16           65,536      65,531           Standard VPC Size

Hierarchical Outline

  • I. VPC Fundamentals
    • CIDR Range Selection: Must be between /16 and /28.
    • Secondary CIDRs: VPCs can have multiple blocks; subnets must stay within one block.
  • II. Subnet Segmentation
    • Public Subnets: Defined by a route to an Internet Gateway (IGW) in their route table. Host ELBs and NAT Gateways.
    • Private Subnets: No direct route to IGW. Access the internet via a NAT Gateway located in a public subnet.
  • III. Security Controls
    • Security Groups (SGs): Stateful firewalls at the instance/ENI level. (Rules: Allow only).
    • Network ACLs (NACLs): Stateless firewalls at the subnet level. (Rules: Allow and Deny).
  • IV. High Availability
    • Multi-AZ Deployment: Subnets are bound to a single Availability Zone (AZ). Replicate subnets across AZs for fault tolerance.

Visual Anchors

Network Traffic Flow

[Diagram not rendered in this text version.]

Architectural Diagram (2-Tier)

\begin{tikzpicture}[node distance=2cm, every node/.style={font=\small}]
  % VPC boundary
  \draw[thick, dashed] (0,0) rectangle (8,5) node[pos=0.9, above] {VPC (10.0.0.0/16)};
  % Public subnet (top) and private subnet (bottom)
  \draw[fill=blue!10] (0.5,2.8) rectangle (7.5,4.5) node[pos=0.5, above=15pt] {Public Subnet (10.0.1.0/24)};
  \draw[fill=green!10] (0.5,0.5) rectangle (7.5,2.2) node[pos=0.5, above=15pt] {Private Subnet (10.0.2.0/24)};
  % Components
  \node[draw, rounded corners, fill=white] (LB) at (4,3.5) {Load Balancer};
  \node[draw, rounded corners, fill=white] (DB) at (4,1.2) {RDS Database};
  % Only the database port crosses the subnet boundary
  \draw[<->, thick] (LB) -- (DB) node[midway, right] {Port 3306};
\end{tikzpicture}

Definition-Example Pairs

  • Public Subnet
    • Definition: A subnet whose route table directs traffic to an Internet Gateway.
    • Example: Hosting an Application Load Balancer (ALB) that receives HTTPS requests from global users.
  • Private Subnet
    • Definition: A subnet whose route table does not contain a route to an IGW.
    • Example: Hosting an Amazon RDS MySQL instance that should only be reachable by the application servers.
  • Stateless Filtering
    • Definition: A security mechanism that evaluates every packet individually and requires separate rules for inbound and outbound traffic.
    • Example: Using a Network ACL to block a specific malicious IP range from even reaching the subnet.
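
The stateful/stateless distinction in the Security Controls outline and the Stateless Filtering pair above is easiest to see by simulating both filters on one HTTP exchange. The following is an added example written for this guide, not AWS code: it models a Security Group as allow-only rules plus a connection table, and a Network ACL as numbered allow/deny rules evaluated per packet with a default deny. The client and server addresses, ports and rule numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The reply packet of this packet (source and destination swapped)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str
    port_from: int
    port_to: int
    cidr: str            # inbound rules match the source range, outbound rules the destination range
    action: str = "allow"
    number: int = 0      # NACL evaluation order (lowest first); unused for Security Groups


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """AWS rules match the packet's destination port and the remote-side address."""
    remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    return (rule.proto == pkt.proto
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr))


class NetworkAcl:
    """Stateless: every packet is judged on its own; first matching rule number wins; default deny."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        for rule in self.rules[direction]:
            if _matches(rule, pkt, direction):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Stateful: allow-only rules plus a connection table, so replies to permitted flows pass automatically."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.established = set()

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        if pkt.reverse() in self.established:   # reply to a flow we already allowed
            return True
        if any(_matches(r, pkt, direction) for r in self.rules[direction]):
            self.established.add(pkt)
            return True
        return False


# Constructed flow: an internet client talks to a web server inside the subnet on port 80.
REQUEST = Packet("203.0.113.10", 51515, "10.0.1.20", 80)
RESPONSE = REQUEST.reverse()


def security_group_round_trip() -> tuple:
    """Inbound 80 allowed, no outbound rule at all: the reply still passes because the SG is stateful."""
    sg = SecurityGroup(inbound=[Rule("tcp", 80, 80, "0.0.0.0/0")], outbound=[])
    return sg.evaluate(REQUEST, "inbound"), sg.evaluate(RESPONSE, "outbound")


def nacl_round_trip(with_ephemeral_rule: bool) -> tuple:
    """The NACL needs an explicit outbound rule for the ephemeral port range or the reply is dropped."""
    inbound = [Rule("tcp", 80, 80, "0.0.0.0/0", number=100)]
    outbound = [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)] if with_ephemeral_rule else []
    acl = NetworkAcl(inbound, outbound)
    return acl.evaluate(REQUEST, "inbound"), acl.evaluate(RESPONSE, "outbound")


def nacl_deny_range_first(blocked_cidr: str = "198.51.100.0/24") -> bool:
    """The guide's 'block an IP range at the subnet edge' pattern: a lower-numbered deny beats a later allow."""
    acl = NetworkAcl(
        inbound=[Rule("tcp", 0, 65535, blocked_cidr, action="deny", number=50),
                 Rule("tcp", 80, 80, "0.0.0.0/0", number=100)],
        outbound=[])
    return acl.evaluate(Packet("198.51.100.7", 40000, "10.0.1.20", 80), "inbound")


if __name__ == "__main__":
    print("SG  request/response:", security_group_round_trip())        # (True, True)
    print("NACL without ephemeral rule:", nacl_round_trip(False))        # (True, False)
    print("NACL with ephemeral rule:", nacl_round_trip(True))            # (True, True)
    print("NACL deny range first:", nacl_deny_range_first())             # False
```

This is why Checkpoint Question 3 is answered "no" for Security Groups but the same question for a Network ACL is "yes": a real default NACL already contains allow-all rules in both directions, and the missing-ephemeral-rule failure appears as soon as a custom NACL is locked down to specific ports.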

Worked Examples

Example 1: Calculating Available IPs

Scenario: You create a subnet with the CIDR block 10.0.5.0/26. How many instances can you launch?

  1. Calculate total IPs: $2^{(32-26)} = 2^6 = 64$.
  2. Subtract AWS reserved IPs: $64 - 5 = 59$.
  3. Result: 59 usable IP addresses.
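
As an added example for the Usable IP formula box and Example 1 (written for this guide, not AWS code), the function below validates a subnet CIDR with Python's standard `ipaddress` module, enumerates the five addresses AWS reserves, and returns the usable count. It goes slightly beyond the worked example by rejecting prefixes outside the /16 to /28 range the outline states and by reporting the reserved addresses for subnets that do not end in .255.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def reserved_addresses(cidr: str) -> dict:
    """The five AWS-reserved addresses of a subnet, keyed by the purpose listed in the guide."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),     # last address, .255 only for a /24
    }


def usable_ips(cidr: str) -> int:
    """Usable IPs = 2^(32-n) - 5, after checking the AWS subnet size limits (/16 to /28)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"AWS subnets must be between /16 and /28, got /{net.prefixlen}")
    total = 2 ** (32 - net.prefixlen)
    return total - AWS_RESERVED_PER_SUBNET


def capacity_table(cidrs) -> list:
    """(cidr, total, usable) rows, the same shape as the guide's CIDR table."""
    return [(c, 2 ** (32 - ipaddress.ip_network(c).prefixlen), usable_ips(c)) for c in cidrs]


if __name__ == "__main__":
    print(usable_ips("10.0.5.0/26"))                  # 59, as in Example 1
    print(reserved_addresses("10.0.5.0/26"))          # reserved block ends at 10.0.5.63
    for row in capacity_table(["10.0.1.0/24", "10.0.2.0/28", "10.0.0.0/16"]):
        print(row)
```

A /29 raises `ValueError` from `usable_ips`, and a CIDR such as `10.0.5.1/26` (host bits set) raises from `ipaddress.ip_network` itself; both are the mistakes that otherwise surface only when the subnet creation call fails.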

Example 2: Designing the Route Table

Scenario: A private instance needs to download security patches from the internet.

  • Requirement: The instance is in Private Subnet A.
  • Solution:
    1. Create a NAT Gateway in Public Subnet B.
    2. In the Route Table for Private Subnet A, add a route: 0.0.0.0/0 -> nat-gateway-id.
    3. Ensure Public Subnet B has a route: 0.0.0.0/0 -> igw-id.
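
The route-table rules in Example 2 and in the Subnet Segmentation outline can be checked mechanically. The following is an added example written for this guide, not AWS or boto3 code: it works on constructed data shaped like a trimmed-down `DescribeRouteTables` / `DescribeNatGateways` response (the `rtb-`, `subnet-`, `igw-` and `nat-` identifiers are placeholders), classifies each subnet as public, private or isolated from its routes, traces the egress path of a private subnet through the NAT Gateway, and flags two misconfigurations: a NAT Gateway placed outside a public subnet, and a sensitive subnet that has become public. Subnets that fall back to the VPC's main route table are not modelled.

```python
# Constructed sample data; IDs are placeholders, not real AWS resources.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-b",
     "Associations": [{"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-private-a",
     "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"}]},
    {"RouteTableId": "rtb-db-a",
     "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-placeholder", "SubnetId": "subnet-public-b"}]


def classify_route_table(rt: dict) -> str:
    """public: any route targets an Internet Gateway; private: egress via NAT; isolated: neither."""
    if any(r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"]):
        return "public"
    if any("NatGatewayId" in r for r in rt["Routes"]):
        return "private"
    return "isolated"


def classify_subnets(route_tables) -> dict:
    """Map each explicitly associated subnet to the tier implied by its route table."""
    tiers = {}
    for rt in route_tables:
        tier = classify_route_table(rt)
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:
                tiers[assoc["SubnetId"]] = tier
    return tiers


def egress_path(route_tables, nat_gateways, subnet_id: str, _seen=()) -> list:
    """Hops a 0.0.0.0/0 packet takes: e.g. private subnet -> NAT -> public subnet -> IGW."""
    by_subnet = {a["SubnetId"]: rt for rt in route_tables
                 for a in rt["Associations"] if "SubnetId" in a}
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    path = [subnet_id]
    rt = by_subnet.get(subnet_id)
    if rt is None or subnet_id in _seen:          # unknown subnet or routing loop: stop
        return path
    default = next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if default is None:
        return path                                # isolated: no internet egress at all
    if "NatGatewayId" in default:
        ngw = default["NatGatewayId"]
        return path + [ngw] + egress_path(route_tables, nat_gateways, nat_subnet[ngw],
                                          _seen + (subnet_id,))
    return path + [default["GatewayId"]]


def misplaced_nat_gateways(route_tables, nat_gateways) -> list:
    """A NAT Gateway only reaches the internet if its own subnet has an IGW route (Example 2, step 3)."""
    tiers = classify_subnets(route_tables)
    return [n["NatGatewayId"] for n in nat_gateways if tiers.get(n["SubnetId"]) != "public"]


def exposed_sensitive_subnets(route_tables, sensitive_subnet_ids) -> list:
    """Subnets holding databases must never carry a route to an Internet Gateway."""
    tiers = classify_subnets(route_tables)
    return sorted(s for s in sensitive_subnet_ids if tiers.get(s) == "public")


if __name__ == "__main__":
    print(classify_subnets(ROUTE_TABLES))
    print(egress_path(ROUTE_TABLES, NAT_GATEWAYS, "subnet-private-a"))
    print("misplaced NAT:", misplaced_nat_gateways(ROUTE_TABLES, NAT_GATEWAYS))
    print("exposed:", exposed_sensitive_subnets(ROUTE_TABLES, ["subnet-db-a"]))
```

Run against real account data, the same functions would take the `RouteTables` and `NatGateways` lists from the corresponding EC2 API calls; the classification rule is exactly the one the guide gives, so a subnet is public the moment any route in its table points at an `igw-` target, whatever its name or tags say.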

Checkpoint Questions

  1. What is the main difference between a public subnet and a private subnet in AWS?
  2. Why can't you launch 256 instances in a /24 subnet?
  3. If a Security Group allows inbound traffic on port 80, do you need to manually add an outbound rule for the response? Why or why not?
  4. In a three-tier architecture (Web, App, DB), which tiers should ideally be in private subnets?
  5. What is the purpose of a Bastion Host (or Jump Box)?

Answers
  1. A public subnet has a route to an Internet Gateway; a private subnet does not.
  2. AWS reserves 5 IP addresses for internal networking functions.
  3. No; Security Groups are stateful, so they automatically allow return traffic.
  4. The App and DB tiers should be private; the Web tier (or its Load Balancer) should be public.
  5. A Bastion Host allows administrators to securely SSH/RDP into instances in a private subnet from the internet.
