Interview AWS

Difference between a public and a private subnet, and how does each reach the internet?

AWS · Basic level

Answer

A public subnet has a route to an internet gateway and can host internet-facing resources if public addressing and security rules allow it. A private subnet has no direct inbound internet path; it usually reaches outbound internet through NAT or uses private VPC endpoints.

Technical explanation

A subnet is public because of routing to an IGW, not because of its name; public IP assignment and security rules also matter.

In AWS networking, always separate placement, routing, and filtering: subnets place resources, route tables decide next hops, and SG/NACL rules filter traffic.

Design for failure domains by spreading public, private, and data subnets across multiple AZs and avoiding single-AZ dependencies where production availability matters.

Troubleshooting should follow packet flow: source, SG, NACL, route table, endpoint/NAT/IGW/TGW, destination SG, and service listener.

Hands-on example

1. Create a sandbox VPC with two AZs, public subnets, private subnets, route tables, IGW, NAT Gateway, security groups, and one VPC endpoint relevant to the topic.

2. Deploy a small test instance or pod in the correct subnet and validate routing with curl, traceroute where allowed, and VPC Flow Logs.

3. Change one control at a time - route, SG, NACL, endpoint policy, NAT, or TGW route - and observe exactly how connectivity changes.

4. Document the final production pattern as an architecture diagram plus a troubleshooting checklist.

Preparing for an interview?

Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.

More AWS interview questions

← All AWS questions