Public and Private Subnet Design

A Virtual Private Cloud (VPC) is your logically isolated network in AWS. Within it you carve out subnets, ranges of IP addresses tied to a single Availability Zone. How you divide a VPC into subnets is the first and most important security decision, because it determines what can reach what.

A public subnet has a route to an internet gateway, so resources in it can be reached from and reach the internet. A private subnet has no direct internet route. The distinction is defined entirely by the route table, not by any property of the subnet itself.