How does the auto-assign public IP setting affect private and public subnets?
So I'm just learning about AWS VPC networking. From what I understand, the main difference between a public subnet and a private subnet is whether or not traffic in that subnet can be routed to the Internet Gateway (through route table rules).

However, this doesn't seem to be the only difference between the two. I notice a public subnet would always have auto-assign public IP address enabled, while a private subnet would have it disabled.

So as a thought experiment I wonder what would happen if I disable the auto-assign feature in a public subnet, or enable it in a private subnet?

I can kind of guess that probably nothing would happen if I enable it in a private subnet because no traffic can be routed to the Internet Gateway anyway. So the auto-assigned IP addresses would simply go to waste.

But what about the first scenario? If I disable auto-assign in the public subnet, would the traffic still be able to be routed to the Internet Gateway and eventually to the Internet? Can I just create a NAT in that public subnet and route all Internet traffic to the NAT, so that we don't need to assign a public IP to all public instances? I know we can just move those instances to the private subnet and route them to the NAT, but I'm just curious whether we have to assign individual IP addresses to all instances in the public subnet, because that seems a bit unnecessary to me.

Relent answered 16/9, 2022 at 4:43 Comment(0)
From what I understand the main difference between a public subnet and private subnet is whether or not traffic in that subnet can be routed to the Internet Gateway (through route table rules).

This is correct.

However, this doesn't seem to be the only difference between the two. I notice public subnet would always have auto-assign public IP address enabled, while private subnets would have it disabled.

This is also correct. Any entity that wants to talk to another over the public internet needs a public IP.

When you use a public subnet, the IP that "comes out" of AWS is that of the network interface associated with the resource (e.g. EC2), whereas when you use a private subnet with a NAT gateway (since this is the only way to give internet connectivity to a private subnet), the IP that "comes out" of AWS is that of the network interface associated with the NAT gateway.

So as a thought experiment I wonder what would happen if I disable the auto-assign feature in a public subnet, or enable it in a private subnet?

If you were to disable the auto-assign feature in a public subnet, then any network interface created in that subnet (whether the one associated with an EC2 instance or the one associated with an elastic IP for a NAT gateway) will not have a public IP. This will indeed prevent traffic from going out to the internet.

If you were to enable the auto-assign feature in a private subnet, you wouldn't actually be impacting anything.

Markley answered 16/9, 2022 at 17:27 Comment(3)
Thanks Paolo! I also found this answer: #62085145 which explains part of my question. So if I remove the public IP of an instance in the public subnet, it can still route traffic to the internet gateway using its private IP, but the IGW won't be able to forward its traffic to the Internet because it doesn't have a public IP. – Relent
If it's got a public IP, then what's the point of the gateway? I thought the whole purpose of a gateway is to be a bridge between networks, to turn internal IPs into external IPs? – Tearjerker
@johnk are you asking about a NAT gateway? If your instance has a public IP then you certainly don't need a NAT gateway. – Markley
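The distinction the answer above draws, that routing (an active default route to an igw-* target) is what makes a subnet public, while the auto-assign flag only decides whether launched instances get an address the IGW can map, is easy to check programmatically. The script below is an added example written for this thread, not code from the original post or from AWS. It takes plain dicts in the shape boto3 returns from ec2.describe_route_tables()["RouteTables"], describe_subnets()["Subnets"] and the "Instances" entries of describe_instances(), resolves each subnet's effective route table (explicit association first, then the VPC's main table), classifies the subnet by routing, and then reports both thought experiments from the question: a public subnet with auto-assign off (instances launched there get no public IP and have no internet path, since their default route is the IGW rather than a NAT), and a private subnet with auto-assign on (public IPs allocated but unusable, and an exposure the moment someone adds an IGW route to that table). The IDs and addresses in the sample are constructed so it runs offline; an instance that was given an Elastic IP explicitly is included to show that the per-instance check looks at the address actually present, not the subnet flag.

```python
"""Audit VPC subnets: which ones are really public (active default route to
an internet gateway), and which auto-assign-public-IP settings or instance
addresses contradict that routing.

Added example, not code from the original thread. Inputs are dicts in the
shape boto3 returns (RouteTables / Subnets / Instances); the sample data at
the bottom is constructed so the script runs offline.
"""
from __future__ import annotations


def subnet_route_table(route_tables: list[dict], subnet: dict) -> dict | None:
    """Table governing a subnet: an explicit association wins, otherwise the
    VPC's main route table (the order AWS itself applies)."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(rt: dict | None) -> bool:
    """Public means an active 0.0.0.0/0 (or ::/0) route whose target is an
    internet gateway (igw-*). A NAT gateway target does not count."""
    if rt is None:
        return False
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if (dest in ("0.0.0.0/0", "::/0")
                and route.get("GatewayId", "").startswith("igw-")
                and route.get("State", "active") == "active"):
            return True
    return False


def classify_subnets(route_tables: list[dict], subnets: list[dict]) -> dict[str, bool]:
    """SubnetId -> True if public by routing, regardless of the auto-assign flag."""
    return {sn["SubnetId"]: has_igw_default_route(subnet_route_table(route_tables, sn))
            for sn in subnets}


def audit(route_tables: list[dict], subnets: list[dict], instances: list[dict]) -> list[dict]:
    """Findings where the auto-assign flag or an instance's addressing does not
    match what the subnet's routing can actually use."""
    is_public = classify_subnets(route_tables, subnets)
    findings: list[dict] = []
    for sn in subnets:
        auto = bool(sn.get("MapPublicIpOnLaunch", False))
        if is_public[sn["SubnetId"]] and not auto:
            findings.append({"id": sn["SubnetId"], "finding": "public-subnet-auto-assign-off",
                             "why": "new instances get no public IP; the IGW has nothing to map"})
        elif not is_public[sn["SubnetId"]] and auto:
            findings.append({"id": sn["SubnetId"], "finding": "private-subnet-auto-assign-on",
                             "why": "public IPs allocated but unreachable; becomes live exposure "
                                    "the moment an IGW route is added to this table"})
    for inst in instances:
        if inst.get("State", {}).get("Name") == "terminated":
            continue
        public_subnet = is_public.get(inst["SubnetId"], False)
        has_public_ip = bool(inst.get("PublicIpAddress"))  # auto-assigned or an attached EIP
        if public_subnet and not has_public_ip:
            findings.append({"id": inst["InstanceId"],
                             "finding": "instance-no-public-ip-in-public-subnet",
                             "why": "default route is the IGW, not a NAT; no internet path"})
        elif not public_subnet and has_public_ip:
            findings.append({"id": inst["InstanceId"],
                             "finding": "instance-public-ip-in-private-subnet",
                             "why": "address cannot be reached or used without an IGW route"})
    return findings


# Constructed sample (hypothetical IDs, RFC 5737 addresses), not real account data.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1111", "Routes": [LOCAL],
     "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1111", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-1111", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"}]},
]
SAMPLE_SUBNETS = [  # both thought experiments from the question, plus a sane control
    {"SubnetId": "subnet-pub", "VpcId": "vpc-1111", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv", "VpcId": "vpc-1111", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-main", "VpcId": "vpc-1111", "MapPublicIpOnLaunch": False},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-pubnoip", "SubnetId": "subnet-pub", "State": {"Name": "running"}},
    {"InstanceId": "i-pubeip", "SubnetId": "subnet-pub", "PublicIpAddress": "203.0.113.20",
     "State": {"Name": "running"}},  # EIP attached by hand: fine despite auto-assign off
    {"InstanceId": "i-privip", "SubnetId": "subnet-priv", "PublicIpAddress": "203.0.113.10",
     "State": {"Name": "running"}},
]


def run_sample() -> list[dict]:
    return audit(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS, SAMPLE_INSTANCES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['id']:<12} {f['finding']:<40} {f['why']}")
```

With real credentials you would replace the three SAMPLE_* lists with the corresponding boto3 responses (flattening Reservations into a list of instances) and run it per region. The classification deliberately ignores the subnet flag and looks only at the effective route table, because that is the property the rest of the network actually enforces; the flag and per-instance addresses are then compared against it.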
NAT is your one-way out to the internet: instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

-> This means that you still need to assign a public IP to your instance in order for a service outside of your VPC to access that instance.

Smallminded answered 16/9, 2022 at 4:56 Comment(2)
What if I create an Internet-facing ALB and have my instances registered to this ALB? Then they don't need to have a public IP and are still accessible from the Internet. – Relent
Look, there are a lot of ways to access an instance without a public IP, OK! But like I said, you assign a public IP to an instance when you want to DIRECTLY access that very instance from outside of your VPC, not by using an ALB or any proxy. Just answer me this simple question: how can you SSH to a public EC2? – Smallminded

© 2022 - 2024 — McMap. All rights reserved.