What’s the difference between a private and public subnet

amazon-elb, amazon-vpc, amazon-web-services, routing

For the purposes of learning, I'm trying to set up a public/private VPC in AWS without using the wizard, and I'm trying to determine how AWS decides whether a subnet is private or public.

For argument's sake, let's say I have in my VPC 1 IG, 2 routing tables, 2 ELBs, 4 instances, 4 subnets, and 2 availability zones.

[
    ig,
    routepub,
    routepriv (default),
    elbpub,
    elbpriv,
    { az1: [
      subnet1pub:  { range: "10.0.0.0/25",    instances: [ instance1pub  ] },
      subnet1priv: { range: "10.0.1.0/25",    instances: [ instance1priv ] }
    ] },
    { az2: [
      subnet2pub:  { range: "10.0.0.128/25",  instances: [ instance2pub  ] },
      subnet2priv: { range: "10.0.1.128/25",  instances: [ instance2priv ] }
    ] }
]

I have traffic coming from the greater internet to elbpub, which then balances across my availability zones to instance1pub and instance2pub. I have some internal application (say a database or some such) on instance1priv and instance2priv that only instance1pub and instance2pub can access, and traffic to these is balanced via elbpriv.

When I try to set this up, I am told that I must attach my Internet-Facing ELB to a public subnet. So, how does AWS decide if a subnet is public or private?

And more specifically, I understand that private means it must go through a NAT and public means it goes through the IG, but how do I set up and/or link up my route tables/security groups to reflect this so that it lets me get public traffic into my public elb?

Best Answer

The only difference between private subnets and public subnets is that the latter have connectivity to the Internet Gateway, established by the subnet's route table entry [ example: 10.0.10.0/24 ig-abcdef12 ].

So in your example you would put the ELB in front of the instances that are in the public subnet. For the record, you can also create an Internal Load Balancer [ for scenarios like web servers in a public subnet talking to app servers fronted by an ELB fully inside the VPC - private subnet ].
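As an added example (not part of the question or the answer above), the following script reproduces the rule the console applies when it labels a subnet "public": it looks at the route table the subnet is associated with, or the VPC's main route table when the subnet has no explicit association, and checks whether the default route 0.0.0.0/0 targets an internet gateway (igw-…), a NAT gateway or NAT instance (nat-…, i-…), or nothing at all. It then applies the placement check that produced the asker's error, "an internet-facing ELB must be in public subnets". The JSON is constructed to mirror the shape of `aws ec2 describe-route-tables` output for the four-subnet layout in the question; every ID and CIDR in it is made up.

```python
"""Classify VPC subnets as public / private / isolated from their route tables.

Added example, not code from the original post. The classification rule is
the one AWS itself uses: a subnet is "public" when its effective route table
has an active default route (0.0.0.0/0) whose target is an internet gateway.
A subnet with no explicit route-table association falls back to the VPC's
main route table (the question's "routepriv (default)").
"""
import json

# Constructed sample mirroring `aws ec2 describe-route-tables` output.
# rtb-0aaa... is explicitly associated with the two public subnets;
# rtb-0bbb... is the VPC's main table and routes 0.0.0.0/0 to a NAT gateway.
DESCRIBE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-0aaa000000000001",
      "VpcId": "vpc-0abc000000000001",
      "Associations": [
        {"Main": false, "SubnetId": "subnet-0aaa000000000001", "RouteTableId": "rtb-0aaa000000000001"},
        {"Main": false, "SubnetId": "subnet-0aaa000000000002", "RouteTableId": "rtb-0aaa000000000001"}
      ],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc000000000001", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-0bbb000000000001",
      "VpcId": "vpc-0abc000000000001",
      "Associations": [
        {"Main": true, "RouteTableId": "rtb-0bbb000000000001"}
      ],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc000000000001", "State": "active"}
      ]
    }
  ]
}
""")["RouteTables"]

# Constructed subnet inventory, mapped to the names used in the question.
SUBNETS = {
    "subnet-0aaa000000000001": "10.0.0.0/25",    # subnet1pub  (az1)
    "subnet-0bbb000000000001": "10.0.1.0/25",    # subnet1priv (az1, no explicit association)
    "subnet-0aaa000000000002": "10.0.0.128/25",  # subnet2pub  (az2)
    "subnet-0bbb000000000002": "10.0.1.128/25",  # subnet2priv (az2, no explicit association)
}


def route_target(route):
    """Return a route's target ID whichever field AWS used to express it."""
    for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId",
                "TransitGatewayId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return None


def effective_route_table(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(subnet_id, route_tables):
    """Return 'public', 'private' or 'isolated' based on the active default route."""
    rt = effective_route_table(subnet_id, route_tables)
    if rt is None:
        return "isolated"
    for route in rt.get("Routes", []):
        # Only an active 0.0.0.0/0 route counts; blackholed routes are ignored.
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        target = route_target(route) or ""
        if target.startswith("igw-"):
            return "public"
        if target.startswith(("nat-", "i-", "eni-")):  # NAT gateway or NAT instance
            return "private"
    return "isolated"


def check_load_balancer_subnets(scheme, subnet_ids, route_tables):
    """Subnets that violate placement for the given ELB scheme.

    AWS refuses an internet-facing load balancer in any subnet without an
    internet-gateway route (the error the asker hit). Internal load balancers
    are accepted in public subnets too; flagging them here is this example's
    own stricter policy, not an AWS rule.
    """
    wanted = "public" if scheme == "internet-facing" else "private"
    return [s for s in subnet_ids if classify_subnet(s, route_tables) != wanted]


if __name__ == "__main__":
    for sid, cidr in SUBNETS.items():
        print(f"{sid}  {cidr:<14} {classify_subnet(sid, DESCRIBE_ROUTE_TABLES)}")
    bad = check_load_balancer_subnets("internet-facing",
                                      ["subnet-0aaa000000000001", "subnet-0bbb000000000002"],
                                      DESCRIBE_ROUTE_TABLES)
    print("internet-facing ELB rejected subnets:", bad)
```

Two practical caveats follow from the rule. First, because unassociated subnets inherit the main route table, putting the 0.0.0.0/0 → igw route in the main table would silently make every new subnet public; keep the main table private (or route-less) and associate public subnets explicitly. Second, a public subnet only makes an instance reachable if it also has a public or Elastic IP and a security group that allows the traffic, which is how the asker's second question is usually answered: the internet-facing ELB's security group allows 80/443 from 0.0.0.0/0, the web instances' group allows inbound only from the ELB's group, and the database instances' group allows inbound only from the web instances' group (or the internal ELB's group), so nothing in the private subnets is ever exposed by routing alone.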