Question 1

What's the difference between a private subnet and a public subnet?

Accepted Answer

A public subnet has a route to the internet (typically via an Internet Gateway) and is used for resources that must be reachable from the internet, like public load balancers or bastion hosts. A private subnet does not provide a direct inbound path from the internet; resources there are reached only from inside the network (other subnets, VPN, or private links). If private subnet resources need outbound internet access (for updates or calling external APIs), they usually use NAT or a firewall for controlled egress.

Question 2

When should I use a private subnet?

Accepted Answer

Use a private subnet for resources that should not be directly reachable from the internet, such as databases, internal APIs, message brokers, caches, and internal application tiers. It’s especially useful when you want defense-in-depth: expose only the minimum public entry points (like a load balancer) and keep everything else accessible only through internal networking or private connectivity.

Question 3

How much does a private subnet cost?

Accepted Answer

The subnet itself typically has no direct hourly cost in most clouds, but the components commonly used with private subnets can add cost. Key cost drivers include NAT services (e.g., AWS NAT Gateway, GCP Cloud NAT, Azure NAT Gateway), data processing and egress charges, firewall appliances/services, and additional load balancers or private endpoints. Costs depend on traffic volume, number of NAT gateways/instances, and cross-zone or internet egress usage.

Private Subnet

Definition

Real-World Example

Related Terms

Cloud Provider Equivalencies

Explore More Cloud Computing Terms