Private Subnet
Definition
A network segment without direct internet access, keeping resources hidden from external traffic for enhanced security and privacy.
Use Cases
- Netflix: Protecting stateful data services while serving a high-traffic public application — Netflix commonly uses AWS VPC designs where internet-facing services run behind load balancers in public subnets, while data stores and internal services are placed in private subnets without direct inbound internet routing. Private subnet instances reach external services via controlled egress (for example, NAT) and are accessed internally through security groups and service-to-service networking. (Reduced direct internet exposure of sensitive systems and improved security posture by limiting inbound paths to only approved internal traffic flows.)
- Airbnb: Separating public web tiers from backend services and databases — Airbnb has discussed AWS-based architectures that separate tiers within a VPC. A common pattern is placing web/front-door components behind load balancers while keeping databases and internal services in private subnets, reachable only from application tiers and administrative access paths (such as VPN/bastion). (Improved defense-in-depth by isolating critical backend components from direct internet access and simplifying network-based access control.)
- Capital One: Limiting exposure of sensitive workloads in a regulated environment — Capital One has publicly described using AWS with strong network segmentation patterns. A typical approach is to keep sensitive services (for example, databases and internal APIs) in private subnets and tightly control ingress/egress using security groups, NACLs, and centralized egress controls (NAT/firewall), while exposing only necessary endpoints through public-facing layers. (Stronger security controls aligned with compliance needs by reducing the attack surface and enforcing controlled network paths.)
Provider Equivalents
- AWS: Amazon VPC Subnet (private subnet pattern using route tables + NAT Gateway/Instance)
- Azure: Azure Virtual Network (VNet) Subnet (private subnet pattern using route tables + NAT Gateway/Azure Firewall)
- GCP: VPC Subnetwork (private subnet pattern using Cloud NAT and firewall rules)
- OCI: VCN Subnet (private subnet pattern using route tables + NAT Gateway)
Frequently Asked Questions
- What's the difference between a private subnet and a public subnet?
- A public subnet has a route to the internet (typically via an Internet Gateway) and is used for resources that must be reachable from the internet, like public load balancers or bastion hosts. A private subnet does not provide a direct inbound path from the internet; resources there are reached only from inside the network (other subnets, VPN, or private links). If private subnet resources need outbound internet access (for updates or calling external APIs), they usually use NAT or a firewall for controlled egress.
- When should I use a private subnet?
- Use a private subnet for resources that should not be directly reachable from the internet, such as databases, internal APIs, message brokers, caches, and internal application tiers. It’s especially useful when you want defense-in-depth: expose only the minimum public entry points (like a load balancer) and keep everything else accessible only through internal networking or private connectivity.
- How much does a private subnet cost?
- The subnet itself typically has no direct hourly cost in most clouds, but the components commonly used with private subnets can add cost. Key cost drivers include NAT services (e.g., AWS NAT Gateway, GCP Cloud NAT, Azure NAT Gateway), data processing and egress charges, firewall appliances/services, and additional load balancers or private endpoints. Costs depend on traffic volume, number of NAT gateways/instances, and cross-zone or internet egress usage.
Category: networking
Difficulty: intermediate
Related Terms
See Also