AWS VPC Subnets
Learn CIDR basics, understand public and private subnets, and see how AWS subnets map to Availability Zones inside a VPC.
Subnets divide a VPC into smaller IP ranges that align with Availability Zones. They are one of the first networking abstractions you touch in AWS because nearly every resource must live in a subnet. Good subnet design helps with isolation, scaling, and availability long before you start tuning route tables or security groups.
CIDR notation describes the size of the address range. A VPC might use 10.0.0.0/16, and then subnets carve that into smaller blocks such as 10.0.1.0/24 or 10.0.2.0/24. The smaller the prefix number’s host portion, the larger the available address pool. Planning ahead matters because changing subnet layout later is harder than starting clean.
| Example range | Typical use |
|---|---|
| 10.0.1.0/24 | Public app entry tier in one AZ |
| 10.0.11.0/24 | Private application tier in one AZ |
| 10.0.21.0/24 | Private database tier in one AZ |
Public versus private is about routing, not a special subnet checkbox. A subnet is commonly called public when its route table sends 0.0.0.0/0 traffic to an Internet Gateway and resources inside can receive internet traffic if other controls allow it. A private subnet lacks that direct inbound internet path and usually relies on NAT for outbound connectivity.
Each subnet belongs to exactly one Availability Zone. That means high availability requires creating equivalent subnets across multiple AZs, such as app-public-a and app-public-b. Load balancers, Auto Scaling groups, and managed databases often depend on that multi-subnet layout to spread or fail over cleanly.
Pair this lesson with AWS Global Infrastructure and AWS VPC Route Tables so the subnet plan matches the traffic design.
aws ec2 describe-subnets --output table
aws ec2 create-subnet --vpc-id vpc-1234567890abcdef0 --cidr-block 10.0.11.0/24 --availability-zone us-east-1a
Operational note
When network troubleshooting gets confusing, reduce the problem to layers: subnet placement, route table association, security group rules, and the presence of the correct gateway or endpoint. AWS networking becomes much easier to reason about when you verify those four items in order instead of changing everything at once. Shared standards like this make future environments easier to launch, review, and support.
CIDR basics
What does CIDR notation in a subnet definition describe?
AZ mapping
How many Availability Zones can a single AWS subnet span?