# Subnet Management
Public vs private subnets, availability zones, auto-assign IPs, subnet routing, and internet gateway.
Subnets divide a VPC into smaller network segments. They enable you to control routing, assign resources to specific availability zones, and separate public-facing from internal workloads.
## Public vs Private Subnets

### Public Subnets

Resources in a public subnet can:
- Receive inbound traffic from the internet (via an internet gateway)
- Send outbound traffic to the internet directly

Use cases: Load balancers, API gateways, bastion hosts, web servers

```text
Internet ──────► Internet Gateway ──────► Public Subnet (10.0.1.0/24)
                                                      │
                                                      ▼
                                               [Load Balancer]
                                               [API Gateway]
```
### Private Subnets

Resources in a private subnet:
- Cannot receive unsolicited inbound traffic from the internet
- Can send outbound traffic via a NAT gateway (if configured)
- Can communicate with other resources in the VPC

Use cases: Storage proxy, agent service, databases, Redis

```text
Private Subnet (10.0.2.0/24)
    │
    ├── [Storage Proxy] ──► NAT Gateway ──► Internet (for external APIs)
    ├── [Agent Service]
    └── [PostgreSQL]
```
## Availability Zones
Deploy subnets across multiple availability zones for high availability:
| Subnet | AZ | CIDR | Type |
|---|---|---|---|
| subnet-pub-1 | us-east-1a | 10.0.1.0/24 | Public |
| subnet-priv-1 | us-east-1a | 10.0.2.0/24 | Private |
| subnet-pub-2 | us-east-1b | 10.0.3.0/24 | Public |
| subnet-priv-2 | us-east-1b | 10.0.4.0/24 | Private |
If one AZ fails, resources in the other AZ continue to operate.
## Auto-Assign IPs
NFYio can automatically assign private IP addresses to resources when they’re launched in a subnet:
- Auto-assign enabled — Resources get an IP from the subnet’s CIDR range
- Auto-assign disabled — You must manually specify IPs
Enable auto-assign when creating a subnet:
```json
{
  "name": "private-subnet-1",
  "vpc_id": "vpc_abc123",
  "cidr_block": "10.0.2.0/24",
  "availability_zone": "us-east-1a",
  "auto_assign_ip": true,
  "public": false
}
```
## Subnet Routing

### Route Tables
Each subnet has an associated route table that determines how traffic is routed:
Public subnet route table:
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | internet-gateway |
Private subnet route table:
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | nat-gateway |
### Local Route
The local route ensures traffic within the VPC stays internal and is not sent to the internet gateway.
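The sections above describe several invariants a subnet plan has to satisfy: every subnet CIDR lies inside the VPC CIDR and overlaps no other subnet, each route table keeps VPC traffic local, public subnets default-route to the internet gateway while private subnets never do, and subnets are spread over more than one availability zone. The following Python script checks a plan against those rules before any API call is made. It is an added example, not NFYio code; the plan data is constructed from the tables on this page, and representing a route table as a `{destination: target}` dict keyed by subnet name is an assumption for the example.

```python
import ipaddress

# Constructed sample plan: the four subnets from the availability-zone table
# above, using the field names of this page's create-subnet request body.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [
    {"name": "subnet-pub-1", "cidr_block": "10.0.1.0/24", "availability_zone": "us-east-1a", "public": True},
    {"name": "subnet-priv-1", "cidr_block": "10.0.2.0/24", "availability_zone": "us-east-1a", "public": False},
    {"name": "subnet-pub-2", "cidr_block": "10.0.3.0/24", "availability_zone": "us-east-1b", "public": True},
    {"name": "subnet-priv-2", "cidr_block": "10.0.4.0/24", "availability_zone": "us-east-1b", "public": False},
]
# Route tables as {destination: target}, matching the two tables under "Subnet Routing" (assumed shape).
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "internet-gateway"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-gateway"}
ROUTE_TABLES = {s["name"]: (PUBLIC_RT if s["public"] else PRIVATE_RT) for s in SUBNETS}


def validate_plan(vpc_cidr, subnets, route_tables):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = []  # (name, network) of subnets already checked, for overlap detection
    for s in subnets:
        name = s["name"]
        net = ipaddress.ip_network(s["cidr_block"])
        # Every subnet CIDR must sit inside the VPC CIDR and must not overlap another subnet.
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside VPC {vpc}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
        # The route table must keep VPC traffic local and give the subnet the default
        # route its type calls for: internet-gateway for public, NAT (or none) for private.
        rt = route_tables.get(name, {})
        if rt.get(vpc_cidr) != "local":
            problems.append(f"{name}: missing local route for {vpc_cidr}")
        default = rt.get("0.0.0.0/0")
        if s["public"] and default != "internet-gateway":
            problems.append(f"{name}: public subnet default route is {default!r}, expected internet-gateway")
        if not s["public"] and default == "internet-gateway":
            problems.append(f"{name}: private subnet routes 0.0.0.0/0 to the internet gateway")
    # High availability needs subnets in more than one availability zone.
    if len({s["availability_zone"] for s in subnets}) < 2:
        problems.append("all subnets are in a single availability zone")
    return problems


if __name__ == "__main__":
    for p in validate_plan(VPC_CIDR, SUBNETS, ROUTE_TABLES) or ["plan OK"]:
        print(p)
```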
## Internet Gateway
An internet gateway allows bidirectional traffic between your VPC and the internet. It’s attached at the VPC level and referenced in public subnet route tables.
Creating an internet gateway (API):
```bash
curl -X POST https://api.yourdomain.com/v1/vpcs/vpc_abc123/internet-gateways \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "prod-igw"}'
```
Response:
```json
{
  "id": "igw_xyz789",
  "vpc_id": "vpc_abc123",
  "name": "prod-igw",
  "status": "attached"
}
```
## Creating a Subnet

### Via API
```bash
curl -X POST https://api.yourdomain.com/v1/subnets \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "private-app-1",
    "vpc_id": "vpc_abc123",
    "cidr_block": "10.0.2.0/24",
    "availability_zone": "us-east-1a",
    "public": false,
    "auto_assign_ip": true
  }'
```
### Via Console
- Go to Networking → VPCs → Select your VPC
- Click Add Subnet
- Enter name, CIDR block, availability zone
- Choose public or private
- Enable/disable auto-assign IP
- Click Create
## Next Steps
- Security Groups — Control traffic to resources in subnets
- Network ACLs — Subnet-level firewall rules
- VPC — VPC architecture and CIDR planning