Task Statement 1.2: Design secure workloads and applications.
📘AWS Certified Solutions Architect – (SAA-C03)
Network segmentation is a very important security concept in AWS. For the SAA-C03 exam, you must clearly understand:
- What network segmentation means
- How it works inside a Virtual Private Cloud (VPC)
- The difference between public and private subnets
- When and why to use each type
- How routing, gateways, and security controls support segmentation
- How to design secure architectures using these components
This topic appears frequently in scenario-based questions.
1. What Is Network Segmentation?
Network segmentation means dividing a network into smaller, isolated sections to improve:
- Security
- Control
- Performance
- Manageability
Instead of placing all resources in one large network, you separate them into logical groups.
In AWS, segmentation is mainly done using:
- VPCs
- Subnets (public and private)
- Route tables
- Internet Gateways
- NAT Gateways
- Security Groups
- Network ACLs
2. Understanding VPC (Virtual Private Cloud)
A VPC is a logically isolated virtual network inside AWS.
Inside a VPC, you define:
- IP address range (CIDR block)
- Subnets
- Route tables
- Gateways
- Security controls
Everything starts with proper VPC design.
3. What Is a Subnet?
A subnet is a smaller section of a VPC’s IP address range.
Each subnet:
- Exists inside one Availability Zone
- Is associated with exactly one route table (explicitly, or implicitly with the VPC's main route table)
- Can be public or private depending on routing
Subnets are the foundation of segmentation.
4. Public Subnet
A subnet is called public when:
- It has a route to an Internet Gateway
- Resources inside it can directly access the internet
To make a subnet public, you must:
- Attach an Internet Gateway to the VPC
- Add a route in the subnet’s route table: Destination 0.0.0.0/0, Target Internet Gateway
Typical Resources in Public Subnets
- Load balancers
- Bastion hosts
- Public-facing web servers
- NAT Gateways
Important Exam Concept
A subnet is NOT public just because:
- An EC2 instance has a public IP
It becomes public only if:
- Its route table points to an Internet Gateway
This is a very common exam trick.
5. Private Subnet
A subnet is called private when:
- It does NOT have a route to an Internet Gateway
- Resources inside it cannot be accessed directly from the internet
Private subnets are used for:
- Application servers
- Databases
- Internal services
- Backend processing systems
For example, databases should almost always be placed in private subnets.
6. How Private Subnets Access the Internet (Outbound Only)
Sometimes private resources need outbound internet access (for example, to download updates).
To allow this securely, AWS uses:
- NAT Gateway
How NAT Works
- NAT Gateway is placed in a public subnet.
- Private subnet route table points: Destination 0.0.0.0/0, Target NAT Gateway
- NAT Gateway sends traffic to Internet Gateway.
Result:
- Private resources can access the internet.
- Internet cannot initiate connections to them.
This is secure outbound access.
7. Secure Multi-Tier Architecture (Very Important for Exam)
Most secure AWS architectures follow a multi-tier design:
Tier 1 – Public Tier
- Load balancer
- Accepts internet traffic
Tier 2 – Application Tier (Private Subnet)
- Application servers
- No direct internet access
Tier 3 – Database Tier (Private Subnet)
- Databases
- Strictly internal communication only
This structure ensures:
- Only the load balancer is exposed
- Backend systems remain protected
8. Route Tables and Segmentation
Route tables control traffic flow.
Each subnet is associated with a route table.
Public subnet route table:
0.0.0.0/0 → Internet Gateway
Private subnet route table:
0.0.0.0/0 → NAT Gateway
Or no default route at all (fully isolated).
Exam Tip:
If a question says “resource should not be publicly accessible,” make sure:
- No route to Internet Gateway
- No public IP
- Security groups restrict access
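The rules in sections 6 and 8 above (a subnet is public only if its route table's default route targets an Internet Gateway, private if it targets a NAT Gateway, isolated if it has no default route, and a NAT Gateway only works from a public subnet) can be turned into an audit check. The following is an added example written for this study note, not AWS code. The dictionaries mirror the shape of `aws ec2 describe-route-tables` output (RouteTableId, Associations, Routes with GatewayId or NatGatewayId), but every ID and CIDR is constructed, and the NAT-gateway-to-subnet mapping is a made-up lookup rather than a real API call.

```python
"""Classify subnets from route tables and flag NAT gateways that are not in a
public subnet. Added example for this study note; input data is constructed."""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample: one VPC with a main table and two custom tables.
ROUTE_TABLES = [
    {   # Main route table: local route only. Subnets with no explicit
        # association use it implicitly, so they end up isolated.
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # Public table: default route to the Internet Gateway.
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub-a"},
                         {"Main": False, "SubnetId": "subnet-pub-b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc"}],
    },
    {   # Private table: default route to a NAT Gateway.
        "RouteTableId": "rtb-private",
        "Associations": [{"Main": False, "SubnetId": "subnet-app-a"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0def"}],
    },
]

# All subnets in the VPC; subnet-db-a has no explicit route table association.
SUBNETS = ["subnet-pub-a", "subnet-pub-b", "subnet-app-a", "subnet-db-a"]

# NAT gateway ID -> subnet it was created in (constructed; the second one is
# deliberately placed in a private subnet to show the misconfiguration).
NAT_GATEWAYS = {"nat-0def": "subnet-pub-a", "nat-0bad": "subnet-app-a"}


def route_table_for(subnet_id, route_tables):
    """Return the route table a subnet uses: its explicit association if one
    exists, otherwise the VPC's main route table (implicit association)."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(subnet_id, route_tables):
    """'public' if the default route targets an IGW, 'private' if it targets a
    NAT gateway, 'isolated' if there is no default route. Whether an instance
    in the subnet has a public IP plays no part in this decision."""
    rt = route_table_for(subnet_id, route_tables)
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"


def misplaced_nat_gateways(nat_gateways, route_tables):
    """A NAT gateway can only reach the internet if its own subnet routes to
    the IGW. Return the IDs of NAT gateways that are not in a public subnet."""
    return sorted(
        nat_id for nat_id, subnet_id in nat_gateways.items()
        if classify_subnet(subnet_id, route_tables) != "public"
    )


if __name__ == "__main__":
    for s in SUBNETS:
        print(f"{s}: {classify_subnet(s, ROUTE_TABLES)}")
    print("misplaced NAT gateways:", misplaced_nat_gateways(NAT_GATEWAYS, ROUTE_TABLES))
```

Run against the constructed data this reports the two `subnet-pub-*` subnets as public, `subnet-app-a` as private, `subnet-db-a` as isolated (it falls back to the main table, which has no default route), and `nat-0bad` as misplaced. In a real account the same functions could be fed the `RouteTables` list from `describe-route-tables` and a subnet lookup built from `describe-nat-gateways`.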
9. Security Groups vs Network ACLs in Segmentation
Segmentation is strengthened by security layers.
Security Groups
- Attached to EC2 instances
- Stateful
- Control inbound and outbound traffic
Network ACLs
- Attached to subnets
- Stateless
- Add extra control at subnet level
Exam Focus:
Security Groups are the primary protection layer.
Network ACLs provide additional filtering.
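The practical consequence of "stateful" versus "stateless" is that a security group only needs an inbound rule for a web flow, while a Network ACL needs an inbound rule for the request and an outbound rule for the reply to the client's ephemeral port, and NACL rules are evaluated in ascending rule-number order with the first match deciding. The following added example (written for this study note, not AWS code) models both controls with simplified rule dictionaries; the rule numbers and ports are constructed, and source/destination CIDR matching is left out to keep the model short.

```python
"""Stateful security group vs stateless NACL evaluation for a TCP 443 flow.
Added example for this study note; rule sets below are constructed."""

# AWS guidance: return traffic in a NACL must cover the ephemeral port range.
EPHEMERAL = (1024, 65535)

# Security group (stateful): inbound rules only; replies are tracked.
SG_INBOUND = [{"protocol": "tcp", "port": 443}]

# NACL (stateless): numbered rules per direction, lowest number wins, then the
# implicit '*' deny. Each direction is evaluated on its own.
NACL_BROKEN = {
    "inbound": [{"rule": 100, "action": "allow", "protocol": "tcp", "ports": (443, 443)}],
    "outbound": [],  # no ephemeral-port allow: every reply is dropped
}
NACL_FIXED = {
    "inbound": [{"rule": 100, "action": "allow", "protocol": "tcp", "ports": (443, 443)}],
    "outbound": [{"rule": 100, "action": "allow", "protocol": "tcp", "ports": EPHEMERAL}],
}
NACL_DENY_WINS = {
    # A lower-numbered deny shadows the allow at 100, so 443 is blocked.
    "inbound": [{"rule": 100, "action": "allow", "protocol": "tcp", "ports": (443, 443)},
                {"rule": 90, "action": "deny", "protocol": "tcp", "ports": (443, 443)}],
    "outbound": [{"rule": 100, "action": "allow", "protocol": "tcp", "ports": EPHEMERAL}],
}


def nacl_allows(rules, protocol, port):
    """Evaluate one NACL direction: ascending rule number, first match decides,
    no match means deny (the implicit '*' rule)."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        lo, hi = rule["ports"]
        if rule["protocol"] == protocol and lo <= port <= hi:
            return rule["action"] == "allow"
    return False


def nacl_flow_ok(nacl, dst_port, client_port):
    """A TCP flow through a NACL succeeds only if the request passes inbound
    AND the reply to the client's ephemeral port passes outbound."""
    request_ok = nacl_allows(nacl["inbound"], "tcp", dst_port)
    reply_ok = nacl_allows(nacl["outbound"], "tcp", client_port)
    return request_ok and reply_ok


def sg_flow_ok(inbound_rules, dst_port):
    """Stateful: if the inbound request matches an allow rule, the reply is
    permitted automatically, whatever the outbound rules say."""
    return any(r["protocol"] == "tcp" and r["port"] == dst_port for r in inbound_rules)


if __name__ == "__main__":
    client_port = 51515  # constructed ephemeral source port
    print("SG allows 443 flow:", sg_flow_ok(SG_INBOUND, 443))
    print("NACL without outbound ephemeral rule:", nacl_flow_ok(NACL_BROKEN, 443, client_port))
    print("NACL with outbound ephemeral rule:", nacl_flow_ok(NACL_FIXED, 443, client_port))
    print("NACL with deny at lower number:", nacl_flow_ok(NACL_DENY_WINS, 443, client_port))
```

The "broken" NACL is the classic exam trap: inbound 443 is allowed, yet clients see timeouts because the server's replies to ports 1024-65535 hit the implicit outbound deny. The deny-wins case shows why rule numbering matters when a NACL mixes allow and deny entries.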
10. Designing for High Availability
For the exam, always design across multiple Availability Zones.
Example:
- Public subnet in AZ1
- Public subnet in AZ2
- Private subnet in AZ1
- Private subnet in AZ2
This ensures:
- Fault tolerance
- High availability
- Better exam answer choice
11. Fully Isolated Subnets
Sometimes workloads must have:
- No internet access at all
- No NAT
- No Internet Gateway route
These are called isolated subnets.
Used for:
- Internal databases
- Highly secure systems
- Sensitive workloads
12. VPC Endpoints (Important for Secure Design)
Private subnets often need access to AWS services without using the internet.
For that, AWS provides VPC endpoints (gateway endpoints for S3 and DynamoDB, and interface endpoints for most other services).
Using VPC endpoints:
- Traffic stays inside AWS network
- No Internet Gateway needed
- More secure architecture
Exam Tip:
If a question says:
“Access S3 without using the internet”
Answer: Use VPC Gateway Endpoint for S3.
13. Common Exam Scenarios
You must recognize patterns.
Scenario 1:
Application must be publicly accessible but database must not.
Correct Design:
- Load balancer in public subnet
- EC2 in private subnet
- RDS in private subnet
- NAT Gateway for outbound updates
Scenario 2:
Backend servers must download patches but not accept internet traffic.
Answer:
- Place in private subnet
- Use NAT Gateway
Scenario 3:
Highly sensitive database with no external access.
Answer:
- Isolated private subnet
- No route to Internet Gateway
- No NAT
14. Key Security Principles Tested in Exam
You must understand:
1. Least Privilege Network Access
Only expose what is necessary.
2. Defense in Depth
Use:
- Subnets
- Security Groups
- NACLs
- IAM
3. Minimize Public Exposure
Only load balancers or bastion hosts should be public.
4. Separate Layers
Never place a database in a public subnet.
15. Quick Comparison Table
| Feature | Public Subnet | Private Subnet |
|---|---|---|
| Internet Gateway Route | Yes | No |
| Public IP Allowed | Yes | No |
| Direct Internet Access | Yes | No |
| Typical Resources | Load balancer | App servers, databases |
| Secure for Database? | No | Yes |
16. Important Exam Warnings
- A public IP alone does NOT make a subnet public.
- A NAT Gateway must be in a public subnet.
- An Internet Gateway is attached to the VPC, not to a subnet.
- A private subnet can still access the internet via NAT.
- Use VPC endpoints to avoid internet routing.
17. Final Exam Strategy
When reading a question:
- Identify which components must be internet-facing.
- Everything else should go into private subnets.
- Check route tables.
- Verify no direct internet access to databases.
- Ensure high availability across Availability Zones.
If an answer choice exposes unnecessary components to the internet → eliminate it.
Conclusion
Determining network segmentation strategies in AWS means:
- Designing VPC properly
- Separating public and private subnets
- Controlling routes
- Using NAT and Internet Gateway correctly
- Protecting backend systems
- Minimizing exposure
- Following least privilege and defense in depth
This is one of the most heavily tested security design topics in SAA-C03. Mastering public vs private subnet design will help you correctly answer many scenario-based exam questions.
