Private and public subnets

AWS defines two types of subnets that can be created within a VPC network – public and private. By design, the only difference that makes a subnet public rather than private is that instances running in a public network will be able to access the internet by default and also be made public by attaching a public or Elastic IPs to them. The public subnet would also be identified easily as it will have an IGW attached to it and a route for all addresses pointing to the IGW.

We can think of a public subnet as a sort of DMZ in classical network terms. The subnet is hidden from public view via a router (the IGW) with 1:1 DNAT rules attached that map the public or Elastic IPs to the IPs of our instances running in the subnet. 

Private networks are completely cut off from any access to the internet by default, but can communicate with any instances running in all subnets that exist in the VPC. We can also control the traffic between all subnets through the VPC's network access control lists (NACLs) and define rules that will prevent certain subnets from communicating from each other. Private subnets are also able to connect to other networks via a NAT gateway that will allow outbound traffic, as well as through a VPN Gateway or Direct Connect connection that will allow the private subnets to communicate without on-premise systems. 

This holds true for IPv4, but when we're using IPv6, there is no such concept as NAT due to the fact that all IPv6 addresses are global unicast addresses. This means that the only way to allow an IPv6 subnet to communicate with the internet is to attach an IGW to the subnet. All IPv6 addresses in a subnet with an IGW attached are inherently able to access the internet and instantly become accessible from the internet. But what if we want to keep our instances private and still communicate with the internet? For this purpose, AWS has introduced a so-called egress-only gateway that can be used to allow instances with IPv6 addresses to communicate with the internet, but does not allow any traffic into the subnet since ingress traffic is automatically blocked. This is an easy way of making an IPv6 subnet private.