When planning workloads in AWS, you have flexibility in how you connect resources. You can request a VPC with public, private, and/or DB subnets, or choose not to deploy a VPC at all if your workload does not require one. This guide explains each option, its use cases, cost implications, and security considerations.

No VPC

Purpose
  • Some AWS services do not require a VPC, such as:
    • Amazon S3
    • AWS Lambda (when using public endpoints)
    • Amazon CloudFront
When to choose
  • Your workload does not need EC2 instances, RDS databases, or custom networking.
  • You rely on AWS-managed endpoints or global services.
Benefits
  • Simplifies architecture.
  • No NAT Gateway or cross-AZ data transfer costs.
Limitations
  • Cannot host EC2 or RDS resources without a VPC.

Public Subnets

Use Case
  • Internet-facing resources like:
    • Load balancers (ALB/NLB)
    • Bastion hosts
    • Public web servers
  • All VPCs are deployed with a public subnet.
Connectivity
  • Instances have public IPs.
  • Full inbound/outbound internet access via Internet Gateway.
Security
  • Inbound access must be restricted with security groups.
  • Best for edge services only.
Cost
  • No extra cost beyond standard VPC and internet gateway usage.

Private Subnets

Use Case
  • Application servers or internal services that should not be publicly reachable.
Connectivity
  • No public IPs.
  • Outbound internet access requires a NAT Gateway. See NAT Gateway section below.
  • IPv6 outbound-only via Egress-Only Internet Gateway.
Security
  • Strong isolation from the internet.
  • Access controlled via security groups and VPN/campus connectivity.
Cost

DB Subnets

Use Case
  • Amazon RDS database instances
Connectivity Modes
  • Isolated (Recommended): No internet routes. This has no impact on RDS control plane traffic or updates.
  • NAT: Outbound-only internet access. Requires private subnets and a NAT Gateway.
  • Public: Direct internet access (not recommended).
Security
  • Isolation is strongly preferred and appropriate for most RDS workloads.
  • Always configure security groups to limit access to only the necessary hosts/networks and ports.
Cost
  • NAT mode incurs NAT Gateway charges.

NAT Gateway Deployments

Private subnets are typically deployed with a NAT Gateway to enabled outbound internet access. There are two options for NAT gateway deployments.

Single Zonal NAT Gateway

A NAT gateway deployed in a single Availability Zone (AZ).

Pros
  • Lower cost: You pay for one NAT Gateway in a single AZ.
Cons
  • Single point of failure: If the AZ hosting the NAT Gateway goes down, all private subnet traffic loses internet access.
  • Cross-AZ Traffic: The private subnets in other AZs will incur additional charges and network latency for cross-AZ traffic with the NAT Gateway.
Use Cases
  • Non-critical workloads.
  • Development or test environments.
  • Cost-sensitive deployments where high availability is not required.

Regional NAT Gateway

A NAT Gateway that automatically scales in and out with one instance for each AZ hosting an elastic network interface (ENI).

Pros
  • High availability: Automatically spans multiple AZs, eliminating single-AZ failure risk.
  • Simplified routing: Private subnets in any AZ can use the same NAT Gateway without cross-AZ routing.
  • Better resilience: Ideal for production workloads requiring fault tolerance.
Cons
  • Higher cost: A regional NAT Gateway scaled out to three AZs can be up to 3x more expensive than a single zonal NAT Gateway.
  • Potential overkill: For small or single-AZ workloads, the extra cost may not justify the benefit.
  • Campus-to-Cloud VPN Prevents Scale-In: When campus-to-cloud connectivity is deployed in your account, an ENI is created in each AZ to provide resiliency. Due to the presence of the ENI in each AZ, the regional NAT Gateway remains fully scaled-out, regardless of whether actual workloads exist in those AZs.
Use Cases
  • Production environments.
  • Multi-AZ architectures.
  • Applications requiring strong uptime guarantees.

See Also

Last updated
Article number
11386