Think - with -Tech: Adding Subnets to AWS VPC

Saturday, November 1, 2025

Adding Subnets to AWS VPC | Deep Dive & Hands-On.

A deep dive on how twtech adds subnets to an AWS VPC.

Focus:

Concepts,
Design patterns,
CLI/Console/Infrastructure-as-Code methods,
Best practices.

Breakdown:

Core Concepts Recap,
Subnet Design Planning,
Methods to Add Subnets,
Route Table Considerations,
Security and Access Considerations,
Best Practices.

1. Core Concepts Recap

Concept	Description
VPC (Virtual Private Cloud)	A logically isolated section of AWS where you define IP ranges, subnets, routing, etc.
Subnet	A range of IP addresses in your VPC. Subnets are tied to a single Availability Zone (AZ).
Public Subnet	A subnet that routes traffic to an Internet Gateway (IGW).
Private Subnet	A subnet without a direct route to the Internet; outbound access is via NAT Gateway or Transit Gateway.
Subnet CIDR	Each subnet has its own CIDR block (subset of the VPC CIDR). For example: VPC = 10.0.0.0/16; Subnet = 10.0.1.0/24.

2. Subnet Design Planning

Before creating subnets, plan:

VPC CIDR range: e.g., 10.0.0.0/16
Number of AZs: Typically 2–3 for high availability.
Subnet segmentation:

Public subnets (for ALBs, bastion hosts)
Private subnets (for app servers)
Isolated subnets (for databases)

CIDR allocations:

10.0.1.0/24 → Public Subnet in AZ-A
10.0.2.0/24 → Public Subnet in AZ-B
10.0.3.0/24 → Private Subnet in AZ-A
10.0.4.0/24 → Private Subnet in AZ-B

3. Methods to Add Subnets

A. Using AWS Management Console

Go to VPC → Your VPCs → Select VPC → Subnets → Create subnet.
Choose:

VPC ID (e.g., vpc-123abc)
Subnet name (e.g., Public-Subnet-A)
Availability Zone (e.g., us-east-1a)
CIDR block (e.g., 10.0.1.0/24)

Repeat for other subnets.
(Optional) Edit Route Tables:

Public subnet route: 0.0.0.0/0 → igw-xxxx
Private subnet route: 0.0.0.0/0 → nat-xxxx (NAT Gateway)

B. Using AWS CLI to : Create subnet

# bash

aws ec2 create-subnet \

--vpc-id vpc-123abc \

--cidr-block 10.0.1.0/24 \

--availability-zone us-east-2a \

--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=twtechPublic-Subnet-A}]'

# Optional: Modify route table for public subnet

# bash

aws ec2 associate-route-table \

--subnet-id subnet-abc123 \

--route-table-id rtb-public

C. Using Infrastructure as Code (Terraform Example)

# hashicorp-configuration-languaga.hcl

resource "aws_subnet" "public_a" {

vpc_id = aws_vpc.main.id

cidr_block = "10.0.1.0/24"

availability_zone = "us-east-2a"

map_public_ip_on_launch = true

tags = {

Name = "twtechPublic-Subnet-A"

}

resource "aws_route_table_association" "public_a" {

subnet_id = aws_subnet.public_a.id

route_table_id = aws_route_table.public.id

}

D. Using CloudFormation (YAML)

# yaml

PublicSubnetA:

Type: AWS::EC2::Subnet

Properties:

VpcId: !Ref twtechVPC

CidrBlock: 10.0.1.0/24

AvailabilityZone: us-east-2a

MapPublicIpOnLaunch: true

Tags:

- Key: Name

Value: twtechPublic-Subnet-A

4. Route Table Considerations

Subnet Type	Default Route	Target
Public	0.0.0.0/0	Internet Gateway
Private	0.0.0.0/0	NAT Gateway
Isolated	None	—

5. Security and Access Considerations

Network ACLs (NACLs): Optional stateless layer; typically leave default unless advanced control needed.
Security Groups: Attach to EC2, ENIs, or ALBs for instance-level control.
Public vs Private IP assignment: Controlled by map_public_ip_on_launch.

6. Best Practices

✅   Always create subnets across multiple AZs for high availability (HA).
✅   Keep CIDR blocks non-overlapping.
✅   Tag subnets clearly (e.g., env, tier, az).
✅   Enable VPC Flow Logs for auditing.
✅   Avoid /32 or /30 subnets — AWS reserves 5 IPs per subnet.
✅   For large environments, use subnet tiers (public/app/db).
✅   Use NAT Gateways in each AZ for failover.