AWS Public IP vs. Private IP Addresses (IPv4) - Overview.
Scope:
- Intro,
- Comparison Table (Public IP vs. Private IP addresses)
- Key Concepts,
- IPv4 Addressing Fundamentals,
- Private vs. Public IPv4 (Core Difference),
- RFC 1918 – Private IP Ranges,
- Sample Public IPs,
- Public IPs – Internet Routable Space,
- NAT (Network Address Translation),
- Types of NAT (Network Address Translation),
- Cloud Sample of NAT (Network Address Translation),
- Cloud Networking Sample in AWS (VPC Sample),
- Advanced Topics,
- Visual Architecture Summary,
- Key Takeaways.
Intro:
- In AWS, the primary difference between Public IP and Private IP addresses is their scope of accessibility and behavior during resource lifecycles.
| Feature | Private IP | Public IP |
|---|---|---|
| Reachability | Only within the VPC or internal network. | Accessible from the public internet. |
| Persistence | Permanent for the lifetime of the instance. | Dynamic; changes when an instance is stopped and restarted. |
| Visibility | Hidden from the outside world; more secure. | Unique and visible globally to everyone. |
| Cost | Generally no additional cost. | AWS charges for all public IPv4 addresses as of February 2024. |
| Primary Use Case | Internal communication (e.g., app servers to databases). | External access (e.g., hosting a web server or SSH access). |
- Subnet Types: A subnet is considered "public" if its route table includes a path to an Internet Gateway (IGW).
- A "private" subnet has no direct route to the internet.
- A "private" subnet uses a NAT Gateway for outbound-only traffic.
- Elastic IP (EIP): If twtech require a public IP that does not change when an instance is stopped and started, it must allocate an Elastic IP from its AWS account.
- Security Best Practice: twtech Keeps sensitive resources (like databases) in private subnets with only private IPs.
- Keeps sensitive resources (like databases) in private subnets minimizes the attack surface.
- twtech recommends AWS Site-to-Site VPN or Direct Connect (DX) for secure, private access from any on-premises network.
1. IPv4 Addressing
Fundamentals
- IPv4 addresses are 32-bit numbers, written as four octets (e.g., 192.168.1.10), each ranging from 0–255.
- IPv4 addresses identify devices on a network and allow them to communicate.
Each address has:
- A network portion (identifies subnet)
- A host portion (identifies device within that subnet)
Sample IPv4 addresses:
192.168.1.10/24 → Network: 192.168.1.0,
Host Range: 192.168.1.1 – 192.168.1.254.
2. Private vs. Public IPv4 (Core Difference)
|
Aspect |
Private IP |
Public IP |
|
Definition |
Used inside private networks
(LANs, VPCs, on-premises). Not
routable over the internet. |
Used to communicate over the
internet. Routable globally. |
|
Visibility |
Only visible within the internal
network. |
Visible across the global
internet. |
|
Sample Range (RFC
1918) |
-
10.0.0.0
– 10.255.255.255 (10/8) |
Any IPv4 address not in the
private/reserved ranges (e.g., 8.8.8.8, 52.95.245.0). |
|
Routability |
Not routable on the public
internet. Must go through NAT to reach outside. |
Routable directly on the internet. |
|
Typical Usage |
Internal systems, backend servers,
databases, private subnets, on-prem resources. |
Web servers, public APIs, load
balancers, internet gateways. |
|
Security |
Provides isolation by design. |
Requires proper firewalling and
security controls (e.g., Security
Groups, NACLs). |
3. RFC 1918 – Private IP
Ranges
|
Network |
CIDR |
Total Addresses |
Common Usage |
|
10.0.0.0 – 10.255.255.255 |
/8 |
~16.7 million |
Large enterprise or VPC-level
addressing |
|
172.16.0.0 – 172.31.255.255 |
/12 |
~1 million |
Medium-sized networks |
|
192.168.0.0 – 192.168.255.255 |
/16 |
~65,536 |
Home and small office networks |
4. Public IPs – Internet
Routable Space
- Public IP addresses are assigned by Internet Assigned Number Authority (IANA) and distributed by Regional Internet Registries (RIRs) like:
- American Registry for Internet Numbers (ARIN),
- Réseaux IP Européens (RIPE),
- Asia-Pacific Network Information Centre (APNIC).
- Public
IP addresses are globally
unique and are managed
carefully to avoid conflicts.
Sample Public IPs:
- Google DNS → 8.8.8.8
- AWS EC2 Instance (Elastic IP) → 54.213.12.34
- CloudFront Edge → 13.224.0.0/15
5. NAT (Network Address Translation)
- Since IPv4 address space is limited (~4.3 billion total addresses), NAT allows multiple private IPs to share a single public IP.
Types of NAT (Network Address Translation):
- SNAT (Source NAT) → private → public (outbound)
- DNAT (Destination NAT) → public → private (inbound)
- PAT (Port Address Translation) → many private IPs use one public IP via unique ports
Cloud Sample of NAT (Network Address Translation):
- AWS NAT Gateway enables private subnet instances to reach the internet without exposing themselves.
6. Cloud Networking Sample in AWS (VPC Sample):
|
Subnet Type |
CIDR |
Example IP |
Internet Access |
Notes |
|
Public Subnet |
10.0.1.0/24. |
EC2 = 10.0.1.10 (private) + 3.85.120.42 (public EIP) |
Yes, via IGW |
Used
for web servers |
|
Private Subnet |
10.0.2.0/24. |
EC2 = 10.0.2.5 |
Outbound via NAT Gateway only |
Used
for databases, backend apps |
Flow Sample:
- Private instance (10.0.2.5) → NAT Gateway → Internet (via
54.x.x.x).
- Public instance (10.0.1.10 + EIP 3.x.x.x) ↔ Direct internet access.
7. Advanced Topics
- Elastic IPs
- Static public IPs in AWS assigned to EC2, Load Balancers, or NAT Gateways.
- PrivateLink / VPC Peering
- Enables private connectivity between VPCs or services without using public IPs.
- Hybrid Cloud
- Private IPs used in VPN or Direct Connect linking on-prem networks to cloud VPCs.
- IPv4 Exhaustion
- IPv4 addresses are scarce → IPv6 adoption (128-bit addresses) provides a nearly unlimited pool.
8. Visual Architecture Summary
Key Takeaways
- Public IPs = Internet-facing, globally unique.
- Private IPs = Internal, non-routable outside the network.
- NAT bridges the gap between private and public addressing.
- VPC design uses a mix of both for security and functionality.
- IPv6 will eventually reduce dependence on NAT and IPv4 scarcity.
No comments:
Post a Comment