
Subnet

A subnet is a logical subdivision of an IP network within a cloud environment that partitions a larger network into smaller, manageable segments for grouping and isolating resources.

What is a Subnet in cloud hosting?

A subnet is a logical subdivision of an IP network within a cloud environment. It partitions a larger network into smaller, manageable segments where you can group and isolate resources based on function, security requirements, or access patterns. Each subnet operates within a defined IP address range and connects resources that need to communicate directly.

In cloud hosting, subnets control where instances launch, how they access the internet, and which resources can communicate with each other. Subnets exist inside a VPC (Virtual Private Cloud) and determine the routing and security boundaries for your cloud infrastructure.

Why Subnets Exist

Cloud networks need organization and isolation. Without subnets, all resources would exist in one flat network where every instance could reach every other instance. This creates security risks because compromised resources could access sensitive data. It also creates management problems because you cannot control traffic patterns or separate workloads by function.

Subnets solve this by dividing your network into controlled segments. You can place web servers in one subnet with internet access, databases in another subnet without internet access, and internal services in a third subnet. Each subnet gets different routing rules and security policies based on what resources inside it need to do.

What Do Subnets Actually Do?

  • Assigns a specific IP address range to a network segment so instances receive addresses from a predictable pool
  • Determines which route table controls traffic leaving the subnet and where that traffic can go
  • Defines whether instances can receive public IP addresses and communicate directly with the internet
  • Controls which availability zone contains the subnet's resources in regions with multiple zones
  • Enforces network boundaries so traffic between subnets must pass through routing rules and security controls
  • Isolates failures so problems in one subnet do not automatically affect resources in other subnets

When would I use a Subnet?

You use subnets whenever you deploy resources in a VPC. Every instance must launch into a specific subnet because the subnet determines the instance's IP address and network connectivity.

Common subnet strategies include creating public subnets for resources that need internet access like web servers and load balancers, private subnets for databases and application servers that should not be directly accessible from the internet, and management subnets for administrative tools and bastion hosts. Multi-tier applications typically use separate subnets for each tier so you can apply different security rules to web, application, and database layers.

Organizations with compliance requirements use subnets to isolate sensitive workloads from general-purpose infrastructure. Development teams use separate subnets for production and non-production environments within the same VPC.

When would I NOT use a Subnet?

You would not create separate subnets if all your resources have identical security requirements and routing needs. A simple application with one web server that does not handle sensitive data may only need one subnet. Overcomplicating the network with unnecessary subnets adds management overhead without security or operational benefits.

You would not use multiple subnets if you need instances to communicate with extremely low latency and cannot accept any routing delay. Resources in the same subnet communicate directly at Layer 2, while resources in different subnets must route through Layer 3, which adds microseconds of latency. For most applications this difference is irrelevant, but high-frequency trading systems or real-time data processing may keep related resources in the same subnet.

You would not create many tiny subnets with very small CIDR ranges because you may run out of IP addresses as your infrastructure grows. Each subnet reserves several IP addresses for network, broadcast, and cloud provider use, so many small subnets waste more addresses than fewer large subnets.

Real-world example

Company A runs an e-commerce platform in a VPC with a 10.0.0.0/16 address space. They create three subnets to separate their architecture by function and security needs.

The first subnet uses 10.0.1.0/24 as a public subnet for load balancers and web servers that serve customer traffic. This subnet's route table sends internet-bound traffic to an internet gateway so instances can receive requests from the public internet.

The second subnet uses 10.0.2.0/24 as a private subnet for application servers that process orders and manage inventory. This subnet's route table does not include the internet gateway, so instances cannot be reached directly from the internet. Application servers communicate with external APIs through a NAT gateway in the public subnet.

The third subnet uses 10.0.3.0/24 as an isolated subnet for the PostgreSQL database that stores customer and order data. This subnet has no route to the internet at all. Only application servers in the 10.0.2.0/24 subnet can connect to the database through security group rules.

When a customer places an order, the request hits a load balancer in the public subnet, routes to an application server in the private subnet, and the application server queries the database in the isolated subnet. Each subnet enforces its security boundaries through routing and security groups.
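The three-subnet layout above can be checked mechanically: each connection has to pass both the source subnet's route table and the destination's security group. The following Python model is an added example, not IMHCloud's code or any cloud provider's API; the three CIDRs follow the text, while the route targets ("local", "igw", "nat"), the security-group rules, the ports 443/8080/5432, and the outside addresses 203.0.113.10 and 198.51.100.7 are constructed assumptions. It generalizes the walk-through to any source/destination pair, so it also shows which paths the design rejects (web tier straight to the database, internet straight to the private or isolated subnets).

```python
"""Constructed model of the three-tier subnet layout: public, private and
isolated subnets in one VPC, each with its own route table, plus a security
group per tier. Not a provider API; rules and ports are assumptions."""
import ipaddress
from dataclasses import dataclass, field

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Subnet:
    name: str
    cidr: ipaddress.IPv4Network
    # Route table: destination prefix -> target. "local" is the VPC's implicit
    # router, "igw" an internet gateway, "nat" a NAT gateway in the public subnet.
    routes: dict


@dataclass
class SecurityGroup:
    name: str
    # Inbound rules as (source prefix, TCP port) pairs; everything else is denied.
    inbound: set = field(default_factory=set)


SUBNETS = {
    "public": Subnet("public", ipaddress.ip_network("10.0.1.0/24"),
                     {VPC_CIDR: "local", ANY: "igw"}),
    "private": Subnet("private", ipaddress.ip_network("10.0.2.0/24"),
                      {VPC_CIDR: "local", ANY: "nat"}),
    "isolated": Subnet("isolated", ipaddress.ip_network("10.0.3.0/24"),
                       {VPC_CIDR: "local"}),  # no internet route at all
}

# Assumed ports: HTTPS on the web tier, 8080 on the app tier, PostgreSQL on the DB.
WEB_SG = SecurityGroup("web", {(ANY, 443)})
APP_SG = SecurityGroup("app", {(SUBNETS["public"].cidr, 8080)})
DB_SG = SecurityGroup("db", {(SUBNETS["private"].cidr, 5432)})


def subnet_of(ip):
    """Return the subnet containing ip, or None for addresses outside the VPC."""
    ip = ipaddress.ip_address(ip)
    return next((s for s in SUBNETS.values() if ip in s.cidr), None)


def route_target(subnet, dst_ip):
    """Longest-prefix match over the subnet's route table; None means no route."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, target) for net, target in subnet.routes.items() if dst in net]
    return max(matches)[1] if matches else None


def routable(src_ip, dst_ip):
    """Can a packet from src_ip be delivered toward dst_ip by routing alone?"""
    src = subnet_of(src_ip)
    if src is None:
        # Inbound from the internet only lands in a subnet whose route table
        # includes an internet gateway; a NAT gateway does not accept inbound.
        dst = subnet_of(dst_ip)
        return dst is not None and "igw" in dst.routes.values()
    return route_target(src, dst_ip) is not None


def sg_permits(sg, src_ip, port):
    """Does the destination's security group admit this source and port?"""
    src = ipaddress.ip_address(src_ip)
    return any(src in net and port == p for net, p in sg.inbound)


def can_connect(src_ip, dst_ip, port, dst_sg):
    """Both layers must agree: a route must exist and the security group must allow it."""
    return routable(src_ip, dst_ip) and sg_permits(dst_sg, src_ip, port)


if __name__ == "__main__":
    customer, lb, app, db = "203.0.113.10", "10.0.1.50", "10.0.2.20", "10.0.3.30"
    print("customer -> load balancer :443", can_connect(customer, lb, 443, WEB_SG))
    print("load balancer -> app :8080  ", can_connect(lb, app, 8080, APP_SG))
    print("app -> database :5432       ", can_connect(app, db, 5432, DB_SG))
    print("web tier -> database :5432  ", can_connect(lb, db, 5432, DB_SG))
    print("customer -> database :5432  ", can_connect(customer, db, 5432, DB_SG))
    print("app -> external API         ", routable(app, "198.51.100.7"))
    print("database -> internet        ", routable(db, "198.51.100.7"))
```

The order flow (customer to load balancer, load balancer to application server, application server to database) passes at every hop, while a web-tier instance talking directly to the database is refused by the database security group even though the VPC's implicit router would deliver the packet. The isolated subnet's route table has no default route, so `routable` returns False for any outbound internet destination from the database.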

Frequently Asked Questions

Do I need more than one subnet?

You need multiple subnets if you have different security or routing requirements for different types of resources. Putting web servers and databases in separate subnets lets you apply different security rules and prevent public internet access to the database. If all your resources have identical networking needs, one subnet may be sufficient.

Does creating a subnet affect existing resources?

Creating a new subnet does not affect existing resources because each subnet is isolated. Instances continue running in their original subnets. You cannot move an existing instance to a new subnet. You must launch a new instance in the new subnet and migrate your application.

What happens if I delete a subnet?

You cannot delete a subnet that contains running instances or attached network interfaces. You must first terminate all instances and detach all interfaces in the subnet. Once the subnet is empty, deleting it releases its IP address range back to the VPC but does not affect resources in other subnets.

Can instances in different subnets communicate?

Instances in different subnets can communicate if routing rules and security groups allow it. By default, all subnets in the same VPC can route to each other through the VPC's implicit router. You must configure security groups on each instance to permit the specific protocols and ports needed for communication.

How do I choose the right CIDR range for a subnet?

Choose a CIDR range based on how many IP addresses you need now and in the future. A /24 subnet provides 251 usable IP addresses (256 minus 5 reserved by cloud providers). A /20 subnet provides 4091 usable addresses. Plan for growth and remember that changing a subnet's CIDR range later requires recreating the subnet and moving all resources to a new subnet.
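The sizing arithmetic in this answer, and the earlier warning that many tiny subnets waste addresses because each one pays the reservation again, can be worked through in code. The helpers below are an added example, not IMHCloud's code or a provider API; the five reserved addresses per subnet come from the text, while the /28 to /16 size limits and the sample host counts are constructed assumptions. Beyond the two figures quoted above, the block sizes a subnet for a given host count, measures the loss from splitting one /24 into /28s, and carves non-overlapping subnets out of a VPC range.

```python
"""Subnet sizing helpers. Constructed example following the glossary's rule of
thumb that a cloud provider reserves 5 addresses per subnet (network address,
broadcast address and three for provider use). The reserved count and the
/28../16 size limits are assumptions about the provider, not a real API."""
import ipaddress

RESERVED_PER_SUBNET = 5                   # assumption: kept back by the provider
SMALLEST_PREFIX, LARGEST_PREFIX = 28, 16  # assumption: allowed subnet sizes


def usable_addresses(cidr):
    """Addresses an instance can actually receive in the given subnet."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set in the prefix
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


def prefix_for_hosts(hosts_needed):
    """Longest prefix (smallest subnet) whose usable count still covers hosts_needed."""
    for prefixlen in range(SMALLEST_PREFIX, LARGEST_PREFIX - 1, -1):
        if 2 ** (32 - prefixlen) - RESERVED_PER_SUBNET >= hosts_needed:
            return prefixlen
    raise ValueError(f"{hosts_needed} hosts do not fit in a single /{LARGEST_PREFIX}")


def waste_of_splitting(cidr, new_prefix):
    """Usable addresses lost by carving cidr into equal /new_prefix subnets
    instead of keeping one subnet: every extra subnet pays the reservation again."""
    net = ipaddress.ip_network(cidr)
    pieces = net.subnets(new_prefix=new_prefix)
    return usable_addresses(cidr) - sum(usable_addresses(str(p)) for p in pieces)


def allocate(vpc_cidr, requests):
    """Carve non-overlapping subnets out of the VPC for (name, hosts_needed) pairs.
    Largest requests go first so smaller ones pack into the remaining gaps;
    returns {name: IPv4Network} and raises ValueError when the VPC is full."""
    free = [ipaddress.ip_network(vpc_cidr)]
    plan = {}
    for name, hosts in sorted(requests, key=lambda r: -r[1]):
        plen = prefix_for_hosts(hosts)
        for i, block in enumerate(free):
            if block.prefixlen <= plen:  # this free block is big enough
                chosen = block if block.prefixlen == plen else next(block.subnets(new_prefix=plen))
                plan[name] = chosen
                free.pop(i)
                free.extend(block.address_exclude(chosen))  # keep the remainder free
                free.sort()
                break
        else:
            raise ValueError(f"no room left in {vpc_cidr} for {name}")
    return plan


if __name__ == "__main__":
    print("/24 usable:", usable_addresses("10.0.1.0/24"))
    print("/20 usable:", usable_addresses("10.0.0.0/20"))
    print("prefix for 200 hosts: /%d" % prefix_for_hosts(200))
    print("usable addresses lost splitting a /24 into /28s:", waste_of_splitting("10.0.1.0/24", 28))
    for name, net in allocate("10.0.0.0/16", [("web", 200), ("app", 200), ("db", 50)]).items():
        print(f"{name:4} {net}  ({usable_addresses(str(net))} usable)")
```

Splitting one /24 into sixteen /28s drops the usable count from 251 to 176, which is the concrete cost behind the advice against many tiny subnets. Because `allocate` always takes the lowest free block that is large enough, later requests never overlap earlier ones, and growth is accommodated by asking for more hosts up front rather than by resizing a subnet after the fact.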

Summary

  • A subnet divides a VPC into smaller network segments with defined IP address ranges
  • Each subnet controls routing and determines whether instances can access the internet
  • Subnets isolate resources by function and security requirements so you can apply different rules to different workloads
  • Every instance must launch into a specific subnet which assigns its IP address and network connectivity
  • Common patterns include public subnets for internet-facing resources and private subnets for internal resources

Related terms

  • VPC (Virtual Private Cloud): An isolated network environment where you define IP ranges and create subnets, such as a VPC with a 10.0.0.0/16 address space containing multiple subnets.
  • Router: A networking device that forwards traffic between subnets and external networks, such as a router that connects your private subnet to the internet through a NAT gateway.
  • Security Group: A set of firewall rules that control traffic to instances within a subnet, such as allowing SSH access only from specific IP addresses.
  • CIDR (Classless Inter-Domain Routing): The notation that defines a subnet's IP address range, such as 10.0.1.0/24, which provides 256 IP addresses.
  • Instance: A virtual machine that launches into a specific subnet and receives an IP address from that subnet's range, such as a web server running at 10.0.1.50.