Public, elastic, and private IPs

When we use IPv4 networks and have created some resources in a VPC subnet, we will usually need to make some of them reachable from the internet. As we've already mentioned, we attach an IGW to the VPC and add a route to that IGW in the subnet's route table; that route is what makes the subnet public. Once we have spun up some instances in the subnet, we can give each of them either an auto-assigned public IP address or an Elastic IP address.

Public IPs are sourced from AWS-controlled public IPv4 address pools and are assigned to the instance from that pool at launch; you have no control over which address you get. The address is released when the instance is stopped or terminated, so an instance that fails and is recreated, or is shut down and restarted, will come back with a different public IP (a reboot, as opposed to a stop/start, keeps the address). Anything that hard-codes the old address, such as DNS records, allow-lists on a partner's firewall, or a peer's VPN configuration, breaks at that point.

This is probably the biggest advantage of Elastic IPs. An Elastic IP address is allocated to your account and stays yours until you explicitly release it. This means you can keep the same address across a stop and start of the instance, or disassociate the Elastic IP from a failed instance and associate it with its replacement. Note that an Elastic IP that is allocated but not associated with a running instance is billed, so release addresses you no longer need.

A public or Elastic IP attachment means that a 1:1 NAT mapping between the public or Elastic IP and the instance's private IP is established at the internet gateway; inbound traffic to the public address is translated to the private address, and outbound traffic from the private address is translated back. When the user inspects the IP address within the instance with operating system tools, they will only see the private IP, never the public or Elastic IP. However, we do have an option to see the public or Elastic IP address from the instance itself by looking at the instance metadata. The instance metadata service (IMDS) is available on the link-local address 169.254.169.254, which is reachable only from the instance itself. We can see the contents of the metadata by issuing an HTTP request to that address and retrieve information about our instance that is not visible to the operating system. For example, to find the public IP we request the following URL: http://169.254.169.254/latest/meta-data/public-ipv4. With IMDSv1 a plain GET to that URL is enough; with IMDSv2 the client must first obtain a session token with a PUT to http://169.254.169.254/latest/api/token and present it in the X-aws-ec2-metadata-token header. Because any process on the instance, including a web application tricked into making a request by a server-side request forgery, can reach this address, the metadata service is a common target, and requiring IMDSv2 on your instances is the recommended mitigation.
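The following is an added example (not code from the original page) of the IMDSv2 exchange described above: a PUT for a session token, then a GET for public-ipv4 with the token attached. The URL paths and header names are the real IMDS ones. Because 169.254.169.254 is only reachable from inside an instance, the block also contains a constructed MockIMDS server, bound to loopback, that behaves like an IMDSv2-only endpoint (it answers 401 to token-less GETs); the sample address 203.0.113.10 and the token string it returns are made up.

```python
"""Fetch the instance's public IPv4 address from the EC2 instance metadata
service (IMDS) using the IMDSv2 token handshake, with a constructed
loopback mock so the client can be exercised off-instance."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_HOST = "http://169.254.169.254"   # link-local; reachable only from the instance
TOKEN_PATH = "/latest/api/token"
PUBLIC_IPV4_PATH = "/latest/meta-data/public-ipv4"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def get_imds_token(base=IMDS_HOST, ttl=21600, timeout=2):
    """IMDSv2 step 1: PUT for a session token. Requiring a PUT (and a TTL
    header) is what blocks most SSRF and open-proxy attempts, which can
    usually only issue GETs."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TOKEN_TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def get_public_ipv4(base=IMDS_HOST, timeout=2):
    """IMDSv2 step 2: GET the metadata path, presenting the session token."""
    token = get_imds_token(base, timeout=timeout)
    req = urllib.request.Request(base + PUBLIC_IPV4_PATH,
                                 headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def unauthenticated_get_status(base):
    """What an IMDSv1-style GET (no token) gets from a v2-only endpoint."""
    try:
        with urllib.request.urlopen(base + PUBLIC_IPV4_PATH, timeout=2):
            return 200
    except urllib.error.HTTPError as e:
        return e.code


# ---- constructed stand-in for an IMDSv2-only metadata service ----------
class MockIMDS(BaseHTTPRequestHandler):
    TOKEN = "constructed-session-token"   # made up
    PUBLIC_IP = "203.0.113.10"            # made up, documentation range

    def do_PUT(self):
        if self.path == TOKEN_PATH and TOKEN_TTL_HEADER in self.headers:
            self._reply(200, self.TOKEN)
        else:
            self._reply(400, "")

    def do_GET(self):
        # IMDSv2-only instances reject requests without a valid token.
        if self.headers.get(TOKEN_HEADER) != self.TOKEN:
            self._reply(401, "")
        elif self.path == PUBLIC_IPV4_PATH:
            self._reply(200, self.PUBLIC_IP)
        else:
            self._reply(404, "")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_mock_imds():
    """Serve MockIMDS on an ephemeral loopback port; returns (server, base URL)."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, base = start_mock_imds()
    print("GET without token ->", unauthenticated_get_status(base))
    print("public-ipv4 ->", get_public_ipv4(base))
    server.shutdown()
```

On a real instance, call `get_public_ipv4()` with no arguments; the mock is only there so the handshake can be seen end to end. The 401 for the token-less GET is the behaviour you want to see after enforcing IMDSv2, and it is a quick way to confirm that an instance is no longer answering v1 requests.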

The following diagram represents a fully redundant VPC deployment with two private subnets and two public subnets. The following numbers correspond to the labels in the diagram:

  1. The VPC is deployed within an AWS region.
  2. The VPC network address range is designated as 10.0.0.0/20.
  3. Two public subnets are created with IP ranges 10.0.1.0/24 and 10.0.2.0/24.
  4. Two private subnets are created with IP ranges 10.0.3.0/24 and 10.0.4.0/24.
  5. Routing between any subnets in the VPC is allowed by default, as the local route in every route table points to the VPC address range of 10.0.0.0/20. Any additional subnets created in this network will also be routable from all other subnets. Note that this is routing only; security groups and network ACLs still decide whether a given packet is actually accepted.
  6. The public subnets have a route to the internet gateway.
  7. Any EC2 instances in the public subnets with public or Elastic IPs assigned are reachable from the internet.
  8. EC2 instances in the private subnets have a default route to the NAT gateway, so they can initiate connections to the internet, but nothing on the internet can initiate a connection to them.
  9. The NAT gateway needs to be deployed in a public subnet and will NAT all outbound traffic from the EC2 instances in the private subnets to the internet.
  10. The NAT gateway has an Elastic IP assigned, and any traffic sent to the internet through the NAT gateway will always be seen as originating from this EIP.
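The following is an added example (not code from the original page) that audits the layout just described from route-table data: it classifies each subnet as public, private or isolated by the target of its 0.0.0.0/0 route, checks that the NAT gateway sits in a public subnet, and verifies that the subnet CIDRs fit inside the VPC CIDR without overlapping. The dictionaries mirror the field names of `aws ec2 describe-route-tables` and `describe-nat-gateways` output but are constructed from the diagram's addresses; the subnet, route-table, IGW and NAT gateway IDs are made up.

```python
"""Classify subnets and sanity-check the CIDR plan of the diagram's VPC."""
import ipaddress

VPC_CIDR = "10.0.0.0/20"

# Constructed: the four subnets from the diagram.
SUBNETS = {
    "subnet-public-a": "10.0.1.0/24",
    "subnet-public-b": "10.0.2.0/24",
    "subnet-private-a": "10.0.3.0/24",
    "subnet-private-b": "10.0.4.0/24",
}

# Constructed route tables in the describe-route-tables shape (IDs made up).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-private-a"}, {"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"}]},
]

# Constructed: the NAT gateway lives in one of the public subnets.
NAT_GATEWAYS = [{"NatGatewayId": "nat-0123456789abcdef0", "SubnetId": "subnet-public-a"}]


def classify_subnets(route_tables):
    """Return {subnet_id: 'public' | 'private' | 'isolated'}.
    A 0.0.0.0/0 route to an igw- makes the subnet public, to a nat- private;
    no usable default route means the subnet has no internet path."""
    result = {}
    for rt in route_tables:
        default = next((r for r in rt["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            kind = "isolated"
        elif default.get("GatewayId", "").startswith("igw-"):
            kind = "public"
        elif "NatGatewayId" in default:
            kind = "private"
        else:
            kind = "isolated"   # blackhole or some other target
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = kind
    return result


def misplaced_nat_gateways(route_tables, nat_gateways):
    """NAT gateways whose subnet is not public cannot reach the IGW; list them."""
    kinds = classify_subnets(route_tables)
    return [n["NatGatewayId"] for n in nat_gateways
            if kinds.get(n["SubnetId"]) != "public"]


def check_cidr_plan(vpc_cidr, subnets):
    """Return problems: subnets outside the VPC range or overlapping each other.
    An empty list means the plan is consistent with the local route."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {sid: ipaddress.ip_network(c) for sid, c in subnets.items()}
    problems = [f"{sid} {net} is outside {vpc}"
                for sid, net in nets.items() if not net.subnet_of(vpc)]
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def free_blocks(vpc_cidr, subnets, prefix=24):
    """The /prefix blocks of the VPC not yet used by any subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(c) for c in subnets.values()]
    return [str(b) for b in vpc.subnets(new_prefix=prefix)
            if not any(b.overlaps(u) for u in used)]


if __name__ == "__main__":
    print(classify_subnets(ROUTE_TABLES))
    print("misplaced NAT gateways:", misplaced_nat_gateways(ROUTE_TABLES, NAT_GATEWAYS))
    print("CIDR problems:", check_cidr_plan(VPC_CIDR, SUBNETS))
    print("free /24s:", free_blocks(VPC_CIDR, SUBNETS))
```

Feeding this the real JSON from `describe-route-tables` is the quickest way to answer "which of my subnets are actually public?", which is the question that matters when an instance with a public IP turns up where only private ones were expected. The `isolated` outcome is deliberate: a subnet whose default route was deleted or points at a blackhole has no internet path at all, which is different from being private behind NAT.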