Describe public and private subnets

Summary

There are two (2) types of subnets: private and public. Both can have egress to the Internet, but only a public subnet can accept ingress from the Internet.

References

General Description

The help text for the oci network subnet create command says:

Creates a new subnet in the specified VCN. You can’t change the size of the subnet after creation, so it’s important to think about the size of subnets you need before creating them. For more information, see VCNs and Subnets. For information on the number of subnets you can have in a VCN, see Service Limits.

For the purposes of access control, you must provide the OCID of the compartment where you want the subnet to reside. Notice that the subnet doesn’t have to be in the same compartment as the VCN, route tables, or other Networking Service components. If you’re not sure which compartment to use, put the subnet in the same compartment as the VCN. For more information about compartments and access control, see Overview of the IAM Service. For information about OCIDs, see Resource Identifiers.

You may optionally associate a route table with the subnet. If you don’t, the subnet will use the VCN’s default route table. For more information about route tables, see Route Tables.

You may optionally associate a security list with the subnet. If you don’t, the subnet will use the VCN’s default security list. For more information about security lists, see Security Lists.

You may optionally associate a set of DHCP options with the subnet. If you don’t, the subnet will use the VCN’s default set. For more information about DHCP options, see DHCP Options.

You may optionally specify a display name for the subnet, otherwise a default is provided. It does not have to be unique, and you can change it. Avoid entering confidential information.

You can also add a DNS label for the subnet, which is required if you want the Internet and VCN Resolver to resolve hostnames for instances in the subnet. For more information, see DNS in Your Virtual Cloud Network.

General Considerations

The critical parameter is prohibit_public_ip_on_vnic. This parameter determines whether the subnet is public or private. Setting it to false makes the subnet public (instances in it may be assigned public IP addresses). Setting it to true makes the subnet private (no VNIC in it can have a public IP address).

Only one (1) CIDR block can be specified for a subnet.

Create Public Subnet

The Terraform code to create a public subnet can be expressed as:

resource "oci_core_subnet" "sandbox_public_subnet" {
  cidr_block                    = "10.0.1.0/24"
  compartment_id                = local.sandbox_comp_ocid
  vcn_id                        = oci_core_vcn.sandbox_vcn.id
  display_name                  = "public subnet-sandbox-vcn"
  dns_label                     = "public"
  prohibit_internet_ingress     = false
  prohibit_public_ip_on_vnic    = false
}

The equivalent OCI CLI code is:

oci network subnet create                                     \
  --cidr-block                  "10.0.1.0/24"                 \
  --compartment-id              ${sandbox_comp_ocid}          \
  --vcn-id                      ${sandbox_vcn_id}             \
  --display-name                "public subnet-sandbox-vcn"   \
  --dns-label                   "public"                      \
  --prohibit-internet-ingress   false                         \
  --prohibit-public-ip-on-vnic  false

Create Private Subnet

The Terraform code to create a private subnet can be expressed as:

resource "oci_core_subnet" "sandbox_private_subnet" {
  cidr_block                    = "10.0.2.0/24"
  compartment_id                = local.sandbox_comp_ocid
  vcn_id                        = oci_core_vcn.sandbox_vcn.id
  display_name                  = "private subnet-sandbox-vcn"
  dns_label                     = "private"
  prohibit_internet_ingress     = true
  prohibit_public_ip_on_vnic    = true
}

The equivalent OCI CLI code is:

oci network subnet create                                     \
  --cidr-block                  "10.0.2.0/24"                 \
  --compartment-id              ${sandbox_comp_ocid}          \
  --vcn-id                      ${sandbox_vcn_id}             \
  --display-name                "private subnet-sandbox-vcn"  \
  --dns-label                   "private"                     \
  --prohibit-internet-ingress   true                          \
  --prohibit-public-ip-on-vnic  true
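An added example (not part of the original page) that audits the subnets created in the two sections above: it reads the JSON that `oci network subnet list --output json` prints, classifies each subnet as public or private from prohibit-public-ip-on-vnic, and reports any subnet whose prohibit-internet-ingress value disagrees with the pairing used on this page. The sample JSON is constructed here and assumes the CLI's kebab-case field names; the OCIDs are placeholders.

```python
import json

# Constructed sample in the shape of `oci network subnet list --output json`.
# Field names follow the CLI's kebab-case convention; OCIDs are placeholders.
SAMPLE_SUBNET_LIST = json.dumps({"data": [
    {"display-name": "public subnet-sandbox-vcn", "cidr-block": "10.0.1.0/24",
     "dns-label": "public", "prohibit-public-ip-on-vnic": False,
     "prohibit-internet-ingress": False, "id": "ocid1.subnet.oc1..placeholder-public"},
    {"display-name": "private subnet-sandbox-vcn", "cidr-block": "10.0.2.0/24",
     "dns-label": "private", "prohibit-public-ip-on-vnic": True,
     "prohibit-internet-ingress": True, "id": "ocid1.subnet.oc1..placeholder-private"},
    # A subnet whose two flags disagree, to show what the audit reports.
    {"display-name": "mixed-flags-subnet", "cidr-block": "10.0.3.0/24",
     "dns-label": "mixed", "prohibit-public-ip-on-vnic": False,
     "prohibit-internet-ingress": True, "id": "ocid1.subnet.oc1..placeholder-mixed"},
]})


def classify_subnet(subnet):
    """Return ('public'|'private', findings) for one subnet record.

    The deciding flag is prohibit-public-ip-on-vnic, as described on this page.
    A finding is raised when prohibit-internet-ingress does not match it, since
    the examples above set both flags to the same value for each subnet type.
    """
    no_public_ips = bool(subnet["prohibit-public-ip-on-vnic"])
    kind = "private" if no_public_ips else "public"
    findings = []
    if bool(subnet.get("prohibit-internet-ingress")) != no_public_ips:
        findings.append(
            f"prohibit-internet-ingress={subnet.get('prohibit-internet-ingress')} "
            f"differs from prohibit-public-ip-on-vnic={no_public_ips}; review intent"
        )
    return kind, findings


def audit_subnets(cli_json):
    """Parse CLI JSON output; return {display-name: (kind, findings)}."""
    report = {}
    for subnet in json.loads(cli_json)["data"]:
        report[subnet["display-name"]] = classify_subnet(subnet)
    return report


if __name__ == "__main__":
    for name, (kind, findings) in audit_subnets(SAMPLE_SUBNET_LIST).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:28} {kind:8} {status}")
```

To run it against a real tenancy, replace SAMPLE_SUBNET_LIST with the output of `oci network subnet list --compartment-id <ocid> --vcn-id <ocid> --output json`.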