Bastion hosts are used to gain access to your instances that reside within your private subnets from the internet and the bastion itself resides within the public subnet. The difference between a public subnet and a private subnet is this: subnets only become classed as public when an IGW is attached to a VPC and a route exists within the route table associated with the subnet with a Destination value of 0.0.0.0/0 via the target of an IGW, for example:
Any subnet associated with a route table pointing to an IGW with a destination address of 0.0.0.0/0 is considered a public subnet as it has direct access to the internet. Any subnet without this route is considered private, as there is no route to get out to the internet or vice versa.
So, to clarify, for a subnet to be public, the following must be the case:
- The VPC must have an IGW attached.
- The subnet must have a route pointing to the internet (0.0.0.0/0) with a target of the IGW.
When a subnet is public...