AWS VPC subnet route table best practices

Question

In AWS we have subnets tired like public and private subnets.

To simplify the question, I am only referring to the private subnet.

I know we can use single routing table for private subnets in all AZs, or we can use multiple routing table per private subnets in all AZs (One per AZ).

My question is, what is the best practice to design this? should I create different routing table for subnets in each AZs or should create single routing table for subnets in all AZs? what would be the recommended approach and what is advantage of the recommended approach?

Please note, the reason I'm asking this is, I have seen this both approaches being used in different environments and trying to understand what would be the good approach.

Answer 1

Ultimately it depends on your own requirements, however here are points to consider.

Public Subnets

Are any of your public subnets uniquely different? If they're all the same in a pattern many people follow (a public subnet per AZ) then you might find it simpler to have a single route table for your public subnets. As an internet gateway is highly available and a VPC can only have one attached it just adds to complexity to add a route table per subnet if they're all the same.

Private Subnets

The first factor to consider is, are all your private subnets meant to be able to reach the internet. If you have specific subnets which should and those which shouldn't you'll want to keep their routing separate. Bear in mind that internet will be required to interact with third party APIs or to patch the system.

For those private subnets that do require internet you will need to use a NAT device (either a NAT Gateway or NAT instance). Generally the best practice is to have each AZ (not subnet) have its own NAT device, this prevents devices in other AZs being unable to connect to the internet if the NATs AZ is facing issues.

In this case you would consider a route table per availability zone, then bind the subnets to the correct route table as appropriate.

VPC to Network Communication

The final thing to consider is your VPC speaking to external networks (be it in AWS, another cloud provider or even on-premise).

If you're connecting to an external source you need to understand whether that external source should be able to speak to every subnet (and vice-versa) or if there's just a specific range in which it should be able to communicate to).

If you want to have only specific subnets be able to speak to the external source then you should consider route tables for those subnets taking above sections into account to.

Summary

In summary there are a few factors that decide on the routing setup you create.

• Is the subnet public or private?
• Is there any unique routing requirements for specific subnets? (Such as no internet)
• For private subnets are you going to use best practice of a NAT per AZ?
• Is there routing between specific subnets and an external network required?

Take these all into account, above all security is generally the highest factor (don't allow communication that is not required) but also consider the management of these. If you have 100 subnets and 90 of them are private with the same routing, then create the minimum number of routes tables required. If requirements change you can change them when they are needed.