====== Private Subnet ======

**What it is:** A subnet that does not have a direct route to the Internet Gateway.

**What it’s for:**
  * Host internal resources like databases, app servers, internal services.
  * Reduce attack surface.

**Common pattern:**
  * Private subnet route table may include `0.0.0.0/0 → NAT Gateway` for outbound internet (updates, package installs).
  * Inbound from the internet is blocked (no IGW route).

**Exam cues:**
  * “DB must not be publicly accessible” → private subnet.
  * “instances need outbound internet but not inbound” → NAT Gateway.

**Hard words:**
  * *attack surface* /əˈtæk ˈsɝːfɪs/: attack surface (the points that can be attacked)
  * *outbound* /ˈaʊtbaʊnd/: traffic going out
  * *inbound* /ˈɪnbaʊnd/: traffic coming in
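The "no IGW route, optional NAT route" pattern above is exactly what an audit script checks when verifying that a subnet labelled private really is. The following is an added example, not part of the original notes: it classifies subnets from route-table data shaped like the AWS `describe-route-tables` output, using constructed sample data and placeholder resource ids.

```python
# Added example: classify VPC subnets as public / private / isolated from
# their route tables. Input mirrors the shape of AWS describe-route-tables
# output; the sample data below is constructed, not from a real account.

def classify_route_table(route_table):
    """Return 'public', 'private' or 'isolated' for one route table.

    public   : a default route (0.0.0.0/0 or ::/0) points at an igw-*
    private  : default route points at a NAT gateway (nat-*), outbound only
    isolated : no default route at all, no internet in either direction
    """
    verdict = "isolated"
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in ("0.0.0.0/0", "::/0"):
            continue                      # only default routes matter here
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith("igw-"):
            return "public"               # any IGW default route makes it public
        if target.startswith("nat-"):
            verdict = "private"
    return verdict


def audit_subnets(route_tables):
    """Map each explicitly associated subnet id to its classification.

    Caveat: subnets with no explicit association fall back to the VPC's main
    route table, which this example does not model.
    """
    result = {}
    for rt in route_tables:
        verdict = classify_route_table(rt)
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = verdict
    return result


# Constructed sample: one public, one private (NAT), one isolated (DB) subnet.
SAMPLE_ROUTE_TABLES = [
    {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}],
     "Associations": [{"SubnetId": "subnet-web-a"}]},
    {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}],
     "Associations": [{"SubnetId": "subnet-app-a"}]},
    {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"SubnetId": "subnet-db-a"}]},
]

if __name__ == "__main__":
    for subnet, kind in audit_subnets(SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet}: {kind}")
```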