
Private Subnet

What it is: A subnet whose route table has no route to the Internet Gateway, so hosts in it cannot be reached directly from the internet.

What it’s for:

  • Host internal resources like databases, app servers, internal services.
  • Reduce attack surface.

Common pattern:

  • Private subnet route table may include `0.0.0.0/0 → NAT Gateway` for outbound internet (updates, package installs).
  • Inbound from internet is blocked (no IGW route).
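The route-table pattern above is easy to verify programmatically. The following is an added example (not part of this wiki page or any AWS tooling) that classifies subnets as public, private-with-NAT, or isolated from data in the shape returned by EC2 DescribeRouteTables; the route tables and IDs are constructed sample data, and the function names are the example's own.

```python
# Added example: classify subnets from route-table data in the shape of the
# EC2 DescribeRouteTables response. Sample data and IDs below are constructed.

ROUTE_TABLES = [
    {   # constructed: public subnet, default route to an Internet Gateway
        "RouteTableId": "rtb-public-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-web-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
        ],
    },
    {   # constructed: private subnet, outbound-only via a NAT Gateway
        "RouteTableId": "rtb-private-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-db-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
        ],
    },
]


def classify_route_table(rt):
    """Return 'public', 'private-nat' or 'isolated' from the IPv4 default route."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue  # only the default route decides internet reachability
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"       # direct IGW route: inbound from internet possible
        if "NatGatewayId" in route:
            return "private-nat"  # outbound only; no inbound path from internet
    return "isolated"             # no default route: no internet access either way


def classify_subnets(route_tables):
    """Map each explicitly associated subnet ID to its classification."""
    result = {}
    for rt in route_tables:
        kind = classify_route_table(rt)
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:  # skip the VPC main-table association
                result[assoc["SubnetId"]] = kind
    return result


def public_subnets(route_tables):
    """List subnets that an audit should flag if they are meant to be private."""
    return sorted(s for s, k in classify_subnets(route_tables).items() if k == "public")


if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES).items():
        print(f"{subnet}: {kind}")
```

A NAT Gateway route makes the subnet "private" in the exam sense: instances can reach the internet for updates, but nothing on the internet can initiate a connection to them.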

Exam cues:

  • “DB must not be publicly accessible” → private subnet.
  • “instances need outbound internet but not inbound” → NAT Gateway.

Hard words:

  • *attack surface* /əˈtæk ˈsɝːfɪs/: the set of points where a system can be attacked
  • *outbound* /ˈaʊtbaʊnd/: traffic going out
  • *inbound* /ˈɪnbaʊnd/: traffic coming in
Last modified by phong2018