OCI VCN Architecture for Beginners: Public and Private Subnets Explained

Mariusz Antonik    Networking    2 min read

Introduction

When you first set up a Virtual Cloud Network (VCN) in Oracle Cloud Infrastructure, understanding the difference between public and private subnets is critical. Get this wrong and you either expose resources that should be internal, or lock yourself out of systems you need to reach.

What is a VCN?

A VCN is your private, software-defined network inside an OCI region. Think of it as your own data centre network, with Oracle operating the physical layer. You choose the IP address space (one or more CIDR blocks), carve it into subnets, and control traffic with route tables plus security lists or network security groups (NSGs). Route tables decide where packets can go; security lists and NSGs decide which packets are allowed, and both are stateful by default, so an allowed inbound connection's replies are permitted automatically.

Public Subnet

A public subnet is one whose route table sends internet-bound traffic (0.0.0.0/0) to an Internet Gateway and that permits public IP addresses on its instances. Resources placed here, such as load balancers and bastion hosts, can receive inbound connections from the internet if they hold a public IP and the security list or NSG allows the traffic. The gateway alone exposes nothing; a public IP plus an ingress rule does. Be careful with the VCN's default security list: it ships with a rule allowing TCP 22 from 0.0.0.0/0, so attach your own security list with a source range you actually trust.

  • Has a route to an Internet Gateway
  • Resources can be assigned a public IP
  • Suitable for: load balancers, bastion hosts, web-facing APIs

Private Subnet

A private subnet has no route to an Internet Gateway and is created with public IP addresses prohibited, so nothing in it can be reached from the internet directly. Whether a subnet is public or private is fixed at creation time and cannot be changed afterwards, so decide before you build. Outbound traffic, for package updates and API calls, leaves through a NAT Gateway, which only lets connections be initiated from inside: replies come back, but nothing on the internet can open a connection to these hosts. If the instances only need Oracle services such as Object Storage, a Service Gateway reaches those without touching the public internet, and you can leave the NAT Gateway out entirely.

  • No Internet Gateway route
  • Uses NAT Gateway for outbound-only internet access
  • Suitable for: application servers, databases, internal services

Recommended Architecture for Small Teams

A simple, secure starting point for most small teams:

  • Public subnet: Load balancer only
  • Private subnet: Application servers + database tier
  • Bastion host in public subnet for SSH access to private resources, with its SSH ingress rule limited to your office or VPN range rather than 0.0.0.0/0; the managed OCI Bastion service is an alternative that avoids running a public-IP host at all
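The public subnet, private subnet and recommended layout described above, written out as Terraform for the OCI provider. This is an added example, not code from the original post; the variable names (var.compartment_ocid, var.admin_cidr), the 10.0.0.0/16 address plan and the application port 8080 are assumptions chosen for illustration.

```hcl
# Added example, not from the article: Terraform for the two-subnet layout above.
# Assumed, not from the page: var.compartment_ocid, var.admin_cidr (your office/VPN
# range, never 0.0.0.0/0), the 10.0.0.0/16 address plan and app port 8080.
variable "compartment_ocid" { type = string }
variable "admin_cidr" { type = string }
resource "oci_core_vcn" "main" {
  compartment_id = var.compartment_ocid
  cidr_blocks    = ["10.0.0.0/16"]
  display_name   = "main-vcn"
}
# An Internet Gateway passes traffic both ways; a NAT Gateway only lets hosts initiate outbound.
resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
}
resource "oci_core_nat_gateway" "nat" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
}
# The target of the 0.0.0.0/0 route is what makes a subnet public or private.
resource "oci_core_route_table" "public" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.igw.id
  }
}
resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_nat_gateway.nat.id
  }
}

# Security lists are stateful: an allowed ingress rule also permits the reply packets.
resource "oci_core_security_list" "public" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
  ingress_security_rules { # HTTPS from anywhere, terminated on the load balancer
    protocol = "6"
    source   = "0.0.0.0/0"
    tcp_options {
      min = 443
      max = 443
    }
  }
  ingress_security_rules { # SSH to the bastion, only from the admin range
    protocol = "6"
    source   = var.admin_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}
resource "oci_core_security_list" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
  ingress_security_rules { # SSH only from the public subnet, i.e. via the bastion
    protocol = "6"
    source   = "10.0.0.0/24"
    tcp_options {
      min = 22
      max = 22
    }
  }
  ingress_security_rules { # app port, reachable only from the load balancer's subnet
    protocol = "6"
    source   = "10.0.0.0/24"
    tcp_options {
      min = 8080
      max = 8080
    }
  }
  egress_security_rules { # updates and API calls leave through the NAT Gateway
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}

resource "oci_core_subnet" "public" {
  compartment_id    = var.compartment_ocid
  vcn_id            = oci_core_vcn.main.id
  cidr_block        = "10.0.0.0/24"
  route_table_id    = oci_core_route_table.public.id
  security_list_ids = [oci_core_security_list.public.id]
}
resource "oci_core_subnet" "private" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.main.id
  cidr_block                 = "10.0.1.0/24"
  route_table_id             = oci_core_route_table.private.id
  security_list_ids          = [oci_core_security_list.private.id]
  prohibit_public_ip_on_vnic = true # no VNIC in this subnet can ever get a public IP
}
```

Two details are deliberate. Neither subnet uses the VCN's default security list, so the default allow-SSH-from-anywhere rule never applies. The private subnet's ingress rules name the public subnet's CIDR as source, so the only paths into the application tier are through the load balancer and the bastion; change the app port to whatever your backends listen on.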

Summary

Keep your application logic and data in private subnets. Only expose what genuinely needs to be internet-facing, and even then restrict the ingress rules to the ports and source ranges that traffic actually needs. This single principle prevents the most common OCI security mistakes for small teams.