The Not So Private Subnet

The subnet is named private. The route table says otherwise. Find it, fix it, and build it right.

Difficulty: medium

Estimated time: 45 min


A team deploys a new backend server. They place it in a subnet named backend-private and assume it is isolated from the internet. Months later, a security scan reveals the instance has a public IP and a direct route to the Internet Gateway. The name on the subnet said "private." The route table said otherwise.

A subnet is not private because of its name or tag. It is private because its route table has no route to an Internet Gateway. This is one of the most commonly misunderstood networking concepts, and it has played a role in multiple real-world breaches.

In this room, you will investigate an internal server running in a subnet that was intended to be private but is actually publicly routable. You will identify the misconfiguration, fix it, and build a properly segmented network from scratch.

Learning Objectives

  • Understand how route tables determine whether a subnet is public or private
  • Identify unintended internet routes on subnets
  • Explain why naming and security groups alone are an insufficient defense in depth
  • Remediate a publicly routable private subnet by replacing its route table and disabling public IP auto-assignment
  • Design a properly segmented network with distinct public and private tiers from scratch
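As an added illustration of the route-table rule described above (example code, not part of the room's material): the check below classifies each subnet by the route table it actually uses, including the easily overlooked fallback to the main route table, and flags subnets whose Name tag says "private" while their effective route table reaches an Internet Gateway or while they auto-assign public IPs. The dict shapes follow the EC2 DescribeRouteTables and DescribeSubnets responses; the sample route tables, subnet IDs and gateway ID are constructed.

```python
# Classify subnets as public or private from the route table they actually use.
# Dict shapes mirror EC2 DescribeRouteTables/DescribeSubnets; sample data is constructed.
def effective_route_table(subnet_id, route_tables):
    """A subnet with no explicit association falls back to the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_igw_route(route_table):
    # Any active route whose target is an Internet Gateway makes the subnet public.
    return any(r.get("GatewayId", "").startswith("igw-")
               and r.get("State", "active") == "active"
               for r in route_table.get("Routes", []))

def audit_subnets(subnets, route_tables):
    """Return (subnet_id, name, route_table_id, reasons) for misleadingly 'private' subnets."""
    findings = []
    for sn in subnets:
        name = next((t["Value"] for t in sn.get("Tags", []) if t["Key"] == "Name"), "")
        rt = effective_route_table(sn["SubnetId"], route_tables)
        if rt is None or not has_igw_route(rt):
            continue  # no route to an IGW: genuinely private, whatever the name says
        reasons = []
        if "private" in name.lower():
            reasons.append("Name says private but effective route table reaches an IGW")
        if sn.get("MapPublicIpOnLaunch"):
            reasons.append("auto-assigns public IPs on launch")
        if reasons:
            findings.append((sn["SubnetId"], name, rt["RouteTableId"], reasons))
    return findings

# Constructed sample: backend-private has no explicit association, so it silently
# inherits the main route table and its 0.0.0.0/0 -> igw default route.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-backend", "MapPublicIpOnLaunch": True, "Tags": [{"Key": "Name", "Value": "backend-private"}]},
    {"SubnetId": "subnet-db", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "Name", "Value": "db-private"}]},
]

if __name__ == "__main__":
    for subnet_id, name, rt_id, reasons in audit_subnets(SUBNETS, ROUTE_TABLES):
        print(f"{subnet_id} ({name}) via {rt_id}: {'; '.join(reasons)}")
```

Against the constructed data this reports only subnet-backend: its route table is the main one, and both the misleading name and public IP auto-assignment are flagged, while db-private is left alone because its own route table has no IGW route.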

Prerequisites

Answer the questions below

Rise and shine. Your subnet has been... waiting.