- AWS Networking Cookbook
- Satyajit Das, Jhalak Modi
- 182 words
- 2021-07-02 19:41:38
How it works...
Resources inside a subnet only know the private (internal) IP address assigned to them from that subnet's CIDR range. The default VPC has an Internet Gateway (IG) attached to it, and the route table of each default subnet carries a route that targets the IG. The IG performs Network Address Translation (NAT) for instances that have a public IP or Elastic IP attached to them: when a host outside AWS sends a request to the resource's public IP/Elastic IP, the IG translates the destination address and forwards the request to the resource's internal IP. Similarly, when a resource inside the subnet sends a request to a service outside the VPC, the IG rewrites the source address to that resource's public/Elastic IP so that replies can be routed back.

Thus, if a subnet's route table has a route to an IG, the resources hosted inside it are reachable from the internet. This type of subnet is called a public subnet, and all default subnets are public subnets. If the subnet's route table has no route to an IG, the resources hosted inside it cannot be reached from the internet, and the subnet is hence called a private subnet.
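The public/private distinction above can be checked mechanically from route-table data. The following is an added example, not code from the book: it classifies subnets by looking for a route that targets an internet gateway (`igw-...`) in the route table each subnet uses, falling back to the VPC's main route table for subnets with no explicit association. The input dictionaries mimic the shape of `aws ec2 describe-route-tables` output; all IDs and routes are constructed.

```python
"""Classify VPC subnets as public or private from route-table data.

Added example (not from the book). A subnet is "public" when the route
table it uses has a route whose target is an internet gateway (igw-...).
Subnets with no explicit association use the VPC's main route table, as
in EC2. The data below is constructed and mimics describe-route-tables.
"""

# Constructed sample: main table (local route only) plus one custom table
# that adds a default route through an internet gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]
SUBNETS = ["subnet-a", "subnet-b"]  # subnet-b has no explicit association


def route_table_for(subnet_id, route_tables):
    """Return the route table a subnet uses: explicit association, else main."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_route(route_table):
    """True if any route in the table targets an internet gateway."""
    return any(route.get("GatewayId", "").startswith("igw-")
               for route in route_table.get("Routes", []))


def classify_subnets(subnet_ids, route_tables):
    """Map each subnet id to 'public' or 'private' per its route table."""
    result = {}
    for sid in subnet_ids:
        rt = route_table_for(sid, route_tables)
        result[sid] = "public" if rt and has_igw_route(rt) else "private"
    return result


if __name__ == "__main__":
    print(classify_subnets(SUBNETS, ROUTE_TABLES))
```

A resource in a public subnet is still only reachable if it also has a public or Elastic IP for the IG to translate; this check covers the route, not the address.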