Private IP
A Private IP is an internal network address assigned to a resource within a Virtual Private Cloud (VPC) or local network. It is not routable on the public internet, so the resource cannot be reached directly from outside the network.
What is Private IP?
A Private IP is an internal network address assigned to a cloud resource (such as an instance or database) within a Virtual Private Cloud (VPC) or subnet. The address is drawn from the ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which internet routers do not forward, so a private IP is reachable from inside the VPC, and from networks joined to it by peering or VPN, but not directly from the public internet. The address itself performs no filtering: which resources inside the VPC may actually talk to each other is decided by security groups and network ACLs.
Private IPs are assigned automatically from the subnet's CIDR block when you launch an instance in a VPC. Unlike an auto-assigned public IP, which changes when you stop and start an instance, the primary private IP stays bound to the network interface for as long as that interface exists.
Why Private IP Exists
Cloud networks needed a way for resources to communicate without being exposed to the entire internet. Private IPs solve this by creating an isolated address space in which instances, databases, and containers exchange traffic at low latency. This addresses two problems: it reduces the attack surface by limiting what is reachable from the internet, and it conserves the limited pool of public IPv4 addresses by reserving them for resources that need direct internet access.
What Does Private IP Actually Do?
- Enables communication between instances, databases, and services within the same VPC at low latency
- Prevents direct inbound connections from the public internet to the resource
- Persists across instance stop/start (unlike an auto-assigned public IP, which is released when the instance stops)
- Allows outbound internet access when paired with a NAT gateway or NAT instance
- Is reachable over VPC peering and VPN connections, so resources can communicate with other VPCs and with on-premises networks
- Reduces the number of public IPs needed by limiting them to edge resources like load balancers
When Would I Use Private IP?
You use private IPs for any resource that should not accept direct connections from the internet. Databases should only ever have private IPs: this keeps them out of internet-wide port scans, although the database's security group must still restrict which sources inside the VPC may connect, because an attacker who compromises one application server is already inside the private address space. Backend application servers typically use private IPs and accept traffic only from a load balancer or API gateway that holds the public IP. Internal caching layers (Redis, Memcached), message queues, and internal APIs all use private IPs. Even resources that need outbound internet access (such as application servers fetching updates) should keep only a private IP and reach the internet through a NAT gateway, with a load balancer handling inbound public traffic.
When Would I NOT Use Private IP?
You should not rely on a private IP alone for resources that need direct public access. If you are building a website or API, the edge resource facing users (load balancer, CDN, or API gateway) needs a public IP. Similarly, if you need to SSH into an instance from outside your VPC, you need either a public IP on that instance or a bastion host or VPN that gives you a path into the private address space. Private IPs also do not help if you need to communicate with an on-premises network that is not connected via VPN or a dedicated private link; in that case traffic has to go over public IPs and internet routing, and should be encrypted end to end.
Real-World Example
Company A runs an e-commerce platform on a three-tier architecture. Their load balancer has a public IP (203.0.113.25) that users connect to. Behind it, five application servers have private IPs (10.0.1.10 through 10.0.1.14) and their security group accepts traffic only from the load balancer. Their PostgreSQL database has a private IP (10.0.2.5) that only the application servers' security group may reach. An attacker scanning the internet discovers the load balancer's public IP but cannot directly attack the application servers or database: those addresses are not routable from the internet, and the security groups only admit specific sources within the VPC. The private addressing narrows the externally reachable surface to the load balancer; it does not by itself protect the database from an attacker who has already compromised an application server, which is why the database security group admits only the application tier. The company later opens a branch office and connects it via VPN. The branch office can now reach the database at its private IP through the VPN tunnel without the database being exposed to the public internet.
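The following is an added example (not code from the original page) that checks an address plan like Company A's for the properties this page relies on: every private IP falls in an RFC 1918 range, sits inside its subnet's CIDR, is unique within the VPC, and only edge roles carry a public address. The subnet CIDRs, resource names and role labels are assumptions made for the example; the addresses are the ones from the scenario above.

```python
"""Audit a VPC address plan for the properties described above.

Added example, not code from the original page. The inventory is built
from the article's Company A scenario; the resource names, role labels
and subnet CIDRs are assumptions made for this example.
"""
import ipaddress
from typing import Dict, List

# The three RFC 1918 ranges named in the article.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Roles that legitimately carry a public address (edge resources).
EDGE_ROLES = {"load_balancer", "bastion", "nat_gateway"}

# Constructed subnet layout (assumed) and inventory (addresses from the article).
SUBNETS = {"public": "10.0.0.0/24", "app": "10.0.1.0/24", "db": "10.0.2.0/24"}
INVENTORY = [
    {"name": "lb", "role": "load_balancer", "subnet": "public",
     "private_ip": "10.0.0.5", "public_ip": "203.0.113.25"},
    *[{"name": f"app-{i}", "role": "app", "subnet": "app",
       "private_ip": f"10.0.1.{9 + i}", "public_ip": None} for i in range(1, 6)],
    {"name": "pg", "role": "database", "subnet": "db",
     "private_ip": "10.0.2.5", "public_ip": None},
]


def is_rfc1918(ip: str) -> bool:
    """True only for addresses inside the three RFC 1918 blocks.

    ipaddress.ip_address(ip).is_private is deliberately not used: it also
    returns True for loopback, link-local and documentation ranges, so it
    does not answer "is this a usable VPC address".
    """
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def audit(inventory: List[Dict], subnets: Dict[str, str]) -> List[str]:
    """Return one finding per violation; an empty list means the plan is clean."""
    findings: List[str] = []
    seen: Dict[str, str] = {}  # private IP -> first resource that uses it
    for r in inventory:
        name, ip = r["name"], r["private_ip"]
        if not is_rfc1918(ip):
            findings.append(f"{name}: private IP {ip} is not in an RFC 1918 range")
        subnet = ipaddress.ip_network(subnets[r["subnet"]])
        if ipaddress.ip_address(ip) not in subnet:
            findings.append(f"{name}: {ip} is outside subnet {r['subnet']} ({subnet})")
        if ip in seen:
            findings.append(f"{name}: private IP {ip} duplicates {seen[ip]}")
        seen.setdefault(ip, name)
        public = r.get("public_ip")
        if public and r["role"] not in EDGE_ROLES:
            findings.append(f"{name}: role {r['role']} must not carry public IP {public}")
        if public and is_rfc1918(public):
            findings.append(f"{name}: public IP {public} is actually a private address")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY, SUBNETS) or ["no findings"]:
        print(line)
```

Run against the Company A inventory the audit returns no findings; give the database a public address, reuse 10.0.2.5 on a replica, or place a cache at an address outside its subnet and each mistake shows up as its own line.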
FAQ
Q: Can I change a private IP after launching an instance? A: Not the primary one. The primary private IP is fixed for the lifetime of the network interface; to give an instance a different address you attach a new network interface, or launch a replacement instance, at the address you want. Secondary private IPs can be assigned and unassigned while the instance runs. Either way, anything that references the old address (application configuration, DNS records, security group rules written against specific IPs) must be updated, which is why it is better to reference resources by DNS name or by security group rather than by hard-coded private IP.
Q: Will my instance still have a private IP if I remove its public IP? A: Yes. Private IPs and public IPs are separate assignments. Removing a public IP leaves the private IP intact, so the instance can still communicate with other resources in the VPC. If the instance still needs outbound internet access, its subnet's route table needs a default route to a NAT gateway (which itself lives in a public subnet).
Q: How do private IPs work with security groups? A: Security groups control inbound and outbound traffic based on IP ranges or on other security groups. A database security group can allow port 5432 only from the application servers' private IPs, or, better, only from the application servers' security group ID, so the rule keeps working when instances are replaced and receive new private addresses.
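An added example (not from the original page) that applies the two previous answers: it audits a database security group's inbound rules so that nothing outside RFC 1918 space or outside the expected application-tier group is admitted, and checks that a private subnet's default route goes to a NAT gateway rather than an internet gateway. The dictionaries follow the field names of the AWS EC2 API but are constructed by hand; the group IDs, gateway IDs and branch-office range are assumptions.

```python
"""Check security-group rules and a subnet's default route.

Added example, not code from the original page. The rule and route
dictionaries mimic the field names of the AWS EC2 API but are constructed
by hand; the group IDs, gateway IDs and the branch-office range are
assumptions made for this example.
"""
import ipaddress
from typing import Dict, List, Set

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inbound rules on the database security group.
DB_GROUP_RULES = [
    # Application tier, referenced by security-group ID rather than by address.
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    # Branch office reached over the VPN tunnel (range assumed).
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "192.168.10.0/24"}], "UserIdGroupPairs": []},
]

# The mistake the audit is meant to catch: PostgreSQL open to the internet.
OPEN_RULE = {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}

# Constructed route tables. A private subnet sends 0.0.0.0/0 to a NAT gateway;
# sending it to an internet gateway makes the subnet public.
ROUTES = {
    "private": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
    "leaky":   [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
}


def cidr_is_rfc1918(cidr: str) -> bool:
    """True if the whole CIDR block lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Version check first: subnet_of() raises TypeError across IP versions.
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def audit_ingress(rules: List[Dict], allowed_groups: Set[str]) -> List[str]:
    """Flag inbound rules that admit non-private ranges or unexpected groups."""
    findings: List[str] = []
    for rule in rules:
        span = f"{rule['IpProtocol']} {rule.get('FromPort')}-{rule.get('ToPort')}"
        for rng in rule.get("IpRanges", []):
            if not cidr_is_rfc1918(rng["CidrIp"]):
                findings.append(f"{span} open to non-private range {rng['CidrIp']}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_groups:
                findings.append(f"{span} admits unexpected group {pair['GroupId']}")
    return findings


def default_route_target(routes: List[Dict]) -> str:
    """Report what carries 0.0.0.0/0: 'nat' (private subnet), 'igw' (public) or 'none'."""
    for route in routes:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if "NatGatewayId" in route:
            return "nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
    return "none"


if __name__ == "__main__":
    print(audit_ingress(DB_GROUP_RULES + [OPEN_RULE], {"sg-app"}))
    print({name: default_route_target(r) for name, r in ROUTES.items()})
```

The ingress check treats a security-group reference as the normal case and a CIDR as the exception that must be inside private space; a 0.0.0.0/0 (or any public) range on a database port is reported regardless of how narrow the port range is. The route check is the companion test for the NAT answer above: a subnet whose default route is an internet gateway is a public subnet, whatever its name.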
Q: What happens to a private IP when I stop an instance? A: The private IP remains assigned to the network interface, so the instance comes back with the same private IP when you start it again. An auto-assigned public IP behaves differently: it is released when the instance stops and a different one is handed out on start. A static public IP that you allocate explicitly (an Elastic IP in AWS terms) stays with the instance across stop/start.
Q: Can multiple instances in different subnets have the same private IP? A: No. The subnets in a VPC have non-overlapping CIDR blocks, so a private IP is unique within the VPC. Separate VPCs may use overlapping ranges, but VPCs with overlapping CIDRs cannot be peered directly, because a route to the shared range would be ambiguous; you have to renumber one of them or put a NAT or address-translation layer between them.
Summary
- Private IPs are internal addresses that are not routable on the public internet, keeping cloud resources unreachable from it
- They follow RFC 1918 standards (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and persist across instance restarts
- Give every resource a private IP, and add a public IP only to edge resources that must accept direct public connections (load balancers, CDNs, bastion hosts)
- Private IPs enable secure, low-latency communication between resources within a VPC
- Pairing private IPs with security groups and NACLs creates defense-in-depth network security
Related Terms
- Public IP: A globally routable IP address assigned to edge resources that need to accept direct internet connections, such as load balancers, API gateways, or bastion hosts
- VPC: The isolated network environment where private IPs are assigned and where you define routing and security rules
- Security Group: A virtual firewall that controls inbound and outbound traffic to instances by IP address, protocol, or port, often allowing traffic only from specific private IP ranges
- NAT Gateway: A managed service that allows instances with private IPs to initiate outbound internet connections while remaining unreachable from the public internet
- Network Address Translation: The process that translates between private and public IP addresses, enabling internet communication for private resources
- CIDR Block: An IP address range written in Classless Inter-Domain Routing notation, an IP address followed by a slash and the number of network bits (e.g., 192.168.0.0/24); it defines which addresses belong to a specific network or subnet
