Day 4: Create subnets (front yards vs back yards)

How to create 4 subnets (2 public, 2 private) in different availability zones for high availability
Your neighborhood needs houses
Day 1: Your AI agent's first phone call
Day 2: Give your AI agent a real-world mission
Day 3: You claimed your territory (VPC)
Today: We'll build our neighborhood with subnets
Think of it like this:
You own a plot of land (VPC)
Now you need to build houses and divide the plots into:
- Front yard (public subnet) - visitors can visit
- Back yard (private subnet) - only you can access

We'll build our neighborhood with public subnets (front yards) and private subnets (back yards)
By the end of today, you'll have:
- 4 subnets (2 public front yards, 2 private back yards)
- Resources split across 2 availability zones
- Foundation for security and high availability
Let's build your neighborhood.
What you'll build today
4 subnets in your VPC:
| Subnet | Type | CIDR Block | Zone | Purpose |
|---|---|---|---|---|
| PublicSubnet-1 | Public | 172.31.96.0/20 | us-east-1a | Load balancer |
| PublicSubnet-2 | Public | 172.31.112.0/20 | us-east-1b | Load balancer |
| PrivateSubnet-1 | Private | 172.31.128.0/20 | us-east-1a | AI containers |
| PrivateSubnet-2 | Private | 172.31.144.0/20 | us-east-1b | AI containers |
Why 4 subnets?
- 2 public = Load balancer (needs internet access)
- 2 private = AI agent containers (hidden from internet)
- 2 zones = High availability (if one fails, other works)
What you'll learn
- What subnets are (and why you need them)
- Public vs private subnets
- What availability zones are
- How CIDR blocks divide your VPC
- How to calculate IP ranges
But if you want:
- Complete codebase (one clean repo)
- Complete walkthroughs
- Support when stuck
- Production templates
- Advanced features
Join the waitlist for the full course (launching February 2026):
Building something with AI calling?
Let's chat about your use case!
Schedule a free call - no pitch, just two builders talking.
Time required
15 minutes (4 subnets x ~3 minutes each)
Prerequisites
- Completed Day 3 (you have a VPC)
- Access to AWS Console
Understanding subnets (3-minute primer)
What is a subnet?
Subnet = Sub-network
It's a logical subdivision of your VPC.
Think of it like:
Your VPC is a city block
Subnets are the individual plots:
- Some face the street (public)
- Some are in the back (private)
Every resource in AWS lives in a subnet:
- Your load balancer → public subnet
- Your AI agent containers → private subnet
- Databases → private subnet
Public vs private subnets
What's the difference?
| Type | Internet Access | Use Case | Example |
|---|---|---|---|
| Public | Yes, direct access | Web servers, load balancers | ALB |
| Private | No direct access | App servers, databases | Fargate |
Key point:
Public subnets have a route to the Internet Gateway
Private subnets don't
We'll set up those routes on Day 6.
Why you need both
Public subnets:
- Your load balancer lives here
- Accepts connections from the internet
- Routes traffic to private subnets
Private subnets:
- Your AI agent containers live here
- Can't be accessed directly from the internet
- More secure
It's like a restaurant:
- Public subnet = dining room (customers enter here)
- Private subnet = kitchen (customers can't enter)
Availability zones
What are availability zones?
AWS regions (like us-east-1) have multiple physically separate data centers called availability zones.
Example in us-east-1:
- us-east-1a = Data center A
- us-east-1b = Data center B
- us-east-1c = Data center C
Why this matters:
If one data center has a power outage, the others keep running.
That's why we create 2 subnets of each type:
- 1 in us-east-1a
- 1 in us-east-1b
If one availability zone fails, your AI agent keeps working.
Understanding CIDR blocks
Remember from Day 3: Your VPC uses 172.31.0.0/16
That gives you: 172.31.0.0 to 172.31.255.255 (65,536 IPs)
Now we need to divide those IPs into subnets.
How CIDR blocks work
We'll use /20 blocks: Each gets 4,096 IP addresses
Our plan:
VPC: 172.31.0.0/16 (65,536 IPs)
├── PublicSubnet-1: 172.31.96.0/20 (172.31.96.0 to 172.31.111.255)
├── PublicSubnet-2: 172.31.112.0/20 (172.31.112.0 to 172.31.127.255)
├── PrivateSubnet-1: 172.31.128.0/20 (172.31.128.0 to 172.31.143.255)
└── PrivateSubnet-2: 172.31.144.0/20 (172.31.144.0 to 172.31.159.255)
Key rules:
- Subnets can't overlap
- All subnets must be within the VPC range
- Use the same /20 size for consistency
Deep dive into CIDR blocks.
Understanding the IP ranges
Your VPC might already have subnets
AWS creates default ones.
Check your existing subnets:
- Go to VPC
- Click subnets
- Note the CIDR blocks already in use
Common existing ranges:
- 172.31.0.0/20 → 172.31.15.255
- 172.31.16.0/20 → 172.31.31.255
- 172.31.32.0/20 → 172.31.47.255
We're using 172.31.96.0/20 and higher to avoid conflicts.
Rule: Pick ranges that don't overlap with existing subnets.
Calculator: Use CIDR.xyz to visualize ranges.
Step 1: Check existing subnets
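The CIDR rules above (inside the VPC, no overlap, same /20 size) and the "check what already exists" step can be applied with a few lines of Python. This is an added example, not code from the original tutorial; it uses only the standard library `ipaddress` module, the VPC, default subnets and planned subnets are the values from this page, and the helper names are mine. It also covers the Troubleshooting case where a chosen block is already taken, by finding the lowest free /20.

```python
import ipaddress

# Values from this page: the VPC from Day 3, the default subnets AWS commonly
# creates, and the four subnets Day 4 adds. Helper names are mine, not AWS's.
VPC = "172.31.0.0/16"
EXISTING = ["172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/20",
            "172.31.48.0/20", "172.31.64.0/20"]
PLANNED = {
    "PublicSubnet-1": "172.31.96.0/20",
    "PublicSubnet-2": "172.31.112.0/20",
    "PrivateSubnet-1": "172.31.128.0/20",
    "PrivateSubnet-2": "172.31.144.0/20",
}

def ip_range(cidr):
    """(first address, last address, total addresses) for a CIDR block.
    AWS reserves 5 of those addresses in every subnet, so usable = total - 5."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses

def validate_plan(vpc, existing, planned):
    """Check the page's rules: every planned block lies inside the VPC and
    overlaps neither an existing subnet nor another planned one.
    Returns a list of problem descriptions; an empty list means the plan is OK."""
    vpc = ipaddress.ip_network(vpc)
    taken = [ipaddress.ip_network(c) for c in existing]
    problems = []
    for name, cidr in planned.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name} {cidr} is outside VPC {vpc}")
        problems += [f"{name} {cidr} overlaps {t}" for t in taken if net.overlaps(t)]
        taken.append(net)  # later planned subnets must not collide with this one
    return problems

def next_free_block(vpc, taken, prefix=20):
    """Lowest /prefix block in the VPC that overlaps nothing in `taken`; this is
    the Troubleshooting case where your chosen block is already in use."""
    vpc = ipaddress.ip_network(vpc)
    taken = [ipaddress.ip_network(c) for c in taken]
    for candidate in vpc.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None  # VPC is full at this prefix length

if __name__ == "__main__":
    for name, cidr in PLANNED.items():
        print(f"{name:16} {cidr:16} {ip_range(cidr)}")
    print("problems:", validate_plan(VPC, EXISTING, PLANNED) or "none")
    print("next free /20:", next_free_block(VPC, EXISTING + list(PLANNED.values())))
```

Swap `EXISTING` for the CIDR blocks you see under VPC → Subnets in your own account before trusting the result.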
Before creating new subnets, let's see what already exists.
Open the AWS Console. In the search bar at the top, type VPC and click VPC from the dropdown.

Click Subnets in the left menu
You'll see your existing subnets. Note the CIDR blocks already used:
Common defaults:
| Common default CIDR blocks |
|---|
| 172.31.0.0/20 |
| 172.31.16.0/20 |
| 172.31.32.0/20 |
| 172.31.48.0/20 |
| 172.31.64.0/20 |
We'll create new subnets starting at 172.31.96.0/20 to avoid conflicts.

Click and select one of the subnets and you'll see if it is a default one
Step 2: Create PublicSubnet-1
Click Create subnet and select your VPC from the dropdown.
Fill in the details:
Click the copy icon next to each value in the table below and paste it into the matching field:
| Field | Value |
|---|---|
| VPC ID | Select your VPC |
| Subnet name | PublicSubnet-1 |
| Availability zone | us-east-1a |
| IPv4 VPC CIDR block | Keep pre-selected 172.31.0.0/16 |
| IPv4 CIDR block | 172.31.96.0/20 |
You can also copy and paste the availability zone to make sure you get it right.
Fill in the details and click Create subnet.
You should now see a successfully created subnet.
Step 3: Create PublicSubnet-2
Repeat for the second public subnet. Click Create subnet and fill in the details for PublicSubnet-2:
| Field | Value |
|---|---|
| VPC ID | Same VPC |
| Subnet name | PublicSubnet-2 |
| Availability Zone | us-east-1b (different zone!) |
| IPv4 VPC CIDR block | Keep pre-selected 172.31.0.0/16 |
| IPv4 CIDR block | 172.31.112.0/20 (different block!) |
Then click Create subnet.
You now have 2 public subnets in 2 availability zones.
Step 4: Create PrivateSubnet-1 and PrivateSubnet-2
Click Create subnet again.
Select your VPC from the dropdown.
Now create the first private subnet with these values:
| Field | Value |
|---|---|
| VPC ID | Same VPC |
| Subnet name | PrivateSubnet-1 |
| Availability Zone | us-east-1a |
| IPv4 VPC CIDR block | Keep pre-selected 172.31.0.0/16 |
| IPv4 CIDR block | 172.31.128.0/20 (different block!) |

This time, click on Add new subnet.
Create the second private subnet with these values (click the copy icon to copy each value from the table):
| Field | Value |
|---|---|
| VPC ID | Same VPC |
| Subnet name | PrivateSubnet-2 |
| Availability Zone | us-east-1b (different zone!) |
| IPv4 VPC CIDR block | Keep pre-selected 172.31.0.0/16 |
| IPv4 CIDR block | 172.31.144.0/20 (different block!) |
Click Create subnet.
Done! You now have 4 new subnets.
Step 5: Verify your subnets
Click on either Subnets in the left menu or Clear filters.
You should see all 4 new subnets in the list.
Verify:
| Name | CIDR | Zone | Status |
|---|---|---|---|
| PublicSubnet-1 | 172.31.96.0/20 | us-east-1a | Available |
| PublicSubnet-2 | 172.31.112.0/20 | us-east-1b | Available |
| PrivateSubnet-1 | 172.31.128.0/20 | us-east-1a | Available |
| PrivateSubnet-2 | 172.31.144.0/20 | us-east-1b | Available |
If all 4 show "Available", you're done!
Today's win
If you completed all steps:
- 4 new subnets created
- 2 public (for load balancers)
- 2 private (for AI agent containers)
- Split across 2 availability zones
- IP ranges don't overlap
Tomorrow, we'll build the exit (NAT Gateway)
Understanding what we built
Let's visualize your VPC now.
What you have:
- 1 neighborhood (VPC)
- 2 properties (availability zones)
- 2 front yards (public subnets)
- 2 back yards (private subnets)
- Public/private separation
What you don't have yet:
- Routes (Day 6)
- NAT Gateway (Day 5)
- Security rules (Day 7)
We're building the foundation piece by piece.
Troubleshooting
CIDR block overlaps with existing subnet
Error: "CIDR block overlaps with existing subnet"
Solution:
- Check your existing subnets (VPC → Subnets)
- Note which CIDR blocks are used
- Pick different blocks that don't overlap
Example: If 172.31.96.0/20 is taken, use 172.31.160.0/20
Rule: Each subnet needs a unique range.
Can't select availability zone
Problem: Availability zone dropdown is grayed out
Solution:
- Make sure you selected the correct VPC
- Refresh the page
- Try a different browser
If still stuck: Delete the subnet and try again.
What if I pick the wrong CIDR block?
No problem, just delete and recreate:
- Select the subnet
- Click Actions → Delete subnet
- Create a new one with the correct CIDR
Note: You can only delete subnets that have no resources in them.
Tomorrow's preview
Today: You divided your VPC into plots with front yards and back yards (subnets)
Tomorrow (Day 5): We build the exit (NAT Gateway)
Why you need it:
Your private subnets (where your AI agent will live) can't access the internet directly.
But your AI agent needs to:
- Pull Docker images from ECR
- Call OpenAI API
- Send audio to Twilio
Solution: NAT Gateway
It's a one-way door:
- Private subnet → Internet (outbound): allowed
- Internet → Private subnet (inbound): blocked
This keeps your AI secure while letting it work.
What we learned today
1. What subnets are
Logical divisions of your VPC (like neighborhoods in a city)
2. Public vs private
- Public = accessible from internet
- Private = hidden
3. Availability zones
Multiple data centers for high availability
4. CIDR math
How to divide IP ranges without overlaps
The foundation is growing
Days 1-2: Local development (your laptop) (done)
Day 3: VPC (your territory) (done)
Day 4: Subnets (your neighborhood) (done) - YOU ARE HERE
Days 5-8: Networking (NAT, routes, security)
Days 9-12: Gateway (load balancer, DNS, SSL)
Days 13-17: Deployment (Docker, ECS, production!)
Days 18-24: Features (API, frontend, polish)
Share your progress
Got all 4 subnets created? Share it!
Twitter/X:
"Day 4: Created 4 subnets (2 public, 2 private) across 2 availability zones. My AI calling agent's neighborhood is taking shape. Following @norahsakal's advent calendar"
LinkedIn:
"Day 4 of building AI calling agents: Created subnets for high availability. 2 public for the load balancer, 2 private for the AI containers. Foundation is solid!"
Tag me! I want to celebrate your progress!
Want the full course?
Join the waitlist for the full course (launching February 2026):
Need help with deployment? Want to brainstorm your AI calling idea? Grab a free 30-min call - happy to help.
Tomorrow
Tomorrow: Day 5 - NAT Gateway (build your one-way door)
Your AI agent needs to call OpenAI and Twilio, but you can't give it a public IP. Solution: NAT Gateway - a one-way door in your back fence.
See you then!
- Norah
