Day 6: Build your route tables (connect the roads)

How to create route tables that connect private subnets to NAT Gateway and public subnets to Internet Gateway
Your gates need directions
Day 5: You built the back gate (NAT Gateway)
Today: We build the roads that connect everything
Here's the problem:
You have:
✅ Neighborhood front gate (Internet Gateway)
✅ Back gate (NAT Gateway)
✅ Front yards (public subnets)
✅ Back yards (private subnets)
But nothing is connected yet.
Your AI agent containers (in back yards) don't know:
- "Where's the back gate?"
- "How do I reach the internet?"
Your load balancer (in front yards) doesn't know:
- "Where's the front gate?"
- "How do I reach incoming traffic?"
Solution: Route Tables
Think of them like GPS directions:
Route Table = "When you need the internet, go THIS way"
For public subnets: "Exit through the front gate (IGW)"
For private subnets: "Exit through the back gate (NAT)"
Route tables only decide where outbound packets go.
They do not control inbound traffic.
Route tables are exit instructions.
By the end of today, you'll have:
✅ Public route table (directs traffic → IGW)
✅ Private route table (directs traffic → NAT)
✅ All subnets connected to the right routes
✅ Traffic flowing (finally!)
Let's build your roads 🗺️
What you'll build today
Two route tables:
| Route Table | For | Destination | Target |
|---|---|---|---|
| PublicRouteTable | Public subnets | 0.0.0.0/0 (internet) | Internet Gateway |
| PrivateRouteTable | Private subnets | 0.0.0.0/0 (internet) | NAT Gateway |
Plus:
- Associate `PublicSubnet-1` & `PublicSubnet-2` → `PublicRouteTable`
- Associate `PrivateSubnet-1` & `PrivateSubnet-2` → `PrivateRouteTable`
What you'll learn
- What route tables are (and why you need them)
- How routes work (destination + target)
- What `0.0.0.0/0` means (all internet traffic)
- How to associate subnets with route tables
- The difference between public and private routes
But if you want:
✅ Complete codebase (one clean repo)
✅ Complete walkthroughs
✅ Support when stuck
✅ Production templates
✅ Advanced features
Join the waitlist for the full course (launching February 2026):
Building something with AI calling?
Let's chat about your use case!
Schedule a free call - no pitch, just two builders talking.
Time required
15 minutes (2 route tables + 4 subnet associations)
Prerequisites
✅ Completed Day 3 (VPC with Internet Gateway)
✅ Completed Day 4 (4 subnets)
✅ Completed Day 5 (NAT Gateway)
✅ Access to AWS Console
Understanding Route Tables (3-minute primer)
What is a route table?
Route Table = A set of rules (routes) that determine where network traffic goes
Every subnet in your VPC must be associated with a route table.
Think of it like GPS navigation:
You're in your car (container in subnet)
You want to go somewhere (make an API call)
GPS tells you which road to take (route table)

How routes work
Each route has two parts:
- Destination: Where are you trying to go?
- Target: Which gate/path should you use?
Example route:
| Destination | Target | Meaning |
|---|---|---|
| `0.0.0.0/0` | `igw-xxxxx` | "For ALL internet traffic, use the Internet Gateway" |
❌ This does not mean:
"The internet can reach this subnet"
Route tables are exit instructions.
What does 0.0.0.0/0 mean?
0.0.0.0/0 = All IP addresses on the internet
Think of it as: "Everything outside this VPC"
In routes:
- `0.0.0.0/0` → IGW = "For any internet destination, use the front gate"
- `0.0.0.0/0` → NAT = "For any internet destination, use the back gate"
There is also a local route (automatic):
- `172.31.0.0/16` → `local` = "For traffic inside the VPC, stay local"
AWS creates this automatically. You don't touch it.
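How the local route and the `0.0.0.0/0` route share one table, as an added example (not part of the original tutorial): AWS uses the most specific matching route, so `172.31.0.0/16` wins for addresses inside the VPC and `0.0.0.0/0` catches everything else. The tables are constructed to mirror this page, and `resolve` is a hypothetical helper, not an AWS API.

```python
import ipaddress

# Constructed tables mirroring this page; nat-xxxxx / igw-xxxxx are the
# page's own placeholders, not real IDs.
PRIVATE_ROUTES = [("172.31.0.0/16", "local"), ("0.0.0.0/0", "nat-xxxxx")]
PUBLIC_ROUTES = [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw-xxxxx")]
LOCAL_ONLY = [("172.31.0.0/16", "local")]  # table with no internet route added yet


def resolve(routes, dest_ip):
    """Return the target of the most specific route containing dest_ip.

    Returns None when no route matches: the traffic has no way out of the subnet.
    """
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        # Longest prefix wins, regardless of the order routes are listed in.
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


if __name__ == "__main__":
    tables = [("private", PRIVATE_ROUTES), ("public", PUBLIC_ROUTES),
              ("local-only", LOCAL_ONLY)]
    for name, table in tables:
        # One address inside the VPC, one constructed public address.
        for dest in ("172.31.20.7", "93.184.216.34"):
            print(f"{name:10} {dest:15} -> {resolve(table, dest)}")
```

The `local-only` rows show the case where the `0.0.0.0/0` route was never added: VPC-internal traffic still resolves, internet-bound traffic resolves to nothing.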
Public vs private route tables
Because public and private subnets need different directions:
Public Route Table (for front yards):
Destination: 0.0.0.0/0 → Target: Internet Gateway
"Exit through the front gate"
Meaning:
If you are a resource in your front yard (public subnet) → exit via the front gate
Private Route Table (for back yards):
Destination: 0.0.0.0/0 → Target: NAT Gateway
"Exit through the back gate"
Meaning:
If you are a resource in your back yard (private subnet) → exit via the back gate
If you used the same route table for both:
- Private subnets would try to use the IGW directly (exposes them to internet)
- That would defeat the purpose of having private subnets
Two route tables = two different exit strategies.
Step 1: Create private route table
Let's start with the private route table (for back yards).
Open the AWS Console.
In the search bar at the top, type VPC and click VPC from the dropdown

Click Route tables in the left menu
You'll see existing route tables:
- AWS creates a default one for a local route
- A route table generated for our NAT Gateway


Click Create route table
Fill in the settings:
| Field | Value |
|---|---|
| Name | `PrivateRouteTable` |
| VPC | Select your VPC |

Click Create route table
✅ You should see: "PrivateRouteTable was created successfully"
Step 2: Add NAT Gateway route to private route table
Now we need to add a route: "For internet traffic, use NAT Gateway"
Click Edit routes from the route table overview

Click Add route
Fill in the new route:
| Field | Value | Meaning |
|---|---|---|
| Destination | `0.0.0.0/0` | All internet traffic |
| Target | NAT Gateway → Select Fargate-NAT-Gateway | Use the back gate |
Select NAT Gateway as Target then click on Fargate-NAT-Gateway

Click Save changes
✅ You should see two routes now:
| Destination | Target | Status |
|---|---|---|
| `0.0.0.0/0` | `nat-xxxxx` | Active |
| `172.31.0.0/16` | `local` | Active |
Perfect! Private subnets can now reach the internet via NAT.
Step 3: Associate private subnets with private route table
Now we need to tell PrivateSubnet-1 and PrivateSubnet-2 to use this route table.

Click the Subnet associations tab

Click Edit subnet associations
Select both private subnets:
- PrivateSubnet-1
- PrivateSubnet-2

Click Save associations
✅ You should see: "Successfully updated subnet association"
Your private subnets now know to use NAT Gateway for internet traffic.
Step 4: Create public route table
Now, let's do the same for public subnets.
Go back to Route tables in the left menu, then click Create route table
Fill in the settings:
| Field | Value |
|---|---|
| Name | `PublicRouteTable` |
| VPC | Select your VPC |

Click Create route table
✅ You should see: "Route table created successfully"
Step 5: Add Internet Gateway route to public route table
Click Edit routes

Click Add route
Fill in the new route:
| Field | Value | Meaning |
|---|---|---|
| Destination | `0.0.0.0/0` | All internet traffic |
| Target | Internet Gateway → Select your IGW | Use the front gate |
Select Internet Gateway as target in the dropdown
Select your Internet Gateway as the target in the new dropdown

Click Save changes
✅ You should see two routes now:
| Destination | Target | Status |
|---|---|---|
| `172.31.0.0/16` | `local` | Active |
| `0.0.0.0/0` | `igw-xxxxx` | Active |
Step 6: Associate public subnets with public route table
Click the Subnet associations tab

Click Edit subnet associations
Select both public subnets:
- PublicSubnet-1
- PublicSubnet-2

Click Save associations
✅ You should see: "Subnet associations updated successfully"
Your public subnets now know to use Internet Gateway for internet traffic.
Step 7: Verify everything is connected
Let's make sure everything is set up correctly.
Click Subnets in the left menu

Click on PrivateSubnet-1 and check the Route table tab
You should see:
| Destination | Target |
|---|---|
| `172.31.0.0/16` | `local` |
| `0.0.0.0/0` | `nat-xxxxx` (Fargate-NAT-Gateway) |
Perfect ✅
Now click on PublicSubnet-1 and check the Route table tab
You should see:
| Destination | Target |
|---|---|
| `172.31.0.0/16` | `local` |
| `0.0.0.0/0` | `igw-xxxxx` (Internet Gateway) |
Perfect ✅
If both look good → your routing is complete.
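The Step 7 check can also be run over every subnet at once. This added example (not part of the original tutorial) takes data in the shape `aws ec2 describe-route-tables` returns and flags any subnet whose default route does not match its name. All IDs are constructed placeholders, `default_exit` and `audit` are hypothetical helpers, and the `Private*` / `Public*` naming used in this series is assumed.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output; IDs are placeholders.
LOCAL = {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv1", "Main": False}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-example", "State": "active"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub1", "Main": False},
                      {"SubnetId": "subnet-pub2", "Main": False},
                      {"SubnetId": "subnet-priv2", "Main": False}],  # the slip
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-example", "State": "active"}]},
]
# Subnet ID -> Name tag (names from this series, IDs constructed).
SUBNETS = {"subnet-priv1": "PrivateSubnet-1", "subnet-priv2": "PrivateSubnet-2",
           "subnet-pub1": "PublicSubnet-1", "subnet-pub2": "PublicSubnet-2"}


def default_exit(table):
    """Classify a table's active 0.0.0.0/0 route as 'nat', 'igw' or 'none'."""
    for route in table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State") == "active"):
            if route.get("NatGatewayId"):
                return "nat"
            if route.get("GatewayId", "").startswith("igw-"):
                return "igw"
    return "none"


def audit(tables, subnets):
    """Return (subnet name, actual exit, expected exit) for each mismatch."""
    explicit = {a["SubnetId"]: t for t in tables
                for a in t.get("Associations", []) if a.get("SubnetId")}
    main = next((t for t in tables
                 if any(a.get("Main") for a in t.get("Associations", []))), None)
    findings = []
    for subnet_id, name in sorted(subnets.items()):
        table = explicit.get(subnet_id, main)  # unassociated subnets use the main table
        expected = "nat" if name.startswith("Private") else "igw"
        actual = default_exit(table) if table else "none"
        if actual != expected:
            findings.append((name, actual, expected))
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTE_TABLES, SUBNETS):
        print("MISMATCH: %s exits via %s, expected %s" % finding)
```

In the sample, `PrivateSubnet-2` was associated with the public table, so it is reported as exiting via the IGW instead of the NAT Gateway.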
Today's win
If you completed all steps:
✅ Created PrivateRouteTable with NAT Gateway route
✅ Associated PrivateSubnet-1 & PrivateSubnet-2 with it
✅ Created PublicRouteTable with Internet Gateway route
✅ Associated PublicSubnet-1 & PublicSubnet-2 with it
✅ Verified all connections
You just built the GPS for your networks.
Traffic can now flow:
- Private subnets → NAT → Internet (secure)
- Public subnets → IGW → Internet (exposed)
Tomorrow, we'll add the smart locks (security groups).
Understanding what you built
Route tables are outbound-only. Always.
Your VPC now has complete routing:
PUBLIC TRAFFIC FLOW:
Internet → IGW → PublicSubnet (ALB) → PrivateSubnet (Fargate)
PRIVATE OUTBOUND FLOW:
PrivateSubnet (Fargate) → NAT → IGW → Internet (OpenAI, Twilio)
PRIVATE INBOUND FLOW:
❌ BLOCKED (no route from internet → private subnets)
This is production-ready networking:
✅ Public resources accessible from internet
✅ Private resources can reach internet
✅ Private resources protected from inbound traffic
Route table best practices
1. Name your route tables clearly
✅ PrivateRouteTable / PublicRouteTable
❌ rtb-123abc (default names are confusing)
2. One route per subnet type
- Private subnets → `PrivateRouteTable` (NAT)
- Public subnets → `PublicRouteTable` (IGW)
3. Don't modify the local route
- AWS creates `172.31.0.0/16 → local` automatically
- Leave it alone - it's essential for VPC-internal traffic
4. Verify associations
- Each subnet should be associated with exactly one route table
- Check VPC → Subnets to confirm
Common mistakes (and how to avoid them)
❌ Mistake #1: Associating private subnets with public route
Result: Private subnets try to use IGW directly → security issue
Fix: Always verify subnet association
❌ Mistake #2: Forgetting to add 0.0.0.0/0 route
Result: Subnet has no internet access
Fix: Every route table needs an internet route:
- `0.0.0.0/0 → NAT` or
- `0.0.0.0/0 → IGW`
❌ Mistake #3: Using wrong target
Result: Private subnets can't reach internet, or public subnets aren't accessible
Fix:
- Private subnets → NAT Gateway
- Public subnets → Internet Gateway
Troubleshooting
Private subnets can't reach the internet
Symptoms:
- Container can't pull Docker images
- OpenAI API calls fail
- Timeout errors
Check:
- `PrivateRouteTable` has route `0.0.0.0/0 → nat-xxxx`
- `PrivateSubnet-1` & `PrivateSubnet-2` are associated with `PrivateRouteTable`
- NAT Gateway status is "Available"
- NAT Gateway is in a public subnet
- `PublicRouteTable` has route: `0.0.0.0/0 → igw-xxxx`
Most common issue: Subnet associated with wrong route table
Public subnet can't be accessed from internet
Symptoms:
- Can't access load balancer
- Can't SSH to EC2 instance
Check:
- `PublicRouteTable` has route: `0.0.0.0/0 → igw-xxxx`
- `PublicSubnet-1` & `PublicSubnet-2` are associated with `PublicRouteTable`
- Internet Gateway is attached to VPC
- Resources have public IPs or Elastic IPs
- Security groups allow inbound traffic (we'll cover this on Day 7)
Both private and public subnets have no internet access
Check:
- Internet Gateway exists and is attached to VPC
  - Go to VPC → Internet Gateways
  - Status should be "attached"
  - If detached, select it → click Actions → click Attach to VPC
Route not showing up after adding it
Steps:
- Refresh the page
- Check if you clicked "Save changes"
- Verify you're looking at the correct route table
- If still missing, add the route again
Tomorrow's preview
Today: You built the roads (route tables)
Tomorrow (Day 7): We add the smart locks (security groups, SG)
What we'll do:
Right now, your routing works, but there's NO security layer.
Tomorrow, we'll create:
- ALB-SG (for the load balancer)
  - Allow inbound: HTTP (80) + HTTPS (443) from anywhere
  - Allow outbound: All traffic
- Fargate-SG (for AI containers)
  - Allow inbound: Port 6060 from ALB-SG only
  - Allow outbound: All traffic
This adds a security layer:
- Only the load balancer can talk to containers
- Containers can't be accessed directly from internet
- Even if someone finds your container's IP, they can't connect
Think of security groups like smart locks on each building's door:
- Each door has rules for who can enter
- They decide who's allowed in and through which door
What we learned today
1. What route tables are
GPS for network traffic, tells packets where to go
2. How routes work
Destination + Target = "Where are you going? Use this path"
3. What 0.0.0.0/0 means
All internet traffic (everywhere outside the VPC)
4. Public vs Private routing
- Public → Internet Gateway (bidirectional)
- Private → NAT Gateway (one-way out)
5. Subnet association
Each subnet needs to be associated with a route table
The foundation is almost complete
Days 1-2: Local development (your laptop) ✅
Day 3: VPC (your territory) ✅
Day 4: Subnets (front yards vs back yards) ✅
Day 5: NAT Gateway (back gate) ✅
Day 6: Route Tables (the roads) ← YOU ARE HERE
Day 7: Security Groups (smart locks on each building)
Day 8: Test Your Network
Days 9-12: Load Balancer & DNS
Days 13-17: Deployment (Docker, ECS, production!)
Days 18-24: Features (API, frontend, polish)
Share your progress
Got your routes working? Share it!
Twitter/X:
"Day 6: Built route tables - the GPS for my VPC. Private subnets now know to use NAT Gateway, public subnets use Internet Gateway. Traffic is flowing! Following @norahsakal's advent calendar"
LinkedIn:
"Day 6 of building AI calling agents: Created route tables to connect everything. My private subnets can now reach OpenAI securely while staying hidden from the internet. Networking is finally clicking!"
Tag me! I want to celebrate your progress!
Tomorrow: Day 7 - Security Groups (Add the smart locks)
See you then!
- Norah
