I'm reading everywhere (including the official documentation) that an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP.
Let's say I have a 10.0.0.0/16 VPC with a 10.0.0.0/20 public subnet and a 10.0.0.128/20 private subnet containing an EC2 instance with a public IP.
According to me, in this configuration, a packet sent to the EC2 instance would:

10.0.0.1
10.0.0.0/16 should be forwarded to the local network

However, the EC2 instance wouldn't be able to reply to that packet (in order to establish a TCP connection, for example) because it has no route to an Internet Gateway or a NAT instance.
So according to me the statement "an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP" is not true: it is actually reachable (if the network ACLs and the security groups allow the traffic), but it cannot respond to any solicitation.
Is my reasoning correct?
In the comments, I was advised to test and answer my own question, which I did:
sudo nc -ul 53
The text appeared on the EC2 instance, meaning that, as I thought, the sentence "an EC2 instance in a private subnet cannot be reached from the internet" is partially true. If we want to send data to an EC2 instance in this configuration:
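The routing argument in the question, as an added example that is not part of the original post (route table entries, the IGW address mapping, the instance's private IP 10.0.0.130, the public IP 203.0.113.10 and the client 198.51.100.7 are all constructed): a longest-prefix-match walk over the private subnet's route table shows why the inbound packet is delivered but the reply has no route, while a public subnet's table with an IGW route lets the reply out.

```python
import ipaddress

# Constructed to match the question: one VPC, a private subnet whose route table has only
# the implicit local route, and (for comparison) a public subnet table with an IGW route.
PRIVATE_RT = [("10.0.0.0/16", "local")]
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123")]

# Public-to-private address translation performed by the Internet Gateway (constructed values).
IGW_NAT = {"203.0.113.10": "10.0.0.130"}


def lookup(route_table, dst):
    """Longest-prefix match over a route table; None when no entry matches (packet dropped)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def inbound(route_table, public_dst):
    """Internet -> instance. The IGW rewrites the public IP to the private one,
    then the VPC router delivers the packet through the subnet's local route."""
    private_dst = IGW_NAT.get(public_dst)
    if private_dst is None:
        return ("dropped", "no public IP mapped on the IGW")
    target = lookup(route_table, private_dst)
    return ("delivered", private_dst) if target == "local" else ("dropped", "no route")


def reply(route_table, internet_src):
    """Instance -> internet. Returns the route target the reply would use, or None
    when the table has no route covering the client's address."""
    target = lookup(route_table, internet_src)
    return None if target in (None, "local") else target


def trace(route_table, client_ip, public_ip):
    """Follow one request/response pair through the given subnet route table."""
    status, detail = inbound(route_table, public_ip)
    if status != "delivered":
        return f"request {status}: {detail}"
    out = reply(route_table, client_ip)
    return f"request delivered to {detail}; reply " + (f"via {out}" if out else "dropped: no route")


if __name__ == "__main__":
    print("private subnet:", trace(PRIVATE_RT, "198.51.100.7", "203.0.113.10"))
    print("public subnet: ", trace(PUBLIC_RT, "198.51.100.7", "203.0.113.10"))
```

Adding a 0.0.0.0/0 route to a NAT gateway would give the reply a route, but the NAT rewrites the source address on the way out, so the client would still not see a reply from the public IP it sent to.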