Public vs private networks
Topic: Networking basics
Summary
Public IPs are globally routable on the internet; private IPs (RFC 1918) are for use inside a network and are not routed on the public internet. Learn the private ranges and why NAT is used so you can configure and debug connectivity between internal and external hosts. Use this when planning addressing or fixing 'no route' across the internet.
Intent: How-to
Quick answer
- Private IPv4 ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16; these are not routed on the public internet; use them for internal networks.
- Public IPs are globally unique and routable; you need them for servers that must be reached from the internet; typically assigned by the ISP or cloud provider.
- Hosts with only private IPs reach the internet via NAT (router rewrites source to its public IP); external hosts cannot initiate connections to a private IP unless you use port forwarding or a tunnel.
Prerequisites
Steps
- Know private ranges: 10.0.0.0/8 (10.0.0.0–10.255.255.255), 172.16.0.0/12 (172.16.0.0–172.31.255.255), 192.168.0.0/16 (192.168.0.0–192.168.255.255). Routers on the public internet do not route traffic to these ranges; they are for internal use only.
- Know public IPs: Any IPv4 address that is not in the private ranges (and not reserved for other special use) can be used on the public internet. Address space is assigned by IANA to RIRs and then to ISPs or organizations; you get public addresses from your ISP or cloud provider.
- Relate to NAT and connectivity: Hosts with private IPs can reach the internet if the border router does outbound NAT (SNAT). External hosts cannot directly reach a private IP; you need port forwarding (DNAT) or a VPN/tunnel to expose an internal service.
- Apply in design: Use private IPs for internal LANs and VPCs; use public IPs (or a load balancer with a public IP) for services that must be reachable from the internet; document which hosts have public vs private only.
Summary
Public IPs are globally routable; private IPs (RFC 1918 ranges) are for internal use and are not routed on the internet. Outbound NAT lets private hosts reach the internet; port forwarding or tunnels let external clients reach internal services. Use this when planning addressing or debugging internet vs internal access.
Prerequisites
Steps
Step 1: Know private ranges
- 10.0.0.0/8: 10.0.0.0–10.255.255.255
- 172.16.0.0/12: 172.16.0.0–172.31.255.255
- 192.168.0.0/16: 192.168.0.0–192.168.255.255
These addresses are not routed on the public internet. Use them for internal networks only.
Step 2: Know public IPs
Public IPv4 addresses are assigned by ISPs or cloud providers from globally routable space. Hosts with a public IP can be reached from the internet (subject to firewall and routing).
Step 3: Relate to NAT and connectivity
Hosts with only private IPs need a router that performs outbound NAT so their traffic appears to come from the router’s public IP. External hosts cannot send packets to a private IP directly; to expose an internal service you use port forwarding (DNAT) or a VPN/tunnel so that traffic arrives at a public endpoint and is then sent to the private host.
Step 4: Apply in design
Use private addressing for internal segments; use public IPs (or a load balancer with a public IP) for services that must accept internet traffic. Document which hosts are public vs private-only.
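The steps above as an added example (not part of the original page): a Python check that classifies each address as RFC 1918 private, other special-use, or public, then flags hosts whose documented exposure cannot work with that address. The inventory, host names and the `classify`/`audit` helpers are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 ranges listed on this page.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'private' (RFC 1918), 'special' (other reserved) or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    # is_global is False for loopback, link-local, 100.64.0.0/10 and other
    # reserved space, none of which is routable on the public internet.
    return "public" if ip.is_global else "special"

def audit(inventory):
    """Compare each host's documented exposure with what its address allows."""
    findings = []
    for name, addr, internet_facing, forwarded in inventory:
        kind = classify(addr)
        if internet_facing and kind != "public" and not forwarded:
            findings.append((name, f"{kind} address, no port forward or tunnel"))
        elif not internet_facing and kind == "public":
            findings.append((name, "public address on internal-only host"))
    return findings

# Constructed sample inventory: (name, address, internet_facing, forwarded).
# 8.8.8.8 stands in for "some public address"; it is not a host of ours.
INVENTORY = [
    ("lb01",    "8.8.8.8",     True,  False),
    ("web01",   "10.0.1.10",   True,  True),
    ("api01",   "172.20.5.7",  True,  False),
    ("db01",    "192.168.1.5", False, False),
    ("cache01", "172.32.0.9",  False, False),  # just outside 172.16.0.0/12
    ("edge01",  "100.64.3.2",  True,  False),  # not RFC 1918, not public
]

if __name__ == "__main__":
    for name, reason in audit(INVENTORY):
        print(f"{name}: {reason}")
```

The 172.32.0.9 entry shows the common boundary mistake: 172.16.0.0/12 ends at 172.31.255.255, so a host numbered just past it holds a public address even when it is documented as internal.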
Verification
- You can list the three private ranges and explain why internal hosts need NAT to reach the internet and why external hosts cannot directly reach a private IP.
Troubleshooting
Cannot reach internet from internal host — Check default route and that the border router does outbound NAT; check firewall allows outbound and return traffic.
Cannot reach internal server from internet — Internal server has a private IP; configure port forwarding or a VPN/tunnel to a public endpoint that forwards to that server.