Before adding a public IP, you need to attach your VPC to the Internet Gateway router. This will create a bridge between your VPC router and the IGW router. When you add a public IP, it sits outside of your VPC on the IGW router, then AWS automation will NAT this to your VPC router with your EC2 private IP. When a request is sent from the internet to your EC2, the public IP ends at the IGW router, then the request is forwarded to your router, then to your EC2 private IP. You can see the communication in the VPC flow logs: end user public IP reaching EC2 private IP. AWS documentation does not explain all this.
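An added example (not part of the original text): a Python sketch that reads default-format (version 2) VPC flow log records and lists the flows whose source is outside the VPC and whose destination is a private address inside it, which is where the translation described above shows up. The sample records, the account and ENI ids, and the `10.0.0.0/16` VPC CIDR are constructed assumptions.

```python
import ipaddress

# Field order of the default VPC flow log record (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic); ids and addresses are placeholders.
SAMPLE = """\
2 123456789012 eni-0aaa1111bbbb2222c 203.0.113.25 10.0.1.15 51544 443 6 12 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.15 203.0.113.25 443 51544 6 10 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 198.51.100.7 10.0.1.15 40022 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.2.40 10.0.1.15 38812 5432 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(line):
    """Return one record as a dict, or None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Only records with log_status OK carry address fields.
    return rec if rec["log_status"] == "OK" else None


def internet_to_private(lines, vpc_cidr="10.0.0.0/16"):
    """List (src, dst, dstport, action) where src is outside the VPC and dst is inside.

    The destination is the instance's private IP: the public IP never appears,
    because the translation happens at the Internet Gateway before logging.
    """
    vpc = ipaddress.ip_network(vpc_cidr)  # assumed VPC CIDR
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src not in vpc and dst in vpc:
            hits.append((rec["srcaddr"], rec["dstaddr"],
                         int(rec["dstport"]), rec["action"]))
    return hits


if __name__ == "__main__":
    for hit in internet_to_private(SAMPLE.splitlines()):
        print(hit)
```

Version 2 records carry no direction field, so return traffic for connections the instance itself opened also matches this filter; the destination port (a service port versus an ephemeral one) is the usual way to tell the two apart.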