
CIDR Blocks & IP Addressing

Every network in AWS needs a range of private IP addresses to hand out to its resources, and that range is written using CIDR notation. Get the planning right and your networks grow cleanly, connect to each other, and link back to your office without conflict. Get it wrong and you may have to rebuild a whole Virtual Private Cloud (VPC) just to fix an overlap. This page explains CIDR, how block size maps to address count, and how to lay out ranges that never collide.

What is CIDR notation

CIDR stands for Classless Inter-Domain Routing. It is just a compact way to describe a block of IP addresses. A CIDR block looks like 10.0.0.0/16. It has two parts:

  • The base address (10.0.0.0) — where the range starts.
  • The prefix length (/16) — how many bits at the front are fixed (the “network” part).

An IPv4 address is 32 bits long. The number after the slash tells you how many of those bits are locked. The bits that are left over are free to vary, and each combination of those free bits is one IP address.

So the maths is simple: usable bits = 32 − prefix, and total addresses = 2 ^ (usable bits).

CIDR   Free bits   Total IPs   Common use
/16    16          65,536      A whole VPC
/20    12          4,096       A large subnet
/24    8           256         A normal subnet
/27    5           32          A small subnet
/28    4           16          The smallest subnet AWS allows

A smaller prefix number means a bigger block. A /16 is far larger than a /24. Think of the prefix as a magnifying glass: the higher the number, the more zoomed in (smaller) the range.

Tip: AWS VPCs accept a primary CIDR between /16 (largest) and /28 (smallest). Subnets must also sit between /16 and /28. You cannot make a subnet bigger than its VPC.

AWS reserves 5 IPs in every subnet

This is the gotcha that surprises almost everyone. In any subnet, AWS takes 5 addresses for itself, so you never get the full count. For a CIDR block 10.0.1.0/24, the reserved addresses are:

Address      Reserved for
10.0.1.0     Network address
10.0.1.1     VPC router
10.0.1.2     AWS DNS (Domain Name System) resolver
10.0.1.3     Reserved for future use
10.0.1.255   Network broadcast (AWS does not support broadcast, but still reserves it)

Because of this, a /28 block (16 total addresses) gives you only 11 usable IPs, not 16. A /24 gives 251, not 256. Always subtract 5 when you size a subnet.

Warning: Do not pick a subnet that is exactly the size you need today. If you plan for 16 instances and choose a /28, you will run out at 11 and have to recreate the subnet. Leave headroom.
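The arithmetic above, as an added example that is not code from the original page: it computes free bits, total and usable addresses for a subnet, enforces the /16 to /28 bound AWS applies, lists the five reserved addresses for any block, and answers the "will 16 instances fit in a /28" question. It uses only the Python standard library; the function names are this example's own.

```python
# Added example, not code from the original page: compute the size of a
# CIDR block and the five addresses AWS reserves in every subnet.
# Uses only the Python standard library.
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # network, router, DNS, future use, broadcast


def subnet_sizes(cidr: str) -> dict:
    """Return free bits, total, reserved and usable address counts for an AWS subnet."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.1.5/24
    if net.version != 4:
        raise ValueError("this helper handles IPv4 only")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    total = net.num_addresses  # 2 ** (32 - prefix)
    return {
        "free_bits": 32 - net.prefixlen,
        "total": total,
        "reserved": AWS_RESERVED_PER_SUBNET,
        "usable": total - AWS_RESERVED_PER_SUBNET,
    }


def reserved_addresses(cidr: str) -> dict:
    """Map each address AWS reserves in the subnet to its role."""
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    return {
        str(ipaddress.ip_address(base)): "network address",
        str(ipaddress.ip_address(base + 1)): "VPC router",
        str(ipaddress.ip_address(base + 2)): "AWS DNS resolver",
        str(ipaddress.ip_address(base + 3)): "reserved for future use",
        str(net.broadcast_address): "network broadcast",
    }


def fits(instances_needed: int, cidr: str) -> bool:
    """True when the subnet has enough usable addresses after the AWS reservation."""
    return subnet_sizes(cidr)["usable"] >= instances_needed


if __name__ == "__main__":
    for block in ("10.0.0.0/16", "10.0.0.0/20", "10.0.1.0/24", "10.0.1.0/27", "10.0.1.0/28"):
        s = subnet_sizes(block)
        print(f"{block:<12} free bits={s['free_bits']:<3} total={s['total']:<6} usable={s['usable']}")
    for addr, role in reserved_addresses("10.0.1.0/24").items():
        print(f"{addr:<12} {role}")
    print("16 instances in a /28:", fits(16, "10.0.1.0/28"))  # False: only 11 usable
```

strict=True is deliberate: it refuses a block such as 10.0.1.5/24 whose host bits are set, which is the same mistake the VPC console rejects, so sizing is done on a properly aligned network address.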

Planning non-overlapping ranges

Two networks can talk to each other only if their address ranges do not overlap. If your VPC uses 10.0.0.0/16 and a partner VPC also uses 10.0.0.0/16, the router cannot tell which network an address like 10.0.5.4 belongs to. This is why overlapping CIDRs make VPC peering impossible to route — and why you must plan address space before you ever peer or connect to on-premises (your own physical office network).

When to use this

Plan your CIDR layout up front whenever you expect to: peer VPCs together, use a Transit Gateway, set up a VPN (Virtual Private Network) to your office, or use AWS Direct Connect (a dedicated physical line to AWS). If a VPC will live alone forever and never connect to anything, the planning matters less — but that is rarely true in practice, so plan anyway.

A simple, safe scheme is to give each environment its own slice of the private 10.0.0.0/8 space:

Environment         VPC CIDR          Avoids
Production          10.0.0.0/16       dev, staging, on-prem
Staging             10.1.0.0/16       prod, dev, on-prem
Development         10.2.0.0/16       prod, staging, on-prem
On-premises office  192.168.0.0/16    all AWS VPCs

Each VPC then divides its /16 into subnets per Availability Zone, for example 10.0.1.0/24 and 10.0.2.0/24.
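The overlap rule and the per-AZ carving above, as an added example that is not code from the original page: it checks every pair of ranges in a plan for overlap (the check that decides whether peering can be routed) and hands out one /24 per Availability Zone from a VPC /16. The PLAN dictionary, the AZ names and the function names are constructed for this example; it uses only the Python standard library.

```python
# Added example, not code from the original page: validate an address plan
# for overlaps and carve one /24 per Availability Zone out of a VPC /16.
# The plan dictionary and AZ names below are constructed to mirror the table above.
import ipaddress
from itertools import combinations, islice

PLAN = {
    "prod": "10.0.0.0/16",
    "staging": "10.1.0.0/16",
    "dev": "10.2.0.0/16",
    "on-prem": "192.168.0.0/16",
}


def find_overlaps(plan: dict) -> list:
    """Return every pair of names whose ranges overlap; an empty list means safe to peer."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb)]


def carve_subnets(vpc_cidr: str, azs: list, new_prefix: int = 24, start_index: int = 1) -> dict:
    """Give each AZ the next /new_prefix inside the VPC, skipping the first start_index blocks.

    start_index=1 leaves 10.0.0.0/24 unused so the first AZ gets 10.0.1.0/24 as on this page.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= new_prefix <= 28:
        raise ValueError("AWS subnets must be between /16 and /28")
    if new_prefix < vpc.prefixlen:
        raise ValueError("a subnet cannot be bigger than its VPC")
    blocks = islice(vpc.subnets(new_prefix=new_prefix), start_index, None)
    assigned = {}
    for az in azs:
        block = next(blocks, None)
        if block is None:
            raise ValueError(f"{vpc_cidr} has no room for another /{new_prefix}")
        assigned[az] = str(block)
    return assigned


if __name__ == "__main__":
    print("overlaps in plan:", find_overlaps(PLAN) or "none")
    bad = dict(PLAN, partner="10.0.0.0/16")  # a peer that reused prod's range
    print("overlaps with partner:", find_overlaps(bad))
    print(carve_subnets(PLAN["prod"], ["us-east-1a", "us-east-1b", "us-east-1c"]))
```

A partial overlap counts too: a partner /24 that sits inside your /16 blocks peering just as a duplicate /16 does, which is why the check uses overlaps() rather than equality.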

Creating a VPC and subnets with a chosen CIDR

Console steps

  1. Open the VPC console and choose Your VPCs then Create VPC.
  2. Select VPC only, give it a name, and enter the IPv4 CIDR 10.0.0.0/16.
  3. Choose Create VPC.
  4. Go to Subnets then Create subnet, pick your new VPC, choose an Availability Zone, and enter the subnet CIDR 10.0.1.0/24.
  5. Choose Create subnet.

AWS CLI

# Create the VPC with a /16 block
aws ec2 create-vpc --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=prod-vpc}]'

# Create a /24 subnet inside it
aws ec2 create-subnet --vpc-id vpc-0a1b2c3d \
  --cidr-block 10.0.1.0/24 --availability-zone us-east-1a

Output:

{
    "Vpc": {
        "VpcId": "vpc-0a1b2c3d",
        "CidrBlock": "10.0.0.0/16",
        "State": "available"
    }
}
{
    "Subnet": {
        "SubnetId": "subnet-0a1b2c3d",
        "VpcId": "vpc-0a1b2c3d",
        "CidrBlock": "10.0.1.0/24",
        "AvailableIpAddressCount": 251,
        "AvailabilityZone": "us-east-1a"
    }
}

Notice AvailableIpAddressCount is 251, not 256 — the 5 reserved IPs are already gone.

Terraform

resource "aws_vpc" "prod" {
  cidr_block = "10.0.0.0/16"
  tags       = { Name = "prod-vpc" }
}

resource "aws_subnet" "app_a" {
  vpc_id            = aws_vpc.prod.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"
}

Adding more space later

If a VPC runs low on addresses, you do not have to rebuild it. You can attach a secondary CIDR block.

# Attach a second IPv4 block. It must not overlap the primary (10.0.0.0/16),
# so a different range is needed; 10.10.0.0/16 also stays clear of the
# staging and dev slices in the plan above.
aws ec2 associate-vpc-cidr-block --vpc-id vpc-0a1b2c3d \
  --cidr-block 10.10.0.0/16

The secondary block must also avoid overlapping with peers and on-prem. Adding a CIDR block has no direct charge; you pay only for the resources (such as NAT Gateways or data transfer) that run inside the VPC.
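Choosing that secondary block, as an added example that is not code from the original page: conflicts() reports which existing ranges a candidate would collide with (including the VPC's own primary), and next_free_block() picks the lowest unused /16 in 10.0.0.0/8, which is the non-overlapping hand-out that IPAM automates for larger estates. IN_USE is a constructed view of this page's plan; the function names are this example's own, and it uses only the Python standard library.

```python
# Added example, not code from the original page: choose a secondary CIDR
# that collides with nothing already in use. IN_USE is a constructed view of
# the plan from this page (prod's primary block, the other VPCs and on-prem).
import ipaddress

IN_USE = {
    "prod primary": "10.0.0.0/16",
    "staging": "10.1.0.0/16",
    "dev": "10.2.0.0/16",
    "on-prem": "192.168.0.0/16",
}
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")


def conflicts(candidate: str, in_use: dict) -> list:
    """Names of existing ranges the candidate overlaps; empty list means safe to attach."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return [name for name, cidr in in_use.items() if cand.overlaps(ipaddress.ip_network(cidr))]


def next_free_block(in_use: dict, prefix: int = 16, pool=PRIVATE_10) -> str:
    """Lowest /prefix inside pool that overlaps nothing in in_use (what an IPAM does for you)."""
    if not 16 <= prefix <= 28:
        raise ValueError("VPC CIDR blocks must be between /16 and /28")
    for candidate in pool.subnets(new_prefix=prefix):
        if not conflicts(str(candidate), in_use):
            return str(candidate)
    raise ValueError(f"no free /{prefix} left in {pool}")


if __name__ == "__main__":
    print(conflicts("10.0.0.0/16", IN_USE))   # ['prod primary']: reusing the primary range
    print(conflicts("10.10.0.0/16", IN_USE))  # []: no collision, safe to attach
    print(next_free_block(IN_USE))            # 10.3.0.0/16
```

Run conflicts() before associate-vpc-cidr-block and record the result in the address plan; the allocator only guarantees no overlap with what it was told about, so an undocumented range is exactly the collision it cannot prevent.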

Best practices

  • Subtract 5 from every subnet’s total when you size it — a /28 gives 11 usable IPs.
  • Choose a VPC /16 and carve /24 subnets from it; that leaves plenty of room to grow.
  • Give every VPC and your on-prem network a unique, non-overlapping range before you peer or connect.
  • Reserve separate 10.x.0.0/16 slices for prod, staging, and dev so they never collide.
  • Document your address plan (a spreadsheet or IPAM) so no team accidentally reuses a range.
  • Consider AWS IP Address Manager (IPAM) for large estates — it automatically hands out non-overlapping blocks.
  • Never pick a subnet that is exactly the size you need today; leave headroom for scaling.
Last updated June 15, 2026