Understanding Subnet CIDRs and Configuration in AWS

Introduction to IP Subnetting and CIDR

IP subnetting is a fundamental practice in network management that involves dividing a larger IP network into smaller, more logical subnetworks, commonly referred to as subnets.1 This process allows for a more organized and efficient allocation of IP addresses, contributing to improved network performance and security.2 By segmenting a network into subnets, network administrators can isolate different parts of an organization's infrastructure, enhancing security by controlling traffic flow and limiting the scope of potential network breaches.2 Furthermore, subnetting helps optimize the utilization of IP addresses, which are a finite resource, by allowing for the creation of networks tailored to the specific number of hosts required, thus preventing wastage.2 This logical division also aids in reducing network congestion by confining broadcast traffic to specific subnetworks.3 The practice of subnetting is a cornerstone of modern IP network design and administration, offering numerous benefits in terms of scalability and manageability.2

Classless Inter-Domain Routing (CIDR) is an IP address allocation and routing method that was introduced in 1993 to overcome the limitations of the older class-based IP addressing system.5 The traditional classful system, which categorized IP addresses into Class A, B, and C networks with fixed subnet masks, proved to be inefficient and led to the rapid depletion of available IP addresses.7 CIDR addresses these issues by allowing for a more flexible and efficient allocation of IP addresses through the use of variable-length subnet masks (VLSM).5 This means that network administrators can create IP address ranges of various sizes, precisely matching the needs of their networks.8 The key advantages of CIDR include a reduction in IP address wastage, improved routing efficiency through a technique called route aggregation or supernetting, and enhanced scalability for networks of different sizes.5 CIDR utilizes a compact notation, represented as an IP address followed by a forward slash and a number (the prefix length), to denote both the network address and the subnet mask.8 This notation simplifies the process of defining and understanding network boundaries.

In the context of Amazon Web Services (AWS), both subnetting and CIDR play a vital role in the architecture and management of Virtual Private Clouds (VPCs).5 A VPC is a logically isolated virtual network within the AWS cloud, providing organizations with a private and secure space to launch their AWS resources.5 When creating a VPC, a primary CIDR block is assigned to define the range of private IP addresses that will be available within the virtual network.10 Subsequently, this CIDR block is divided into smaller, non-overlapping CIDR blocks to create subnets within the VPC.10 These subnets allow for the segmentation of the network, enabling the isolation of different parts of an organization's infrastructure and the deployment of resources in a manner that aligns with security and availability requirements.10 Subnetting within VPCs facilitates the distribution of resources across multiple Availability Zones (AZs), which are distinct data centers within an AWS region, thereby enhancing the resilience and fault tolerance of applications.12 The combination of VPCs, subnetting, and CIDR provides a robust and flexible networking foundation for deploying and managing applications and services in the AWS cloud.

Understanding CIDR Notation

The CIDR notation is a fundamental concept for defining IP address ranges in modern networking. It provides a concise and efficient way to represent both the starting IP address of a network or subnet and the extent of the address range.2 The notation consists of two main parts: the IP address itself, which serves as the base or network address, and a prefix length, which is a number following a forward slash that indicates the number of bits in the IP address that are part of the network portion.2 For instance, in the CIDR notation 192.168.1.0/24, the IP address 192.168.1.0 identifies the network, and the /24 specifies that the first 24 bits of the 32-bit IPv4 address are used for the network prefix. The remaining bits are then available for host addresses within that network.

For IPv4 addresses, which are 32 bits in length, the prefix length can range from /0 to /32.9 A prefix length of /0 would indicate the entire IPv4 address space, while a prefix length of /32 would refer to a single, specific IP address.9 The prefix length essentially defines the boundary between the network portion and the host portion of an IP address. All IP addresses within a given network or subnet share the same network prefix, as determined by the prefix length.14

The prefix length in CIDR notation directly dictates the size of the network and the number of available host addresses. A shorter prefix length, meaning a smaller number following the slash, results in a larger network with more bits available for host addresses.5 Conversely, a longer prefix length, indicated by a larger number after the slash, leads to a smaller network with fewer bits available for hosts.14 For an IPv4 subnet, the number of available host addresses can be calculated using the formula 2^{(32 - prefix length)} - 2.14 The subtraction of 2 accounts for the network address itself and the broadcast address, which are reserved and cannot be assigned to individual hosts.14 For example, a /24 prefix leaves 8 bits for host addresses (32 - 24 = 8), resulting in 2⁸ - 2 = 254 usable host addresses.2 A /20 prefix provides 12 host bits (32 - 20 = 12), yielding 2¹² - 2 = 4094 usable host addresses.15 This inverse relationship between prefix length and network size is crucial for network planning and resource allocation.

CIDR notation offers a more streamlined and flexible alternative to traditional subnet masks. In the classful networking system, subnet masks were represented using a dotted decimal format (e.g., 255.255.255.0).2 While this format is still used, CIDR notation provides a more concise way to convey the same information.2 The prefix length in CIDR notation directly corresponds to the number of leading 1s in the binary representation of the subnet mask.17 For example, a /24 prefix is equivalent to a subnet mask of 255.255.255.0, where the first 24 bits are 1s in binary. CIDR notation simplifies network configuration and management by providing a single, easily understandable value that encapsulates the network's size and mask.8 This has led to its widespread adoption as the standard for representing IP address ranges in networking documentation and configuration.

Subnetting in AWS VPCs

Amazon Web Services (AWS) Virtual Private Clouds (VPCs) rely heavily on the principles of IP subnetting and CIDR notation to provide isolated and configurable network environments for their users.5 A VPC acts as a virtual network dedicated to an AWS account, logically isolated from other virtual networks in the AWS Cloud.5 This isolation allows organizations to have full control over their networking environment, including the selection of IP address ranges, the creation of subnets, and the configuration of route tables and security settings.5

A fundamental aspect of VPC networking is the association of CIDR blocks with VPCs.19 When a VPC is created, a primary IPv4 CIDR block must be specified, which defines the overall IP address space for the VPC.19 AWS mandates that the size of this initial IPv4 CIDR block must be between a /16 netmask (providing 65,536 IP addresses) and a /28 netmask (providing 16 IP addresses).19 This range offers a balance between providing a sufficient number of IP addresses for various workloads and ensuring efficient routing within the AWS infrastructure. Notably, after a VPC has been created, it is possible to associate additional IPv4 and IPv6 CIDR blocks with it, allowing for the expansion of the VPC's IP address space as needed.19 However, it is crucial to ensure that the CIDR blocks associated with a VPC do not overlap with each other to prevent routing conflicts.19 There are also limitations on the number of CIDR blocks that can be associated with a single VPC, with default quotas that can be adjusted based on user requirements.20

Within a VPC, the IP address range is further divided into subnets, which are segments of the VPC's IP address range where AWS resources, such as EC2 instances, are launched.12 Each subnet is associated with a CIDR block that is a subset of the VPC's CIDR block, and the CIDR blocks of subnets within the same VPC must not overlap.13 Subnets in AWS are zonal resources, meaning they are confined to a single Availability Zone within an AWS region.12 This design allows for the distribution of resources across multiple, isolated locations to achieve high availability and fault tolerance.12 When creating a subnet within a VPC, the allowed IPv4 CIDR block size is also between /28 and /16.13 For VPCs that have an associated IPv6 CIDR block (which has a fixed size of /56), subnets can also be created with an IPv6 CIDR block, which has a fixed prefix length of /64.13 These limitations on VPC and subnet CIDR block sizes are in place to ensure efficient address space utilization, simplify routing considerations, and enhance security isolation within the AWS environment.21

It is important to note that within each AWS subnet, a certain number of IP addresses are reserved by AWS and are not available for use by instances or other resources.13 For IPv4 subnets, the first four IP addresses and the last IP address of each subnet's CIDR block are reserved.13 These reserved addresses include the network address, the IP address reserved for the VPC router, the IP address for the DNS server, an address reserved for future use, and the network broadcast address.13 Similarly, in IPv6 subnets, the first four IPv6 addresses and the last IPv6 address in each subnet's CIDR block are reserved.13 When planning the size of subnets in AWS, it is crucial to factor in these reserved IP addresses to ensure that a sufficient number of usable IP addresses are available for the intended resources.

Exploring CIDR Prefix Length Examples in AWS

The choice of CIDR prefix length for subnets within an AWS VPC has significant implications for the size of the subnet and the number of IP addresses available to host resources. Different prefix lengths are suitable for various use cases, depending on the anticipated density of resources and the desired level of network segmentation.

A /16 prefix, for example, provides a large address space with 65,536 total IP addresses. After accounting for the five reserved addresses in AWS, this leaves 65,531 usable IP addresses within the subnet.19 A /16 subnet is typically used for very large VPCs or in scenarios where a high density of resources is expected within a single network segment.19

Moving to a /20 prefix, the total number of IP addresses is 4,096, with 4,091 being usable in AWS after the reserved addresses are accounted for.14 Subnets with a /20 prefix are often employed for medium-sized network segments or for grouping resources related to a specific application or service.14

A /24 prefix is a very common subnet size, providing a total of 256 IP addresses, of which 251 are usable in AWS.2 This size is frequently used for subnets hosting a specific tier of an application, such as web servers or application servers, or for isolating a group of related instances.2 The ease of understanding and managing a /24 subnet, as it aligns with the boundaries of an 255.255.255.0 subnet mask, contributes to its popularity.14

At the smaller end of the spectrum, a /28 prefix offers 16 total IP addresses, resulting in 11 usable IP addresses in an AWS subnet.19 Subnets with a /28 prefix are suitable for very small network segments, such as those used for point-to-point links between network devices or for isolating a small number of critical resources.19

The following table summarizes the relationship between common CIDR prefixes and the number of usable host addresses in AWS:

Choosing the appropriate prefix length for a subnet in AWS requires careful consideration of the number of resources that will be hosted within that subnet, as well as potential future growth. It is essential to balance the need for a sufficient number of IP addresses with the principles of efficient IP address utilization and network segmentation for security and manageability.

Practical Configuration Examples in AWS

AWS provides multiple ways to create and configure subnets with specific CIDR blocks within a VPC, catering to different levels of automation and user preferences.

The AWS Management Console offers a graphical interface for creating subnets. To do so, navigate to the VPC service, select "Subnets" in the navigation pane, and click on the "Create subnet" button.13 In the create subnet dialog, you will need to choose the VPC in which to create the subnet, provide a name tag for easy identification, and select the Availability Zone where the subnet will reside.22 The crucial step is to specify the IPv4 CIDR block for the subnet, ensuring that it falls within the IP address range of the selected VPC and does not overlap with any existing subnet CIDR blocks.22 For example, if your VPC has a CIDR block of 10.0.0.0/16, you could create a subnet with a CIDR block of 10.0.1.0/24 in the us-east-1a Availability Zone.22 If the VPC has an associated IPv6 CIDR block, you also have the option to specify an IPv6 CIDR block for the subnet.22 After entering the necessary details, clicking the "Create subnet" button will provision the subnet with the specified CIDR block.

For users who prefer command-line interfaces or need to automate subnet creation, the AWS Command Line Interface (CLI) provides a powerful tool. The aws ec2 create-subnet command is used to create a subnet in a specified VPC.23 This command requires parameters such as the --vpc-id (the ID of the VPC), --cidr-block (the desired IPv4 CIDR block for the subnet), and --availability-zone (the Availability Zone for the subnet).23 You can also specify optional parameters like --tag-specifications to add tags to the subnet for better organization.23 For instance, to create a subnet with the CIDR block 10.0.2.0/24 in the us-east-1b Availability Zone within the VPC vpc-xxxxxxxxxxxxxxxxx, the command would look like: aws ec2 create-subnet --vpc-id vpc-xxxxxxxxxxxxxxxxx --cidr-block 10.0.2.0/24 --availability-zone us-east-1b --tag-specifications ResourceType=subnet,Tags=[{Key=Name,Value=my-second-subnet}].23 This command provides a flexible way to create subnets programmatically.

Infrastructure as Code (IaC) tools like AWS CloudFormation and Terraform offer a way to define and manage AWS infrastructure, including subnets, in a declarative manner. In AWS CloudFormation, the AWS::EC2::Subnet resource type is used to define a subnet within a CloudFormation template.24 The properties for this resource include VpcId, CidrBlock, and AvailabilityZone, allowing you to specify the VPC, CIDR block, and AZ for the subnet.25 An example snippet in YAML format would be:

YAML

Resources:  MySubnet:    Type: AWS::EC2::Subnet    Properties:      VpcId:!Ref MyVPC      CidrBlock: 10.0.3.0/24      AvailabilityZone: us-east-1c      Tags:        - Key: Name          Value: MySubnet

Similarly, in Terraform, the aws_subnet resource is used to define a subnet in a Terraform configuration file.26 The arguments for this resource include vpc_id, cidr_block, and availability_zone.27 An example Terraform configuration would be:

Terraform

resource "aws_subnet" "my_subnet" {  vpc_id            = aws_vpc.my_vpc.id  cidr_block        = "10.0.3.0/24"  availability_zone = "us-east-1c"  tags = {    Name = "my-subnet"  }}

Both CloudFormation and Terraform enable the automated and repeatable creation of subnets with specific CIDR blocks, promoting consistency and efficiency in infrastructure management.

Subnet CIDR Blocks and Route Tables in AWS

In an AWS VPC, subnets play a crucial role in isolating resources, and the flow of network traffic to and from these subnets is controlled by route tables.12 A route table contains a set of rules, known as routes, that determine where network traffic originating from the subnet is directed.12 Each subnet within a VPC must be associated with a route table, which dictates the allowed paths for outbound traffic leaving the subnet.12

When a VPC is created, it automatically comes with a main route table.12 By default, any subnet created within this VPC is implicitly associated with the main route table if no explicit association is made.12 However, to exert more granular control over the routing behavior of specific subnets, custom route tables can be created and explicitly associated with those subnets.12 This allows for the implementation of different routing policies for various parts of the VPC.

The association between a subnet's CIDR block and a route table is fundamental to controlling network traffic flow.12 When a CIDR block is associated with a VPC, a local route is automatically added to the VPC's route tables.19 This local route enables communication between all CIDR blocks within the VPC. To direct traffic from a subnet to destinations outside the VPC or to specific resources within the VPC, entries are added to the route table associated with that subnet.12 Each entry in a route table specifies a destination CIDR block and a target, which could be an internet gateway (for public subnets to access the internet), a NAT gateway (for private subnets to access the internet), a virtual private gateway (for VPN connections), a VPC peering connection, or a specific instance within the VPC.12

By carefully configuring the route table associated with a subnet, network administrators can control the flow of traffic based on the destination IP address range (CIDR block). For instance, a public subnet, intended to allow instances to communicate with the internet, would have a route in its associated route table that directs all traffic destined for 0.0.0.0/0 (all IPv4 addresses) to an internet gateway.10 Conversely, a private subnet, where instances should not have direct internet access, would typically have a route directing internet-bound traffic to a NAT gateway, allowing outbound communication while preventing unsolicited inbound connections from the internet.10 The effective management of route tables and their association with subnet CIDR blocks is crucial for establishing the desired network topology and security posture within an AWS VPC.

Best Practices for Choosing Appropriate CIDR Block Sizes

Selecting the appropriate CIDR block sizes for subnets in an AWS environment is a critical aspect of network design that impacts scalability, security, and overall efficiency. Several factors should be considered when making these decisions.

Scalability is a primary concern. When choosing a CIDR block size for a subnet, it is essential to anticipate the potential growth of the resources that will reside within it.8 Selecting a subnet size that is too small can lead to IP address exhaustion as more resources are added, necessitating a complex and potentially disruptive resizing process.11 Conversely, choosing a subnet size that is excessively large can lead to inefficient use of the IP address space and potentially larger broadcast domains, which can impact network performance.3 It is recommended to choose a CIDR block size that accommodates the current needs with some buffer for future expansion, without over-provisioning unnecessarily.8

Security is another key factor in determining subnet CIDR block sizes.3 Subnetting itself provides a level of network segmentation, allowing for the isolation of different types of resources or application tiers.3 By using smaller CIDR blocks for subnets that host sensitive resources, such as databases, organizations can limit the potential impact of a security breach in another part of the network.10 Additionally, security controls like Security Groups and Network ACLs are often applied at the subnet level, making well-defined and appropriately sized subnets easier to manage and secure.10

Efficient IP address utilization is also a significant consideration.2 As IP addresses, particularly IPv4 addresses, are a limited resource, it is important to allocate them judiciously.2 CIDR allows for the creation of subnets of varying sizes, enabling network administrators to tailor the address space to the specific requirements of each subnet.8 This flexibility helps to minimize the amount of unused IP addresses within the VPC.5

In an AWS environment, it is a common best practice to create separate subnets for different Availability Zones to enhance the availability of applications.12 When planning CIDR block sizes in this context, ensure that you have a sufficient number of IP addresses available within the VPC's overall CIDR block to allocate appropriately sized subnets across all desired AZs.28

Finally, it is advisable to choose CIDR block sizes that align with the organization's overall IP addressing scheme and are easy to understand and manage.14 Using consistent subnet sizes where appropriate can simplify network administration and troubleshooting.14 However, do not hesitate to use different sizes when the requirements of different parts of the application dictate it.14 Careful planning, considering these factors, will lead to an AWS network environment that is scalable, secure, and efficient in its use of IP addresses.

Conclusion

Understanding IP subnetting and CIDR notation is essential for effectively designing and managing network infrastructure, particularly within the dynamic environment of AWS. This report has explored the fundamental concepts of subnetting and CIDR, highlighting their importance in organizing networks, optimizing IP address utilization, and enhancing security. The flexibility offered by CIDR, especially in contrast to the traditional classful system, allows for the creation of IP address ranges that precisely match the needs of various network segments.

Within AWS VPCs, CIDR blocks serve as the foundation for defining the virtual network's IP address space, which is then further divided into subnets with their own CIDR blocks. These subnets, confined to specific Availability Zones, enable the deployment of resilient and highly available applications. The choice of CIDR prefix length for both the VPC and its subnets directly impacts the network's capacity and the number of available host addresses, necessitating careful planning based on anticipated growth and resource density.

The configuration of subnets with specific CIDR blocks in AWS can be achieved through multiple methods, including the user-friendly AWS Management Console, the command-line interface for automation, and Infrastructure as Code tools like CloudFormation and Terraform for repeatable deployments. The association of subnet CIDR blocks with route tables is crucial for controlling network traffic flow, allowing for the creation of public and private subnets with tailored routing policies.

Adhering to best practices when choosing CIDR block sizes is paramount for building a scalable and secure AWS environment. Considerations such as anticipating future growth, segmenting networks for security, efficiently utilizing IP addresses, and distributing resources across Availability Zones should guide these decisions. By mastering the concepts and techniques discussed in this report, technical professionals can effectively leverage subnetting and CIDR in AWS to create robust and well-managed network architectures that meet the demands of modern cloud applications.

Works cited

1. en.wikipedia.org, accessed on April 2, 2025, https://en.wikipedia.org/wiki/Subnet#:~:text=A%20subnetwork%2C%20or%20subnet%2C%20is,by%20dividing%20the%20host%20identifier

2. Networking Basics: What is IPv4 Subnetting? - CBT Nuggets, accessed on April 2, 2025, https://www.cbtnuggets.com/blog/technology/networking/networking-basics-what-is-ipv4-subnetting

3. What are subnets and subnetting, and how do they work? | Gcore, accessed on April 2, 2025, https://gcore.com/learning/what-is-a-subnet-how-subnetting-works/

4. What is a subnet? | How subnetting works - Cloudflare, accessed on April 2, 2025, https://www.cloudflare.com/learning/network-layer/what-is-a-subnet/

5. What is CIDR? - CIDR Blocks and Notation Explained - AWS, accessed on April 2, 2025, https://aws.amazon.com/what-is/cidr/

6. Subnetting: Enhancing Network Management and Efficiency - Netmaker, accessed on April 2, 2025, https://www.netmaker.io/resources/subnetting

7. www.techtarget.com, accessed on April 2, 2025, https://www.techtarget.com/searchnetworking/definition/CIDR#:~:text=CIDR%20(Classless%20Inter%2DDomain%20Routing%20or%20supernetting)%20is%20a,B%20and%20Class%20C%20networks.

8. What IS CIDR? Everything You Need to Know About This IP Addressing Method, accessed on April 2, 2025, https://www.auvik.com/franklyit/blog/what-is-cidr/

9. What Is CIDR? - IT Glossary | SolarWinds, accessed on April 2, 2025, https://www.solarwinds.com/resources/it-glossary/cidr

10. CIDR Blocks in AWS: Understanding the Basics and Beyond | by Hilda Machando | Medium, accessed on April 2, 2025, https://medium.com/@hildamachando4/cidr-blocks-in-aws-understanding-the-basics-and-beyond-f74506a84b83

11. what is IPv4 CIDR while launching a custom VPC in AWS? - Stack Overflow, accessed on April 2, 2025, https://stackoverflow.com/questions/76520302/what-is-ipv4-cidr-while-launching-a-custom-vpc-in-aws

12. Subnets for your VPC - Amazon Virtual Private Cloud, accessed on April 2, 2025, https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html

13. Subnet CIDR blocks - Amazon Virtual Private Cloud, accessed on April 2, 2025, https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizing.html

14. Subnetting: What It Is and How It Works | Auvik, accessed on April 2, 2025, https://www.auvik.com/franklyit/blog/subnetting-primer/

15. Classless Inter-Domain Routing - Wikipedia, accessed on April 2, 2025, https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

16. CIDR Notation: A Beginner's Guide to IP Addressing, accessed on April 2, 2025, https://whatismyipaddress.com/cidr

17. Understanding CIDR Subnet Mask Notation | pfSense Documentation, accessed on April 2, 2025, https://docs.netgate.com/pfsense/en/latest/network/cidr.html

18. CIDR to Subnet Mask Explained: Simplify IP Addressing - Netmaker, accessed on April 2, 2025, https://www.netmaker.io/resources/cidr-to-subnet-mask

19. VPC CIDR blocks - Amazon Virtual Private Cloud - AWS Documentation, accessed on April 2, 2025, https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html

20. Add or remove a CIDR block from your VPC - Amazon Virtual Private Cloud, accessed on April 2, 2025, https://docs.aws.amazon.com/vpc/latest/userguide/add-ipv4-cidr.html

21. AWS VPC CIDR BLOCK SIZE LIMITATION | by Sri | Medium, accessed on April 2, 2025, https://medium.com/@sridevi.suganya/aws-vpc-cidr-block-size-limitation-b229873f6422

22. Create a subnet - Amazon Virtual Private Cloud, accessed on April 2, 2025, https://docs.aws.amazon.com/vpc/latest/userguide/create-subnets.html

23. create-subnet — AWS CLI 2.8.7 Command Reference, accessed on April 2, 2025, https://awscli.amazonaws.com/v2/documentation/api/2.8.7/reference/ec2/create-subnet.html

24. Cloudformation: How to create multiple subnets using Fn::Cidr | by Abhay Pore - Medium, accessed on April 2, 2025, https://abhaypore.medium.com/cloudformation-how-to-create-multiple-subnets-using-fn-cidr-964101b04655

25. AWS::EC2::Subnet - AWS CloudFormation - AWS Documentation, accessed on April 2, 2025, https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html

26. Creating multiple subnets in order per availability zone with Terraform - Stack Overflow, accessed on April 2, 2025, https://stackoverflow.com/questions/75678808/creating-multiple-subnets-in-order-per-availability-zone-with-terraform

27. aws_subnet | Resources | hashicorp/aws - Terraform Registry, accessed on April 2, 2025, https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet

How to Create a VPC and Subnets in AWS | AWS Tutorial for Beginners - YouTube, accessed on April 2, 2025, https://www.youtube.com/watch?v=HbTfONoekyM