Blog ENG - AWS - Post 3
When designing a Virtual Private Cloud (VPC), understanding how to allocate IP addresses using Classless Inter-Domain Routing (CIDR) notation is crucial. This guide will walk you through the essentials of subnet CIDR blocks, including examples and best practices for both IPv4 and IPv6.
What is a Subnet CIDR Block?
CIDR notation is used to represent IP addresses for your subnets. The CIDR block of a subnet can either match the CIDR block of the VPC (creating a single subnet) or be a subset of the VPC’s CIDR block (creating multiple subnets). It’s important to note that if you create multiple subnets within a VPC, their CIDR blocks must not overlap.
Example of Subnet CIDR Blocks
Consider a VPC with a CIDR block of 10.0.0.0/24, which supports 256 IP addresses. This block can be divided into two subnets, each supporting 128 IP addresses:
- Subnet 1: 10.0.0.0/25 (addresses 10.0.0.0 – 10.0.0.127)
- Subnet 2: 10.0.0.128/25 (addresses 10.0.0.128 – 10.0.0.255)
Tools for Calculating CIDR Blocks
There are various online tools available to help you calculate and create IPv4 and IPv6 subnet CIDR blocks. Searching for terms like ‘subnet calculator’ or ‘CIDR calculator’ can lead you to resources that suit your needs. Additionally, your network engineering team can assist in determining the appropriate CIDR blocks for your subnets.
Subnet Sizing for IPv4
The allowed IPv4 CIDR block size for a subnet ranges from a /28 netmask to a /16 netmask. Note that the first four IP addresses and the last IP address in each subnet CIDR block are reserved and cannot be assigned to resources like EC2 instances. For example, in a subnet with CIDR block 10.0.0.0/24, the following IP addresses are reserved:
- 10.0.0.0: Network address
- 10.0.0.1: Reserved by AWS for the VPC router
- 10.0.0.2: Reserved by AWS for the DNS server
- 10.0.0.3: Reserved by AWS for future use
- 10.0.0.255: Network broadcast address
If you create a subnet using a command line tool or the Amazon EC2 API, the CIDR block is automatically modified to its canonical form. For instance, specifying 100.68.0.18/18 will create a CIDR block of 100.68.0.0/18.
Subnet Sizing for IPv6
If your VPC has an associated IPv6 CIDR block, you can assign an IPv6 CIDR block to an existing or new subnet. Possible IPv6 netmask lengths range from /44 to /64 in increments of /4. Similar to IPv4, the first four and the last IPv6 addresses in each subnet CIDR block are reserved. For example, in a subnet with CIDR block 2001:db8:1234:1a00::/64, the reserved addresses are:
- 2001:db8:1234:1a00::
- 2001:db8:1234:1a00::1: Reserved by AWS for the VPC router
- 2001:db8:1234:1a00::2
- 2001:db8:1234:1a00::3
- 2001:db8:1234:1a00:ffff:ffff:ffff:ffff
Additionally, the following IPv6 addresses are reserved for the default VPC router:
- A link-local IPv6 address in the FE80::/10 range generated using EUI-64
- The link-local IPv6 address FE80:ec2::1
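The rules above (splitting a VPC block into non-overlapping subnets, the allowed prefix lengths, the first-four-plus-last reserved addresses for both IPv4 and IPv6, and the canonical-form rewrite such as 100.68.0.18/18 becoming 100.68.0.0/18) can all be checked before a subnet is ever created. The following is an added example, not code from this post or from AWS; it uses only Python's standard ipaddress module, and the function names and the sample plan it checks are my own.

```python
"""Pre-flight checks for AWS VPC subnet plans, mirroring the rules in the post above.

Added example (not AWS code). Assumes only the standard library.
"""
import ipaddress
from typing import List, Tuple


def canonicalize(cidr: str) -> str:
    """Rewrite a CIDR to its canonical (network-address) form, as the EC2 API does.
    Example: 100.68.0.18/18 -> 100.68.0.0/18."""
    return str(ipaddress.ip_network(cidr, strict=False))


def validate_subnet_prefix(cidr: str) -> bool:
    """True if the prefix length is one AWS accepts for a subnet:
    /16 to /28 for IPv4, /44 to /64 in steps of 4 for IPv6."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        return 16 <= net.prefixlen <= 28
    return 44 <= net.prefixlen <= 64 and net.prefixlen % 4 == 0


def reserved_addresses(cidr: str) -> List[str]:
    """The five addresses AWS reserves in every subnet: the first four and the last.
    Works for IPv4 and IPv6 because the rule is the same for both."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr_cls = type(net.network_address)  # keep the address family of the block
    first = int(net.network_address)
    last = int(net.broadcast_address)     # for IPv6 this is simply the highest address
    return [str(addr_cls(first + i)) for i in range(4)] + [str(addr_cls(last))]


def usable_addresses(cidr: str) -> int:
    """Addresses actually assignable to resources: block size minus the five reserved."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 5


def split_vpc(vpc_cidr: str, new_prefix: int) -> List[str]:
    """Carve a VPC block into equal subnets of the given prefix length.
    Example: 10.0.0.0/24 with new_prefix=25 -> 10.0.0.0/25 and 10.0.0.128/25."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


def find_overlaps(subnets: List[str]) -> List[Tuple[str, str]]:
    """Return every pair of subnets whose address ranges overlap (must be empty)."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    clashes = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                clashes.append((str(a), str(b)))
    return clashes


def plan_problems(vpc_cidr: str, subnets: List[str]) -> List[str]:
    """Collect human-readable problems with a proposed subnet plan for one VPC."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    problems = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        if net.version != vpc.version:
            problems.append(f"{s}: address family differs from VPC {vpc_cidr}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{s}: not inside VPC block {vpc_cidr}")
        if not validate_subnet_prefix(s):
            problems.append(f"{s}: prefix /{net.prefixlen} not allowed for a subnet")
    for a, b in find_overlaps(subnets):
        problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: two good halves of a /24 plus one deliberately bad entry.
    proposed = ["10.0.0.0/25", "10.0.0.128/25", "10.0.0.64/29"]
    for s in proposed:
        print(f"{s}: reserved={reserved_addresses(s)} usable={usable_addresses(s)}")
    for p in plan_problems("10.0.0.0/24", proposed):
        print("PROBLEM:", p)
    print("canonical form of 100.68.0.18/18 ->", canonicalize("100.68.0.18/18"))
```

The /29 entry in the constructed plan is rejected twice: its prefix is smaller than the /28 minimum, and it sits inside the first /25, so find_overlaps reports the collision. Running the same check over an IPv6 plan needs no changes, since reserved_addresses and validate_subnet_prefix branch on the address family.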
Conclusion
Understanding and correctly configuring subnet CIDR blocks is essential for efficient network management within your VPC. Utilize available tools and consult with your network engineering team to ensure optimal subnet design.