AWS VPC CIDR Sizing Guide
Choose the right CIDR size for AWS VPCs. Covers minimum and maximum sizes, secondary CIDRs, EKS pod networking requirements, and scaling strategies.
Detailed Explanation
Choosing the Right VPC CIDR Size on AWS
AWS VPCs support CIDR blocks from /16 (65,536 IPs) to /28 (16 IPs). Choosing the right size depends on your workload, growth plans, and connectivity requirements.
AWS VPC CIDR Limits
| Setting | Limit |
|---|---|
| Minimum VPC CIDR | /28 (16 addresses) |
| Maximum VPC CIDR | /16 (65,536 addresses) |
| Secondary CIDRs per VPC | Up to 4 additional blocks |
| Total per VPC | 5 CIDR blocks |
Sizing by Workload
Small / Single-App VPC (/22 - /20)
10.0.0.0/20 (4,096 IPs)
Good for: Simple web apps, small teams, dev environments
Standard Production VPC (/16)
10.0.0.0/16 (65,536 IPs)
Good for: Multi-tier applications, 100+ instances, ECS/EKS clusters
EKS-Optimized VPC (/16 + secondary CIDRs)
10.0.0.0/16 (node network)
100.64.0.0/16 (pod network, secondary CIDR)
With the default Amazon VPC CNI, EKS assigns each pod an IP address from the VPC's CIDR blocks, so a 100-node cluster with 30 pods each needs 3,000+ IPs just for pods. Secondary CIDRs taken from the 100.64.0.0/10 (Carrier-Grade NAT, RFC 6598) range avoid eating into your RFC 1918 space.
The /16 Default Recommendation
AWS Solutions Architects generally recommend starting with /16 for any VPC that might grow:
- Cost: zero. Addresses in a VPC CIDR cost nothing until they are assigned.
- Risk of too small: high. You cannot resize an existing VPC CIDR block in place; you can only add secondary blocks, up to the limit above.
- Flexibility: a /16 gives 256 possible /24 subnets, enough for any architecture.
When to Use Smaller VPCs
- Isolated sandboxes that will never peer: /20 is fine
- You are running out of 10.x space: Use /18 or /20 to conserve
- VPN with limited remote subnet: Match the remote side's allocation
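As an added example (not part of the original guide), a small Python planner that applies the rules above: it sizes a pod block from node count and pods per node, counts how many /24 subnets a block yields, and checks a candidate secondary CIDR against the primary block and every network the VPC can route to (peers, Transit Gateway, VPN), since an overlapping block produces ambiguous routes and traffic landing in the wrong network. The 25% headroom and the sample CIDRs are assumptions.

```python
import ipaddress
import math
from typing import List

# AWS limits quoted in this guide: a VPC CIDR block must be between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28
# RFC 6598 shared address space (the "CGNAT" range) used here for EKS pod CIDRs.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def pod_ips_needed(nodes: int, pods_per_node: int, headroom: float = 0.25) -> int:
    """IPs for pods plus headroom for rolling updates and scale-out (25% assumed)."""
    return math.ceil(nodes * pods_per_node * (1 + headroom))


def smallest_block_prefix(hosts: int) -> int:
    """Smallest AWS-allowed block (/28 .. /16) that holds `hosts` addresses."""
    for prefix in range(MAX_PREFIX, MIN_PREFIX - 1, -1):
        if 2 ** (32 - prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} addresses exceed a /16; split across secondary CIDRs")


def subnet_count(vpc_prefix: int, subnet_prefix: int) -> int:
    """Equal subnets of /subnet_prefix that fit in a /vpc_prefix (256 /24s in a /16)."""
    return 2 ** (subnet_prefix - vpc_prefix)


def check_secondary(primary: str, candidate: str, reachable: List[str]) -> List[str]:
    """Findings for adding `candidate` as a secondary CIDR next to `primary`.

    `reachable` lists every CIDR this VPC can route to (peered VPCs, Transit
    Gateway attachments, VPN/on-prem). Any overlap there is a real problem;
    the RFC 1918 note is informational only.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    findings = []
    if not MIN_PREFIX <= cand.prefixlen <= MAX_PREFIX:
        findings.append(f"{cand} is outside the /16../28 range AWS accepts")
    if cand.overlaps(ipaddress.ip_network(primary)):
        findings.append(f"{cand} overlaps the primary block {primary}")
    for other in reachable:
        if cand.overlaps(ipaddress.ip_network(other)):
            findings.append(f"{cand} overlaps reachable network {other}")
    if not cand.subnet_of(CGNAT):
        findings.append(f"note: {cand} consumes RFC 1918 space; 100.64.0.0/10 would not")
    return findings


if __name__ == "__main__":
    # Constructed scenario: 100 nodes x 30 pods, a /16 node network, one peer VPC.
    print(f"pod IPs: {pod_ips_needed(100, 30)} -> /{smallest_block_prefix(pod_ips_needed(100, 30))}")
    print(check_secondary("10.0.0.0/16", "100.64.0.0/16", ["10.1.0.0/16", "172.16.0.0/12"]))
```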
Use Case
Deciding on VPC CIDR sizes for a new AWS multi-account landing zone, planning for EKS cluster networking with sufficient pod IPs, or evaluating whether to use secondary CIDRs to extend an existing VPC.