VPC Subnet Planning with CIDR Blocks
Plan VPC subnet architecture using CIDR blocks. Covers public/private/database tiers, multi-AZ layout, AWS reserved IPs, and sizing recommendations.
Cloud Infrastructure
Detailed Explanation
VPC Subnet Planning Guide
Proper subnet planning is the foundation of a well-architected cloud network. This guide covers how to divide a VPC CIDR into functional tiers using CIDR blocks.
Three-Tier Subnet Architecture
The standard VPC design uses three subnet tiers per Availability Zone:
```
10.0.0.0/16 (VPC CIDR)
│
├── Public Tier (/24 per AZ)
│   ├── 10.0.1.0/24    AZ-a (ALB, NAT Gateway, Bastion)
│   ├── 10.0.2.0/24    AZ-b
│   └── 10.0.3.0/24    AZ-c
│
├── Private Tier (/22 per AZ)
│   ├── 10.0.16.0/22   AZ-a (App servers, containers)
│   ├── 10.0.20.0/22   AZ-b
│   └── 10.0.24.0/22   AZ-c
│
└── Database Tier (/26 per AZ)
    ├── 10.0.48.0/26   AZ-a (RDS, ElastiCache)
    ├── 10.0.48.64/26  AZ-b
    └── 10.0.48.128/26 AZ-c
```
Sizing Considerations
| Tier | Recommended Size | Hosts (classic 2^n−2 count; AWS usable is 3 fewer) | Rationale |
|---|---|---|---|
| Public | /24 | 254 | Few resources (ALB, NAT, bastion) |
| Private/App | /22 or /20 | 1,022 - 4,094 | ECS tasks, EC2 instances |
| Database | /26 or /27 | 62 or 30 | RDS instances + replicas |
AWS IP Reservations
AWS reserves 5 IPs per subnet:
- .0 — Network address
- .1 — VPC router
- .2 — DNS server
- .3 — Reserved for future use
- Last address — Broadcast
A /24 (256 IPs) has only 251 usable in AWS.
Common Mistakes
- Too-small VPC — A /24 VPC cannot be meaningfully subdivided
- No room for growth — Use /16 even if you only need /20 today
- Inconsistent AZ sizing — All AZs should have equal allocations
- Overlapping with on-prem — Check corporate network CIDRs first
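The three-tier layout, the AWS reservation rule and the "Common Mistakes" checks above can be turned into a small plan validator. This is an added example, not part of the original guide: it uses Python's standard `ipaddress` module, the `PLAN` dict is a constructed copy of the tree above, and the function names are the author's own choices.

```python
from ipaddress import ip_network

AWS_RESERVED_PER_SUBNET = 5  # .0 network, .1 router, .2 DNS, .3 future use, last broadcast

# Constructed plan copied from the three-tier layout above (tier -> AZ -> CIDR).
PLAN = {
    "public":   {"a": "10.0.1.0/24",  "b": "10.0.2.0/24",   "c": "10.0.3.0/24"},
    "private":  {"a": "10.0.16.0/22", "b": "10.0.20.0/22",  "c": "10.0.24.0/22"},
    "database": {"a": "10.0.48.0/26", "b": "10.0.48.64/26", "c": "10.0.48.128/26"},
}


def usable_hosts(cidr: str) -> int:
    """Addresses left for ENIs once AWS takes its five reserved IPs."""
    return ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, plan: dict, on_prem: tuple = ()) -> list:
    """Return a list of problems found; an empty list means the plan is clean."""
    vpc = ip_network(vpc_cidr)
    problems, nets = [], []  # nets: (label, IPv4Network)
    for tier, azs in plan.items():
        sizes = {ip_network(c).prefixlen for c in azs.values()}
        if len(sizes) != 1:  # "Inconsistent AZ sizing"
            problems.append(f"{tier}: AZ subnets differ in size {sorted(sizes)}")
        for az, cidr in azs.items():
            nets.append((f"{tier}/{az}", ip_network(cidr)))
    for label, net in nets:
        if not net.subnet_of(vpc):  # catches the too-small-VPC mistake
            problems.append(f"{label} {net} is outside VPC {vpc}")
        for corp in on_prem:  # "Overlapping with on-prem"
            if net.overlaps(ip_network(corp)):
                problems.append(f"{label} {net} overlaps on-prem {corp}")
    for i, (la, a) in enumerate(nets):  # subnets must not overlap each other
        for lb, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{la} {a} overlaps {lb} {b}")
    return problems


def free_space(vpc_cidr: str, plan: dict) -> int:
    """Addresses in the VPC not assigned to any subnet (room for growth)."""
    used = sum(ip_network(c).num_addresses for azs in plan.values() for c in azs.values())
    return ip_network(vpc_cidr).num_addresses - used


if __name__ == "__main__":
    print(validate_plan("10.0.0.0/16", PLAN, on_prem=("192.168.0.0/16",)))  # []
    print(usable_hosts("10.0.1.0/24"), free_space("10.0.0.0/16", PLAN))  # 251 61504
```

Feed it the corporate CIDRs from the on-prem check before creating the VPC; a /24 VPC fed the same plan reports every subnet as outside the VPC, which is the "too-small VPC" mistake made visible.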
Use Case
Designing a new production VPC on AWS, GCP, or Azure with properly sized public, private, and database subnets spread across multiple Availability Zones, with room for future growth.