AWS VPC CIDR Blocks: Choosing the Right Subnet Size

AWS VPC CIDR Blocks

When creating an AWS VPC (Virtual Private Cloud), you must assign a CIDR block that defines the IP address range for all resources within the VPC. Choosing the right size is critical for scalability.

VPC CIDR Requirements

• Minimum size: /28 (16 addresses)
• Maximum size: /16 (65,536 addresses)
• Must be from RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or other non-public ranges
• Cannot overlap with other VPCs you want to peer with

Recommended VPC Sizing

Size	Addresses	Subnets (/24)	Use Case
/16	65,536	256	Large production
/20	4,096	16	Medium workloads
/22	1,024	4	Small environments
/24	256	1	Minimal/dev

Best practice: Start with /16 for production VPCs. You cannot resize a VPC CIDR after creation (though you can add secondary CIDRs).

Subnet Placement

AWS subnets exist within a single Availability Zone. A typical multi-AZ architecture:

VPC: 10.0.0.0/16
  Public Subnet AZ-a:   10.0.1.0/24
  Public Subnet AZ-b:   10.0.2.0/24
  Private Subnet AZ-a:  10.0.10.0/24
  Private Subnet AZ-b:  10.0.11.0/24
  DB Subnet AZ-a:       10.0.20.0/24
  DB Subnet AZ-b:       10.0.21.0/24

AWS Reserved Addresses

AWS reserves 5 addresses in every subnet:

• .0 — Network address
• .1 — VPC router
• .2 — DNS server
• .3 — Reserved for future use
• .255 — Broadcast (not supported but reserved)

So a /24 subnet has 251 usable addresses, not the standard 254.

VPC Peering Considerations

If you plan to peer VPCs (or connect to on-premises networks), their CIDR blocks must not overlap. Plan your IP addressing scheme globally before creating VPCs to avoid costly redesigns later.