Subnetting¶
From AWS Re/Start (June 2025) — the maths behind IP addressing and network design.
Ultra-Short Summary¶
Subnetting is splitting a large block of IP addresses into smaller blocks. You need it to design VPCs, understand CIDR notation, and reason about routing. Every VPC subnet is defined by a CIDR block — understanding the maths means you can calculate network ranges, broadcast addresses, and available hosts without a calculator.
IP Address Basics¶
An IPv4 address is 32 bits written as 4 octets:
```text
192.168.1.100
│   │   │ └── 4th octet (bits 25–32)
│   │   └──── 3rd octet (bits 17–24)
│   └──────── 2nd octet (bits 9–16)
└──────────── 1st octet (bits 1–8)

Binary: 11000000.10101000.00000001.01100100
```
CIDR Notation¶
CIDR = Classless Inter-Domain Routing. Written as address/prefix.
```text
10.0.0.0/16

/16 means the first 16 bits are the NETWORK portion
The remaining 16 bits are available for HOSTS

Network: 10.0.              (fixed)
Hosts:   0.0 → 255.255      (variable)

Total addresses: 2^16 = 65,536
Usable hosts:    65,534 (subtract network address + broadcast)
```
Common CIDR blocks:
| CIDR | Total Addresses | Typical Use |
|---|---|---|
| /8 | 16,777,216 | Very large org |
| /16 | 65,536 | VPC (typical) |
| /24 | 256 | Subnet (typical) |
| /28 | 16 | Small subnet |
| /32 | 1 | Single host (Security Group rules) |
Subnet Mask¶
The subnet mask tells you which part of an IP is the network vs host:
```text
IP:   10.0.1.50
Mask: 255.255.255.0 = /24

Binary AND:
IP:      00001010.00000000.00000001.00110010
Mask:    11111111.11111111.11111111.00000000
         ───────────────────────────────────
Network: 00001010.00000000.00000001.00000000 = 10.0.1.0 (the network address)

Hosts:     .1 → .254 (usable)
Broadcast: 10.0.1.255 (all host bits set to 1)
```
Quick shortcut:
| Prefix | Subnet Mask | Hosts Available |
|---|---|---|
| /24 | 255.255.255.0 | 254 |
| /25 | 255.255.255.128 | 126 |
| /26 | 255.255.255.192 | 62 |
| /27 | 255.255.255.224 | 30 |
| /28 | 255.255.255.240 | 14 |
Rule: each time you add 1 to the prefix, you halve the number of hosts.
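The two sections above are just bit arithmetic, so here is the same calculation written out in Python. This is an added example, not code from the original notes: it does the AND/OR on the raw 32-bit integers exactly as the diagrams show, then cross-checks the result against the standard library's `ipaddress` module so a slip in the hand calculation is caught. The only assumption beyond the notes is how `/31` and `/32` are treated (no network/broadcast pair is subtracted, matching the `/32 = 1 host` row in the table).

```python
import ipaddress

# Added example (not from the original notes): the subnet maths done by hand
# on 32-bit integers, then cross-checked against Python's ipaddress module.

ALL_ONES = 0xFFFFFFFF  # 32 set bits


def to_binary(addr: str) -> str:
    """Render a dotted-quad IPv4 address as four 8-bit groups.

    to_binary("10.0.1.50") -> "00001010.00000000.00000001.00110010"
    """
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr!r}")
    return ".".join(f"{o:08b}" for o in octets)


def mask_from_prefix(prefix: int) -> int:
    """Subnet mask for a prefix length as a 32-bit integer.

    /24 -> 11111111.11111111.11111111.00000000 (0xFFFFFF00)
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, mask and usable range for an address/prefix.

    address & mask  = network   (host bits cleared)
    network | ~mask = broadcast (host bits set)
    """
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    addr = int(ipaddress.IPv4Address(addr_str))   # also validates the address
    mask = mask_from_prefix(prefix)

    network = addr & mask
    broadcast = network | (~mask & ALL_ONES)
    total = 1 << (32 - prefix)

    # Textbook rule: subtract network + broadcast.  Assumed special cases: a
    # /31 point-to-point link uses both addresses and a /32 is one host, so
    # nothing is subtracted for prefixes longer than /30.
    if prefix <= 30:
        usable = total - 2
        first, last = network + 1, broadcast - 1
    else:
        usable = total
        first, last = network, broadcast

    # Cross-check: the standard library must agree with the hand calculation.
    ref = ipaddress.ip_network(cidr, strict=False)
    assert int(ref.network_address) == network
    assert int(ref.broadcast_address) == broadcast
    assert int(ref.netmask) == mask

    ip = ipaddress.IPv4Address
    return {
        "network": str(ip(network)),
        "broadcast": str(ip(broadcast)),
        "mask": str(ip(mask)),
        "prefix": prefix,
        "first_usable": str(ip(first)),
        "last_usable": str(ip(last)),
        "total": total,
        "usable": usable,
        "binary_ip": to_binary(addr_str),
        "binary_mask": to_binary(str(ip(mask))),
    }


if __name__ == "__main__":
    for cidr in ("10.0.1.50/24", "192.168.5.0/27", "10.0.0.0/16", "10.0.1.7/32"):
        info = subnet_info(cidr)
        print(f"{cidr:>16}: network {info['network']}, broadcast {info['broadcast']}, "
              f"mask {info['mask']}, usable {info['usable']} "
              f"({info['first_usable']} → {info['last_usable']})")
```

Running it on `10.0.1.50/24` reproduces the diagram above (network `10.0.1.0`, broadcast `10.0.1.255`, 254 usable), and feeding it `/25` through `/28` shows the halving rule in the table: 126, 62, 30, 14.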
AWS VPC Subnetting¶
AWS reserves 5 IP addresses per subnet (not 2 like standard networking):
```text
10.0.1.0/24 → 256 total addresses

.0   → Network address
.1   → AWS reserved (VPC router)
.2   → AWS reserved (DNS)
.3   → AWS reserved (future use)
.255 → Broadcast address

Usable: 10.0.1.4 → 10.0.1.254 = 251 hosts
```
**AWS Reserves 5, Not 2**

This catches people out. A /28 gives 16 addresses, minus 5 = 11 usable in AWS — not 14.
Designing a VPC¶
Practical example — design a VPC for a 3-tier app across 2 AZs:
```text
VPC: 10.0.0.0/16 (65,536 addresses — plenty of room)

Public subnets (load balancers):
  10.0.0.0/24  → AZ-a (251 usable)
  10.0.1.0/24  → AZ-b

Private subnets (app servers):
  10.0.10.0/24 → AZ-a
  10.0.11.0/24 → AZ-b

Private subnets (databases):
  10.0.20.0/24 → AZ-a
  10.0.21.0/24 → AZ-b
```
Good practice: leave gaps between subnet ranges. 10.0.0.x for public, 10.0.10.x for app tier, 10.0.20.x for data tier — easy to reason about at a glance.
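A plan like the one above is easy to get subtly wrong (a subnet that falls outside the VPC block, two subnets that overlap, or a host address written where a network address belongs), and AWS rejects the subnet at creation time rather than at design time. This added example, which is not code from the original notes, encodes the 3-tier / 2-AZ layout as data and validates it: containment in the VPC, no overlaps, the AWS /16 to /28 subnet size limits, and the 5-address reservation from the previous section. The subnet names and the `AZ-a`/`AZ-b` labels are constructed placeholders, not real Availability Zone names.

```python
import ipaddress
from itertools import combinations

# Added example (not from the original notes): validate a VPC subnet plan.
# The plan mirrors the 3-tier / 2-AZ design in the notes; names and AZ labels
# are constructed placeholders.

AWS_RESERVED_PER_SUBNET = 5      # network, VPC router, DNS, future use, broadcast
AWS_LARGEST_SUBNET_PREFIX = 16   # AWS subnet sizes run from /16 ...
AWS_SMALLEST_SUBNET_PREFIX = 28  # ... down to /28

VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    # name:      (CIDR,           AZ,     tier)
    "public-a": ("10.0.0.0/24",  "AZ-a", "public"),
    "public-b": ("10.0.1.0/24",  "AZ-b", "public"),
    "app-a":    ("10.0.10.0/24", "AZ-a", "private"),
    "app-b":    ("10.0.11.0/24", "AZ-b", "private"),
    "db-a":     ("10.0.20.0/24", "AZ-a", "private"),
    "db-b":     ("10.0.21.0/24", "AZ-b", "private"),
}


def aws_reserved_addresses(cidr: str) -> dict:
    """The five addresses AWS takes out of every subnet, by role."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),
        "future_use": str(net[3]),
        "broadcast": str(net.broadcast_address),
    }


def aws_usable_hosts(cidr: str) -> int:
    """Usable addresses in an AWS subnet: total minus the five reserved."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, plan: dict) -> list:
    """Return a list of problems; an empty list means the plan is sound.

    Checks: each CIDR is a proper network address (strict=True rejects
    10.0.1.50/24), sits inside the VPC block, has an AWS-legal prefix
    length, and no two subnets overlap.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = {}
    for name, (cidr, _az, _tier) in plan.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network address ({exc})")
            continue
        nets[name] = net
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not within VPC {vpc_cidr}")
        if not AWS_LARGEST_SUBNET_PREFIX <= net.prefixlen <= AWS_SMALLEST_SUBNET_PREFIX:
            problems.append(f"{name}: /{net.prefixlen} is outside AWS's /16../28 subnet range")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


if __name__ == "__main__":
    for name, (cidr, az, tier) in SUBNET_PLAN.items():
        print(f"{name:<9} {cidr:<13} {az} {tier:<8} usable={aws_usable_hosts(cidr)}")
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN) or "none")
```

The plan above validates cleanly with 251 usable hosts per subnet. Swap in something like `10.0.0.128/25` next to `10.0.0.0/24` and the overlap is reported before anything is built.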
Private IP Ranges (RFC 1918)¶
These ranges are not routable on the public internet — used for internal networks:
| Range | CIDR | Typical Use |
|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | Large enterprise / VPCs |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | Medium networks |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | Home routers / small offices |
AWS default VPC uses 172.31.0.0/16.
Classful Addressing (Historical)¶
Before CIDR, IP addresses were divided into fixed classes:
| Class | Range | Default Mask | Hosts per Network |
|---|---|---|---|
| A | 1–126.x.x.x | /8 | ~16 million |
| B | 128–191.x.x.x | /16 | ~65,000 |
| C | 192–223.x.x.x | /24 | 254 |
| D | 224–239.x.x.x | Multicast | — |
Classful addressing was wasteful (a company needing 300 hosts had to take a whole Class B). CIDR replaced it with flexible prefix lengths.
Mental Model¶
- IP address = your street address
- Subnet mask = defines which part is the "suburb" and which is the "house number"
- CIDR /24 = "everyone on the same .x.x street"
- CIDR /16 = "everyone in the same .x suburb"
- Subnetting = drawing fences inside your land allocation to separate departments: public areas (reachable from outside) vs private areas (internal only)
Useful Tools¶
- subnetting.net — practice subnetting questions (good for SAA prep)
- cidr.xyz — visual CIDR calculator
SAA Patterns¶
| Scenario | Answer |
|---|---|
| VPC needs 1,000 EC2 instances | Use /22 or larger subnet |
| Subnet with exactly 14 hosts in AWS | /28 gives 11 usable — need /27 (27 usable) |
| Block of IPs not routable on internet | Use RFC 1918 range |
| Two VPCs need to peer — what to avoid? | Overlapping CIDR ranges (peering won't work) |
| Security Group rule for one specific IP | Use /32 |
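The first three rows of that table are each a small calculation. This added example, which is not code from the original notes, makes them explicit: picking the smallest AWS subnet that leaves enough usable hosts (with the 5 reserved addresses built in, so 14 hosts correctly lands on /27 rather than /28), the non-overlap check that VPC peering depends on, and an RFC 1918 membership test. The `/16` to `/28` bounds passed as defaults are AWS's subnet size limits; the `reserved=2` option is the textbook rule for comparison.

```python
import ipaddress

# Added example (not from the original notes): the sizing, peering and
# private-range checks behind the SAA patterns, with AWS's 5 reserved
# addresses per subnet built in.

AWS_RESERVED = 5
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def smallest_subnet_for(hosts_needed: int, reserved: int = AWS_RESERVED,
                        largest: int = 16, smallest: int = 28) -> int:
    """Longest prefix (smallest subnet) that still leaves hosts_needed usable
    addresses after `reserved` are taken out.

    Defaults are AWS's: 5 reserved per subnet, sizes between /16 and /28.
    Pass reserved=2 for the textbook network + broadcast rule.
    """
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    for prefix in range(smallest, largest - 1, -1):        # /28, /27, ... /16
        if (1 << (32 - prefix)) - reserved >= hosts_needed:
            return prefix
    raise ValueError(f"{hosts_needed} hosts will not fit in a single /{largest}")


def can_peer(vpc_a: str, vpc_b: str) -> bool:
    """VPC peering requires the two CIDR blocks not to overlap."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


def is_rfc1918(addr: str) -> bool:
    """True if the address sits in one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    print("1,000 EC2 instances ->", f"/{smallest_subnet_for(1000)}")
    print("14 hosts in AWS     ->", f"/{smallest_subnet_for(14)}")
    print("14 hosts, textbook  ->", f"/{smallest_subnet_for(14, reserved=2)}")
    print("peer 10.0.0.0/16 with 10.0.0.0/16?", can_peer("10.0.0.0/16", "10.0.0.0/16"))
    print("peer 10.0.0.0/16 with 172.31.0.0/16?", can_peer("10.0.0.0/16", "172.31.0.0/16"))
    print("172.31.0.5 private?", is_rfc1918("172.31.0.5"))
    print("172.32.0.1 private?", is_rfc1918("172.32.0.1"))
```

Note the `172.32.0.1` case: the 172 range is a `/12`, so only 172.16 through 172.31 are private, a detail the function gets right because it checks the CIDR rather than the first octet.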
Self-Quiz¶
- How many usable host addresses in a `/25` subnet?
- AWS reserves 5 addresses per subnet. In a `/28`, how many are usable?
- What is the network address and broadcast address of `192.168.5.0/27`?
- Why did CIDR replace classful addressing?
- You're designing a VPC for 3 tiers across 2 AZs. Sketch the CIDR plan.
- Two VPCs both use `10.0.0.0/16` — can you peer them? Why not?
- What does `/32` mean? When would you use it?
- What's the difference between a subnet mask and a CIDR prefix?