Choose from the Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

AWS recommends that you specify a CIDR block from the private (non-publicly routable) IP address ranges specified in RFC 1918, for example 10.0.0.0/16 or 192.168.0.0/16.

More details on private address assignment are available in RFC 1918.

Make sure the IP ranges used in different regions don’t overlap. You shouldn’t have 172.31.0.0/16 in both us-west and eu-ireland, for example: a VPN between those two regions would then be a problem, requiring double NAT to solve.

Subnet CIDR block

The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset of the CIDR block for the VPC (for multiple subnets). The allowed block size is between a /28 netmask and /16 netmask.
If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap.

Some tips:

  • Consider making a distinction between private and public subnets, e.g.
    • private 10.0.1.0/24 (3rd byte < 129)
    • public 10.0.129.0/24 (3rd byte > 128)
  • Don’t under-allocate CIDR blocks. If you use a load of Elastic Load Balancers, remember that they will also consume available IP addresses on your subnets. This is particularly true if you use Elastic Beanstalk.
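As an added example (not part of the original page), the following Python script checks a multi-region VPC plan against the rules above: VPC CIDRs must fall inside an RFC 1918 block, subnets must sit inside their VPC, be sized between /16 and /28, and not overlap each other, and VPC CIDRs in different regions must not overlap. It also applies the private/public third-byte convention from the tips. The region names and CIDRs in the sample plans are constructed.

```python
import ipaddress

# The three RFC 1918 blocks listed above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(plan):
    """plan maps region -> {"vpc": cidr, "subnets": [cidr, ...]}; returns a list of findings (empty means OK)."""
    findings = []
    vpcs = {}
    for region, spec in plan.items():
        vpc = ipaddress.ip_network(spec["vpc"])
        vpcs[region] = vpc
        if not any(vpc.subnet_of(r) for r in RFC1918):
            findings.append(f"{region}: VPC {vpc} is not in an RFC 1918 range")
        subnets = [ipaddress.ip_network(s) for s in spec["subnets"]]
        for s in subnets:
            if not s.subnet_of(vpc):
                findings.append(f"{region}: subnet {s} is outside VPC {vpc}")
            if not 16 <= s.prefixlen <= 28:  # allowed subnet size is /16 .. /28
                findings.append(f"{region}: subnet {s} size must be between /16 and /28")
        for i, a in enumerate(subnets):
            for b in subnets[i + 1:]:
                if a.overlaps(b):
                    findings.append(f"{region}: subnets {a} and {b} overlap")
    # VPC CIDRs in different regions must not overlap (otherwise a VPN needs double NAT).
    regions = list(vpcs)
    for i, r1 in enumerate(regions):
        for r2 in regions[i + 1:]:
            if vpcs[r1].overlaps(vpcs[r2]):
                findings.append(f"VPC CIDRs overlap between {r1} ({vpcs[r1]}) and {r2} ({vpcs[r2]})")
    return findings

def subnet_tier(cidr):
    """Convention from the tips: third octet < 129 is private, > 128 is public."""
    third = ipaddress.ip_network(cidr).network_address.packed[2]
    return "private" if third < 129 else "public"

# Constructed sample plans (not real deployments).
GOOD_PLAN = {
    "us-west": {"vpc": "10.0.0.0/16", "subnets": ["10.0.1.0/24", "10.0.129.0/24"]},
    "eu-ireland": {"vpc": "172.31.0.0/16", "subnets": ["172.31.0.0/20"]},
}
BAD_PLAN = {  # same /16 in both regions, a non-private VPC, a stray subnet, an overlap, a /30
    "us-west": {"vpc": "11.0.0.0/16", "subnets": ["11.0.0.0/24", "10.1.0.0/24", "11.0.0.128/25"]},
    "eu-ireland": {"vpc": "11.0.0.0/16", "subnets": ["11.0.0.0/30"]},
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "OK")
```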