Why Is the Default VPC CIDR /16? - IP Address Design Trivia and Common Pitfalls

Learn why the default VPC CIDR is set to /16, the history of RFC 1918 private address space, the 5 reserved IP addresses in each subnet, and common CIDR design mistakes.

RFC 1918 and the History of Private IP Addresses

To understand VPC CIDR design, you first need to know the history of RFC 1918. Published in 1996, RFC 1918 reserved three address ranges for private networks not directly connected to the internet: 10.0.0.0/8 (approximately 16.77 million addresses), 172.16.0.0/12 (approximately 1.04 million addresses), and 192.168.0.0/16 (approximately 65,000 addresses). These three ranges were reserved due to the rapid growth of the internet in the 1990s. The IPv4 address space contains only about 4.3 billion addresses, and it was clear that assigning a global IP address to every device would lead to exhaustion. By combining private addresses with NAT (Network Address Translation), many devices could be placed behind a single global IP address, mitigating address exhaustion. The default VPC CIDR of 10.0.0.0/16 is a /16 block carved out of the RFC 1918 10.0.0.0/8 range.

Why /16 - The Sweet Spot Between Too Large and Too Small

A /16 CIDR block contains 65,536 IP addresses. AWS chose /16 as the default because it provides sufficient IP address space for most workloads while still allowing 256 /16 blocks to be carved from the 10.0.0.0/8 range, striking a good balance. VPC CIDRs can range from /16 to /28. A /28 has 16 addresses (11 usable), making it the smallest VPC allowed. A /16 has 65,536 addresses and is both the default and the largest size allowed for a VPC's primary CIDR. In practice, /16 is overkill for many use cases. If you are running just 100 EC2 instances, a /24 (256 addresses) is more than enough. However, since VPC CIDRs cannot be shrunk after creation (only expanded), starting with a larger allocation is the safer choice. A /16 is a reasonable default that provides room for future growth. That said, in multi-VPC environments, handing out /16 blocks freely will quickly exhaust the 10.0.0.0/8 space. Because 10.0.0.0/8 holds only 256 /16 blocks, the space is gone after 256 such VPCs, so planned CIDR allocation is essential.

The 5 Reserved IP Addresses in Every Subnet

In VPC subnets, the first four and the last IP address of each subnet (five in total) are reserved by AWS and cannot be assigned to EC2 instances or other resources. For a /24 subnet (10.0.1.0/24): 10.0.1.0 is the network address, 10.0.1.1 is reserved for the VPC router, 10.0.1.2 is reserved for the DNS server, 10.0.1.3 is reserved by AWS for future use, and 10.0.1.255 is the broadcast address. This means that out of the 256 addresses in a /24 subnet, only 251 are actually usable. This "5 reserved addresses" rule has a proportionally larger impact on smaller subnets. In a /28 subnet (16 addresses), 5 are reserved, leaving only 11 usable, so about 31% of the subnet is unavailable. Even for resources like Lambda VPC connections or NAT Gateways that need only a few ENIs (Elastic Network Interfaces), a subnet of at least /28 is required. Designing subnets without knowing about these reserved addresses can lead to "not enough IP addresses" problems.

Common CIDR Design Mistakes

The most common CIDR design mistake is overlapping CIDRs. When connecting VPCs via VPC Peering or Transit Gateway, overlapping CIDRs between the connected VPCs make routing impossible. Using the default 10.0.0.0/16 for every VPC therefore means no VPC-to-VPC connectivity is possible. The same issue arises with on-premises connectivity (Direct Connect, Site-to-Site VPN). If your on-premises network uses 10.0.0.0/8, any VPC CIDR in the 10.x.x.x range will cause routing conflicts. In such cases, you need to use the 172.16.0.0/12 or 100.64.0.0/10 (CGN address space, RFC 6598) ranges for your VPCs. Another common mistake is over-fragmenting subnets. Creating many /24 subnets limits each to 251 IP addresses, which can lead to IP address exhaustion when Auto Scaling increases instance counts. Conversely, subnets that are too large use up the VPC's address space quickly and make it hard to distribute it evenly across AZs.
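As an added example (not code from the original article), the following Python script uses the standard `ipaddress` module to list the five AWS-reserved addresses of a subnet, compute usable host counts, and flag overlapping CIDRs in a planned set of VPC and on-premises ranges; the VPC names and ranges in the sample plan are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def aws_reserved_addresses(subnet: str) -> Dict[str, str]:
    """Return the five addresses AWS reserves in an IPv4 VPC subnet, keyed by role."""
    net = ipaddress.ip_network(subnet, strict=True)  # strict: reject host bits set
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet}: AWS IPv4 subnets must be between /16 and /28")
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet: str) -> int:
    """Addresses assignable to ENIs after AWS takes its five reserved ones."""
    return ipaddress.ip_network(subnet, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def reserved_fraction(subnet: str) -> float:
    """Share of the subnet lost to reservation (0.3125 for a /28)."""
    return AWS_RESERVED_PER_SUBNET / ipaddress.ip_network(subnet, strict=True).num_addresses


def find_overlaps(cidrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named CIDRs that overlap; any such pair cannot be peered or routed."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in cidrs.items()}
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    print(aws_reserved_addresses("10.0.1.0/24"))
    print(usable_hosts("10.0.1.0/24"), usable_hosts("10.0.1.0/28"))
    # Constructed plan: two VPCs left on the default CIDR plus an on-prem 10/8.
    plan = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.0.0.0/16",
            "on-prem": "10.0.0.0/8", "vpc-c": "172.16.0.0/16"}
    print(find_overlaps(plan))
```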

IPv6 and the Future of VPC

AWS has supported IPv6 in VPCs since 2016. IPv6 VPC CIDRs are /56, automatically assigned by AWS. With an address space of 2^128 (approximately 340 undecillion), IPv6 effectively eliminates the CIDR design challenges of IPv4. However, a full transition to IPv6 is still a long way off. Many enterprise on-premises networks are IPv4-only, and some AWS services do not yet fully support IPv6. The practical approach is to configure VPCs with dual-stack (IPv4 + IPv6) and gradually adopt IPv6 starting with new workloads. VPC CIDR design is critically important because once set, it is difficult to change (CIDRs can be added but not removed or modified). In multi-account, multi-region environments, using IPAM (IP Address Manager) to centrally manage the organization's entire IP address space is recommended.