Common questions about AWS VPC networking and our subnet calculator
A Virtual Private Cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch AWS resources, such as EC2 instances, into your VPC. You can specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.
A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet. Each subnet must reside entirely within one Availability Zone and cannot span zones.
CIDR (Classless Inter-Domain Routing) notation is a way to represent an IP address and its network mask. It consists of an IP address, followed by a slash, and then a number that represents the number of bits in the network mask. For example, 10.0.0.0/16 represents a network with 65,536 IP addresses, from 10.0.0.0 to 10.0.255.255.
The number of subnets depends on your specific requirements. A common practice is to create at least one public and one private subnet in each Availability Zone you plan to use. For example, if you're using three AZs, you might create six subnets: three public and three private. Additional subnets might be created for specific purposes like database tiers or isolated workloads.
A public subnet has a route to an Internet Gateway, allowing resources within it to directly access the internet. A private subnet does not have a direct route to the internet. Resources in a private subnet can access the internet via a NAT Gateway or NAT Instance located in a public subnet, which provides outbound internet access while preventing inbound connections from the internet.
When choosing a CIDR block for your VPC, consider your current and future needs. A /16 CIDR block (like 10.0.0.0/16) provides 65,536 IP addresses, which is sufficient for most organizations. If you anticipate needing more, you could use a /15 or /14. For smaller deployments, a /20 (4,096 IPs) or /24 (256 IPs) might be sufficient. Remember that you cannot change the size of your VPC CIDR block after creation, so it's better to allocate more than you currently need.
Yes, you can add secondary CIDR blocks to your VPC after creation. This allows you to expand your VPC's IP address range without having to recreate the VPC. However, there are some limitations: you can add up to 5 CIDR blocks per VPC, and the additional CIDR blocks cannot overlap with existing ones or with your on-premises network if you're using VPN or Direct Connect.
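As an added example (not the calculator this page describes, and not AWS code), the Python below carves a VPC CIDR into one public and one private subnet per Availability Zone as outlined above, checks the plan for containment and overlap, and applies the secondary-CIDR rules from the answer just given. The function names are my own; the five addresses AWS reserves in every subnet are an AWS rule not stated on this page.

```python
import ipaddress
from typing import List, Tuple

# AWS reserves the first four addresses (network, VPC router, DNS, future use)
# and the last (broadcast) in every subnet, so they can never be assigned.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses in an AWS subnet that can actually be assigned to resources."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, az_count: int, subnet_prefix: int) -> List[Tuple[str, str]]:
    """Carve the VPC into one public and one private subnet per AZ.

    Returns (role, cidr) pairs such as ("public-az0", "10.0.0.0/20") and
    raises ValueError when the VPC cannot hold 2 * az_count subnets.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    needed = 2 * az_count
    candidates = list(vpc.subnets(new_prefix=subnet_prefix))
    if len(candidates) < needed:
        raise ValueError(f"{vpc} yields {len(candidates)} /{subnet_prefix} subnets, need {needed}")
    plan = []
    for i in range(az_count):
        plan.append((f"public-az{i}", str(candidates[2 * i])))
        plan.append((f"private-az{i}", str(candidates[2 * i + 1])))
    return plan


def validate_plan(plan: List[Tuple[str, str]], vpc_cidr: str) -> bool:
    """True when every subnet lies inside the VPC and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for _, c in plan]
    if not all(n.subnet_of(vpc) for n in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def can_add_secondary_cidr(existing: List[str], candidate: str, on_prem: List[str] = []) -> bool:
    """Secondary CIDR rules from the FAQ: at most 5 blocks per VPC, and no
    overlap with existing VPC blocks or with on-premises ranges reached
    over VPN / Direct Connect."""
    if len(existing) >= 5:
        return False
    new = ipaddress.ip_network(candidate)
    return not any(new.overlaps(ipaddress.ip_network(c)) for c in list(existing) + list(on_prem))


if __name__ == "__main__":
    for role, cidr in plan_subnets("10.0.0.0/16", 3, 20):
        print(f"{role:12s} {cidr:16s} usable hosts: {usable_hosts(cidr)}")
```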
Our AWS Subnet Calculator simplifies the process of planning your VPC network by: