When designing your AWS VPC, one of the most important steps you’ll take is creating your CIDR Blocks.
What is a VPC?
A Virtual Private Cloud (VPC) is your private section of the AWS cloud, where you can launch resources in a logically isolated virtual network.
Other Important Concepts
Prior to understanding how CIDR Blocks work in VPCs, there are several terms we should define first:
IP Address
A numerical label assigned to resources in a VPC. In AWS, these can be private IPs (internal addressing) or Elastic IPs (static public addresses for internet-facing resources).
Subnet
A segmented portion of your VPC’s IP address range. In AWS, subnets are created within a specific Availability Zone and can be public (with route to internet gateway) or private.
Security Group
A virtual firewall at the instance level that controls inbound and outbound traffic using stateful rules. Acts like a whitelist - you specify only allowed traffic. Rules include source/destination, port, and protocol.
Access Control List (ACL)
A network-level firewall that operates at the subnet boundary. Unlike Security Groups, ACLs are stateless and require explicit inbound and outbound rules. Default ACL allows all traffic.
Internet Gateway
A horizontally scaled, redundant VPC component that allows communication between your VPC and the internet. Required for public subnets to access the internet and for internet users to access public resources.
NAT Gateway
Stateless, subnet-level firewall that functions as a numbered list of rules processed in order, from lowest to highest.
Using CIDR Blocks in VPCs
CIDR Blocks in AWS VPCs serve as the fundamental building blocks for your network architecture, starting at the VPC level where they define your entire network’s IP range.
Think of them as the blueprint for your virtual network- when you create a VPC, you assign it a CIDR Block (like 10.0.0.0/16) which determines how many IP addresses you’ll have available for all your resources.
From there, you divide this main CIDR Block into smaller chunks (subnets) across different Availability Zones, where each subnet gets its own smaller CIDR range (like 10.0.1.0/24) carved out from the main VPC CIDR.
These subnet CIDR Blocks are where your actual AWS resources like EC2 instances, databases, and load balancers live!
The Power of CIDR Blocks
The real power of CIDR Blocks comes into play when you’re designing your network’s connectivity and security. They’re used in route tables to determine where network traffic should go, in security groups and network ACLs to control which IP addresses can access which resources, and in VPC peering to connect different VPCs together.
For example, when you’re setting up security group rules, you might allow traffic only from specific CIDR ranges, like your corporate office network. Or when you’re configuring VPC peering between your production and development environments, you need to ensure their CIDR Blocks don’t overlap. This makes CIDR Blocks not just a technical requirement, but a crucial part of your network’s security and connectivity strategy.
How-to Determine Your CIDR Block Ranges
CIDR Blocks look almost like a standard IPv4 address with a prefix attached to the end.
Let’s look at a CIDR Block example: 192.168.100.0/22
Inside 192.168.100.0/22, we’ll want to know how many IP addresses we can use from this CIDR Block.
Calculating this follows a simple formula:
A /22 subnet mask gives us 32 - 22 = 10 bits for hosts.
2^10 = 1,024 total IP addresses
Furthermore, our CIDR block, 192.168.100.0/22, will include:
Start: 192.168.100.0
End: 192.168.103.255
This block covers 192.168.100.x, 192.168.101.x, 192.168.102.x, and 192.168.103.x.
And lastly, AWS reserves 5 IP addresses in each subnet:
.0: Network address
.1: Reserved by AWS for the VPC router
.2: Reserved by AWS for DNS
.3: Reserved by AWS for future use
.255: Broadcast address
So instead of 1,024 total IP addresses, we actually will only have:
Available IPs: 1,024 - 5 = 1,019 usable IP addresses
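The host-bit math above, the five-address AWS reservation, and the non-overlap requirement for subnets and VPC peering, as an added worked example (not code from the original article). The function and variable names are my own; the sample VPC and subnet ranges are constructed for illustration.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast), as listed in the article.
AWS_RESERVED_PER_SUBNET = 5
# Smallest subnet AWS allows (the article's "Minimum AWS Subnet Size").
AWS_MIN_SUBNET_PREFIX = 28


def cidr_summary(cidr: str) -> dict:
    """Host bits, total and AWS-usable addresses, range and reserved IPs for one IPv4 CIDR."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    host_bits = 32 - net.prefixlen
    total = 2 ** host_bits
    reserved = [str(net.network_address + i) for i in range(4)] + [str(net.broadcast_address)]
    return {
        "host_bits": host_bits,
        "total": total,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "reserved": reserved,
        "usable": total - AWS_RESERVED_PER_SUBNET,
    }


def validate_subnets(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Return a list of problems with a subnet layout; an empty list means it is valid."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    subnets = [ipaddress.IPv4Network(s) for s in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):  # every subnet must be carved out of the VPC block
            problems.append(f"{s} is not inside VPC {vpc}")
        if s.prefixlen > AWS_MIN_SUBNET_PREFIX:  # /29 and smaller are rejected by AWS
            problems.append(f"{s} is smaller than the AWS minimum /{AWS_MIN_SUBNET_PREFIX}")
    for i, a in enumerate(subnets):  # no two subnets may share addresses
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def can_peer(vpc_a: str, vpc_b: str) -> bool:
    """VPC peering requires that the two VPC CIDR blocks do not overlap."""
    return not ipaddress.IPv4Network(vpc_a).overlaps(ipaddress.IPv4Network(vpc_b))


if __name__ == "__main__":
    print(cidr_summary("192.168.100.0/22"))  # constructed example from the article
    print(validate_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.0.9.0/29"]))
    print(can_peer("10.0.0.0/16", "10.0.5.0/24"))
```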
Apartment Building Analogy - CIDR Blocks
I’ve always understood concepts when they are made dynamic through real-world examples or analogies.
Let’s try to look at an apartment building as an analogy for understanding CIDR Blocks and the terms we just covered.
Think of a CIDR Block like an apartment building with a specific numbering system:
The building (VPC) has a base address (i.e. 10.0.0.0)
The CIDR notation (/16, /24, etc.) is like specifying how many floors and apartments are available.
A /16 is like having 16 floors with many apartments (65,536 IP addresses).
A /24 is like having fewer floors with fewer apartments (256 IP addresses).
Just as apartments can’t overlap between buildings, CIDR Blocks can’t overlap in VPCs.
Subnets are like sections of the building, each with their own range of apartment numbers.
Apartment Building Analogy - Subnets
Let’s extend the apartment building analogy to explore subnets in more detail.
Each subnet can be thought of as a wing or section of the building with its own reserved block of apartment numbers. For example:
Wing A (/24): Apartments 10.0.1.0 - 10.0.1.255
Wing B (/24): Apartments 10.0.2.0 - 10.0.2.255
Wing C (/24): Apartments 10.0.3.0 - 10.0.3.255
Just as each wing might serve different purposes (residential, office, retail), each subnet can have different routing rules and security groups.
And just as you can’t assign the same apartment number to multiple units, you can’t assign the same IP address in multiple subnets.
How many CIDR Blocks can I use per VPC?
AWS allows you to set one Primary CIDR Block and four Secondary CIDR Blocks. This can be particularly useful if all the IP addresses within a CIDR Block are taken.
CIDR Block Planning & Best Practices
Some best practices for planning out your CIDR Blocks include:
Always start with a larger CIDR Block than currently needed.
Consider your entire network architecture, including on-prem.
Reserve IP ranges for different environments.
Document your CIDR allocations to prevent future conflicts.
Common CIDR Block Sizes
Consider the following CIDR Block sizes based on the size of your application:
Large Deployments - /16: 65,536 IP addresses
Medium Deployments - /20: 4,096 IP addresses
Small Deployments - /24: 256 IP addresses
Minimum AWS Subnet Size - /28: 16 IP addresses
Real-World Impact of CIDR Block Decisions
Imagine building a city without properly planning its roads, neighborhoods, and districts. That’s exactly what deploying a VPC without understanding CIDR blocks is like. Your CIDR block choices directly impact your organization’s ability to:
Scale operations smoothly
Maintain security
Connect with other networks
Support future growth
Avoid costly network redesigns
This planning becomes even more critical as organizations embrace hybrid cloud architectures and complex networking requirements.
Just as a city planner must consider future population growth, traffic patterns, and neighborhood connectivity, cloud architects must carefully design their CIDR Blocks to accommodate future expansion, maintain security boundaries, and ensure seamless communication between different parts of the infrastructure.