Making Sense of AWS CIDRs and Subnets
Subnets are used for many AWS tasks (like creating an EC2 VM), so Brien Posey sheds some light on common errors to end some of the frustration around subnetting.
There are any number of tasks within AWS that require the use of subnets. For example, you can't create an EC2 virtual machine (VM) without first defining a subnet within which the VM will operate. Even so, the task of creating a subnet in AWS can be anything but straightforward. Those who are new to AWS are often plagued by error messages stating that the "CIDR address is not within the CIDR address from VPC" or that your "CIDR address overlaps with the existing subnet CIDR." In this post, I want to try to shed some light on these errors and end some of the frustration around subnetting.
Before I get into a discussion of subnetting, I need to first talk about Virtual Private Clouds (VPCs). A VPC is essentially just a virtual network. It is isolated from resources located on other VPCs that you might create. When you create a VPC, you create it within a specific region. The VPC can service all of the availability zones within the region, but it cannot extend to other regions.
When you create a VPC, AWS asks you to associate a CIDR block with the VPC. CIDR is an acronym that stands for Classless Inter-Domain Routing. In simpler terms, a CIDR block is an IP address range. A VPC can accommodate two CIDR blocks, one for IPv4 and another for IPv6, but for the sake of simplicity I am going to limit my discussion to IPv4.
When you create a CIDR block, you must enter it as an IP address range. In the case of an IPv4 CIDR, this means entering a network prefix and a subnet mask. The subnet mask determines how many IP addresses can be created from the CIDR block. Amazon requires that a CIDR block include a subnet mask ranging from 16 to 28. The two most commonly used subnet sizes are 16 bits and 24 bits.
If you were to create a CIDR block with a 16-bit subnet, then the network portion of the IP address would contain two eight-bit numbers, followed by two zeros, each separated by periods. Here is an example of a CIDR block with a 16-bit subnet: 10.10.0.0/16. This block would allow for the creation of up to 65,536 IP addresses. Each address would start with 10.10, but you can enter any value between 0 and 255 into the last two positions.
A CIDR block with a 24-bit address would contain three eight-bit numbers, followed by a single 0. Here is an example of what such a block would look like: 10.10.10.0/24. This block could accommodate up to 256 IP addresses. The first three octets (10.10.10) would be common to each address, but the last digit can be populated with a number ranging between 0 and 255.
The key to understanding the way that subnetting works in AWS is to keep in mind that when you create a CIDR block, you are not actually creating any subnets. Subnets have to be created separately and must fall within the range of the CIDR block. It's perfectly acceptable to create a single subnet that consumes the entire CIDR block, but you also have the option of dividing the block into multiple subnets as is often done with very large CIDR blocks.
So now that I have explained the basics, let's go ahead and create a VPC and its corresponding CIDR block. Then I will show you how to create a subnet within the block.
To get started, open the VPC service, and click on Your VPC, followed by Create VPC. This will take you to the screen shown in Figure 1.
As you can see in the figure, there are only two things that you absolutely have to do when creating a VPC. You must give the VPC a name and you have to create a CIDR block. If you are completely lost and don't quite understand the concept of CIDR blocks, you can always follow the example shown in the figure and create a block using 10.0.0.0/24. That would create an address range of 256 addresses. For the sake of demonstration however, I am going to create a CIDR of 10.10.0.0/16. You can see my CIDR block in Figure 2. You can see the completed VPC in Figure 3.
Now it's time to create a subnet. To do so, go to the VPC Dashboard and click Subnets. When the Subnets screen appears, click Create Subnet.
The Create Subnet screen requires you to select your VPC and then enter a name for the subnet that you want to create. You also have the option of associating the subnet with an availability zone. You will also need to enter a CIDR block. Assuming that you want to use the entire address space, just enter the same CIDR block that you did when you created the VPC. You can of course sub-divide the address space into multiple subnets if you like. In my case, I am creating a subnet that consumes the entire address space, as shown in Figure 4.
When you are done, click the Create Subnet button and your subnet will be created and ready for use, as shown in Figure 5.
Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.