
I know this topic has a lot of information all over, but I can't find an answer to a simple question.

I am willing to have a subnet for each availability zone in my region (3 zones). My VPC CIDR is 10.0.0.0/19 and I want each subnet to have same amount of IPs. My question is what is the CIDR Block I should assign for each subnet?

guystart
  • I'm voting to close this question as off-topic because it does not appear to be about programming within the scope defined in the [help center](http://stackoverflow.com/help/on-topic). – Matt Nov 25 '16 at 11:00

1 Answer


10.0.0.0/19 has 8,192 IP addresses, from 10.0.0.0 through 10.0.31.255

When dividing up a supernet into subnets of equal size, you can only divide by powers of two -- 2, 4, 8, 16, etc., so this block can't be divided into 3 blocks of equal size, but it can be divided into 4.

10.0.0.0/21 has 2,048 addresses
10.0.8.0/21 has 2,048 addresses
10.0.16.0/21 has 2,048 addresses
10.0.24.0/21 has 2,048 addresses

Since you only need three of these, you could simply reserve one of them for use in a 4th availability zone if you are given access to one (some accounts do have access to more than 3 availability zones in at least one region) or for other purposes.

However, even though you may not realize it yet, you probably need at least two subnets in each availability zone in each VPC. Typically, your instances go on private subnets, but NAT Gateways or Instances and Elastic Load Balancers need to be in public subnets. See Why do we need private subnets in VPC? for more detail on how this works.

So, you probably need at least 6 blocks. Again, you can't make 6 even-sized blocks, but you can make 8, and stash the two leftovers away.

10.0.0.0/22 has 1,024 addresses
10.0.4.0/22 has 1,024 addresses
10.0.8.0/22 has 1,024 addresses
10.0.12.0/22 has 1,024 addresses
10.0.16.0/22 has 1,024 addresses
10.0.20.0/22 has 1,024 addresses
10.0.24.0/22 has 1,024 addresses
10.0.28.0/22 has 1,024 addresses

Another important factor in VPC is that you do not need to worry about the subnet a machine is on if it is communicating with another machine in the same availability zone. There is no difference in performance within an availability zone whether the two communicating instances are on the same subnet or not... so it may make sense to use even smaller subnets than these, or variable length subnet masks, and segregate your machines for administrative convenience.

Michael - sqlbot
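As an added illustration (not part of the answer above), the following Python script applies the power-of-two rule to any VPC CIDR and required subnet count, and verifies the resulting plan. It assumes two AWS constraints: subnet prefixes must be between /16 and /28, and AWS reserves 5 addresses in every subnet (the first four and the last).

```python
import ipaddress

# AWS reserves the network address, three addresses after it (VPC router,
# DNS, future use) and the broadcast address in every subnet.
AWS_RESERVED_PER_SUBNET = 5
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28  # AWS-allowed subnet sizes


def plan_equal_subnets(vpc_cidr, needed):
    """Split vpc_cidr into the smallest power-of-two number of equal subnets
    that is >= needed. Returns (list_of_subnets, spare_count)."""
    if needed < 1:
        raise ValueError("need at least one subnet")
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    # Round the requested count up to a power of two: 3 -> 4, 6 -> 8.
    extra_bits = (needed - 1).bit_length()
    count = 1 << extra_bits
    new_prefix = vpc.prefixlen + extra_bits
    if not AWS_MIN_PREFIX <= new_prefix <= AWS_MAX_PREFIX:
        raise ValueError(f"/{new_prefix} is outside the AWS range "
                         f"/{AWS_MIN_PREFIX}-/{AWS_MAX_PREFIX}")
    subnets = list(vpc.subnets(new_prefix=new_prefix))
    return subnets, count - needed


def usable_hosts(subnet):
    """Addresses actually assignable to instances after AWS reservations."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_is_valid(vpc_cidr, subnets):
    """Every subnet lies inside the VPC and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    for i, a in enumerate(subnets):
        if not a.subnet_of(vpc):
            return False
        if any(a.overlaps(b) for b in subnets[i + 1:]):
            return False
    return True


if __name__ == "__main__":
    # Example from the question: a /19 VPC, one subnet per zone in 3 zones,
    # then the suggested public+private layout (6 subnets).
    for needed in (3, 6):
        subnets, spare = plan_equal_subnets("10.0.0.0/19", needed)
        print(f"{needed} needed -> {len(subnets)} x /{subnets[0].prefixlen}, "
              f"{spare} spare, {usable_hosts(subnets[0])} usable hosts each")
        for s in subnets:
            print("  ", s)
```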
  • Thanks @Michael-sqlbot. Let's consider I set public IP for each instance, then I need only one subnet for each zone right? In addition, what's the downside for setting public ip for each instance? – guystart Nov 13 '16 at 14:36
  • It's really not a good practice. You increase your potential attack surface area exponentially and entirely unnecessarily, you're wasting IPv4 addresses (a scarce resource), your machines won't have *static* public addresses, they're dynamic, unless you request AWS support increase your default allowance of 5 static public ("elastic") IP addresses per region, which requires that you justify your use case. It might seem simpler now, but as you learn more about AWS, you'll inevitably see the issues more clearly and then have a lot of work to undo. – Michael - sqlbot Nov 13 '16 at 14:51