AWS Reserved IPs: Why Every Subnet Loses 5 Addresses

When you create a subnet in an AWS VPC, you do not get all the IP addresses the CIDR block contains. AWS reserves five addresses in every subnet for its own use. A /28 subnet with 16 addresses only yields 11 for your instances. Plan without knowing this and you will hit address exhaustion unexpectedly.

The Five Reserved Addresses

For a subnet of 10.0.1.0/24, the five reserved addresses are:

• 10.0.1.0 — Network address (not usable, as with all IPv4 subnets)
• 10.0.1.1 — VPC router
• 10.0.1.2 — Reserved for Amazon DNS (always the VPC base CIDR + 2)
• 10.0.1.3 — Reserved by AWS for future use
• 10.0.1.255 — Broadcast address (AWS does not support broadcast, but the address is reserved)

Why AWS Reserves These Addresses

The first and last addresses follow standard IPv4 conventions — they are the network address and broadcast address of any CIDR block. The VPC router at .1 is the gateway your instances use to reach other subnets and the internet. The DNS resolver at .2 is the Route 53 Resolver that answers DNS queries from within the VPC. The .3 reservation is AWS future-proofing: they keep it in case a new service needs a well-known address in every subnet.

Calculating Usable Addresses

Take the total IP count for your CIDR prefix and subtract 5:

• /24 — 256 total, 251 usable in AWS
• /25 — 128 total, 123 usable in AWS
• /26 — 64 total, 59 usable in AWS
• /27 — 32 total, 27 usable in AWS
• /28 — 16 total, 11 usable in AWS

Practical Sizing Guidance

For production workloads, size your subnets with significant headroom. A /24 per Availability Zone is a common default — 251 usable IPs gives plenty of room for EC2 instances, Lambda ENIs, RDS, and ELB addresses. For dedicated workloads like a small EKS node group, a /22 (1,019 usable) may be more appropriate to support pod-level networking. See the full AWS VPC subnetting guide and browse live AWS IP ranges for current allocation patterns.