The Three Private IP Ranges Every Network Engineer Should Know
RFC 1918 defines three address blocks reserved for private networks: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Here's when to use each and why they exist.
Every device on your home network, every server in a corporate data centre, and every container in a Kubernetes cluster uses a private IP address. These addresses come from three specific ranges defined in RFC 1918, published in 1996. They are not routable on the public internet — which is precisely the point.
The Three RFC 1918 Ranges
RFC 1918 reserves three blocks of IPv4 address space for private use:
10.0.0.0/8— 16,777,216 addresses (Class A equivalent)172.16.0.0/12— 1,048,576 addresses (Class B equivalent range)192.168.0.0/16— 65,536 addresses (Class C equivalent)
Routers on the public internet drop packets destined for these addresses, ensuring they never leak beyond the private network boundary.
The 10.0.0.0/8 Range — Large Enterprises and Cloud VPCs
With over 16 million addresses, the 10.0.0.0/8 range is the choice for organisations that need room to grow. AWS recommends CIDR blocks within 10.0.0.0/8 for VPCs because it gives you the most flexibility for subnetting. A typical enterprise might use 10.0.0.0/8 as the corporate supernet and carve out 10.x.0.0/16 blocks per region or business unit.
The 172.16.0.0/12 Range — A Misunderstood Middle Ground
The 172.16.0.0/12 range covers addresses from 172.16.0.0 to 172.31.255.255 — a total of 16 Class B networks. Docker uses this range by default for its container networks. Because many people forget this range is private, it occasionally causes confusion when traffic to a 172.x.x.x address fails because the host has no route to it.
The 192.168.0.0/16 Range — Home Networks and Small Offices
The most familiar private range. Your home router almost certainly uses a subnet from 192.168.0.0/16 — usually 192.168.0.0/24 or 192.168.1.0/24, giving you 254 usable host addresses. This range is defined down to individual /24 subnets, making it simple to configure without subnetting expertise.
How NAT Enables Private Addresses
Private addresses work because of Network Address Translation (NAT). Your router maintains a translation table that maps each internal private address and port to your single public IP address. Outbound packets have their source address rewritten to the public IP; return traffic is translated back to the correct private host. Without NAT, billions of devices could not share the limited IPv4 address space.
Choosing the Right Range
For a home or small office: use 192.168.x.x. For cloud infrastructure or a large enterprise: use 10.x.x.x. Avoid 172.16.0.0/12 unless you have a specific reason — its boundaries are non-obvious and it is already claimed by Docker. Whatever you choose, use the CIDR calculator to verify the exact address range before committing. See also our private IP ranges guide for more depth on RFC 1918 design choices.