What Is a /32 Host Route and When Should You Use It?

A /32 CIDR block contains exactly one IP address. It is used in firewall rules targeting a single host, BGP loopback advertisements, and AWS security group allowlists for individual IPs.

The /32 prefix length is the maximum possible in IPv4 — it sets all 32 bits as the network portion, leaving zero bits for hosts. The result is a CIDR block that contains exactly one IP address. See the /32 subnet reference for the maths, or enter any IP address into the CIDR calculator to see its /32 representation.

How /32 Works Mathematically

A /32 subnet mask is 255.255.255.255, which is all ones. When you AND any IP address with this mask, you get the address itself, unchanged. The network address, the broadcast address, and the only host address are therefore all the same address. 203.0.113.42/32 is simply a notation for the single address 203.0.113.42.

Firewall Rules and Security Groups

The most common use of /32 is in firewall rules where you want to permit or deny traffic from a single specific IP. An AWS security group rule allowing SSH from 203.0.113.42/32 allows only that one IP address — not a subnet, not a range. This is the minimum-privilege approach for administrative access. Any developer machine or bastion host requiring direct access should be specified as a /32, never as a broader range.

BGP Loopback Advertisements

In BGP routing, routers advertise their loopback interface addresses as /32 routes. Loopback addresses are not tied to a physical interface, so they remain stable even if individual links go down. Advertising a /32 tells neighbouring routers "this specific IP is reachable via me" without implying anything about the surrounding subnet.

AWS Elastic IPs and NAT Gateways

When you allocate an Elastic IP in AWS, you can add it to a security group rule as a /32 to allow traffic from that specific address. Similarly, if you know your application will always connect through a NAT Gateway with a fixed EIP, you can allowlist precisely that EIP on the receiving end using a /32 rule — a much tighter rule than allowing the entire VPC CIDR.

Bare IP Addresses vs /32 Notation

Most networking tools accept either form: 203.0.113.42 and 203.0.113.42/32 are equivalent in practice. Some tools — particularly cloud provider APIs and Terraform — require the /32 notation explicitly. The CIDR calculator accepts bare IP addresses and automatically treats them as /32 for calculation purposes.
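
The following is an added example, not part of the original article: it shows the mask arithmetic from "How /32 Works Mathematically", the bare-IP-to-/32 normalisation described above, and a check that flags administrative rules wider than a single host. The rule dictionary format, the ADMIN_PORTS set and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}  # assumption: ports treated as administrative access

# Constructed sample rules (illustrative only, not from a real environment).
SAMPLE_RULES = [
    {"port": 22, "source": "203.0.113.42/32"},   # single host, explicit /32
    {"port": 22, "source": "203.0.113.42"},      # bare IP, equivalent to /32
    {"port": 22, "source": "203.0.113.0/24"},    # whole subnet
    {"port": 3389, "source": "0.0.0.0/0"},       # entire IPv4 space
    {"port": 22, "source": "203.0.113.42/24"},   # host bits set: ambiguous intent
    {"port": 443, "source": "0.0.0.0/0"},        # not an admin port, out of scope
]

def masked(ip, prefix):
    """AND an IPv4 address with the mask for the given prefix length."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))

def normalize_source(source):
    """Return canonical CIDR text; a bare IPv4 address becomes a /32."""
    return str(ipaddress.ip_network(source, strict=True))

def audit(rules):
    """Return (index, source, reason) for admin-port rules wider than one host."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["port"] not in ADMIN_PORTS:
            continue
        try:
            net = ipaddress.ip_network(rule["source"], strict=True)
        except ValueError as exc:
            # e.g. 203.0.113.42/24: the author may have meant /32 or the /24
            findings.append((i, rule["source"], f"invalid: {exc}"))
            continue
        if net.prefixlen != net.max_prefixlen:
            findings.append((i, str(net), f"{net.num_addresses} addresses allowed"))
    return findings

if __name__ == "__main__":
    print(masked("203.0.113.42", 32), masked("203.0.113.42", 24))
    print(normalize_source("203.0.113.42"))
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Comparing against max_prefixlen rather than a literal 32 means the same check treats an IPv6 /128 as a single host, which goes slightly beyond the IPv4 case the article covers.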