AWS VPC Subnetting Guide

How to design subnets within an AWS VPC: public vs. private subnets, per-AZ sizing, reserved IPs, and common patterns for web, app, and database tiers.

AWS VPC subnet fundamentals

  • Subnets live in a single Availability Zone (AZ). For HA, deploy across 2–3 AZs.
  • A public subnet has a route to an Internet Gateway (IGW). Instances can have public IPs.
  • A private subnet has no IGW route. Outbound internet access goes through a NAT Gateway in a public subnet.
  • AWS reserves 5 IPs per subnet (see note below).
  • Subnet CIDR must be within the VPC CIDR and cannot overlap with other subnets.

AWS reserved IPs (the 5-IP rule)

For every subnet, AWS reserves these 5 addresses (shown here for a 10.0.0.0/24 subnet; the same positions apply to any subnet):

Address      Purpose
10.0.0.0     Network address (cannot be assigned)
10.0.0.1     VPC router
10.0.0.2     AWS-provided DNS server
10.0.0.3     Reserved for future use
10.0.0.255   Broadcast address (VPCs do not support broadcast, but reserved)

Result: a /24 subnet has 256 − 5 = 251 usable IPs in AWS, not 254.

Recommended subnet sizes

Prefix   Total IPs   Usable in AWS   Best for
/20      4,096       4,091           Large EKS node groups, big compute clusters
/22      1,024       1,019           Medium app tier with ~500 services
/24      256         251             Standard tier subnet (most common)
/26      64          59              Small per-service or per-component subnet
/27      32          27              Management or transit subnet
/28      16          11              NAT Gateway, VPC endpoint, transit attachment

Subnet tiers pattern

A well-designed VPC separates resources into tiers with distinct access patterns:

Public Tier

Internet-facing resources: Application Load Balancers, NAT Gateways, bastion hosts. Keep small — use /24 or /26.

Private Tier

Application servers, ECS/EKS nodes, Lambda in VPC. Use /24 or /22 to handle autoscaling.

Intra (Database) Tier

RDS, ElastiCache, OpenSearch. No outbound internet needed. /24 or /26 is fine.

Management Tier

VPC endpoints, Transit Gateway attachments. Use dedicated /28 subnets per AZ.

Frequently Asked Questions

How many IPs does AWS reserve per subnet?

AWS reserves 5 IP addresses per subnet: the network address, the VPC router (.1), the AWS DNS server (.2), a future-use address (.3), and the broadcast address. A /24 has 251 usable IPs in AWS — not 254.

What is the difference between a public and private subnet in AWS?

A public subnet has a route to an Internet Gateway, enabling instances to have public IPs and communicate directly with the internet. A private subnet has no IGW route — outbound internet traffic routes through a NAT Gateway in a public subnet. Application and database servers belong in private subnets.

What CIDR should I use for my AWS VPC?

Use a /16 from the 10.0.0.0/8 range for the VPC, which gives 65,536 IPs to distribute across subnets. Plan for 3 AZs × 3 tiers (public, private, intra) = at least 9 subnets. A common pattern is /24 subnets for the application tiers and /28 subnets for management resources (NAT Gateway, VPC endpoints).
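A small planner, added here as an example (not code from this guide's author or from any AWS tooling), that carves a VPC CIDR into one subnet per tier and AZ as described in the sizing table and this FAQ, computes usable addresses with the 5-IP rule, and checks that every subnet is inside the VPC and that none overlap. The tier-to-prefix map and the AZ names are constructed; the planner generalizes to any AZ count and tier set and raises an error when the VPC CIDR is too small.

```python
import ipaddress
from itertools import combinations

# AWS reserves five addresses per subnet: network address, VPC router (.1),
# DNS server (.2), future use (.3) and the last (broadcast) address.
AWS_RESERVED_PER_SUBNET = 5

# Constructed tier plan (tier name -> prefix length) following the guide:
# /24 for the public, private and intra tiers, /28 for management subnets.
TIER_PREFIXES = {"public": 24, "private": 24, "intra": 24, "management": 28}


def usable_ips(subnet):
    """Host addresses left after AWS's five reserved ones (a /24 gives 251)."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def reserved_addresses(subnet):
    """The five addresses AWS reserves in this subnet, as strings."""
    first = int(subnet.network_address)
    low_four = [str(ipaddress.IPv4Address(first + i)) for i in range(4)]
    return low_four + [str(subnet.broadcast_address)]


def plan_subnets(vpc_cidr, azs, tiers):
    """Carve the VPC into one subnet per (tier, AZ) -> {(tier, az): network}.
    Raises ValueError if the VPC runs out of space (undersized VPC CIDR)."""
    free = [ipaddress.ip_network(vpc_cidr)]  # blocks not yet handed out
    plan = {}
    # Shortest prefix (largest subnet) first so the /28s fill leftover gaps.
    for tier, prefix in sorted(tiers.items(), key=lambda item: item[1]):
        for az in azs:
            free.sort(key=lambda n: int(n.network_address))
            block = next((b for b in free if b.prefixlen <= prefix), None)
            if block is None:
                raise ValueError(f"{vpc_cidr}: no room for /{prefix} ({tier}, AZ {az})")
            chosen = block if block.prefixlen == prefix else next(block.subnets(new_prefix=prefix))
            free.remove(block)
            free.extend(block.address_exclude(chosen))  # keep the unused remainder
            plan[(tier, az)] = chosen
    return plan


def validate_plan(vpc_cidr, plan):
    """True when every subnet is inside the VPC CIDR and no two overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = list(plan.values())
    inside = all(s.subnet_of(vpc) for s in subnets)
    return inside and not any(a.overlaps(b) for a, b in combinations(subnets, 2))
```

With a 10.0.0.0/16 VPC and AZs a, b, c this yields 10.0.0.0/24 through 10.0.8.0/24 for the three /24 tiers and 10.0.9.0/28, 10.0.9.16/28, 10.0.9.32/28 for management, leaving the rest of the /16 free for growth.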