
How to Choose a CIDR Block for Your AWS VPC

Guidance on picking the right VPC CIDR, avoiding conflicts with on-premises networks, sizing subnets per AZ, and planning for growth.

AWS VPC CIDR constraints

Before picking a CIDR, understand AWS's limits:

  • VPC CIDR must be between /16 (65,536 IPs) and /28 (16 IPs).
  • AWS reserves 5 IPs per subnet: .0 (network), .1 (router), .2 (DNS), .3 (future use), and the last address of the subnet (broadcast; .255 in a /24).
  • You can add up to 5 secondary CIDR blocks per VPC (useful to expand later).
  • VPC CIDR cannot be changed after creation — choose carefully.
  • Overlapping CIDRs between peered VPCs or with on-premises networks will prevent connectivity.

Recommended CIDR choices

✓ Best choice for most VPCs

Use a /16 from the 10.0.0.0/8 range.

Each /16 gives 65,536 IPs. With a /8 supernet, you can have 256 distinct /16 VPCs before running out — perfect for multi-account AWS organizations.

⚠ Avoid these
  • 192.168.x.x — conflicts with most home networks over VPN
  • 172.17.0.0/16 — Docker's default bridge network
  • 172.31.0.0/16 — AWS default VPC (already in use)
  • 10.0.0.0/16 — overused; pick a less common 10.x.x.x/16

Subnet sizing per AZ

A typical layout for a 3-AZ VPC with public, private and intra (database) tiers in each AZ, starting from 10.0.0.0/16:

Subnet        CIDR           AZ           Tier                     Usable IPs
Public AZ-a   10.0.0.0/24    us-east-1a   Public (NAT GW, ALB)     251
Public AZ-b   10.0.1.0/24    us-east-1b   Public                   251
Public AZ-c   10.0.2.0/24    us-east-1c   Public                   251
Private AZ-a  10.0.10.0/24   us-east-1a   App / ECS / EKS nodes    251
Private AZ-b  10.0.11.0/24   us-east-1b   App                      251
Private AZ-c  10.0.12.0/24   us-east-1c   App                      251
Intra AZ-a    10.0.20.0/24   us-east-1a   RDS, ElastiCache         251
Intra AZ-b    10.0.21.0/24   us-east-1b   RDS, ElastiCache         251
Intra AZ-c    10.0.22.0/24   us-east-1c   RDS, ElastiCache         251

251 usable = 256 − 5 reserved AWS IPs per subnet.
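A small planner that applies the rules above with Python's standard ipaddress module, added here as an example and not code from the original page: it rejects CIDRs outside /16 to /28, flags overlaps with the ranges listed under "Avoid these" plus an assumed on-premises network reached over VPN, and carves the 3-AZ, 3-tier /24 layout from the table (public at x.x.0-2, private at x.x.10-12, intra at x.x.20-22) while subtracting the 5 reserved addresses. The VPC CIDR, AZ names and on-premises range are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inputs (not from the page): a candidate VPC CIDR, the ranges the
# page says to avoid, and an assumed on-premises network reached over VPN.
VPC_CIDR = "10.42.0.0/16"
OTHER_NETWORKS: Dict[str, str] = {
    "home networks over VPN": "192.168.0.0/16",
    "Docker default bridge": "172.17.0.0/16",
    "AWS default VPC": "172.31.0.0/16",
    "on-prem datacenter (assumed)": "10.42.0.0/22",  # deliberately overlaps VPC_CIDR
}
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]
TIERS = ["public", "private", "intra"]
AWS_RESERVED_PER_SUBNET = 5  # .0 network, .1 router, .2 DNS, .3 future, last = broadcast


def validate_vpc_cidr(vpc_cidr: str) -> ipaddress.IPv4Network:
    """Reject anything outside the /16 to /28 range AWS permits for a VPC."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"{vpc_cidr}: VPC CIDR must be between /16 and /28")
    return vpc


def find_overlaps(vpc_cidr: str, others: Dict[str, str]) -> List[str]:
    """Names of every network overlapping the VPC CIDR; each one breaks peering or VPN routing."""
    vpc = validate_vpc_cidr(vpc_cidr)
    return [name for name, cidr in others.items()
            if vpc.overlaps(ipaddress.ip_network(cidr))]


def usable_ips(subnet: ipaddress.IPv4Network) -> int:
    """Addresses assignable to hosts once AWS takes its five reserved ones."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: List[str], tiers: List[str], new_prefix: int = 24,
                 tier_stride: int = 10) -> Dict[Tuple[str, str], ipaddress.IPv4Network]:
    """Carve one subnet per (tier, AZ) in the table's layout: tier t, AZ i -> block t*stride + i.
    For a /16 VPC cut into /24s the block index is the third octet (x.x.0, x.x.10, x.x.20)."""
    vpc = validate_vpc_cidr(vpc_cidr)
    blocks = list(vpc.subnets(new_prefix=new_prefix))
    return {(tier, az): blocks[t * tier_stride + i]
            for t, tier in enumerate(tiers) for i, az in enumerate(azs)}


if __name__ == "__main__":
    print("overlaps with", VPC_CIDR, "->", find_overlaps(VPC_CIDR, OTHER_NETWORKS))
    for (tier, az), net in plan_subnets(VPC_CIDR, AZS, TIERS).items():
        print(f"{tier:8} {az:11} {net}  usable={usable_ips(net)}")
```

Run it before creating the VPC; any name returned by find_overlaps means that peer or VPN route will be unreachable, and the primary CIDR cannot be changed afterwards.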

FAQ

What CIDR block should I use for my AWS VPC?

For most VPCs, use a /16 from 10.0.0.0/8. Pick a different 10.x.x.x/16 for each VPC to make VPC peering and Transit Gateway routing straightforward. Avoid 192.168.x.x (VPN conflicts) and 172.17-31.x.x (Docker and AWS defaults).

How many IPs does AWS reserve per subnet?

AWS reserves 5 IPs in every subnet: .0 (network address), .1 (VPC router), .2 (AWS DNS), .3 (reserved for future use), and the last address of the subnet, .255 in a /24 (broadcast). A /24 subnet therefore has 251 usable IPs — not 254.

Can I change my VPC CIDR later?

The primary CIDR cannot be changed after VPC creation. You can, however, add up to 5 secondary CIDR blocks to expand the address space. Plan carefully and use /16 rather than /24 to leave room for growth within the primary CIDR.