CIDR, VPC and Subnets in the cloud — Almost all you need to know

When entering the cloud world, one has to work extensively with, or at the very least understand, networking primitives such as CIDRs, Virtual Private Clouds (VPCs) and subnets. In this article I explain what these primitives mean, how one divides CIDR ranges (or VPCs into subnets), and how their semantics differ between public clouds such as AWS, Google Cloud and Azure. It is assumed the reader knows what an IP address (especially IPv4) and a subnet mask are.

CIDRs (Classless interdomain routing)

Addressing schemes

Classful addressing is the older scheme, dating from 1981, in which IPv4 addresses are divided into classes A to E (D and E are not discussed here). A class A address ranges from 0.0.0.0 to 127.255.255.255, with the first bit of the first octet always set to 0. The whole first octet is assigned to the network portion of the address.

Similarly, the other classes (B and C) allocate the network portion in 8-bit increments: the first two octets form the network portion in class B and the first three octets in class C. With such classful addressing, the smallest block that can be assigned to an organization is 254 addresses (class C, subnet mask 255.255.255.0), excluding the reserved addresses. If even a single additional address is required, the organization would be assigned 65534 addresses (class B, subnet mask 255.255.0.0), excluding the reserved addresses.

Clearly a lot of IP addresses go to waste this way. To avoid that waste, classless addressing was introduced in 1993, which lets users apply a Variable Length Subnet Mask (VLSM). With CIDR, a network of IP addresses is allocated in 1-bit increments, as opposed to 8-bit increments in a classful network.

In CIDR, subnet masks are denoted by /X, where X is the number of bits assigned to the network portion of the address. For example, a subnet mask of 255.255.255.0 is denoted by /24 (the first 24 bits set to 1). The classful networks can also be expressed in this scheme (class A = /8, class B = /16, class C = /24).

Important: The maximum number of addresses in a network with a CIDR /X is 2^(32-X). For example, a network with a CIDR /28 has at most 2^(32-28) = 2^4 = 16 addresses.

[Figure: example with four CIDRs. The maximum value of a CIDR prefix is /32 for IPv4]

In this way one can allocate addresses to networks, and further to subnetworks, with far less waste. For example, say we have a total of 960 devices in our network. Looking at the table above, we can use a CIDR of /22 for the network. While there is still some waste, it is not as exorbitant as in the classful case, because the network portion grows in 1-bit rather than 8-bit increments.
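To make the prefix arithmetic above concrete, here is an added Python example (not code from the original article) that converts between /X prefixes and dotted masks, computes the 2^(32-X) block size, picks the smallest block for a given host count under both the classful and the CIDR scheme, and compares the waste. The function names are my own; the classful class boundaries (first-octet bit patterns 0, 10 and 110) and the "network + broadcast excluded" usable-host rule are standard and not specific to any cloud.

```python
import ipaddress


def prefix_to_netmask(prefix: int) -> str:
    """Dotted-decimal subnet mask for a /prefix: the first `prefix` bits set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def netmask_to_prefix(netmask: str) -> int:
    """Inverse of prefix_to_netmask; rejects masks whose 1 bits are not contiguous."""
    value = int(ipaddress.IPv4Address(netmask))
    prefix = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{netmask} is not a contiguous subnet mask")
    return prefix


def addresses_in_prefix(prefix: int) -> int:
    """Maximum number of addresses in a /prefix block: 2^(32 - prefix)."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return 1 << (32 - prefix)


def usable_hosts(prefix: int) -> int:
    """Hosts left after excluding the network and broadcast addresses (the classic
    rule; clouds reserve more per subnet, which is covered further down)."""
    return max(addresses_in_prefix(prefix) - 2, 0)


def cidr_prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest block) whose usable hosts still cover `hosts`.
    The block must hold hosts + 2 addresses, i.e. ceil(log2(hosts + 2)) host bits;
    integer bit_length() avoids floating-point rounding in math.log2."""
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = (hosts + 1).bit_length()
    if host_bits > 32:
        raise ValueError("more hosts than a single IPv4 network can address")
    return 32 - host_bits


def classful_prefix(address: str) -> int:
    """Network length under classful addressing, decided by the leading bits of the
    first octet: 0xxxxxxx is class A (/8), 10xxxxxx class B (/16), 110xxxxx class C (/24)."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet >> 7 == 0b0:
        return 8
    if first_octet >> 6 == 0b10:
        return 16
    if first_octet >> 5 == 0b110:
        return 24
    raise ValueError(f"{address} is a class D or E address, not covered here")


def classful_prefix_for_hosts(hosts: int) -> int:
    """Smallest class (longest prefix) whose usable hosts cover `hosts`:
    254 for class C, 65534 for class B, 16777214 for class A."""
    for prefix in (24, 16, 8):
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError("too many hosts for a single classful network")


def wasted_addresses(hosts: int) -> dict:
    """Addresses allocated but not needed for `hosts` hosts, under both schemes."""
    classful = addresses_in_prefix(classful_prefix_for_hosts(hosts)) - hosts
    cidr = addresses_in_prefix(cidr_prefix_for_hosts(hosts)) - hosts
    return {"classful": classful, "cidr": cidr}


if __name__ == "__main__":
    # The article's 960-device network: /22 under CIDR, class B (/16) under classful.
    print(cidr_prefix_for_hosts(960), classful_prefix_for_hosts(960), wasted_addresses(960))
```

Running it for 960 hosts gives /22 under CIDR (64 spare addresses) against /16 under classful addressing (64576 spare), which is the waste the article describes.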

Dividing networks / VPCs into subnets

[Figure: minimum and maximum CIDR range for GCP, AWS and Azure]

Clouds use non-globally-routable CIDRs from the private IPv4 address ranges shown below:

    10.0.0.0    -   10.255.255.255   (10/8 prefix)
    172.16.0.0  -   172.31.255.255   (172.16/12 prefix)
    192.168.0.0 -   192.168.255.255  (192.168/16 prefix)

These address spaces can be used internally by organizations without any coordination with the IANA or an internet registry. Now let’s take the example of a network with a 192.168/16 prefix that we need to divide into subnets.

Rule: A /X CIDR range can be equally divided into two /(X+1) ranges, four /(X+2) ranges, eight /(X+3) ranges and so on. For example, a 192.168.0.0/16 range can be divided into two /17 ranges (192.168.0.0/17 and 192.168.128.0/17), four /18 ranges and so on.

So if we divide the 192.168/16 network into two /17 subnets, each subnet has 32768 addresses; however, not all of them are usable by hosts. Why?

Because each cloud reserves a few addresses in every subnet for its internal purposes. For example, GCP reserves the first two and the last two IP addresses, whereas AWS and Azure reserve the first four and the last IP address, though for different purposes.

Azure

  • x.x.x.0: Network address
  • x.x.x.1: Reserved by Azure for the default gateway
  • x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
  • x.x.x.255: Network broadcast address

AWS

  • x.x.x.0: Network address
  • x.x.x.1: Reserved by AWS for the VPC router
  • x.x.x.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two; however, AWS also reserves the base of each subnet range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR
  • x.x.x.3: Reserved by AWS for future use
  • x.x.x.255: Network broadcast address

GCP

  • x.x.x.0: Network address
  • x.x.x.1: Reserved by GCP for the default gateway
  • x.x.x.254: Reserved by GCP for future use
  • x.x.x.255: Network broadcast address
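The subnet-splitting rule and the three reservation lists above can be checked with a small script. The following is an added Python example, not code from the article or from any cloud provider's SDK: it splits a /X range into equal /(X+k) ranges with the standard library `ipaddress` module, then applies each cloud's per-subnet reservations (encoded as offsets from the start or end of the subnet, x.x.x.0 being the network address implied by the article's "first four" and "first two" counts) to report which addresses are taken and how many hosts remain. The table `CLOUD_RESERVED` and the function names are constructed for this example.

```python
import ipaddress

# Per-subnet reserved addresses as listed above, keyed by offset from the start
# (non-negative) or from the end (negative) of the subnet. Constructed for this
# example from the article's three lists; the labels are descriptive only.
CLOUD_RESERVED = {
    "aws": {0: "network address", 1: "VPC router", 2: "DNS resolver (VPC base + 2)",
            3: "future use", -1: "broadcast"},
    "azure": {0: "network address", 1: "default gateway", 2: "Azure DNS mapping",
              3: "Azure DNS mapping", -1: "broadcast"},
    "gcp": {0: "network address", 1: "default gateway", -2: "future use",
            -1: "broadcast"},
}


def split_cidr(network: str, new_prefix: int) -> list[str]:
    """Divide a /X range into 2^(new_prefix - X) equal /new_prefix ranges.
    strict=True rejects inputs like 192.168.1.0/16 whose host bits are not zero."""
    net = ipaddress.IPv4Network(network, strict=True)
    if not net.prefixlen < new_prefix <= 32:
        raise ValueError(f"new prefix must be longer than /{net.prefixlen} and at most /32")
    return [str(subnet) for subnet in net.subnets(new_prefix=new_prefix)]


def reserved_addresses(subnet: str, cloud: str) -> dict[str, str]:
    """Map each address the given cloud reserves inside `subnet` to its purpose."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    rules = CLOUD_RESERVED[cloud.lower()]
    reserved = {}
    for offset, purpose in rules.items():
        index = offset if offset >= 0 else net.num_addresses + offset
        if 0 <= index < net.num_addresses:
            reserved[str(net[index])] = purpose
    return reserved


def usable_hosts_in_cloud(subnet: str, cloud: str) -> int:
    """Addresses left for instances after the cloud's per-subnet reservations.
    Counting distinct reserved addresses keeps tiny subnets, where offsets from
    the start and from the end land on the same address, from going negative."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    return net.num_addresses - len(reserved_addresses(subnet, cloud))


def plan_subnets(network: str, new_prefix: int, cloud: str) -> list[tuple[str, int]]:
    """Split `network` and report (subnet, usable hosts) for the chosen cloud."""
    return [(subnet, usable_hosts_in_cloud(subnet, cloud))
            for subnet in split_cidr(network, new_prefix)]


if __name__ == "__main__":
    # The article's example: 192.168.0.0/16 split into two /17 subnets.
    for cloud in ("aws", "azure", "gcp"):
        print(cloud, plan_subnets("192.168.0.0/16", 17, cloud))
    print(reserved_addresses("10.0.1.0/24", "gcp"))
```

For the two /17 subnets the script reports 32763 usable hosts each on AWS and Azure and 32764 on GCP, matching the five and four reserved addresses respectively; for a /24 on GCP it lists .0, .1, .254 and .255 as reserved.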

Note: Another factor that differs between clouds is the scope of VPCs and subnets. For example, in GCP a VPC is a global network spanning multiple regions, whereas in AWS and Azure a VPC / VNet is a regional construct. In the same vein, a subnet in GCP spans a whole region, i.e. multiple Availability Zones (AZs), whereas a subnet in Azure / AWS spans only a single Availability Zone.

Conclusion
