Home / server / Questions / 1025033
Accepted
Leon
Asked: 2020-07-14 03:15:36 +0800 CST

What is a correct IP4 CIDR for AWS?

  • 772

I am trying to create some new subnets and cannot get AWS to accept a CIDR IP4. I receive the message: Must be valid IPv4 CIDR. Nothing I try is accepted. What is a valid IP4 for this purpose, and why? See attached image> enter image description here

I tried :

  • 10.0.0.1/16
  • 10.0.1.0/16
  • 10.1.0.0/16
  • 10.0.0.255/16
  • 10.255.255.255/16
  • 128.128.128.128/16
  • 10.0.0.16/24
  • 10.0.0.14/24 ... this list goes on a bit. I also tried various CIDR calculators online which didn't give me a correct subnet IP4. Obviously without understanding what i'm being asked to input trying random numbers is useless. I also read the documentation on amazon, which made no sense to me, hence me asking this question. Can someone answer what they would enter in this box, so that I can understand by example?
amazon-web-services amazon-vpc cidr

2 Answers

  1. Best Answer

    You need to create subnet, which is in range 10.0.0.0/16 .

    For example:

    10.0.0.0/24

    10.2.0.128/25

    etc

    • 5

  2. TL;DR version (Amazon VPC FAQs)

    • Read about CIDR Notation to understand what the below means.
    • AWS VPC CIDR block size must be between /16 and /28, e.g. 192.168.0.0/16
    • Subnet CIDR block sizes must also be between /16 and /28 and in reality should have smaller CIDR blocks than the VPC because you typically want more than one subnet per VPC. E.g. 192.168.2.0/24
    • The host-part of the CIDR must be zero'ed. I.e. this is valid: 192.168.0.0/16 and this isn't: 192.168.2.123/16
    • Choose a block from RFC1918 private range addresses: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 unless you really really know what you are doing.

    Some explanation:

    In IPv4 and IPv6 we sort of distinguish between network and host addresses. Hosts belong to networks, smaller networks belong to larger networks.

    In case of IPv4 a host address looks like this: 192.168.2.123 - it's got 4 bytes which means 32 bits (1 byte = 8 bits).

    CIDR notation is the standard way to describe network addresses. It uses a prefix notation to split the address to a network part and a host part where the prefix can be anywhere between /0 and /32, showing the number of bits from the left that are known.

    A host address has all the 32 bits defined. That means our example instance address in CIDR notation can be written as 192.168.2.123/32 - we know all the bits.

    This instance perhaps sits in a subnet 192.168.2.0/24 - 24 bits (= 3 bytes) from the left (192.168.2) are the CIDR block of the subnet, while the remaining 8 bits on the right are available for hosts.

    Network addresses are hierarchical - VPC has a large network address block with subnets inside having smaller slices of the VPC network network address block. That means your VPC CIDR block can be for example 192.168.0.0/16 - the first 16 bits (192.168) is defined and everything in the VPC must have addresses that start with 192.168.: subnets, instances, RDS, load balancers, everything.

    So to wrap up: an instance IP 192.168.2.123 (/32) belongs to subnet CIDR 192.168.2.0/24 which belongs to VPC CIDR 192.168.0.0/16. The undefined bits in the subnet and VPC addrs are always set to 0.

    However the prefix lengths don't have to be aligned to bytes boundaries. This would also be a valid example: instance IP 192.168.2.123 (/32) belongs to subnet CIDR 192.168.2.64/26 which belongs to VPC CIDR 192.168.2.0/23. It's a bit more effort to work it out but it's completely valid.

    Hope that helps :)

    • 4