What is a correct IP4 CIDR for AWS?

I am trying to create some new subnets and cannot get AWS to accept a CIDR IP4. I receive the message: Must be valid IPv4 CIDR. Nothing I try is accepted. What is a valid IP4 for this purpose, and why? See attached image> enter image description here

I tried :

  • 10.0.0.1/16
  • 10.0.1.0/16
  • 10.1.0.0/16
  • 10.0.0.255/16
  • 10.255.255.255/16
  • 128.128.128.128/16
  • 10.0.0.16/24
  • 10.0.0.14/24 ... this list goes on a bit. I also tried various CIDR calculators online which didn't give me a correct subnet IP4. Obviously without understanding what i'm being asked to input trying random numbers is useless. I also read the documentation on amazon, which made no sense to me, hence me asking this question. Can someone answer what they would enter in this box, so that I can understand by example?

Solution 1:

You need to create subnet, which is in range 10.0.0.0/16 .

For example:

10.0.0.0/24

10.2.0.128/25

etc

Solution 2:

TL;DR version (Amazon VPC FAQs)

  • Read about CIDR Notation to understand what the below means.
  • AWS VPC CIDR block size must be between /16 and /28, e.g. 192.168.0.0/16
  • Subnet CIDR block sizes must also be between /16 and /28 and in reality should have smaller CIDR blocks than the VPC because you typically want more than one subnet per VPC. E.g. 192.168.2.0/24
  • The host-part of the CIDR must be zero'ed. I.e. this is valid: 192.168.0.0/16 and this isn't: 192.168.2.123/16
  • Choose a block from RFC1918 private range addresses: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 unless you really really know what you are doing.

Some explanation:

In IPv4 and IPv6 we sort of distinguish between network and host addresses. Hosts belong to networks, smaller networks belong to larger networks.

In case of IPv4 a host address looks like this: 192.168.2.123 - it's got 4 bytes which means 32 bits (1 byte = 8 bits).

CIDR notation is the standard way to describe network addresses. It uses a prefix notation to split the address to a network part and a host part where the prefix can be anywhere between /0 and /32, showing the number of bits from the left that are known.

A host address has all the 32 bits defined. That means our example instance address in CIDR notation can be written as 192.168.2.123/32 - we know all the bits.

This instance perhaps sits in a subnet 192.168.2.0/24 - 24 bits (= 3 bytes) from the left (192.168.2) are the CIDR block of the subnet, while the remaining 8 bits on the right are available for hosts.

Network addresses are hierarchical - VPC has a large network address block with subnets inside having smaller slices of the VPC network network address block. That means your VPC CIDR block can be for example 192.168.0.0/16 - the first 16 bits (192.168) is defined and everything in the VPC must have addresses that start with 192.168.: subnets, instances, RDS, load balancers, everything.

So to wrap up: an instance IP 192.168.2.123 (/32) belongs to subnet CIDR 192.168.2.0/24 which belongs to VPC CIDR 192.168.0.0/16. The undefined bits in the subnet and VPC addrs are always set to 0.

However the prefix lengths don't have to be aligned to bytes boundaries. This would also be a valid example: instance IP 192.168.2.123 (/32) belongs to subnet CIDR 192.168.2.64/26 which belongs to VPC CIDR 192.168.2.0/23. It's a bit more effort to work it out but it's completely valid.

Hope that helps :)