What is a correct IP4 CIDR for AWS?
I am trying to create some new subnets and cannot get AWS to accept a CIDR IP4. I receive the message: Must be valid IPv4 CIDR. Nothing I try is accepted. What is a valid IP4 for this purpose, and why? See attached image>
I tried :
- 10.0.0.1/16
- 10.0.1.0/16
- 10.1.0.0/16
- 10.0.0.255/16
- 10.255.255.255/16
- 128.128.128.128/16
- 10.0.0.16/24
- 10.0.0.14/24 ... this list goes on a bit. I also tried various CIDR calculators online which didn't give me a correct subnet IP4. Obviously without understanding what i'm being asked to input trying random numbers is useless. I also read the documentation on amazon, which made no sense to me, hence me asking this question. Can someone answer what they would enter in this box, so that I can understand by example?
Solution 1:
You need to create subnet, which is in range 10.0.0.0/16 .
For example:
10.0.0.0/24
10.2.0.128/25
etc
Solution 2:
TL;DR version (Amazon VPC FAQs)
- Read about CIDR Notation to understand what the below means.
- AWS VPC CIDR block size must be between
/16
and/28
, e.g.192.168.0.0/16
- Subnet CIDR block sizes must also be between
/16
and/28
and in reality should have smaller CIDR blocks than the VPC because you typically want more than one subnet per VPC. E.g.192.168.2.0/24
- The host-part of the CIDR must be zero'ed. I.e. this is valid:
192.168.0.0/16
and this isn't:192.168.2.123/16
- Choose a block from RFC1918 private range addresses:
10.0.0.0/8
,172.16.0.0/12
, or192.168.0.0/16
unless you really really know what you are doing.
Some explanation:
In IPv4 and IPv6 we sort of distinguish between network and host addresses. Hosts belong to networks, smaller networks belong to larger networks.
In case of IPv4 a host address looks like this: 192.168.2.123
- it's got 4 bytes which means 32 bits (1 byte = 8 bits).
CIDR notation is the standard way to describe network addresses. It uses a prefix notation to split the address to a network part and a host part where the prefix can be anywhere between /0
and /32
, showing the number of bits from the left that are known.
A host address has all the 32 bits defined. That means our example instance address in CIDR notation can be written as 192.168.2.123/32
- we know all the bits.
This instance perhaps sits in a subnet 192.168.2.0/24
- 24 bits (= 3 bytes) from the left (192.168.2
) are the CIDR block of the subnet, while the remaining 8 bits on the right are available for hosts.
Network addresses are hierarchical - VPC has a large network address block with subnets inside having smaller slices of the VPC network network address block. That means your VPC CIDR block can be for example 192.168.0.0/16
- the first 16 bits (192.168
) is defined and everything in the VPC must have addresses that start with 192.168.
: subnets, instances, RDS, load balancers, everything.
So to wrap up: an instance IP 192.168.2.123
(/32
) belongs to subnet CIDR 192.168.2.0/24
which belongs to VPC CIDR 192.168.0.0/16
. The undefined bits in the subnet and VPC addrs are always set to 0
.
However the prefix lengths don't have to be aligned to bytes boundaries. This would also be a valid example: instance IP 192.168.2.123
(/32
) belongs to subnet CIDR 192.168.2.64/26
which belongs to VPC CIDR 192.168.2.0/23
. It's a bit more effort to work it out but it's completely valid.
Hope that helps :)