What is the recommended CIDR when creating VPC on AWS?

cidr amazon-vpc

I have been creating AWS VPCs and I am wondering if there is a recommended CIDR value when creating VPCs. What are the factors that I must consider when choosing a CIDR and does the CIDR value affect the performance of the network?


I would recommend the following considerations:

If you creating an IPSEC connection between your corporate LAN and your VPC, use a CIDR that is different than that on your corporate LAN. This will prevent routing overlaps and create an identity distinction for reference.

For very large networks, use at least different 16-bit masks in different regions eg

eu-west-1 10.1.0.0/16
us-east-1 10.2.0.0/16
us-west-1 10.3.0.0/16

For smaller networks, use a 24-bit mask in different regions eg

eu-west-1 10.0.1.0/24
us-east-1 10.0.2.0/24
us-west-1 10.0.3.0/24

Consider making a distinction between private and public subnets, eg

private 10.0.1.0/24 (3rd byte < 129)
public 10.0.129.0/24 (3rd byte > 128)

Don't over-allocate address space to subnets, eg

eu-west-1 10.0.1.0/26
eu-west-1 10.0.1.64/26
eu-west-1 10.0.1.128/26
eu-west-1 10.0.1.192/26

(62 hosts per subnet)

Don't under-allocate either. If you use a load of Elastic Load Balancers, remember that they will also consume available ip addresses on your subnets. This is a particularly true if you use ElasticBeanstalk.


Some things I considered the last time I created a new VPC:

  1. Make sure the IP ranges from different regions don't overlap. You shouldn't have a 172.31.0.0/16 in us-west eu-ireland, for example. It will make VPN between those two regions a problem requiring double-NAT to solve. No thanks.
  2. Make sure the IP range is large enough to hold all the instances you think you'll need x.x.x.x/24 will accommodate 254 different addresses. There are probably hundreds of CIDR calculators out there to help you figure this out.
  3. I create a lot of different subnets in a single VPC, rather than creating multiple VPCs. The subnets can talk to each other - I can have private vs. public subnets to keeps some instances shielded from the open internet. Use a NAT instance so that the private subnet can talk to the public subnet. Use security groups to isolate groups of instances from one another.

Related

What are useful .screenrc settings?
Given a debian source package - How do I install the build-deps?
best way to debug nginx rewrite rules in config file?
nginx set variable in location
What is the ipv6 equivalent of 0.0.0.0/0
Correct way to move kvm vm
What is the difference between SQL Server standard and web edition?
Which websites should a system administrator read? [closed]
Rsync : copying over timestamps only
php cli memory limit
IIS7: can't set host name on site with SSL cert and port 443
Why should I use Amazon Route 53 over my registrar's DNS servers?