Standard formula to determine or calculate Cidr for VPC in AWS

Question

I am learning AWS CloudFormation. Now, I am trying to create a template for VPC and Subnets. I am now creating a VPC.

This is my template:

AWSTemplateFormatVersion: '2010-09-09'
Description: "Template for Networks and IAM Roles"
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: True
      EnableDnsSupport: True

What I don't understand here is that CidrBlock. Now, I specified it as, 10.0.0.0/16. To be honest, how does it work exactly. Is setting it as 10.0.0.0/16 always going to work? What is that for? How does that IP address range work exactly? How does it help? How can I determine which value to set for it? Is there a formula to calculate it? How? I saw an existing VPC in my console. The IP address is different.

Also, how can I calculate to split it to assign to subnets?

I am seeking an understanding of the following template, especially Cidr for subnets.

AWSTemplateFormatVersion: '2010-09-09'
Description: "Template for Networks and IAM Roles"
Parameters:
  VpcCidr:
    Default: '10.0.0.0/16'
    Type: String
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsHostnames: True
      EnableDnsSupport: True
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: !Select [ 0, !Cidr [ !Ref VpcCidr, 12, 8 ] ]
      MapPublicIpOnLaunch: True
      AvailabilityZone: !Select
        - 0
        - Fn::GetAZs: !Ref "AWS::Region"
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: !Select [ 1, !Cidr [ !Ref VpcCidr, 12, 8 ] ]
      MapPublicIpOnLaunch: True
      AvailabilityZone: !Select
        - 0
        - Fn::GetAZs: !Ref "AWS::Region"

score 13 · Accepted Answer · edited Dec 30 '20 at 20:12

There are way too many sub-questions to answer each of them individually here. Instead I can write this.

CIDRs for VPC are selected from three common ranges:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

These ranges are used because they are not-routable over the internet.

10.0.0.0/16 - is the most commonly used CIDR used for VPC. This give you 65535 private IP addresses to work with in your VPC.

You commonly divide it to subnets of size /24, each with 255 private addresses. For example:

10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
10.0.4.0/24

If you use the above pattern for VPC and subnets, you don't have to do any calculations or memorize any formals. Of course if you want to have more specific subnets, or subnets of different sizes, you have to learn how to calculate subnets. There are many resources and tools on the internet for that. Examples are:

Update

The template uses intristic function Fn::Cidr.

The construct:

 !Cidr [ !Ref VpcCidr, 12, 8 ]

Will create a list of 12 CIDR ranges, of size of /24 (32-8). Each subnet will have 255 addresses. The Select is used to chose individual CIDRs from the list:

!Select [ 0, !Cidr [ !Ref VpcCidr, 12, 8 ] ] # 10.0.0.0/24 
!Select [ 1, !Cidr [ !Ref VpcCidr, 12, 8 ] ] # 10.0.1.0/24
!Select [ 2, !Cidr [ !Ref VpcCidr, 12, 8 ] ] # 10.0.2.0/24
!Select [ 11, !Cidr [ !Ref VpcCidr, 12, 8 ] ] # 10.0.11.0/24

Hi, thanks for your answer. Can you also please explain the template I just added? — Wai Yan Hein, Jul 25 '20 at 23:37

score 3 · Answer 2 · answered Jul 25 '20 at 23:24

Question 1:

10.0.0.0/16 means you are creating a VPC which has 65,536 available private IP(s) internally in your VPC such you can have EC2 instances having IPs as 10.0.0.4, 10.0.0.5 ... like that.

Note: There are 5 IPs reserved by AWS

10.0.0.0: Network address.

10.0.0.1: Reserved by AWS for the VPC router.

10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.

10.0.0.3: Reserved by AWS for future use.

10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address

To calculate you can use websites to calculate and visualize, such as https://mxtoolbox.com/subnetcalculator.aspx ( I just random pick up it, I'm not author of this)

Please read here for more detail

Hi, thanks for your answer. Can you also please explain the template I just added? — Wai Yan Hein, Jul 25 '20 at 23:37

Standard formula to determine or calculate Cidr for VPC in AWS

2 Answers2