VPC CIDR Blocks – Amazon Virtual Private Cloud

Amazon Web Services (AWS) provides Virtual Private Cloud (VPC) for creating isolated and secure networks in the cloud. One of the most important aspects of a VPC is its CIDR blocks, which define the IP address ranges available for your resources. In this article, we will explore VPC CIDR Blocks in Amazon Virtual Private Cloud, including IPv4 and IPv6 ranges, CIDR notation, and how to configure custom CIDR blocks for your VPC.

What is AWS VPC?

Virtual Private Cloud (VPC) is a customizable, isolated network environment for deploying cloud resources. A default VPC is configured and ready for you to use when you create your account. You can also create your own custom VPC.

Virtual Private Cloud can be created and managed through:

  • AWS management console
  • AWS CLI
  • AWS SDKs
  • Query APIs

Key Components Of AWS VPC

Subnets

A subnet is a logical division of your VPC’s IP address range that helps you organize and isolate resources within your virtual network. By splitting the VPC into smaller networks, you can separate workloads, enhance security, and manage traffic flow more effectively. Subnets can be public or private, depending on whether they have access to the internet. For example, web servers are usually placed in public subnets, while databases and backend services remain in private subnets. With the right configuration, you can also connect subnets to the internet, other VPCs, and even on-premises data centers.


Route Tables

Route tables define how network traffic flows inside your VPC. Each subnet is associated with a route table that contains a list of rules, known as routes, which specify the path that outbound traffic should take. For instance, you can configure a route to send internet-bound traffic through an internet gateway while directing private communication to another subnet. This flexibility makes route tables a powerful tool for controlling connectivity and ensuring that traffic reaches the correct destination. In practice, well-structured route tables improve performance, reduce latency, and strengthen security across your applications.


IP Addressing

Every resource inside a VPC receives a private IPv4 address to ensure secure communication within the network. You can also assign a public IPv4 address using Elastic IP if external access is required. Additionally, when you allocate an IPv6 CIDR block to your VPC, your resources can take advantage of IPv6 addresses, which offer a larger address space and improved scalability. By carefully planning IP addressing, you prevent conflicts, simplify routing, and maintain high availability. Consequently, effective IP address management plays a vital role in building resilient cloud architectures.


Gateways

Gateways connect your VPC with the outside world. An internet gateway allows instances in public subnets to communicate with the internet. On the other hand, a NAT gateway enables outbound internet traffic from private subnets while preventing unsolicited inbound connections, thereby keeping sensitive workloads secure. These gateways ensure that applications get the right balance of accessibility and protection. Furthermore, gateways can integrate with VPN connections and Direct Connect to securely link your VPC with on-premises environments.


Peering

VPC peering establishes direct network connectivity between two VPCs, enabling resources to communicate as if they were part of the same network. This is particularly useful when applications span multiple VPCs for isolation, compliance, or organizational purposes. In more complex scenarios, you can use a transit gateway to interconnect multiple VPCs and even extend connectivity to on-premises data centers. With these options, AWS provides a scalable and flexible way to manage hybrid and multi-VPC architectures.


Flow Logs

VPC Flow Logs record information about the traffic passing through your network interfaces. With this data, you can analyze traffic patterns, troubleshoot issues, and strengthen security monitoring. For example, flow logs help identify misconfigured security groups, unusual access attempts, or traffic bottlenecks. The logs can be sent to Amazon CloudWatch or S3, making them easy to store, visualize, and integrate with third-party analytics tools. Ultimately, flow logs provide deep visibility into your network activity, allowing you to operate a more secure and optimized VPC environment.
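To make the "unusual access attempts" and "misconfigured security groups" use cases concrete, here is an added example (not AWS code) that parses default-format flow log records and separates rejected inbound flows by whether the source lies inside or outside the VPC CIDR. The log lines, account ID and interface ID are constructed sample data, and 10.16.0.0/16 is assumed as the VPC CIDR.

```python
import ipaddress
from collections import Counter

# Field names of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real logs). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d4e5f60718 203.0.113.5 10.16.1.20 51234 22 6 1 40 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 203.0.113.5 10.16.1.20 51235 3389 6 1 40 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 198.51.100.9 10.16.1.20 40000 22 6 1 40 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 10.16.2.30 10.16.1.20 44001 443 6 12 5400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f60718 10.16.2.30 10.16.1.20 44002 5432 6 1 40 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line):
    """Split one default-format record into a dict; return None for a
    malformed line or one that carries no flow data (NODATA/SKIPDATA)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def summarize_rejects(log_text, vpc_cidr):
    """Count REJECTed flows addressed to the VPC. Sources outside the VPC
    CIDR suggest probing; sources inside it usually point at a security
    group or NACL that is too tight. Keys are (srcaddr, dstaddr, dstport)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    external, internal = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        if ipaddress.ip_address(rec["dstaddr"]) not in vpc:
            continue  # only flows addressed to the VPC are of interest here
        key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"])
        (internal if src in vpc else external)[key] += 1
    return external, internal

if __name__ == "__main__":
    ext, internal = summarize_rejects(SAMPLE_LOG, "10.16.0.0/16")
    for (src, dst, port), n in ext.most_common():
        print(f"external reject: {src} -> {dst}:{port} x{n}")
```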

What are VPC CIDR Blocks in AWS?

A CIDR block (Classless Inter-Domain Routing) is a notation used to define IP address ranges. When you create a VPC, you must specify an IP address range for the VPC in the form of a CIDR block.

What Are IPv4 VPC CIDR Blocks?

In AWS, the allowed IPv4 CIDR block size is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses). You can associate additional IPv4 CIDR blocks with the VPC.

What is CIDR Notation?

CIDR (Classless Inter-Domain Routing) notation is a modern way to represent IP address ranges. It is written in the format IP-address/prefix-length.

  • IP address: The starting point of the range.
  • Prefix length: A number between 0 and 32 that defines how many bits belong to the network portion. The remaining bits define the host portion.

For example, 10.0.0.0/16 represents the addresses from 10.0.0.0 to 10.0.255.255, which gives you 65,536 IP addresses. This notation makes subnetting flexible and avoids wasting large blocks of addresses.


AWS Private CIDR Ranges

AWS uses private IP ranges defined by RFC 1918. These ranges are essential for building isolated networks inside a VPC, and they are not routable over the internet.

The private ranges include:

  • 192.168.0.0/16 → 192.168.0.0 – 192.168.255.255
  • 10.0.0.0/8 → 10.0.0.0 – 10.255.255.255
  • 172.16.0.0/12 → 172.16.0.0 – 172.31.255.255

IPv6 VPC CIDR Blocks Overview

When creating a new Virtual Private Cloud (VPC) on AWS, you have the option to associate an IPv6 CIDR block. You can either assign a single IPv6 CIDR block during VPC creation or up to five IPv6 CIDR blocks later. These blocks can range from /44 to /60, in increments of /4.

Key Points About IPv6:
  • IPv6 Address Structure: IPv6 addresses are 128 bits long and are typically written in hexadecimal, divided into eight 16-bit groups separated by colons. For example:
    • 2001:db8:0000:0000:0000:0000:0000:0000
    • This is often abbreviated as 2001:db8:: to make it more readable.
  • Prefix Length: In IPv6, the prefix length indicates how many bits are dedicated to the network portion of the address, similar to IPv4. The prefix length for IPv6 ranges from /0 to /128. For example:
    • 2001:db8::/32: This block includes the IP addresses from 2001:db8:0000:0000:0000:0000:0000:0000 to 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff

CIDR Block Association Guidelines for IPv6 in AWS:
  • You can assign up to 5 IPv6 CIDR blocks per VPC.
  • The IPv6 CIDR blocks you associate must range from /44 to /60.
  • Non-overlapping requirement: Each IPv6 CIDR block associated with a VPC must not overlap with any other existing CIDR blocks in that VPC.
  • Block size adjustment: Once a CIDR block is associated with a VPC, its size cannot be changed (increased or decreased).
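The rules above for IPv4 (/16 to /28), IPv6 (/44 to /60 in steps of /4), the five-block limit and the non-overlap requirement, turned into a small checker built on Python's standard `ipaddress` module. This is an added example, not AWS code; it runs offline, and treating a non-RFC 1918 range as a warning rather than an error and rejecting inputs with host bits set are this example's choices.

```python
import ipaddress

# RFC 1918 private ranges, the "AWS Private CIDR Ranges" listed above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_BLOCKS = 5  # per-VPC limit on associated blocks, per address family

def describe(cidr):
    """Return (first address, last address, address count) for a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses

def check_block(cidr, existing=()):
    """Check whether `cidr` may be associated with a VPC that already holds
    the blocks in `existing`. Returns (errors, warnings); an empty `errors`
    list means the association is allowed under the rules above."""
    errors, warnings = [], []
    try:
        # strict=True rejects inputs such as 10.0.1.0/16 that set host bits.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"], warnings

    if net.version == 4:
        if not 16 <= net.prefixlen <= 28:
            errors.append(f"IPv4 prefix /{net.prefixlen} outside /16-/28")
        if not any(net.subnet_of(r) for r in RFC1918):
            warnings.append("not in an RFC 1918 private range")
    else:
        # Allowed IPv6 sizes are /44, /48, /52, /56 and /60.
        if not 44 <= net.prefixlen <= 60 or net.prefixlen % 4:
            errors.append(f"IPv6 prefix /{net.prefixlen} not /44-/60 in steps of 4")

    # The overlap and count rules apply within one address family.
    same_family = [b for b in map(ipaddress.ip_network, existing)
                   if b.version == net.version]
    if len(same_family) >= MAX_BLOCKS:
        errors.append(f"VPC already has {MAX_BLOCKS} IPv{net.version} blocks")
    for other in same_family:
        if net.overlaps(other):
            errors.append(f"overlaps existing block {other}")
    return errors, warnings

if __name__ == "__main__":
    print(describe("10.16.0.0/16"))
    print(check_block("10.16.0.0/16", ["10.16.128.0/17"]))
```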

How to Manage CIDR Blocks of a VPC?

How to Create a Custom VPC in AWS

Creating a custom VPC allows you to control your network design, assign your own IP ranges, and configure resources for better security. Follow these steps to build one in the AWS Management Console:

Step 1: Open the VPC Console

Log in to your AWS account and navigate to the VPC service from the console.

Step 2: Start VPC Creation

In the VPC dashboard, choose Your VPCs from the left-hand menu and then click Create VPC.

Step 3: Define Basic Details

On the Create VPC page, provide a descriptive name for your VPC. This makes it easier to identify later. Next, under IPv4 CIDR block, select Manual input to specify your own IP range.

Step 4: Assign IPv4 Range

Enter the IPv4 CIDR block for your VPC. For example, you can use 10.16.0.0/16, which gives you 65,536 IP addresses. This range will define how resources inside your VPC communicate.

Step 5: Enable IPv6 Support

If you want IPv6, choose Amazon-provided IPv6 CIDR block. This option allows AWS to assign IPv6 addresses automatically, which helps future-proof your network.

Step 6: Finalize the Configuration

Leave other options as default unless you have specific requirements. Finally, click Create VPC to launch your custom virtual network.

After the VPC is created, you should see a summary page like the one below, which lists the VPC's private IPv4 and IPv6 CIDR blocks.

How to Edit CIDR blocks?

  • You can add further IPv4 and IPv6 CIDR blocks to a VPC, and you can also remove CIDR blocks.
  • On your custom VPC's page, open the Actions menu and choose Edit CIDRs. This opens a page where you can add CIDR blocks, just as you did on the creation page, and remove existing ones.
Edit CIDRs

Key Features of AWS VPC (Virtual Private Cloud)

1. VPC is a Regional Service

Region-specific infrastructure: AWS VPC operates on a regional level, meaning each VPC is created within a specific AWS region (such as us-east-1 or eu-west-1). Resources and services inside the VPC remain confined to that region; however, you can enable cross-region communication through services like AWS Transit Gateway or VPN connections.
High availability: By leveraging multiple Availability Zones (AZs) within a region, you can design a highly available and fault-tolerant architecture. Each AZ functions as a separate data center, so distributing your resources across them ensures resilience in case of failure.


2. Default Isolation from the Internet

Secure by design: When a VPC is created, all resources inside are isolated from the internet by default. This gives you complete control over which services are exposed publicly and which remain private. Initial isolation ensures that no external traffic can access your resources unless you explicitly configure it.
Custom internet access: To allow public access, you can create a public subnet and attach an Internet Gateway (IGW) to the VPC. Resources inside private subnets can still access the internet using NAT gateways or NAT instances, without being directly exposed.


3. Customizable IP Address Ranges

Flexible IP allocation: With AWS, you can define custom IP address ranges for your VPC using Classless Inter-Domain Routing (CIDR). This flexibility lets you set the IP range depending on your network design. The CIDR block size can range from /16 to /28 for IPv4, giving between 65,536 and 16 IP addresses.
Multiple CIDR blocks: If your VPC requires additional IP addresses later, you can associate more CIDR blocks (up to 5 for both IPv4 and IPv6). Keep in mind that overlapping ranges are not permitted.


4. Security Features

Security Groups: These act as stateful firewalls that control inbound and outbound traffic at the instance level. You can apply Security Groups to EC2 instances, RDS databases, and other resources, allowing or denying traffic based on rules.
Network Access Control Lists (NACLs): Unlike Security Groups, NACLs are stateless and operate at the subnet level. They add another security layer by allowing or denying specific traffic for entire subnets.
Flow logs: To monitor and analyze network traffic, you can enable VPC Flow Logs. They capture information about traffic going to and from network interfaces, which is helpful for audits and troubleshooting.


5. Subnet Segmentation

Public and private subnets: AWS VPC allows you to divide resources into public and private subnets. Public subnets connect to the internet (via IGW), while private subnets remain isolated for internal services such as databases. This ensures applications can securely separate front-end and back-end components.
Subnet creation in multiple AZs: For better redundancy, subnets can be created across different Availability Zones. This design improves both availability and fault tolerance.


6. Route Tables for Custom Routing

Custom routing: Route tables define where network traffic should go. You can create routes for communication between subnets, internet gateways, NAT gateways, VPNs, or VPC peering connections.
Private connectivity: VPC endpoints allow you to connect securely to AWS services like S3 and DynamoDB without routing traffic over the public internet.


7. Elastic IPs

Static public IPs: Elastic IP addresses provide a permanent public IP for your resources. In case of an instance failure, they can quickly be reassigned to maintain availability.


8. Integration with Other AWS Services

Seamless integration: VPC integrates smoothly with services like EC2, RDS, ELB, and Auto Scaling. Together, these allow you to design a complete cloud infrastructure within your VPC.
Hybrid connectivity: Using VPN or AWS Direct Connect, you can extend your on-premises network into the AWS VPC, enabling hybrid cloud setups.


9. VPC Peering and Transit Gateway

VPC Peering: This feature lets two VPCs communicate as if they were part of the same network, which is useful for linking different environments or applications.
Transit Gateway: For more complex networks, AWS Transit Gateway simplifies connectivity across multiple VPCs and on-premises environments through a single gateway.


10. High Availability and Fault Tolerance

Multi-AZ deployment: Running resources in multiple AZs ensures high availability. Even if one AZ experiences downtime, your application continues running from the others.
Backup and disaster recovery: By integrating with services like Amazon S3 and Amazon EBS, you can design reliable backup strategies and disaster recovery solutions.

Conclusion

Amazon Virtual Private Cloud (VPC) serves as the backbone of AWS networking, enabling you to design a secure, scalable, and customizable environment for hosting applications. By carefully planning and assigning CIDR blocks, you can define the IP address ranges for your workloads and ensure that your network design supports both present and future growth. Understanding the concepts of IPv4 and IPv6 CIDR blocks, their notations, and limitations is crucial to avoid conflicts and ensure smooth communication within your infrastructure.

Beyond addressing, AWS VPC provides powerful features such as subnets, route tables, gateways, security groups, and NACLs, all of which help build a layered and secure architecture. VPC peering, Transit Gateway, and hybrid connectivity options make it possible to interconnect multiple environments seamlessly, whether they are within AWS or extend to on-premises data centers. Additionally, tools like VPC Flow Logs give you visibility into traffic patterns, allowing for monitoring, troubleshooting, and maintaining compliance.

By learning how to create a custom VPC, configure CIDR blocks, and manage routing and security, you gain full control over your cloud networking. This flexibility not only enhances application availability and fault tolerance across multiple Availability Zones but also ensures resilience against failures and external threats.

In summary, mastering AWS VPC and its CIDR block configurations empowers you to build highly secure, scalable, and fault-tolerant applications in the cloud. Whether you are running small workloads or scaling to millions of users, VPC acts as the foundation of a robust cloud architecture, making it one of the most important services for any cloud practitioner or organization adopting AWS.