
Subnet CIDR Notation: Complete Networking Guide

Every developer working with cloud infrastructure, security groups, Kubernetes networking, or firewall rules encounters CIDR notation. Yet for many developers coming from an application background, IP subnetting feels unnecessarily cryptic. This guide explains the concepts from the ground up, with the practical knowledge you need for day-to-day cloud and DevOps work.

The Problem CIDR Solves

Before CIDR (Classless Inter-Domain Routing), IP addresses were divided into fixed "classes" - Class A, B, and C - each with a fixed network/host boundary. A Class C network gave you exactly 254 usable addresses. A Class B gave you 65,534. There was nothing in between. Organizations either had too few addresses or wasted thousands of them.

CIDR, introduced in 1993 (RFC 1519), replaced the class system with a flexible notation that lets you specify any network boundary you need. The result: addresses are allocated more efficiently, routing tables are smaller (route aggregation), and you can create subnets of exactly the size you require.

Today, CIDR notation appears everywhere developers work:

  • AWS Security Groups: 0.0.0.0/0 (allow all), 10.0.0.0/8 (private network)
  • VPC CIDR blocks: 10.0.0.0/16
  • Kubernetes pod/service CIDR: 172.16.0.0/12
  • Nginx allow / deny directives
  • Firewall rules, iptables, and security group policies

IP Addresses: A Quick Refresher

An IPv4 address is 32 bits written as four decimal octets: 192.168.1.100. Each octet is a number from 0 to 255 (8 bits). The full address in binary looks like:

192.168.1.100
= 11000000.10101000.00000001.01100100

A subnet divides this 32-bit space into two parts: the network prefix (shared by all addresses in the subnet) and the host portion (unique to each device). CIDR notation tells you how many bits belong to the network prefix.

Reading CIDR Notation

A CIDR block is written as address/prefix-length. The prefix length (the number after the slash) tells you how many leading bits identify the network. The remaining bits are available for hosts.

192.168.1.0/24
                ^--- 24 bits = network, 8 bits = hosts
                     2^8 = 256 addresses (254 usable)

The formula is simple: a /N network has 2^(32-N) total addresses, minus 2 reserved (network address and broadcast address), giving 2^(32-N) - 2 usable host addresses.

Common Prefix Lengths at a Glance

  • /8 - 16,777,214 usable hosts. Example: 10.0.0.0/8 (entire Class A private range)
  • /16 - 65,534 usable hosts. Example: 10.0.0.0/16 (typical VPC size)
  • /24 - 254 usable hosts. Example: 192.168.1.0/24 (typical home/office subnet)
  • /28 - 14 usable hosts. Commonly used for small AWS subnets
  • /32 - 1 specific host (no range). Used in security group rules to target a single IP
  • /0 - all addresses (0.0.0.0/0). Used to mean "allow all" in security rules

Subnet Masks: The Traditional Representation

Before CIDR notation became universal, subnet masks were written in dotted decimal. The subnet mask has 1s for the network bits and 0s for the host bits:

CIDR    Subnet Mask       Binary
/8    = 255.0.0.0       = 11111111.00000000.00000000.00000000
/16   = 255.255.0.0     = 11111111.11111111.00000000.00000000
/24   = 255.255.255.0   = 11111111.11111111.11111111.00000000
/28   = 255.255.255.240 = 11111111.11111111.11111111.11110000

CIDR prefix length and subnet mask carry identical information. The CIDR form is more compact and is universally preferred in modern tooling.

Calculating a Network Range

Given a CIDR block, you can calculate the network address, broadcast address, and usable range:

Example: 10.0.1.0/26

Prefix length: 26
Host bits: 32 - 26 = 6
Total addresses: 2^6 = 64
Usable hosts: 64 - 2 = 62

Network address (all host bits = 0): 10.0.1.0
Broadcast address (all host bits = 1): 10.0.1.63
First usable host: 10.0.1.1
Last usable host: 10.0.1.62

To find the network address of any IP/prefix, perform a bitwise AND of the IP address with the subnet mask. This zeroes out the host portion.
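The bitwise arithmetic above, worked through in code. This is an added example and not part of the original post; it uses only integer operations so the mask, AND and OR steps are visible, and it special-cases /31 and /32, where there is no separate network or broadcast address (RFC 3021).

```python
# Added example: compute the range of an IPv4 CIDR block with plain integer
# arithmetic, mirroring the 10.0.1.0/26 walkthrough in the text.

def ip_to_int(dotted):
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_info(cidr):
    """Return network, broadcast, mask and usable range for an IPv4 CIDR."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: /{prefix}")
    # Mask: `prefix` leading 1-bits followed by (32 - prefix) 0-bits.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ip_to_int(addr) & mask             # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits set
    total = 1 << (32 - prefix)
    # The "minus 2" rule applies up to /30; /31 (point-to-point, RFC 3021)
    # and /32 (single host) have no reserved network/broadcast addresses.
    reserved = prefix <= 30
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "mask": int_to_ip(mask),
        "total": total,
        "usable": total - 2 if reserved else total,
        "first_host": int_to_ip(network + 1 if reserved else network),
        "last_host": int_to_ip(broadcast - 1 if reserved else broadcast),
    }

if __name__ == "__main__":
    for block in ("10.0.1.0/26", "192.168.1.77/24", "203.0.113.50/32"):
        print(block, cidr_info(block))
```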

Subnetting: Dividing a Network

Subnetting is the process of dividing a larger network into smaller ones. For a practical AWS example, suppose you have a VPC with CIDR 10.0.0.0/16 (65,534 usable hosts) and you want to create subnets for each availability zone.

VPC: 10.0.0.0/16

Subnet plan:
  Public subnet AZ-a:  10.0.0.0/24   (254 hosts)
  Public subnet AZ-b:  10.0.1.0/24   (254 hosts)
  Private subnet AZ-a: 10.0.10.0/24  (254 hosts)
  Private subnet AZ-b: 10.0.11.0/24  (254 hosts)
  Database subnet AZ-a: 10.0.20.0/28 (14 hosts)
  Database subnet AZ-b: 10.0.21.0/28 (14 hosts)

Each subnet is contained within the VPC range and does not overlap with another. The subnets use higher prefix lengths (more specific) than the VPC, which is how the hierarchy works.

AWS reserves 5 IP addresses in every subnet: network address, VPC router, DNS resolver, future use, and broadcast. A /28 subnet gives you 16 total addresses minus 5 reserved = 11 usable - not 14. Always account for cloud provider reservations when planning subnet sizes.

Private IP Address Ranges (RFC 1918)

Three IP ranges are reserved for private networks (not routable on the public internet):

  • 10.0.0.0/8 - 16.7 million addresses (used by large enterprises and cloud VPCs)
  • 172.16.0.0/12 - 1.05 million addresses (covers 172.16.0.0 to 172.31.255.255, used by Docker, Kubernetes)
  • 192.168.0.0/16 - 65,536 addresses (used by home routers and office networks)

When you configure a Kubernetes cluster, the pod CIDR is typically set to 172.16.0.0/12 or 10.244.0.0/16 and the service CIDR to 10.96.0.0/12. These must not overlap with your node network or each other.

Step-by-Step: Planning AWS VPC Subnets

  1. Choose a VPC CIDR: Use a /16 from the 10.0.0.0/8 range (e.g., 10.10.0.0/16). This gives you 65,534 addresses and ample room to subnet.
  2. Determine availability zones: Most regions have 3 AZs. Plan subnets in pairs (one per AZ) for public, private app, and private database tiers.
  3. Size your subnets: Use /24 (256 addresses) for app subnets with many servers. Use /27 or /28 for small resources like RDS instances or NAT gateways.
  4. Leave room for growth: Do not use contiguous ranges. Leave gaps so you can add subnets later without re-planning.
  5. Verify non-overlap: Use a subnet calculator to confirm no two subnets share any addresses.

# Example: 3-tier architecture across 2 AZs in 10.100.0.0/16

# Public (internet-facing load balancers)
10.100.0.0/24   public-us-east-1a
10.100.1.0/24   public-us-east-1b

# Private app (ECS/EC2 containers)
10.100.10.0/23  private-app-us-east-1a  (510 hosts)
10.100.12.0/23  private-app-us-east-1b

# Private data (RDS, ElastiCache)
10.100.20.0/27  private-db-us-east-1a   (27 usable after AWS reservations)
10.100.20.32/27 private-db-us-east-1b
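A checker for the plan above that covers the three things the earlier VPC section and step 5 call for: every subnet sits inside the VPC, no two subnets overlap, and the usable count accounts for the 5 addresses AWS reserves. This is an added example, not code from the original post; the plan dictionary is the 3-tier layout from the text and the 5-address reservation is the one described in the text.

```python
# Added example: validate an AWS VPC subnet plan with the standard library's
# ipaddress module. PLAN reproduces the post's 3-tier layout.
import ipaddress
from itertools import combinations

AWS_RESERVED = 5  # network, VPC router, DNS resolver, future use, broadcast

def aws_usable(cidr):
    """Instance addresses left in an AWS subnet after the 5 reserved ones."""
    return max(ipaddress.ip_network(cidr, strict=False).num_addresses - AWS_RESERVED, 0)

def validate_plan(vpc_cidr, plan):
    """Return a list of problems; an empty list means the plan is sound.

    plan maps subnet name -> CIDR string. strict=True rejects a CIDR whose
    host bits are not all zero (e.g. 10.100.20.40/27), a common typo.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = {name: ipaddress.ip_network(c, strict=True) for name, c in plan.items()}
    problems = []
    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
        if aws_usable(str(net)) < 1:
            problems.append(f"{name} {net} leaves no usable addresses after AWS reservations")
    for (a, na), (b, nb) in combinations(subnets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems

PLAN = {
    "public-us-east-1a": "10.100.0.0/24",
    "public-us-east-1b": "10.100.1.0/24",
    "private-app-us-east-1a": "10.100.10.0/23",
    "private-app-us-east-1b": "10.100.12.0/23",
    "private-db-us-east-1a": "10.100.20.0/27",
    "private-db-us-east-1b": "10.100.20.32/27",
}

if __name__ == "__main__":
    for name, cidr in PLAN.items():
        print(f"{name:24} {cidr:16} {aws_usable(cidr)} usable")
    print(validate_plan("10.100.0.0/16", PLAN) or "plan OK")
```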

CIDR in Security Rules

CIDR notation is used in security group rules, network ACLs, and firewall policies to specify which IP ranges are allowed or denied:

# Allow SSH only from a specific office IP
source: 203.0.113.50/32  port: 22  action: allow

# Allow all internal VPC traffic
source: 10.0.0.0/16  all ports  action: allow

# Allow HTTPS from the internet
source: 0.0.0.0/0   port: 443  action: allow

# Block an entire ISP's range
source: 198.51.100.0/24  action: deny

The /32 prefix is commonly misunderstood: it means a single specific IP address (all 32 bits are fixed). Use it when you want to allow only one specific machine.
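The rule list above evaluated in code, plus a check for the mistake the FAQ warns about (an admin port open to 0.0.0.0/0). This is an added example and not part of the original post; the rule format is a constructed simplification of a firewall or network ACL entry evaluated first-match, with anything unmatched implicitly denied.

```python
# Added example: match a source address and port against CIDR-based rules
# and flag allow rules that expose admin ports to the whole internet.
import ipaddress

# Constructed rules mirroring the ones in the text; port None = all ports.
RULES = [
    {"source": "198.51.100.0/24", "port": None, "action": "deny"},
    {"source": "203.0.113.50/32", "port": 22, "action": "allow"},
    {"source": "10.0.0.0/16", "port": None, "action": "allow"},
    {"source": "0.0.0.0/0", "port": 443, "action": "allow"},
]
ADMIN_PORTS = {22, 3389}  # SSH and RDP: should only ever come from /32 sources

def matches(rule, src_ip, port):
    """True if src_ip falls inside the rule's CIDR and the port applies."""
    net = ipaddress.ip_network(rule["source"], strict=False)
    return ipaddress.ip_address(src_ip) in net and rule["port"] in (None, port)

def decide(rules, src_ip, port):
    """First-match evaluation; traffic no rule allows is implicitly denied."""
    for rule in rules:
        if matches(rule, src_ip, port):
            return rule["action"]
    return "deny"

def overly_broad(rules):
    """Allow rules that open an admin port (or all ports) to 0.0.0.0/0."""
    return [r for r in rules
            if r["action"] == "allow"
            and ipaddress.ip_network(r["source"], strict=False).prefixlen == 0
            and (r["port"] is None or r["port"] in ADMIN_PORTS)]

if __name__ == "__main__":
    print(decide(RULES, "203.0.113.50", 22))   # the office host: allow
    print(decide(RULES, "203.0.113.51", 22))   # its neighbour: deny
    print(overly_broad(RULES + [{"source": "0.0.0.0/0", "port": 22, "action": "allow"}]))
```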

CIDR Aggregation: Summarizing Routes

One of CIDR's key benefits is route aggregation. Instead of advertising many specific routes, a router can advertise a single summary route that covers all of them. This is why ISPs use CIDR - it keeps the internet's routing tables manageable.

# These four /26 subnets:
10.0.0.0/26    (10.0.0.0  - 10.0.0.63)
10.0.0.64/26   (10.0.0.64 - 10.0.0.127)
10.0.0.128/26  (10.0.0.128 - 10.0.0.191)
10.0.0.192/26  (10.0.0.192 - 10.0.0.255)

# Can be summarized as a single /24:
10.0.0.0/24    (10.0.0.0  - 10.0.0.255)
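The aggregation step in code, generalized beyond the four /26 blocks above: it merges any two sibling blocks (same parent, so adjacent and aligned) into their parent, repeats until nothing merges, and drops blocks already covered by a larger one. This is an added example, not code from the original post; the standard library's ipaddress.collapse_addresses performs the same operation and is used here only as a cross-check.

```python
# Added example: summarize CIDR blocks into the fewest covering routes.
import ipaddress

def summarize(cidrs):
    """Return the minimal list of CIDRs covering exactly the input addresses."""
    nets = {ipaddress.ip_network(c, strict=True) for c in cidrs}
    # Drop any block that a larger block in the input already covers.
    nets = sorted(n for n in nets if not any(n != m and n.subnet_of(m) for m in nets))
    changed = True
    while changed:
        changed, merged, i = False, [], 0
        while i < len(nets):
            a = nets[i]
            b = nets[i + 1] if i + 1 < len(nets) else None
            # Siblings share a parent: same prefix length, same supernet.
            # 10.0.0.64/26 and 10.0.0.128/26 are adjacent but NOT siblings,
            # because 10.0.0.64 is not aligned on a /25 boundary.
            if (b is not None and a.prefixlen == b.prefixlen and a.prefixlen > 0
                    and a.supernet() == b.supernet()):
                merged.append(a.supernet())
                i, changed = i + 2, True
            else:
                merged.append(a)
                i += 1
        nets = sorted(merged)  # re-sort so newly formed parents pair up next pass
    return [str(n) for n in nets]

if __name__ == "__main__":
    quarters = ["10.0.0.0/26", "10.0.0.64/26", "10.0.0.128/26", "10.0.0.192/26"]
    print(summarize(quarters))                                       # ['10.0.0.0/24']
    print(summarize(["10.0.0.64/26", "10.0.0.128/26"]))              # adjacent, not aligned
    # Cross-check against the standard library implementation.
    stdlib = [str(n) for n in ipaddress.collapse_addresses(map(ipaddress.ip_network, quarters))]
    print(stdlib == summarize(quarters))
```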

Frequently Asked Questions

What does /24 mean in CIDR notation?

A /24 means the first 24 bits of the IP address identify the network, and the remaining 8 bits identify individual hosts. This gives 2^8 = 256 total addresses, with 254 usable hosts (the network address and broadcast address are reserved). The subnet mask equivalent is 255.255.255.0.

What is the difference between a subnet mask and CIDR notation?

They represent the same information in different formats. A subnet mask uses dotted decimal (e.g., 255.255.255.0), where each bit set to 1 represents a network bit. CIDR notation uses a prefix length (e.g., /24), which counts the number of leading 1-bits. They are interchangeable: /24 is exactly equivalent to 255.255.255.0. CIDR notation is more compact and is the modern standard.

How do I know if two CIDR blocks overlap?

Two CIDR blocks overlap if any IP address belongs to both. The quick check: convert both to their network address and host range, then see if the ranges intersect. For example, 10.0.0.0/24 covers 10.0.0.0 to 10.0.0.255, and 10.0.0.128/25 covers 10.0.0.128 to 10.0.0.255 - these overlap. AWS will reject subnet configurations with overlapping CIDRs. Use our Subnet Calculator to check ranges instantly.

What CIDR block should I use for a Kubernetes cluster?

Common Kubernetes CIDR assignments: pod CIDR 10.244.0.0/16 (Flannel default) or 192.168.0.0/16 (Calico default), service CIDR 10.96.0.0/12. The critical requirement is that pod CIDR, service CIDR, and your node network must not overlap. In a managed service like EKS, the pod CIDR is determined by the CNI plugin (aws-vpc-cni uses VPC IPs directly; others use an overlay network from a separate CIDR).

Why does AWS reserve 5 IP addresses in each subnet?

AWS reserves: (1) network address (first IP), (2) VPC router (second IP, e.g., 10.0.0.1), (3) DNS server (third IP, always the base +2), (4) reserved for future use (fourth IP), (5) broadcast address (last IP). This means a /28 subnet with 16 total addresses only provides 11 usable IPs for your instances, not 14. Always subtract 5 from the total when sizing AWS subnets.

What is the difference between /0 and /32 in security rules?

0.0.0.0/0 matches every IPv4 address - it is used to mean "allow traffic from anywhere" in security group ingress rules. x.x.x.x/32 matches exactly one specific IP address - used to allow traffic from a single trusted host (e.g., a specific office IP or bastion host). Using /32 for SSH access is a security best practice to restrict shell access to known IPs only.

Written by Usman Khan
DevOps Engineer | MSc Cybersecurity | CEH | AWS Solutions Architect

Usman has 10+ years of experience securing enterprise infrastructure, managing high-traffic servers, and building zero-knowledge security tools.