AWS VPC Subnet Planning
When you create a subnet in an AWS VPC, Amazon reserves 5 IP addresses in every subnet, not the 2 (network and broadcast) that classic subnetting reserves. Understanding these reservations is critical for sizing your subnets correctly.
AWS Reserved IPs
For any subnet, AWS reserves the first four addresses and the last one:
| Address | Purpose |
|---|---|
| Network + 0 | Network address |
| Network + 1 | VPC router |
| Network + 2 | Reserved by AWS for DNS (the VPC's DNS resolver sits at the VPC CIDR base + 2) |
| Network + 3 | Reserved by AWS for future use |
| Last address | Broadcast address (broadcast is not supported in a VPC, so the address is reserved) |
Example: In a 10.0.1.0/24 subnet:
- 10.0.1.0 is the network address
- 10.0.1.1 is the VPC router
- 10.0.1.2 is DNS
- 10.0.1.3 is reserved
- 10.0.1.255 is the broadcast address
- Usable range: 10.0.1.4 through 10.0.1.254 = 251 hosts
Minimum Subnet Size
The smallest subnet AWS allows is /28 (16 addresses, 11 usable). This is enforced by the VPC console and API. You cannot create a /29 or smaller.
Recommended VPC Layout
A common production VPC architecture uses a /16 VPC with /24 subnets across 3 availability zones:
VPC: 10.0.0.0/16 (65,536 addresses)
├── Public Subnets (internet-facing)
│   ├── 10.0.1.0/24 us-east-1a (251 hosts)
│   ├── 10.0.2.0/24 us-east-1b (251 hosts)
│   └── 10.0.3.0/24 us-east-1c (251 hosts)
├── Private Subnets (application tier)
│   ├── 10.0.11.0/24 us-east-1a (251 hosts)
│   ├── 10.0.12.0/24 us-east-1b (251 hosts)
│   └── 10.0.13.0/24 us-east-1c (251 hosts)
├── Database Subnets (data tier)
│   ├── 10.0.21.0/24 us-east-1a (251 hosts)
│   ├── 10.0.22.0/24 us-east-1b (251 hosts)
│   └── 10.0.23.0/24 us-east-1c (251 hosts)
└── Spare: 10.0.24.0 through 10.0.255.255
This leaves roughly 63,000 addresses unallocated for future growth.
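To make the reservation rules, the /28 minimum and the layout check above concrete, here is an added example (not code from the original page or from AWS) using Python's standard `ipaddress` module. It computes the five reserved addresses and the usable range for any AWS subnet, rejects anything smaller than a /28, and verifies that the three-tier layout above fits the VPC without overlapping CIDRs; the subnet list is constructed from the diagram.

```python
from ipaddress import IPv4Network

# AWS reserves five addresses per subnet: network, +1 router, +2 DNS, +3 future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5
AWS_MIN_PREFIX = 28  # the console and API reject /29 and smaller


def aws_reserved(subnet: str) -> dict:
    """Return the five addresses AWS reserves in `subnet`, keyed by purpose."""
    net = IPv4Network(subnet, strict=True)
    if net.prefixlen > AWS_MIN_PREFIX:
        raise ValueError(f"{net}: AWS subnets must be /{AWS_MIN_PREFIX} or larger")
    base = net.network_address
    return {
        "network": str(base),
        "router": str(base + 1),
        "dns": str(base + 2),  # reserved in every subnet; the resolver itself is VPC base + 2
        "future": str(base + 3),
        "broadcast": str(net.broadcast_address),
    }


def aws_usable(subnet: str) -> tuple:
    """First usable address, last usable address and usable host count for an AWS subnet."""
    net = IPv4Network(subnet, strict=True)
    aws_reserved(subnet)  # enforces the /28 minimum
    first, last = net.network_address + 4, net.broadcast_address - 1
    return str(first), str(last), net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_layout(vpc: str, subnets: list) -> int:
    """Check each subnet is a valid AWS subnet inside `vpc` and none overlap; return spare addresses."""
    vpc_net = IPv4Network(vpc, strict=True)
    nets = [IPv4Network(s, strict=True) for s in subnets]
    for n in nets:
        if not n.subnet_of(vpc_net):
            raise ValueError(f"{n} lies outside VPC {vpc_net}")
        aws_reserved(str(n))  # minimum-size check
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):  # overlapping CIDRs break peering and Transit Gateway
                raise ValueError(f"{a} overlaps {b}")
    return vpc_net.num_addresses - sum(n.num_addresses for n in nets)


# Sample input constructed from the three-tier layout above.
LAYOUT_VPC = "10.0.0.0/16"
LAYOUT_SUBNETS = [f"10.0.{third}.0/24" for third in (1, 2, 3, 11, 12, 13, 21, 22, 23)]

if __name__ == "__main__":
    print(aws_reserved("10.0.1.0/24"))
    print(aws_usable("10.0.1.0/24"))  # ('10.0.1.4', '10.0.1.254', 251)
    print(validate_layout(LAYOUT_VPC, LAYOUT_SUBNETS))  # 63232
```

The spare count it returns (63,232) is the "roughly 63,000" quoted above; the overlap check is the same one to run before peering or attaching VPCs to a Transit Gateway.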
Sizing Tips
| Scenario | Recommended CIDR | Usable (AWS) |
|---|---|---|
| Small service (few Lambda, ECS tasks) | /27 | 27 |
| Medium service (EC2 fleet) | /24 | 251 |
| Large service (EKS pods) | /20 | 4,091 |
| EKS with custom networking | /18 or larger | 16,379+ |
EKS consideration: Each pod gets its own IP address. A cluster with 200 pods across 10 nodes needs 210+ IPs, so a /24 per AZ is the minimum. For larger clusters, use /20 or /18 subnets.
Multi-Account Strategy
For organizations using AWS Organizations with multiple accounts:
- Allocate a /16 per account from your IPAM range.
- Use Transit Gateway to connect VPCs.
- Avoid overlapping CIDR ranges. This is the number one mistake in multi-account setups.
- Plan your IPAM (IP Address Management) ranges using RFC 1918 private address space:
  - 10.0.0.0/8 has 16.7M addresses (most common for VPCs)
  - 172.16.0.0/12 has 1M addresses
  - 192.168.0.0/16 has 65K addresses (usually too small for multi-account)
Common Mistakes
- Starting with a /24 VPC. You’ll run out of space fast. Always start with at least /20 for production; /16 is standard.
- Forgetting the 5 reserved IPs. A /28 has 16 addresses but only 11 usable in AWS.
- Not planning for multiple AZs. You need at least 2 subnets per tier (public, private, data) for high availability.
- Overlapping CIDRs across VPCs. This prevents VPC peering and Transit Gateway connectivity.
Tools
Use our subnet calculator with AWS VPC mode to see correct host counts with 5 reserved IPs. Our VLSM planner can also plan multi-AZ subnet layouts.
Other Cloud Providers
Different clouds have different reservations:
| Provider | Reserved IPs | Min Subnet | Guide |
|---|---|---|---|
| AWS | 5 | /28 | This page |
| Azure | 5 | /29 | Azure VNet Subnet Planning |
| GCP | 4 | /29 | GCP VPC Subnet Planning |
| OCI | 3 | /30 | OCI VCN Subnet Planning |
All modes are supported in our calculator.