
IPv4 CIDR Subnetting Guide: Subnet Masks, VLSM, and Cloud Networking

10 min read

Every AWS VPC you create, every Kubernetes pod CIDR you configure, every firewall rule you write — all of them require you to read and reason about CIDR notation fluently. Yet CIDR arithmetic trips up developers regularly, leading to overlapping subnets, misconfigured security groups, and VPC peering failures. Use the IPv4 Subnet Calculator to verify your calculations as you work through this guide.

Anatomy of a CIDR Block

CIDR (Classless Inter-Domain Routing) notation expresses both a network address and its size in a single string: 10.0.0.0/24. The number after the slash is the prefix length — it tells you how many of the 32 bits in an IPv4 address belong to the network portion.

10.0.0.0/24

Address:          10.0.0.0   00001010.00000000.00000000.00000000
Prefix /24:       first 24 bits are the network
Host bits:        last 8 bits are available for hosts
Total addresses:  2^8 = 256 (but 2 are reserved, see below)

The prefix length directly determines how large the address space is. A longer prefix (higher number) means fewer available addresses; a shorter prefix means more.

Prefix Length Reference Table

CIDR   Subnet Mask        Total Addresses   Usable Hosts
/30    255.255.255.252                  4              2
/29    255.255.255.248                  8              6
/28    255.255.255.240                 16             14
/27    255.255.255.224                 32             30
/26    255.255.255.192                 64             62
/25    255.255.255.128                128            126
/24    255.255.255.0                  256            254
/23    255.255.254.0                  512            510
/22    255.255.252.0                1,024          1,022
/20    255.255.240.0                4,096          4,094
/16    255.255.0.0                  65,536         65,534

The usable host formula is always 2^(32 - prefix) - 2. The subtracted 2 accounts for the network address and the broadcast address, which cannot be assigned to hosts.

Network Address vs Broadcast Address

Within any subnet, two addresses are always reserved and cannot be assigned to devices:

  • Network address — the first address in the block. All host bits are 0. Used to identify the subnet itself, not a host.
  • Broadcast address — the last address in the block. All host bits are 1. Packets sent here reach every host in the subnet.

Subnet: 192.168.10.0/24

Network address:   192.168.10.0    (host bits all 0)
First usable host: 192.168.10.1
Last usable host:  192.168.10.254
Broadcast address: 192.168.10.255  (host bits all 1)
Usable hosts: 254

Use the IPv4 Range Expander to list every address in a CIDR block, or the IPv4 Address Converter to inspect the binary representation of any address.

Calculating Network and Broadcast Addresses

The subnet mask is a 32-bit number with the network bits set to 1 and the host bits set to 0. You derive the network address by performing a bitwise AND between the IP address and the subnet mask. To find the broadcast address, OR the network address with the bitwise inverse of the mask.

IP address:       10.4.17.200     00001010.00000100.00010001.11001000
Subnet mask /20:  255.255.240.0   11111111.11111111.11110000.00000000

Network = IP AND mask:
  00001010.00000100.00010001.11001000
  11111111.11111111.11110000.00000000
= 00001010.00000100.00010000.00000000
= 10.4.16.0

Inverse mask (wildcard): 0.0.15.255
Broadcast = Network OR inverse mask:
  10.4.16.0 OR 0.0.15.255 = 10.4.31.255

Result: 10.4.16.0/20
Network:   10.4.16.0
Broadcast: 10.4.31.255
Usable:    10.4.16.1 - 10.4.31.254 (4,094 hosts)
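The mask, AND and OR steps above, together with the usable-host formula and the prefix reference table from earlier in this guide, implemented with plain integer arithmetic so every bit operation is visible. This is an added example, not code from the DevToys post or its calculator; it uses only the Python standard library, the function names are my own, and the sample inputs are the post's own 10.4.17.200/20 and 192.168.10.0/24. It also handles the /31 and /32 edge cases (no broadcast address, every address usable) and flags a block whose address is not on its alignment boundary.

```python
# Added example (not from the DevToys post): CIDR arithmetic with plain
# integers so each step in the text (mask, AND, inverse mask, OR) is visible.

def ip_to_int(ip: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, rejecting bad octets."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    """Dotted binary form as printed in the post: 00001010.00000100.00010001.11001000"""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """Network bits set to 1, host bits 0 (e.g. /20 -> 255.255.240.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def usable_hosts(prefix: int) -> int:
    """2^(32-prefix) - 2, except /31 (RFC 3021 point-to-point) and /32 (single host)."""
    total = 1 << (32 - prefix)
    if prefix >= 31:
        return total  # /31 -> 2 usable, /32 -> 1 usable; there is no broadcast address
    return total - 2

def cidr_info(cidr: str) -> dict:
    """Network, broadcast, host range and counts for 'a.b.c.d/prefix'."""
    ip_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    ip = ip_to_int(ip_text)
    mask = prefix_to_mask(prefix)
    wildcard = mask ^ 0xFFFFFFFF          # bitwise inverse of the mask
    network = ip & mask                   # network = IP AND mask
    broadcast = network | wildcard        # broadcast = network OR inverse mask
    # For /31 and /32 every address is a host; otherwise skip network/broadcast.
    first = network if prefix >= 31 else network + 1
    last = broadcast if prefix >= 31 else broadcast - 1
    return {
        "aligned": network == ip,     # False: host bits set, block is misaligned
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "wildcard": int_to_ip(wildcard),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "total": 1 << (32 - prefix),
        "usable": usable_hosts(prefix),
    }

def prefix_table(prefixes=(30, 29, 28, 27, 26, 25, 24, 23, 22, 20, 16)) -> list:
    """Rows of (cidr, mask, total, usable), reproducing the reference table."""
    return [(f"/{p}", int_to_ip(prefix_to_mask(p)), 1 << (32 - p), usable_hosts(p))
            for p in prefixes]

if __name__ == "__main__":
    print("IP   ", to_binary(ip_to_int("10.4.17.200")))
    print("Mask ", to_binary(prefix_to_mask(20)))
    for key, value in cidr_info("10.4.17.200/20").items():
        print(f"{key:>10}: {value}")
    for row in prefix_table():
        print("{:>4} {:<16} {:>6,} {:>6,}".format(*row))
```

Feeding an address with host bits set (as in the worked example, or the misaligned 10.0.1.128/24 case) returns `aligned: False` with the block's true network address, which is the check to run before pasting a CIDR into infrastructure-as-code.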

Variable-Length Subnet Masking (VLSM)

VLSM lets you divide a larger CIDR block into subnets of different sizes, allocating address space efficiently rather than assigning equal-sized chunks everywhere. This is the standard approach in both on-premises network design and cloud VPCs.

Parent block: 10.0.0.0/20  (4,096 addresses)

Divide into:
  10.0.0.0/22 1,022 usable hosts (production app servers)
  10.0.4.0/22 1,022 usable hosts (staging)
  10.0.8.0/23   510 usable hosts (databases)
  10.0.10.0/24   254 usable hosts (management)
  10.0.11.0/26    62 usable hosts (bastion / jump hosts)
  10.0.11.64/26    62 usable hosts (reserved for growth)
  ...

Each child block starts where the previous one ends.
Children must not overlap the parent's boundaries.

The key constraint: a subnet's network address must be a multiple of its size. A /25 block (128 addresses) can start at .0 or .128, but not at .64. Violating this alignment rule is a common source of invalid CIDR errors in Terraform and CloudFormation.
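A first-fit VLSM allocator that carves a parent block into aligned children (largest first, so the alignment rule is satisfied automatically), plus a validator for a hand-written plan that reports misaligned blocks, blocks outside the parent, and overlaps. This is an added example, not the post's or the DevToys calculator's code; it relies only on Python's standard `ipaddress` module, and the function names and the size labels for the requests are my own. Run on the post's 10.0.0.0/20 plan it reproduces the same six blocks.

```python
# Added example (not from the DevToys post): VLSM allocation and validation.
import ipaddress

def allocate_vlsm(parent: str, requests: dict) -> dict:
    """Map each request (name -> prefix length) to a child network of the parent.
    Requests are placed largest first; each child starts where the previous ends,
    rounded up to a multiple of its own size (the alignment constraint)."""
    parent_net = ipaddress.ip_network(parent, strict=True)
    cursor = int(parent_net.network_address)
    end = int(parent_net.broadcast_address) + 1
    allocation = {}
    for name, prefix in sorted(requests.items(), key=lambda kv: kv[1]):
        size = 1 << (32 - prefix)
        start = (cursor + size - 1) // size * size   # next aligned boundary
        if start + size > end:
            raise ValueError(f"parent {parent} exhausted while placing {name} (/{prefix})")
        allocation[name] = ipaddress.ip_network(f"{ipaddress.IPv4Address(start)}/{prefix}")
        cursor = start + size
    return allocation

def validate_plan(parent: str, children: list) -> list:
    """Return human-readable problems; an empty list means the plan is valid."""
    problems = []
    parent_net = ipaddress.ip_network(parent)
    nets = []
    for cidr in children:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            # strict=True rejects host bits set, i.e. a misaligned network address
            fixed = ipaddress.ip_network(cidr, strict=False)
            problems.append(f"{cidr} is misaligned; nearest valid block is {fixed}")
            continue
        if not net.subnet_of(parent_net):
            problems.append(f"{net} lies outside parent {parent_net}")
        nets.append(net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

# The post's worked plan, expressed as (name -> prefix) requests.
PLAN = {"production": 22, "staging": 22, "databases": 23,
        "management": 24, "bastion": 26, "growth": 26}

if __name__ == "__main__":
    for name, net in allocate_vlsm("10.0.0.0/20", PLAN).items():
        print(f"{str(net):<16} {net.num_addresses - 2:>5} usable  ({name})")
    print(validate_plan("10.0.0.0/20", ["10.0.0.0/22", "10.0.2.0/24", "10.0.1.128/24"]))
```

Placing the largest requests first is what makes the allocator safe: once a /22 has consumed an aligned 1,024-address slot, every smaller block that follows starts on a boundary that is also a multiple of its own size, so no padding is wasted and no child straddles the parent's edge.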

RFC 1918 Private Address Ranges

Three address ranges are reserved for private use (RFC 1918) and are never routed on the public internet:

Range                       CIDR Block       Total Addresses   Typical Use
10.x.x.x                    10.0.0.0/8            16,777,216   Large enterprise networks, cloud VPCs
172.16.x.x – 172.31.x.x     172.16.0.0/12          1,048,576   Docker default bridge, mid-size LANs
192.168.x.x                 192.168.0.0/16            65,536   Home routers, small office networks

The 10/8 range is the most common choice for cloud infrastructure because its size gives you room to create many non-overlapping VPCs and subnets without running out of space.

AWS and Cloud VPC Sizing in Practice

AWS VPCs can use prefix lengths between /16 (65,536 addresses) and /28 (16 addresses). The conventional starting point is a /16 VPC divided into /24 subnets — one per availability zone per tier (public, private, data).

VPC: 10.10.0.0/16

Public subnets (one per AZ):
  10.10.0.0/24   us-east-1a  (254 hosts)
  10.10.1.0/24   us-east-1b
  10.10.2.0/24   us-east-1c

Private app subnets:
  10.10.10.0/24  us-east-1a
  10.10.11.0/24  us-east-1b
  10.10.12.0/24  us-east-1c

Private data subnets:
  10.10.20.0/24  us-east-1a
  10.10.21.0/24  us-east-1b
  10.10.22.0/24  us-east-1c

When peering VPCs — whether between AWS accounts, regions, or with an on-premises network via Direct Connect — the CIDRs must not overlap. Plan your address space before provisioning; re-IP-ing a VPC with running workloads is painful.

Note that AWS reserves 5 addresses in each subnet (not the standard 2): the network address, the VPC router, the DNS server, a reserved future-use address, and the broadcast address. A /24 subnet therefore gives you 251 usable addresses, not 254.

Docker and Kubernetes CIDRs

Container networking relies on the same CIDR building blocks. Docker's default bridge network is 172.17.0.0/16, drawn from the RFC 1918 172.16.0.0/12 range. Each container on the bridge gets an address from that pool.

Docker default bridge: 172.17.0.0/16    (65,534 usable addresses)
Custom Docker network: 192.168.100.0/24 (254 usable addresses)

Kubernetes (kubeadm defaults):
  Pod CIDR:     10.244.0.0/16   (Flannel default)
  Service CIDR: 10.96.0.0/12   (1,048,576 addresses)

Each node gets a /24 slice of the pod CIDR:
  Node 1 pods: 10.244.0.0/24
  Node 2 pods: 10.244.1.0/24
  Node 3 pods: 10.244.2.0/24

If your Kubernetes cluster runs inside an AWS VPC, ensure the pod and service CIDRs do not overlap with the VPC CIDR or any peered network. A conflict here causes silent routing failures that are difficult to diagnose.
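A pre-provisioning check for the two overlap rules stated in this section and in the VPC peering section above: every routed range (the VPC, each peered VPC or on-premises range, the pod CIDR and the service CIDR) must be pairwise disjoint, every subnet must sit inside its VPC, and AWS subnet capacity is computed with the 5 reserved addresses rather than 2. This is an added example, not code from the DevToys post or from AWS; it uses only Python's standard library, the function names are my own, and the peer ranges (a 10.0.0.0/16 corporate network and a 10.20.0.0/16 shared-services VPC) are constructed sample values alongside the post's 10.10.0.0/16 VPC and kubeadm defaults.

```python
# Added example (not from the DevToys post): overlap and containment checks
# for a VPC design that also hosts a Kubernetes cluster.
import ipaddress
from itertools import combinations

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, future use, broadcast

def aws_usable(cidr: str) -> int:
    """Usable addresses in an AWS subnet (AWS reserves 5, not the usual 2)."""
    net = ipaddress.ip_network(cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS VPC and subnet prefixes must be /16 to /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET

def find_overlaps(named_cidrs: dict) -> list:
    """Return [(name_a, name_b)] for every pair of ranges that overlap."""
    nets = {name: ipaddress.ip_network(c) for name, c in named_cidrs.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]

def check_design(vpc: str, subnets: dict, peers: dict,
                 pod_cidr: str, service_cidr: str) -> list:
    """Return a list of problems; empty means the address plan is consistent."""
    problems = []
    vpc_net = ipaddress.ip_network(vpc)
    for name, cidr in subnets.items():
        if not ipaddress.ip_network(cidr).subnet_of(vpc_net):
            problems.append(f"subnet {name} {cidr} is outside VPC {vpc}")
    # Every range a router must choose between has to be disjoint from the rest.
    routed = {"vpc": vpc, "pods": pod_cidr, "services": service_cidr, **peers}
    for a, b in find_overlaps(routed):
        problems.append(f"{a} ({routed[a]}) overlaps {b} ({routed[b]})")
    for a, b in find_overlaps(subnets):
        problems.append(f"subnet {a} ({subnets[a]}) overlaps subnet {b} ({subnets[b]})")
    return problems

# Constructed sample design: the post's VPC layout plus kubeadm defaults.
VPC = "10.10.0.0/16"
SUBNETS = {"public-1a": "10.10.0.0/24", "public-1b": "10.10.1.0/24",
           "app-1a": "10.10.10.0/24", "data-1a": "10.10.20.0/24"}
PEERS = {"onprem": "10.0.0.0/16", "shared-services-vpc": "10.20.0.0/16"}  # constructed
POD_CIDR, SERVICE_CIDR = "10.244.0.0/16", "10.96.0.0/12"

if __name__ == "__main__":
    print("clean design:", check_design(VPC, SUBNETS, PEERS, POD_CIDR, SERVICE_CIDR))
    # Pod CIDR reused from the VPC range: the silent-routing-failure case.
    print("pod overlap:", check_design(VPC, SUBNETS, PEERS, "10.10.0.0/16", SERVICE_CIDR))
    for name, cidr in SUBNETS.items():
        print(f"{name:<10} {cidr:<15} {aws_usable(cidr)} usable on AWS")
```

Because `overlaps` is symmetric and the check covers every pair, the function also catches the on-premises mistake from the list below (a 10.0.0.0/8 VPC against a 10.0.0.0/16 corporate network) with no special casing.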

Common Mistakes

  • /32 is a single host — 10.1.2.3/32 contains exactly one address. It is valid and useful in security group rules ("allow this exact IP") or routing entries, but it is not a subnet you can assign hosts to.
  • /31 is a point-to-point link — RFC 3021 permits /31 subnets for two-router links. There is no broadcast address; both addresses are usable. Not all platforms support this; check before using it in a cloud environment.
  • Misaligned network addresses — 10.0.1.128/24 is not a valid CIDR block. A /24 must start on a 256-address boundary: .0, never .128. Use the subnet calculator to validate before pasting into infrastructure-as-code.
  • Overlapping subnets with on-premises — Using 10.0.0.0/8 for your cloud VPC while your corporate network uses 10.0.0.0/16 means Direct Connect or VPN routing will break. Always allocate a distinct, non-overlapping CIDR for each environment.
  • Allocating too small a VPC — A /24 VPC gives you only 251 usable addresses on AWS. With three AZs and three tiers, you will run out quickly. Start with at least a /20, preferably a /16.

Work through your subnet designs interactively with the IPv4 Subnet Calculator. To enumerate every address in a range, use the IPv4 Range Expander. To inspect the binary breakdown of any address or mask, open the IPv4 Address Converter — all three tools run entirely in your browser with no data leaving your machine.