Skip to content

Subnet

This article explains AWS subnets, their types, requirements, and configuration considerations within a Virtual Private Cloud.

In AWS, a subnet is a contiguous range of IP addresses within a Virtual Private Cloud (VPC). Each subnet resides in a single Availability Zone (AZ) and determines where resources—such as EC2 instances—are placed. Selecting a subnet implicitly chooses the AZ for those resources, enabling high availability and fault isolation.

What Is an AWS Subnet?

  • A subnet’s CIDR block must be a subset of its VPC’s CIDR block.
  • AWS supports subnet sizes from /16 (65,536 IPs) down to /28 (16 IPs).
  • You distribute subnets across multiple AZs to increase resilience.

Example:

  • Subnet A: 192.168.10.0/24 in us-east-1a
  • Subnet B: 192.168.20.0/24 in us-east-1b

By spreading workloads across AZs, you achieve higher availability and withstand AZ-level failures.

Public vs. Private Subnets

Subnet Type Route Target Typical Use Cases
Public Internet Gateway Web servers, load balancers
Private NAT Gateway Databases, application servers
  • Public subnets have a route to an Internet Gateway (IGW) for direct internet access.
  • Private subnets use a NAT Gateway (or NAT instance) for outbound internet connectivity without exposing resources to inbound traffic.

Configure route tables to associate subnets with the IGW or NAT Gateway as needed.

Subnet Requirements

  1. CIDR containment\ Your subnet’s CIDR must lie within the VPC’s CIDR block.
  2. Valid: VPC 192.168.0.0/16, Subnet 192.168.10.0/24

  3. Invalid: VPC 192.168.0.0/16, Subnet 10.100.1.0/24

  4. Reserved IP addresses\ AWS reserves five IPs in each subnet:

Address Offset Purpose
.0 Network address
.1 VPC router
.2 DNS
.3 AWS future use
/.last Broadcast address
  1. Size constraints
  2. Minimum: /28 (16 IPs)
  3. Maximum: /16 (65,536 IPs)

The image explains subnet requirements within a VPC, including CIDR range, block size, and reserved IP addresses, with a diagram showing public subnets in two availability zones.

Configuration Considerations

  • No overlapping CIDRs within the same VPC. Overlapping is only permitted across distinct VPCs.

Warning

Defining overlapping CIDR blocks in the same VPC causes route conflicts and deployment failures.

Example of an invalid overlap:

10.16.0.0/24
10.16.0.128/25
  • IPv6 support: You can associate a /56 IPv6 CIDR block with your VPC. Subnets may be configured as:
  • IPv4 only
  • IPv6 only

  • Dual-stack (IPv4 + IPv6)

  • Default communication: All subnets in a VPC can communicate without extra route entries.

  • Auto-assign public IP: Enabling this on a subnet ensures every instance launched receives a public IPv4/IPv6 address in addition to its private IP.

The image illustrates subnet configuration options within a VPC, highlighting that subnets cannot overlap, can allow for optional IPv6 CIDR, and can be configured as IPv6 only. It includes a diagram showing two public subnets in different availability zones with specific CIDR blocks.

Summary

  • Subnets are AZ-scoped IP ranges within a VPC.
  • Choose public or private routing by using an Internet Gateway or NAT Gateway.
  • Support for IPv4, IPv6, or dual-stack.
  • CIDR blocks must be non-overlapping and nested within the VPC’s CIDR.

Key Takeways

  • Subnets are a range of IP address within a VPC
  • Subnets reside within a single Availability Zone
  • Subnets can be made public/private using Internet Gateways and Nat Gateways
  • Subnets can be configured for IPv4 and/or IPv6
  • Subnets cannot overlap with other subnets in a VPC