Skip to content

Network Layer

In this section we detail all the network design related specifications

  • VPCs CIDR blocks
  • VPC Gateways: Internet, NAT, VPN.
  • VPC Peerings
  • VPC DNS Private Hosted Zones Associations.
  • Network ACLS (NACLs)

VPCs IP Addressing Plan (CIDR blocks sizing)


VPCs can vary in size from 16 addresses (/28 netmask) to 65,536 addresses (/16 netmask). In order to size a VPC correctly, it is important to understand the number, types, and sizes of workloads expected to run in it, as well as workload elasticity and load balancing requirements.

Keep in mind that there is no charge for using Amazon VPC (aside from EC2 charges), therefore cost should not be a factor when determining the appropriate size for your VPC, so make sure you size your VPC for growth.

Moving workloads or AWS resources between networks is not a trivial task, so be generous in your IP address estimates to give yourself plenty of room to grow, deploy new workloads, or change your VPC design configuration from one to another. The majority of AWS customers use VPCs with a /16 netmask and subnets with /24 netmasks. The primary reason AWS customers select smaller VPC and subnet sizes is to avoid overlapping network addresses with existing networks.

So having AWS single VPC Design we've chosen a Medium/Small VPC/Subnet addressing plan which would probably fit a broad range variety of use cases

Networking - IP Addressing

Starting CIDR Segment (AWS Org)

  • AWS Org IP Addressing calculation is presented below based on segment
  • We started from and subnetted to /20
  • Resulting in Total Subnets: 256
    • 2 x AWS Account with Hosts/SubNet: 4094
    • 1ry VPC + 2ry VPC
    • 1ry VPC DR + 2ry VPC DR

Individual CIDR Segments (VPCs)

⏩ Then each of these are /20 to /24

  • Considering the whole Starting CIDR Segment (AWS Org) before declared, we'll start at

    • shared
      • 1ry VPC CIDR:
      • 2ry VPC CIDR:
      • 1ry VPC DR CIDR:
      • 2ry VPC DR CIDR:
    • apps-devstg
      • 1ry VPC CIDR:
      • 2ry VPC CIDR:
      • 1ry VPC DR CIDR:
      • 2ry VPC DR CIDR:
    • apps-prd
      • 1ry VPC CIDR:
      • 2ry VPC CIDR:
      • 1ry VPC DR CIDR:
      • 2ry VPC DR CIDR:
  • Resulting in Subnets: 16 x VPC

    • VPC Subnets with Hosts/Net: 256.
    • Eg: apps-devstg account → us-east-1 w/ 3 AZs → 3 x Private Subnets /az + 3 x Public Subnets /az
      • 1ry VPC CIDR:
        • Private, and
        • Public, and

Planned VPCs

Having defined the initial VPC that will be created in the different accounts that were defined, we are going to create subnets in each of these VPCs defining Private and Public subnets split among different availability zones:

Subnet address Netmask Range of addresses Hosts Assignment - 4094 1ry VPC: shared - 4094 2ry VPC: shared - 4094 1ry VPC DR: shared - 4094 2ry VPC DR: shared - 4094 1ry VPC: apps-devstg - 4094 2ry VPC: apps-devstg - 4094 1ry VPC DR: apps-devstg - 4094 2ry VPC DR: apps-devstg - 4094 1ry VPC: apps-prd - 4094 2ry VPC: apps-prd - 4094 1ry VPC DR: apps-prd - 4094 2ry VPC DR: apps-prd


Design considerations

  • 📒 AWS EKS: Docker runs in the CIDR range in Amazon EKS clusters. We recommend that your cluster's VPC subnets do not overlap this range. Otherwise, you will receive the following error:
    Error: : error upgrading connection: error dialing backend: dial tcp 172.17.nn.nn:10250: 
    getsockopt: no route to host
    Read more: AWS EKS network requirements
  • 📒 Reserved IP Addresses The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block, the following five IP addresses are reserved. For more AWS VPC Subnets IP addressing