ruk·si

🕸️ Subnets and Network Masks

Updated at 2025-07-03 01:28

TL;DR:

Using a /16 mask for the network (e.g. an AWS VPC) and /24 masks for the subnets is a reasonable starting point.

            bits   mask             description
network:    /16    255.255.0.0      65536 addresses; splits into 256 /24 subnets
subnets:    /24    255.255.255.0    256 addresses; up to 254 usable hosts in each subnet

The most vanilla network configuration is:

  • Use 192.168.0.0/16 for the whole network.
  • Use 192.168.X.0/24 for the subnets, where X is between 0 and 255.

Networks, Subnets and Masks - The Full Details

Computers in an IP network have an address divided into two parts: the network prefix and the host identifier.

[Network prefix][Host identifier]
[38].[124.10.55]        (/8  prefix)
[38.124].[10.55]        (/16 prefix)
[38.124.10].[55]        (/24 prefix)

The network prefix tells packet handlers such as routers where to forward a packet to reach the network. Once the packet has entered that network, the host identifier picks out the machine inside it.

The prefix length is written in Classless Inter-Domain Routing (CIDR) notation: a slash followed by the number of leading bits that belong to the network. The prefix length alone does not identify a network; you also need an address to apply it to.

/[Prefix Length in Bits]
/16

An IP address plus its prefix length carries all the information required to route packets.

38.124.10.55/24
    =>
    IP Address:         38.124.10.55
    CIDR:               /24
    Subnet Mask:        255.255.255.0     (24 leading one bits)
    Network Address:    38.124.10.0/24    (IP AND mask)
    Host Identifier:    0.0.0.55          (IP AND NOT mask, the remainder)
    Broadcast Address:  38.124.10.255     (last address in the subnet)
    Subnet Host Pool:   38.124.10.1 - 38.124.10.254
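The breakdown above done in code, as an added example that is not part of the original note: the mask is built from the prefix length, and the network address, host identifier and broadcast address fall out of the bitwise AND / AND NOT the text describes. It also covers the /31 and /32 edge cases the table does not show, and cross-checks itself against Python's standard `ipaddress` module.

```python
import ipaddress


def ipv4_to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ipv4(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr: str) -> dict:
    """Decompose 'a.b.c.d/p': the mask is p leading one bits, network = IP AND mask,
    host id = IP AND NOT mask, broadcast = network with every host bit set."""
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got /{prefix}")
    ip = ipv4_to_int(addr)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # /24 -> 255.255.255.0
    hostmask = ~mask & 0xFFFFFFFF                        # the bits the mask clears
    network = ip & mask
    host_id = ip & hostmask
    broadcast = network | hostmask
    if prefix <= 30:
        # First and last addresses are the network and broadcast addresses.
        pool = (int_to_ipv4(network + 1), int_to_ipv4(broadcast - 1))
    else:
        # /31 point-to-point links (RFC 3021) and /32 host routes use every address.
        pool = (int_to_ipv4(network), int_to_ipv4(broadcast))
    result = {
        "ip": addr,
        "cidr": f"/{prefix}",
        "mask": int_to_ipv4(mask),
        "network": f"{int_to_ipv4(network)}/{prefix}",
        "host_id": int_to_ipv4(host_id),
        "broadcast": int_to_ipv4(broadcast),
        "host_pool": pool,
    }
    # Cross-check the hand-rolled arithmetic against the standard library.
    ref = ipaddress.ip_network(cidr, strict=False)
    assert str(ref) == result["network"]
    assert str(ref.broadcast_address) == result["broadcast"]
    return result


if __name__ == "__main__":
    for key, value in describe("38.124.10.55/24").items():
        print(f"{key:>10}: {value}")
```

Run it with any `address/prefix`; the `assert` lines at the end will fail loudly if the manual arithmetic ever disagrees with `ipaddress`, which is the kind of self-check worth keeping in anything that generates firewall rules from CIDRs.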

IP networks are divided into subnets, mainly to contain broadcast traffic and to create boundaries where routing and filtering policy can be applied. A subnet is created by borrowing bits from the host identifier to identify a network inside the larger network prefix, hence the name.

There are three address blocks reserved for private networks in IPv4 (RFC 1918). Addresses in this space are only unique within your own network and are not routed on the public Internet; to communicate with the Internet a machine needs a globally unique public address, or a NAT gateway that translates to one on its behalf.

Private Network Addresses
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

To reach the Internet from a host in a private network, you need a default gateway (in a private network, typically a NAT gateway). Every packet addressed outside the host's own subnet is sent to the gateway, which forwards it on.

If the host's subnet is 192.168.0.0/24, all packets addressed to anything
other than 192.168.0.X are sent to the gateway.

Bits are borrowed from the host identifier to create subnets.

Borrowing 2 bits from the host part of 192.168.5.0/24 gives 4 subnets of /26 (host pools shown):
192.168.5.0/26      = 192.168.5.1   - 192.168.5.62
192.168.5.64/26     = 192.168.5.65  - 192.168.5.126
192.168.5.128/26    = 192.168.5.129 - 192.168.5.190
192.168.5.192/26    = 192.168.5.193 - 192.168.5.254

That leaves 6 bits for the host identifier, which allows 62 hosts
per subnet. The number of usable hosts is 2^h - 2, where h is the number
of bits left for hosts in the subnet.
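The bit-borrowing step as code, added here as an example and not taken from the original note: it carves a network into equal subnets of a chosen prefix length, lists each one's host pool and broadcast address, and applies the 2^h - 2 rule. It goes slightly beyond the text by handling /31 and /32, where the rule does not apply (RFC 3021 point-to-point links use both addresses; a /32 is a single host route).

```python
import ipaddress


def usable_hosts(prefix: int) -> int:
    """Usable host addresses for an IPv4 prefix: 2^h - 2 with h = 32 - prefix.
    Exceptions: /31 (RFC 3021 point-to-point links, both addresses usable)
    and /32 (a single host route)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got /{prefix}")
    h = 32 - prefix
    return 2 ** h if prefix >= 31 else 2 ** h - 2


def split(network: str, new_prefix: int) -> list:
    """Borrow (new_prefix - prefix) bits from the host identifier to carve
    `network` into 2^borrowed subnets, and list each one's network address,
    usable host pool and broadcast address."""
    net = ipaddress.ip_network(network)
    if new_prefix < net.prefixlen:
        raise ValueError(f"cannot split /{net.prefixlen} into larger /{new_prefix} blocks")
    borrowed = new_prefix - net.prefixlen
    subnets = []
    for sub in net.subnets(new_prefix=new_prefix):
        first, last = sub.network_address, sub.broadcast_address
        if new_prefix <= 30:
            first, last = first + 1, last - 1   # skip network and broadcast addresses
        subnets.append({
            "network": str(sub),
            "first_host": str(first),
            "last_host": str(last),
            "broadcast": str(sub.broadcast_address),
            "usable": usable_hosts(new_prefix),
        })
    assert len(subnets) == 2 ** borrowed   # borrowing b bits always yields 2^b subnets
    return subnets


if __name__ == "__main__":
    for s in split("192.168.5.0/24", 26):
        print(f'{s["network"]:<18} = {s["first_host"]} - {s["last_host"]}  '
              f'(broadcast {s["broadcast"]}, {s["usable"]} hosts)')
```

Running it reproduces the four /26 ranges listed above; changing the second argument to 27 or 28 shows how each extra borrowed bit doubles the subnet count and roughly halves the host pool.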

A network has a subnet mask: a bit mask which, ANDed with any IP address in the network, yields the network prefix.

IP Address:         192.168.5  .130
Subnet Mask:        255.255.255.0   (/24 CIDR)
Network Prefix:     192.168.5  .0
Host Identifier:    0  .0  .0  .130

IP Address 192.168.5.130 with a mask 255.255.255.0 can be written
as 192.168.5.130/24.

The CIDR prefix length is a shorter way to write a subnet mask: it is simply the count of leading one bits.

11111111.11111111.11111111.00000000     // Binary
255.255.255.0                           // Subnet Mask
/24                                     // CIDR

The network address of a subnet is always its first address. You can't assign it to a host.

Network             -> Network Address
192.168.5.0/26      -> 192.168.5.0
192.168.5.64/26     -> 192.168.5.64
192.168.5.128/26    -> 192.168.5.128
192.168.5.192/26    -> 192.168.5.192

The broadcast address is always the last address in a subnet, and it can't be assigned to a host either.

Network             -> Broadcast Address
192.168.5.0/26      -> 192.168.5.63
192.168.5.64/26     -> 192.168.5.127
192.168.5.128/26    -> 192.168.5.191
192.168.5.192/26    -> 192.168.5.255

This is why a subnet always has 2 fewer usable hosts than addresses. Two caveats: a /31 point-to-point link (RFC 3021) uses both of its addresses, and cloud providers reserve more than two. An AWS VPC subnet loses 5 addresses (the first four and the last), so a /24 there has 251 usable hosts rather than 254.

Availability Zone Segmentation

In cloud environments, especially with AWS, it's common to segment networks across multiple Availability Zones (AZs) to ensure high availability and fault tolerance.

Distribute `/24` subnets across multiple AZs:
- AZ-A: 192.168.1.0/24
- AZ-B: 192.168.2.0/24
- etc.

Subnets inside one VPC must not overlap; reserving a distinct block per AZ up front keeps the layout predictable and avoids routing conflicts when you add zones later.

Security Zone Segmentation

It is also common to segment networks into security zones, such as public, private and database subnets, so that firewall rules and routing policy can be applied per zone.

Public subnets (e.g. 192.168.1.0/24): Internet-facing, load balancers, NAT gateways
Private subnets (e.g. 192.168.2.0/24): Application servers, no direct Internet access
Database subnets (e.g. 192.168.3.0/24): Backend services, most restrictive
Admin subnets (e.g. 192.168.254.0/24): Admin access, monitoring, bastion hosts

In the simplest setup:

  • Only the public subnet is reachable from the public Internet (inbound).
  • From there onwards, you only allow the ports needed between subnets.
  • Allow port 22 into the public, private and db subnets only from the admin subnet, and allow port 22 into the admin subnet only from company IPs.
  • For outbound, you usually allow things like HTTP (80) and HTTPS (443) for API calls, all traffic inside the subnet, and, on stateless filters such as AWS network ACLs, the ephemeral TCP ports 1024-65535 for return traffic (stateful security groups track return traffic themselves). You can also be more restrictive.
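The zone rules above expressed as a default-deny policy check, added here as an example and not code from the original note. The zone ranges are the ones used in the text; the company egress range (a documentation range), the application port 8080 and the database port 5432 are assumptions for illustration. Anything not explicitly listed is denied, which is the property worth testing before the same rules are typed into security groups or ACLs.

```python
from ipaddress import ip_address, ip_network

# Constructed zones, matching the example ranges in the text.
ZONES = {
    "public":  ip_network("192.168.1.0/24"),
    "private": ip_network("192.168.2.0/24"),
    "db":      ip_network("192.168.3.0/24"),
    "admin":   ip_network("192.168.254.0/24"),
}
# Hypothetical company egress range (RFC 5737 documentation space).
COMPANY = ip_network("203.0.113.0/24")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Inbound allow-list: (source zone, destination zone, TCP ports). Everything not
# listed is denied. Ports 8080 and 5432 are assumptions for illustration.
INBOUND_RULES = [
    ("internet", "public",  {80, 443}),   # only the public zone is reachable from outside
    ("public",   "private", {8080}),      # load balancers -> application servers
    ("private",  "db",      {5432}),      # application servers -> databases
    ("company",  "admin",   {22}),        # SSH into the admin zone only from company IPs
    ("admin",    "public",  {22}),        # admin/bastion hosts may SSH into the other zones
    ("admin",    "private", {22}),
    ("admin",    "db",      {22}),
]


def zone_of(ip: str) -> str:
    """Map an address to the zone it belongs to."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if addr in COMPANY:
        return "company"
    if any(addr in net for net in RFC1918):
        return "unallocated-private"   # private space we never assigned: deny by default
    return "internet"


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default-deny decision for a new TCP connection src -> dst:port."""
    s, d = zone_of(src), zone_of(dst)
    if s == d and s in ZONES:
        return True   # all traffic inside a subnet is allowed
    return any(s == rs and d == rd and port in ports for rs, rd, ports in INBOUND_RULES)


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 stands in for an arbitrary Internet host.
    for flow in [("198.51.100.7", "192.168.1.10", 443), ("198.51.100.7", "192.168.2.10", 8080),
                 ("192.168.254.5", "192.168.3.10", 22), ("192.168.1.10", "192.168.3.10", 5432)]:
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
```

Note that the public zone cannot reach the database zone directly even on the database port: traffic has to hop through the private zone, which is the whole point of the layering.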

AZ and SZ Segmentation Example

In this example the security zone is the higher level of segmentation and the AZ is the lower level: each zone is one contiguous /20, so a single CIDR covers all of a zone's AZs in route tables and firewall rules, while each tier is still spread across AZs for high availability.

10.0.0.0/16 VPC
│
├── 10.0.0.0/20 (PUBLIC, fewer addresses as mainly entry points)
│   ├── 10.0.0.0/24 (Public-AZ-A)   ← Load balancers in AZ-A
│   ├── 10.0.1.0/24 (Public-AZ-B)   ← Load balancers in AZ-B
│   └── 10.0.2.0/24 (Public-AZ-C)   ← Load balancers in AZ-C
│
├── 10.0.16.0/20 (PRIVATE, more addresses for applications)
│   ├── 10.0.16.0/23 (Private-AZ-A) ← Applications in AZ-A
│   ├── 10.0.18.0/23 (Private-AZ-B) ← Applications in AZ-B
│   └── 10.0.20.0/23 (Private-AZ-C) ← Applications in AZ-C
│
└── 10.0.32.0/20 (DATABASE, even fewer addresses as mainly databases)
    ├── 10.0.32.0/26   (DB-AZ-A)    ← Databases in AZ-A
    ├── 10.0.32.64/26  (DB-AZ-B)    ← Databases in AZ-B
    └── 10.0.32.128/26 (DB-AZ-C)    ← Databases in AZ-C

etc.
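The two-level allocation above generated and validated in code, as an added example rather than anything from the original note: each zone takes the next /20 of the VPC, each AZ takes the next subnet of that zone's chosen size, and a second function checks the result for overlapping ranges, which a VPC will refuse. The zone names, prefix lengths and AZ labels are the ones in the tree; the /20 zone size is a parameter.

```python
import ipaddress
from itertools import combinations


def plan_vpc(vpc_cidr: str, zones: dict, azs: list, zone_prefix: int = 20) -> dict:
    """Two-level allocation: each security zone gets the next /zone_prefix block
    of the VPC, and that block is carved into one subnet per AZ using the
    zone's own subnet prefix length. Returns {"Public-AZ-A": "10.0.0.0/24", ...}."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=zone_prefix)
    plan = {}
    for zone, subnet_prefix in zones.items():
        block = next(blocks, None)
        if block is None:
            raise ValueError(f"VPC {vpc} has no room for zone {zone!r} at /{zone_prefix}")
        subnets = block.subnets(new_prefix=subnet_prefix)
        for az in azs:
            subnet = next(subnets, None)
            if subnet is None:
                raise ValueError(f"zone {zone!r} block {block} has no room for {az}")
            plan[f"{zone}-{az}"] = str(subnet)
    return plan


def overlapping(plan: dict) -> list:
    """Return every pair of subnets in the plan whose ranges overlap.
    An empty list means the plan is valid for a VPC, where subnets must be disjoint."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    layout = plan_vpc("10.0.0.0/16", {"Public": 24, "Private": 23, "DB": 26},
                      ["AZ-A", "AZ-B", "AZ-C"])
    for name, cidr in layout.items():
        print(f"{name:<14} {cidr}")
    print("overlaps:", overlapping(layout))
```

The output matches the tree above. Remember the AWS reservation when sizing the smallest tier: a /26 has 64 addresses but only 59 usable in a VPC subnet, since AWS reserves the first four and the last.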

Tools

Sources