More about CIDR blocks and explanation of IP address portions


✅ 1. What is a CIDR block?

A CIDR block is a way to represent an IP address range using this format:

<base IP>/<prefix length>

Example:

10.0.0.0/16

It tells you two things:

1) Network portion — the part that identifies the network

2) Host portion — the part used for individual devices (hosts) inside that network


🎯 2. Network Portion vs Host Portion

Let’s take this example:

10.0.0.0/16

Binary representation of the IP:

00001010.00000000.00000000.00000000

Prefix “/16” means:

  • First 16 bits → network portion

  • Last 16 bits → host portion

So:

Portion          | What it means | Controls
-----------------|---------------|--------------------------------------------------------
Network portion  | Fixed         | Defines your “overall network” or VPC size
Host portion     | Variable      | Defines number of usable IP addresses inside the network

So what does this allow?

10.0.0.0 → 10.0.255.255

Meaning:

  • All IPs from 10.0.0.0 to 10.0.255.255

  • Total = 65,536 IPs (but AWS reserves 5 per subnet)

Why we care:

  • Network portion determines the size of the network.

  • Host portion determines how many subnets and hosts you can carve out.
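To make the network/host split concrete, here is a short Python example. It is added to these notes (it is not code from the original page) and uses only the standard-library ipaddress module: it prints the dotted-binary form shown above, cuts the 32 bits into network and host portions at the prefix length, lists the first and last address of the block, and applies the five-address AWS reservation mentioned above under the assumption that the whole block is used as one subnet. The block strings are the ones from the notes; the helper names are this example's own.

```python
import ipaddress

# Constructed values for this example: the VPC block used in the notes and
# the five addresses AWS reserves in every subnet (network address, VPC
# router, DNS, one reserved for future use, broadcast).
VPC_CIDR = "10.0.0.0/16"
AWS_RESERVED_PER_SUBNET = 5


def to_binary(ip):
    """Dotted-binary form of an IPv4 address, as written in the notes above."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)


def split_portions(cidr):
    """Return (network_bits, host_bits) of a CIDR block as bit strings."""
    net = ipaddress.IPv4Network(cidr)
    bits = f"{int(net.network_address):032b}"
    return bits[: net.prefixlen], bits[net.prefixlen :]


def is_valid_block(cidr):
    """A CIDR block is only well-formed if the host portion of its base IP is all zeros."""
    try:
        ipaddress.IPv4Network(cidr, strict=True)
        return True
    except ValueError:  # e.g. "10.0.5.0/16": host bits are set in the base IP
        return False


def describe(cidr):
    """Summarise what the prefix length says about the block."""
    net = ipaddress.IPv4Network(cidr)
    host_bits = 32 - net.prefixlen
    total = 2 ** host_bits
    return {
        "netmask": str(net.netmask),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "host_bits": host_bits,
        "total_addresses": total,
        # Assumes the block is carved as a single AWS subnet.
        "aws_usable": total - AWS_RESERVED_PER_SUBNET,
    }


if __name__ == "__main__":
    print(to_binary("10.0.0.0"))
    net_bits, host_bits = split_portions(VPC_CIDR)
    print(f"network portion: {net_bits}  host portion: {host_bits}")
    for cidr in (VPC_CIDR, "10.0.0.0/20", "10.0.1.0/24"):
        print(cidr, describe(cidr))
    print("10.0.5.0/16 valid?", is_valid_block("10.0.5.0/16"))
```

The strict check matters in practice: a VPC or subnet definition such as 10.0.5.0/16 is rejected by the library (and by AWS) because its host portion is not zero, which is exactly the “network portion is fixed” rule from the table above.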


🧩 3. Why do VPC examples use 10.0.x.x/16?

Because 10.x.x.x is part of the RFC 1918 private IP ranges, which are reserved for private networks (LANs, VPCs).

These addresses:

  • do not exist on the public internet

  • are not routable globally

  • are safe for internal use

  • are industry standard for private networks and cloud VPCs

This is why AWS, GCP, Azure examples use:

  • 10.0.0.0/16

  • 172.31.0.0/16

  • 192.168.0.0/24

Using 10.0.0.0/16 is just a convention, but a widely adopted one.


📌 Why specifically 10.0.0.0/16 for VPC labs?

Because it is:

  • easy to understand

  • easy to subdivide e.g.:

    Subnet           | CIDR         | Type
    -----------------|--------------|--------
    Public Subnet A  | 10.0.1.0/24  | Public
    Public Subnet B  | 10.0.2.0/24  | Public
    Private Subnet A | 10.0.10.0/24 | Private
    Private Subnet B | 10.0.11.0/24 | Private

  • large enough (65k addresses) but not massively oversized

  • unlikely to overlap with corporate networks (a real concern in enterprise AWS)

Enterprises often intentionally avoid overlapping IPs to avoid VPN conflicts.


👍 Is using 10.0.0.0/16 general practice?

Yes. Very common. But NOT a rule.

Common patterns in real companies:

  • Small VPC: 10.0.0.0/16

  • Medium: 10.0.0.0/12

  • Large: 10.0.0.0/8 (rare, enterprise only)

  • Multi-environment split:

    • prod: 10.10.0.0/16

    • stage: 10.20.0.0/16

    • dev: 10.30.0.0/16

Cloud providers also pick defaults:

  • AWS default VPC: 172.31.0.0/16

  • GCP default network: 10.128.0.0/9

All chosen from private IP ranges.
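The lab subnet table above and the prod/stage/dev split in this section are both plans that can be checked mechanically: every subnet must sit inside the VPC, subnets must not overlap each other, the VPC must not overlap any range it will be connected to over VPN or peering, and everything should come from RFC 1918 space. The Python below is an added example for these notes, not code from the page or from any cloud provider. The three RFC 1918 ranges are taken from the RFC; the corporate LAN range is constructed to reproduce the overlap problem described above.

```python
import ipaddress
from itertools import combinations

# The three RFC 1918 private ranges (from RFC 1918, not from the notes).
RFC1918 = [ipaddress.IPv4Network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Subnet plan from the lab table above.
LAB_SUBNETS = {
    "Public Subnet A": "10.0.1.0/24",
    "Public Subnet B": "10.0.2.0/24",
    "Private Subnet A": "10.0.10.0/24",
    "Private Subnet B": "10.0.11.0/24",
}

# Constructed on-prem range: a corporate LAN that also happens to use
# 10.0.0.0/16, the VPN-conflict scenario the notes warn about.
ON_PREM = {"corporate-lan": "10.0.0.0/16"}

# Multi-environment split from the notes.
ENVIRONMENTS = {"prod": "10.10.0.0/16", "stage": "10.20.0.0/16", "dev": "10.30.0.0/16"}


def is_rfc1918(cidr):
    """True if the block lies entirely inside one RFC 1918 range."""
    net = ipaddress.IPv4Network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def validate_plan(vpc_cidr, subnets, external_ranges=None):
    """Return a list of problems with a VPC/subnet plan (empty list = plan is clean).

    subnets:         name -> CIDR of subnets that must live inside the VPC
    external_ranges: name -> CIDR of networks the VPC must not overlap
                     (on-prem LANs, peered VPCs, VPN address pools)
    """
    problems = []
    vpc = ipaddress.IPv4Network(vpc_cidr)
    if not is_rfc1918(vpc_cidr):
        problems.append(f"VPC {vpc} is not an RFC 1918 private range")

    nets = {name: ipaddress.IPv4Network(c) for name, c in subnets.items()}
    # Every subnet's network portion must extend the VPC's network portion.
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} does not fit inside VPC {vpc}")
    # Two subnets sharing addresses would make routing inside the VPC ambiguous.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    # Overlap with a connected network means traffic cannot be routed across the link.
    for name, c in (external_ranges or {}).items():
        ext = ipaddress.IPv4Network(c)
        if vpc.overlaps(ext):
            problems.append(f"VPC {vpc} overlaps {name} {ext}")
    return problems


if __name__ == "__main__":
    print("lab plan:", validate_plan("10.0.0.0/16", LAB_SUBNETS) or "ok")
    print("lab plan + on-prem:", validate_plan("10.0.0.0/16", LAB_SUBNETS, ON_PREM))
    print("prod vs other envs:", validate_plan("10.10.0.0/16", {}, {k: v for k, v in ENVIRONMENTS.items() if k != "prod"}) or "ok")
```

Run against the lab plan alone the check passes; adding the constructed corporate LAN flags the /16 collision, which is the reason enterprises choose blocks like 10.10.0.0/16 per environment rather than reusing 10.0.0.0/16 everywhere.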


🔥 Putting it all simply:

Network portion (/16)

  • Defines your entire VPC size

  • Doesn’t change within the VPC

Host portion

  • Used to carve subnets inside the VPC

  • Public vs Private subnets take slices of this portion

Why 10.0.x.x?

Because:

  • It belongs to the private IP ranges recommended by IPv4 standards

  • It’s clean, predictable, and large

  • AWS and cloud tutorials commonly use it



What the Network Portion Actually Does

The network portion of an IP address does more than just identify a VPC or determine how many IPs you get. Its real purpose is deeper and fundamental to how devices communicate.

Let’s break it down clearly.

1. Identifies the network

It tells routers:

“This IP belongs to this specific network.”

Example: 10.0.0.0/16 → all IPs from 10.0.x.x belong to the same logical network.

But that’s just the first job.


2. Tells routers whether two devices are on the same network or different networks

This is the MOST important function.

A device will ask:

  • “Does the destination IP fall inside my own network (same network portion)?” → If yes, send the packet directly using Layer 2 (no router).

  • “If not, send the packet to the default gateway (router).”

Example:

  • Device = 10.0.1.50

  • Subnet = 10.0.1.0/24

  • Destination = 10.0.1.80 → same subnet → communicate directly (ARP + Layer 2 frames)

  • Destination = 10.0.5.20 → different subnet → send to router

This logic applies both in AWS and in traditional networking.


3. Enables segmentation and isolation

By choosing different network portions, you can create:

  • public subnets

  • private subnets

  • restricted zones

  • DMZs

  • workload isolation (e.g., databases separate from app servers)

In AWS:

  • Public subnet: route to Internet Gateway

  • Private subnet: route outbound traffic to a NAT gateway, VPC endpoint, etc. instead of the Internet Gateway

The segmentation works because the network portions differ.


4. Determines the size of the network (host portion)

Yes—changing the prefix length changes how many IPs you get.

  • /16 → ~65k addresses

  • /20 → 4096

  • /24 → 256

But this is almost a side effect of how subnetting works — not the only purpose.


5. Controls routing at every hop

Routers match traffic to routing table entries based on the network portion.

Example in AWS: the route table of any subnet in the 10.0.0.0/16 VPC contains the entry 10.0.0.0/16 → local.

The “local” entry exists because of the network portion: it is derived from the VPC's prefix and keeps traffic for any VPC address inside the VPC.
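The same-subnet test in section 2 and the route-table lookup in section 5 are the same prefix comparison seen from two places: the host compares the destination against its own subnet, the router compares it against every entry and takes the longest matching prefix. The Python below is an added example for these notes, not code from the page or from AWS. The route tables are constructed to mirror the shape of a public and a private subnet's AWS route table; igw-EXAMPLE is a placeholder, not a real gateway id, and 198.51.100.7 is an address from the documentation range used to stand in for “somewhere on the internet”.

```python
import ipaddress

# Constructed route tables shaped like AWS subnet route tables.
# (destination CIDR, target). "igw-EXAMPLE" is a placeholder id.
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),       # created by AWS from the VPC's network portion
    ("0.0.0.0/0", "igw-EXAMPLE"),   # default route of a public subnet
]
PRIVATE_ROUTES = [
    ("10.0.0.0/16", "local"),       # same local entry; no default route to the internet
]


def host_decision(device_ip, prefixlen, destination_ip):
    """Host-side decision from section 2: same subnet -> Layer 2, else -> default gateway."""
    my_subnet = ipaddress.ip_interface(f"{device_ip}/{prefixlen}").network
    if ipaddress.ip_address(destination_ip) in my_subnet:
        return "direct"            # ARP for the destination and send the frame directly
    return "default-gateway"       # hand the packet to the subnet's router


def lookup_route(destination_ip, routes):
    """Router-side decision from section 5: longest-prefix match over the route table.

    Returns the target of the most specific matching entry, or None when
    nothing matches (the packet is dropped)."""
    dest = ipaddress.ip_address(destination_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


if __name__ == "__main__":
    for dst in ("10.0.1.80", "10.0.5.20"):
        print(f"10.0.1.50/24 -> {dst}: {host_decision('10.0.1.50', 24, dst)}")
    for dst in ("10.0.5.20", "198.51.100.7"):
        print(f"router, public subnet,  {dst}: {lookup_route(dst, PUBLIC_ROUTES)}")
        print(f"router, private subnet, {dst}: {lookup_route(dst, PRIVATE_ROUTES)}")
```

The private table shows why a private subnet is private: the local entry still covers every VPC address, but a destination outside 10.0.0.0/16 matches nothing, so the router has nowhere to send it.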


📌 So the network portion does all of this:

Role                                | Description
------------------------------------|------------------------------------------------------------
Identifies your network             | Defines “this group of IPs belongs together.”
Determines same vs different subnet | Decides whether traffic uses Layer 2 or goes to a router.
Enables segmentation                | Lets you carve out public and private subnets logically.
Supports routing decisions          | Used by routers to send traffic through the right path.
Defines network size                | Determines how many host IPs exist (host portion bits).


🔥 VPC-specific context

In AWS, the network portion:

  • Defines the entire VPC (10.0.0.0/16)

  • Ensures subnets fit inside it (10.0.1.0/24, 10.0.2.0/24, etc.)

  • Enables AWS built-in “local” routing

  • Helps determine overlap with other VPCs when using peering/TGW/Direct Connect

So its purpose goes far beyond just “identifying and counting addresses.”


🎯 The network portion is critical for:

  • Deciding how devices communicate

  • Routing

  • Isolation

  • Segmentation

  • Determining network size

  • Defining logical boundaries

The host portion is simply "everything that can be assigned an IP address" inside that boundary.


