AWS VPC & Subnet

VPC Peering Limitations

• https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html#vpc-peering-limitations

VPC deep dive

• main route table is implicitly associate with subnets that haven't been explicitly associated with a route table

VPC/Subnet Optimize

Public subnet for NAT gateway doesn't need too much IP range(CIDR block)

because it's only for the proxy to the private subnet.

so for making a public subnet for NAT gateway /30 the subnet mask would be best.

because /30 IP range is 2

but AWS VPC & Subnet do not allow /30 you should do /28 that's best for optimizing CIDR block

The subnet CIDR block size can be from /16 to /28. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html

so if you set 10.0.0.0/28 then you will get IP range 10.0.0.0 - 10.0.0.15

if you want multiple IP private subnet IP range maybe you can start

10.0.255.0 and assign then

• 10.0.255.0 / 28 -> 10.0.255.0 ~ 10.0.255.15

• 10.0.255.16 / 28 -> 10.0.255.16 ~ 10.0.255.31

• 10.0.255.32 / 28 -> 10.0.255.32 ~ 10.0.255.47

• ...

• 10.0.255.128 / 28 -> 10.0.255.128 ~ 10.0.255.143

• ...

you can get 16 private subnets for NAT gateway from 10.0.255.x

CIDR Block Strategy

When you create VPC 10.x.0.0 /16

you can split /20 bitmask, then you will be able to make 16 subnet that has 4094 IP address

but don't chuck everything with /20 bitmask,

chuck 12 subnets with /20 mask with 10.x.0.0/20 ~ 10.x.175.0 /20 then you will use 10.x.0.0 ~ 10.x.191.255

IP address will be -5 always.

https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizing.html

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:

• 10.0.0.0: Network address.

• 10.0.0.1: Reserved by AWS for the VPC router.

• 10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.

• 10.0.0.3: Reserved by AWS for future use.

• 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.

The reason why orient /20 with 4094 range

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-quotas.html

Fargate Task use 1 private address

By default, every Amazon ECS task on Fargate is provided an elastic network interface (ENI) with a primary private IP address. https://docs.aws.amazon.com/AmazonECS/latest/userguide/fargate-task-networking.html

Subnet network bit prefix rules for usual service

IP 할당이 많이 필요한 경우는 prefix 16까지 해도 됨.

10.0.0.0./16 로 할경우

CIDR range 10.0.0.0 - 10.0.255.255

IP개수는 65534가 됨. 메세징 서버같은 특별한 경우는

10.128.0.0 부터 prefix 12로 해도 됨.

CIDR range 10.128.0.0 - 10.143.255.255 = IP 1,048,574

• https://www.subnet-calculator.com/cidr.php

Reference

• RFC 1918 - Address Allocation for Private Internets

Copy

3. Private Address Space

   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

• https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#iana-ipv4-special-registry-1