Networking Essentials for DevOps

IP Addressing & Subnets

18 min Lesson 2 of 30

Every packet on the internet needs two things: a source and a destination. IPv4 addresses name both — 32-bit integers written in dotted-decimal notation. Understanding them at the bit level is not an academic exercise; it is what lets you design VPC topologies that do not collide, write security-group rules that actually match, and debug routing tables under production pressure.

IPv4 Anatomy

An IPv4 address such as 192.168.10.45 is four octets (8-bit groups), each ranging 0–255. In binary:

  192      . 168      . 10       . 45
  11000000 . 10101000 . 00001010 . 00101101

Two logical parts live inside every address: the network prefix (identifies the network) and the host portion (identifies the specific device). The boundary between them is set by the subnet mask.

CIDR Notation

Classless Inter-Domain Routing (CIDR) replaced the old Class A/B/C system in 1993. Instead of encoding the mask in the address class, you append a prefix length after a slash. 10.0.0.0/8 means the first 8 bits are the network prefix; the remaining 24 bits are host space — room for 2^24 − 2 = 16,777,214 usable addresses.

The two addresses you always lose from any block: the network address (all host bits zero) and the broadcast address (all host bits one). A /30 gives only 2 usable IPs — exactly right for a point-to-point link.

Key prefix lengths every DevOps engineer knows by heart:

  • /32 — single host (used in security-group rules, route table entries for precise hosts)
  • /31 — 2 IPs, no broadcast; RFC 3021 point-to-point links
  • /30 — 4 IPs, 2 usable; classic router-to-router link
  • /28 — 16 IPs, 14 usable; smallest AWS subnet supported
  • /24 — 256 IPs, 254 usable; the everyday workload subnet
  • /22 — 1,024 IPs; reasonable node-pool subnet for Kubernetes
  • /16 — 65,536 IPs; typical VPC CIDR block
  • /8 — 16.7M IPs; entire RFC 1918 10.x.x.x private range
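The network/broadcast/usable arithmetic behind the list above, as an added Python example (not code from the lesson): it does the mask math at the bit level rather than calling a library, and handles the /31 (RFC 3021) and /32 cases, where the usual "lose two addresses" rule does not apply.

```python
# Added example, not part of the lesson: bit-level IPv4/CIDR arithmetic in pure
# Python, reproducing what ipcalc reports, including the /31 and /32 edge cases.

def ip_to_int(dotted: str) -> int:
    """Pack dotted-decimal IPv4 into a 32-bit integer, validating each octet."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    """Dotted binary, e.g. 192.168.10.45 -> 11000000.10101000.00001010.00101101"""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def cidr_info(cidr: str) -> dict:
    """Network, mask, first/last host, broadcast and usable count for a CIDR."""
    addr_s, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    addr = ip_to_int(addr_s)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # prefix ones, then zeros
    network = addr & mask                                # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)           # host bits set
    if prefix == 32:                                     # single host, nothing lost
        usable, host_min, host_max = 1, network, network
    elif prefix == 31:                                   # RFC 3021 point-to-point
        usable, host_min, host_max = 2, network, broadcast
    else:
        usable, host_min, host_max = (1 << (32 - prefix)) - 2, network + 1, broadcast - 1
    return {
        "network": f"{int_to_ip(network)}/{prefix}",
        "netmask": int_to_ip(mask),
        "netmask_bits": to_binary(mask),
        "host_min": int_to_ip(host_min),
        "host_max": int_to_ip(host_max),
        "broadcast": int_to_ip(broadcast) if prefix < 31 else None,
        "usable": usable,
    }
```

Feeding it the host address 10.0.11.42/24 rather than the network address still yields the 10.0.11.0/24 block, which is the check you want before pasting a CIDR into a route table.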

Private Address Ranges (RFC 1918)

Three blocks are reserved for private networks — they are not routed on the public internet:

  • 10.0.0.0/8 — 16.7M addresses; preferred for large clouds and data-center fabrics
  • 172.16.0.0/12 — 1M addresses (172.16.x.x through 172.31.x.x)
  • 192.168.0.0/16 — 65K addresses; ubiquitous in home/office LANs

At big-tech scale, always build VPCs from the 10.0.0.0/8 space. It gives you room to allocate non-overlapping /16 blocks to every region, every environment (prod/staging/dev), and every team — without ever running into RFC 1918 exhaustion. Document your allocation table in a CMDB or even a shared spreadsheet from day one; reclaiming overlapping ranges later is extraordinarily painful.

Subnetting a VPC

A VPC CIDR is subdivided into subnets. Each subnet lives in exactly one Availability Zone (AZ) and carries one traffic class (public, private, or isolated/database). This is the standard three-tier layout used at production scale:

VPC Subnet Split — three-tier layout across two AZs (VPC: 10.0.0.0/16):

  • Public Subnet A — 10.0.1.0/24 (254 hosts), Availability Zone A: Load Balancer · NAT Gateway · Bastion
  • Public Subnet B — 10.0.2.0/24 (254 hosts), Availability Zone B: Load Balancer · NAT Gateway · Bastion
  • Private Subnet A — 10.0.11.0/24 (254 hosts), Availability Zone A: App Servers · ECS Tasks · Pods
  • Private Subnet B — 10.0.12.0/24 (254 hosts), Availability Zone B: App Servers · ECS Tasks · Pods
  • Isolated Subnet A — 10.0.21.0/24 (254 hosts), Availability Zone A: RDS · ElastiCache · Kafka
  • Isolated Subnet B — 10.0.22.0/24 (254 hosts), Availability Zone B: RDS · ElastiCache · Kafka

Three-tier VPC subnet layout: public subnets face the internet, private subnets run application workloads, isolated subnets hold databases — each tier replicated across two AZs for high availability.

Notice the addressing convention: public subnets use the 10.0.1.x and 10.0.2.x range, private subnets the 10.0.11.x and 10.0.12.x range, and isolated subnets the 10.0.21.x and 10.0.22.x range. The tens-digit encodes the tier, the units-digit encodes the AZ. This is a simple mnemonic you can apply consistently across every environment.

Computing Subnet Boundaries

The ipcalc utility (available on most Linux distributions) is indispensable for quick verification:

  $ ipcalc 10.0.11.0/24
  Address:   10.0.11.0            00001010.00000000.00001011. 00000000
  Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
  Network:   10.0.11.0/24
  HostMin:   10.0.11.1
  HostMax:   10.0.11.254
  Broadcast: 10.0.11.255
  Hosts/Net: 254

For Terraform-managed infrastructure, the cidrsubnet() function carves subnets programmatically — no manual math required:

  locals {
    vpc_cidr = "10.0.0.0/16"
  }

  # cidrsubnet(prefix, newbits, netnum)
  # newbits=8 extends /16 to /24; netnum selects which /24

  resource "aws_subnet" "public_a" {
    vpc_id                  = aws_vpc.main.id
    cidr_block              = cidrsubnet(local.vpc_cidr, 8, 1)   # 10.0.1.0/24
    availability_zone       = "us-east-1a"
    map_public_ip_on_launch = true
  }

  resource "aws_subnet" "private_a" {
    vpc_id            = aws_vpc.main.id
    cidr_block        = cidrsubnet(local.vpc_cidr, 8, 11)  # 10.0.11.0/24
    availability_zone = "us-east-1a"
  }

  resource "aws_subnet" "isolated_a" {
    vpc_id            = aws_vpc.main.id
    cidr_block        = cidrsubnet(local.vpc_cidr, 8, 21)  # 10.0.21.0/24
    availability_zone = "us-east-1a"
  }

Common Production Failure Modes

  • Overlapping CIDRs. Two VPCs or on-premises networks share the same RFC 1918 block. VPC peering and Transit Gateway refuse to connect them, and even if you work around it, routing becomes ambiguous. Prevent this with a central IP address management (IPAM) policy enforced at account creation time.
  • Exhausted subnets. A /28 (14 usable IPs) works fine for a NAT gateway but will choke an ECS cluster during a scale event. AWS also reserves 5 IPs per subnet for internal use, reducing /28 to 11 usable addresses. Always size for peak + 50% headroom.
  • Kubernetes pod CIDR collision. If your VPC is 10.0.0.0/16 and your cluster uses 10.0.0.0/14 as the pod CIDR (a common CNI default), pod IPs and node IPs collide. Plan pod and service CIDRs explicitly and document them before provisioning.

Never assign a /16 or larger CIDR to a single subnet. Route tables advertise every subnet as a directly-connected prefix, and large flat subnets undermine security group segmentation. A single /16 flat network also makes blast radius from a misconfigured security group much larger. Keep subnets purposefully small and tier-separated.
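The cidrsubnet() carving from Computing Subnet Boundaries and the overlap and exhaustion checks from the failure-mode list above, as one added Python example (not from the lesson or any real project; the allocation table it checks is constructed). It reimplements Terraform's cidrsubnet(prefix, newbits, netnum) semantics, generates the three-tier layout, and flags overlapping blocks before anything is provisioned.

```python
# Added example, not part of the lesson: Terraform-style cidrsubnet() plus the
# overlap and AWS-reserved-address checks from the failure-mode list. Stdlib only.
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # first four and last address of every AWS subnet

def cidrsubnet(prefix: str, newbits: int, netnum: int) -> ipaddress.IPv4Network:
    """Same semantics as Terraform's cidrsubnet(prefix, newbits, netnum)."""
    base = ipaddress.ip_network(prefix, strict=True)
    new_prefix = base.prefixlen + newbits
    if new_prefix > 32:
        raise ValueError("newbits pushes the prefix past /32")
    if not 0 <= netnum < (1 << newbits):
        raise ValueError(f"netnum {netnum} does not fit in {newbits} new bits")
    # Each child block is 2**(32-new_prefix) addresses wide; netnum picks the slot.
    child_addr = int(base.network_address) + netnum * (1 << (32 - new_prefix))
    return ipaddress.ip_network((child_addr, new_prefix))

def aws_usable(net: ipaddress.IPv4Network) -> int:
    """Hosts actually assignable in an AWS subnet (e.g. a /28 yields 11, not 14)."""
    return net.num_addresses - AWS_RESERVED_PER_SUBNET

def three_tier_layout(vpc_cidr: str) -> dict:
    """Tens digit = tier (0 public, 1 private, 2 isolated); units digit = AZ (1 = a, 2 = b)."""
    layout = {}
    for tier, base_num in (("public", 0), ("private", 10), ("isolated", 20)):
        for az_index, az in enumerate(("a", "b"), start=1):
            layout[f"{tier}_{az}"] = cidrsubnet(vpc_cidr, 8, base_num + az_index)
    return layout

def find_overlaps(named_blocks: dict) -> list:
    """Every pair of named CIDRs that overlap; an empty list means the plan is safe."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in named_blocks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    for name, net in three_tier_layout("10.0.0.0/16").items():
        print(f"{name:12} {net}  aws_usable={aws_usable(net)}")
    # Constructed allocation table: two VPCs, on-prem, and a pod CIDR that was
    # left at a /14 default and therefore swallows both VPCs.
    plan = {"vpc-prod": "10.0.0.0/16", "vpc-staging": "10.1.0.0/16",
            "eks-pods": "10.0.0.0/14", "on-prem": "172.16.0.0/12"}
    print("overlaps:", find_overlaps(plan))
```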

Quick Reference: Useful Host Commands

  # Show all interfaces and their CIDR assignments (Linux)
  ip addr show

  # Check what network a host IP belongs to
  ip route get 10.0.11.42

  # List routing table — essential for debugging "no route to host"
  ip route show table main

  # On macOS
  ifconfig en0 | grep inet
  netstat -rn -f inet

Memorise the /24 = 254 hosts and /16 = 65,534 hosts anchors; derive everything else from there by doubling or halving host count as you move the prefix by one bit. Every senior engineer asked to size a subnet on the spot does this mental arithmetic — it takes about ten seconds.

With a solid grasp of CIDR and subnet design, you can now reason about every layer that builds on top of it: routing tables, security groups, NAT gateways, and VPC peering all operate on subnet boundaries. The next lesson extends this foundation to DNS — how names resolve to these IP addresses at cloud scale.