AWS Step-by-Step

Resolving Common AWS CIDR Errors Part 1

Navigate the complexities of AWS VPCs and subnets and discover their root causes.

In AWS, resources are organized into one or more VPCs and those resources will often require the use of subnets. While there is nothing overly difficult about defining a subnet, you may find that the AWS management interface causes the process to be far more difficult than it needs to be. In fact, depending on how the VPC was set up, you may find that it is impossible to add a subnet due to contradictory error messages that appear when you try. So let's take a look at the subnet related errors that can occur and how you can work around them.

In an effort to show you exactly why these errors occur when you try to create a subnet, I am going to spend Part 1 of this series going over some of the fundamental concepts of VPCs and CIDRs. Once I have done that, then I will use Part 2 of this series to show you the errors that commonly occur, the reason why those errors are being displayed, and what you can do to make the error messages go away.

To get started, go ahead and log into AWS and then open the VPC dashboard. Next, click on VPCs. This will cause the AWS management console to display a list of all of the VPCs that you have created. If you look at Figure 1 for example, you can see that I have a single VPC within this particular AWS region. You will also notice that there is currently an IPv4 CIDR associated with this VPC. This CIDR is Keep this CIDR in mind, because it will be important as we go forward.

Figure 1. I currently have one VPC and it has a CIDR of

So now that I have shown you the current state of my AWS environment, I want to take a step back and examine what this CIDR is and where it came from. In AWS, VPC stands for Virtual Private Cloud. Think of it as an isolated virtual network within the Amazon cloud. Like any other network, this virtual network or VPC requires the use of IP addresses. One of the things that makes a VPC different from at least some physical networks however, is that when you create a VPC you have to explicitly define the IP address range that will be valid for the virtual network.

To see how this works, take a look at Figure 2. This is the interface that is used when creating a brand new VPC. Notice in the figure that when you create a VPC, you have to provide a VPC name and an IPv4 CIDR. If you look back at Figure 1, you can see that the name used for my existing VPC was My-VPC. That VPC had been assigned a CIDR of

This raises the question of where the CIDR came from and what this number means. If I am to be totally honest with you, the numbers used in this particular CIDR were simply made up. Amazon basically lets you use whatever CIDR you want, although it does provide recommendations for CIDRs that you should consider using, as well as some CIDRs that you need to avoid using. 

So with that said, let's move on to the bigger question… What do these numbers mean? As you will recall, earlier I said that when you create a VPC, you must tell AWS which IP addresses will be valid for use on that VPC. As such, the CIDR is essentially an IP address range. The really important thing to keep in mind is that when you associate a CIDR with a VPC, as is shown in Figure 2, you aren't actually creating an IP address pool. All you are doing is telling the VPC what range of IP addresses it can expect to be used in the future. This point might seem trivial, but it will become super important when we eventually begin discussing subnets.

Figure 2.

As far as the CIDR structure is concerned, it is based on the idea that a portion of each IP address refers to a network while the remaining portion of an address pertains to a specific device on the network. Suppose for a moment that you have an IP address of with a subnet mask of The subnet mask indicates that the first three numbers of the address (192.168.0) are the network address and the last number (1) pertains to a device on that network.

The numbers that make up an IP address are sometimes referred to as octets, because each is an 8-bit number. The reason why I am telling you this is because in a CIDR, the number that comes after the slash refers to a specific number of bits. In my CIDR of for example, the number 16 means that the first 16 bits are the network portion of the address. Since each number position (between periods) consists of 8 bits, my CIDR defines an IP address range starting at with a subnet mask of The last address in the range would be and the range would allow for a total of 65,536 IP addresses to be used within the VPC. If you want to experiment with CIDRs for yourself, there is a helpful CIDR calculator available here.
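To make the bit arithmetic above concrete, here is a small CIDR calculator written for this article as an added example; it is not code from the article or from AWS. It derives the subnet mask from the prefix length, masks the address down to its network portion, computes the last address and the address count, and cross-checks the hand-rolled math against Python's standard `ipaddress` module. The sample CIDRs (10.0.0.0/16, 192.168.0.1/24 and so on) are constructed for the example and stand in for the values in the figures. It also goes one step beyond the text with a `subnet_fits_in_vpc` check, which tests whether a candidate subnet range lies entirely inside a VPC's CIDR, the relationship that the subnet discussion in Part 2 depends on.

```python
"""Hand-rolled CIDR arithmetic, cross-checked against the ipaddress module."""
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 32 bits set: the width of an IPv4 address


def octets_to_int(addr: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer (each octet is 8 bits)."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    value = 0
    for p in parts:
        value = (value << 8) | p
    return value


def int_to_octets(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_summary(cidr: str) -> dict:
    """Describe a CIDR: network address, mask, first/last address, address count.

    The prefix length after the slash is the number of leading bits that belong
    to the network; the remaining 32 - prefix bits identify hosts on it.
    """
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    host_bits = 32 - prefix
    mask = (ALL_ONES << host_bits) & ALL_ONES      # prefix ones, then zeros
    network = octets_to_int(addr) & mask           # clears any host bits set
    last = network | (~mask & ALL_ONES)            # all host bits set
    return {
        "network": int_to_octets(network),
        "mask": int_to_octets(mask),
        "first": int_to_octets(network),
        "last": int_to_octets(last),
        "count": 1 << host_bits,                   # 2 ** host_bits addresses
        "normalized": f"{int_to_octets(network)}/{prefix}",
    }


def cross_check(cidr: str) -> bool:
    """Return True when the manual arithmetic agrees with ipaddress.ip_network."""
    manual = cidr_summary(cidr)
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False tolerates host bits
    return (
        manual["network"] == str(net.network_address)
        and manual["mask"] == str(net.netmask)
        and manual["last"] == str(net.broadcast_address)
        and manual["count"] == net.num_addresses
    )


def subnet_fits_in_vpc(subnet_cidr: str, vpc_cidr: str) -> bool:
    """True when every address of subnet_cidr lies inside vpc_cidr."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    return subnet.subnet_of(vpc)


if __name__ == "__main__":
    # Constructed sample values, chosen to mirror the article's /16 and /24 cases.
    for sample in ("10.0.0.0/16", "192.168.0.1/24", "10.0.5.7/16"):
        print(sample, cidr_summary(sample), "agrees:", cross_check(sample))
    print("10.0.1.0/24 inside 10.0.0.0/16:", subnet_fits_in_vpc("10.0.1.0/24", "10.0.0.0/16"))
    print("10.1.0.0/24 inside 10.0.0.0/16:", subnet_fits_in_vpc("10.1.0.0/24", "10.0.0.0/16"))
```

Running it shows why a /16 yields 65,536 addresses (2 to the power of the 16 host bits), and the `10.0.5.7/16` case shows how a CIDR written with host bits set is normalized to its network address, which is worth checking before pasting a range into the VPC creation form.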

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
