AWS Step-by-Step

Resolving Common AWS CIDR Errors, Part 2: Understanding the Why

Let's break down some of the more common error messages, dive into their meaning and show how you can avoid them popping up in the future.

In the previous article, I spent quite a bit of time talking about how CIDRs work within the context of an AWS VPC. Now, I want to move forward with talking about the subnet creation process and why errors so often occur.

Before I get started, I want to reiterate one extremely important point from the previous article. When you add a CIDR to a VPC, you are not creating a subnet or defining an IP address pool. You are only specifying the IP address range that will be valid for use within the VPC.

Creating a subnet essentially sets aside a portion of the IP address range specified by the VPC's CIDR for use by the subnet that you are creating. You can create a subnet by clicking on your VPC and then selecting the Subnets tab. From there, click on the Create Subnet button.

The process of creating a subnet is a lot like that of creating a VPC. You will need to enter a name for the subnet and you will also have to enter a CIDR block. There is also an option to select an availability zone, but that option is not required.

So with that said, let's talk about the two errors that often occur when creating a new subnet. The first of these errors states that, "CIDR address overlaps with existing subnet." The second error message indicates that, "CIDR Address is not within CIDR address from VPC."

Oddly enough, I have seen situations in which no matter what subnet address range you enter, it triggers one of these two errors. I will show you why that happens and how to fix it in a moment. Before I do though, let's look at what these errors really mean.

The "CIDR Address is not within CIDR address from VPC" error indicates that the IP address range (the CIDR) that you are trying to use for the subnet falls outside of the range allowed by the VPC. Remember, when you create a VPC, you have to provide a CIDR that determines the address ranges that are allowed to be used within the VPC. If you try to create a subnet whose addresses fall outside of that range, this error occurs.

If you look at Figure 1, for example, you can see that the CIDR associated with my VPC is 10.10.0.0/16. As I explained in the previous article, the /16 portion of the CIDR indicates that the first two numbers define the network. As such, any address within the 10.10.x.x range is allowed within that VPC. If you look at the figure, you can see that I attempted to use a subnet CIDR from the 10.11.x.x range. 10.11.x.x clearly does not fall within 10.10.x.x, hence the error.

Figure 1. Your subnet CIDR must fall within the VPC CIDR.

The other error, "CIDR address overlaps with existing subnet," indicates that the subnet CIDR you entered overlaps with the CIDR of a subnet that already exists. Although a subnet must fall within the VPC CIDR, the subnet does not have to match the VPC CIDR exactly. In fact, you can have multiple subnets within a single VPC, so long as the subnets do not overlap with one another. To put it another way, an IP address cannot exist in more than one subnet within a VPC. You can see an example of this error in Figure 2.

Figure 2. Subnets cannot overlap with one another.

Now that I have explained the reasons why the two errors occur, let's talk about the situation in which any subnet CIDR that you enter triggers one of these two errors, regardless of what CIDR you try to use. This problem is not actually an AWS problem, but rather it is a configuration problem.

Sometimes when organizations are just starting out with AWS, they will create a VPC and then create a single subnet within that VPC. If the organization sees no need for additional subnets, they will often create a subnet that exactly matches the VPC's CIDR. This helps to ensure that the VPC's entire IP address space is available within the subnet.

To give you a more concrete example, take a look at Figure 3. Here you can see a subnet whose CIDR is identical to the CIDR used by my VPC. Creating such a subnet is a perfectly valid option, but it means that no more subnets can be created within the VPC: any new subnet CIDR either falls outside the VPC CIDR or overlaps the existing subnet, so one of the two errors is guaranteed. The other problem is that because the subnet and the VPC CIDRs exactly match one another, those who are less experienced might not even realize that the full address space has been claimed. This is a situation that I have seen multiple times in the real world.

Figure 3. The subnet's CIDR exactly matches the VPC.

The solution to this problem is to delete the existing subnet and create a series of smaller subnets (assuming that multiple subnets are required). You will need to be careful when doing so, however. AWS will not delete a subnet while resources such as EC2 instances or network interfaces still live in it, so those dependencies have to be terminated or moved first, and anything that referenced the old subnet (route table associations, NAT gateways, load balancer configurations and the like) will need to be pointed at the new subnets. If the existing subnet must stay in place, an alternative is to associate an additional (secondary) IPv4 CIDR block with the VPC and carve the new subnets out of that block instead.
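The three situations above (a subnet CIDR outside the VPC CIDR, a subnet CIDR overlapping an existing subnet, and a VPC whose single subnet has consumed the whole block) can all be checked offline before you touch the console. The following is an added example written for this article, not AWS code; the VPC and subnet CIDRs in it are constructed sample values, and the error strings simply mirror the console messages quoted above. It reports which error a candidate subnet would trigger, lists the address space still free in the VPC (an empty list is the "full address space claimed" case), and carves a VPC block into equal smaller subnets, which is the fix described above.

```python
"""Offline reproduction of the subnet-creation checks discussed in the article.
Added example, not AWS code; sample CIDRs are constructed for illustration."""
import ipaddress
import itertools
from typing import Iterable, List, Optional

# Constructed sample data (assumption): a /16 VPC with two /24 subnets in it.
VPC_CIDR = "10.10.0.0/16"
EXISTING_SUBNETS = ["10.10.0.0/24", "10.10.1.0/24"]

# Messages mirror the two console errors quoted in the article.
ERR_NOT_IN_VPC = "CIDR Address is not within CIDR address from VPC"
ERR_OVERLAP = "CIDR address overlaps with existing subnet"


def validate_subnet_cidr(vpc_cidr: str, existing: Iterable[str],
                         candidate: str) -> Optional[str]:
    """Return None if `candidate` could be created in the VPC, otherwise the
    error it would trigger. strict=True rejects a CIDR whose host bits are set
    (e.g. 10.10.1.5/24), which is not a valid block either."""
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        new = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return f"invalid CIDR: {exc}"
    # Check 1: the subnet must sit entirely inside the VPC block.
    if new.version != vpc.version or not new.subnet_of(vpc):
        return ERR_NOT_IN_VPC
    # Check 2: no address may belong to two subnets of the same VPC.
    for cidr in existing:
        if new.overlaps(ipaddress.ip_network(cidr, strict=True)):
            return f"{ERR_OVERLAP} ({cidr})"
    return None


def free_ranges(vpc_cidr: str, existing: Iterable[str]) -> List[str]:
    """Return the parts of the VPC block not yet claimed by any subnet, as
    CIDR strings sorted by address. An empty list means every address in the
    VPC is already inside a subnet, so no further subnet can be created."""
    remaining = [ipaddress.ip_network(vpc_cidr, strict=True)]
    for cidr in existing:
        used = ipaddress.ip_network(cidr, strict=True)
        still_free = []
        for block in remaining:
            if used.subnet_of(block):
                # address_exclude yields the pieces of `block` outside `used`
                # (nothing at all when the two are identical).
                still_free.extend(block.address_exclude(used))
            elif block.subnet_of(used):
                continue  # this fragment is entirely covered by the subnet
            else:
                still_free.append(block)
        remaining = still_free
    return [str(net) for net in sorted(remaining)]


def carve(vpc_cidr: str, new_prefix: int, count: int) -> List[str]:
    """Split the VPC block into equal subnets of length `new_prefix` and
    return the first `count` of them, e.g. four /24s out of a /16."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [str(net) for net in
            itertools.islice(vpc.subnets(new_prefix=new_prefix), count)]


if __name__ == "__main__":
    for cand in ("10.11.0.0/24", "10.10.1.0/25", "10.10.2.0/24"):
        print(cand, "->", validate_subnet_cidr(VPC_CIDR, EXISTING_SUBNETS, cand)
              or "OK")
    print("free in VPC:", free_ranges(VPC_CIDR, EXISTING_SUBNETS))
    # The "single subnet equal to the VPC" situation from Figure 3:
    print("free when subnet == VPC:", free_ranges(VPC_CIDR, [VPC_CIDR]))
    print("replacement plan:", carve(VPC_CIDR, 24, 4))
```

Run the script as-is to see the two errors and the exhausted-VPC case. To check a real account rather than the constructed data, feed `free_ranges` the VPC's `CidrBlock` and the `CidrBlock` of each subnet returned by `aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>`.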

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
