
AWS Networking

source link: https://wilsonmar.github.io/aws-networking/

For CIDR block, see below.

CIDR Ranges

An example CIDR block looks like this:


10.0.1.0/18

PROTIP: To avoid naming conflicts, some organizations use a convention that replaces the third octet (the “1” in the address above) with a different number for each environment, tier and availability zone:

Env   Tier    Zone A   Zone B   Routes
Prd   ELB     1        11       Public
Prd   WEB     2        12       Private
Prd   APP     3        13       Private
Prd   Cache   4        14       Private
Prd   DB      5        15       Private
Dev   ELB     21       31       Public
Dev   WEB     22       32       Private
Dev   APP     23       33       Private
Dev   Cache   24       34       Private
Dev   DB      25       35       Private

PROTIP: Use the table above to pre-define your own numbering scheme, which can also be used as shortcuts in other names.
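As an added example (not code from the original article), the following Python script turns the env/tier/zone numbering table above into an actual subnet plan and checks it for overlaps, which is the failure the convention exists to prevent. The VPC CIDR (10.0.0.0/16), the /24 subnet size and the lower-case name format are assumptions of this example; only the third-octet numbers come from the table.

```python
import ipaddress
from itertools import combinations

# Assumptions for this example: the VPC block and the size of each subnet.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PREFIX = 24

# (env, tier) -> (zone A third octet, zone B third octet, route table type),
# copied from the numbering table above.
SCHEME = {
    ("Prd", "ELB"):   (1, 11, "Public"),
    ("Prd", "WEB"):   (2, 12, "Private"),
    ("Prd", "APP"):   (3, 13, "Private"),
    ("Prd", "Cache"): (4, 14, "Private"),
    ("Prd", "DB"):    (5, 15, "Private"),
    ("Dev", "ELB"):   (21, 31, "Public"),
    ("Dev", "WEB"):   (22, 32, "Private"),
    ("Dev", "APP"):   (23, 33, "Private"),
    ("Dev", "Cache"): (24, 34, "Private"),
    ("Dev", "DB"):    (25, 35, "Private"),
}


def subnet_cidr(env, tier, zone, vpc_cidr=VPC_CIDR):
    """CIDR of one subnet: the scheme's number becomes the third octet of the VPC block."""
    zone_a, zone_b, _routes = SCHEME[(env, tier)]
    third = {"A": zone_a, "B": zone_b}[zone]
    vpc = ipaddress.ip_network(vpc_cidr)
    base = vpc.network_address + third * 256      # one /24 is 256 addresses
    net = ipaddress.ip_network(f"{base}/{SUBNET_PREFIX}")
    if not net.subnet_of(vpc):
        raise ValueError(f"{net} falls outside {vpc}")
    return str(net)


def subnet_name(env, tier, zone):
    """The numbering doubles as a naming shortcut, e.g. prd-web-a (format assumed here)."""
    return f"{env}-{tier}-{zone}".lower()


def build_plan(vpc_cidr=VPC_CIDR):
    """Every subnet in the scheme: name -> (cidr, route table type)."""
    plan = {}
    for (env, tier), (_a, _b, routes) in SCHEME.items():
        for zone in ("A", "B"):
            plan[subnet_name(env, tier, zone)] = (subnet_cidr(env, tier, zone, vpc_cidr), routes)
    return plan


def overlapping(cidrs):
    """Pairs of blocks that share addresses; any pair here means two subnets collide."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(x), str(y)) for x, y in combinations(nets, 2) if x.overlaps(y)]


if __name__ == "__main__":
    plan = build_plan()
    for name, (cidr, routes) in plan.items():
        print(f"{name:12} {cidr:16} {routes}")
    print("overlaps:", overlapping(cidr for cidr, _ in plan.values()))
```

Because the scheme only fixes the third octet, the same table can be reused unchanged in a second VPC (for example `build_plan("172.16.0.0/16")` for a DR region), and `overlapping()` is the check to run before creating subnets, since a colliding block is rejected by AWS only after you have already planned around it.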

PROTIP: Some organizations allocate the bottom half of the 255 possibilities to private and upper half to public addresses:

  • private 10.1.0.0/24   (< 129)
  • public   10.129.0.0/24 (> 128)

Address ranges for private (non-routed) use (per RFC 1918):

  • 10.0.0.0 -> 10.255.255.255 within “Class A” addresses 1 -> 126
  • 172.16.0.0 -> 172.31.255.255 within “Class B” addresses 127 -> 191
  • 192.168.0.0 -> 192.168.255.255 within “Class C” addresses 192 -> 223

REMEMBER: The CIDR block for a default VPC is always 172.31.0.0/16.

PROTIP: Use addresses from different IP classes. For example,

  • use VPC CIDR 10.0.0.0/16 for production
  • use VPC CIDR 172.16.0.0/16 for DR regions

PROTIP: Carefully predict how many nodes each subnet might need. Once assigned, AWS VPC subnet blocks can’t be modified. If you find an established VPC is too small, you’ll need to terminate all of the instances of the VPC, delete it, and then create a new, larger VPC, then instantiate again.

Refer to this table of nodes for each netmask Amazon allows:

# Nodes   Netmask   Subnet Mask
14        /28       255.255.255.240
30        /27       255.255.255.224
62        /26       255.255.255.192
126       /25       255.255.255.128
254       /24       255.255.255.0
510       /23       255.255.254.0
65,534    /16       255.255.255.240

For example, if all you’ll need are 14 nodes, specify /28. Notice that the larger the number after the slash (the prefix length), the fewer hosts fit in the subnet.

Bucket of Candies Analogy

If you must know why, here is my analogy (best for kinesthetic learners): When we say a sports star makes a “7 figure salary”, we figure out what that means with a table like this:

Figure:     7           6         5        4       3      2     1
# Values:   1,000,000   100,000   10,000   1,000   100    10    1

Now imagine a bucket for each figure level, each a different size and containing candies of various colors and patterns, with one unique candy for each possible value. People earning 7 figures can choose from the bucket holding a million possible values.

If we add up the values (colors) possible in the right-most 3 buckets, we would have 100 + 10 + 1 = 111 possibilities.

Counting in Base 2

Instead of the way bankers do arithmetic, where ten $1 bills are equivalent to a 10 dollar bill (called “base 10” or decimal calculation), computers count using “base 2” or binary arithmetic, using only 0’s and 1’s. So each of their “buckets” has a different number of possible values:

Position:                         8     7     6     5    4    3    2   1
# Values:                         254   128   64    32   16   8    4   2
Cumulative possible addresses:    510   254   126   62   30   14   6   2

If we add up the possible addresses just from the right-most 3 buckets (from right to left), we would have 2 + 4 + 8 = 14 possibilities.

Looking back at the table of nodes above, we see that 14 possibilities is what a /28 specification gives you.

This is all one needs to know to use AWS VPC.

But if you would like to know how we get 3 buckets from the 28 bit specification, read on.

IP address octets

IPv4 addresses such as “127.10.138.128” consist of 32 “buckets” (bits), written as four 8-bit “octets” separated by dots.

The 127 in the address above is obtained by adding up the base 10 value of each bit “bucket” that is set. Looking at a single octet of 8 bits:

“Bucket” position:                     8     7     6     5     4    3    2   1
Base 10 value of each bucket:          128   64    32    16    8    4    2   1
Cumulative base 10 (left to right):    255   127   63    31    15   7    3   1
Base 2 for 127 in base 10:             1     1     0     1     1    0    0   1
Cumulative base 10 (left to right):    217   89    25    25    9    1    1   1

To translate a base 2 number of all 1’s (“11111111”) to the base 10 value 255, we accumulate the base 10 values of every “bucket”, left to right.

To translate the Base 2 set of 1’s and 0’s to a base 10 number of 217, we accumulate the equivalent base 10 number at each position where there is a 1.

Now let’s look at the relationship between /28 and the “255.255.255.240” subnet mask associated with the /28 in the table of nodes above.

The “240” base 10 number in the right-most octet is equivalent to “11110000” in base 2.

“Bucket” position:                     8     7     6    5    4   3   2   1
Base 10 value of bucket:               128   64    32   16   8   4   2   1
Base 2 for 240 in base 10:             1     1     1    1    0   0   0   0
Cumulative base 10 (left to right):    240   122   48   16   0   0   0   0

Putting the three 255’s and the 240 together, we get a continuous run of 1’s followed by four 0’s:

11111111.11111111.11111111.11110000

  • The 1’s “buckets” on the left side (the network portion) identify the subnet, which Amazon routes between.

  • The 0’s buckets on the right side (the host portion) address your individual nodes within that subnet.

REMEMBER: Although there are four 0’s buckets, only 3 are used to specify node addresses, because one digit (two values) is reserved for network and broadcast use (the addresses containing all 0’s and all 1’s).
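As an added example (not the article’s own code), the following Python script does by hand what the “bucket” tables above walk through: it splits an octet into its bit buckets with the same right-to-left cumulative row, derives the dotted and binary subnet mask from a prefix length so the Netmask and Subnet Mask columns of the node table can be cross-checked, and reports the network and broadcast addresses, the usable host count, and whether the block lies inside the RFC 1918 private ranges. It goes one step beyond the page’s table by also subtracting the five addresses AWS reserves in every VPC subnet (network, VPC router, DNS, one spare, broadcast). Only the standard library `ipaddress` module is used; the sample CIDRs are taken from the text.

```python
import ipaddress

# RFC 1918 private ranges (the three blocks listed earlier in the article).
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def octet_buckets(value):
    """Break one octet (0-255) into its 8 bit "buckets", bucket 8 first.

    Returns (bits, cumulative): the binary string, and for each position the
    base 10 total of that bucket plus every bucket to its right, which is the
    "Cumulative base 10" row of the tables above (e.g. 217 -> 217 89 25 25 9 1 1 1).
    """
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {value}")
    bits = "".join(str((value >> (7 - i)) & 1) for i in range(8))
    cumulative = [value & ((1 << (8 - i)) - 1) for i in range(8)]
    return bits, cumulative


def describe_cidr(cidr):
    """Network, broadcast, mask (dotted and binary) and host counts for a CIDR block.

    strict=False lets a block written with host bits set, such as 10.0.1.0/18,
    be normalised to its network address instead of raising.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    mask_bits = ".".join(octet_buckets(int(o))[0] for o in str(net.netmask).split("."))
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "netmask_bits": mask_bits,
        "host_bits": host_bits,
        # Classic count: the all-0s (network) and all-1s (broadcast) addresses are unusable.
        "usable_hosts": max(net.num_addresses - 2, 0),
        # AWS reserves five addresses per subnet (network, VPC router, DNS, spare, broadcast).
        "aws_usable_hosts": max(net.num_addresses - 5, 0),
        "rfc1918": any(net.subnet_of(p) for p in RFC1918),
    }


def print_buckets(value):
    """Print one octet in the same layout as the bucket tables above."""
    bits, cumulative = octet_buckets(value)
    print(f"Base 2 for {value}:        {' '.join(bits)}")
    print(f"Cumulative base 10:   {' '.join(str(c) for c in cumulative)}")


if __name__ == "__main__":
    for octet in (255, 217, 240):
        print_buckets(octet)
    for block in ("10.0.1.0/28", "10.0.1.0/18", "172.31.0.0/16", "127.10.138.128/25"):
        info = describe_cidr(block)
        print(f"{block}: mask {info['netmask']} ({info['netmask_bits']}), "
              f"{info['network']}-{info['broadcast']}, "
              f"{info['usable_hosts']} hosts classic, {info['aws_usable_hosts']} on AWS, "
              f"RFC1918={info['rfc1918']}")
```

The `aws_usable_hosts` figure is the one to plan capacity against: a /28 that the classic table scores at 14 nodes actually yields 11 instance addresses in a VPC subnet, and the `rfc1918` flag is a cheap guard against accidentally choosing a publicly routable range for a private VPC.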

More on CIDR (Classless Inter-Domain Routing), aka “supernetting”:

  • https://www.youtube.com/watch?v=POPoAjWFkGg IP Subnetting from CIDR Notations (getting network and broadcast addresses).

  • http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

  • VLSM (Variable Length Subnet Mask)

  • https://cloudacademy.com/amazon-web-services/amazon-vpc-networking-course/build-and-configure-a-nat-instance.html

