What is a correct IPv4 CIDR for AWS?

Solution 1:

You need to create subnet, which is in range .

For example:


Solution 2:

TL;DR version (Amazon VPC FAQs)

  • Read about CIDR Notation to understand what the below means.
  • AWS VPC CIDR block size must be between /16 and /28, e.g.
  • Subnet CIDR block sizes must also be between /16 and /28 and in reality should have smaller CIDR blocks than the VPC because you typically want more than one subnet per VPC. E.g.
  • The host part of the CIDR must be zeroed. I.e. this is valid: and this isn't:
  • Choose a block from RFC1918 private range addresses:,, or unless you really really know what you are doing.

Some explanation:

In IPv4 and IPv6 we sort of distinguish between network and host addresses. Hosts belong to networks, smaller networks belong to larger networks.

In case of IPv4 a host address looks like this: - it's got 4 bytes which means 32 bits (1 byte = 8 bits).

CIDR notation is the standard way to describe network addresses. It uses a prefix notation to split the address to a network part and a host part where the prefix can be anywhere between /0 and /32, showing the number of bits from the left that are known.

A host address has all the 32 bits defined. That means our example instance address in CIDR notation can be written as - we know all the bits.

This instance perhaps sits in a subnet - 24 bits (= 3 bytes) from the left (192.168.2) are the CIDR block of the subnet, while the remaining 8 bits on the right are available for hosts.

Network addresses are hierarchical - VPC has a large network address block with subnets inside having smaller slices of the VPC network address block. That means your VPC CIDR block can be for example - the first 16 bits (192.168) is defined and everything in the VPC must have addresses that start with 192.168.: subnets, instances, RDS, load balancers, everything.

So to wrap up: an instance IP (/32) belongs to subnet CIDR which belongs to VPC CIDR The undefined bits in the subnet and VPC addrs are always set to 0.

However the prefix lengths don't have to be aligned to byte boundaries. This would also be a valid example: instance IP (/32) belongs to subnet CIDR which belongs to VPC CIDR It's a bit more effort to work it out but it's completely valid.

Hope that helps :)
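The checks described in Solution 2 (prefix length between /16 and /28, host bits zeroed, subnet contained in the VPC block, RFC 1918 range, and containment that works even when the prefix is not byte-aligned) can be mechanised with Python's standard `ipaddress` module. The script below is an added example, not code from the answer above or from AWS; the addresses it tests against (`192.168.0.0/16`, `10.0.0.0/20`, `10.0.8.0/22`, `10.0.9.200`, `8.8.8.0/24`) are constructed sample values, and the only AWS-specific rule it encodes is the /16 to /28 size limit quoted in the answer.

```python
import ipaddress

# Size limits quoted in the answer above for AWS VPC and subnet blocks.
MIN_PREFIX = 16
MAX_PREFIX = 28

# RFC 1918 private ranges (not AWS-specific).
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def host_bits_are_zero(cidr: str) -> bool:
    """True if the host part of `cidr` is all zeros, e.g. 192.168.2.0/24."""
    iface = ipaddress.ip_interface(cidr)  # tolerates host bits being set
    return iface.ip == iface.network.network_address


def canonical(cidr: str) -> str:
    """Return `cidr` with its host bits zeroed, i.e. the form AWS expects."""
    return str(ipaddress.ip_interface(cidr).network)


def is_rfc1918(cidr: str) -> bool:
    """True if the whole block lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918_RANGES)


def vpc_cidr_problems(vpc_cidr: str) -> list:
    """List the reasons `vpc_cidr` fails the checks in this script.

    An empty list means every check passed.
    """
    iface = ipaddress.ip_interface(vpc_cidr)
    if iface.version != 4:
        return ["only IPv4 blocks are checked here"]
    problems = []
    plen = iface.network.prefixlen
    if not MIN_PREFIX <= plen <= MAX_PREFIX:
        problems.append(f"prefix /{plen} outside /{MIN_PREFIX}../{MAX_PREFIX}")
    if not host_bits_are_zero(vpc_cidr):
        problems.append(f"host bits set; use {canonical(vpc_cidr)}")
    if not is_rfc1918(vpc_cidr):
        problems.append("not an RFC 1918 private range")
    return problems


def subnet_cidr_problems(subnet_cidr: str, vpc_cidr: str) -> list:
    """List the reasons `subnet_cidr` is not a valid subnet of `vpc_cidr`."""
    sub = ipaddress.ip_interface(subnet_cidr)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    problems = []
    plen = sub.network.prefixlen
    if not MIN_PREFIX <= plen <= MAX_PREFIX:
        problems.append(f"prefix /{plen} outside /{MIN_PREFIX}../{MAX_PREFIX}")
    if not host_bits_are_zero(subnet_cidr):
        problems.append(f"host bits set; use {canonical(subnet_cidr)}")
    # subnet_of() compares on bits, so it is correct for non-byte-aligned
    # prefixes such as a /22 inside a /20.
    if not sub.network.subnet_of(vpc):
        problems.append(f"{sub.network} is not inside VPC {vpc}")
    return problems


def address_in_block(ip: str, cidr: str) -> bool:
    """True if the /32 host address `ip` belongs to the block `cidr`."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    # Constructed sample values: a byte-aligned and a non-byte-aligned layout.
    for vpc, subnet, host in [
        ("192.168.0.0/16", "192.168.2.0/24", "192.168.2.7"),
        ("10.0.0.0/20", "10.0.8.0/22", "10.0.9.200"),
    ]:
        print(vpc, vpc_cidr_problems(vpc))
        print(subnet, subnet_cidr_problems(subnet, vpc))
        print(host, "in", subnet, address_in_block(host, subnet))
    print("192.168.2.7/24 ->", canonical("192.168.2.7/24"))
```

Running the script shows the second layout passing every check even though `/20` and `/22` do not fall on byte boundaries: `10.0.0.0/20` covers `10.0.0.0` to `10.0.15.255`, and `10.0.8.0/22` (`10.0.8.0` to `10.0.11.255`) sits entirely inside it. Feeding it `192.168.2.7/24` as a subnet reports the host bits as set and suggests `192.168.2.0/24`, which is the mistake the answer's "host part must be zeroed" bullet is warning about.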