AWS VPC Subnet Calculator
Plan subnet sizing, usable IP capacity, and multi-AZ subnet distribution for Amazon VPC designs. This calculator applies AWS subnet behavior, including the five reserved IPv4 addresses in every subnet, to help you validate whether your VPC CIDR can support your architecture.
Results
Enter your VPC CIDR and target subnet size, then click Calculate.
Expert guide to using an AWS VPC subnet calculator
An AWS VPC subnet calculator is one of the most useful planning tools for cloud architects, DevOps engineers, and security teams because network mistakes are cheap to prevent but expensive to fix. Before an application reaches production, you need to know whether your chosen CIDR range can support the number of subnets you want, the number of Availability Zones you plan to use, and the amount of usable IP space each workload tier requires. In AWS, subnetting is not just a mathematical exercise. It directly affects availability, segmentation, routing design, private endpoint growth, scaling headroom, and long-term account governance.
At a basic level, your VPC CIDR defines the total address space available to your virtual network. From that block, you carve smaller subnet CIDRs for public, private, database, shared services, inspection, or isolated workloads. The calculator above helps you test how a target subnet mask changes total subnet count and usable capacity. It also accounts for a key AWS behavior that many beginners overlook: AWS reserves five IPv4 addresses in every subnet, which reduces the number of assignable addresses available to EC2 instances, load balancers, container tasks, and other resources.
Why subnet sizing matters in AWS
In traditional data centers, teams often over-allocated networks because changing VLANs or physical topology was difficult. In AWS, the temptation can be the opposite: creating very small subnets to conserve address space. Both extremes can create operational issues. If your subnets are too large, you may waste address space and make route or segmentation policies harder to reason about. If they are too small, your platform can fail in subtle ways when Auto Scaling, managed services, or Kubernetes nodes begin consuming more IPs than expected.
Subnet sizing is especially important for services with dynamic elasticity. For example, an application running behind an Application Load Balancer, deployed across multiple Availability Zones, and scaled by Auto Scaling groups may need far more headroom than the initial instance count suggests. The same principle applies to containerized environments, NAT gateways, interface endpoints, and internal service meshes. If a subnet runs out of available IPs, scale-out events can fail even while CPU and memory capacity remain available elsewhere in the environment.
How AWS subnet math differs from textbook subnetting
Classic subnetting lessons often teach that a subnet with 2^n addresses has two unusable addresses: the network address and the broadcast address. AWS adds another layer. Amazon reserves five IPv4 addresses in each subnet. That means the practical usable host count is lower than many generic subnet calculators show. This is why a cloud-specific calculator is more helpful than a generic CIDR tool when planning for Amazon VPC.
- Address 1 in the subnet network range is the network address.
- Address 2 is reserved by AWS for the VPC router.
- Address 3 is reserved by AWS for DNS.
- Address 4 is reserved by AWS for future use.
- The last address is the broadcast-style reserved address for the subnet.
As a result, a /24 contains 256 total IPv4 addresses, but only 251 are usable in AWS. A /28 contains 16 total addresses, but only 11 are usable. That difference can look small in a spreadsheet yet become a real bottleneck in heavily automated environments.
Key planning inputs for an AWS VPC subnet calculator
When you use a subnet calculator for AWS, think beyond the CIDR itself. You are really planning a future operating model. A mature design usually evaluates the following inputs together:
- VPC CIDR size: for example, 10.0.0.0/16 or 10.20.0.0/20.
- Target subnet mask: such as /24 for moderate segmentation or /26 for tighter address control.
- Availability Zone count: because highly available AWS designs usually span at least two AZs, and often three.
- Subnet groups per AZ: common examples include public, private application, and database tiers.
- Service growth expectations: Auto Scaling, ECS tasks, EKS worker nodes, Lambda ENIs, VPC endpoints, and managed databases can all consume IPs over time.
The calculator on this page combines these variables so you can quickly answer practical questions such as, “Can my /20 VPC support three AZs with public, private, and data subnets?” or “How many /24 subnets can I create inside a /16 VPC?”
Common subnet sizes and AWS usable IP capacity
The table below shows why the subnet mask you choose has such a large effect on capacity. These are real IPv4 counts derived from CIDR math and adjusted for AWS reserved addresses.
| Subnet Mask | Total IPv4 Addresses | AWS Reserved Addresses | Usable IPv4 Addresses | Typical Use Case |
|---|---|---|---|---|
| /24 | 256 | 5 | 251 | General application or private tier |
| /25 | 128 | 5 | 123 | Smaller app tiers or utility subnets |
| /26 | 64 | 5 | 59 | Tightly scoped workloads |
| /27 | 32 | 5 | 27 | Low-density supporting services |
| /28 | 16 | 5 | 11 | Very small or specialized infrastructure |
Example: designing for multi-AZ resilience
Suppose you start with a 10.0.0.0/16 VPC and want to deploy in three Availability Zones. If you choose /24 subnets and need three subnet groups per AZ, you need 9 total subnets. A /16 can be divided into 256 separate /24 subnets, so that requirement is easy to satisfy. Each subnet offers 251 usable IPs, giving you plenty of room for EC2 instances, internal load balancers, interface endpoints, or container worker nodes.
Now compare that to a smaller 10.0.0.0/20 VPC. A /20 contains 4,096 total addresses. If you split it into /24s, you get only 16 subnets. For a simple two-tier design across three AZs, that may still be enough, but your headroom for future expansion becomes much tighter. This is exactly the kind of tradeoff an AWS VPC subnet calculator helps expose early.
Comparison table: VPC block size versus number of /24 subnets
Another practical way to evaluate address strategy is to compare how many standard /24 subnets fit inside common VPC prefixes.
| VPC CIDR | Total IPv4 Addresses | Number of /24 Subnets | Total AWS Usable IPs if Fully Split into /24s | Planning Observation |
|---|---|---|---|---|
| /16 | 65,536 | 256 | 64,256 | Excellent flexibility for large environments |
| /18 | 16,384 | 64 | 16,064 | Good for many medium production estates |
| /20 | 4,096 | 16 | 4,016 | Adequate for smaller or tightly governed workloads |
| /22 | 1,024 | 4 | 1,004 | Very limited for multi-tier multi-AZ growth |
How to choose the right subnet size
A useful rule of thumb is to start with business intent and platform behavior, not just immediate server counts. Ask yourself how many subnets you need per Availability Zone, whether those subnets will host static infrastructure or elastic workloads, and how likely your environment is to adopt services that create additional network interfaces. If your team runs managed Kubernetes, heavy private endpoint usage, or many shared service appliances, subnets that initially appear “large enough” can become cramped faster than expected.
- Choose /24 if you want a balanced default with easy readability and healthy growth room.
- Choose /25 or /26 if you need more granular segmentation and can confidently predict low to moderate IP demand.
- Choose /27 or /28 only for narrowly scoped infrastructure where usage is tightly controlled.
- Use a larger VPC CIDR when you expect account growth, future peering, Transit Gateway attachment, or complex network service insertion.
Mistakes teams make when calculating AWS subnets
The most common error is focusing only on current infrastructure. Cloud networks should be designed for change. A VPC that looks oversized on day one may become perfectly sized once multiple environments, observability tooling, endpoints, and migration workloads are added. Another common mistake is forgetting even subnet distribution across Availability Zones. If you need three AZs and three subnet groups per AZ, the design is not complete until all nine subnets have capacity and routing intent.
Teams also underestimate the impact of reserved IPs in smaller subnets. Losing five addresses from a /28 is a large percentage of the subnet. Finally, some organizations create a VPC CIDR that is technically valid but awkward for future connectivity. If the enterprise later needs peering, hybrid connectivity, or IPAM standardization, overlapping or overly restrictive ranges can become a serious obstacle.
Security and governance considerations
Subnetting is deeply connected to security posture. While security groups are stateful and often the first line of workload control in AWS, subnet boundaries still matter for route tables, network ACL strategy, egress inspection, and administrative clarity. Well-structured subnets make it easier to define which resources should be internet-facing, which should remain private, and which should route through centralized security services.
A strong subnet plan improves not only scaling but also security review quality, incident response speed, and the ability to apply standardized cloud landing zone patterns across multiple accounts.
Helpful government and university resources
If you want broader context on network architecture, segmentation, and cloud security principles, these sources are useful references:
- CISA Zero Trust Maturity Model
- NIST SP 800-207 Zero Trust Architecture
- Carnegie Mellon University School of Computer Science
Final recommendations
Use an AWS VPC subnet calculator early, and use it repeatedly. Revisit subnet assumptions when you add new application tiers, adopt EKS or ECS, increase Availability Zone spread, introduce private connectivity, or change landing zone standards. A good subnet design is not just mathematically correct. It should be understandable, resilient, secure, and durable enough to support future architecture decisions without forcing disruptive renumbering. If in doubt, choose a design that leaves strategic headroom. In cloud networking, spare address space is often far cheaper than rework.