Friday, October 31, 2025

AWS Classless Inter-Domain Routing (CIDR) for IPv4 | Overview.



Scope:

  • Intro,
  • VPC CIDR Block Requirements,
  • Subnet CIDR Sizing & Reservations,
  • Table of Common CIDR Samples (Notation, Total addresses & Assignable Addresses),
  • The concept of CIDR (Classless Inter-Domain Routing),
  • Structure of an IPv4 CIDR Block (format),
  • Sample CIDR Block,
  • CIDR Notation Breakdown,
  • Explanation CIDR Block,
  • Sample Calculation for a CIDR Block (when twtech is given 10.0.0.0/16),
  • CIDR Aggregation (Supernetting),
  • Sample CIDR Aggregation (Supernetting) for networks,
  • CIDR in AWS VPC Design,
  • Tools & Tips for CIDR Planning,
  • CIDR in Security Context (AWS SGs & NACLs),
  • Sample CIDRs in Security Context (AWS SGs & NACLs),
  • Architecture,
  • Link to calculate CIDR to IP Range from the website,
  • Insights.

Intro:

    • In AWS, Classless Inter-Domain Routing (CIDR) is the notation used to define the range of IPv4 addresses for a Virtual Private Cloud (VPC) and its subnets.
    • Classless Inter-Domain Routing (CIDR) represents an IP address followed by a slash and a number (the prefix length).
      • The prefix length indicates the number of bits used for the network portion of the address.

VPC CIDR Block Requirements

  • When creating a VPC, twtech must specify a primary IPv4 CIDR block.
    • Size Limits: The allowed block size is between a /16 netmask (65,536 addresses) and a /28 netmask (16 addresses).
    • Private Ranges: AWS recommends using private IPv4 address ranges from RFC 1918, such as 10.0.0.0/16, 172.31.0.0/16, or 192.168.0.0/20.
    • Secondary CIDRs: twtech can associate additional (secondary) CIDR blocks after creation to expand the VPC.
      •  But twtech cannot change the size of an existing block.

Subnet CIDR Sizing & Reservations

  • Subnet CIDR blocks must be a subset of the VPC's CIDR blocks and cannot overlap with other subnets in the same VPC.
    • Subnet Size: Like VPCs, the size must be between /16 and /28.
    • Reserved Addresses: In every subnet, AWS reserves exactly five IP addresses for internal networking.
NB:
  • The reserved five IP addresses  cannot be assigned to resources like EC2 instances
  • The reserved five IP addresses are used for:
    1. Base address (e.g., .0): Network address.
    2. Base + 1 (e.g., .1): Reserved for the VPC router.
    3. Base + 2 (e.g., .2): Reserved for the AWS DNS server.
    4. Base + 3 (e.g., .3): Reserved by AWS for future use.
    5. Last address (e.g., .255): Network broadcast address.
NB:
  • AWS does not support broadcast traffic in a VPC, but it still reserves the broadcast address.

Table of Common CIDR Samples (Notation, Total addresses & Assignable Addresses)

Notation   Total Addresses   Assignable Addresses (Total - 5)
/16        65,536            65,531
/20        4,096             4,091
/24        256               251
/28        16                11
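As an added example (not part of the original post), the following Python uses the standard ipaddress module to reproduce the figures in the table above and to list the five reserved addresses for any AWS subnet; the function name and the /16 to /28 size check are this example's own.

```python
import ipaddress

# Added example (not from the original post): AWS-specific address accounting
# for an IPv4 subnet CIDR, including the five addresses AWS reserves per subnet.

MIN_PREFIX, MAX_PREFIX = 16, 28  # allowed VPC/subnet sizes in AWS


def aws_subnet_summary(cidr: str) -> dict:
    """Return total, assignable and the five AWS-reserved addresses of a subnet."""
    # strict=True rejects a CIDR whose host bits are not all zero (e.g. 10.0.0.1/24)
    net = ipaddress.ip_network(cidr, strict=True)
    if not (MIN_PREFIX <= net.prefixlen <= MAX_PREFIX):
        raise ValueError(f"{cidr}: AWS requires /{MIN_PREFIX} to /{MAX_PREFIX}")
    base = net.network_address
    reserved = {
        "network": str(base),                      # base address
        "vpc_router": str(base + 1),               # base + 1
        "dns": str(base + 2),                      # base + 2
        "future_use": str(base + 3),               # base + 3
        "broadcast": str(net.broadcast_address),   # last address
    }
    total = net.num_addresses
    return {
        "cidr": str(net),
        "total": total,
        "assignable": total - 5,
        "first_assignable": str(base + 4),
        "last_assignable": str(net.broadcast_address - 1),
        "reserved": reserved,
    }


if __name__ == "__main__":
    for c in ("10.0.0.0/16", "10.0.1.0/24", "192.168.1.0/28"):
        s = aws_subnet_summary(c)
        print(f"{s['cidr']:18} total={s['total']:6} assignable={s['assignable']:6} "
              f"usable {s['first_assignable']}..{s['last_assignable']}")
```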

    • CIDR (Classless Inter-Domain Routing) for IPv4 is a fundamental concept in networking, especially when designing:
      • VPCs, 
      • Subnets,
      • Routing in AWS or any cloud environment.

The concept of CIDR (Classless Inter-Domain Routing)

    •     CIDR (Classless Inter-Domain Routing) is a method for allocating IP addresses and routing Internet Protocol packets.
    •     CIDR (Classless Inter-Domain Routing)  replaced the old classful addressing system (Class A, B, C) to make IP address allocation more efficient & flexible.

Structure of an IPv4 CIDR Block (format):

<IPv4 Address>/<Prefix Length>

Sample CIDR Block 

192.168.10.0/24

Explanation CIDR Block:

    • 192.168.10.0: Network address
    • /24: Prefix length (number of bits representing the network)
    • The remaining (32 - 24 = 8) bits are reserved for host addresses.

CIDR Notation Breakdown

CIDR   Network Bits   Host Bits   # of Hosts (Usable)   Subnet Mask        Sample Range
/8     8              24          16,777,214            255.0.0.0          10.0.0.0 - 10.255.255.255
/16    16             16          65,534                255.255.0.0        192.168.0.0 - 192.168.255.255
/24    24             8           254                   255.255.255.0      192.168.1.0 - 192.168.1.255
/28    28             4           14                    255.255.255.240    192.168.1.0 - 192.168.1.15

Sample Calculation for a CIDR Block (when twtech is given 10.0.0.0/16)

    • Network bits: 16
    • Host bits: 16 (32 - 16 = 16)
    • Number of addresses: 2^16 = 65,536 total addresses

NB:

    • Usable IP addresses = 65,534 (general IPv4 subnetting; inside an AWS subnet five addresses are reserved, as noted above),
    • Because:
      • One IP address is reserved for the network address,
      • Another IP address is reserved for broadcast.

CIDR Aggregation (Supernetting)

    • CIDR allows grouping multiple contiguous networks into a single routing entry.

Sample CIDR Aggregation (Supernetting) for networks.

192.168.0.0/24
192.168.1.0/24

These can be summarized as:

192.168.0.0/23

NB:

    • This reduces routing table entries — critical in internet routing.

CIDR in AWS VPC Design

    • In AWS, twtech defines the VPC CIDR block, then subdivides it into subnets (sample):

VPC CIDR: 10.0.0.0/16

Subnets:

    • Public Subnet A: 10.0.0.0/24
    • Private Subnet A: 10.0.1.0/24
    • Public Subnet B: 10.0.2.0/24
    • Private Subnet B: 10.0.3.0/24

  NB:

This allows for isolation and controlled routing.
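Added example, not from the original post, covering both the supernetting sample above and this VPC design: it checks that each subnet sits inside the VPC block and that no two subnets overlap, and it collapses contiguous prefixes into a single routing entry. Function names and the deliberately bad layout are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Added example (not from the original post): validate a VPC subnet layout
# and aggregate contiguous networks (supernetting) with the ipaddress module.


def validate_vpc_layout(vpc_cidr: str, subnets: dict) -> list:
    """Return a list of problems; an empty list means the layout is valid."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not (16 <= net.prefixlen <= 28):
            problems.append(f"{name} {net}: size must be between /16 and /28")
        if not net.subnet_of(vpc):  # subnet must be a subset of the VPC block
            problems.append(f"{name} {net}: not inside VPC {vpc}")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):         # subnets in one VPC must not overlap
            problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


def supernet(cidrs: list) -> list:
    """Aggregate contiguous networks into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed inputs mirroring the post's sample design.
VPC = "10.0.0.0/16"
SUBNETS = {
    "Public Subnet A": "10.0.0.0/24",
    "Private Subnet A": "10.0.1.0/24",
    "Public Subnet B": "10.0.2.0/24",
    "Private Subnet B": "10.0.3.0/24",
}

if __name__ == "__main__":
    print(validate_vpc_layout(VPC, SUBNETS) or "layout OK")
    # A bad layout (constructed): one subnet outside the VPC, one overlapping.
    bad = dict(SUBNETS, **{"Private Subnet C": "10.1.0.0/24", "DB": "10.0.1.128/25"})
    for p in validate_vpc_layout(VPC, bad):
        print("problem:", p)
    print(supernet(["192.168.0.0/24", "192.168.1.0/24"]))  # ['192.168.0.0/23']
```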

Tools & Tips for CIDR Planning

    • CIDR Calculator:
      • Tools like cidr.xyz, ipcalc, or the AWS VPC wizard help in visualizing ranges.
    • Avoid Overlap:
      • Ensure CIDR ranges don’t overlap when peering or connecting networks.
    • Private IPv4 Ranges (RFC 1918):
      • 10.0.0.0/8: Large enterprises
      • 172.16.0.0/12: Mid-size
      • 192.168.0.0/16: Small networks

CIDR in Security Context (AWS SGs & NACLs)

  • CIDR is used to define source/destination IP ranges in:
    • Security Groups
    • Network ACLs
    • Route Tables

Sample CIDRs in Security Context (AWS SGs & NACLs):

0.0.0.0/0       open to the internet
10.0.0.0/16      internal network
203.0.113.0/24   specific corporate range

Architecture: 


 Link to calculate CIDR to IP Range from the website: 

https://www.ipaddressguide.com/cidr

Insights: Advanced Topics

    • VLSM (Variable Length Subnet Masking):
      • Allows efficient IP allocation using variable subnet sizes.
    • Route Summarization:
      • Reduces route table size by combining multiple CIDRs.
    • CIDR Overlaps in Multi-VPC / Hybrid Cloud:
      • Must plan carefully to avoid conflicts with on-premises IP space.
    • IPv6 Equivalent:
      • Uses /n notation as well, but supports 128-bit addressing.

CIDR to IPv4 Conversion

    • CIDR is short for Classless Inter-Domain Routing, an IP addressing scheme that replaces the older system based on classes A, B, and C.
    • With CIDR, a single address-and-prefix pair designates a whole block of unique IP addresses.
    • A CIDR IP address looks like a normal IP address except that it ends with a slash followed by a number, called the IP network prefix.
    • CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations.






Thursday, October 30, 2025

Amazon Custom VPC | Overview & Hands-On.


Scope:

  • Intro,
  • Key features & components of an Amazon VPC,
  • The concept of Amazon VPC (Deep dive),
  • Core VPC Components: CIDR Block, Subnets, Route Tables, Internet Gateway (IGW), NAT Gateway / NAT Instance, VPC Endpoints (PrivateLink), Elastic Network Interface (ENI),
  • Security Controls (Deep Dive),
  • Security Groups (SGs),
  • Network ACLs (NACLs),
  • VPC Connectivity Options, Description & Use Cases,
  • Security & Isolation Features,
  • Common VPC Design Patterns,
  • Public + Private Subnet Model,
  • Three-Tier Architecture,
  • Hub-and-Spoke with Transit Gateway,
  • Shared VPC,
  • Advanced Topics with Hybrid Networking, IPv6 Dual-Stacking, VPC Lattice, & DNS in VPC,
  • Operational Best Practices & Recommendations,
  • Sample-Reference-Architecture,
  • Project: Hands-On.

Intro:

    • Amazon Virtual Private Cloud (Amazon VPC) is a service that allows twtech to define and provision a logically isolated section of the Amazon Web Services (AWS) cloud.
    • Within this virtual network, twtech has complete control over its environment, including:
      • The selection of twtech's own IP address range,
      • Creation of subnets,
      • Configuration of route tables and network gateways.

Key features & components of an Amazon VPC

    • Subnets: Segments of a VPC's IP address range where twtech can place resources like EC2 instances. 
      • They can be public (accessible from the internet) or private.
    • Internet Gateway: A horizontally scaled, redundant, and highly available VPC component that allows communication between the VPC and the internet.
    • NAT Gateway: Enables resources in a private subnet to connect to the internet or other AWS services while preventing the Public internet from initiating a connection with those resources.
    • Security Groups and Network ACLs (NACLs): Act as virtual firewalls to control inbound and outbound traffic at the instance and subnet levels, respectively.
    • Peering Connections: A networking connection between two VPCs that enables twtech to route traffic between them using private IPv4 or IPv6 addresses.
    • Connectivity Options: twtech can connect its VPC to its own corporate data center using a Site-to-Site VPN or AWS Direct Connect (DX).
NB:
    • Every AWS account comes with a default VPC in each region.
    • The default VPC in each region is pre-configured with a public subnet in each Availability Zone and an attached internet gateway to help twtech get started quickly.

The concept of Amazon VPC (deep dive)

    • Amazon Virtual Private Cloud (VPC) is an isolated, logically separated network within the AWS Cloud.
    • Amazon Virtual Private Cloud (VPC) allows twtech to define and control networking.
    • Amazon Virtual Private Cloud (VPC) therefore controls:
      • IP addressing,
      • Subnets,
      • Route tables,
      • Gateways,
      • Security.

NB:

    • Amazon Virtual Private Cloud (VPC) gives twtech the same kind of control it would have in a traditional on-premises data center.
      • But the control comes with AWS scalability and elasticity.

Core VPC Components

1. CIDR Block

    •  Defines the IP address range for the VPC using Classless Inter-Domain Routing (CIDR) notation.
      • Example: 10.0.0.0/16 provides 65,536 IP addresses.
    • twtech may later decide to add secondary CIDR blocks (IPv4 and IPv6) for IP expansion.

2. Subnets

    • Subdivide the twtech VPC CIDR into smaller ranges.
    • Subnets are tied to a single Availability Zone (AZ).
    • Two main types:
      • Public Subnet: Has a route to the Internet Gateway (IGW).
      • Private Subnet: Has no direct route to the internet.
        • A Private Subnet can use a NAT Gateway for outbound internet access.

3. Route Tables

    • Control network traffic routing.
    • Each subnet must be associated with exactly one route table.
    • Routes can target:
      •    Local VPC traffic
      •    Internet Gateway
      •    NAT Gateway
      •    Transit Gateway
      •    VPC Peering Connection
      •    VPN Connection
      •    AWS PrivateLink / VPC Endpoint

4. Internet Gateway (IGW)

    • Horizontally scaled, redundant gateway that allows internet access for public subnets.

5. NAT Gateway / NAT Instance

    • Provides outbound internet access for private subnets without exposing them inbound.
    • NAT Gateway is fully managed, supports multi-AZ high availability, and scales automatically.

6. VPC Endpoints (PrivateLink)

    • Enables private connectivity to AWS services (like S3, DynamoDB, etc.) without using IGW/NAT/VPN.
      •  Two types of VPC Endpoints:
        •    Interface Endpoint (ENI-based, PrivateLink)
        •    Gateway Endpoint (for S3, DynamoDB)

7. Elastic Network Interface (ENI)

    • A virtual network card that can be attached to EC2 instances.
    • Useful for:
      •    Network separation
      •    Failover, e.g., moving an Elastic Network Interface (ENI) between instances.
      •    Multi-homed configurations

8. Security Controls

a. Security Groups (SGs)

    • Stateful firewalls at the instance level.
    • Allow inbound/outbound rules; return traffic is automatically allowed.

b. Network ACLs (NACLs)

    • Stateless firewalls at the subnet level.
    • Evaluate inbound and outbound rules separately.
    • Order-based rules (evaluated from lowest to highest).
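Added example (not the post's code, and a simplified model rather than the AWS implementation): a small simulator of how a NACL walks its rules from the lowest number upward, stops at the first match, and falls through to the implicit deny, which also shows why a stateless NACL needs an explicit outbound rule for return traffic on ephemeral ports. The rule dictionaries and port ranges are constructed; the corporate range 203.0.113.0/24 is the one used in the CIDR post above.

```python
import ipaddress

# Added example (not from the original post): minimal model of NACL evaluation.
# Rules are numbered; the lowest number is checked first and the first match
# wins; if nothing matches, the implicit final rule ("*") denies the packet.


def nacl_evaluate(rules: list, cidr_key: str, addr: str, port: int) -> tuple:
    """Return (rule_number, action) of the first rule matching addr and port."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r["number"]):
        lo, hi = rule["ports"]
        if ip in ipaddress.ip_network(rule[cidr_key]) and lo <= port <= hi:
            return rule["number"], rule["action"]
    return "*", "deny"  # implicit deny at the end of every NACL


def check_web_flow(inbound: list, outbound: list, client: str, ephemeral: int) -> dict:
    """Evaluate an HTTPS request and its response separately: NACLs are
    stateless, so the reply to the client's ephemeral port is not auto-allowed."""
    req = nacl_evaluate(inbound, "source", client, 443)
    resp = nacl_evaluate(outbound, "destination", client, ephemeral)
    return {"request": req, "response": resp}


# Constructed rule sets: allow HTTPS only from the corporate range, deny the
# rest inbound; outbound allows return traffic on ephemeral ports (or forgets to).
INBOUND = [
    {"number": 100, "action": "allow", "source": "203.0.113.0/24", "ports": (443, 443)},
    {"number": 200, "action": "deny",  "source": "0.0.0.0/0",      "ports": (0, 65535)},
]
OUTBOUND_OK = [
    {"number": 100, "action": "allow", "destination": "0.0.0.0/0", "ports": (1024, 65535)},
]
OUTBOUND_MISSING_EPHEMERAL = []  # responses will hit the implicit deny

if __name__ == "__main__":
    print(check_web_flow(INBOUND, OUTBOUND_OK, "203.0.113.10", 50000))
    print(check_web_flow(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "203.0.113.10", 50000))
    print(nacl_evaluate(INBOUND, "source", "198.51.100.7", 443))  # (200, 'deny')
```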

VPC Connectivity Options, Description & Use Cases

Connectivity Type     Description                                     Use Case
Internet Gateway      Public internet access                          Public-facing apps
NAT Gateway           Private -> public outbound                      Private workloads needing updates
VPC Peering           Connects two VPCs privately                     Same or different accounts/regions
Transit Gateway       Hub-and-spoke multi-VPC routing                 Enterprise-scale multi-VPC networks
PrivateLink           Private access to services over AWS backbone    SaaS/private API access
VPN Connection        IPsec tunnels between on-prem and VPC           Hybrid connectivity
Direct Connect (DX)   Dedicated private fiber connection              Low-latency hybrid workloads

Security & Isolation Features

    • Flow Logs: Capture metadata about network traffic.
      • Captured metadata can be sent to CloudWatch or S3 for Monitoring & observability.
    • VPC Traffic Mirroring: Copy traffic from ENIs for inspection.
    •  Prefix Lists: Centralize and simplify routing and security rule management.
    •  Network Firewall / Gateway Load Balancer (GWLB): For deep packet inspection, intrusion detection, etc.
    •  Egress-Only Internet Gateway (for IPv6): Allows outbound IPv6 but no inbound.

Common VPC Design Patterns

1. Public + Private Subnet Model

    •   Public Subnet: Load balancers, bastion hosts
    •   Private Subnet: App servers, databases
    •   NAT Gateway in public subnet for outbound traffic from private subnets

2. Three-Tier Architecture

    • Web Tier (Public)
    • App Tier (Private)
    • DB Tier (Private, no internet)

3. Hub-and-Spoke with Transit Gateway

    •  Centralized connectivity model where multiple VPCs connect through a Transit Gateway (TGW).

4. Shared VPC

    • Multiple AWS accounts share subnets within a centrally managed VPC.
    • Useful for multi-account organizations using AWS Organizations and Service Control Policies (SCPs).

Advanced Topics with Hybrid Networking

    • Combine VPC + On-Prem using:
      • AWS Direct Connect (DX)
      • Site-to-Site VPN
      • Transit Gateway for central management

Advanced Topics with IPv6 Dual-Stacking

    • Assign both IPv4 and IPv6 CIDRs.
    • IPv6 routing uses Egress-Only Internet Gateway for outbound-only internet access.

Advanced Topics with VPC Lattice

    • Application-level networking across VPCs and accounts.
    • Offers service discovery, auth, traffic policies, and monitoring at the app layer.

Advanced Topics with DNS in VPC

    • AmazonProvidedDNS for name resolution.
    • Route 53 Resolver for custom DNS forwarding between on-prem and AWS.

Operational Best Practices & Recommendations

Area                Recommendation
IP Planning         Reserve address space for growth; avoid overlap with on-prem
High Availability   Distribute subnets across multiple AZs
Security            Use least-privilege SGs and NACLs; enable Flow Logs
Monitoring          Integrate with CloudWatch, GuardDuty, and AWS Config
Automation          Use IaC (Terraform / CloudFormation / CDK) for VPC setup
Cost Optimization   Reuse NAT Gateways; minimize cross-AZ traffic

Sample-Reference-Architectures



Project: Hands-On

  • How twtech creates a Custom VPC within its Environment.
  • Search for aws service: VPC

  • Create VPC:

Create VPC

A VPC is an isolated portion of the AWS Cloud populated by AWS objects, such as Amazon EC2 instances.

  • How twtech calculates the number of addresses for a CIDR block from website:

https://www.ipaddressguide.com/cidr

Create VPC:

  • How twtech adds CIDR blocks to a Custom VPC: Select the custom VPC and click Open to edit CIDRs

  • Add new IPv4 CIDR: 10.0.0.1/24





