AWS The CIDR is invalid

I’m just starting my terraform journey.

I have defined a VPC with a CIDR of 10.0.11.0/24. I now want to create subnets within it, but some are returning an invalid CIDR when I run apply. These are the subnets I am trying:
10.0.11.0/29 - invalid
10.0.11.8/29 - invalid
10.0.11.16/29 - invalid
10.0.11.32/28 - OK
10.0.11.48/28 - OK
10.0.11.64/28 - OK
10.0.11.80/29 - invalid
10.0.11.88/29 - invalid
10.0.11.96/29 - invalid

Any idea why AWS would flag these as invalid?

Thanks

Hi @pjbeard99,

According to Subnet Sizing, 28 bits is the maximum prefix length for an IPv4 subnet.

This decision was made by engineers at AWS and so I can only speculate as to what the reasons might be, but I’d note that a 28-bit subnet prefix leaves room for only 16 unique host addresses, or 14 if you subtract the conventional network and broadcast addresses.

Perhaps the designers of VPC concluded that a longer prefix would be too constraining. Your 29-bit prefix would have only 8 (or 6) distinct host addresses, and it’s worth noting that some resources other than EC2 instances also consume private IP addresses in your subnet, so an address space that small would be very constraining.

Hi @apparentlymart,

Thanks for replying. I never thought AWS would not allow a valid subnet.

I intended the /29 subnets to be for NLBs and RDS. It’s a single application VPC so thought they’d be fine.

Anyway, sorted now.

Many thanks.

Great!

Looking again at that AWS documentation now that I have a little more time to study it more closely, I notice that they describe five different reserved host numbers in each subnet:

  • 0: Network address.
  • 1: The VPC router
  • 2: Reserved for a possible VPC DNS server, if this subnet happens to be at the start of the address range of the containing VPC.
  • 3: Reserved for future use
  • 255: The broadcast address

So if you subtract these five reservations, a /29 subnet would only have three unique addresses left for your own use. I imagine there are some specialized cases where that would be enough, but I’d guess that the VPC engineers concluded that people would be tempted to set up small subnets and then later realize they needed more space and be stuck; making the minimum be 16-5=11 addresses is still pretty tight but gives a little more room for a small amount of growth beyond initial expectations.
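A pre-apply check, added here as an example and not code from this thread, that applies the two rules discussed above (the /28 prefix-length limit and the five reserved host numbers) to the poster's planned subnet list and also flags overlapping ranges; the /16 lower bound is taken from AWS's VPC sizing documentation rather than from the thread.

```python
import ipaddress

# AWS IPv4 subnet prefix-length bounds: /28 is the longest (as the thread says);
# the /16 lower bound comes from AWS's VPC sizing documentation.
MIN_PREFIX = 16
MAX_PREFIX = 28
# Host numbers AWS reserves in every subnet: the first four and the last.
RESERVED_PER_SUBNET = 5


def check_subnet(vpc_cidr, subnet_cidr):
    """Return (ok, reason) for a planned subnet inside the given VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    try:
        # strict=True rejects CIDRs with host bits set, e.g. 10.0.11.36/28
        subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    except ValueError as exc:
        return False, f"malformed CIDR: {exc}"
    if not subnet.subnet_of(vpc):
        return False, f"{subnet} lies outside VPC {vpc}"
    if subnet.prefixlen > MAX_PREFIX:
        return False, f"/{subnet.prefixlen} is longer than the /{MAX_PREFIX} AWS maximum"
    if subnet.prefixlen < MIN_PREFIX:
        return False, f"/{subnet.prefixlen} is shorter than the /{MIN_PREFIX} AWS minimum"
    return True, "ok"


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps: network, router, DNS, future use, broadcast."""
    net = ipaddress.ip_network(subnet_cidr)
    first = net.network_address
    return [str(first + i) for i in range(4)] + [str(net.broadcast_address)]


def usable_addresses(subnet_cidr):
    """Addresses left for your own resources after AWS's reservations."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def find_overlaps(subnet_cidrs):
    """Pairs of planned subnets whose ranges collide; AWS will not create both in one VPC."""
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # The poster's VPC and the nine subnets listed in the thread.
    vpc = "10.0.11.0/24"
    planned = ["10.0.11.0/29", "10.0.11.8/29", "10.0.11.16/29", "10.0.11.32/28", "10.0.11.48/28",
               "10.0.11.64/28", "10.0.11.80/29", "10.0.11.88/29", "10.0.11.96/29"]
    for cidr in planned:
        ok, reason = check_subnet(vpc, cidr)
        print(f"{cidr:16} {'OK' if ok else 'invalid'}: {reason}; usable={usable_addresses(cidr)}")
    print("overlaps:", find_overlaps(planned))
```

Running it against the thread's list reproduces the apply result: the three /28 subnets pass and every /29 is rejected for exceeding the /28 maximum.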