DevOps & Cloud 7 min read June 8, 2026

Demystifying CIDR & Subnetting: A Guide for Backend and DevOps Engineers

Understand IP addressing, CIDR blocks, and subnetting. Learn how network masks work, how to calculate host capacities, and how to design clean VPC network layouts.

When setting up a Virtual Private Cloud (VPC) in AWS, Azure, or Google Cloud, the very first field you must fill in is the primary IP address range, written in **CIDR (Classless Inter-Domain Routing)** notation—for example, `10.0.0.0/16`.

For many backend engineers, CIDR notation is something they copy-paste from documentation and hope it works. But understanding subnetting is essential for writing security group and network ACL rules that match exactly the hosts you intend, for peering VPCs or connecting on-premises networks without overlapping address ranges, and for preventing IP exhaustion. Let's break down the binary math of CIDR blocks and subnets.

1. What is an IP Address?

An IPv4 address is a 32-bit number, usually represented as four "octets" separated by dots (e.g., `192.168.1.1`). Each octet represents 8 bits, with a decimal value ranging from 0 to 255.

In networking, an IP address is split into two parts: the **Network Portion** (the leading bits, which route traffic to the correct network) and the **Host Portion** (the trailing bits, which identify the specific machine on that network). The split is not fixed at the octet boundary; it is set by the prefix length, as the next section shows.

2. Enter the Subnet Mask and Slash Notation

A subnet mask tells the router where the network portion ends and the host portion begins.

In CIDR notation, the number after the slash represents how many bits (from left to right) are allocated to the network portion.

  • /24 Notation: A block like `192.168.1.0/24` means the first 24 bits (the first 3 octets) are the network address. Only the last 8 bits (32 - 24 = 8) are available for hosts. The block holds 2 to the power of 8 (2^8 = 256) addresses in total, not all of which are usable (see section 3).
  • /16 Notation: A block like `10.0.0.0/16` means the first 16 bits (first 2 octets) represent the network. The remaining 16 bits are for hosts. The block holds 2^16 = 65,536 addresses in total.

3. Calculating Usable Host IPs

You cannot use every IP address in a subnet range. In standard TCP/IP networking, two IP addresses in each block are reserved:

  1. The Network Address: The very first IP in the block (`.0` in a /24). It identifies the subnet itself and is what routing tables point at.
  2. The Broadcast Address: The very last IP in the block (`.255` in a /24). Used to send a frame to all hosts on the subnet.

Therefore, the formula for usable hosts in a CIDR block is **2^(32 - N) - 2**, where $N$ is the prefix size. For a `/24` block, that leaves $256 - 2 = 254$ usable hosts. The two exceptions are `/31` point-to-point links (RFC 3021) and `/32` host routes, where no network or broadcast address is set aside and every address in the block is usable.

Cloud Provider Exceptions: Cloud platforms like AWS reserve additional IPs. AWS reserves 5 IPs in every subnet: the network address (the first address, `.0` in a /24), the VPC router (`.1`), the Amazon-provided DNS resolver (`.2`), one address held for future use (`.3`), and the last address in the block (`.255` in a /24), which is reserved as the broadcast address even though VPCs do not support broadcast. So a `/24` in AWS yields 251 usable addresses, not 254, and the smallest subnet AWS allows is a `/28` (16 addresses, 11 usable). Keep this in mind when sizing database subnets!
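The following is an added example (not code from the original article) that carries sections 2 and 3 through in Python's standard `ipaddress` module: it derives the mask and host bits from the prefix, lists which addresses a block reserves under classic TCP/IP rules, under the RFC 3021 `/31` and `/32` exceptions, and under AWS's five-address rule, and shows the masked comparison a router performs to decide whether two addresses share a network. The function names, the `cloud` parameter and the sample blocks are assumptions made for the example.

```python
import ipaddress
from typing import Optional


def subnet_summary(cidr: str, cloud: Optional[str] = None) -> dict:
    """Addressing facts for an IPv4 block such as "192.168.1.0/24".

    cloud=None applies classic TCP/IP rules (network + broadcast reserved,
    except for /31 and /32); cloud="aws" applies the five addresses AWS
    reserves in every subnet. Both names are assumptions of this example.
    """
    # strict=False normalises a host address such as 10.1.2.3/24 to its network
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    host_bits = 32 - net.prefixlen
    total = net.num_addresses  # equals 2 ** host_bits

    if cloud == "aws":
        if not 16 <= net.prefixlen <= 28:
            raise ValueError("AWS subnets must be between /16 and /28")
        # .0 network, .1 VPC router, .2 DNS resolver, .3 future use, last = broadcast
        reserved = [str(net.network_address + i) for i in range(4)]
        reserved.append(str(net.broadcast_address))
    elif net.prefixlen >= 31:
        # RFC 3021 point-to-point /31 and /32 host routes: no network/broadcast pair
        reserved = []
    else:
        reserved = [str(net.network_address), str(net.broadcast_address)]

    leading = len(reserved) - 1 if reserved else 0  # reserved addresses at the start
    first_host = net.network_address + leading
    last_host = net.broadcast_address - (1 if reserved else 0)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "netmask_bits": f"{int(net.netmask):032b}",  # the prefix as 1s followed by 0s
        "host_bits": host_bits,
        "broadcast": str(net.broadcast_address),
        "total": total,
        "reserved": reserved,
        "usable": total - len(reserved),
        "first_host": str(first_host),
        "last_host": str(last_host),
    }


def same_network(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """The binary check a router performs: AND both addresses with the mask, compare."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(ip_a))
    b = int(ipaddress.IPv4Address(ip_b))
    return (a & mask) == (b & mask)


if __name__ == "__main__":
    # Constructed sample blocks, matching the ones discussed in the text
    for cidr, cloud in [("192.168.1.0/24", None), ("10.0.0.0/16", None),
                        ("10.0.20.0/24", "aws"), ("10.0.0.0/31", None)]:
        s = subnet_summary(cidr, cloud)
        print(f"{cidr:>16} {cloud or 'classic':>7}: mask {s['netmask']} "
              f"hosts {s['first_host']}-{s['last_host']} usable {s['usable']}")
    print("192.168.1.10 and 192.168.2.10 share a /24:",
          same_network("192.168.1.10", "192.168.2.10", 24))
```

Note that `same_network` is the operation behind every "source is inside this CIDR" decision a firewall or security group makes: the rule's prefix becomes a mask, and only the masked bits are compared, which is why a rule written as `/16` when `/24` was intended silently admits 255 extra subnets.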

4. Sizing Subnets for VPC Layouts

A standard best practice when designing a cloud network is the **Three-Tier VPC Architecture**. Let's split a `/16` network (`10.0.0.0/16`) into smaller subnets, in pairs (typically one per Availability Zone):

  • Public Subnets (`10.0.1.0/24`, `10.0.2.0/24`): Have a route to the Internet Gateway. Used for Load Balancers and NAT Gateways.
  • Private Application Subnets (`10.0.10.0/24`, `10.0.11.0/24`): Contain backend servers. Reachable from the internet only through the load balancers in the public subnets; the instances have no public IPs and send outbound traffic through the NAT Gateway.
  • Isolated Database Subnets (`10.0.20.0/24`, `10.0.21.0/24`): Contain databases. No egress or ingress routes to the internet; only the application subnets should be allowed to reach them.

By planning your CIDR blocks cleanly, you keep subnets from overlapping, which makes it simple to add nodes later and to peer with other VPCs or connect on-premises networks over VPN. Both of those fail, or route ambiguously, when address ranges collide, and overlapping ranges are expensive to renumber once workloads depend on them.
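The following is an added example (not code from the original article) that turns the layout rules of this section into checks a practitioner can run before creating anything: it validates that every subnet sits inside the VPC block and that no two subnets overlap, flags peer or on-premises ranges that collide with the VPC, and carves a `/16` into tiers. The carving goes one step beyond the article's hand-picked `/24`s: it gives each tier its own aggregate block so a single CIDR in a security group or NACL rule can cover the whole tier. The function names, the `LAYOUT` table and the sample remote ranges are assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

VPC_CIDR = "10.0.0.0/16"

# The three-tier layout from the article (constructed example: two subnets per tier)
LAYOUT = {
    "public":   ["10.0.1.0/24", "10.0.2.0/24"],
    "private":  ["10.0.10.0/24", "10.0.11.0/24"],
    "isolated": ["10.0.20.0/24", "10.0.21.0/24"],
}


def _subnets(layout: dict) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Flatten {tier: [cidr, ...]} or {tier: {"subnets": [...]}} into (tier, network) pairs."""
    pairs = []
    for tier, value in layout.items():
        cidrs = value["subnets"] if isinstance(value, dict) else value
        pairs.extend((tier, ipaddress.ip_network(c)) for c in cidrs)
    return pairs


def validate_layout(vpc_cidr: str, layout: dict) -> List[str]:
    """Return human-readable problems: a subnet outside the VPC block, or two
    subnets that overlap. An empty list means the layout is safe to create."""
    vpc = ipaddress.ip_network(vpc_cidr)
    pairs = _subnets(layout)
    problems = []
    for tier, net in pairs:
        if not net.subnet_of(vpc):
            problems.append(f"{tier} {net} is outside {vpc}")
    for i, (t1, n1) in enumerate(pairs):
        for t2, n2 in pairs[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{t1} {n1} overlaps {t2} {n2}")
    return problems


def peering_conflicts(vpc_cidr: str, remote_cidrs: List[str]) -> List[str]:
    """Remote ranges (peer VPCs, on-prem networks reached over VPN) that collide
    with ours and therefore cannot be peered or routed unambiguously."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in remote_cidrs if ipaddress.ip_network(c).overlaps(vpc)]


def plan_tiers(vpc_cidr: str, tiers: List[str], az_count: int,
               tier_prefix: int = 20, subnet_prefix: int = 24) -> Dict[str, dict]:
    """Carve the VPC into one aggregate block per tier, then one subnet per AZ
    inside each aggregate. A tier aggregate such as 10.0.32.0/20 lets one
    security-group or NACL rule refer to the entire tier."""
    vpc = ipaddress.ip_network(vpc_cidr)
    aggregates = vpc.subnets(new_prefix=tier_prefix)  # consecutive, non-overlapping
    plan = {}
    for tier in tiers:
        aggregate = next(aggregates)
        per_az = aggregate.subnets(new_prefix=subnet_prefix)
        plan[tier] = {
            "aggregate": str(aggregate),
            "subnets": [str(next(per_az)) for _ in range(az_count)],
        }
    return plan


if __name__ == "__main__":
    print("article layout problems:", validate_layout(VPC_CIDR, LAYOUT) or "none")
    # Constructed remote ranges: a partner VPC and two on-prem networks
    print("cannot peer with:", peering_conflicts(VPC_CIDR, ["10.0.5.0/24", "172.16.0.0/12"]))
    for tier, block in plan_tiers(VPC_CIDR, ["public", "private", "isolated"], 2).items():
        print(f"{tier:>9} {block['aggregate']:>14} -> {block['subnets']}")
```

Run this in CI against the Terraform or CloudFormation variables that define the network, so an overlapping or out-of-range subnet is caught at review time rather than after a peering request is rejected.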
