I am learning AWS CloudFormation. Now, I am trying to create a template for VPC and Subnets. I am now creating a VPC.
This is my template:
AWSTemplateFormatVersion: '2010-09-09'
Description: "Template for Networks and IAM Roles"
Resources:
Vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: '10.0.0.0/16'
EnableDnsHostnames: True
EnableDnsSupport: True
What I don't understand here is that CidrBlock. Now, I specified it as, 10.0.0.0/16. To be honest, how does it work exactly. Is setting it as 10.0.0.0/16 always going to work? What is that for? How does that IP address range work exactly? How does it help? How can I determine which value to set for it? Is there a formula to calculate it? How? I saw an existing VPC in my console. The IP address is different.
Also, how can I calculate to split it to assign to subnets?
I am seeking an understanding of the following template, especially Cidr for subnets.
AWSTemplateFormatVersion: '2010-09-09'
Description: "Template for Networks and IAM Roles"
Parameters:
VpcCidr:
Default: '10.0.0.0/16'
Type: String
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
Resources:
Vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VpcCidr
EnableDnsHostnames: True
EnableDnsSupport: True
PublicSubnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref Vpc
CidrBlock: !Select [ 0, !Cidr [ !Ref VpcCidr, 12, 8 ] ]
MapPublicIpOnLaunch: True
AvailabilityZone: !Select
- 0
- Fn::GetAZs: !Ref "AWS::Region"
PublicSubnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref Vpc
CidrBlock: !Select [ 1, !Cidr [ !Ref VpcCidr, 12, 8 ] ]
MapPublicIpOnLaunch: True
AvailabilityZone: !Select
- 0
- Fn::GetAZs: !Ref "AWS::Region"
There are way too many sub-questions to answer each of them individually here. Instead I can write this.
CIDRs for VPC are selected from three common ranges:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
These ranges are used because they are not-routable over the internet.
10.0.0.0/16
- is the most commonly used CIDR used for VPC. This give you 65535 private IP addresses to work with in your VPC.
You commonly divide it to subnets of size /24
, each with 255 private addresses. For example:
If you use the above pattern for VPC and subnets, you don't have to do any calculations or memorize any formals. Of course if you want to have more specific subnets, or subnets of different sizes, you have to learn how to calculate subnets. There are many resources and tools on the internet for that. Examples are:
Update
The template uses intristic function Fn::Cidr.
The construct:
!Cidr [ !Ref VpcCidr, 12, 8 ]
Will create a list of 12 CIDR ranges, of size of /24 (32-8). Each subnet will have 255 addresses. The Select
is used to chose individual CIDRs from the list:
!Select [ 0, !Cidr [ !Ref VpcCidr, 12, 8 ] ] # 10.0.0.0/24
!Select [ 1, !Cidr [ !Ref VpcCidr, 12, 8 ] ] # 10.0.1.0/24
!Select [ 2, !Cidr [ !Ref VpcCidr, 12, 8 ] ] # 10.0.2.0/24
!Select [ 11, !Cidr [ !Ref VpcCidr, 12, 8 ] ] # 10.0.11.0/24
Question 1:
10.0.0.0/16 means you are creating a VPC which has 65,536 available private IP(s) internally in your VPC such you can have EC2 instances having IPs as 10.0.0.4, 10.0.0.5 ... like that.
Note: There are 5 IPs reserved by AWS
10.0.0.0: Network address.
10.0.0.1: Reserved by AWS for the VPC router.
10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.
10.0.0.3: Reserved by AWS for future use.
10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address
To calculate you can use websites to calculate and visualize, such as https://mxtoolbox.com/subnetcalculator.aspx ( I just random pick up it, I'm not author of this)
Please read here for more detail