REL02-BP03 Ensure IP subnet allocation accounts for expansion and availability
Amazon VPC IP address ranges must be large enough to accommodate workload requirements, including factoring in future expansion and allocation of IP addresses to subnets across Availability Zones. This includes load balancers, EC2 instances, and container-based applications.
When you plan your network topology, the first step is to define the IP address space itself. Private IP address ranges (following RFC 1918 guidelines) should be allocated for each VPC. Accommodate the following requirements as part of this process:
- Allow IP address space for more than one VPC per Region.
- Within a VPC, allow space for multiple subnets that span multiple Availability Zones.
- Always leave unused CIDR block space within a VPC for future expansion.
- Ensure that there is IP address space to meet the needs of any transient fleets of EC2 instances that you might use, such as Spot Fleets for machine learning, Amazon EMR clusters, or Amazon Redshift clusters.
- Note that the first four IP addresses and the last IP address in each subnet CIDR block are reserved and not available for your use.
- You should plan on deploying large VPC CIDR blocks. Note that the initial VPC CIDR block allocated to your VPC cannot be changed or deleted, but you can add additional non-overlapping CIDR blocks to the VPC. Subnet IPv4 CIDRs cannot be changed; however, IPv6 CIDRs can. Keep in mind that deploying the largest VPC possible (/16) results in over 65,000 IP addresses. In the base 10.x.x.x IP address space alone, you could provision 255 such VPCs. You should therefore err on the side of being too large rather than too small to make it easier to manage your VPCs.
Common anti-patterns:
- Creating small VPCs.
- Creating small subnets and then having to add subnets to configurations as you grow.
- Incorrectly estimating how many IP addresses an Elastic Load Balancer can use.
- Deploying many high-traffic load balancers into the same subnets.
Benefits of establishing this best practice: This ensures that you can accommodate the growth of your workloads and continue to provide availability as you scale up.
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
Plan your network to accommodate for growth, regulatory compliance, and integration with others. Growth can be underestimated, regulatory compliance can change, and acquisitions or private network connections can be difficult to implement without proper planning.
- Select relevant AWS accounts and Regions based on your service requirements, latency, regulatory, and disaster recovery (DR) requirements.
- Identify your needs for regional VPC deployments.
- Identify the size of the VPCs.
- Determine if you are going to deploy multi-VPC connectivity.
- Determine if you need segregated networking for regulatory requirements.
- Make VPCs as large as possible. The initial VPC CIDR block allocated to your VPC cannot be changed or deleted, but you can add additional non-overlapping CIDR blocks to the VPC. This however may fragment your address ranges.
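The planning requirements above (one subnet per tier per Availability Zone, five reserved addresses per subnet, spare CIDR space for growth, and non-overlapping secondary CIDR blocks) can be checked before anything is created. The following is an added example, not code from AWS or from this guidance; it uses only Python's standard `ipaddress` module. The tier names, Availability Zone labels, VPC ranges and prefix lengths are constructed for illustration and are not prescribed by the page.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet CIDR block.
RESERVED_PER_SUBNET = 5


def usable_addresses(subnet):
    """Addresses left for ENIs after AWS's five reserved addresses."""
    net = ipaddress.ip_network(subnet)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


def plan_subnets(vpc_cidr, tiers, azs, subnet_prefix):
    """Carve one /subnet_prefix subnet per (tier, AZ) pair out of vpc_cidr.

    Subnets are handed out in address order. Whatever is not consumed is
    returned as spare blocks so the caller can see how much expansion room
    remains. Raises ValueError when the VPC is too small for the layout,
    which is the "small VPC" anti-pattern caught before deployment.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[(tier, az)] = next(pool)
            except StopIteration:
                raise ValueError(
                    f"{vpc} cannot hold {len(tiers) * len(azs)} "
                    f"/{subnet_prefix} subnets"
                )
    spare = list(pool)  # blocks left free for future expansion
    return plan, spare


def spare_fraction(vpc_cidr, spare):
    """Fraction of the VPC's address space still unallocated."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return sum(s.num_addresses for s in spare) / vpc.num_addresses


def fits(subnet, peak_hosts):
    """True if the subnet can hold peak_hosts ENIs at once,
    e.g. a Spot Fleet burst plus load balancer nodes."""
    return usable_addresses(subnet) >= peak_hosts


def non_overlapping(existing_cidrs, new_cidr):
    """True if new_cidr can be added as a secondary VPC CIDR
    without overlapping any block already attached."""
    new = ipaddress.ip_network(new_cidr)
    return not any(ipaddress.ip_network(c).overlaps(new) for c in existing_cidrs)


if __name__ == "__main__":
    # Constructed layout: three tiers across three AZs in a /16, /20 subnets.
    tiers = ["public", "private", "data"]
    azs = ["a", "b", "c"]
    plan, spare = plan_subnets("10.0.0.0/16", tiers, azs, 20)
    for (tier, az), net in plan.items():
        print(f"{tier:8s} {az}: {net}  usable={usable_addresses(net)}")
    print(f"spare blocks: {len(spare)} "
          f"({spare_fraction('10.0.0.0/16', spare):.0%} of the VPC)")
    # A /28 only yields 11 usable addresses once the five reserved are removed.
    print("/28 fits 12 hosts?", fits("10.0.0.0/28", 12))
    print("can add 10.1.0.0/16?", non_overlapping(["10.0.0.0/16"], "10.1.0.0/16"))
```

Running the script prints each subnet with its usable address count, the share of the VPC left for growth, and whether a proposed secondary CIDR block overlaps what is already attached. Tune the prefix length until the spare fraction leaves the headroom your growth estimate needs; shrinking subnets later is not an option, since subnet IPv4 CIDRs cannot be changed.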