Designing a VPC and choosing the right CIDR: The last guide you need

Tushar Parasrampuria
4 min read · Jan 19, 2024


The very first step in designing your application's infrastructure is designing your VPC plan. The VPC forms the base of any application, and a well-designed VPC helps in building a secure and resilient infrastructure.

A properly designed VPC plan has two goals:

  • It meets the communication requirements of VPC instances.
  • It maintains flexibility for future growth.

In this blog, I will give an example of designing the addressing plan for a 3-tiered web application, in which each tier is supported by multiple zones. If you want to set up a 3-tier application, do check my blog on 3-tier application setup.

For the purpose of this blog, I am going to consider the same 3-tier application that was used in the previous blog, with one change: we will be considering a highly available setup.

Before we delve into the details, let's take a step back to understand the basics.

What is VPC?

A VPC is a virtually isolated network in the cloud in which you can provision your cloud resources. It is logically isolated from other virtual networks, giving your application a network of its own.

What is a subnet?

A subnet is a logical segment of your VPC that allows you to isolate resources. It is a smaller isolated network within a larger network (the VPC).

What is CIDR?

CIDR stands for Classless Inter-Domain Routing, a method of allocating IP addresses that defines the address range of a VPC or a subnet. In simpler terms, CIDR is how you decide the size of your VPC and/or subnets, and therefore how many resources can be allocated to them.

To understand this entire concept, think of where you live as a large society with multiple multi-storey buildings. Each floor in each building has multiple flats/homes. Now, the society represents the VPC. Each building in the society represents a different subnet in the VPC. Each flat in a building represents a resource and its IP address in the subnet. And collectively, all the flat numbers represent the CIDR that forms the entire society, aka the VPC.

Now that we are familiar with the basics, let's understand a few critical details.

Private and Public VPC

When you create a private VPC, it is recommended that you specify a CIDR block from the private IPv4 address ranges specified in RFC 1918:

  • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)

You can create a public VPC using a CIDR block that falls outside of the private IPv4 address ranges specified in RFC 1918.

Design considerations and Determining each tier’s subnet size

In designing the VPC plan for an application, the primary consideration is that the CIDR block of each subnet belongs to a single zone: a subnet does not span zones, so every zone needs subnets of its own.

For our sample 3-tier application, we need one subnet each for the Presentation, Logic, and Data tiers. Our application is highly available, with each tier having a presence in each zone. So each zone requires three subnets.

Another consideration is the number of available addresses that a subnet might need for future scaling. The below table lists the number of available addresses based on CIDR block size:

Further, consider the following information regarding subnet size:

  • The Data tier is the least likely to need dynamic scaling, so these subnets are the smallest. That is, these subnets can contain the least number of available addresses. This example uses a /27 CIDR block, which allows for 30 addresses in this tier.
  • The Logic tier is the most likely to need dynamic scaling, so these subnets are the largest. That is, they must contain the greatest number of available addresses. This example uses a /25 CIDR block, which allows for 124 addresses in this tier.
  • The Presentation tier doesn't need as many addresses as the Logic tier, but it needs more than the Data tier does. This example uses a /26 CIDR block, which allows for 62 addresses in this tier.

Combining the Subnets and determining the VPC CIDR

Now, let's combine the number of IP addresses required for all the subnets across the zones. We need a CIDR size that's large enough to accommodate all three subnets in each zone and still leave room for future expansion.

A /22 CIDR prefix is the smallest prefix into which these subnets can be combined across the three zones: (30 + 124 + 62) × 3 = 648 addresses, and a /22 holds 1,024. Select the next larger CIDR size, not the smallest one: assigning the next larger size (/21) allows for future expansion. So we select our VPC CIDR as 10.0.0.0/21.

Now, we can assign the actual CIDR prefixes, one for each subnet.
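The following script is an added example and is not code from the original post. It carries the plan above through in working code: it checks that the chosen VPC CIDR lies inside an RFC 1918 range, computes usable host counts per prefix length under two conventions (the classic IPv4 rule of losing the network and broadcast address, and AWS's rule of reserving five addresses per subnet), derives the smallest prefix that fits a given address demand, and then carves 10.0.0.0/21 into one subnet per tier per zone using the post's /25, /26 and /27 sizes. The three-zone count, the per-zone block layout and all function names are this example's own assumptions.

```python
"""Addressing plan for the 3-tier, multi-zone layout described above.

Added example, not code from the original post. It uses the post's tier
prefixes (/25 logic, /26 presentation, /27 data) and its VPC CIDR
10.0.0.0/21; the three-zone count, the per-zone block layout and the
function names are assumptions made for this example.
"""
import ipaddress
import math

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Prefix length per tier, taken from the post.
TIER_PREFIXES = {"presentation": 26, "logic": 25, "data": 27}

# Addresses a subnet cannot hand to hosts. Plain IPv4 loses the network and
# broadcast address (2); AWS additionally reserves the VPC router, the DNS
# resolver and one spare address, five in total.
RESERVED = {"classic": 2, "aws": 5}


def is_rfc1918(cidr: str) -> bool:
    """True if the block lies entirely inside one RFC 1918 private range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(r) for r in RFC1918)


def usable_hosts(prefix: int, convention: str = "classic") -> int:
    """Host addresses left in a /prefix subnet after the reservation."""
    return 2 ** (32 - prefix) - RESERVED[convention]


def prefix_for(addresses: int) -> int:
    """Longest prefix whose block still holds `addresses` addresses."""
    return 32 - math.ceil(math.log2(addresses))


def carve(block: ipaddress.IPv4Network, prefixes: dict) -> dict:
    """Allocate one subnet per name inside `block`, largest first.

    Largest-first keeps every start address aligned to the subnet's own
    size, so ipaddress' strict mode never rejects a block. Raises
    ValueError if the block is too small instead of overlapping silently.
    """
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    out = {}
    for name, p in sorted(prefixes.items(), key=lambda kv: kv[1]):
        size = 2 ** (32 - p)
        if cursor + size > end:
            raise ValueError(f"{block} cannot hold a /{p} for {name}")
        out[name] = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(cursor)}/{p}", strict=True)
        cursor += size
    return out


def plan_vpc(vpc_cidr: str, zones: int, tiers: dict = TIER_PREFIXES) -> dict:
    """Give each zone its own aligned block, then carve the tiers inside it.

    Returns {zone_index: {tier: IPv4Network}}. Each zone's block is the
    smallest power of two that fits all its tiers, so zone-level routes
    and network ACLs can be written against one prefix per zone.
    """
    if not is_rfc1918(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not an RFC 1918 private range")
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    per_zone = sum(2 ** (32 - p) for p in tiers.values())
    zone_prefix = prefix_for(per_zone)
    if zones * 2 ** (32 - zone_prefix) > vpc.num_addresses:
        raise ValueError(f"{vpc} cannot hold {zones} zones of /{zone_prefix}")
    zone_blocks = list(vpc.subnets(new_prefix=zone_prefix))[:zones]
    return {z: carve(block, tiers) for z, block in enumerate(zone_blocks)}


def overlaps(plan: dict) -> bool:
    """Sanity check: True if any two subnets in the plan share an address."""
    nets = [n for zone in plan.values() for n in zone.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    plan = plan_vpc("10.0.0.0/21", zones=3)
    for zone, subnets in plan.items():
        for tier, net in subnets.items():
            print(f"zone {zone} {tier:13s} {net}  "
                  f"usable: {usable_hosts(net.prefixlen)} classic / "
                  f"{usable_hosts(net.prefixlen, 'aws')} aws")
    print("overlap:", overlaps(plan))
```

With the post's sizes each zone needs 128 + 64 + 32 = 224 addresses, so every zone gets its own /24 (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24) and the Logic, Presentation and Data subnets land at offsets 0, 128 and 192 of that block, leaving a spare /27 per zone and the whole upper half of the /21 for growth. Feeding the script a VPC that is too small, or a tier set that does not fit its zone block, raises a ValueError rather than producing overlapping subnets, which is the failure you want to catch before any route table or security group references the addresses.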

By following this step by step, we were able to carefully design our VPC. We can extend this approach to any application.

Thank You

Thank you for reading through; I hope you learned something new today. In future blogs, I will be writing about Terraform and how we can use the IaC approach to deploy the 3-tier application in AWS. To get notified about the same, please follow me.
