one of the most important “why my subnet ran out of IPs” topics in AWS. Let’s go deep and make it crystal clear.
1) In AWS, a subnet is not just a raw IP range
When you create a subnet (say 10.0.1.0/24), AWS automatically keeps some IPs for the VPC networking plumbing so that routing, DNS and management work reliably.
That’s why AWS says: in every subnet, the first 4 IPs and the last 1 IP are reserved.
So total reserved = 5 IPs per subnet.
2) Example: 10.0.1.0/24 — list the actual reserved IPs
A /24 has:
- Range: 10.0.1.0 to 10.0.1.255 (256 addresses total)
AWS reserves:
- 10.0.1.0 → Network address
  - This identifies the subnet itself.
  - In traditional networking, .0 is the subnet ID.
- 10.0.1.1 → VPC router
  - This is the default gateway for that subnet.
  - Instances route out of the subnet via this implicit router (it is not an ENI you can see or attach to).
- 10.0.1.2 → AWS DNS
  - Reserved for the AWS-provided DNS resolver (Route 53 Resolver). The resolver itself answers at the VPC CIDR base + 2 (10.0.0.2 for a 10.0.0.0/16 VPC) and at 169.254.169.253, but AWS holds the .2 address in every subnet.
  - This matters a lot for private hosted zones, service discovery, EKS, etc.
- 10.0.1.3 → Future use (AWS reserved)
  - AWS keeps this for internal expansion/compatibility.
  - You can't use it.
- 10.0.1.255 → Network broadcast address (the last address)
  - In classic networks, .255 is the broadcast address of a /24.
  - A VPC does not support broadcast at all, but AWS still reserves the last IP in each subnet.
✅ So your usable IP range becomes:
- Usable starts: 10.0.1.4
- Usable ends: 10.0.1.254
Count usable:
- Total = 256
- Reserved = 5
- Usable = 251
3) Why "per subnet" (not per VPC) matters a lot
Every subnet you create loses 5 IPs, so the cost scales with the number of subnets, not with the size of the VPC.
Example: if you have 12 subnets (common in prod: several tiers such as public/private/db spread across 3 AZs):
- Reserved = 12 × 5 = 60 IPs gone immediately.
Not huge in a /16, but very painful in small subnets like /28, /27, /26. A /28 (the smallest AWS allows) has only 16 addresses, so 5 reserved leaves just 11 usable, almost a third of the subnet.
4) How it affects EKS, ALB, NAT, and scaling
This is where teams get hit.
EKS (biggest impact)
- Each Pod gets a VPC IP (with the default VPC CNI, no overlay network)
- Nodes need IPs
- ENIs hold IPs, and the CNI keeps a warm pool of pre-allocated IPs per node, so addresses are consumed before Pods even use them
- Scaling Pods or nodes burns subnet IPs fast
So that "251 usable" can vanish quickly.
NAT Gateway / ALB
- A NAT Gateway lives in a public subnet and takes at least one private IP from it (more if you add secondary IPs)
- An ALB places an ENI in each subnet it is attached to and needs free addresses to scale; AWS requires at least 8 available IPs in each subnet when you create one
You still have 251 usable on paper, but your real headroom shrinks.
5) Quick usable-IP cheat table (AWS reality)
- /28 → 16 - 5 = 11 usable (smallest subnet AWS allows)
- /24 → 256 - 5 = 251 usable
- /23 → 512 - 5 = 507 usable
- /22 → 1024 - 5 = 1019 usable
- /21 → 2048 - 5 = 2043 usable
Notice: AWS always subtracts exactly 5, regardless of subnet size (subnets can be anything from /28 to /16).
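To make the arithmetic above checkable rather than memorised, here is a small helper added to this write-up (it is not AWS code and not from the original answer). It uses only Python's standard ipaddress module; the function names, the 10.0.1.0/24 and 10.0.0.0/16 values and the "12 subnets" layout are constructed for illustration. It lists the five reserved addresses of any IPv4 VPC subnet, returns the usable range and count, rejects prefixes AWS does not allow (/28 is the smallest, /16 the largest), and totals the addresses lost when a VPC is carved into many subnets.

```python
import itertools
import ipaddress

# AWS allows IPv4 subnet sizes from /28 (16 addresses) to /16 (65,536 addresses).
AWS_LARGEST_PREFIX = 16
AWS_SMALLEST_PREFIX = 28
AWS_RESERVED_PER_SUBNET = 5


def _subnet(cidr: str) -> ipaddress.IPv4Network:
    """Parse a subnet CIDR and reject sizes AWS will not create."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # strict: host bits must be zero
    if not AWS_LARGEST_PREFIX <= net.prefixlen <= AWS_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    return net


def aws_reserved_addresses(cidr: str) -> dict:
    """Return the five addresses AWS reserves in every IPv4 VPC subnet."""
    net = _subnet(cidr)
    base = int(net.network_address)
    return {
        "network": str(ipaddress.IPv4Address(base)),          # subnet ID
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),   # implicit router / default gateway
        "dns": str(ipaddress.IPv4Address(base + 2)),          # held for the AWS DNS resolver
        "future_use": str(ipaddress.IPv4Address(base + 3)),   # reserved by AWS
        "broadcast": str(net.broadcast_address),              # last address, VPC has no broadcast
    }


def aws_usable_range(cidr: str) -> tuple:
    """Return (first_usable, last_usable, usable_count) for a subnet."""
    net = _subnet(cidr)
    first = ipaddress.IPv4Address(int(net.network_address) + 4)
    last = ipaddress.IPv4Address(int(net.broadcast_address) - 1)
    return str(first), str(last), net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, subnet_prefix: int, tiers: int, azs: int) -> dict:
    """Carve tiers*azs equal subnets out of the VPC and report what the reservation costs."""
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    needed = tiers * azs
    # islice avoids materialising every candidate (a /16 holds 4096 /28s).
    chosen = list(itertools.islice(vpc.subnets(new_prefix=subnet_prefix), needed))
    if len(chosen) < needed:
        raise ValueError(f"{vpc_cidr} cannot hold {needed} subnets of /{subnet_prefix}")
    return {
        "subnets": [str(n) for n in chosen],
        "reserved_total": needed * AWS_RESERVED_PER_SUBNET,
        "usable_total": sum(n.num_addresses - AWS_RESERVED_PER_SUBNET for n in chosen),
    }


if __name__ == "__main__":
    for cidr in ("10.0.1.0/24", "10.0.1.0/28"):
        print(cidr, aws_reserved_addresses(cidr), aws_usable_range(cidr))
    # The "12 subnets" case from above: 4 tiers across 3 AZs, each a /24.
    plan = plan_subnets("10.0.0.0/16", 24, tiers=4, azs=3)
    print(plan["reserved_total"], "IPs reserved,", plan["usable_total"], "usable")
```

To compare against what AWS itself reports, `aws ec2 describe-subnets --query 'Subnets[].[SubnetId,CidrBlock,AvailableIpAddressCount]' --output table` shows the live free count per subnet; on a freshly created, empty /24 it reads 251, i.e. the five reserved addresses are already subtracted, and the number keeps dropping as ENIs, NAT Gateways, load balancers and Pods take addresses.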
6) The practical rule for designing subnets
- If it's EC2-only small apps, a /24 is usually fine.
- If it's EKS / microservices / MLOps, prefer:
  - private subnets: /22 or /23
  - public subnets can stay /24
  - Because EKS + autoscaling can exhaust IPs unexpectedly.
7) Tiny but critical clarification
You listed "Broadcast" in the 5 items.
In AWS VPC:
- It's not a traditional L2 broadcast domain, but AWS still reserves the last IP in the subnet, and the documentation refers to it as the "network broadcast address" (reserved because broadcast is not supported in a VPC).
So the correct operational takeaway is:
✅ First 4 + last 1 are unusable in every subnet.