Just wanted to mention that a /28 will only provide you with 11 IP’s not 16 because AWS reserves the first 4 IP’s and the last IP.
Technically, it only reserves the first three IPs in the subnet. The subnet mask address (.0) and the broadcast (.255) are never available via DHCP. OP is not wrong. I’m just clarifying.
From documentation, this is considered the most correct answer:
The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
10.0.0.0: Network address.
10.0.0.1: Reserved by AWS for the VPC router.
10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two; however, we also reserve the base of each subnet range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. For more information, see Amazon DNS Server.
10.0.0.3: Reserved by AWS for future use.
10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.