AWS Certified Solutions Architect - Professional 2020


Question confuses “invalid addresses” and “unusable addresses”

"Which of these CIDR blocks and/or IP addresses are invalid for a private VPC or subnet on AWS? (Choose 2)



3. with subnet mask


Not only is the question confused, but the explanation for the answers is confused.

All of the addresses are "valid" IP addresses or CIDR blocks

[1] is a valid IP address, and provided it is ANY prefix shorter than /24 it is usable in a private subnet (You can pick any prefix length between 16 and 29 for subnets–you aren’t limited to using /16 or /24)

[2] is a valid IP address but can only be used as an external target (such as in a "nameserver" entry in a resolv.conf file)– it can’t be used to number a host in a VPC or subnet

[3] is a perfectly VALID IP address and subnet mask and it is in fact used by resources in the VPC to refer to the internal DNS server; but you can’t number a host in the VPC with that address

[4] is a perfectly VALID CIDR block but can’t be USED in VPCs because the prefix (/15) is shorter than AWS allows.

It may be that these questions come from AWS material or actual tests, but people who have a networking background that predates AWS’s misnomers may well get tripped up on this sort of confused terminology.

Another bit of trivia: all the private network blocks are described in RFC1918, and are often referred to as "RFC 1918 addresses:" 10/8, 172.16/12, and 192.168/16.
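To make the valid-versus-usable distinction above concrete, here is an added Python checker (not code from the original thread or from AWS). It assumes AWS's documented IPv4 limits of /16 to /28 for VPC and subnet blocks, and the five addresses AWS reserves in every subnet (network, VPC router at base+1, DNS at base+2, base+3 for future use, and the broadcast address).

```python
import ipaddress

# Assumed AWS limits on IPv4 VPC and subnet CIDR prefix length.
VPC_MIN_PREFIX = 16
VPC_MAX_PREFIX = 28

# The three RFC 1918 private blocks mentioned in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_cidr(cidr: str) -> dict:
    """Separate 'is this a valid CIDR block' from 'can AWS use it as a VPC/subnet block'."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)  # allow host bits set, e.g. 10.0.0.5/24
    except ValueError:
        return {"valid": False, "usable": False, "reason": "not a valid CIDR block"}
    if not isinstance(net, ipaddress.IPv4Network):
        return {"valid": True, "usable": False, "reason": "IPv4 only in this checker"}
    if net.prefixlen < VPC_MIN_PREFIX:
        return {"valid": True, "usable": False,
                "reason": f"prefix /{net.prefixlen} is shorter than /{VPC_MIN_PREFIX}"}
    if net.prefixlen > VPC_MAX_PREFIX:
        return {"valid": True, "usable": False,
                "reason": f"prefix /{net.prefixlen} is longer than /{VPC_MAX_PREFIX}"}
    # Publicly routable blocks are allowed too; just record whether it is RFC 1918.
    private = any(net.subnet_of(r) for r in RFC1918)
    return {"valid": True, "usable": True, "rfc1918": private, "reason": "ok"}


def reserved_addresses(subnet: str) -> dict:
    """Addresses AWS reserves in every subnet; valid addresses, but not assignable to hosts."""
    net = ipaddress.ip_network(subnet)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),        # the internal DNS server address
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def host_usable(address: str, subnet: str) -> bool:
    """True only if the address lies in the subnet and is not one of the reserved ones."""
    net = ipaddress.ip_network(subnet)
    addr = ipaddress.ip_address(address)
    return addr in net and str(addr) not in reserved_addresses(subnet).values()
```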


Hi there, I concur with the sentiment that the question is ambiguous. Though I think the provided answers are right, however not for the reasons provided in the answers section. As according to You can create a VPC with a publicly routable CIDR block that falls outside of the private IPv4 address ranges specified in RFC 1918; Based on that you could create for example where ( is valid), though I can’t think of any valid use case for a config like that…

1 Answers

Hi Arob,

Again, I’ll reiterate the same answer as before.  This is an exam prep course so we must use similar terms as the AWS exam.  From a VPC standpoint, those addresses can’t be used…call them invalid (in the context of a VPC) or unusable.  Doesn’t matter.  They aren’t available to assign out.



Neither is


The same answer as before is "we will continue to propagate wrong information because AWS." I performed QA in the CISSP, CSSLP, CGEIT, and CISM exams as an ISC2 member and ISACA board member between 2004 and 2010. When someone pointed out basic errors like this, we amended the tests and the training materials. Consider doing the same.
