AWS Certified Solutions Architect - Professional 2020


Which of these CIDR blocks and/or IP addresses are invalid for a private VPC or subnet on AWS

I got the following question and I have to choose two answers.

Which of these CIDR blocks and/or IP addresses are invalid for a private VPC or subnet on AWS

1. 192.168.1.2 255.255.255.0

2. 172.31.3.2

3. 10.2.4.255

4. 8.8.8.8

I answered 2,4 but for some reason the correct answer was 1,2. Why can we not use 192.168.1.2/255, and how can we use 8.8.8.8 in an internal subnet?

1 Answer

There are a few bits missing in your question. I re-visited the quiz to double check the question and the values are:

192.168.1.2 within a /24
172.31.3.2/15
10.2.4.255
8.8.8.8

The easiest one to pick out as being invalid is 172.31.3.2/15. AWS only allows VPCs/subnets to be of size /28 to /16, therefore /15 is invalid. The other 3 are a little trickier and require a bit of thinking.

Instantly I looked at 10.2.4.255 and thought that was invalid, as AWS reserves the broadcast address (last IP), but if you have a VPC of 10.2.0.0/16 and a single subnet with /16, then 10.2.4.255 is not a reserved IP, so it’s valid.

8.8.8.8 is valid, as .8 wouldn’t be any of AWS’s reserved IPs given it’s not one of the first 4 or the last 1, so it’s valid. Whether you should use it is a different story (and you probably should never use it, but that’s beside the point; it’s still technically valid).

Therefore it leaves 192.168.1.2 (within a /24) as invalid. And why is it invalid? It’s the use of the .2 address within the /24 that makes this address invalid. A /24 network has .0 -.4 and .255 reserved, and as 192.168.1.2 is within the reserved range, it is invalid.

So, the invalid addresses/blocks are 192.168.1.2 within a /24 and 172.31.3.2/15.

mev

Slight correction on ".. A /24 network has the .0 -.4 and .255 reserved". It’s .0 -.3 and .255 that’s reserved and invalid, .4 is fine (miscounted :)).
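A small checker for the rules discussed in the answer and the correction above, written with Python's standard ipaddress module as an added example (it is not code from this forum thread or from AWS): it applies the /16 to /28 size limit, flags the five addresses AWS reserves in every subnet (the first four and the last), and has a helper showing which destinations a VPC's local route captures. The subnet sizes it pairs with the quiz addresses (a /24 around 192.168.1.2, a /16 around 10.2.4.255, 8.8.8.0/24 around 8.8.8.8) are assumptions taken from the discussion, not part of the quiz text.

```python
import ipaddress

# AWS limit for IPv4 VPC and subnet CIDR blocks: netmask between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28
# AWS reserves five addresses per subnet: first four plus the broadcast address.
RESERVED_PER_SUBNET = 5


def reserved_addresses(subnet: ipaddress.IPv4Network) -> dict:
    """Map each reserved address of an AWS subnet to the reason it is reserved."""
    base = int(subnet.network_address)
    return {
        ipaddress.IPv4Address(base): "network address",
        ipaddress.IPv4Address(base + 1): "VPC router",
        ipaddress.IPv4Address(base + 2): "Amazon-provided DNS",
        ipaddress.IPv4Address(base + 3): "reserved for future use",
        subnet.broadcast_address: "network broadcast address",
    }


def check_cidr(cidr: str) -> tuple:
    """Return (ok, reason) for a candidate VPC/subnet block such as '10.0.0.0/16'."""
    try:
        # strict=False lets a host address with a mask (172.31.3.2/15) be parsed
        # as its containing network, the way the quiz phrases it.
        net = ipaddress.IPv4Network(cidr, strict=False)
    except ValueError as exc:
        return False, f"not a valid IPv4 CIDR: {exc}"
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        return False, f"/{net.prefixlen} is outside the allowed /16 to /28 range"
    return True, f"{net} is an acceptable VPC/subnet block"


def usable_host_count(cidr: str) -> int:
    """Addresses you can actually assign in a subnet of this size (0 if invalid)."""
    ok, _ = check_cidr(cidr)
    if not ok:
        return 0
    net = ipaddress.IPv4Network(cidr, strict=False)
    return net.num_addresses - RESERVED_PER_SUBNET


def check_host(address: str, subnet_cidr: str) -> tuple:
    """Return (ok, reason) for assigning `address` inside the subnet `subnet_cidr`."""
    ok, why = check_cidr(subnet_cidr)
    if not ok:
        return False, why
    net = ipaddress.IPv4Network(subnet_cidr, strict=False)
    addr = ipaddress.IPv4Address(address)
    if addr not in net:
        return False, f"{addr} is not inside {net}"
    reserved = reserved_addresses(net)
    if addr in reserved:
        return False, f"{addr} is the {reserved[addr]} of {net}"
    # Note: nothing here cares whether the range is RFC 1918; AWS does not require it.
    return True, f"{addr} is assignable in {net}"


def shadowed_by_local_route(destination: str, vpc_cidr: str) -> bool:
    """True when traffic to `destination` matches the VPC's local route.

    Every VPC route table carries a local route for the VPC CIDR, so any
    destination inside that CIDR is delivered inside the VPC; a public host
    sharing that address (e.g. 8.8.8.8 in a VPC using 8.8.8.0/24) is unreachable
    from instances in the VPC.
    """
    return ipaddress.IPv4Address(destination) in ipaddress.IPv4Network(vpc_cidr, strict=False)


if __name__ == "__main__":
    # Assumed pairings of the quiz addresses with subnet sizes (constructed for this example).
    quiz = [
        ("192.168.1.2", "192.168.1.0/24"),
        ("172.31.3.2", "172.31.3.2/15"),
        ("10.2.4.255", "10.2.0.0/16"),
        ("8.8.8.8", "8.8.8.0/24"),
    ]
    for host, subnet in quiz:
        ok, reason = check_host(host, subnet)
        print(f"{'valid  ' if ok else 'INVALID'}  {host:<12} in {subnet:<16} {reason}")
    print("public 8.8.8.8 reachable from a VPC using 8.8.8.0/24:",
          not shadowed_by_local_route("8.8.8.8", "8.8.8.0/24"))
```

Changing the assumed subnet changes the verdict for the last-address case: 10.2.4.255 is valid in a /16 but is the reserved broadcast address of 10.2.4.0/24, which is exactly why the quiz's missing subnet sizes matter.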

Roman Sluzhynskyy

Thanks @mev for the clarification. I got it now: even though 192.168.1.2/24 looks like a correct internal address, in an AWS VPC we cannot use the first 4 IPs. I was very surprised by 8.8.8.8 as an internal IP, but you are right, technically you can use it and it might work in an AWS VPC.

mev

No worries! Yeah, it is quite confusing and a lot of people will get caught out by this. They will recognise that it is the Google DNS and think we can’t use that IP internally. There is nothing stopping us from creating a VPC with the range 8.8.8.0/24 and using 8.8.8.8 as an internal IP. Where it does start to become an issue is when an EC2 in that VPC wants to communicate with 8.8.8.8 (the public Google DNS instead of the private 8.8.8.8 address). This is where it really complicates your network, as the local route is always the preferred route (which will point to the implicit VPC router, and we can’t overwrite the local route per AWS design), therefore it will never reach the public 8.8.8.8 address. Even if you specify a more specific prefix in the route table (such as 8.8.8.8/32 -> IGW) this will not work, as the route preference will choose the local route. So, even though we can technically use this, it is something a Network Administrator should avoid at all costs.

Roman Sluzhynskyy

Thank you so much!
