I got the following question and I have to choose two answers.
Which of these CIDR blocks and/or IP addresses are invalid for a private VPC or subnet on AWS?
1. 192.168.1.2 255.255.255.0
I answered 2,4 but for some reason the correct answer was 1,2. Why can we not use 192.168.1.2/255, and how can we use 18.104.22.168 in the internal subnet?
There are a few bits missing in your question. I re-visited the quiz to double check the question and the values are:
192.168.1.2 within a /24
The easiest one to pick out as invalid is 172.31.3.2/15. AWS only allows VPCs/subnets to be of size /28 to /16, therefore /15 is invalid. The other 3 are a little trickier and require a bit of thinking.
Instantly I looked at 10.2.4.255 and thought that was invalid as AWS reserves the broadcast address (last IP), but if you have a VPC of 10.2.0.0/16 and a single subnet with /16, then 10.2.4.255 is not a reserved IP, so it’s valid.
22.214.171.124 is valid as .8 wouldn’t be any of AWS’s reserved IPs given it’s not one of the first 4 or the last 1, so it’s valid. Whether you should use it is a different story (and you probably should never use it, but that’s beside the point; it’s still technically valid).
Therefore it leaves 192.168.1.2 (within a /24) as invalid. And why is it invalid? It’s the use of the .2 address within the /24 that makes this address invalid. A /24 network has the .0 -.4 and .255 reserved, and as 192.168.1.2 is within the reserved range, it is invalid.
So, the invalid addresses/blocks are 192.168.1.2 within a /24 and 172.31.3.2/15.
Slight correction on ".. A /24 network has the .0 -.4 and .255 reserved". It’s .0 -.3 and .255 that’s reserved and invalid, .4 is fine (miscounted :)).
Thanks @mev for the clarification. I get it now: even though 192.168.1.2/24 looks like a correct internal address, in an AWS VPC we cannot use the first 4 IPs. I was very surprised by 126.96.36.199 as an internal IP, but you are right; technically you can use it and it might work in an AWS VPC.
No worries! Yeah, it is quite confusing and a lot of people will get caught out by this. They will recognise that it is the Google DNS and think we can’t use that IP internally. There is nothing stopping us from creating a VPC with the range 188.8.131.52/24 and using 184.108.40.206 as an internal IP. Where it does start to become an issue is if an EC2 instance in that VPC wants to communicate with 220.127.116.11 (the public Google DNS instead of the private 18.104.22.168 address). This is where it really complicates your network, as the local route is always the preferred route (it points to the implicit VPC router, and we can’t overwrite the local route by AWS design), therefore it will never reach the public 22.214.171.124 address. Even if you specify a more specific prefix in the route table (such as 126.96.36.199/32 -> IGW), this will not work as the route preference will choose the local route. So, even though we can technically use this, it is something a Network Administrator should avoid at all costs.
Thank you so much!