AWS Certified Solutions Architect - Professional 2020


Which of these CIDR blocks and/or IP addresses are invalid for a private VPC or subnet on AWS

I got the following question and I have to choose two answers.

Which of these CIDR blocks and/or IP addresses are invalid for a private VPC or subnet on AWS





I answered 2,4 but for some reason, the correct answer was 1,2. Why can we not use and how can we use in the internal subnet?

1 Answer

There are a few bits missing in your question. I re-visited the quiz to double-check the question, and the values are: within a /24

The easiest one to pick out as invalid is that AWS only allows VPCs/subnets to be of size /28 to /16, therefore /15 is invalid. The other 3 are a little trickier and require a bit of thinking.

Instantly I looked at and thought that was invalid as AWS reserves the broadcast address (last IP), but if you have a VPC of and a single subnet with /16, then is not a reserved IP, so it’s valid. is valid as .8 wouldn’t be any of AWS’s reserved IPs, given it’s not one of the first 4 or the last 1, so it’s valid. Whether you should use it is a different story (and you probably should never use it, but that’s beside the point; it’s still technically valid).

Therefore it leaves (within a /24) as invalid. And why is it invalid? It’s the use of .2 address within the /24 that makes this address invalid. A /24 network has the .0 -.4 and .255 reserved and as is within the reserved range, it is invalid.

So, the invalid addresses/blocks are within a /24 and


Slight correction on ".. A /24 network has the .0 -.4 and .255 reserved". It’s .0 -.3 and .255 that’s reserved and invalid, .4 is fine (miscounted :)).

Roman Sluzhynskyy

Thanks @mev for the clarification. I got it now: even though /24 looks like a correct internal address, in an AWS VPC we can not use the first 4 IPs. I was very surprised with as an internal IP, but you are right, technically you can use it and it might work in an AWS VPC.


No worries! Yeah, it is quite confusing and a lot of people will get caught out by this. They will recognise that is the Google DNS and think we can’t use that IP internally. There is nothing stopping us from creating a VPC with the range and using as an internal IP. When it does start to become an issue is when an EC2 in that VPC wants to communicate with (the public Google DNS instead of the private address). This is where it really complicates your network, as the local route is always the preferred route (which will point to the implicit VPC router, and we can’t overwrite the local route per AWS design), therefore it will never reach the public address. Even if you specify a more specific prefix in the route table (such as -> IGW) this will not work, as the route preference will choose the local route. So, even though we can technically use this, it is something a Network Administrator should avoid at all costs.

Roman Sluzhynskyy

Thank you so much!
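As an added example (not code from the thread or from AWS), here is a small Python check that implements the two rules mev describes: a VPC or subnet block must be between /16 and /28, and the first four addresses plus the last address of every subnet are reserved. The sample addresses are constructed for illustration, not the quiz's own values.

```python
import ipaddress

# AWS allows VPC and subnet blocks from /16 down to /28 (from the answer above).
MIN_PREFIX, MAX_PREFIX = 16, 28


def cidr_is_valid(cidr: str) -> bool:
    """True if cidr is an IPv4 block whose prefix length is /16 to /28.

    Host-bit alignment is not checked here (strict=False), only the size rule.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.version == 4 and MIN_PREFIX <= net.prefixlen <= MAX_PREFIX


def reserved_addresses(subnet: str) -> set:
    """The five addresses AWS reserves in a subnet: the first four and the last."""
    net = ipaddress.ip_network(subnet, strict=False)
    first = int(net.network_address)
    return {ipaddress.ip_address(first + i) for i in range(4)} | {net.broadcast_address}


def ip_is_usable(ip: str, subnet: str) -> bool:
    """True if ip lies inside subnet and is not one of the reserved addresses."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(subnet, strict=False)
    return addr in net and addr not in reserved_addresses(subnet)


if __name__ == "__main__":
    # Constructed samples mirroring the cases discussed in the thread.
    print("10.0.0.0/15 valid block:", cidr_is_valid("10.0.0.0/15"))      # False: larger than /16
    print(".2 usable in a /24:", ip_is_usable("10.0.0.2", "10.0.0.0/24"))  # False: reserved
    print(".4 usable in a /24:", ip_is_usable("10.0.0.4", "10.0.0.0/24"))  # True: per correction
    print(".255 usable in a /24:", ip_is_usable("10.0.0.255", "10.0.0.0/24"))  # False: last IP
    print(".0.255 usable in a /16:", ip_is_usable("10.0.0.255", "10.0.0.0/16"))  # True
```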
