
Network CIDR setting in VPC

0

Hi guys,

When I set a CIDR for a VPC such as 100.0.0.0/16, someone told me that I should use another range for the local network, like 10.x.x.x/16 or 172.x.x.x/16, because the range 100.x.x.x/16 may overlap with other IP addresses on the public internet. Could you help me explain this issue? Is it true? Or if you have any best practices for setting up the CIDR range in a VPC, please let me know.

Thanks, Steven

asked a year ago, 756 views
2 answers
3

I'm not sure what is meant by "local network". Are you adding another range to your VPC? Are you connecting your VPC to somewhere else via VPN or Direct Connect?

You can (pretty much) use any IP range in your VPC that you like although there are some restrictions: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html but for most purposes, creating a VPC with a private IP address range as listed in RFC1918 is fine. That covers the 10.x, 172.16.x and 192.168.x ranges.

You can use the 100.64.x.x range but why do that if you don't have to. There's nothing specifically "wrong" about it - there are the same risks as with any other private (ish) IP range that you might choose a range that someone else is using and you want to communicate with them. Ref: https://en.wikipedia.org/wiki/Reserved_IP_addresses

Otherwise, choose an IP range that is private and doesn't conflict with any other network that you wish to communicate with.

AWS EXPERT, answered a year ago
EXPERT, verified a year ago
  • Hi Brettski, thank you for the answer. However, I would like to know: if I use the range 100.0.0.0/16, for example, and there is another IP on the public internet which has the address 100.0.0.1/32, are there any issues with this situation?

  • The Wikipedia article has some details; that range was designed to be used inside carrier networks for large-scale NAT operations. You won't see it on the open internet but if it were me I'd be sticking to the RFC1918 ranges unless you had a good reason not to.

1

Hi,

The ranges of IP addresses that you can use to avoid overlapping with publicly routable Internet addresses were defined in the RFC1918 standard.

See https://en.wikipedia.org/wiki/Private_network for all details.

To avoid any accessibility issues with public internet sites from your VPC, you should strictly adhere to the RFC1918 ranges.

(Note: for security purposes, I have seen folks using non-1918 ranges in their VPC to make them very private: all requests from the outside could never reach them because all Internet routers would divert the IP packets somewhere else. But, it was for very special use cases.)

Best,

Didier

EXPERT, answered a year ago
EXPERT, verified a year ago
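Both answers above come down to the same two checks: is the proposed block inside a private range (RFC1918, or at a stretch the 100.64.0.0/10 shared address space from RFC 6598), and does it overlap any network the VPC will need to talk to. The script below is an added example written for this thread, not code from the original answers or from AWS. It uses only Python's standard-library ipaddress module; the VPC size limit of /16 to /28 is taken from the VPC user guide linked in the first answer, and the peer networks (an on-prem range, a peered VPC, a corporate LAN) are constructed sample data. It shows that the asker's 100.0.0.0/16 is ordinary public space, that 100.64.0.0/16 is carrier-grade NAT space, and how to pick a non-conflicting /16 from 10.0.0.0/8.

```python
"""Classify a proposed VPC CIDR and check it against known peer networks.

Added example for the re:Post thread above; not AWS code. Standard library only.
"""
import ipaddress

# RFC1918 private ranges and the RFC 6598 shared (carrier-grade NAT) range.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# IPv4 VPC CIDR size limits per the VPC user guide: between /16 and /28.
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28

# Constructed sample data: networks this VPC must be able to reach
# (on-prem over VPN/Direct Connect, a peered VPC, a corporate LAN).
SAMPLE_PEERS = ("10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/16")


def classify(cidr):
    """Return 'rfc1918', 'cgnat' or 'public' for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if net.subnet_of(CGNAT):
        return "cgnat"
    return "public"


def check_vpc_cidr(cidr, peers=()):
    """Return (kind, problems) for a proposed VPC CIDR.

    problems is a list of human-readable reasons not to use the block; an
    empty list means the block is private, AWS-sized and overlaps no peer.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if net.version != 4 or not (AWS_MIN_PREFIX <= net.prefixlen <= AWS_MAX_PREFIX):
        problems.append(f"prefix length must be between /{AWS_MIN_PREFIX} and /{AWS_MAX_PREFIX}")
    kind = classify(cidr)
    if kind == "public":
        # Routes inside the VPC win over the internet gateway, so hosts in the
        # VPC can no longer reach the real owners of these public addresses.
        problems.append("public range: VPC hosts will be unable to reach the real owners of these addresses")
    elif kind == "cgnat":
        problems.append("RFC 6598 shared space: works in AWS but may collide with an ISP/carrier NAT range")
    for peer in peers:
        p = ipaddress.ip_network(peer)
        if net.overlaps(p):
            problems.append(f"overlaps peer network {p}")
    return kind, problems


def next_free_block(base, new_prefix, peers):
    """Return the first subnet of `base` with length `new_prefix` that overlaps no peer, or None."""
    peer_nets = [ipaddress.ip_network(p) for p in peers]
    for candidate in ipaddress.ip_network(base).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(p) for p in peer_nets):
            return candidate
    return None


if __name__ == "__main__":
    for cidr in ("100.0.0.0/16", "100.64.0.0/16", "10.0.0.0/16", "10.2.0.0/16", "10.0.0.0/8"):
        kind, problems = check_vpc_cidr(cidr, SAMPLE_PEERS)
        print(f"{cidr:16} {kind:8} {'; '.join(problems) or 'OK'}")
    print("suggested free /16:", next_free_block("10.0.0.0/8", 16, SAMPLE_PEERS))
```

Run it before you create the VPC, with `SAMPLE_PEERS` replaced by every CIDR you expect to peer with, route to over VPN or Direct Connect, or share via Transit Gateway; overlapping blocks are the one mistake that cannot be fixed without re-addressing one side later.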
