CIDR and Subnets: What /24 Actually Means (and Why Developers Should Care)
If you have ever configured a cloud security group, a Docker network, or a VPN, you have typed a CIDR range. Here is what the slash-numbers actually mean, how to calculate them, and the subnet ranges every developer should know.
You are setting up an AWS security group. The rule says “allow inbound on port 443 from 10.0.0.0/16”. Or you spin up a Docker network and see it defaulting to 172.17.0.0/16. Or you need to lock an API endpoint down to your office’s IP. In every one of these cases, you are dealing with CIDR notation — and if you have been copying these values without fully understanding them, this article will fix that.
IP Addresses Are Just 32-Bit Numbers
An IPv4 address like 192.168.1.5 is not four separate numbers joined by dots. It is a single 32-bit integer. The dotted-decimal format is just a human-readable way to look at it. Each “octet” (the four numbers between the dots) represents 8 bits, and together they make 32 bits total.
192 .168 .1 .5
11000000 .10101000 .00000001 .00000101
Each octet runs from 0 (00000000) to 255 (11111111). That gives you 2^32 = 4,294,967,296 possible addresses in total. That sounds like a lot until you realise we are running out of them, which is why IPv6 exists — but more on that later.
What a Subnet Mask Actually Does
Every IP address on a network has two logical parts: the network portion and the host portion. The subnet mask tells you where the dividing line is.
A traditional subnet mask looks like 255.255.255.0. In binary, that is:
255 .255 .255 .0
11111111 .11111111 .11111111 .00000000
The ones (1s) mark the network bits. The zeros (0s) mark the host bits. So with this mask, the first 24 bits identify the network, and the last 8 bits identify individual hosts within that network. A device at 192.168.1.5 with this mask is on the 192.168.1.0 network, host number 5.
CIDR notation is just a shorthand for this. Instead of writing 192.168.1.0 255.255.255.0, you write 192.168.1.0/24. The /24 tells you that the first 24 bits are the network part.
The /N Suffix: What the Number Means
CIDR stands for Classless Inter-Domain Routing. The /N suffix simply means “the first N bits are reserved for the network.” The remaining 32 – N bits are available for host addresses.
Here is how the math works out for the most common values:
Notation | Network bits | Host bits | Total addresses | Usable hosts
----------|--------------|-----------|-----------------|-------------
/32 | 32 | 0 | 1 | 1 (single IP)
/30 | 30 | 2 | 4 | 2
/29 | 29 | 3 | 8 | 6
/28 | 28 | 4 | 16 | 14
/27 | 27 | 5 | 32 | 30
/26 | 26 | 6 | 64 | 62
/25 | 25 | 7 | 128 | 126
/24 | 24 | 8 | 256 | 254
/23 | 23 | 9 | 512 | 510
/22 | 22 | 10 | 1,024 | 1,022
/20 | 20 | 12 | 4,096 | 4,094
/16 | 16 | 16 | 65,536 | 65,534
/8 | 8 | 24 | 16,777,216 | 16,777,214
/0 | 0 | 32 | all addresses | all addresses
To quickly calculate the number of addresses in any block: 2^(32-N). For /24 that is 2^8 = 256. For /16 it is 2^16 = 65,536.
Need to do this fast? Use the IPv4 Subnet Calculator: paste in any CIDR block and get the full breakdown instantly.
Why /24 Gives You 254 Usable Hosts, Not 256
Every subnet reserves two addresses that you cannot assign to hosts:
- Network address: the first address in the range (all host bits set to 0). For 192.168.1.0/24, this is 192.168.1.0. It identifies the network itself.
- Broadcast address: the last address in the range (all host bits set to 1). For 192.168.1.0/24, this is 192.168.1.255. Packets sent here go to every device on the subnet.
That leaves 192.168.1.1 through 192.168.1.254 as assignable addresses, 254 hosts. The same "minus two" rule applies to any subnet of /30 or larger: a /30 has 4 addresses, 2 usable; a /16 has 65,536 total, 65,534 usable. There are two exceptions. A /31 is a point-to-point link with no broadcast address (RFC 3021), so both of its addresses are usable, and a /32 is a single host. Cloud providers also hold back extra addresses: AWS reserves the first four and the last address of every subnet, so a /24 there yields 251 usable addresses, not 254.
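The prefix-length arithmetic from the last two sections, carried out with raw bit operations and then cross-checked against Python's standard ipaddress module. This is an added example, not code from the article; the CIDR strings it runs on are constructed. It also handles the two cases the "minus two" rule does not cover, /31 and /32.

```python
"""Prefix-length arithmetic for IPv4 CIDR blocks, done with raw bit
operations and cross-checked against the standard library.

Added example for this article, not code from the original page.
Inputs such as "192.168.1.5/24" are constructed test values.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 32 set bits


def ip_to_int(dotted: str) -> int:
    """Pack a dotted-decimal IPv4 string into one 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """Build the subnet mask: the top `prefix` bits set, the rest clear.
    /24 -> 0xFFFFFF00, /0 -> 0, /32 -> 0xFFFFFFFF."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def describe(cidr: str) -> dict:
    """Network, broadcast, total and usable host counts for an IPv4 CIDR.

    Usable follows the conventional "minus two" rule, except for the two
    cases it does not cover: /32 is a single host route (1 usable) and
    /31 is a point-to-point link with no broadcast (2 usable, RFC 3021).
    """
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    addr = ip_to_int(addr_str)
    mask = mask_from_prefix(prefix)
    host_mask = ~mask & ALL_ONES              # the host bits, as a mask

    network = addr & mask                     # host bits cleared
    broadcast = network | host_mask           # host bits set
    total = 1 << (32 - prefix)                # 2 ** (32 - N)

    if prefix == 32:
        usable = 1
    elif prefix == 31:
        usable = 2
    else:
        usable = total - 2

    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1 if prefix < 31 else network),
        "last_host": int_to_ip(broadcast - 1 if prefix < 31 else broadcast),
        "total": total,
        "usable": usable,
        "host_number": addr & host_mask,      # this address's index within the block
    }


def cross_check(cidr: str) -> bool:
    """Confirm the hand-rolled math agrees with ipaddress for this block."""
    mine = describe(cidr)
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False tolerates host bits set
    return (
        mine["network"] == str(net.network_address)
        and mine["mask"] == str(net.netmask)
        and mine["broadcast"] == str(net.broadcast_address)
        and mine["total"] == net.num_addresses
    )


if __name__ == "__main__":
    for block in ("192.168.1.5/24", "10.0.0.0/16", "203.0.113.42/32", "10.1.2.3/31", "0.0.0.0/0"):
        info = describe(block)
        print(f"{block:>16}  net={info['network']:<15} mask={info['mask']:<15} "
              f"bcast={info['broadcast']:<15} total={info['total']:<10} usable={info['usable']}")
        assert cross_check(block)
```

Running it prints one line per block; the `cross_check` assertion at the end is the point of the exercise, since it proves the shift-and-mask arithmetic reproduces what the library computes, including the /31 and /32 edge cases.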
Common CIDR Blocks You Will Actually Use
/32 — A Single IP Address
When the prefix length equals 32, all 32 bits are the network. There are zero host bits, so the block contains exactly one address. You use /32 any time you want to reference a specific machine.
# AWS security group: allow inbound SSH only from your specific IP
aws ec2 authorize-security-group-ingress \
--group-id sg-0abc123 \
--protocol tcp \
--port 22 \
--cidr 203.0.113.42/32
/24 — A Small Subnet (256 Addresses)
The /24 block is the default subnet size for most LANs and cloud subnets. It gives you 254 usable host addresses on a plain LAN (251 in an AWS subnet, where five addresses are reserved), which is enough for a small office floor, an application tier, or a VPC subnet in a single availability zone. When you create a subnet in AWS, the default suggestion is often a /24 within your /16 VPC.
# Terraform: create a /24 subnet inside a /16 VPC
resource "aws_subnet" "app_tier" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
availability_zone = "us-east-1a"
}
/16 — A VPC or Large Network (65,536 Addresses)
A /16 block gives you 65,534 usable addresses. This is the standard size for a VPC — large enough that you can carve it into dozens of /24 subnets across multiple availability zones and still have room left over.
# Typical VPC CIDR in AWS/GCP/Azure
10.0.0.0/16 # 10.0.0.0 – 10.0.255.255 (65,534 usable)
# Carved into /24 subnets per AZ:
10.0.1.0/24 # AZ-a, public
10.0.2.0/24 # AZ-b, public
10.0.11.0/24 # AZ-a, private (app tier)
10.0.12.0/24 # AZ-b, private (app tier)
10.0.21.0/24 # AZ-a, private (data tier)
10.0.22.0/24 # AZ-b, private (data tier)
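The carving scheme above, turned into a small planner that allocates the per-tier, per-AZ /24s from a /16 and then verifies the plan: every subnet must lie inside the VPC and no two may overlap, which is the check you want before a typo like 10.0.11.128/25 lands in a Terraform file next to 10.0.11.0/24. This is an added example, not code from the article or from any cloud provider; the VPC range, tier names and AZ list are constructed to mirror the layout above, and the reserved count of 5 per subnet is AWS's documented behaviour (network address, VPC router, DNS, future use, broadcast).

```python
"""Carve a VPC CIDR into per-tier, per-AZ subnets and verify the plan.

Added example for this article, not the article's own code and not any
provider's tooling. VPC, tiers and AZs below are constructed values.
"""
import ipaddress
from typing import Dict, List, Optional

VPC = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b"]
# Third-octet base per tier, matching the 10.0.1/2, 10.0.11/12, 10.0.21/22 scheme.
TIER_BASE = {"public": 0, "app": 10, "data": 20}
AWS_RESERVED_PER_SUBNET = 5  # first four and last address of every AWS subnet


def plan_subnets(vpc_cidr: str, tiers: Dict[str, int], azs: List[str],
                 new_prefix: int = 24) -> Dict[str, ipaddress.IPv4Network]:
    """Return {"<tier>-<az>": network}, using tier base + AZ index as the /24 index."""
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=new_prefix))  # all /24s in the VPC, in order
    plan = {}
    for tier, base in tiers.items():
        for i, az in enumerate(azs, start=1):
            index = base + i
            if index >= len(candidates):
                raise ValueError(f"{tier}/{az} needs /{new_prefix} #{index}, "
                                 f"but {vpc} only has {len(candidates)}")
            plan[f"{tier}-{az}"] = candidates[index]
    return plan


def validate(plan: Dict[str, object], vpc_cidr: str) -> List[str]:
    """List every subnet that is outside the VPC or overlaps another subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(n) for name, n in plan.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside {vpc}")
    items = list(nets.items())
    for i, (a_name, a) in enumerate(items):
        for b_name, b in items[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


def usable_hosts(net, reserved: int = AWS_RESERVED_PER_SUBNET) -> int:
    """Hosts you can actually place in a cloud subnet (AWS reserves five)."""
    return ipaddress.ip_network(net).num_addresses - reserved


def find_subnet(plan: Dict[str, object], ip: str) -> Optional[str]:
    """Which planned subnet does this address belong to? None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, net in plan.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None


if __name__ == "__main__":
    plan = plan_subnets(VPC, TIER_BASE, AZS)
    for name, net in plan.items():
        print(f"{name:<18} {net!s:<16} usable={usable_hosts(net)}")
    print("problems:", validate(plan, VPC) or "none")
    # A deliberately bad plan: an overlapping /25 and a subnet from another VPC.
    bad = dict(plan, rogue="10.0.11.128/25", elsewhere="10.1.0.0/24")
    for problem in validate(bad, VPC):
        print("problem:", problem)
```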
/8 — A Massive Private Block
The 10.0.0.0/8 private range spans 10.0.0.0 through 10.255.255.255 — over 16 million addresses. Large enterprises use /8 as their overall private address space, then subnet it down. In most development contexts, you will pick a /16 or smaller from within this range.
/0 — All Addresses (Be Careful)
0.0.0.0/0 matches every possible IP address. Zero bits are reserved for the network, so all 32 bits are host bits — every address matches. In a firewall or security group rule, this means “allow from anywhere.” It is a valid use case for public-facing HTTP/HTTPS rules, but putting it on SSH or database ports is asking for trouble.
# Fine: allow public web traffic
CIDR: 0.0.0.0/0, Port: 443
# Not fine: allow SSH from anywhere
CIDR: 0.0.0.0/0, Port: 22 # do not do this
RFC 1918: Private IP Ranges
RFC 1918 defines three address ranges reserved for private networks. Routers on the public internet do not forward these addresses; they are meant to exist only within private networks (your LAN, your VPC, your Docker network). The "Total addresses" column is the size of each aggregate block; you subdivide these into smaller subnets, so the per-subnet "minus two" rule applies to those subnets, not to the block as a whole.
Range | CIDR | Total addresses
-------------------|--------------|------------------
10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16,777,216
172.16.0.0 – 172.31.255.255 | 172.16.0.0/12| 1,048,576
192.168.0.0 – 192.168.255.255| 192.168.0.0/16| 65,536
When you see 192.168.x.x in your home router, 10.x.x.x in an AWS VPC, or 172.17.x.x in Docker — those are all RFC 1918 addresses. They are non-routable on the public internet by design.
If you need to figure out what range a CIDR block covers, the IPv4 Range Expander will show you the full start and end address for any block.
Real-World Examples
AWS Security Group Rules
Security groups in AWS use CIDR blocks to define allowed traffic sources. The patterns below cover most scenarios you will actually encounter:
# Allow all traffic from within your VPC (10.0.0.0/16)
Type: All traffic, Source: 10.0.0.0/16
# Allow your database port only from the app subnet
Type: PostgreSQL (5432), Source: 10.0.11.0/24
# Allow HTTPS from the entire internet
Type: HTTPS (443), Source: 0.0.0.0/0
# Allow SSH only from your office public IP
Type: SSH (22), Source: 203.0.113.5/32
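The /0 warning and the security group patterns above, turned into an audit you can run over a rule list: it flags 0.0.0.0/0 (or ::/0) on anything but web ports, broad public source ranges, private sources that do not belong to this VPC, and malformed CIDRs with host bits set. This is an added example, not AWS code and not the AWS CLI; the rule list is a constructed in-memory sample, and the `Rule` shape (from/to port, source CIDR) is a simplification of what `describe-security-groups` returns.

```python
"""Audit security-group style rules for the CIDR mistakes this section warns about.

Added example for this article; not AWS code. Rules are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_OK_PORTS = {80, 443}                               # acceptable behind 0.0.0.0/0
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}     # admin and data-store ports


@dataclass(frozen=True)
class Rule:
    group: str
    from_port: int      # -1 means "all ports" (AWS convention for protocol -1)
    to_port: int
    source: str         # source CIDR block


def ports_of(rule: Rule) -> Union[str, Set[int]]:
    return "all" if rule.from_port == -1 else set(range(rule.from_port, rule.to_port + 1))


def is_rfc1918(cidr) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def audit(rules: List[Rule], vpc_cidr: str) -> List[Tuple[str, str, str]]:
    """Return (group, severity, message) findings, in rule order."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for r in rules:
        try:
            # strict=True rejects host bits set (10.0.1.5/24), which is almost always a typo
            src = ipaddress.ip_network(r.source, strict=True)
        except ValueError as exc:
            findings.append((r.group, "ERROR", f"malformed CIDR {r.source}: {exc}"))
            continue
        ports = ports_of(r)
        if src.prefixlen == 0:                              # 0.0.0.0/0 or ::/0
            if ports == "all":
                findings.append((r.group, "HIGH", f"every port open to {src}"))
            elif ports & SENSITIVE_PORTS:
                findings.append((r.group, "HIGH",
                                 f"sensitive ports {sorted(ports & SENSITIVE_PORTS)} open to {src}"))
            elif ports - PUBLIC_OK_PORTS:
                findings.append((r.group, "MEDIUM",
                                 f"non-web ports {sorted(ports - PUBLIC_OK_PORTS)[:5]} open to {src}"))
        elif is_rfc1918(src):
            if not (src.subnet_of(vpc) or src.supernet_of(vpc)):
                findings.append((r.group, "LOW",
                                 f"private source {src} is not inside {vpc}: peered network, or a typo?"))
        elif src.version == 4 and src.prefixlen < 24:
            findings.append((r.group, "MEDIUM",
                             f"broad public source {src} ({src.num_addresses} addresses)"))
    return findings


# Constructed sample: a mix of the good and bad patterns from this section.
SAMPLE_RULES = [
    Rule("sg-web", 443, 443, "0.0.0.0/0"),               # fine: public HTTPS
    Rule("sg-web", 80, 80, "0.0.0.0/0"),                 # fine: public HTTP
    Rule("sg-bastion", 22, 22, "203.0.113.5/32"),        # fine: office /32
    Rule("sg-bastion", 22, 22, "0.0.0.0/0"),             # HIGH: SSH from anywhere
    Rule("sg-db", 5432, 5432, "10.0.11.0/24"),           # fine: app subnet in this VPC
    Rule("sg-db", 5432, 5432, "192.168.1.0/24"),         # LOW: private, but not this VPC
    Rule("sg-legacy", -1, -1, "0.0.0.0/0"),              # HIGH: everything open
    Rule("sg-partner", 8443, 8443, "198.51.100.0/22"),   # MEDIUM: 1,024 public addresses
    Rule("sg-typo", 443, 443, "10.0.1.5/24"),            # ERROR: host bits set
    Rule("sg-v6", 22, 22, "::/0"),                       # HIGH: the IPv6 "anywhere"
]

if __name__ == "__main__":
    for group, severity, message in audit(SAMPLE_RULES, "10.0.0.0/16"):
        print(f"[{severity:<6}] {group}: {message}")
```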
Docker Networking
Docker's default bridge network uses 172.17.0.0/16. When you create a custom network, Docker picks the next free /16 from the 172.16.0.0/12 RFC 1918 range, then /20 blocks from 192.168.0.0/16 once those run out, unless you specify one. Pick a subnet explicitly when the host also has a VPN or VPC route in those ranges: a Docker bridge that collides with 172.16.x.x corporate addresses is a common source of "the container can't reach the internal service" bugs.
# Create a Docker network with a specific CIDR
docker network create \
--driver bridge \
--subnet 10.10.0.0/24 \
--gateway 10.10.0.1 \
my-app-network
# docker-compose.yml
networks:
  backend:
    ipam:
      config:
        - subnet: 10.10.0.0/24
Restricting an API to Your Office
If your office has a static public IP, you can allowlist it as a /32 in your firewall or load balancer rules. If the office uses a block of IPs (a /28 or /29 from your ISP), you can specify that block directly instead of listing individual addresses. One caveat: an IP allowlist only works if the server sees the real client address. When nginx sits behind a load balancer or CDN, $remote_addr is the proxy's address, and X-Forwarded-For is client-supplied unless you tell nginx which proxies to trust (set_real_ip_from, real_ip_header and real_ip_recursive from the realip module). Treat the allowlist as one layer in front of authentication, not a replacement for it, and remember the /32 breaks the day the ISP reassigns the office address.
# nginx: restrict /admin to office IP range only
location /admin {
allow 203.0.113.0/28; # office block: 203.0.113.0–203.0.113.15
deny all;
proxy_pass http://backend;
}
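The caveat from this section in code: when the app sits behind a load balancer, deciding "is this request from the office block" requires recovering the real client address first, and the naive approach (trust the first X-Forwarded-For entry) is trivially spoofed. This is an added example, not nginx code and not part of the article; the office block, the trusted-proxy range and the sample requests are constructed.

```python
"""Office-block allowlisting behind a reverse proxy: recover the real client
address from X-Forwarded-For without trusting attacker-controlled entries.

Added example for this article. OFFICE, TRUSTED_PROXIES and the sample
requests are constructed values.
"""
import ipaddress
from typing import Iterable, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

OFFICE = [ipaddress.ip_network("203.0.113.0/28")]          # allowlisted source block(s)
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]    # our own load balancers (the VPC range)


def _in_any(addr: Address, nets: Iterable) -> bool:
    return any(addr in net for net in nets)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted: Iterable = TRUSTED_PROXIES) -> Address:
    """Recover the real client address.

    Each proxy appends to X-Forwarded-For, so the rightmost entries are the
    ones our proxies added and anything left of the first untrusted hop is
    attacker-controlled. Walk right to left, peel off trusted proxies, and
    stop at the first address that is not one of ours. If the TCP peer is
    not a trusted proxy at all, the header is ignored entirely.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted) or not x_forwarded_for:
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer            # garbage in the header: fall back to the peer, never trust it
        if not _in_any(addr, trusted):
            return addr
    return peer                    # every hop was one of our proxies; treat as internal


def naive_client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> Address:
    """The common mistake: trust the leftmost X-Forwarded-For entry."""
    if x_forwarded_for:
        return ipaddress.ip_address(x_forwarded_for.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def is_allowed(addr: Address, allow: Iterable = OFFICE) -> bool:
    return _in_any(addr, allow)


def check_request(remote_addr: str, x_forwarded_for: Optional[str],
                  trusted: Iterable = TRUSTED_PROXIES, allow: Iterable = OFFICE) -> bool:
    """True if the request's real client address is inside the office block."""
    return is_allowed(client_ip(remote_addr, x_forwarded_for, trusted), allow)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    requests = [
        ("10.0.5.9", "203.0.113.7, 10.0.5.9"),            # office user via our LB: allow
        ("10.0.5.9", "203.0.113.7, 198.51.100.77"),       # attacker forged the first hop: deny
        ("198.51.100.77", "203.0.113.7"),                 # attacker hit the app directly: deny
        ("203.0.113.3", None),                            # office user, no proxy: allow
    ]
    for peer, xff in requests:
        print(f"peer={peer:<15} xff={xff!s:<30} "
              f"naive={is_allowed(naive_client_ip(peer, xff))} correct={check_request(peer, xff)}")
```

The second request is the one that matters: the attacker sends `X-Forwarded-For: 203.0.113.7`, the load balancer appends their real address, and the naive version allows the request while the right-to-left walk denies it.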
Need to convert between network mask and CIDR? The Netmask Calculator handles the conversion both ways.
A Note on IPv6 CIDR
IPv6 uses the same CIDR notation, but with 128-bit addresses instead of 32-bit. The /N suffix still means “the first N bits are the network.” A few key IPv6 prefix sizes:
- /128 — a single IPv6 address (equivalent to /32 in IPv4)
- /64 — the standard size for a LAN subnet. The first 64 bits identify the network, the last 64 bits are for hosts. That is 2^64 host addresses per subnet, exactly the entire IPv4 address space squared (2^32 × 2^32).
- /48 — typically assigned to a single site or organization
- /32 — a block typically allocated to an ISP
2001:db8::/32 is the documentation prefix reserved for examples (RFC 3849). If you enable IPv6 on an AWS VPC, AWS assigns the VPC a /56 and you carve /64 subnets from it. The math is the same; only the scale changes.
For IPv6 subnet calculations, the IPv6 Subnet Calculator handles the 128-bit math for you.
Quick Reference
Here is the mental model to carry forward:
- The /N number tells you how many bits are locked to the network. Everything else is the host space.
- Addresses in a block = 2^(32-N). Usable hosts = that number minus 2 for /30 and larger; /31 has 2 usable and /32 has 1, and cloud providers reserve more (AWS takes 5 per subnet).
- /32 = one IP, /24 = 256 addresses, /16 = 65,536 addresses, /0 = everything.
- 10.x.x.x, 172.16-31.x.x, and 192.168.x.x are private — they never route on the public internet.
- Docker defaults to 172.17.0.0/16. AWS VPCs are typically a /16 carved into /24 subnets per tier and AZ.
- Use /32 to reference a single machine in firewall rules. Use /0 only when you actually mean “anyone in the world.”