Every AWS VPC subnet has 5 IP addresses you can't use. The textbook usable count (total − 2) is wrong on AWS — you need to subtract 5. This breaks capacity plans more often than any other AWS networking detail.
The 5 reserved IPs
For a subnet 10.0.0.0/24, AWS reserves:
- 10.0.0.0 — Network address
- 10.0.0.1 — VPC router
- 10.0.0.2 — DNS resolver (the VPC's +2 address)
- 10.0.0.3 — Reserved for future use
- 10.0.0.255 — Broadcast (not used in AWS but still reserved)
What this means for sizing
A /28 has 16 total addresses. Subtract 5 reserved → 11 usable. A /27 has 32 total → 27 usable. A /24 has 256 total → 251 usable.
AWS minimum subnet: /28
AWS doesn't allow /29 or smaller VPC subnets. A /29 would have only 3 usable IPs after the 5 reserved (8 − 5 = 3), and a /30 would have a negative usable count (4 − 5 = −1). The minimum is /28.
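To make the sizing rules concrete, here is an added Python example (not code from the article) that enumerates the five reserved addresses of any subnet and returns the AWS usable count next to the textbook total − 2 figure. It also rejects prefixes outside the /16 to /28 range AWS allows; the /16 upper bound is an AWS limit the article does not mention. The function names (aws_usable, aws_reserved_addresses, textbook_usable) are mine.

```python
"""Reserved-address and usable-count math for AWS VPC subnets.

Added example, not code from the original article. Uses only the
Python standard library `ipaddress` module.
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # network, router, DNS, future use, broadcast
AWS_MIN_PREFIX = 16           # largest subnet AWS allows (/16)
AWS_MAX_PREFIX = 28           # smallest subnet AWS allows (/28)


def _subnet(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR and enforce the AWS /16 .. /28 subnet size limits."""
    net = ipaddress.ip_network(cidr)  # strict: rejects CIDRs with host bits set
    if net.version != 4:
        raise ValueError("this example covers IPv4 subnets only")
    if not AWS_MIN_PREFIX <= net.prefixlen <= AWS_MAX_PREFIX:
        raise ValueError(f"AWS VPC subnets must be /16 to /28, got /{net.prefixlen}")
    return net


def aws_reserved_addresses(cidr: str) -> dict:
    """Return the five addresses AWS reserves in a subnet, keyed by role."""
    net = _subnet(cidr)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns_resolver": str(net[2]),   # the VPC's "+2" address
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),     # not used by AWS but still reserved
    }


def aws_usable(cidr: str) -> int:
    """Usable host addresses on AWS: total minus the 5 reservations."""
    return _subnet(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def textbook_usable(cidr: str) -> int:
    """The classic total - 2 (network + broadcast), for comparison only."""
    return ipaddress.ip_network(cidr).num_addresses - 2


if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.1.0/27", "10.0.2.16/28"):
        print(f"{cidr}: textbook {textbook_usable(cidr)}, aws {aws_usable(cidr)}")
    print(aws_reserved_addresses("10.0.0.0/24"))
```

Run it with any subnet you are about to create; the /29 case raises a ValueError rather than reporting a misleading usable count of 3.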
The hidden capacity drains
The 5 reserved IPs aren't the only thing eating your subnet. Many AWS resources consume ENIs (Elastic Network Interfaces), each taking an IP from your subnet:
- NAT Gateway: 1 IP per AZ
- Application Load Balancer: at least 8 IPs per AZ for autoscaling
- Network Load Balancer: similar to ALB
- VPC Interface Endpoints (PrivateLink): 1 IP per AZ per endpoint
- RDS Multi-AZ instance: 2 IPs (primary + standby)
- EFS mount targets: 1 IP per AZ
- Lambda in VPC: ENIs as needed for concurrency
An "empty" /28 subnet with a NAT gateway and an interface endpoint already has 7 of its 16 addresses accounted for (5 reserved plus 2 ENIs), leaving 9 of the 11 usable before you place a single workload.
The EKS pod problem
If you're running EKS with the AWS VPC CNI, every pod gets a real VPC IP. A node with 30 pods consumes 30 IPs from your subnet, so a /24 holds about 8 nodes' worth. This is why EKS clusters of any size need large subnets — or you need to enable prefix delegation, which assigns /28 blocks per node and is far more efficient.
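The capacity-drain list and the EKS pod math above are the same calculation: start from the AWS usable count, subtract each ENI consumer, and divide what is left by the per-node cost. The following Python, an added example rather than the article's own code, does that for one AZ. The consumer dictionary is a constructed sample built from the article's per-AZ figures, and the assumption that each node also needs one primary IP for itself (so a 30-pod node costs 31 IPs) is mine; set node_primary_ip=0 to reproduce the article's 30-per-node figure.

```python
"""IP budget for one AWS subnet: reserved addresses, ENI consumers, EKS pods.

Added example, not code from the original article. The consumer list is a
constructed sample; the per-node IP model is an assumption noted below.
"""

AWS_RESERVED_PER_SUBNET = 5

# Constructed sample: fixed ENI consumers for one AZ, using the article's
# per-AZ figures (NAT gateway 1, ALB at least 8, interface endpoint 1 each,
# EFS mount target 1). Replace with your own inventory.
EXAMPLE_CONSUMERS = {
    "nat_gateway": 1,
    "alb": 8,
    "interface_endpoint_ssm": 1,
    "interface_endpoint_ecr": 1,
    "efs_mount_target": 1,
}


def usable(prefixlen: int) -> int:
    """AWS usable addresses for a /prefixlen subnet (total minus 5)."""
    if not 16 <= prefixlen <= 28:
        raise ValueError(f"AWS VPC subnets must be /16 to /28, got /{prefixlen}")
    return 2 ** (32 - prefixlen) - AWS_RESERVED_PER_SUBNET


def ip_budget(prefixlen: int, consumers: dict) -> tuple:
    """Subtract each fixed consumer from the usable count.

    Returns (remaining, ledger) where ledger is a list of
    (name, ips_taken, remaining_after) rows. Raises if the subnet is
    overcommitted, since that is the failure you want to catch at plan time.
    """
    remaining = usable(prefixlen)
    ledger = []
    for name, ips in consumers.items():
        remaining -= ips
        ledger.append((name, ips, remaining))
    if remaining < 0:
        raise ValueError(f"/{prefixlen} is overcommitted by {-remaining} IPs")
    return remaining, ledger


def eks_nodes_that_fit(remaining: int, pods_per_node: int, node_primary_ip: int = 1) -> int:
    """Whole nodes that fit when every pod gets a real VPC IP (AWS VPC CNI).

    Assumption (mine, not the article's): each node also consumes one
    primary IP of its own, so a node costs pods_per_node + node_primary_ip.
    """
    return remaining // (pods_per_node + node_primary_ip)


if __name__ == "__main__":
    for prefixlen in (28, 27, 24):
        try:
            remaining, ledger = ip_budget(prefixlen, EXAMPLE_CONSUMERS)
        except ValueError as exc:
            print(f"/{prefixlen}: {exc}")
            continue
        for name, ips, left in ledger:
            print(f"/{prefixlen}: -{ips:>2} {name:<24} -> {left} left")
        print(f"/{prefixlen}: fits {eks_nodes_that_fit(remaining, 30)} EKS nodes of 30 pods")
```

The /28 row in the sample reproduces the article's point from the other direction: a NAT gateway and a single endpoint leave 9 of 11 usable, and adding the ALB's 8 on top overcommits the subnet before any application ENI exists.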
Recommended subnet sizes
- Small DMZ or jump host network: /28
- Public subnet for load balancers: /27 (so the ALB has room)
- Private subnet for app servers: /24
- Database subnet (Multi-AZ): /27 per AZ
- EKS worker subnet: /22 (with prefix delegation, /23 minimum)
Plan with the math, not the textbook
The cloud-aware calculator defaults to AWS reserved-IP math. Drop in your prefix and see the real usable count without doing the subtraction in your head. For multi-tier VPCs, the VLSM planner handles the boundary alignment automatically.