Navigating CIDR Conflicts in AWS: A Guide to Clean Subnet Design

You have been here before: you are spinning up a new subnet in your VPC, feed in what looks like a perfectly valid CIDR block, and AWS slaps you with that familiar error:
Error: The CIDR conflicts with another subnet
You double-check. No existing subnet has that exact range. So what is the issue?
The issue is overlap, and in AWS networking, overlap is non-negotiable. Let's unpack why this happens and how to design subnets that stay out of each other's way.
Why "Non-Duplicate" CIDRs Still Collide
AWS enforces a simple but strict rule: every subnet must reside entirely within the VPC's CIDR block and must not overlap—even partially—with any other subnet in that VPC.
Take the default VPC, typically 172.31.0.0/16. AWS pre-creates three /20 subnets across availability zones:
172.31.0.0/20 → covers 172.31.0.0 – 172.31.15.255
172.31.16.0/20 → covers 172.31.16.0 – 172.31.31.255
172.31.32.0/20 → covers 172.31.32.0 – 172.31.47.255
Now, try to create 172.31.10.0/20. It's not an exact match for any existing block, but a /20 spans 4,096 addresses, and masking 172.31.10.0 to 20 bits lands on 172.31.0.0. Your new range would therefore cover 172.31.0.0 to 172.31.15.255, squarely overlapping the first subnet. AWS rejects it immediately.
Overlapping subnets break routing determinism. The VPC router needs unambiguous paths, and overlap introduces ambiguity. AWS won't let you paint yourself into that corner.
Right-Size Your Subnets—Before You Need To
It's tempting to grab a /20 "just in case" you scale. Don't!
Large blocks consume address space aggressively and constrain future flexibility. Remember: you can't shrink a subnet after creation.
For most workloads, smaller is smarter:
/24 (256 IPs): comfortable for general-purpose application tiers
/25 or /26 (128–64 IPs): ideal for tightly scoped services, private backends, or ephemeral workloads
Reserve /20 or larger only for proven, high-density needs (e.g., container clusters with aggressive pod density)
The default VPC's pre-baked /20s eat up the lower ranges fast. If you are extending it, look higher—172.31.96.0/24 or 172.31.112.0/24 are often free and safely aligned.
Align on Boundaries—Or Pay the Price
CIDR blocks must start on bit-boundary-aligned addresses. A /20 spans 16 contiguous /24s, so the valid third-octet starting values are 0, 16, 32, 48, and so on. Try 172.31.10.0/20, and AWS rejects it, not for overlap, but for misalignment.
Similarly, /24s must start with a fourth octet of 0, /25s at multiples of 128, etc. When in doubt, use a CIDR calculator or this quick sanity check:
# List existing subnets to spot free, aligned ranges
aws ec2 describe-subnets \
--filters "Name=vpc-id,Values=vpc-xxxxxx" \
--query 'Subnets[*].{CIDR:CidrBlock,AZ:AvailabilityZone,Type:MapPublicIpOnLaunch}' \
--output table
Visualizing what's already claimed is the single most effective way to avoid conflicts.
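The same three checks AWS applies (alignment, containment in the VPC, and overlap with existing subnets) can be run locally before touching the console. The following script is an added example, not code from the article or from AWS; it uses Python's standard ipaddress module, the default-VPC layout above as a constructed sample, and function names (check_candidate, free_blocks, symmetric_plan, usable_hosts) that are my own. It goes one step beyond the text by enumerating every free aligned block of a given size and by reserving one per availability zone, which is the "symmetry across AZs" habit described later.

```python
from ipaddress import ip_network

# Constructed sample: the default-VPC layout described in the article.
VPC_CIDR = "172.31.0.0/16"
EXISTING_SUBNETS = ["172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/20"]

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def check_candidate(candidate, vpc_cidr=VPC_CIDR, existing=EXISTING_SUBNETS):
    """Return (ok, reason) for a proposed subnet CIDR.

    Mirrors the three reasons AWS rejects a subnet: the prefix is not
    aligned on its own boundary, it lies outside the VPC block, or it
    overlaps (even partially) an existing subnet.
    """
    vpc = ip_network(vpc_cidr)
    # strict=True raises ValueError when host bits are set (e.g. 172.31.10.0/20).
    try:
        net = ip_network(candidate, strict=True)
    except ValueError:
        aligned = ip_network(candidate, strict=False)
        return False, (f"misaligned: a /{aligned.prefixlen} here must start at "
                       f"{aligned.network_address}")
    if not net.subnet_of(vpc):
        return False, f"outside VPC {vpc}"
    for cidr in existing:
        taken = ip_network(cidr)
        if net.overlaps(taken):
            return False, f"overlaps existing subnet {taken}"
    return True, "ok"


def free_blocks(prefixlen, vpc_cidr=VPC_CIDR, existing=EXISTING_SUBNETS):
    """All aligned /prefixlen blocks inside the VPC that touch no existing subnet."""
    vpc = ip_network(vpc_cidr)
    taken = [ip_network(cidr) for cidr in existing]
    return [str(block) for block in vpc.subnets(new_prefix=prefixlen)
            if not any(block.overlaps(t) for t in taken)]


def symmetric_plan(prefixlen, azs, vpc_cidr=VPC_CIDR, existing=EXISTING_SUBNETS):
    """Reserve one free /prefixlen block per AZ so the layout stays symmetric."""
    free = free_blocks(prefixlen, vpc_cidr, existing)
    if len(free) < len(azs):
        raise ValueError(f"only {len(free)} free /{prefixlen} blocks for {len(azs)} AZs")
    return dict(zip(azs, free))


def usable_hosts(cidr):
    """Addresses actually assignable in an AWS subnet of this size."""
    return ip_network(cidr, strict=False).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    for cand in ["172.31.10.0/20", "172.31.16.0/24", "10.0.0.0/24", "172.31.96.0/24"]:
        print(cand, "->", check_candidate(cand))
    print("free /20s:", free_blocks(20))
    print("plan:", symmetric_plan(24, ["us-east-1a", "us-east-1b", "us-east-1c"]))
    print("usable hosts in a /24:", usable_hosts("172.31.96.0/24"))
```

Feed the CidrBlock column from the describe-subnets table above into EXISTING_SUBNETS and the candidate you intend to create into check_candidate; a "misaligned" result tells you the boundary the block must start on, and an "overlaps" result names the subnet it collides with.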
Design Patterns That Prevent Pain
A few habits separate smooth subnetting from firefighting:
Audit before you create. Five seconds with describe-subnets beats ten minutes debugging a failed CloudFormation stack.
Plan for symmetry across AZs. If you deploy a /24 in us-east-1a, reserve matching blocks in 1b and 1c, even if you don't use them immediately. This prevents fragmentation later.
Tag deliberately. A SubnetPurpose=app-tier tag won't prevent conflicts, but it makes cleanup and auditing tractable when your VPC grows to 30+ subnets.
Avoid the default VPC for production. Its preconfigured layout is convenient for testing but constrains thoughtful design. For anything beyond experimentation, carve out a custom VPC with a clean /16 and your own layout.
Conclusion
CIDR conflicts aren't AWS being difficult; they are guardrails protecting routing integrity. Once you internalize that AWS rejects overlap, not just duplication, subnet planning becomes predictable.
Think of your VPC's address space as finite real estate. Parcel it deliberately. Start small. Align cleanly. And always check what's already occupied before breaking ground.
Do that, and you'll stop fighting subnet errors and start designing networks that scale cleanly under pressure.