Why Does AWS Steal 5 IPs From Your Subnet?

Meet Arjun again — the dev-turned-cloud architect behind the fast-growing ride-hailing app RideGo.
He’s deploying his app on AWS. He creates a subnet with the CIDR block 10.0.0.0/24.
Now, as an AWS Solutions Architect, Arjun knows a /24 means:
2^(32-24) = 256 total IPs
Perfect. He’s expecting 256 usable IPs for EC2 instances, databases, ALBs, and more.
But when he checks the AWS Console…
“Wait... only 251 IPs available?”
“Where did the other 5 IPs go?!”
🧾 Here's the Truth: AWS Reserves 5 IPs Per Subnet
It’s not a bug. It’s by design — and it's always true for every subnet in AWS.
🖐️ The 5 Reserved IP Addresses
Let’s say Arjun created the subnet 10.0.0.0/24, which spans from 10.0.0.0 to 10.0.0.255.
Here’s how AWS uses the first and last few IPs:
| IP Address | Use Case |
|---|---|
| 10.0.0.0 | Network address — identifies the subnet |
| 10.0.0.1 | VPC router — AWS internal networking |
| 10.0.0.2 | Reserved by AWS (for future use) |
| 10.0.0.3 | Reserved by AWS (for future use) |
| 10.0.0.255 | Broadcast address — reserved for legacy reasons |
🔍 These 5 IPs can’t be assigned to EC2 instances, containers, or any other resource.
So from 256 total IPs, Arjun only gets 251 usable IPs.
🧠 Why Does AWS Reserve These?
- x.x.x.0 - Network ID: used to identify the subnet itself. Not a usable address.
- x.x.x.1 - VPC Router: this IP serves as the default gateway for your subnet.
- x.x.x.2 & x.x.x.3 - AWS Reserved: these are reserved for internal AWS networking functions. Not officially documented, but likely tied to features like DNS, internal telemetry, or future scalability.
- x.x.x.255 - Broadcast Address: even though AWS doesn't support broadcast, it still reserves this IP just in case.
💡 Real Subnet IP Ranges (Example)
For a subnet like 192.168.1.0/24:

| Purpose | IP Address |
|---|---|
| Network ID | 192.168.1.0 |
| VPC Router | 192.168.1.1 |
| Reserved (AWS internal) | 192.168.1.2 |
| Reserved (AWS internal) | 192.168.1.3 |
| Broadcast Address | 192.168.1.255 |
| Usable IPs | 192.168.1.4 to 192.168.1.254 |
| Total Usable IPs | 251 |
🛠️ What Should Arjun Do?
Arjun now plans better:
- For 1000 EC2s? Use larger subnets like /22 (gives 1024 total - 5 = 1019 IPs).
- For microservices? Use multiple subnets across AZs.
He stops blindly trusting CIDR calculators and starts designing with AWS rules in mind.
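As an added example (not from the original article), here is a small Python helper that applies the rule above: it lists the five addresses AWS holds back in any IPv4 subnet, reports the usable range, and picks the smallest prefix that still leaves room for a given number of hosts. It also enforces the /16 to /28 size limits that AWS places on VPC subnets; the function and variable names are my own.

```python
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, two AWS-reserved, broadcast


def aws_subnet_plan(cidr: str) -> dict:
    """Describe an AWS IPv4 subnet: total size, reserved addresses, usable range."""
    # strict=True rejects a CIDR with host bits set, e.g. "10.0.0.5/24"
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS IPv4 subnets must be between /16 and /28")
    base = int(net.network_address)
    # The five addresses AWS never hands out, per the table above.
    reserved = {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "aws_reserved": [str(ipaddress.ip_address(base + 2)),
                         str(ipaddress.ip_address(base + 3))],
        "broadcast": str(net.broadcast_address),
    }
    first_usable = ipaddress.ip_address(base + 4)
    last_usable = ipaddress.ip_address(int(net.broadcast_address) - 1)
    return {
        "total": net.num_addresses,
        "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        "reserved": reserved,
        "usable_range": (str(first_usable), str(last_usable)),
    }


def smallest_prefix_for(hosts: int) -> int:
    """Smallest AWS subnet (largest prefix length) with at least `hosts` usable IPs."""
    needed = hosts + AWS_RESERVED_PER_SUBNET
    # Walk from the smallest allowed subnet (/28) up to the largest (/16).
    for prefix in range(28, 15, -1):
        if 2 ** (32 - prefix) >= needed:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 subnet")


if __name__ == "__main__":
    plan = aws_subnet_plan("10.0.0.0/24")
    print(f"{plan['total']} total, {plan['usable']} usable: {plan['usable_range']}")
    print("Reserved:", plan["reserved"])
    print("1000 EC2 instances need a /%d" % smallest_prefix_for(1000))
```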
📌 SAA Exam Tip
In AWS exams and real-world design:
🧠 Always subtract 5 IPs from every subnet's CIDR block.
It’s a small thing… but when your app fails to scale because you’re short on IPs — you’ll remember this.
🧾 Final Summary
✅ AWS reserves 5 IPs per subnet
✅ Applies to all IPv4 subnets
✅ Plan your CIDRs with this in mind
✅ Helps build scalable, realistic VPC designs