Terraform AWS VPC module - Understanding subnet separation

Hi friends, I'm creating a new VPC using the Terraform <https://github.com/terraform-aws-modules/terraform-aws-vpc> module.

I would like to understand the separation of the subnets a little better.

```
public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 6, k + 4)]
database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 6, k + 8)]
```


In total I end up with 9 subnets. I chose /22 so that I have a larger 1024 available IP addresses to work with.

One thing I don't understand is the gap in between them, for example. What is the purpose of this and why?

4 -> 8

```
10.1.4.0/22 -> 10.1.8.0/22
```




```
vpc-private-us-east-2a 10.1.0.0/22
vpc-private-us-east-2b 10.1.4.0/22
vpc-private-us-east-2c 10.1.8.0/22
vpc-public-us-east-2a 10.1.16.0/22
vpc-public-us-east-2b 10.1.20.0/22
vpc-public-us-east-2c 10.1.24.0/22
vpc-db-us-east-2a 10.1.32.0/22
vpc-db-us-east-2b 10.1.36.0/22
vpc-db-us-east-2c 10.1.40.0/22
```

Is it just because IP subnetting is binary, and therefore splits subnets nicely in 2s/4s/8s etc, but because you’re using 3 x AZs, there is a “spare” subnet?

10.1.12.0/22 “spare private subnet”
10.1.28.0/22 “spare public subnet”
10.1.44.0/22 “spare db subnet”

Assuming you chose 10.1.0.0/18 as your VPC CIDR?

This tool helps with IP subnetting:

https://www.davidc.net/sites/default/subnets/subnets.html?network=10.1.0.0&mask=18&division=31.f4627231

To clarify, the CIDR range is "10.1.0.0/16".

I'll take a look at that link, thanks.

I think I still don't understand the splitting of subnets you mention nicely in 2s/4s/8s.

https://www.davidc.net/sites/default/subnets/subnets.html?network=10.1.0.0&mask=16&division=127.f399c9c4e9c4e462f9c4e462f4627231

Using that site I can divide it into 1022 hosts; I can see the subnet increments by 4s every time.

But in the above example I have created using Terraform, I can see that between the public, private and db subnet groups there is a gap of 8. Is there some reason for that?

I think it’s just the way the Terraform was written.

In terms of subnetting, using your example, if you allocate 10.1.0.0/22, you can't then allocate 10.1.4.0/21.

10.1.4.0/21 is not a valid subnet, because its /21 boundary would be 10.1.0.0-10.1.7.255, i.e. overlapping with 10.1.0.0/22.
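As an added worked example (my own code, not from the thread or from the terraform-aws-modules project), here is a small Python reimplementation of Terraform's `cidrsubnet()` that reproduces the nine subnets listed above from the `k`, `k + 4`, `k + 8` offsets, lists the one spare /22 that each group of four leaves when only three AZs are used, and checks the alignment and overlap point about `10.1.4.0/21` made in the last reply. The VPC CIDR `10.1.0.0/16`, the three `us-east-2` AZs and the 6 new bits come from the thread; the function and constant names are my own. It also shows the AWS-specific caveat that five addresses per subnet are reserved, so a /22 yields 1019 usable addresses rather than 1024 or 1022.

```python
import ipaddress

# Inputs as stated in the thread: a /16 VPC carved into /22 subnets
# (16 + 6 new bits), three AZs, and tiers placed 4 netnums apart.
VPC_CIDR = "10.1.0.0/16"
AZS = ["us-east-2a", "us-east-2b", "us-east-2c"]
NEWBITS = 6
STRIDE = 4  # the k+4 / k+8 offsets in the module inputs
TIER_OFFSETS = {"private": 0, "public": STRIDE, "database": 2 * STRIDE}

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Reimplementation (hypothetical, for illustration) of Terraform's
    cidrsubnet(prefix, newbits, netnum): lengthen the prefix by `newbits`
    and return the `netnum`-th child block, counted from zero."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not 0 <= netnum < 2 ** newbits:
        raise ValueError(f"netnum {netnum} does not fit in {newbits} new bits")
    child_prefixlen = net.prefixlen + newbits
    block_size = 1 << (net.max_prefixlen - child_prefixlen)  # addresses per child
    base = int(net.network_address) + netnum * block_size
    return str(ipaddress.ip_network((base, child_prefixlen)))


def plan_subnets(vpc_cidr=VPC_CIDR, azs=AZS, newbits=NEWBITS, offsets=TIER_OFFSETS):
    """Reproduce the module inputs from the thread: one subnet per AZ per tier,
    tier t at netnum k + offsets[t]. Returns {tier: [(az, cidr), ...]}."""
    return {
        tier: [(az, cidrsubnet(vpc_cidr, newbits, k + off)) for k, az in enumerate(azs)]
        for tier, off in offsets.items()
    }


def spare_subnets(vpc_cidr=VPC_CIDR, azs=AZS, newbits=NEWBITS,
                  offsets=TIER_OFFSETS, stride=STRIDE):
    """Netnums inside each tier's group of `stride` that no AZ uses. With
    three AZs and a stride of four, every tier leaves exactly one /22 spare."""
    return {
        tier: [cidrsubnet(vpc_cidr, newbits, n) for n in range(off + len(azs), off + stride)]
        for tier, off in offsets.items()
    }


def usable_hosts_aws(cidr: str) -> int:
    """Addresses a subnet of this size actually yields for instances in AWS."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def is_aligned(cidr: str) -> bool:
    """True if `cidr` starts on its own prefix boundary. 10.1.4.0/21 does not:
    a /21 must start on a multiple of 8 in the third octet."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def aligned_block(cidr: str) -> str:
    """The block a misaligned CIDR really denotes (the /21 around 10.1.4.0 is 10.1.0.0/21)."""
    return str(ipaddress.ip_network(cidr, strict=False))


def overlaps(a: str, b: str) -> bool:
    """True if the two blocks share any address (misaligned inputs are widened first)."""
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


if __name__ == "__main__":
    for tier, subnets in plan_subnets().items():
        for az, cidr in subnets:
            print(f"vpc-{tier}-{az} {cidr}")
    print("spare:", spare_subnets())
    print("usable hosts per /22 in AWS:", usable_hosts_aws("10.1.0.0/22"))
    print("10.1.4.0/21 aligned?", is_aligned("10.1.4.0/21"),
          "-> really", aligned_block("10.1.4.0/21"),
          "overlaps 10.1.0.0/22:", overlaps("10.1.0.0/22", "10.1.4.0/21"))
```

Each netnum step is one /22, i.e. 1024 addresses or 4 in the third octet, which is why the `k + 4` and `k + 8` offsets land on 10.1.16.0 and 10.1.32.0 and why three AZs in a group of four leave 10.1.12.0/22, 10.1.28.0/22 and 10.1.44.0/22 unused. The strict-mode `ValueError` from `ipaddress` is the same check that makes 10.1.4.0/21 an invalid subnet: widened to its real boundary it becomes 10.1.0.0/21 and collides with 10.1.0.0/22.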