The /24, /16, and /8 you keep seeing in AWS security groups and Kubernetes docs — decoded in a way you'll actually remember.
If you've spent an afternoon staring at an AWS security group asking "what exactly does 10.0.0.0/16 mean, and why does the tutorial want /24?" — this is for you. Twenty minutes, no networking degree required, and you'll never have to Google the difference again.
An IPv4 address is 32 bits. CIDR notation says how many of those 32 bits are the "network" part and the rest are the "host" part.
/24 means the first 24 bits are locked; the last 8 bits vary. 28 = 256 addresses.
/16 means the first 16 bits are locked; the last 16 bits vary. 216 = 65,536 addresses.
/32 means every bit is locked — exactly one address.
That's the whole trick. Bigger number = smaller range. Smaller number = bigger range. You can stop here and get 80% of what you need in daily work.
You'll see the same three CIDR blocks over and over. Memorise them and you'll skip the calculator most of the time.
/24 — 256 addresses (a "class C" subnet in the old-school naming). Typical home network, one AWS subnet.
/16 — 65,536 addresses. Typical AWS VPC, big office network.
/32 — 1 address. A single host — used in firewall rules that mean "only this exact IP".
Almost everything else you meet is one of these three or a small variation. See our IP address & CIDR converter if you need to sanity-check a block quickly.
Take 192.168.1.0/24. The /24 tells you the first three octets (three sets of 8 bits = 24 bits) are locked. So every address from 192.168.1.0 to 192.168.1.255 is inside the block. That's 256 addresses, of which 254 are usable — the first (network address) and last (broadcast address) are reserved.
Same trick for 10.0.0.0/16: first two octets locked, so anything from 10.0.0.0 to 10.0.255.255 is inside. 65,536 addresses.
10.0.0.0/8? First octet locked. That's the entire 10.x.x.x range — over 16 million addresses. This is why /8 is a huge block reserved for enterprise-scale private networks.
Three IPv4 ranges are reserved for private use — meaning your router hands them out and they never touch the public internet:
10.0.0.0/8 — 16.7 million addresses. Corporate networks.
172.16.0.0/12 — 1 million addresses. Docker default (172.17.0.0/16) lives here.
192.168.0.0/16 — 65,536 addresses. Every home router in the world.
If your device's IP starts with one of these, you're behind NAT — the router does the translation to a public IP for outbound traffic. The public IP is what appears in an AWS security group; the private IP only matters inside your own network.
The most common real-world subnetting task: you have a /16 VPC in AWS and need to carve it into per-availability-zone subnets. A /16 holds 256 /24s. If your VPC is 10.0.0.0/16, the /24s are 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24… all the way to 10.0.255.0/24.
Each of those /24s has 256 addresses. AWS reserves 5 in every subnet (network, broadcast, plus three internal AWS uses), so you get 251 usable IPs per /24. Enough for most workloads; if you need more, drop to /23 (512 addresses) or /22 (1,024).
Once you understand /24 and /16, the odd sizes are easy. Each step down doubles the number of addresses:
/25 = 128 addresses (half of a /24). Common for splitting a home network in two.
/26 = 64 addresses. Small AWS subnet.
/28 = 16 addresses. AWS' minimum subnet size — enough for 11 usable IPs once reserved addresses are subtracted.
/30 = 4 addresses. Point-to-point links between routers use this.
The other direction, doubling up: /23 = 512, /22 = 1,024, /20 = 4,096, /16 = 65,536. Every step down from a bigger number is a doubling.
Mistake 1: assuming /24 = 256 usable IPs. No — always subtract the reserved ones. On-prem it's 2; on AWS it's 5; on GCP it's 4.
Mistake 2: overlapping subnets. If you set your VPN to route 10.0.0.0/8 and your office LAN is 10.10.0.0/16, everything breaks. Overlapping ranges are the #1 cause of "the VPN killed my Wi-Fi".
Mistake 3: opening a security group to 0.0.0.0/0. That's every IP on the internet. Use my.public.ip/32 during development, then swap to a proper CIDR block for production.
IPv6 uses the same CIDR notation but with 128 bits instead of 32. A typical IPv6 subnet is /64, which is 18 quintillion addresses — vastly more than any single organisation will use. If you see /64 in an IPv6 context, treat it the same way you'd treat /24 in IPv4: one normal subnet's worth of space.
Print this out or stick it in a note; it covers 95% of situations:
Home router → 192.168.1.0/24
Small AWS subnet → 10.0.1.0/24
Full AWS VPC → 10.0.0.0/16
Single-host firewall rule → 1.2.3.4/32
Everything on the internet (dangerous) → 0.0.0.0/0
Docker default bridge → 172.17.0.0/16
Kubernetes pod CIDR (typical) → 10.244.0.0/16
Bigger CIDR number = smaller block. Memorise /24 = 256, /16 = 65k, /32 = single host, and you'll read almost every real-world CIDR block correctly on the first try.
Creating helpful tools and sharing productivity insights to make your work easier.
Convert dates between DD/MM/YYYY, MM/DD/YYYY, YYYY-MM-DD, and 20+ other date formats. Free online date format converter with custom format support and one-click copy.
Send a WhatsApp message to any number without saving it to your contacts. Free, instant, no signup — perfect for businesses and one-off chats.
Convert between gold karats, purity percentage, touch, tunch, and 916/750/585/375 hallmark markings. Free online gold karat calculator and purity converter.
Generate custom QR codes for URLs, vCards, Wi-Fi, text, and more — high-resolution PNG and SVG download, free.
Convert byte arrays to strings online. Decode space- or comma-separated bytes (decimal, hex, or binary) to UTF-8 text. Free browser-based byte-to-string converter.