Networkingintermediate22 min read

Subnetting and CIDR Planning in Google Cloud

Learn CIDR, subnet sizing, RFC1918 planning, GKE secondary ranges, and Shared VPC design in Google Cloud with practical examples.

What is CIDR

CIDR stands for Classless Inter-Domain Routing. It is the notation you use to describe an IP network and its prefix length, such as 10.20.30.0/24.

The part before the slash is the network address. The part after the slash is the number of bits reserved for the network. The remaining bits are available for hosts or sub-allocation.

In practical cloud networking, CIDR answers three questions:

  • How big is this subnet?
  • Which IPs belong to it?
  • How much room do I have left before I need another subnet?
CIDRTotal IPv4 addressesTypical generic usable hostsGoogle Cloud primary subnet usable IPs
/28161412
/27323028
/24256254252
/204,0964,0944,092
/1665,53665,53465,532

In Google Cloud, a primary subnet range loses four addresses, not two. Google reserves the first two and last two IPs in each primary IPv4 subnet range. That matters when you are doing tight capacity planning for node pools, bastion subnets, and small management networks.

Example networkMeaningFast mental model
10.0.0.0/8Very large address poolGood for carving environments
10.10.0.0/16Regional or platform blockGood for one environment in one region
10.10.32.0/20Workload blockGood for app, data, or node tiers
10.10.32.0/24Small subnetGood for admin, bastion, or tiny services

Private IP ranges

For most production Google Cloud environments, your default choice should be RFC1918 private space. These ranges are non-routable on the public internet and are the safest default when you expect VPN, Interconnect, peering, or hybrid growth.

RFCRangeSizeCommon use
RFC191810.0.0.0/816,777,216 IPsLarge enterprises, multi-environment platforms
RFC1918172.16.0.0/121,048,576 IPsMid-sized estates, segmented regional designs
RFC1918192.168.0.0/1665,536 IPsSmall environments, edge, labs

Google Cloud documentation for VPC subnets lists these RFC1918 ranges as valid private IPv4 subnet ranges, and it also allows some additional internal ranges. Even so, RFC1918 should remain your production default unless you have a clear reason to use something else.

Range familyProduction guidance
RFC1918 private rangesPreferred for almost every enterprise VPC design
100.64.0.0/10 shared address spaceUse only when you understand carrier-grade NAT overlaps and downstream implications
Privately used public IP spacePossible in GCP, but risky if you ever peer, import routes, or use BYOIP

One practical rule keeps many teams out of trouble: pick one RFC1918 strategy for the whole company. If networking, platform, and Kubernetes teams all improvise independently, overlap becomes almost guaranteed.

Org sizeSafe default
Small startup10.0.0.0/8 reserved globally, even if you use only a small part today
Mid-sized company10.0.0.0/8 with environment and region blocks from day one
Hybrid enterpriseAudit on-prem first, then choose a private plan that avoids existing overlap

Understanding subnet masks

A subnet mask and a CIDR prefix describe the same boundary in two different formats. For example, /24 is the same as 255.255.255.0.

CIDRSubnet maskTotal IPsGCP primary usable IPsTypical role
/28255.255.255.2401612Tiny management subnet
/27255.255.255.2243228Proxy or appliance subnet
/26255.255.255.1926460Small shared service tier
/24255.255.255.0256252Standard app subnet
/23255.255.254.0512508Denser application or node subnet
/22255.255.252.01,0241,020Large regional shared tier

CIDR math is easier if you remember one formula:

  • Total IPs = 2^(32 - prefix)
  • GCP primary subnet usable IPs = 2^(32 - prefix) - 4
ExampleMathResult
10.40.0.0/242^(32-24) = 256252 usable in GCP
10.40.0.0/232^(32-23) = 512508 usable in GCP
10.40.16.0/202^(32-20) = 40964092 usable in GCP

Visualizing the split helps:

If you cannot do the math quickly in your head, that is normal. The engineering requirement is not mental speed. It is consistency. You need a plan that teams can extend without guessing.

Subnet sizing strategy

Subnet sizing is a capacity exercise, not a trivia exercise. Start from workload growth, not from a random /24 habit.

Workload patternStarting pointWhy
Bastion or admin subnet/27 or /26Few instances, low growth
Small app tier/24Reasonable default, easy to understand
Large app tier or node pool/23 or /22Prevent early fragmentation
Shared services or future-heavy region/20Leaves room for platform growth
GKE Pod secondary rangeOften /21 or largerPod IP demand grows faster than VM counts

A production planner should always ask:

  1. How many workloads exist today?
  2. What is the 12 to 24 month growth target?
  3. Will I add GKE, private services, PSC endpoints, or more regions later?
  4. Does this subnet need room for blue-green or migration overlap?
PrefixTotal IPsGCP usable IPsWhen it exhausts quickly
/24256252Node pools, shared services, fast-growing app fleets
/23512508Medium clusters with several pools
/221,0241,020Usually safer for regional shared tiers
/204,0964,092Better reserve block for structured subdivision

IP exhaustion happens when the subnet still exists, but no new IPs can be allocated. In Google Cloud that blocks new VMs, forwarding rules, node scale-out, or load balancer growth depending on what uses the range.

Exhaustion symptomWhat usually caused it
New VM creation failsSubnet sized too tightly for workload growth
GKE node pool stops scalingNode primary range or Pod secondary range too small
Migration project stallsNo temporary overlap space for old and new systems
Shared services cannot expandMany teams were pointed at one undersized subnet

Environment segmentation

The cleanest production estates separate dev, staging, and prod at the address-planning layer, not just with IAM and labels. If you do not reserve environment blocks early, teams eventually collide.

EnvironmentRecommended propertyWhy
DevSmaller, cheaper, disposableEncourages experimentation without consuming prod-scale IPs
StagingClose to prod shapeMakes capacity testing realistic
ProdLargest reserved spaceProduction almost always grows faster than expected
Shared servicesSeparate from app environmentsAvoids mixing DNS, logging, CI, and identity traffic with app subnets

A straightforward enterprise pattern inside 10.0.0.0/8 is:

EnvironmentReserved blockNotes
Prod10.0.0.0/10Largest block for long-term growth
Staging10.64.0.0/10Mirrors prod structure
Dev10.128.0.0/10Smaller per-workload needs, same pattern
Shared platform10.192.0.0/10Identity, CI, observability, transit, PSC

Inside each environment, you can repeat the same region and subnet pattern:

Prod regional blockSub-allocation example
10.0.0.0/16 for us-central110.0.0.0/24 admin, 10.0.4.0/22 app, 10.0.16.0/20 GKE
10.1.0.0/16 for us-east1Same structure, different second octet
10.2.0.0/16 for europe-west1Same structure, easier operations

This repeatable pattern lowers cognitive load. When an engineer sees 10.2.16.0/20, they can infer both the environment and the region without opening a spreadsheet.

Multi-region planning

Google Cloud VPC networks are global, but subnets are regional. That means your IP plan should reserve regional blocks inside an environment, then subdivide those blocks by workload.

Planning layerExample blockPurpose
Environment10.0.0.0/10Prod
Region10.0.0.0/16Prod us-central1
Workload10.0.32.0/20Prod us-central1 GKE nodes
Subnet10.0.48.0/24Prod us-central1 admin subnet
StrategyBenefitTradeoff
One /16 per regionEasy to reason aboutCan feel wasteful in tiny environments
One /20 per workload type in each regionPredictable growth pathRequires up-front discipline
Sparse allocationEasy to insert future subnetsUses more address space early
Dense allocationSaves space todayHarder to expand later

A common production mistake is to allocate subnets consecutively without reserving gaps. That feels efficient on day one and painful on year two.

Better patternWorse pattern
Reserve a regional /16, then carve by role with gapsHand out random /24s as teams ask
Repeat the same subnet map in every regionReinvent the plan in every region
Document future reserved ranges nowPromise to fix it later during migration

GKE subnet planning

Kubernetes changes IP planning because you are no longer sizing only for nodes. In a VPC-native GKE cluster, you must think about:

  • The primary subnet range for nodes and internal load balancers
  • A secondary range for Pods
  • A secondary range for Services

Google Cloud guidance matters here:

  • GKE Pod secondary ranges are immutable after cluster creation, so undersizing them causes future scaling pain.
  • Google Cloud documentation notes that all IPs in secondary ranges are usable for Pods, while primary ranges still lose four addresses.
  • For Standard clusters, the default maximum of 110 Pods per node maps to a /24 Pod CIDR per node.
Range typeExampleUsed for
Primary subnet10.20.32.0/20Nodes, internal load balancers, node NICs
Pod secondary10.20.64.0/17Pod IPs
Service secondary10.20.192.0/22ClusterIP Services
Max Pods per nodePer-node Pod CIDRIPs per node blockGood fit
8/2816Very small clusters with many nodes
32/2664Lower density, more node count flexibility
64/25128Moderate density
110/24256Standard default
256/23512High density, consumes Pod space quickly

The planning tradeoff is direct:

ChoiceWhat you gainWhat you lose
Higher Pods per nodeFewer nodesLarger Pod CIDR per node
Lower Pods per nodeMore nodes in the same Pod rangeLower Pod density per node
Larger Pod secondary rangeScale headroomMore address space consumed
Smaller Pod secondary rangeConserves IPsHigher risk of cluster exhaustion

Practical example from Google Cloud sizing logic:

InputsResult
Pod secondary range /21, max Pods per node 110Nodes get /24 Pod blocks, so the cluster can support 8 nodes
Pod secondary range /21, max Pods per node 32Nodes get /26 Pod blocks, so the cluster can support 32 nodes

That is why a cluster can run out of Pod IPs even when the node subnet still has room. The node subnet and the Pod secondary range are different exhaustion domains.

Common mistakes

The most expensive subnetting problems are usually not syntax mistakes. They are planning mistakes that surface only when you add regions, clusters, or hybrid links.

MistakeWhy it hurtsBetter move
Starting every subnet as /24Looks tidy, causes early exhaustionSize by growth, not habit
Overlapping VPC and on-prem rangesBreaks VPN, peering, and route importReserve a company-wide IP plan first
Not separating environmentsDev and prod become entangled operationallyReserve environment blocks up front
Ignoring GKE secondary rangesCluster scales fail laterPlan node, Pod, and Service ranges separately
Letting every project choose its own CIDRShared VPC and peering get messy fastCentralize address ownership
Filling a regional block denselyNo room for future subnet insertionLeave intentional gaps

Overlapping subnets are especially painful. They create ambiguous routing and often block:

  • Cloud VPN or Interconnect attachments
  • VPC Network Peering
  • Shared services migration
  • Mergers between teams or projects
  • Shared VPC adoption later
Overlap scenarioReal-world consequence
On-prem and GCP both use 10.1.0.0/16Hybrid routing conflict
Two GCP VPCs both use 10.20.0.0/16Peering design becomes constrained or impossible
Service project already uses random RFC1918 spaceShared VPC migration requires re-addressing
GKE Pods overlap with future regional app rangesPlatform team has to redesign cluster networking under load

IP exhaustion and overlap often combine. Teams squeeze small ranges to save space, then later reuse neighboring space without a central plan.

Production recommendations

Production IP planning should be opinionated. Ambiguity is what turns networking into archaeology six months later.

RecommendationReason
Reserve a company-wide RFC1918 strategy firstPrevent overlap across cloud, on-prem, labs, and partners
Allocate by environment, then by region, then by workloadKeeps growth predictable
Prefer sparse, documented allocationFuture subnet insertion is easier than re-addressing
Use larger regional reserve blocks than you need todayCloud platforms expand faster than expected
Treat GKE as a separate planning trackNode, Pod, and Service ranges grow differently
Keep a source-of-truth spreadsheet or IaC-generated registryAvoid tribal knowledge
Review plans before Shared VPC rolloutShared VPC centralizes network control, so bad plans spread faster

For Shared VPC, the strongest pattern is:

Shared VPC elementPlanning advice
Host projectOwns the canonical network plan and subnet lifecycle
Service projectsConsume selected subnets, not ad hoc CIDRs
Shared subnetsGrant at subnet level where possible, not whole-host-project by default
Secondary rangesReserve them in the host project early for GKE and platform services

Google Cloud Shared VPC documentation emphasizes that the host project can share selected subnets, including secondary ranges, with service projects, and that subnet-level permissions help preserve least privilege. That should shape your IP plan: design the host project like a platform, not like a single app team’s network.

Team maturityPractical recommendation
Early-stageStill reserve the whole 10.0.0.0/8 mentally, even if only one /16 is active
Scaling startupStandardize one reusable regional template
Enterprise platformReview every new region and GKE cluster against the central CIDR registry

FAQ

QuestionAnswer
Should I always use 10.0.0.0/8?Not always, but it is the safest large default if it does not conflict with existing networks.
Is /24 still a good default subnet size?For many small app tiers, yes. For node pools, shared services, and growth-heavy workloads, often no.
Why do Google Cloud primary subnets have fewer usable IPs than classic subnet math suggests?Google Cloud reserves the first two and last two addresses in each primary IPv4 subnet range.
Can I resize a subnet later?You can expand primary ranges in some cases, but you should not build a production plan that depends on rescue resizing.
Why do GKE clusters run out of IPs even when the subnet looks big?Because Pod secondary ranges can exhaust independently from the primary node subnet.
Should dev and prod share a VPC?Usually no. Separate environments reduce blast radius and make IP planning clearer.
How should I think about Shared VPC?One team owns the network plan in the host project, while service projects consume approved subnets and secondary ranges.
What is the fastest way to detect future trouble?Audit for small subnets, overlapping RFC1918 allocations, and GKE clusters with undersized Pod secondary ranges.

Try it on DevForge

Free online tools related to this tutorial β€” no signup required.

Related Tutorials