Subnet Design 2026

VPC layout.

Overview

Modern subnet design leaves room for growth, separates tiers, and matches CIDR allocation to AZ structure. The decisions made at VPC creation time live for the lifetime of the workload; getting the layout wrong forces a painful re-IP migration later. Generous sizing, three-tier separation per AZ, and non-overlapping CIDRs across environments are the foundations.

• VPC layout. Per-environment VPCs with non-overlapping CIDRs. Future peering and Transit Gateway require this.
• Tier separation. Public, private, and isolated subnets per AZ. Standard three-tier pattern.
• CIDR sizing. /16 VPC with /20 subnets gives meaningful headroom. Avoids the IP-exhaustion incident that forces re-IPing.
• AZ alignment plus IPv6 readiness. One subnet per tier per AZ; dual-stack subnets where IPv6 applies.

The approach

Three habits make subnet design durable: plan CIDR allocation up front at the org level, ship three tiers per AZ, and manage everything through Terraform so the topology is reviewable and replayable.

• Plan CIDR up front. Org-wide allocation document. Non-overlapping ranges per environment, region, and account.
• Three tiers per AZ. Public for ingress, private for application, isolated for data. Match the separation to the security model.
• Generous sizing. /20 subnets minimum. The pain of IP exhaustion outweighs the cost of unused address space.
• Terraform-managed plus documented topology. IaC produces audit trail; per-VPC the layout documented in source control.

Why this compounds

Each correctly-sized VPC supports years of workload growth without re-IPing. The team’s AWS networking fluency deepens; new VPCs inherit the conventions; security and compliance reviews work from documented topology.

• Re-IPing avoided. Right sizing at the start avoids the migration that takes weeks and breaks production.
• Tier separation. Three-tier produces real isolation. Security model becomes enforceable.
• Resilience. Multi-AZ subnets support HA without extra design effort.
• Year-one investment, year-two habit. First VPC is heavy lift. By the third, the topology template is settled.