Emanuele Gurini

Posted on Jan 23

The Mental Model That Made AWS Networking Finally Click

#aws #networking

When I first started working with AWS, I could copy-paste CIDR blocks from tutorials and make things work.

But I couldn't explain them. And when something broke, I had to retrace my steps blindly until it worked again.

That gap — between "it works" and "I understand why" — bothered me until I finally found the mental model that made it click.

It wasn't more documentation. It wasn't finally memorizing binary conversion tables.

It was thinking about IP addresses as buildings.

This article is for anyone who's been nodding along in AWS tutorials while secretly hoping nobody asks them to explain subnets. You'll walk away understanding CIDR notation well enough to design your own VPC architecture from scratch — not because you memorized rules, but because you'll finally see what's actually happening.

Let's start with the building.

I — The Internet Is a City of Buildings

Before we touch a single technical concept, I want to install a mental model that will do most of the heavy lifting for you.

Think of the internet as a massive city. Billions of buildings. Every device that connects — your laptop, your phone, that WordPress site you spun up three years ago and forgot about — needs an address so other devices can find it.

An IP address is that address.

Here's one: 172.31.0.25

Think of it like this: Building 172, Floor 31, Wing 0, Room 25

Four numbers. Separated by dots. Each number ranges from 0 to 255.

That's it. That's an IP address.

Now, you might be wondering: why 0 to 255? Why not 0 to 100, or 0 to 1000?

This is where most explanations lose people. They jump straight into binary. But I want to take a different route — one that actually sticks.

II — Why Computers Think in Light Switches

Here's the thing about computers: they're not smart. They're fast, but they're not smart.

A computer only understands two states: on or off. 1 or 0. Like a light switch.

One switch = one bit.

If you have one light switch, you can represent two states: off (0) or on (1).

If you have two switches, you can represent four states: 00, 01, 10, 11.

If you have eight switches — which we call a byte — you can represent 256 states. That's 2^8. Two to the power of eight.

This is why each number in an IP address goes from 0 to 255. Each number is one byte. Eight light switches. 256 possible combinations.

Here's a trick that makes reading binary instant. Imagine eight light bulbs, each with a fixed value:

To convert binary to decimal, just add up the values where the light is "on."

The number 10 in binary is 00001010.

You don't need to memorize this. You just need to understand why 255 is the ceiling. Because 11111111 — all lights on — equals 128+64+32+16+8+4+2+1 = 255.

Now we can go back to buildings.

III — Your Building Has 4.3 Billion Rooms (And We've Used Almost All of Them)

An IP address has four bytes. Each byte can be 0-255.

Total possible addresses: 256 × 256 × 256 × 256 = 4,294,967,296.

About 4.3 billion addresses.

Sounds like a lot. It's not. We've nearly exhausted IPv4 addresses — which is why IPv6 exists. But that's a story for another day.

Here's the question that actually matters for AWS: How do we carve up these addresses into usable chunks?

This is where CIDR comes in. And this is where most people get lost.

But you won't. Because you understand buildings.

*IV — The Slash Number Is Just a Lock
*

Look at this: 172.31.0.0/16

That /16 is called CIDR notation. It stands for Classless Inter-Domain Routing, but forget that. Here's what it actually means:

The number after the slash tells you how many bits are locked.

An IP address is 32 bits total (4 bytes × 8 bits).

/16 means the first 16 bits are locked. Fixed. Unchangeable.

Back to our building:

You own building 172.31. You can assign any room from 0.0 to 255.255.

How many rooms is that?

*V — The T-Shirt and Pants Principle
*

This is where I see people's eyes glaze over. "Why 256 × 256? Where does multiplication come into IP addresses?"

Let me explain with outfits.

You're packing for a trip. You have:

256 t-shirts (numbered 0-255)
256 pants (numbered 0-255)

How many unique outfits can you make?

For each t-shirt, you can pair it with any of the 256 pants:

Total: 256 × 256 = 65,536 outfits.

This is exactly how IP ranges work. Each "unlocked" byte can combine with every value of every other unlocked byte.

With /16, you have two unlocked bytes. Two clothing items. 65,536 combinations.

With /24, you have one unlocked byte:

That's 256 addresses (254 usable — we'll get to why in a moment).

You went from owning the whole building to owning just one floor.

VI — The Tricky Case: When the Lock Lands Mid-Byte
Here's where it gets interesting: 172.31.0.0/20

Twenty bits are locked. But 20 doesn't divide evenly by 8.

The third byte is half-locked. The first 4 bits are fixed, leaving 4 bits free.

4 free bits = 2^4 = 16 possible values (0-15).

Back to outfits:

16 t-shirts (the partially-free third byte)
256 pants (the completely-free fourth byte)

Total: 16 × 256 = 4,096 addresses.

Your range: 172.31.0.1 → 172.31.15.254

You now own 16 floors of the building, each with 256 rooms.

*VII — Why Would You Ever Want to Lock IPs?
*

"Okay," you might be thinking, "but why would I voluntarily limit my address space?"

Because limitation creates structure. And structure creates security.

Watch what becomes possible:

You've just created subnets. Isolated networks within your larger network.

Three things this gives you:

Security — Dev can't accidentally (or intentionally) access HR data
Organization — You see 172.31.17.x and instantly know: Sales, South Region
Traffic control — You can put firewalls between sections, like badge readers between floors

This isn't theoretical. This is exactly how you'll design your AWS infrastructure.

VIII — How AWS Uses Everything You Just Learned

When you create a VPC (Virtual Private Cloud) in AWS, the first thing it asks for is a CIDR block.

This is not optional. This is the foundation.

Think of it this way:

VPC = Your building
CIDR block = How many total rooms the building has

AWS allows VPC sizes between /16 (65,536 addresses) and /28 (16 addresses).

The default VPC uses 172.31.0.0/16 — which is the example we've been using this entire article. Not a coincidence.

But here's the key insight: you don't put resources directly in the VPC.

You create subnets inside the VPC. Each subnet gets a slice of the VPC's address space. Then you put your EC2 instances, databases, and other resources into those subnets.