Home/Blog/CIDR Block Overlaps with Existing Subnet ? AWS VPC Fix Guide
??
awsvpcnetworking

CIDR Block Overlaps with Existing Subnet ? AWS VPC Fix Guide

CIDR overlap errors in AWS VPC happen when two subnets or VPCs share IP address ranges. Learn how to calculate non-overlapping CIDR blocks, detect conflicts, and plan your IP space.

May 22, 20263 min readby ToolNinja

The Exact Error

The CIDR '10.0.1.0/24' conflicts with another subnet

Or in Terraform:

Error: creating EC2 Subnet: InvalidSubnet.Conflict: The CIDR '10.0.0.0/24' conflicts with another subnet.

Or for VPC peering:

InvalidVpcPeeringConnectionState: Cannot create a peering connection between VPCs with overlapping CIDR blocks

Quick summary: Two subnets (or two peered VPCs) share an overlapping IP address range. AWS requires all subnets within a VPC to have non-overlapping CIDRs.

Why This Error Happens

CIDR notation defines a range of IP addresses. 10.0.0.0/24 means all IPs from 10.0.0.0 to 10.0.0.255. If you create a subnet whose CIDR shares any IP with an existing subnet, AWS rejects it.

Four root causes:

1. Subnets in the same VPC overlap ? Creating a second subnet with a CIDR that includes addresses already claimed.

2. VPC peering with overlapping ranges ? Both VPCs use 10.0.0.0/16 ? peering is impossible.

3. On-premises network conflict ? VPC connected to corporate network via VPN when both use the same RFC 1918 range.

4. Copy-paste from a template ? Reusing the same Terraform template without updating CIDR blocks per environment.

Step-by-Step Diagnosis

Step 1 ? List all existing subnets and their CIDRs

aws ec2 describe-subnets   --filters "Name=vpc-id,Values=vpc-xxxxxxxx"   --query 'Subnets[*].[SubnetId,CidrBlock,AvailabilityZone]'   --output table

Step 2 ? Calculate the address range of your new CIDR

For 10.0.1.0/24:

  • Range: 10.0.1.0 ? 10.0.1.255
  • If any existing subnet overlaps this range, you'll get the conflict.

Step 3 ? Check both VPCs' CIDRs for peering

aws ec2 describe-vpcs --vpc-ids vpc-aaa --query 'Vpcs[*].CidrBlock'
aws ec2 describe-vpcs --vpc-ids vpc-bbb --query 'Vpcs[*].CidrBlock'

Solutions

Solution 1 ? Choose a non-overlapping CIDR

# Existing subnets: 10.0.1.0/24 and 10.0.2.0/24
# New subnet ? use the next available /24:
aws ec2 create-subnet   --vpc-id vpc-xxxxxxxx   --cidr-block 10.0.3.0/24   --availability-zone us-east-1a

Solution 2 ? Plan subnets across availability zones

# VPC: 10.0.0.0/16
# Public subnets:
10.0.1.0/24   # us-east-1a public
10.0.2.0/24   # us-east-1b public
# Private subnets:
10.0.11.0/24  # us-east-1a private
10.0.12.0/24  # us-east-1b private
# Database subnets:
10.0.21.0/24  # us-east-1a database
10.0.22.0/24  # us-east-1b database

Solution 3 ? Fix Terraform CIDR conflicts across environments

# prod.tfvars
vpc_cidr = "10.0.0.0/16"
subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"]

# staging.tfvars
vpc_cidr = "10.1.0.0/16"
subnet_cidrs = ["10.1.1.0/24", "10.1.2.0/24"]

Quick Reference

CIDRRangeHostsUse case
10.x.0.0/16256 /24 subnets65KOne VPC per environment
10.x.y.0/2410.x.y.0 ? 10.x.y.255254One subnet per AZ
10.x.y.0/2816 addresses11Small subnet

Prevent This Error in the Future

1. Plan your entire IP address space before creating any resources. Map all environments and regions, assign non-overlapping CIDRs upfront.

2. Use a CIDR calculator to visualize ranges and check for overlaps before creating subnets.

3. Document your IP allocation in a simple table and check it before adding a new VPC.

Use ToolNinja to Debug Faster

The CIDR Calculator shows the full IP range, number of hosts, and network/broadcast addresses for any CIDR block. Use it to verify non-overlapping ranges before opening the AWS console.

?? CIDR Calculator ? toolninja.io/tools/cidr-calculator

Share:𝕏 Twitterin LinkedIn

Frequently Asked Questions

What does CIDR overlap mean and why is it a problem?

Two CIDR blocks overlap when they share one or more IP addresses. Overlapping subnets create routing ambiguity ? the network can't determine which subnet to use for a given IP ? so AWS prevents creating them.

How do I quickly check if two CIDR blocks overlap?

Two CIDRs overlap if one contains the other's network address. For 10.0.1.0/24 and 10.0.2.0/24: range A is 10.0.1.0-10.0.1.255, range B is 10.0.2.0-10.0.2.255 ? no overlap. For 10.0.1.0/24 and 10.0.0.0/16: the /24 range falls entirely within the /16 range ? overlap.

What is a good CIDR block strategy for multiple VPCs?

Use a hierarchical allocation: assign a /8 or /16 range to your organization (e.g., 10.0.0.0/8), then divide it into /16 blocks per environment (10.0.0.0/16 for prod, 10.1.0.0/16 for staging, 10.2.0.0/16 for dev). Subdivide each /16 into /24 blocks per subnet.

Can I change a VPC's CIDR block after creation?

You can add secondary CIDR blocks (up to 5 total) but you cannot remove or shrink the primary CIDR block. If your primary CIDR is wrong, you need to create a new VPC and migrate resources. This is why planning IP space before creating resources is critical.

Related Articles

🔄

How to Convert cURL Commands to Python, JavaScript, PHP and More

5 min read

📋

YAML: Mapping Values Are Not Allowed / Bad Indentation Fix

4 min read

??

error: pathspec did not match any file(s) known to git ? Fix Guide

3 min read

Try it yourself →

toolIP / CIDR CalculatorFree, browser-only →
← All articles
🥷 ToolNinja