Build Your AWS Network on Purpose — IPAM, VPC Pools, and Subnet Design That Scales

In this build session, we took a step back and planned our entire IP address space with AWS IPAM before creating a single VPC. Most people jump straight into creating a VPC, then end up with overlapping CIDRs, painful peering, and no clean way to scale across regions or accounts. We walk through a hierarchical IPAM design from the RFC1918 root all the way down to subnet-level pools, then use that plan to provision a 10.0.0.0/16 VPC with properly sized public and private subnets across multiple AZs.

🧱 What We're Building
➜ AWS IPAM with a multi-tier pool hierarchy
➜ Root pool from RFC1918 (10.0.0.0/8)
➜ Regional pools for us-west-2, ca-central-1, eu-west-1, plus a reserved pool (/10 each, so the four tile the /8 exactly)
➜ Environment pools under each region: prod (/11), nonprod (/12), shared (/13), reserved (/13), which together tile the regional /10
➜ Client VPC pools sized at /16 for predictable per-tenant allocation
➜ Subnet pools inside each /16: private-workload (/17), public-workload (/19), private-endpoint (/19), reserved (/18), which together tile the /16
➜ A 10.0.0.0/16 VPC carved out of the prod pool with public and private subnets across 3 AZs

🔍 What We Covered
✅ Why IP planning before VPC creation prevents painful re-architectures later
✅ Splitting the root by region so each region owns a distinct /10
✅ Separating prod, nonprod, shared, and reserved environments under each region
✅ Sizing client VPCs at /16 for consistent per-tenant capacity
✅ Allocating subnet pools by workload type: private workload, public workload, private endpoints, and reserved
✅ Provisioning a 10.0.0.0/16 VPC with 3 public and 3 private subnets across AZs
✅ Pulling all CIDRs from IPAM instead of hardcoding them: the VPC asks its pool for a /16, and IPAM hands back a block that cannot collide with anything else it manages
✅ Reserving address space for future regions, accounts, and acquisitions
✅ Avoiding CIDR overlap that breaks VPC peering, Transit Gateway routing, and on-prem connectivity

🧩 Why This Matters
➜ IPAM turns IP space into a managed resource instead of a spreadsheet
➜ A clear hierarchy (root → region → environment → VPC → subnet) scales across accounts
➜ Sizing decisions are made once at the pool level, so overlap is prevented by construction rather than by convention
➜ Reserved pools give you room for new regions and acquisitions without re-IPing
➜ Subnet pools by workload type make least-privilege routing and security-group design easier, because a route table or SG rule can reference a whole pool instead of a list of subnets

— Build with Brainyl
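The pool sizes above are exact tilings (four /10s make a /8; /11 + /12 + /13 + /13 make a /10; /17 + /18 + /19 + /19 make a /16), and the whole point of IPAM is that those sizing decisions are checked for you instead of in a spreadsheet. The script below is an added example, not Brainyl's session code and not an AWS API call: it reproduces the hierarchy with the standard-library ipaddress module, checks that each level tiles its parent without overlap, and names the pools a hard-coded or on-prem CIDR would collide with. Two things are assumptions not stated in the post: blocks are handed out largest-first so they stay aligned, and each per-AZ subnet is its pool split equally across the three AZs (a /19 per AZ from the private-workload /17, a /21 per AZ from the public /19). The VPC name "client-1" is a placeholder.

```python
"""Plan the IPAM pool hierarchy from the post and verify that every level tiles its
parent without overlap. Pure CIDR arithmetic, runs offline with no AWS credentials.
Added example; pool prefix lengths come from the post, the per-AZ split is an assumption."""
import ipaddress
from ipaddress import IPv4Network
from typing import Dict, List

ROOT = IPv4Network("10.0.0.0/8")           # RFC1918 root pool
REGIONS = ["us-west-2", "ca-central-1", "eu-west-1", "reserved"]
REGION_PREFIX = 10                         # one /10 per region
ENV_PREFIXES = {"prod": 11, "nonprod": 12, "shared": 13, "reserved": 13}
VPC_PREFIX = 16                            # one /16 per client VPC
SUBNET_POOL_PREFIXES = {"private-workload": 17, "public-workload": 19,
                        "private-endpoint": 19, "reserved": 18}
AZS = ["a", "b", "c"]                      # assumption: three AZs, equal per-AZ subnets


def carve(parent: IPv4Network, requests: Dict[str, int]) -> Dict[str, IPv4Network]:
    """Allocate one aligned child block per request from parent, largest first.

    Largest-first keeps every block naturally aligned, so a set of prefixes whose
    sizes sum to the parent tiles it exactly. Raises ValueError if they do not fit.
    """
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    out: Dict[str, IPv4Network] = {}
    for name, plen in sorted(requests.items(), key=lambda kv: kv[1]):  # stable sort
        if plen < parent.prefixlen:
            raise ValueError(f"{name}: /{plen} is larger than parent {parent}")
        size = 1 << (32 - plen)
        cursor = (cursor + size - 1) // size * size      # align up to the block size
        if cursor + size > end:
            raise ValueError(f"{name}: /{plen} does not fit in {parent}")
        out[name] = IPv4Network((cursor, plen))
        cursor += size
    return out


def assert_disjoint(blocks: List[IPv4Network]) -> None:
    """Fail if any two sibling blocks overlap (the check IPAM enforces, a spreadsheet does not)."""
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlap: {a} and {b}")


def az_subnets(pool: IPv4Network, azs: List[str]) -> Dict[str, IPv4Network]:
    """Split a subnet pool into equal per-AZ subnets; 3 AZs need 2 extra prefix bits,
    which leaves one block of the pool spare for growth."""
    extra_bits = (len(azs) - 1).bit_length()
    return carve(pool, {az: pool.prefixlen + extra_bits for az in azs})


def build_plan() -> dict:
    """root -> region -> environment -> first /16 VPC in us-west-2/prod -> subnet pools -> AZ subnets."""
    regions = carve(ROOT, {r: REGION_PREFIX for r in REGIONS})
    envs = {r: carve(block, ENV_PREFIXES) for r, block in regions.items()}
    vpc = carve(envs["us-west-2"]["prod"], {"client-1": VPC_PREFIX})["client-1"]  # placeholder tenant
    pools = carve(vpc, SUBNET_POOL_PREFIXES)
    subnets = {"private": az_subnets(pools["private-workload"], AZS),
               "public": az_subnets(pools["public-workload"], AZS)}
    # Every sibling set must be disjoint, and nothing below the VPC may leave it.
    assert_disjoint(list(regions.values()))
    for env_pools in envs.values():
        assert_disjoint(list(env_pools.values()))
    assert_disjoint(list(pools.values()))
    leaves = [*subnets["private"].values(), *subnets["public"].values()]
    assert_disjoint(leaves)
    for leaf in leaves:
        if not leaf.subnet_of(vpc):
            raise ValueError(f"{leaf} escaped its VPC {vpc}")
    return {"regions": regions, "envs": envs, "vpc": vpc, "pools": pools, "subnets": subnets}


def conflicts_with(cidr: str, plan: dict) -> List[str]:
    """Name the environment pools a proposed hard-coded or on-prem CIDR would collide
    with (e.g. a peering partner that also uses 10.0.0.0/16). Empty list means safe."""
    net = IPv4Network(cidr)
    return [f"{region}/{env} {block}"
            for region, env_pools in plan["envs"].items()
            for env, block in env_pools.items() if block.overlaps(net)]


if __name__ == "__main__":
    plan = build_plan()
    for region, env_pools in plan["envs"].items():
        for env, block in env_pools.items():
            print(f"{region:13} {env:9} {block}")
    print("vpc", plan["vpc"])
    for name, block in plan["pools"].items():
        print("  pool", name, block)
    for kind, azmap in plan["subnets"].items():
        for az, block in azmap.items():
            print(f"  {kind}-{az}", block)
    print("10.0.0.0/16 from a partner would collide with:", conflicts_with("10.0.0.0/16", plan))
```

Running it prints the same layout the session builds in IPAM (us-west-2 gets 10.0.0.0/10, its prod pool 10.0.0.0/11, the first client VPC 10.0.0.0/16), and a partner or on-prem range handed to conflicts_with is reported against the exact pool it would break. In the real deployment the literal CIDRs never appear in the VPC definition: the VPC is created with an IPAM pool ID and a netmask length (Ipv4IpamPoolId and Ipv4NetmaskLength on the EC2 CreateVpc API, ipv4_ipam_pool_id and ipv4_netmask_length on the Terraform aws_vpc resource), which is what "pulling all CIDRs from IPAM instead of hardcoding them" means in practice.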