Network Considerations
Network Considerations for VPC CIDR Selection
Overview
When deploying the Trusst platform into your AWS environment, one of the key infrastructure decisions is selecting the appropriate VPC (Virtual Private Cloud) CIDR block. This document provides guidance to help you choose between using our default VPC CIDR configuration or specifying a custom CIDR block that aligns with your existing network architecture.
Default VPC CIDR Configuration
Default Settings
Primary CIDR Block:
10.60.0.0/20
(4,096 IP addresses)Availability Zones: 2 (configurable)
NAT Gateways: 1 (configurable, max 1 per AZ)
Subnet Configuration (per AZ):
Public Subnets:
/24
(256 IPs per subnet)Private Subnets with Egress:
/24
(256 IPs per subnet)Isolated Subnets (Database):
/27
(32 IPs per subnet)
Subnet Allocation Example (Default)
With the default 10.60.0.0/20
CIDR:
Public Subnets:
10.60.0.0/24
,10.60.1.0/24
Private Subnets:
10.60.2.0/24
,10.60.3.0/24
Isolated Subnets:
10.60.4.0/27
,10.60.4.32/27
When to Use Default Configuration
The default configuration is suitable when:
β Greenfield Deployment: You're deploying Trusst in a new AWS account with no existing infrastructure
β No IP Conflicts: The
10.60.0.0/20
range doesn't conflict with your existing networksβ Isolated Environment: The Trusst platform will operate independently without complex connectivity requirements
β Proof of Concept: You're evaluating the platform and don't need integration with existing systems
β Standard Workloads: Your expected usage aligns with typical Trusst deployments
Advantages of Default Configuration
Quick deployment with no additional network planning required
Pre-optimized subnet sizing for typical Trusst workloads
Avoids common CIDR ranges (
10.0.0.0/16
,172.31.0.0/16
) to reduce conflict probabilityTested configuration ensuring all components communicate properly
Efficient IP allocation with room for growth
Custom VPC CIDR Configuration
When to Use Custom Configuration
You should specify a custom CIDR block when:
β οΈ IP Range Conflicts: The default
10.60.0.0/20
overlaps with existing infrastructureβ οΈ VPC Peering Required: You plan to establish VPC peering connections with other VPCs
β οΈ Transit Gateway Integration: You're using AWS Transit Gateway for inter-VPC routing
β οΈ VPN Connectivity: You need Site-to-Site VPN or Client VPN connections
β οΈ Direct Connect: You're using AWS Direct Connect to your on-premises network
β οΈ Compliance Requirements: Your organization mandates specific IP ranges for different environments
β οΈ Large Scale Deployment: You need more than 4,096 IP addresses
CIDR Block Requirements
Minimum Requirements
Minimum Size:
/20
(4,096 IP addresses)Maximum Size:
/16
(65,536 IP addresses) for future growthRequired Subnets: 6 subnets across 2 AZs (3 subnet types per AZ)
CIDR Block Conflicts to Avoid
Common AWS Default Ranges
172.31.0.0/16
- AWS default VPC10.0.0.0/16
- Commonly used in tutorials10.60.0.0/20
- Trusst default (if using custom)
On-Premises Networks
Typical corporate ranges:
10.0.0.0/8
,172.16.0.0/12
,192.168.0.0/16
Check with your network team for reserved ranges
Partner/Vendor Networks
If connecting to external services via VPN or Direct Connect
Common SaaS provider ranges that may conflict
Network Architecture Details
Subnet Types and Usage
Public Subnets (
/24
per AZ)Application Load Balancers (ALB)
NAT Gateways
Bastion hosts (if required)
Internet-facing services
Private Subnets with Egress (
/24
per AZ)ECS Fargate tasks
Lambda functions (if VPC-attached)
EC2 instances (GPU servers)
VPC Endpoints (ECR, CloudWatch, Secrets Manager)
Isolated Subnets (
/27
per AZ)Aurora RDS clusters
No direct internet access
Database security isolation
VPC Endpoints (Cost Optimization)
The infrastructure automatically creates VPC endpoints for:
S3 (Gateway endpoint) - No data transfer charges
ECR (Interface endpoint) - Container image pulls
CloudWatch Logs (Interface endpoint) - Log streaming
Secrets Manager (Interface endpoint) - Secure credential access
These endpoints reduce NAT gateway costs and improve security by keeping traffic within AWS's network.
Security Groups
Three security groups are automatically created:
ECS Security Group - For containerized services
Aurora Security Group - For database access (port 5432)
GPU Security Group - For GPU-accelerated transcription services
IP Address Consumption
Typical IP Usage for Standard Deployment
ECS Tasks
20-50
Scales with load, each task gets an IP
RDS Aurora
2-4
Primary + read replicas
ALB
2-4
2 per AZ minimum
NAT Gateways
1-2
1 per AZ (configurable)
VPC Endpoints
6-12
2-4 per interface endpoint
Reserved AWS IPs
10
First 4 and last 1 IP per subnet
Total Active
~50-100
Normal operations
Growth Buffer
30-50%
Recommended reserve
Scaling Considerations
High Volume: 100+ concurrent calls may require 100+ ECS task IPs
Multi-Region: Each region needs its own VPC and CIDR
Disaster Recovery: Consider DR site CIDR requirements
Decision Matrix
Consideration
Default CIDR (10.60.0.0/20
)
Custom CIDR
Deployment Speed
β Immediate
β±οΈ Requires planning
IP Capacity
β 4,096 IPs
π§ Configurable
Conflict Risk
β Low (uncommon range)
β Eliminated with planning
Network Integration
β οΈ Check for conflicts
β Full flexibility
Configuration Complexity
β Simple
β οΈ Requires expertise
Future Connectivity
β οΈ May conflict
β Future-proof
Recommended Custom CIDR Ranges
If the default 10.60.0.0/20
conflicts with your infrastructure, consider:
For Production Environments
10.64.0.0/20
- Next logical range if 10.60 conflicts10.100.0.0/20
- Good isolation from common ranges172.20.0.0/20
- Alternative if 10.x.x.x is heavily used100.64.0.0/20
- RFC 6598 space (verify ISP compatibility)
For Development/Testing
10.200.0.0/20
- Clear separation from production172.25.0.0/20
- Isolated development range192.168.64.0/20
- Small environments (if within private range)
For Large Scale Deployments
10.60.0.0/16
- Full /16 for maximum growth (65,536 IPs)10.128.0.0/16
- Alternative large range172.24.0.0/16
- If 10.x.x.x unavailable
Configuration Parameters
When deploying with CDK, you can customize:
{
maxAzs: 2, // Number of Availability Zones (2-3 recommended)
cidr: '10.60.0.0/20', // Your chosen CIDR block
natGateways: true, // Enable NAT gateways
natGatewayCount: 1 // Number of NAT gateways (1-2 typical)
}
Integration Scenarios
Scenario 1: Standalone Deployment
Recommendation: Use default
10.60.0.0/20
Rationale: Uncommon range, unlikely to conflict
Scenario 2: Integration with Corporate Network
Recommendation: Custom CIDR coordinated with network team
Example Process:
Document existing CIDR blocks
Identify available /20 or larger range
Plan VPN/Direct Connect routing
Update CDK configuration
Scenario 3: Multi-Region Deployment
Recommendation: Regional CIDR strategy
Example:
US-East-1:
10.60.0.0/20
US-West-2:
10.61.0.0/20
EU-West-1:
10.62.0.0/20
Scenario 4: High Availability Requirements
Recommendation: Increase NAT gateway count
Configuration:
Set
natGatewayCount: 2
for redundancyConsider 3 AZs for maximum availability
Pre-Deployment Checklist
Before finalizing your CIDR decision:
Migration Considerations
Changing CIDR Post-Deployment
β οΈ Critical Warning: Changing the VPC CIDR after deployment requires:
Complete infrastructure teardown and rebuild
Database backup and restoration
DNS and certificate updates
Application reconfiguration
Service downtime (hours to days)
Data migration complexity
Strong Recommendation: Invest time upfront to select the correct CIDR. The cost of migration far exceeds the planning effort.
Troubleshooting Guide
Common Issues and Solutions
CIDR Overlap
VPC peering fails
Use custom non-overlapping CIDR
IP Exhaustion
ECS tasks fail to start
Use larger CIDR (/16 or /18)
Route Conflicts
VPN connectivity issues
Adjust CIDR or routing tables
NAT Gateway Costs
High AWS bills
Verify VPC endpoints are working
Support and Assistance
Information to Provide Trusst Support
When requesting CIDR guidance, please provide:
Current Network Map:
Production VPC: 10.0.0.0/16 Development VPC: 10.1.0.0/16 On-Premises: 192.168.0.0/16
Connectivity Requirements:
VPC peering needs
VPN/Direct Connect status
Internet egress requirements
Scale Projections:
Expected concurrent users
Call volume estimates
Growth timeline
Frequently Asked Questions
Q: Why doesn't Trusst use the default AWS VPC? A: We require a custom VPC for security isolation, specific subnet configuration, and VPC endpoint optimization.
Q: Can I change the subnet sizes? A: Subnet masks are optimized for the platform. Modifications require custom CDK changes and may impact scalability.
Q: Is 10.60.0.0/20
always safe to use? A: While uncommon, always verify against your network documentation. Some organizations reserve entire 10.x ranges.
Q: Can I use a smaller than /20 CIDR? A: Not recommended. The platform requires minimum 4,096 IPs for proper operation and growth.
Q: Do I need public subnets if not internet-facing? A: Yes, ALBs and NAT gateways require public subnets even for internal-only deployments.
Conclusion
The VPC CIDR selection impacts:
β Network connectivity and integration options
β Platform scalability and growth potential
β Operational complexity and maintenance
β Future architectural flexibility
Default Choice (10.60.0.0/20
): Suitable for most deployments with its uncommon range reducing conflict probability while providing adequate capacity.
Custom CIDR: Required when the default conflicts with existing infrastructure or when specific network architecture demands it.
Key Takeaway: Time invested in CIDR planning prevents costly migrations. When in doubt, document your existing network thoroughly and choose a custom CIDR that guarantees no conflicts.
For additional assistance with network planning or custom CIDR configuration, please visit Trusst's Customer Portal with your network documentation ready.
Last updated