Private IP Address Ranges
RFC 1918, link-local, loopback, and every other special-use IPv4 range you need to know, with practical guidance on when to use each one.
Introduction
Not all IP addresses are equal. Some are routable on the public internet, and some are reserved for private use within organizations. The distinction matters because private addresses are free to use, can be reused independently by different organizations, and must never appear on the public internet. Understanding which ranges are private -- and which are reserved for other special purposes -- is fundamental to network design.
The primary standard governing private IPv4 addresses is RFC 1918, published in 1996. It defines three address blocks that are reserved for private internets and will never be allocated for public use.
The Three RFC 1918 Ranges
| CIDR Block | Address Range | Total Addresses | Classful Equivalent |
|---|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 | 16,777,216 | 1 Class A |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 | 1,048,576 | 16 Class Bs |
| 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 | 65,536 | 256 Class Cs |
10.0.0.0/8 -- The Enterprise Workhorse
With over 16 million addresses, the 10/8 range is the largest private block and the default choice for enterprise networks and cloud VPCs. Its size makes it ideal for organizations that need a deep hierarchy of subnets: regions, data centers, departments, and environments can each receive their own slice without running out of space.
Common allocation patterns within 10/8:
- 10.{region}.0.0/16 -- One /16 per AWS region or data center
- 10.{env}.0.0/16 -- One /16 per environment (10.0.x.x = prod, 10.1.x.x = staging, 10.2.x.x = dev)
- 10.{team}.{tier}.0/24 -- Structured allocation by team and application tier
The 10/8 range is used by AWS, GCP, and Azure as the default private range for VPCs and virtual networks. If you are working in cloud infrastructure, this is almost certainly the range you will use most.
172.16.0.0/12 -- The Middle Ground
The 172.16/12 range provides about 1 million addresses spanning from 172.16.0.0 to 172.31.255.255. Note the unusual boundary: this range does not cover all of 172.x.x.x, only the 172.16-31 portion. This trips up many engineers who assume 172.32.0.0 is private -- it is not.
In practice, 172.16/12 is less commonly used than 10/8 for new deployments. However, it appears frequently in:
- Docker default bridge networks (172.17.0.0/16)
- Kubernetes pod networks and service CIDRs
- VPN tunnel address pools
- Legacy corporate networks that pre-date cloud migration
AWS uses 172.31.0.0/16 for default VPCs, which is another reason to be careful with this range in production architectures.
192.168.0.0/16 -- The Home Network Standard
The smallest of the three private ranges at 65,536 addresses, 192.168/16 is best known as the home router default. Almost every consumer router ships with a 192.168.0.x or 192.168.1.x address, making this range synonymous with local networking for most people.
For enterprise use, 192.168/16 is generally too small for production environments but works well for:
- Small office networks
- Development and lab environments
- IoT device networks
- Guest Wi-Fi segments
When to Use Which Range
The choice of private range depends on scale, integration requirements, and convention:
- Cloud VPCs and large networks: Use 10.0.0.0/8. The address space is large enough for any deployment, and it is the industry standard for cloud infrastructure.
- Container and overlay networks: Use 172.16.0.0/12. Docker and Kubernetes already default to this range, so using it for container networking avoids conflicts with your main VPC range (which is typically in 10/8).
- Small or isolated networks: Use 192.168.0.0/16. Fine for development machines, home labs, and small office setups where you will never need to peer with a 10/8 network.
- VPN clients: Assign VPN clients addresses from a range that does not overlap with any network they might connect to. If your corporate network uses 10.0.0.0/8, assign VPN clients from 172.16.0.0/12.
Other Special-Use Ranges
Beyond RFC 1918, several other IPv4 ranges are reserved for specific purposes and should never be used for general host addressing.
| Range | Purpose | RFC |
|---|---|---|
| 127.0.0.0/8 | Loopback. 127.0.0.1 is “localhost.” Packets sent to any 127.x.x.x address are looped back to the local machine. | RFC 1122 |
| 169.254.0.0/16 | Link-local (APIPA). Assigned automatically when DHCP is unavailable. Used by AWS for instance metadata (169.254.169.254). | RFC 3927 |
| 0.0.0.0/8 | “This network.” Used as a source address during DHCP discovery. 0.0.0.0 often means “listen on all interfaces.” | RFC 1122 |
| 100.64.0.0/10 | Carrier-Grade NAT (CGN / CGNAT). Used by ISPs for shared address space between their NAT devices and subscribers. | RFC 6598 |
| 192.0.2.0/24 | Documentation (TEST-NET-1). Reserved for use in examples and documentation. Never routed. | RFC 5737 |
| 198.51.100.0/24 | Documentation (TEST-NET-2). Same purpose as 192.0.2.0/24. | RFC 5737 |
| 203.0.113.0/24 | Documentation (TEST-NET-3). Same purpose as above. | RFC 5737 |
| 224.0.0.0/4 | Multicast. Used for one-to-many communication. Addresses 224.0.0.0 through 239.255.255.255. | RFC 5771 |
| 240.0.0.0/4 | Reserved for future use. Covers 240.0.0.0 through 255.255.255.254; the broadcast address 255.255.255.255 also falls inside this block. | RFC 1112 |
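
The two tables above can be turned into a membership check, which is useful when triaging addresses in logs or traceroute output. The following is an added example, not part of the original page; the label names, `classify`, `non_public_hops` and the sample hop list are this example's own assumptions.

```python
import ipaddress

# Ranges copied from the two tables on this page; the labels are this
# example's own naming, not an official taxonomy.
SPECIAL_USE = {
    "10.0.0.0/8": "rfc1918",
    "172.16.0.0/12": "rfc1918",
    "192.168.0.0/16": "rfc1918",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "0.0.0.0/8": "this-network",
    "100.64.0.0/10": "cgnat",
    "192.0.2.0/24": "documentation",
    "198.51.100.0/24": "documentation",
    "203.0.113.0/24": "documentation",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved",
}
NETWORKS = [(ipaddress.ip_network(c), label) for c, label in SPECIAL_USE.items()]


def classify(addr):
    """Return the special-use label for an IPv4 address, else 'public'."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ipaddress.AddressValueError:
        return "invalid"
    # The listed blocks are disjoint, so the first match is the only match.
    for net, label in NETWORKS:
        if ip in net:
            return label
    return "public"


def non_public_hops(hops):
    """Return (address, label) for every hop not classified as public."""
    labelled = [(h, classify(h)) for h in hops]
    return [(h, label) for h, label in labelled if label != "public"]


# Constructed sample: hop addresses as they might appear in a traceroute.
SAMPLE_HOPS = ["192.168.1.1", "100.64.12.1", "172.32.0.1", "10.20.0.1"]

if __name__ == "__main__":
    for hop, label in non_public_hops(SAMPLE_HOPS):
        print(f"{hop:<15} {label}")
```

Note that 172.32.0.1 is not flagged: it sits one address block past the end of 172.16.0.0/12 and is public space.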
Link-Local Addresses (169.254.0.0/16)
Link-local addresses deserve special attention because they appear in cloud environments. When a device cannot obtain an IP address from DHCP, it self-assigns an address from 169.254.0.0/16 using Automatic Private IP Addressing (APIPA). In home networking, this usually indicates a problem.
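In AWS, however, the link-local range has a critical role: the instance metadata service lives at 169.254.169.254. Every EC2 instance can reach this address to retrieve its own metadata, user data, and IAM credentials. This address is also used by ECS task metadata endpoints and container credential providers. Any process on the instance that can send HTTP requests to this address can read those credentials, so outbound access to it should be limited to the workloads that need it.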
Loopback (127.0.0.0/8)
The entire 127.0.0.0/8 block -- over 16 million addresses -- is reserved for loopback. In practice, only 127.0.0.1 is commonly used, and it is universally known as “localhost.” Packets sent to any address in 127/8 never leave the machine; the network stack simply loops them back to the local host.
Some applications use other addresses within 127/8 for creative purposes, such as running multiple local services on the same port but different loopback addresses (127.0.0.1:8080, 127.0.0.2:8080, etc.). This is valid but uncommon.
Carrier-Grade NAT (100.64.0.0/10)
RFC 6598, published in 2012, carved out 100.64.0.0/10 for Carrier-Grade NAT (CGNAT). ISPs use this range as a “shared address space” between their NAT infrastructure and customer premises equipment. It is effectively a fourth private range, but one intended specifically for ISP use rather than end-user networks.
Notably, Tailscale (the VPN mesh) uses 100.x.x.x addresses from this range for its WireGuard overlay network. If you are using Tailscale and also need to interact with CGNAT ranges, be aware of potential conflicts.
Common Pitfalls
- Assuming all of 172.x.x.x is private: Only 172.16.0.0 through 172.31.255.255 is private. Addresses like 172.32.0.0 are public IP space.
- Using private addresses on the public internet: Routers on the public internet drop packets with private source or destination addresses. If you see 10.x.x.x in a traceroute, it means you are traversing a network that uses NAT or is leaking internal routes.
- Overlapping ranges across VPN tunnels: When connecting two sites via VPN, their private ranges must not overlap. If both sites use 192.168.1.0/24, routing becomes ambiguous. Plan address allocations globally before connecting networks.
- Forgetting about Docker and Kubernetes defaults: Docker uses 172.17.0.0/16 by default. Kubernetes service CIDRs often use 10.96.0.0/12. These can conflict with your infrastructure addressing if not planned for.
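
The overlap pitfalls above can be caught before networks are connected by checking every pair of planned ranges. The following is an added example, not part of the original page; `find_overlaps` and the network names in the constructed plan are hypothetical, while the CIDRs are the ones mentioned in this section plus one illustrative VPC range.

```python
import ipaddress
from itertools import combinations

# Constructed address plan; names and CIDRs are illustrative only.
SAMPLE_PLAN = {
    "site-a-lan": "192.168.1.0/24",
    "site-b-lan": "192.168.1.0/24",
    "vpc-shared": "10.100.0.0/16",
    "k8s-services": "10.96.0.0/12",
    "docker-bridge": "172.17.0.0/16",
    "vpn-clients": "172.16.0.0/12",
}


def find_overlaps(plan):
    """Return (name_a, name_b, relation) for every overlapping pair."""
    # strict=True rejects entries with host bits set, such as 10.0.1.5/16,
    # which usually means a typo in the plan.
    nets = {n: ipaddress.ip_network(c, strict=True) for n, c in plan.items()}
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if not net_a.overlaps(net_b):
            continue
        # CIDR blocks never partially overlap: they are equal or nested.
        if net_a == net_b:
            relation = "identical"
        elif net_a.subnet_of(net_b):
            relation = f"{a} inside {b}"
        else:
            relation = f"{b} inside {a}"
        conflicts.append((a, b, relation))
    return conflicts


if __name__ == "__main__":
    for a, b, relation in find_overlaps(SAMPLE_PLAN):
        print(f"CONFLICT {a} <-> {b}: {relation}")
```

The 10.100.0.0/16 entry shows the less obvious case: 10.96.0.0/12 runs from 10.96.0.0 to 10.111.255.255, so a VPC range that looks unrelated still collides with it.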
Further Reading
- RFC 1918 — Private Address Allocation
  The IETF standard defining 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
- RFC 6598 — Shared Address Space (100.64.0.0/10)
  Carrier-grade NAT shared address space allocation.
- IANA IPv4 Special-Purpose Address Registry
  Official registry of all special-purpose IPv4 address blocks.