Updated on 2025-08-27 GMT+08:00

Adding or Removing a Secondary IPv4 CIDR Block from a VPC

Scenarios

Generally, the number of IP addresses in a VPC CIDR block determines how many cloud resources can be deployed in the VPC. If the VPC CIDR block does not have enough IP addresses, you can add a secondary IPv4 CIDR block to expand the VPC CIDR block and increase the number of IP addresses.

The IPv4 CIDR block you specify when you create a VPC is the primary one. The primary CIDR block cannot be changed after the VPC is created. If IP addresses in the primary CIDR block are insufficient, you can add a secondary CIDR block to the VPC. The secondary CIDR block can be used in the same way as the primary CIDR block.

If the secondary IPv4 CIDR block function is available in a region, the CIDR block of a VPC in this region cannot be modified through the console. You can call an API to modify the VPC CIDR block. For details, see Updating a VPC.

Configuration Example

As services grow, the IP addresses in VPC-A (primary CIDR block: 192.168.10.0/24) become insufficient. To solve this problem, you can add a secondary CIDR block (172.17.10.0/24) to this VPC and create two subnets (Subnet-A03 and Subnet-A04) in the secondary CIDR block to support future resource deployment and service expansion.
Figure 1 Configuration example with a secondary CIDR block

Constraints

  • You can allocate a subnet from either a primary or a secondary CIDR block of a VPC. A subnet cannot use both the primary and the secondary CIDR blocks.

    Subnets in the same VPC can communicate with each other by default, even if some subnets are allocated from the primary CIDR block and some are from the secondary CIDR block of a VPC.

  • If a subnet in a secondary CIDR block of your VPC is the same as or overlaps with the destination of an existing route in the VPC route table, the existing route does not take effect.

    If you create a subnet in a secondary CIDR block of your VPC, a route (the destination is the subnet CIDR block and the next hop is Local) is automatically added to your VPC route table. This route allows communications within the VPC and has a higher priority than any other routes in the VPC route table. For example, if you create a subnet (100.20.0.0/16) from a secondary CIDR block of a VPC, the system will automatically generate a Local route with the destination of 100.20.0.0/16. If the VPC route table already has a route with the VPC peering connection as the next hop and 100.20.0.0/24 as the destination, the two destinations (100.20.0.0/16 and 100.20.0.0/24) overlap and traffic will be forwarded through the route of the subnet.

  • The allowed secondary CIDR block size is between a /28 netmask and /3 netmask.
  • Table 1 lists the IP address ranges that cannot be used as secondary IPv4 CIDR blocks. For example, the CIDR block 192.168.0.0/16 covers IP addresses from 192.168.0.0 to 192.168.255.255, so none of these addresses can be included in a secondary IPv4 CIDR block. This rules out blocks such as 192.168.0.0/16, 192.168.31.0/24, 192.168.100.0/24, and 192.168.255.255/32.
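    Table 1 IP address ranges that cannot be used as secondary IPv4 CIDR blocks

    | Type                         | CIDR Block     | IP Address Range            |
    |------------------------------|----------------|-----------------------------|
    | Reserved private CIDR blocks | 172.31.0.0/16  | 172.31.0.0-172.31.255.255   |
    | Reserved private CIDR blocks | 192.168.0.0/16 | 192.168.0.0-192.168.255.255 |
    | In-use primary CIDR blocks   | -              | -                           |
    | Reserved system CIDR blocks  | 100.64.0.0/10  | 100.64.0.0-100.127.255.255  |
    | Reserved system CIDR blocks  | 214.0.0.0/7    | 214.0.0.0-215.255.255.255   |
    | Reserved system CIDR blocks  | 198.18.0.0/15  | 198.18.0.0-198.19.255.255   |
    | Reserved system CIDR blocks  | 169.254.0.0/16 | 169.254.0.0-169.254.255.255 |
    | Reserved public CIDR blocks  | 0.0.0.0/8      | 0.0.0.0-0.255.255.255       |
    | Reserved public CIDR blocks  | 127.0.0.0/8    | 127.0.0.0-127.255.255.255   |
    | Reserved public CIDR blocks  | 240.0.0.0/4    | 240.0.0.0-255.255.255.255   |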
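
The route-overlap constraint above can be checked before a subnet is created in a secondary CIDR block. The following Python sketch is an added example, not part of the original guide or the vendor's tooling; the function name, the sample route table and its next-hop labels are constructed for illustration.

```python
import ipaddress


def routes_overridden_by_subnet(subnet_cidr, route_table):
    """List existing routes whose destination overlaps a planned subnet.

    route_table: iterable of (destination_cidr, next_hop) pairs taken from
    the VPC route table. Returns (destination, next_hop, overlapping_range)
    tuples for every route the automatically added Local route would override.
    """
    subnet = ipaddress.IPv4Network(subnet_cidr)
    hits = []
    for destination, next_hop in route_table:
        dest = ipaddress.IPv4Network(destination)
        if not dest.overlaps(subnet):
            continue
        # Two CIDR blocks overlap only when one contains the other, so the
        # overlapping range is the more specific (longer-prefix) block.
        overlap = dest if dest.prefixlen >= subnet.prefixlen else subnet
        hits.append((destination, next_hop, str(overlap)))
    return hits


# Constructed sample route table; the first entry mirrors the example on this page.
SAMPLE_ROUTES = [
    ("100.20.0.0/24", "VPC peering connection"),
    ("10.50.0.0/16", "VPC peering connection"),
    ("100.0.0.0/8", "VPN gateway"),
]

if __name__ == "__main__":
    for dest, hop, overlap in routes_overridden_by_subnet("100.20.0.0/16", SAMPLE_ROUTES):
        print(f"route {dest} via {hop}: Local route takes over {overlap}")
```

An empty result means no existing route destination overlaps the planned subnet.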

Adding a Secondary IPv4 CIDR Block

  1. Go to the VPC list page.
  2. In the VPC list, locate the target VPC and click Edit CIDR Block in the Operation column.

    The Edit CIDR Block dialog box is displayed.

  3. Click Add Secondary IPv4 CIDR Block.
  4. Enter a secondary IPv4 CIDR block in the text box and click OK.

    Do not specify a secondary CIDR block listed in Table 1. For example, if the primary CIDR block of a VPC is 192.168.0.0/16, you can add 10.1.0.0/16, 10.2.0.0/16, 172.16.0.0/16, or 172.17.0.0/16 as a secondary CIDR block.
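
A candidate block can be checked against the size limit and Table 1 before it is entered in the console. The following Python validator is an added example, not part of the original guide or the vendor's API; the function name is hypothetical, and two points are assumptions: the /3 to /28 limit is read as inclusive, and host bits must be zero.

```python
import ipaddress

# Table 1 from this page: ranges a secondary IPv4 CIDR block must not include.
RESERVED = {
    "reserved private": ["172.31.0.0/16", "192.168.0.0/16"],
    "reserved system": ["100.64.0.0/10", "214.0.0.0/7",
                        "198.18.0.0/15", "169.254.0.0/16"],
    "reserved public": ["0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4"],
}


def check_secondary_cidr(candidate, primary_cidrs):
    """Return the reasons a candidate is not allowed (empty list = acceptable)."""
    try:
        # Assumption: strict parsing, so 10.1.0.5/16 (host bits set) is rejected.
        net = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid IPv4 CIDR block: {exc}"]

    reasons = []
    # Size constraint from the page, read here as inclusive.
    if not 3 <= net.prefixlen <= 28:
        reasons.append(f"prefix /{net.prefixlen} is outside /3 to /28")
    # None of the addresses in a Table 1 range may be included, so any
    # overlap (not only containment) disqualifies the candidate.
    for kind, blocks in RESERVED.items():
        for block in blocks:
            if net.overlaps(ipaddress.IPv4Network(block)):
                reasons.append(f"includes addresses from {kind} block {block}")
    # "In-use primary CIDR blocks" row of Table 1.
    for primary in primary_cidrs:
        if net.overlaps(ipaddress.IPv4Network(primary)):
            reasons.append(f"overlaps in-use primary CIDR block {primary}")
    return reasons


if __name__ == "__main__":
    for cidr in ["10.1.0.0/16", "192.168.31.0/24", "172.16.0.0/12"]:
        print(cidr, check_secondary_cidr(cidr, ["192.168.0.0/16"]) or "OK")
```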

Deleting a Secondary IPv4 CIDR Block

  1. Go to the VPC list page.
  2. In the VPC list, locate the target VPC and click Edit CIDR Block in the Operation column.

    The Edit CIDR Block dialog box is displayed.

  3. Locate the row that contains the secondary CIDR block to be deleted and click Delete in the Operation column.
    • A secondary IPv4 CIDR block of a VPC can be deleted, but the primary CIDR block cannot be deleted.
    • If you want to delete a secondary CIDR block that contains subnets, you need to delete the subnets first.
  4. Click OK.