Same /16, the big 3 cloud providers differ on how far it reaches


I used to think 10.0.0.0/16 was pinned to one corner of one datacenter.

Then I noticed the same block running in three places at once: my home router, my AWS account, a friend's GCP project. None of them collided.

If it were a place, they would have. So it isn't a place. It's a set of numbers, and how far those numbers reach is something each cloud decides, not something the block carries.

A CIDR (Classless Inter-Domain Routing) block is a contiguous range of IP addresses written as a base address plus a prefix length. In 10.0.0.0/16 the /16 fixes the first 16 bits, which leaves the remaining 16 bits free: 65536 addresses.

The block is just numbers

10.0.0.0/16 looks like "the network behind my home router." That glues together three things that are actually independent:

  • How many numbers. /16 is 65536 addresses, /24 is 256. A count, not a geographic size.
  • Whether it touches the public internet. Three ranges are reserved as private (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Private means reusable by anyone and never routed on the public internet. Not small, not local. That is why my home, my AWS, and a friend's GCP can all run 10.0.0.0/16 at once.
  • Where the machines are. Region, zone. The only axis that is about geography.

The confusion is reading the first axis as if it were the third. Numbers don't decide where a machine sits.

A VPC is a logical envelope

VPC (Virtual Private Cloud) is your own private network in the cloud.

Creating a 10.0.0.0/16 VPC builds nothing physical. You are declaring "this range of numbers is mine." A VPC has no location.

The subnet is what touches the ground. It carves out a slice (10.0.1.0/24) and binds it to a real place. In AWS that place is an Availability Zone (AZ), an isolated group of datacenters in a region.

First you claim numbers, then you pin them down.

Three abstractions, three design philosophies

Same concept, three layouts. Two questions tell them apart: is the VPC drawn inside the region or outside it, and does a subnet cover one zone or several?

Place VMs with IPs into each layout and the difference shows.

AWS is strictest. The VPC stays in one region, the subnet is locked to one AZ. Zone a is 10.0.1.x, zone b is 10.0.2.x, so spanning two AZs means two subnets. AWS started in 2006, the earliest of the three, and enforces the tightest fault isolation.

Azure keeps the VNet in one region but lets a subnet span every zone. Three VMs in three zones share one range, 10.1.1.x. The zone is not a subnet property; you pick it when you create the VM.

GCP went furthest: the VPC is global. One envelope wraps both us-west1 and asia-east1. The subnet stays regional, so two VMs in different zones still share 10.240.0.x.

Line them up and the difference is one axis: how far each lets the same /16 reach:

           subnet reaches       VPC reaches
  AWS      one AZ               one region
  Azure    the whole region     one region
  GCP      the whole region     global

The numbers never changed. Only the envelope got wider.
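To make the table concrete, here is an added example (not code from the original post or from any provider) that encodes the three reach rules and works out the fewest VPCs and subnets needed to put one VM in each of a given set of zones. Zone names and the 10.0.x.0/24 carving are constructed for the example; AWS zones are written in the same region/letter style as the others for simplicity.

```python
import ipaddress
from typing import Dict, List, Tuple

# How far each provider lets a subnet and a VPC reach (the table above).
REACH = {
    "aws":   {"subnet": "zone",   "vpc": "region"},
    "azure": {"subnet": "region", "vpc": "region"},
    "gcp":   {"subnet": "region", "vpc": "global"},
}

Zone = Tuple[str, str]  # (region, zone letter), e.g. ("us-west1", "a"); constructed


def scope_key(reach: str, zone: Zone) -> str:
    """Collapse a zone to the thing an envelope of this reach is pinned to."""
    region, z = zone
    if reach == "zone":
        return f"{region}-{z}"
    if reach == "region":
        return region
    return "global"


def plan(provider: str, zones: List[Zone]) -> Dict[str, Dict[str, List[Zone]]]:
    """Fewest VPCs and subnets that place one VM in every zone.
    Returns {vpc_key: {subnet_cidr: [zones it serves]}}. Every VPC claims
    the same 10.0.0.0/16 and carves one /24 per subnet, starting at 10.0.1.0/24."""
    reach = REACH[provider]
    layout: Dict[str, Dict[str, List[Zone]]] = {}
    for zone in zones:
        vpc = layout.setdefault(scope_key(reach["vpc"], zone), {})
        vpc.setdefault(scope_key(reach["subnet"], zone), []).append(zone)
    result: Dict[str, Dict[str, List[Zone]]] = {}
    for vpc_key, subnets in layout.items():
        blocks = ipaddress.ip_network("10.0.0.0/16").subnets(new_prefix=24)
        next(blocks)  # skip 10.0.0.0/24 so the first subnet is 10.0.1.0/24
        result[vpc_key] = {str(next(blocks)): zs for zs in subnets.values()}
    return result


def counts(provider: str, zones: List[Zone]) -> Tuple[int, int]:
    """(number of VPCs, number of subnets) the plan needs."""
    p = plan(provider, zones)
    return len(p), sum(len(s) for s in p.values())


if __name__ == "__main__":
    zones = [("us-west1", "a"), ("us-west1", "b"), ("asia-east1", "a")]
    for provider in REACH:
        print(provider, counts(provider, zones), plan(provider, zones))
```

Two zones in one region plus one zone elsewhere gives AWS two VPCs and three subnets, Azure two VPCs and two subnets, and GCP one global VPC with two regional subnets.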

How the abstraction holds

Two tenants both run 10.0.0.5. On one physical network, why don't they collide?

Two networks are stacked. The overlay is your VPC's 10.0.0.5. The substrate (the underlay) is the cloud's real network beneath it, where your VM's host has an address like 10.51.0.7. A table maps (VPC, overlay IP) to a substrate host, so two 10.0.0.5s carry different VPC IDs and land on different machines. The IP is now a label, not an address.

You never touch that table. Your eth0 is virtual, and its other end plugs into a virtual switch on the host (Open vSwitch, GCP's Andromeda, or AWS's Nitro card). The switch is the data plane; the table is the control plane (AWS's mapping service, GCP's Andromeda).

So VM-A (10.0.0.5) reaching VM-B (10.0.0.9) is really three lookups, and only the middle one is the cloud's invention:

  • ① in the guest, overlay ARP. 10.0.0.9 → MAC, at L2, inside your VPC. The virtual switch proxy-answers it.
  • ② in the virtual switch, the mapping table. (vpc, 10.0.0.9) → host 10.51.0.9, overlay to substrate. It then wraps the packet: an outer 10.51.0.7 → 10.51.0.9 on the substrate, carrying your inner 10.0.0.5 → 10.0.0.9.
  • ③ on the fabric, substrate ARP. 10.51.0.9 → MAC, at L2, on the cloud's physical network.

At the far end the switch strips the outer header and hands the inner packet to VM-B. Your guest ran plain networking the whole time and saw none of it.

And 10.51.0.7 needs no further lookup: private just means scoped, and on the cloud's own fabric it is a real, routable address. The recursion stops at the wire.

None of this requires the cloud to identify your traffic on the wire. Your VM boots on the cloud's host, on the cloud's network; from the moment a packet leaves eth0 it was never anywhere else. The cloud is the landlord. That is also how a flat global 10.0.0.0/16 spans continents: the number is flat, and the table routes each label to a real host over the backbone.

Why peering hates overlapping CIDRs

Peering two VPCs has one hard rule: their ranges cannot overlap. The break happens earlier than you would guess.

When VM-A sends to 10.0.0.5, the first thing its OS checks is its own routing table, and 10.0.0.0/16 is local. So it judges the destination to be on its own subnet and tries to deliver at home. The packet never heads for the door, so the mapping table, the substrate, and ARP never get a turn. A destination that matches your own range cannot even leave your own VPC.

That is also why connecting overlapping VPCs needs NAT: a foreign-looking address like 100.64.0.5 is what convinces the VM the target is remote and worth sending out.
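The three-lookup model above and the peering rule in this section can be traced in a few lines. The following is an added example, not code from the original post or from any cloud provider: the mapping table, VPC ids and all 10.x addresses are constructed, and the guest's routing decision is reduced to "is the destination inside my own range".

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed data: the overlay range each tenant declared as its own.
VPC_CIDR: Dict[str, str] = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.0.0.0/16"}

# Constructed control-plane mapping table: (vpc id, overlay IP) -> substrate
# host. Both tenants use 10.0.0.5; the VPC id in the key keeps them apart.
MAPPING: Dict[Tuple[str, str], str] = {
    ("vpc-a", "10.0.0.5"): "10.51.0.7",
    ("vpc-a", "10.0.0.9"): "10.51.0.9",
    ("vpc-b", "10.0.0.5"): "10.51.2.3",
}


def guest_route(vpc: str, dst_ip: str) -> str:
    """Lookup 1, inside the guest OS: anything within the VPC's own range is
    treated as on-link and handed to overlay ARP, never to a gateway."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(VPC_CIDR[vpc]):
        return "local"
    return "gateway"


def substrate_host(vpc: str, overlay_ip: str) -> Optional[str]:
    """Lookup 2, in the virtual switch: overlay label -> substrate host."""
    return MAPPING.get((vpc, overlay_ip))


def send(vpc: str, src_ip: str, dst_ip: str) -> Dict[str, object]:
    """Trace one packet inside a VPC. Returns the encapsulated packet (outer
    substrate header around the inner overlay header) or the drop reason."""
    if guest_route(vpc, dst_ip) != "local":
        return {"dropped": "outside VPC range; needs a route or peering"}
    outer_src = substrate_host(vpc, src_ip)
    outer_dst = substrate_host(vpc, dst_ip)
    if outer_dst is None:
        # Overlay ARP goes unanswered: the guest thinks dst is next door,
        # but no VM in this VPC owns that label, so nothing leaves the VPC.
        return {"dropped": "no VM in this VPC owns " + dst_ip}
    return {"outer": (outer_src, outer_dst), "inner": (src_ip, dst_ip)}


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """Peering precondition: overlapping ranges would make guest_route say
    'local' for the peer's addresses, so the mapping table never gets a turn."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))
```

Sending from vpc-b to 10.0.0.9 is dropped at the overlay ARP stage even though vpc-a owns that label, which is the same short-circuit that makes overlapping peering impossible.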

Each layout fits the company behind it

These choices line up with what each company already was. Less a proven cause than a pattern worth noticing.

  • AWS: contain the blast radius. AWS treats an Availability Zone as a hard failure boundary, and pinning a subnet to one AZ likely reflects the same instinct, pushing your architecture across failure domains. (AWS Fault Isolation Boundaries)
  • GCP: expose a network that was already global. Google ran a planet-scale software-defined network (Andromeda) for its own products long before selling cloud, so a global VPC mostly opens up what already existed. (Andromeda)
  • Azure: shaped by the enterprise it came from. Microsoft built Azure to be hybrid from day one, and the VNet is made to extend to on-premises over VPN or ExpressRoute, the way a corporate network would. (Microsoft Azure on hybrid)

References