Network Topology Diagram Spec Builder

Document a network topology with zones, subnets, and security groups

Builds a textual network topology specification with VPC zones, subnet CIDR blocks, security group rules, load balancers, and data flow paths — and validates each CIDR and host count so the spec is accurate before you diagram it. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is CIDR notation?

CIDR (Classless Inter-Domain Routing) notation writes an IP range as an address and a prefix length, like 10.0.1.0/24. The prefix says how many leading bits are the network portion; the rest address hosts. A /24 has 256 addresses, of which 254 are usable for hosts.

The Network Topology Diagram Spec Builder produces a precise, text-based network spec — zones, subnets, security rules, and flows — with every CIDR block validated and its host count computed. A network diagram drawn from wrong CIDRs is worse than none; capturing the topology as a checked spec catches subnet overlaps and sizing mistakes before they reach production.

Why document the topology first

Drawing a diagram in Lucidchart or draw.io is fast. Writing the spec first is better: it forces you to work out CIDR ranges, host capacity, and trust boundaries before you commit to a design. Gaps become obvious in text (two subnets with conflicting CIDRs, a database reachable from the internet) that a diagram might hide behind nice-looking boxes.

How it works

You define zones — a VPC, an availability zone, a network tier, or a firewall segment — each with a CIDR block. The tool validates the CIDR (four valid octets, prefix 0–32) and computes usable host count as 2^(32 − prefix) − 2. You then add:

  • Security group rules: source (CIDR or security group name), port or range, protocol (TCP/UDP/ICMP). These define the trust boundaries between zones.
  • Data flow paths: which zone talks to which, over what protocol. Flows let you verify that every needed connection has a corresponding security rule.

The output is a structured spec with a subnet table showing each CIDR’s network address, broadcast, and usable host count, plus the rules and flows in numbered form — ready to hand to a reviewer, paste into a design document, or feed into a Terraform/CloudFormation module.

CIDR sizing quick reference

PrefixTotal addressesUsable hosts
/281614
/273230
/266462
/25128126
/24256254
/23512510
/221,0241,022
/204,0964,094
/1665,53665,534

Practical guidance

  • Leave room to grow. A /24 where you need a /26 today costs nothing; re-numbering a live subnet after you run out of addresses is painful.
  • Non-overlapping CIDRs. Two zones with overlapping ranges cannot be peered or routed cleanly. Plan a non-overlapping RFC 1918 address plan (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) up front.
  • Public subnets should be small. Only load balancers and bastion hosts need internet routes. A /28 (14 hosts) is often plenty for the public tier; private tiers can be /24 or larger.
  • One security rule per documented flow. If a flow from the app tier to the database tier is in the spec, there should be a corresponding rule allowing the port. If there is no flow, the port should be blocked. The spec makes this auditable.

Example

A VPC 10.0.0.0/16 with:

  • Public subnet 10.0.1.0/24 (254 hosts) — load balancer, inbound 443 from anywhere
  • App subnet 10.0.10.0/24 (254 hosts) — application servers, inbound 8080 from public subnet only
  • Data subnet 10.0.20.0/24 (254 hosts) — database, inbound 5432 from app subnet only, no internet route

This produces a defence-in-depth layout: the database is unreachable from the internet in two hops, not just one.