The Network Topology Diagram Spec Builder produces a precise, text-based network spec — zones, subnets, security rules, and flows — with every CIDR block validated and its host count computed. A network diagram drawn from wrong CIDRs is worse than none; capturing the topology as a checked spec catches subnet overlaps and sizing mistakes before they reach production.
Why document the topology first
Drawing a diagram in Lucidchart or draw.io is fast. Writing the spec first is better: it forces you to work out CIDR ranges, host capacity, and trust boundaries before you commit to a design. Gaps become obvious in text (two subnets with conflicting CIDRs, a database reachable from the internet) that a diagram might hide behind nice-looking boxes.
How it works
You define zones — a VPC, an availability zone, a network tier, or a firewall segment — each with a CIDR block. The tool validates the CIDR (four valid octets, prefix 0–32) and computes usable host count as 2^(32 − prefix) − 2. You then add:
- Security group rules: source (CIDR or security group name), port or range, protocol (TCP/UDP/ICMP). These define the trust boundaries between zones.
- Data flow paths: which zone talks to which, over what protocol. Flows let you verify that every needed connection has a corresponding security rule.
The output is a structured spec with a subnet table showing each CIDR’s network address, broadcast, and usable host count, plus the rules and flows in numbered form — ready to hand to a reviewer, paste into a design document, or feed into a Terraform/CloudFormation module.
CIDR sizing quick reference
| Prefix | Total addresses | Usable hosts |
|---|---|---|
| /28 | 16 | 14 |
| /27 | 32 | 30 |
| /26 | 64 | 62 |
| /25 | 128 | 126 |
| /24 | 256 | 254 |
| /23 | 512 | 510 |
| /22 | 1,024 | 1,022 |
| /20 | 4,096 | 4,094 |
| /16 | 65,536 | 65,534 |
Practical guidance
- Leave room to grow. A /24 where you need a /26 today costs nothing; re-numbering a live subnet after you run out of addresses is painful.
- Non-overlapping CIDRs. Two zones with overlapping ranges cannot be peered or routed cleanly. Plan a non-overlapping RFC 1918 address plan (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) up front.
- Public subnets should be small. Only load balancers and bastion hosts need internet routes. A /28 (14 hosts) is often plenty for the public tier; private tiers can be /24 or larger.
- One security rule per documented flow. If a flow from the app tier to the database tier is in the spec, there should be a corresponding rule allowing the port. If there is no flow, the port should be blocked. The spec makes this auditable.
Example
A VPC 10.0.0.0/16 with:
- Public subnet
10.0.1.0/24(254 hosts) — load balancer, inbound 443 from anywhere - App subnet
10.0.10.0/24(254 hosts) — application servers, inbound 8080 from public subnet only - Data subnet
10.0.20.0/24(254 hosts) — database, inbound 5432 from app subnet only, no internet route
This produces a defence-in-depth layout: the database is unreachable from the internet in two hops, not just one.