The /28 subnet, explained.

The /28 subnet uses 255.255.255.240 as its subnet mask — meaning the first 28 bits of every address identify the network, and the remaining 4 bits identify the host within that network. That gives you 16 total addresses (14 usable on standard RFC math, after subtracting the network and broadcast addresses).

The wildcard mask — the bitwise inverse of the subnet mask — is 0.0.0.15. Wildcards are what Cisco access-control lists and OSPF area definitions use instead of subnet masks; the "1" bits mark "don't care" positions. For a /28, that leaves 4 don't-care host bits.

To find the network address for any IP in a /28 block, perform a bitwise AND between the IP and the subnet mask. To find the broadcast, OR the network address with the wildcard. Modern tools — like our subnet calculator — do this in microseconds, but the underlying mechanics are straightforward binary arithmetic.

A /28 is the smallest practical AWS / Azure subnet — 14 usable hosts on standard math, only 11 on AWS or Azure because of their 5 reserved IPs. Often used for management or NAT-gateway subnets. AWS ALB needs at least 8 IPs per AZ, which makes /28 too tight for production load balancers.

Cloud-provider quirks matter at every prefix size: AWS and Azure reserve 5 IPs per subnet, GCP reserves 4, and OCI reserves 3. So a /28 on standard RFC math gives you 14 usable hosts, but on AWS or Azure that drops to 11. The capacity-planning gap bites hardest at small prefixes (a /28 has 14 usable on paper, only 11 on AWS) but exists at every size. Our cloud-aware calculator applies the right math automatically.