Build VPC configurations with subnets, IP ranges, and multi-tier network architectures.
Last verified: May 2026
Build VPC configurations with subnets, IP ranges, Linode assignments, and multi-tier network architectures.
Required Fields
labelregionsubnetsOutput will appear here...The builder collects VPC name, region, description, and a list of subnets (each with a label and CIDR). It validates that subnet CIDRs are within the VPC range, do not overlap, and fall within RFC 1918 private space. Output is JSON for the Linode VPC API plus a subnet allocation summary.
Linode VPCs provide private networking between Linodes, with per-region scope and configurable subnets. The Linode VPC Config Builder generates VPC definitions with IP ranges, subnets, and validates the proposed CIDRs against Linode's reserved blocks. Output is JSON-ready for the Linode API and includes a topology summary that maps subnets to intended workloads.
Your team is migrating from public-only Linodes to a proper VPC topology. You design a /16 VPC with separate subnets for web, app, and db tiers. After applying the VPC and migrating Linodes one tier at a time (with brief connectivity adjustments), the application's external attack surface shrinks dramatically: only the web tier has public IPs, and even that traffic is filtered by the NodeBalancer in front. The next penetration test no longer finds a path from the internet to the database tier.
Use private-only Linodes for database and application tiers, and put the web tier in a subnet with public IPs. The blast radius of an internet-exposed Linode is much smaller if only the load balancer's backends are reachable from the public network.
Pick a /20 or larger for the parent VPC range — /16 is fine and gives plenty of room for future subnets. /24 is too tight for anything but a tiny environment.
Yes — a VPC exists in a single Linode region. For cross-region private connectivity, you'd need to run a VPN between VPCs in different regions or use VLAN-based interconnection where supported. The single-region scoping matches AWS VPC behavior; cross-region peering is on the Linode roadmap but not currently generally available.
A Linode in a VPC can have a public IP, a private VPC IP, or both. Traffic destined for a VPC subnet uses the private IP; traffic to or from the internet uses the public IP. Default routing sends internet traffic out the public IP and inter-VPC traffic over the private subnet, which is what you usually want.
Was this tool helpful?
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.