Last reviewed: May 2026
A /32 is fundamentally different from all other prefix lengths — it is not a network segment. A /32 identifies a single, specific host IP address. All 32 bits are set in the mask (255.255.255.255), meaning there are no bits left for host addressing. There is no network address, no broadcast address, and no "subnet" in the traditional sense — only the host itself.
Use SubnetSolver — free subnet calculator →| Property | Value |
|---|---|
| Prefix length | /32 |
| Subnet mask | 255.255.255.255 |
| Wildcard mask | 0.0.0.0 |
| Total addresses | 1 |
| Usable host addresses | 1* (the host address itself) |
| Network address | None — the single IP is the host address |
| Broadcast address | None |
| Binary mask | 11111111.11111111.11111111.11111111 |
* A /32 has no network or broadcast address. The single IP is the host address itself.
Network devices use /32 for loopback interfaces. A loopback is a virtual interface that is always up as long as the device is running — it is not tied to a physical port that could go down. Loopback IPs are used as:
ISPs and large networks advertise /32 host routes in BGP to announce a specific IP address to the internet. For example, an Anycast DNS server might be reached via a /32 route advertised from multiple locations. A /32 is also used in traffic engineering to steer specific IPs to specific paths.
In AWS, when you add an inbound rule to a security group with a /32 CIDR source, you are allowing traffic from exactly one IP address:
203.0.113.5/32 as an SSH source means only that IP can reach port 22Network ACLs in AWS (and firewall rules generally) also use /32 to target a single IP address, for both allowing and denying traffic.
A static route with a /32 destination tells a router exactly where to send traffic destined for one specific IP — useful for routing management traffic, VPN split-tunneling configurations, or blackhole routes to block specific attackers.
When you want to restrict access to a service to only your office's public IP, use YOUR.IP.HERE/32 as the inbound CIDR. This ensures only your exact IP — not an entire range — is permitted. Find your public IP at whatismyip.com and append /32.
| CIDR | Subnet Mask | Total IPs | Usable | Typical Use |
|---|---|---|---|---|
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point WAN links (traditional) |
| /31 | 255.255.255.254 | 2 | 2 | Point-to-point WAN links (RFC 3021, no broadcast) |
| /32 | 255.255.255.255 | 1 | 1 | Host route, loopback, single-IP security rule |