Amazon Virtual Private Cloud
User Guide

VPCs and Subnets

To get started with Amazon Virtual Private Cloud (Amazon VPC), you create a VPC and subnets. For a general overview of Amazon VPC, see What is Amazon VPC?.

VPC and Subnet Basics

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. For more information about CIDR notation, see RFC 4632.

The following diagram shows a new VPC with an IPv4 CIDR block, and the main route table.

VPC with the main route table

When you create a VPC, it spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. We assign a unique ID to each subnet.

You can also optionally assign an IPv6 CIDR block to your VPC, and assign IPv6 CIDR blocks to your subnets.

The following diagram shows a VPC that has been configured with subnets in multiple Availability Zones. 1A, 1B, 2A, and 3A are instances in your VPC. An IPv6 CIDR block is associated with the VPC, and an IPv6 CIDR block is associated with subnet 1. An Internet gateway enables communication over the Internet, and a virtual private network (VPN) connection enables communication with your corporate network.

VPC with multiple Availability Zones

If a subnet's traffic is routed to an Internet gateway, the subnet is known as a public subnet. In this diagram, subnet 1 is a public subnet. If you want your instance in a public subnet to communicate with the Internet over IPv4, it must have a public IPv4 address or an Elastic IP address (IPv4). For more information about public IPv4 addresses, see Public IPv4 Addresses. If you want your instance in the public subnet to communicate with the Internet over IPv6, it must have an IPv6 address.

If a subnet doesn't have a route to the Internet gateway, the subnet is known as a private subnet. In this diagram, subnet 2 is a private subnet.

If a subnet doesn't have a route to the Internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet. In this diagram, subnet 3 is a VPN-only subnet. Currently, we do not support IPv6 traffic over a VPN connection.

For more information, see Scenarios and Examples, Internet Gateways, or Adding a Hardware Virtual Private Gateway to Your VPC.

Note

Regardless of the type of subnet, the internal IPv4 address range of the subnet is always private—we do not announce the address block to the Internet.

You have a limit on the number of VPCs and subnets you can create in your account. For more information, see Amazon VPC Limits.

VPC and Subnet Sizing

Amazon VPC supports IPv4 and IPv6 addressing, and has different CIDR block size limits for each. By default, all VPCs and subnets must have IPv4 CIDR blocks—you can't change this behavior. You can choose whether to associate an IPv6 CIDR block with your VPC.

VPC and Subnet Sizing for IPv4

You can assign a single CIDR block to a VPC. The allowed block size is between a /16 netmask and /28 netmask. In other words, the VPC can contain from 16 to 65,536 IP addresses.

When you create a VPC, we recommend that you specify a CIDR block from the private (non-publicly routable) IPv4 address ranges as specified in RFC 1918:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)

  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

You can create a VPC with a publicly routable CIDR block that falls outside of the private IPv4 address ranges specified in RFC 1918; however, for the purposes of this documentation, we refer to private IP addresses as the IPv4 addresses that are within the CIDR range of your VPC.

You can't change the size of a VPC after you create it. If your VPC is too small to meet your needs, create a new, larger VPC, and then migrate your instances to the new VPC. To do this, create AMIs from your running instances, and then launch replacement instances in your new, larger VPC. You can then terminate your old instances, and delete your smaller VPC. For more information, see Deleting Your VPC.

The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset (for multiple subnets). The allowed block size is between a /28 netmask and /16 netmask. If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap.

For example, if you create a VPC with CIDR block 10.0.0.0/24, it supports 256 IP addresses. You can break this CIDR block into two subnets, each supporting 128 IP addresses. One subnet uses CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 - 10.0.0.127) and the other uses CIDR block 10.0.0.128/25 (for addresses 10.0.0.128 - 10.0.0.255).

There are many tools available to help you calculate subnet CIDR blocks; for example, see http://www.subnet-calculator.com/cidr.php. Also, your network engineering group can help you determine the CIDR blocks to specify for your subnets.

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:

  • 10.0.0.0: Network address.

  • 10.0.0.1: Reserved by AWS for the VPC router.

  • 10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two; however, we also reserve the base of each subnet range plus two. For more information, see Amazon DNS Server.

  • 10.0.0.3: Reserved by AWS for future use.

  • 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.
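The sizing rules above (a /16 to /28 block, subnets inside the VPC range, no overlapping subnets, five reserved addresses per subnet) are easy to get wrong when planning by hand. The following Python script is an added example, not AWS code or part of this guide: it checks a planned VPC and subnet layout against those rules and lists the reserved addresses of a subnet. The RFC 1918 check is reported as a warning, since the page says that range is recommended, not required.

```python
import ipaddress

# Hard limits stated on this page: a VPC or subnet IPv4 block is between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28
# AWS reserves the first four addresses and the last address of every subnet.
RESERVED_HEAD, RESERVED_TAIL = 4, 1
# RFC 1918 ranges the page recommends for a VPC CIDR (a recommendation, not a hard limit).
RFC1918 = [ipaddress.IPv4Network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reserved_addresses(subnet_cidr):
    """Map each reserved address of a subnet to the reason the page gives for it."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    base = int(net.network_address)
    reasons = [
        "network address",
        "reserved by AWS for the VPC router",
        "reserved by AWS (DNS server is VPC base + 2; subnet base + 2 is also reserved)",
        "reserved by AWS for future use",
    ]
    reserved = {str(ipaddress.IPv4Address(base + i)): r for i, r in enumerate(reasons)}
    reserved[str(net.broadcast_address)] = "network broadcast address (broadcast is not supported in a VPC)"
    return reserved


def usable_addresses(subnet_cidr):
    """Number of addresses in the subnet that can actually be assigned to instances."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_HEAD - RESERVED_TAIL


def validate_plan(vpc_cidr, subnet_cidrs):
    """Check a VPC CIDR and its planned subnets against the rules on this page.

    Returns (problems, warnings): problems are rules AWS enforces (block size,
    containment in the VPC, no overlap); warnings are recommendations (RFC 1918).
    """
    problems, warnings = [], []
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC {vpc}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    if not any(vpc.subnet_of(r) for r in RFC1918):
        warnings.append(f"VPC {vpc}: outside the RFC 1918 private ranges")
    subnets = [ipaddress.IPv4Network(s, strict=True) for s in subnet_cidrs]
    for s in subnets:
        if not MIN_PREFIX <= s.prefixlen <= MAX_PREFIX:
            problems.append(f"subnet {s}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s}: not inside VPC {vpc}")
    # Subnet CIDRs within one VPC must not overlap each other.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems, warnings


if __name__ == "__main__":
    # The page's own example: a /24 VPC split into two /25 subnets.
    print(validate_plan("10.0.0.0/24", ["10.0.0.0/25", "10.0.0.128/25"]))
    for addr, why in reserved_addresses("10.0.0.0/24").items():
        print(f"{addr:<12} {why}")
    print("usable in 10.0.0.0/24:", usable_addresses("10.0.0.0/24"))
```

`strict=True` makes `ipaddress` reject a block with host bits set (such as 10.0.0.1/24), which is the same mistake the console would refuse; `subnet_of` and `overlaps` do the containment and overlap arithmetic that a CIDR calculator would otherwise be used for.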

VPC and Subnet Sizing for IPv6

You can associate a single IPv6 CIDR block with an existing VPC in your account, or when you create a new VPC. The CIDR block uses a fixed prefix length of /56. You cannot choose the range of addresses or the IPv6 CIDR block size; we assign the block to your VPC from Amazon's pool of IPv6 addresses.

If you've associated an IPv6 CIDR block with your VPC, you can associate an IPv6 CIDR block with an existing subnet in your VPC, or when you create a new subnet. A subnet's IPv6 CIDR block uses a fixed prefix length of /64.

For example, you create a VPC and specify that you want to associate an IPv6 CIDR block with the VPC. Amazon assigns the following IPv6 CIDR block to your VPC: 2001:db8:1234:1a00::/56. You can create a subnet and associate an IPv6 CIDR block from this range; for example, 2001:db8:1234:1a00::/64.

You can disassociate an IPv6 CIDR block from a subnet, and you can disassociate an IPv6 CIDR block from a VPC. After you've disassociated an IPv6 CIDR block from a VPC, you cannot expect to receive the same CIDR if you associate an IPv6 CIDR block with your VPC again later.
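A VPC's /56 block holds exactly 256 possible /64 subnets, and the console procedures later on this page ask for the subnet as a two-digit "hexadecimal pair" (for example, 00) rather than as a full CIDR. The Python below is an added example, not AWS code: it derives a subnet /64 from the VPC /56 and a hex pair, does the reverse, and enumerates every subnet the block can hold. The VPC block 2001:db8:1234:1a00::/56 is the page's own example value.

```python
import ipaddress

VPC_PREFIX = 56     # Amazon assigns VPC IPv6 blocks with a fixed /56 prefix length
SUBNET_PREFIX = 64  # subnet IPv6 blocks always use /64
HEX_DIGITS = set("0123456789abcdefABCDEF")


def subnet_from_hex_pair(vpc_cidr, hex_pair):
    """Build the /64 subnet selected by a two-digit hex pair inside a /56 VPC block."""
    vpc = ipaddress.IPv6Network(vpc_cidr, strict=True)
    if vpc.prefixlen != VPC_PREFIX:
        raise ValueError(f"VPC IPv6 block must be a /{VPC_PREFIX}, got /{vpc.prefixlen}")
    if len(hex_pair) != 2 or not set(hex_pair) <= HEX_DIGITS:
        raise ValueError(f"hex pair must be two hex digits (00-ff), got {hex_pair!r}")
    index = int(hex_pair, 16)
    # The pair fills the 8 bits between the /56 and /64 boundaries, i.e. bits 64..71
    # counted from the low end of the 128-bit address (the low byte of the 4th hextet).
    network_int = int(vpc.network_address) | (index << (128 - SUBNET_PREFIX))
    return ipaddress.IPv6Network((network_int, SUBNET_PREFIX))


def hex_pair_of(vpc_cidr, subnet_cidr):
    """Recover the hex pair of an existing /64 subnet, checking it belongs to the VPC."""
    vpc = ipaddress.IPv6Network(vpc_cidr, strict=True)
    subnet = ipaddress.IPv6Network(subnet_cidr, strict=True)
    if subnet.prefixlen != SUBNET_PREFIX:
        raise ValueError(f"subnet IPv6 block must be a /{SUBNET_PREFIX}")
    if not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet} is not inside {vpc}")
    index = (int(subnet.network_address) >> (128 - SUBNET_PREFIX)) & 0xFF
    return f"{index:02x}"


def all_subnets(vpc_cidr):
    """Every /64 the /56 can be split into, in hex-pair order 00..ff."""
    return [str(subnet_from_hex_pair(vpc_cidr, f"{i:02x}")) for i in range(256)]


if __name__ == "__main__":
    vpc = "2001:db8:1234:1a00::/56"   # the page's example VPC block
    print(subnet_from_hex_pair(vpc, "00"))    # the page's example subnet
    print(subnet_from_hex_pair(vpc, "05"))
    print(hex_pair_of(vpc, "2001:db8:1234:1a2b::/64"))
    print(len(all_subnets(vpc)), "subnets available")
```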

Subnet Routing

Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC. You can change the association, and you can change the contents of the main route table. For more information, see Route Tables.

In the previous diagram, the route table associated with subnet 1 routes all IPv4 traffic (0.0.0.0/0) and IPv6 traffic (::/0) to an Internet gateway (for example, igw-1a2b3c4d). Because instance 1A has an IPv4 Elastic IP address and instance 1B has an IPv6 address, they can be reached from the Internet over IPv4 and IPv6 respectively.

Note

(IPv4 only) The Elastic IPv4 address or public IPv4 address that's associated with your instance is accessed through the Internet gateway of your VPC. Traffic that goes through a VPN connection between your instance and another network traverses a virtual private gateway, not the Internet gateway, and therefore does not access the Elastic IPv4 address or public IPv4 address.

The instance 2A can't reach the Internet, but can reach other instances in the VPC. You can allow an instance in your VPC to initiate outbound connections to the Internet over IPv4 but prevent unsolicited inbound connections from the Internet using a network address translation (NAT) gateway or instance. Because you can allocate a limited number of Elastic IP addresses, we recommend that you use a NAT device if you have more instances that require a static public IP address. For more information, see NAT. To initiate outbound-only communication to the Internet over IPv6, you can use an egress-only Internet gateway. For more information, see Egress-Only Internet Gateways.

The route table associated with subnet 3 routes all IPv4 traffic (0.0.0.0/0) to a virtual private gateway (for example, vgw-1a2b3c4d). Instance 3A can reach computers in the corporate network over the VPN connection.

Subnet Security

AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs. Security groups control inbound and outbound traffic for your instances, and network ACLs control inbound and outbound traffic for your subnets. In most cases, security groups can meet your needs; however, you can also use network ACLs if you want an additional layer of security for your VPC. For more information, see Security.

By design, each subnet must be associated with a network ACL. Every subnet that you create is automatically associated with the VPC's default network ACL. You can change the association, and you can change the contents of the default network ACL. For more information, see Network ACLs.

You can create a flow log on your VPC or subnet to capture the traffic that flows to and from the network interfaces in your VPC or subnet. You can also create a flow log on an individual network interface. Flow logs are published to CloudWatch Logs. For more information, see VPC Flow Logs.

Connections with Your Local Network and Other VPCs

You can optionally set up a connection between your VPC and your corporate or home network. If you have an IPv4 address prefix in your VPC that overlaps with one of your networks' prefixes, any traffic to the network's prefix is dropped. For example, let's say that you have the following:

  • A VPC with CIDR block 10.0.0.0/16

  • A subnet in that VPC with CIDR block 10.0.1.0/24

  • Instances running in that subnet with IP addresses 10.0.1.4 and 10.0.1.5

  • On-premises host networks using CIDR blocks 10.0.37.0/24 and 10.1.38.0/24

When those instances in the VPC try to talk to hosts in the 10.0.37.0/24 address space, the traffic is dropped because 10.0.37.0/24 is part of the larger prefix assigned to the VPC (10.0.0.0/16). The instances can talk to hosts in the 10.1.38.0/24 space because that block isn't part of 10.0.0.0/16.
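Both the routing behaviour described under Subnet Routing and the dropped-traffic scenario just above come down to the same mechanism: every VPC route table carries an implicit local route for the VPC's own CIDR, and the longest matching prefix wins. The following Python model is an added example, not AWS code or part of this guide. It rebuilds the three subnet route tables from the diagram (the gateway IDs igw-1a2b3c4d and vgw-1a2b3c4d and the IPv6 block are the page's values; using 10.0.0.0/16 as the VPC's IPv4 CIDR is an assumption taken from the overlap example) and shows why 10.0.37.0/24 is unreachable over the VPN while 10.1.38.0/24 is not.

```python
import ipaddress


class RouteTable:
    """Longest-prefix-match model of a VPC route table (added illustration, not AWS code).

    The 'local' routes for the VPC's own CIDR blocks are implicit in every VPC route
    table, so they are added automatically; other routes are added with add_route().
    """

    def __init__(self, vpc_ipv4_cidr, vpc_ipv6_cidr=None):
        self.routes = [(ipaddress.ip_network(vpc_ipv4_cidr), "local")]
        if vpc_ipv6_cidr is not None:
            self.routes.append((ipaddress.ip_network(vpc_ipv6_cidr), "local"))

    def add_route(self, destination, target):
        dest = ipaddress.ip_network(destination)
        if any(existing == dest for existing, _ in self.routes):
            raise ValueError(f"route table already has a route for {dest}")
        self.routes.append((dest, target))
        return self

    def lookup(self, address):
        """Target for an address, or None when no route matches (the packet is dropped)."""
        addr = ipaddress.ip_address(address)
        matches = [(dest, target) for dest, target in self.routes
                   if dest.version == addr.version and addr in dest]
        if not matches:
            return None
        # The most specific (longest) prefix wins, so a local route beats 0.0.0.0/0.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# Page values: IPv6 block and gateway IDs are from the diagram; the IPv4 CIDR is an
# assumption taken from the overlap example (the diagram itself does not state it).
VPC_IPV4 = "10.0.0.0/16"
VPC_IPV6 = "2001:db8:1234:1a00::/56"
IGW, VGW = "igw-1a2b3c4d", "vgw-1a2b3c4d"


def build_page_tables():
    """The route tables of subnets 1 (public), 2 (private) and 3 (VPN-only)."""
    public = RouteTable(VPC_IPV4, VPC_IPV6).add_route("0.0.0.0/0", IGW).add_route("::/0", IGW)
    private = RouteTable(VPC_IPV4, VPC_IPV6)                 # main route table: local only
    vpn_only = RouteTable(VPC_IPV4, VPC_IPV6).add_route("0.0.0.0/0", VGW)
    return {"subnet1": public, "subnet2": private, "subnet3": vpn_only}


def shadowed_by_vpc(vpc_ipv4_cidr, remote_prefixes):
    """Remote (on-premises or peer) prefixes that overlap the VPC CIDR.

    Traffic to the overlapping addresses matches the local route instead of the
    VPN route, never leaves the VPC, and is dropped as the page describes.
    """
    vpc = ipaddress.ip_network(vpc_ipv4_cidr)
    return [p for p in remote_prefixes if ipaddress.ip_network(p).overlaps(vpc)]


if __name__ == "__main__":
    tables = build_page_tables()
    print("subnet1 -> 198.51.100.7:", tables["subnet1"].lookup("198.51.100.7"))   # igw
    print("subnet2 -> 198.51.100.7:", tables["subnet2"].lookup("198.51.100.7"))   # None
    print("subnet3 -> 10.0.37.5:   ", tables["subnet3"].lookup("10.0.37.5"))      # local
    print("subnet3 -> 10.1.38.5:   ", tables["subnet3"].lookup("10.1.38.5"))      # vgw
    print("shadowed:", shadowed_by_vpc(VPC_IPV4, ["10.0.37.0/24", "10.1.38.0/24"]))
```

Run before committing to a CIDR: `shadowed_by_vpc` over every on-premises prefix and every existing VPC you expect to peer with reports the overlaps that would otherwise surface later as silently dropped traffic or a refused peering connection.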

You can also create a VPC peering connection between your VPCs, or with a VPC in another AWS account. A VPC peering connection enables you to route traffic between the VPCs using private IP addresses; however, you cannot create a VPC peering connection between VPCs that have overlapping CIDR blocks. For more information, see VPC Peering.

We therefore recommend that you create a VPC with a CIDR range large enough for expected future growth, but not one that overlaps with current or expected future subnets anywhere in your corporate or home network, or that overlaps with current or future VPCs.

We currently do not support VPN connections over IPv6.

Working with VPCs and Subnets

You can create a VPC and subnets using the Amazon VPC console. The following procedures are for manually creating a VPC and subnets. You also have to manually add gateways and routing tables. Alternatively, you can use the Amazon VPC wizard to create a VPC plus its subnets, gateways, and routing tables in one step. For more information, see Scenarios and Examples.

Note

(EC2-Classic) If you use the launch wizard in the Amazon EC2 console to launch an instance type that is available in a VPC only and you do not have any existing VPCs, the wizard creates a nondefault VPC and subnets for you. For more information, see Instance Types Available Only in a VPC in the Amazon EC2 User Guide for Linux Instances.

Creating a VPC

You can create an empty VPC using the Amazon VPC console.

To create a VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs, Create VPC.

  3. Specify the following VPC details as necessary and choose Create VPC.

    • Name tag: Optionally provide a name for your VPC. Doing so creates a tag with a key of Name and the value that you specify.

    • IPv4 CIDR block: Specify an IPv4 CIDR block for the VPC. We recommend that you specify a CIDR block from the private (non-publicly routable) IP address ranges as specified in RFC 1918; for example, 10.0.0.0/16, or 192.168.0.0/16. It's possible to specify a range of publicly routable IPv4 addresses; however, we currently do not support direct access to the Internet from publicly routable CIDR blocks in a VPC. Windows instances cannot boot correctly if launched into a VPC with ranges from 224.0.0.0 to 255.255.255.255 (Class D and Class E IP address ranges). For more information about IP addresses, see IP Addressing in Your VPC.

    • IPv6 CIDR block: Optionally associate an IPv6 CIDR block with your VPC by choosing Amazon-provided IPv6 CIDR block.

    • Tenancy: Select a tenancy option. For example, dedicated tenancy ensures that your instances run on single-tenant hardware. For more information about Dedicated Instances, see Dedicated Instances.

After you've created a VPC, you can add subnets. For more information, see Adding a Subnet to Your VPC.

Associating an IPv6 CIDR Block with Your VPC

You can associate an IPv6 CIDR block with any existing VPC. The VPC must not have an existing IPv6 CIDR block associated with it.

To associate an IPv6 CIDR block with a VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select your VPC, choose Actions, Edit CIDRs.

  4. Choose Add IPv6 CIDR. After the IPv6 CIDR block is added, choose Close.

Adding a Subnet to Your VPC

When you add a new subnet to your VPC, you can specify the Availability Zone in which you want the subnet to reside. You can have multiple subnets in the same Availability Zone. You must specify an IPv4 CIDR block for the subnet from the range of your VPC. You can optionally specify an IPv6 CIDR block for your subnet if an IPv6 CIDR block is associated with your VPC.

To add a subnet to your VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets, Create Subnet.

  3. Specify the subnet details as necessary and choose Create Subnet.

    • Name tag: Optionally provide a name for your subnet. Doing so creates a tag with a key of Name and the value that you specify.

    • VPC: Choose the VPC for which you're creating the subnet.

    • Availability Zone: Optionally choose an Availability Zone in which your subnet will reside, or leave the default No Preference to let AWS choose an Availability Zone for you.

    • IPv4 CIDR block: Specify an IPv4 CIDR block for your subnet, for example, 10.0.1.0/24. For more information, see VPC and Subnet Sizing for IPv4.

    • IPv6 CIDR block: (Optional) If you've associated an IPv6 CIDR block with your VPC, choose Specify a custom IPv6 CIDR. Specify the hexadecimal pair value for the subnet, or leave the default value.

  4. (Optional) If required, repeat the steps above to create more subnets in your VPC.

After you've created a subnet, you can do the following:

  • Configure your routing. To make your subnet a public subnet, you must first attach an Internet gateway to your VPC. For more information, see Attaching an Internet Gateway. You can then create a custom route table, and add a route to the Internet gateway. For more information, see Creating a Custom Route Table. For other routing options, see Route Tables.

  • Modify the subnet settings to specify that all instances launched in that subnet receive a public IPv4 address, or an IPv6 address, or both. For more information, see IP Addressing Behavior for Your Subnet.

  • Create or modify your security groups as needed. For more information, see Security Groups for Your VPC.

  • Create or modify your network ACLs as needed. For more information about network ACLs, see Network ACLs.

Associating an IPv6 CIDR Block with Your Subnet

You can associate an IPv6 CIDR block with an existing subnet in your VPC. The subnet must not have an existing IPv6 CIDR block associated with it.

To associate an IPv6 CIDR block with a subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets.

  3. Select your subnet, choose Subnet Actions, Edit IPv6 CIDRs.

  4. Choose Add IPv6 CIDR. Specify the hexadecimal pair for the subnet (for example, 00) and confirm the entry by choosing the tick icon.

  5. Choose Close.

Launching an Instance into Your Subnet

After you've created your subnet and configured your routing, you can launch an instance into your subnet using the Amazon EC2 console.

To launch an instance into your subnet

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the dashboard, choose Launch Instance.

  3. Follow the directions in the wizard. Select an AMI and an instance type and choose Next: Configure Instance Details.

    Note

    If you want your instance to communicate over IPv6, you must select a supported instance type. All current generation instance types, except M3 and G2, support IPv6 addresses.

  4. On the Configure Instance Details page, ensure that you have selected the required VPC in the Network list, then select the subnet into which to launch the instance. Keep the other default settings on this page and choose Next: Add Storage.

  5. On the next pages of the wizard, you can configure storage for your instance, and add tags. On the Configure Security Group page, choose from any existing security group that you own, or follow the wizard directions to create a new security group. Choose Review and Launch when you're done.

  6. Review your settings and choose Launch.

  7. Select an existing key pair that you own or create a new one, and then choose Launch Instances when you're done.

Disassociating an IPv6 CIDR Block from Your VPC or Subnet

If you no longer want IPv6 support in your VPC or subnet, but you want to continue using your VPC or subnet for creating and communicating with IPv4 resources, you can disassociate the IPv6 CIDR block.

To disassociate an IPv6 CIDR block, you must first unassign any IPv6 addresses that are assigned to any instances in your subnet. For more information, see Unassigning an IPv6 Address From an Instance.

To disassociate an IPv6 CIDR block from a subnet

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets.

  3. Select your subnet, choose Subnet Actions, Edit IPv6 CIDRs.

  4. Remove the IPv6 CIDR block for the subnet by choosing the cross icon.

  5. Choose Close.

To disassociate an IPv6 CIDR block from a VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select your VPC, choose Actions, Edit CIDRs.

  4. Remove the IPv6 CIDR block by choosing the cross icon.

  5. Choose Close.

Note

Disassociating an IPv6 CIDR block does not automatically delete any security group rules, network ACL rules, or route table routes that you've configured for IPv6 networking. You must manually modify or delete these rules or routes.

Deleting Your Subnet

If you no longer need your subnet, you can delete it. You must terminate any instances in the subnet first.

To delete your subnet

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Terminate all instances in the subnet. For more information, see Terminate Your Instance in the EC2 User Guide.

  3. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  4. In the navigation pane, choose Subnets.

  5. Select the subnet to delete and choose Subnet Actions, Delete.

  6. In the Delete Subnet dialog box, choose Yes, Delete.

Deleting Your VPC

You can delete your VPC at any time. However, you must terminate all instances in the VPC first. When you delete a VPC using the Amazon VPC console, we delete all its components, such as subnets, security groups, network ACLs, Internet gateways, VPC peering connections, and DHCP options.

If you have a VPN connection, you don't have to delete it or the other components related to the VPN (such as the customer gateway and virtual private gateway). If you plan to use the customer gateway with another VPC, we recommend that you keep the VPN connection and the gateways. Otherwise, your network administrator must configure the customer gateway again after you create a new VPN connection.

To delete your VPC

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Terminate all instances in the VPC. For more information, see Terminate Your Instance in the Amazon EC2 User Guide for Linux Instances.

  3. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  4. In the navigation pane, choose Your VPCs.

  5. Select the VPC to delete and choose Actions, Delete VPC.

  6. To delete the VPN connection, select the option to do so; otherwise, leave it unselected. Choose Yes, Delete.

CLI Overview

You can perform the tasks described on this page using a command line interface (CLI). For more information, including a list of available API actions, see Accessing Amazon VPC.

Create a VPC

Create a subnet

Associate an IPv6 CIDR block with a VPC

Associate an IPv6 CIDR block with a subnet

Disassociate an IPv6 CIDR block from a VPC

Disassociate an IPv6 CIDR block from a subnet

Describe a VPC

Describe a subnet

Delete a VPC

Delete a subnet