Amazon Virtual Private Cloud
User Guide

IP Addressing in Your VPC

IP addresses enable resources in your VPC to communicate with each other, and with resources over the Internet. Amazon EC2 and Amazon VPC support the IPv4 and IPv6 addressing protocols.

By default, Amazon EC2 and Amazon VPC use the IPv4 addressing protocol. When you create a VPC, you must assign it an IPv4 CIDR block (a range of private IPv4 addresses). Private IPv4 addresses are not reachable over the Internet. To connect to your instance over the Internet, or to enable communication between your instances and other AWS services that have public endpoints, you can assign a globally-unique public IPv4 address to your instance.

You can optionally associate an IPv6 CIDR block with your VPC and subnets, and assign IPv6 addresses from that block to the resources in your VPC. IPv6 addresses are public and reachable over the Internet.

Note

To ensure that your instances can communicate with the Internet, you must also attach an Internet gateway to your VPC. For more information, see Internet Gateways.

Your VPC can operate in dual-stack mode: your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 addresses are independent of each other; you must configure routing and security in your VPC separately for IPv4 and IPv6.

The following table summarizes the differences between IPv4 and IPv6 in Amazon EC2 and Amazon VPC.

IPv4 and IPv6 Characteristics and Restrictions

| IPv4 | IPv6 |
|---|---|
| The format is 32-bit, 4 groups of 4 numerical digits. | The format is 128-bit, 8 groups of 4 hexadecimal digits. |
| Default and required for all VPCs; cannot be removed. | Opt-in only. |
| The VPC CIDR block size can be from /16 to /28. | The VPC CIDR block size is fixed at /56. |
| The subnet CIDR block size can be from /16 to /28. | The subnet CIDR block size is fixed at /64. |
| You can choose the private IPv4 CIDR block for your VPC. | We choose the IPv6 CIDR block for your VPC from Amazon's pool of IPv6 addresses. You cannot select your own range. |
| There is a distinction between private and public IP addresses. To enable communication with the Internet, a public IPv4 address is mapped to the primary private IPv4 address through network address translation (NAT). | No distinction between public and private IP addresses. IPv6 addresses are public. |
| Supported on all instance types. | Supported on all current generation instance types, except M3 and G2. For more information, see Amazon EC2 Instance Types. |
| Supported in EC2-Classic, and EC2-Classic connections with a VPC via ClassicLink. | Not supported in EC2-Classic, and not supported for EC2-Classic connections with a VPC via ClassicLink. |
| Supported on all AMIs. | Automatically supported on AMIs that are configured for DHCPv6. Amazon Linux versions 2016.09.0 and later and Windows Server 2008 R2 and later are configured for DHCPv6. For other AMIs, you must manually configure your instance to recognize any assigned IPv6 addresses. |
| An instance receives an Amazon-provided private DNS hostname that corresponds to its private IPv4 address, and if applicable, a public DNS hostname that corresponds to its public IPv4 or Elastic IP address. | Amazon-provided DNS hostnames are not supported. |
| Elastic IPv4 addresses are supported. | Elastic IPv6 addresses are not supported. |
| Supported for VPC VPN connections and customer gateways, NAT devices, and VPC endpoints. | Not supported for VPC VPN connections and customer gateways, NAT devices, and VPC endpoints. |
| Supported in all regions. | Currently supported in the US East (Ohio) region only. |


We support IPv6 traffic over a virtual private gateway to an AWS Direct Connect connection. For more information, see the AWS Direct Connect User Guide.

Private IPv4 Addresses

Private IPv4 addresses (also referred to as private IP addresses in this topic) are not reachable over the Internet, and can be used for communication between the instances in your VPC. When you launch an instance into a VPC, a primary private IP address from the IPv4 address range of the subnet is assigned to the default network interface (eth0) of the instance. Each instance is also given a private (internal) DNS hostname that resolves to the private IP address of the instance. If you don't specify a primary private IP address, we select an available IP address in the subnet range for you. For more information about network interfaces, see Elastic Network Interfaces in the Amazon EC2 User Guide for Linux Instances.

You can assign additional private IP addresses, known as secondary private IP addresses, to instances that are running in a VPC. Unlike a primary private IP address, you can reassign a secondary private IP address from one network interface to another. A private IP address remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated. For more information about primary and secondary IP addresses, see Multiple IP Addresses in the Amazon EC2 User Guide for Linux Instances.

Note

We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) IP address ranges specified in RFC 1918; however, you can use publicly routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC, we do not support direct access to the Internet from your VPC's CIDR block, including a publicly-routable CIDR block. You must set up Internet access through a gateway; for example, an Internet gateway, virtual private gateway, a VPN connection, or AWS Direct Connect.
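
The block size limits in the table above and the RFC 1918 note can be checked against an addressing plan before any resource is created. The following is an added example, not AWS code; the function names `size_ok` and `check_plan` and all sample CIDR blocks are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges referred to in the note above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def size_ok(net, is_vpc):
    """Size limits as stated in the table: IPv4 /16-/28, IPv6 /56 VPC, /64 subnet."""
    if net.version == 6:
        return net.prefixlen == (56 if is_vpc else 64)
    return 16 <= net.prefixlen <= 28


def check_plan(vpc_cidr, subnet_cidrs):
    """Return a list of findings for one VPC CIDR block and its subnet CIDR blocks."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)  # raises ValueError if host bits are set
    if not size_ok(vpc, is_vpc=True):
        findings.append(f"{vpc}: VPC block size not allowed")
    if vpc.version == 4 and not any(vpc.subnet_of(r) for r in RFC1918):
        findings.append(f"{vpc}: VPC block is outside the RFC 1918 ranges")
    accepted = []
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr)
        if net.version != vpc.version:
            findings.append(f"{net}: address family differs from {vpc}")
            continue
        if not size_ok(net, is_vpc=False):
            findings.append(f"{net}: subnet block size not allowed")
        if not net.subnet_of(vpc):
            findings.append(f"{net}: not inside {vpc}")
        findings += [f"{net}: overlaps {o}" for o in accepted if net.overlaps(o)]
        accepted.append(net)
    return findings


if __name__ == "__main__":
    # Constructed sample plans (private and documentation ranges only).
    for vpc, subnets in [
        ("10.0.0.0/16", ["10.0.0.0/24", "10.0.0.128/25", "10.1.0.0/24", "10.0.2.0/29"]),
        ("198.51.100.0/24", ["198.51.100.0/28"]),
        ("2001:db8:1234:1a00::/56", ["2001:db8:1234:1a00::/64", "2001:db8:1234:1b00::/64"]),
    ]:
        print(vpc, check_plan(vpc, subnets) or "ok")
```

A finding about the RFC 1918 ranges is informational: the note above allows such a block, but the plan should record that the range is not private address space.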

Public IPv4 Addresses

All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address (also referred to as a public IP address in this topic). Therefore, when you launch an instance into a subnet that has this attribute enabled, a public IP address is assigned to the primary network interface (eth0) that's created for the instance. A public IP address is mapped to the primary private IP address through network address translation (NAT).

You can control whether your instance receives a public IP address by doing the following:

A public IP address is assigned from Amazon's pool of public IP addresses; it's not associated with your account. When a public IP address is disassociated from your instance, it's released back into the pool, and is no longer available for you to use. You cannot manually associate or disassociate a public IP address. Instead, in certain cases, we release the public IP address from your instance, or assign it a new one. For more information, see Public IP Addresses in the Amazon EC2 User Guide for Linux Instances.

If you require a persistent public IP address allocated to your account that can be assigned to and removed from instances as you require, use an Elastic IP address instead. For more information, see Elastic IP Addresses.

If your VPC is enabled to support DNS hostnames, each instance that receives a public IP address or an Elastic IP address is also given a public DNS hostname. We resolve a public DNS hostname to the public IP address of the instance outside the instance network, and to the private IP address of the instance from within the instance network. For more information, see Using DNS with Your VPC.

IPv6 Addresses

You can optionally associate an IPv6 CIDR block with your VPC and subnets. For more information, see the following topics:

Your instance in a VPC receives an IPv6 address if an IPv6 CIDR block is associated with your VPC and your subnet, and if one of the following is true:

  • Your subnet is configured to automatically assign an IPv6 address to the primary network interface of an instance during launch.

  • You manually assign an IPv6 address to your instance during launch.

  • You assign an IPv6 address to your instance after launch.

  • You assign an IPv6 address to a network interface in the same subnet, and attach the network interface to your instance after launch.

When your instance receives an IPv6 address during launch, the address is associated with the primary network interface (eth0) of the instance. You can disassociate the IPv6 address from the primary network interface. We do not support IPv6 DNS hostnames for your instance.

An IPv6 address persists when you stop and start your instance, and is released when you terminate your instance. You cannot reassign an IPv6 address while it's assigned to another network interface—you must first unassign it.

You can assign additional IPv6 addresses to your instance by assigning them to a network interface attached to your instance. The number of IPv6 addresses you can assign to a network interface and the number of network interfaces you can attach to an instance vary by instance type. For more information, see IP Addresses Per Network Interface Per Instance Type in the Amazon EC2 User Guide.

IPv6 addresses are globally unique, and therefore reachable over the Internet. You can control whether instances are reachable via their IPv6 addresses by controlling the routing for your subnet, or by using security group and network ACL rules. For more information, see Security.

For more information about reserved IPv6 address ranges, see IANA IPv6 Special-Purpose Address Registry and RFC4291.
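
Because IPv4 and IPv6 security rules are configured separately and every IPv6 address is public, a security group can restrict a port for IPv4 sources while leaving the same port open to all IPv6 sources. The following added example (not AWS code) reviews one security group for that mismatch; the function name `family_mismatches` is hypothetical, and the sample is constructed in the shape of `describe-security-groups` output with a placeholder group ID.

```python
# Constructed sample shaped like one group from
# `aws ec2 describe-security-groups` output; the ID is a placeholder.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}


def family_mismatches(group):
    """Find inbound rules open to every address in one family but limited in the other."""
    by_rule = {}
    for perm in group.get("IpPermissions", []):
        # Merge entries that describe the same protocol and port range.
        key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
        v4, v6 = by_rule.setdefault(key, ([], []))
        v4.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
        v6.extend(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    findings = []
    for key, (v4, v6) in by_rule.items():
        v4_open, v6_open = "0.0.0.0/0" in v4, "::/0" in v6
        if v6_open and v4 and not v4_open:
            findings.append((group["GroupId"], key, "ipv6 open, ipv4 limited", v4))
        elif v4_open and v6 and not v6_open:
            findings.append((group["GroupId"], key, "ipv4 open, ipv6 limited", v6))
    return findings


if __name__ == "__main__":
    for finding in family_mismatches(SAMPLE_GROUP):
        print(finding)
```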

IP Addressing Behavior for Your Subnet

All subnets have a modifiable attribute that determines whether a network interface created in that subnet is assigned a public IPv4 address and, if applicable, an IPv6 address. This includes the primary network interface (eth0) that's created for an instance when you launch an instance in that subnet.

Regardless of the subnet attribute, you can still override this setting for a specific instance during launch. For more information, see Assigning a Public IPv4 Address During Instance Launch and Assigning an IPv6 Address During Instance Launch.

Working with IP Addresses

You can modify the IP addressing behavior of your subnet, assign a public IPv4 address to your instance during launch, and assign or unassign IPv6 addresses to and from your instance.

Modifying the Public IPv4 Addressing Attribute for Your Subnet

By default, nondefault subnets have the IPv4 public addressing attribute set to false, and default subnets have this attribute set to true. An exception is a nondefault subnet created by the Amazon EC2 launch instance wizard — the wizard sets the attribute to true. You can modify this attribute using the Amazon VPC console.

To modify your subnet's public IPv4 addressing behavior

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets.

  3. Select your subnet and choose Subnet Actions, Modify auto-assign IP settings.

  4. The Enable auto-assign public IPv4 address check box, if selected, requests a public IPv4 address for all instances launched into the selected subnet. Select or clear the check box as required, and then choose Save.

Modifying the IPv6 Addressing Attribute for Your Subnet

By default, all subnets have the IPv6 addressing attribute set to false. You can modify this attribute using the Amazon VPC console. If you enable the IPv6 addressing attribute for your subnet, network interfaces created in the subnet (and instances launched in the subnet) receive an IPv6 address from the range of the subnet. Your subnet must have an associated IPv6 CIDR block.

To modify your subnet's IPv6 addressing behavior

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets.

  3. Select your subnet and choose Subnet Actions, Modify auto-assign IP settings.

  4. The Enable auto-assign IPv6 address check box, if selected, requests an IPv6 address for all instances launched into the selected subnet. Select or clear the check box as required, and then choose Save.
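
The two subnet attributes above decide whether a new instance gets a public IPv4 or an IPv6 address, and the subnet's routing decides whether that address is reachable through an Internet gateway. The following added example (not AWS code) combines both to list the subnets where a newly launched instance is addressed and Internet-routed by default; the function names are hypothetical, and the data is constructed in the shape of `describe-subnets` and `describe-route-tables` output.

```python
# Constructed sample data shaped like `aws ec2 describe-subnets` and
# `aws ec2 describe-route-tables` output; every ID is a placeholder.
SUBNETS = [
    {"SubnetId": "subnet-aaa", "VpcId": "vpc-1",
     "MapPublicIpOnLaunch": True, "AssignIpv6AddressOnCreation": False},
    {"SubnetId": "subnet-bbb", "VpcId": "vpc-1",
     "MapPublicIpOnLaunch": False, "AssignIpv6AddressOnCreation": True},
    {"SubnetId": "subnet-ccc", "VpcId": "vpc-1",
     "MapPublicIpOnLaunch": True, "AssignIpv6AddressOnCreation": True},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-priv", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-ccc"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]


def route_table_for(subnet, tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for table in (t for t in tables if t["VpcId"] == subnet["VpcId"]):
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return table
            if assoc.get("Main"):
                main = table
    return main


def internet_families(table):
    """Address families that have a default route to an Internet gateway."""
    families = set()
    for route in (table or {}).get("Routes", []):
        if str(route.get("GatewayId", "")).startswith("igw-"):
            if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                families.add("ipv4")
            if route.get("DestinationIpv6CidrBlock") == "::/0":
                families.add("ipv6")
    return families


def exposed_on_launch(subnets, tables):
    """Per subnet: families that are auto-assigned at launch AND Internet-routed."""
    flags = (("ipv4", "MapPublicIpOnLaunch"), ("ipv6", "AssignIpv6AddressOnCreation"))
    report = {}
    for subnet in subnets:
        auto = {family for family, attr in flags if subnet.get(attr)}
        hit = auto & internet_families(route_table_for(subnet, tables))
        if hit:
            report[subnet["SubnetId"]] = sorted(hit)
    return report
```

Security group and network ACL rules still apply to the subnets this reports, so the result is a list of subnets to review, not a list of reachable instances.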

Assigning a Public IPv4 Address During Instance Launch

You can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address during launch.

Important

You can't manually disassociate the public IPv4 address from your instance after launch. Instead, it's automatically released in certain cases, after which you cannot reuse it. If you require a persistent public IP address that you can associate or disassociate at will, associate an Elastic IP address with the instance after launch instead. For more information, see Elastic IP Addresses.

To assign a public IPv4 address to an instance during launch

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Launch Instance.

  3. Choose an AMI and an instance type and choose Next: Configure Instance Details.

  4. On the Configure Instance Details page, select a VPC from the Network list. The Auto-assign Public IP list is displayed. Select Enable or Disable to override the default setting for the subnet.

    Important

    A public IPv4 address cannot be assigned if you specify more than one network interface. Additionally, you cannot override the subnet setting using the auto-assign public IPv4 feature if you specify an existing network interface for eth0.

  5. Follow the remaining steps in the wizard to launch your instance.

  6. On the Instances screen, select your instance. On the Description tab, in the IPv4 Public IP field, you can view your instance's public IP address. Alternatively, in the navigation pane, choose Network Interfaces and select the eth0 network interface for your instance. You can view the public IP address in the IPv4 Public IP field.

    Note

    The public IPv4 address is displayed as a property of the network interface in the console, but it's mapped to the primary private IPv4 address through NAT. Therefore, if you inspect the properties of your network interface on your instance, for example, through ipconfig on a Windows instance, or ifconfig on a Linux instance, the public IP address is not displayed. To determine your instance's public IP address from within the instance, you can use instance metadata. For more information, see Instance Metadata and User Data.

This feature is only available during launch. However, whether or not you assign a public IPv4 address to your instance during launch, you can associate an Elastic IP address with your instance after it's launched. For more information, see Elastic IP Addresses.

Assigning an IPv6 Address During Instance Launch

You can auto-assign an IPv6 address to your instance during launch. To do this, you must launch your instance into a VPC and subnet that has an associated IPv6 CIDR block. The IPv6 address is assigned from the range of the subnet, and is assigned to the primary network interface (eth0).

To auto-assign an IPv6 address to an instance during launch

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Launch Instance.

  3. Select an AMI and an instance type and choose Next: Configure Instance Details.

    Note

    Select an instance type that supports IPv6 addresses.

  4. On the Configure Instance Details page, select a VPC from Network and a subnet from Subnet. For Auto-assign IPv6 IP, choose Enable.

  5. Follow the remaining steps in the wizard to launch your instance.

Alternatively, if you want to assign a specific IPv6 address from the subnet range to your instance during launch, you can assign the address to the primary network interface for your instance.

To assign a specific IPv6 address to an instance during launch

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Launch Instance.

  3. Select an AMI and an instance type and choose Next: Configure Instance Details.

    Note

    Select an instance type that supports IPv6 addresses.

  4. On the Configure Instance Details page, select a VPC from Network and a subnet from Subnet.

  5. Go to the Network interfaces section. For the eth0 network interface, under IPv6 IPs, choose Add IP.

  6. Enter an IPv6 address from the range of the subnet.

  7. Follow the remaining steps in the wizard to launch your instance.

For more information about assigning multiple IPv6 addresses to your instance during launch, see Working with Multiple IPv6 Addresses in the Amazon EC2 User Guide for Linux Instances.

Assigning an IPv6 Address to an Instance

If your instance is in a VPC and subnet with an associated IPv6 CIDR block, you can use the Amazon EC2 console to assign an IPv6 address to your instance from the range of the subnet.

To associate an IPv6 address with your instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances and select your instance.

  3. Choose Actions, Manage IP Addresses.

  4. Under IPv6 Addresses, choose Assign new IP. You can specify an IPv6 address from the range of the subnet, or leave the Auto-assign value to let Amazon choose an IPv6 address for you.

  5. Choose Save.

Alternatively, you can assign an IPv6 address to a network interface. For more information, see Assigning an IPv6 Address in the Elastic Network Interfaces topic in the Amazon EC2 User Guide for Linux Instances.

Unassigning an IPv6 Address From an Instance

If you no longer need an IPv6 address for your instance, you can disassociate it from the instance using the Amazon EC2 console.

To disassociate an IPv6 address from your instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances and select your instance.

  3. Choose Actions, Manage IP Addresses.

  4. Under IPv6 Addresses, choose Unassign for the IPv6 address.

  5. Choose Save.

Alternatively, you can disassociate an IPv6 address from a network interface. For more information, see Unassigning an IPv6 Address in the Elastic Network Interfaces topic in the Amazon EC2 User Guide for Linux Instances.

API and Command Overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available APIs, see Accessing Amazon VPC.

Assign a public IPv4 address during launch

  • Use the --associate-public-ip-address or the --no-associate-public-ip-address option with the run-instances command. (AWS CLI)

  • Use the -AssociatePublicIp parameter with the New-EC2Instance command. (AWS Tools for Windows PowerShell)

Assign an IPv6 address during launch

  • Use the --ipv6-addresses option with the run-instances command. (AWS CLI)

  • Use the -Ipv6Addresses parameter with the New-EC2Instance command. (AWS Tools for Windows PowerShell)

Modify a subnet's IP addressing behavior

Assign an IPv6 address to a network interface

Unassign an IPv6 address from a network interface