Amazon VPC quotas - Amazon Virtual Private Cloud

Amazon VPC quotas

The following tables list the quotas, formerly referred to as limits, for Amazon VPC resources for your AWS account. Unless indicated otherwise, these quotas are per Region.

If you request a quota increase that applies per resource, we increase the quota for all resources in the Region.

VPC and subnets

Name Default Adjustable Comments
VPCs per Region 5 Yes

Increasing this quota increases the quota on internet gateways per Region by the same amount.

You can increase this limit so that you can have hundreds of VPCs per Region.

Subnets per VPC 200 Yes
IPv4 CIDR blocks per VPC 5 Yes

(up to 50)

This primary CIDR block and all secondary CIDR blocks count toward this quota.
IPv6 CIDR blocks per VPC 5 Yes

(up to 50)

The number of CIDRs you can allocate to a single VPC.

DNS

Each EC2 instance can send 1024 packets per second per network interface to RouteĀ 53 Resolver (specifically the .2 address, such as 10.0.0.2 and 169.254.169.253). This quota cannot be increased. The number of DNS queries per second supported by RouteĀ 53 Resolver varies by the type of query, the size of the response, and the protocol in use. For more information and recommendations for a scalable DNS architecture, see the AWS Hybrid DNS with Active Directory Technical Guide.

Elastic IP addresses

Name Default Adjustable Comments
Elastic IP addresses per Region 5 Yes This quota applies to individual AWS account VPCs and shared VPCs.
Elastic IP addresses per public NAT gateway 2 Yes You can request a quota increase up to 8.

Gateways

Name Default Adjustable Comments
Egress-only internet gateways per Region 5 Yes To increase this quota, increase the quota for VPCs per Region.

You can attach only one egress-only internet gateway to a VPC at a time.

Internet gateways per Region 5 Yes To increase this quota, increase the quota for VPCs per Region.

You can attach only one internet gateway to a VPC at a time.

NAT gateways per Availability Zone 5 Yes NAT gateways only count toward your quota in the pending, active, and deleting states.
Private IP address quota per NAT gateway 8 No
Carrier gateways per VPC 1 No

Customer-managed prefix lists

While the default quotas for customer-managed prefix lists are adjustable, you cannot request an increase using the Service Quotas console. You must open a service limit increase case using the AWS Support Center Console.

Name Default Adjustable Comments
Prefix lists per Region 100 Yes
Versions per prefix list 1,000 Yes If a prefix list has 1,000 stored versions and you add a new version, the oldest version is removed so that the new version can be added.
Maximum number of entries per prefix list 1,000 Yes

You can resize a customer-managed prefix list up to 1000. For more information, see Resize a prefix list. When you reference a prefix list in a resource, the maximum number of entries for the prefix lists counts against the quota for the number of entries for the resource. For example, if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules.

References to a prefix list per resource type 5,000 Yes This quota applies per resource type that can reference a prefix list. For example, you can have 5,000 references to a prefix list across all of your security groups plus 5,000 references to a prefix list across all of your subnet route tables. If you share a prefix list with other AWS accounts, the other accounts' references to your prefix list count toward this quota.

Network ACLs

Name Default Adjustable Comments
Network ACLs per VPC 200 Yes You can associate one network ACL to one or more subnets in a VPC.
Rules per network ACL 20 Yes

This quota determines both the maximum number of inbound rules and the maximum number of outbound rules. This quota can be increased up to a maximum of 40 inbound rules and 40 outbound rules (for a total of 80 rules), but network performance might be impacted.

Network interfaces

Name Default Adjustable Comments
Network interfaces per instance Varies by instance type No For more information, see Network interfaces per instance type.
Network interfaces per Region 5,000 Yes This quota applies to individual AWS account VPCs and shared VPCs.

Route tables

Name Default Adjustable Comments
Route tables per VPC 200 Yes The main route table counts toward this quota. Note that if you request a quota increase for route tables, you may also want to request a quota increase for subnets. While route tables can be shared with multiple subnets, a subnet can only be associated with a single route table.
Routes per route table (non-propagated routes) 50 Yes You can increase this quota up to a maximum of 1,000; however, network performance might be impacted. This quota is enforced separately for IPv4 routes and IPv6 routes.

If you have more than 125 routes, we recommend that you paginate calls to describe your route tables for better performance.

Propagated routes per route table 100 No

If you require additional prefixes, advertise a default route.

Security groups

Name Default Adjustable Comments
VPC security groups per Region 2,500 Yes This quota applies to individual AWS account VPCs and shared VPCs.

If you increase this quota to more than 5,000 security groups in a Region, we recommend that you paginate calls to describe your security groups for better performance.

Inbound or outbound rules per security group 60 Yes This quota is enforced separately for inbound and outbound rules. For an account with the default quota of 60 rules, a security group can have 60 inbound rules and 60 outbound rules. In addition, this quota is enforced separately for IPv4 rules and IPv6 rules. For an account with the default quota of 60 rules, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic. For more information, see Security group size.

A quota change applies to both inbound and outbound rules. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000.

Security groups per network interface 5 Yes

(up to 16)

This quota multiplied by the quota for rules per security group cannot exceed 1,000.

VPC sharing

All standard VPC quotas apply to a shared VPC.

Name Default Adjustable Comments
Participant accounts per VPC 100 Yes The maximum number of distinct participant accounts that subnets in a VPC can be shared with. This is a per VPC quota and applies across all the subnets shared in a VPC.

VPC owners can view the network interfaces and security groups that are attached to the participant resources.

Subnets that can be shared with an account 100 Yes This is the maximum number of subnets that can be shared with an AWS account.

Network Address Usage

Network Address Usage (NAU) is comprised of IP addresses, network interfaces, and CIDRs in managed prefix lists. NAU is a metric applied to resources in a VPC to help you plan for and monitor the size of your VPC. For more information, see Network Address Usage.

The resources that make up the NAU count have their own individual service quotas. Even if a VPC has NAU capacity available, you won't be able to launch resources into the VPC if the resources have exceeded their service quotas.

Name Default Adjustable Comments
Network Address Usage 64,000 Yes (up to to 256,000) The maximum number of NAU units per VPC.
Peered Network Address Usage 128,000 Yes (up to 512,000) The maximum number of NAU units for a VPC and all of its intra-Region peered VPCs. VPCs that are peered across different Regions do not contribute to this number.

Amazon EC2 API throttling

For information about Amazon EC2 throttling, see API Request Throttling in the Amazon EC2 API Reference.

Additional quota resources

For more information, see the following: