Amazon Virtual Private Cloud endpoints and quotas - AWS General Reference

Amazon Virtual Private Cloud endpoints and quotas

The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. In addition to the standard AWS endpoints, some AWS services offer FIPS endpoints in selected Regions. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.

Note

AWS recommends using Regional STS endpoints within your applications and avoiding the global (legacy) STS endpoint. Regional STS endpoints reduce latency, build in redundancy, and increase session token validity. For more information about configuring your applications to use the regional STS endpoint, see AWS STS Regionalized endpoints in the AWS SDKs and Tools Reference Guide. For more information about the global (legacy) AWS STS endpoint, including how to monitor for use of this endpoint, see How to use Regional AWS STS endpoints in the AWS Security blog.
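The monitoring the note refers to can be done offline against CloudTrail records: the global endpoint shows up as the bare hostname sts.amazonaws.com in the Host header the client sent (tlsDetails.clientProvidedHostHeader), while regional endpoints carry the Region in the hostname. The script below is an added example, not code from the AWS documentation; the CloudTrail records are constructed samples with placeholder ARNs and a placeholder account ID, trimmed to the fields the check reads. Note that awsRegion alone does not identify the global endpoint, since global-endpoint calls and regional us-east-1 calls are both recorded with awsRegion us-east-1, and older records without tlsDetails cannot be classified from the host header at all.

```python
"""Flag STS calls that went to the global (legacy) endpoint in CloudTrail records."""

# Constructed sample CloudTrail records (not real events); only the fields this
# check reads are included. The account ID and ARNs are placeholders.
SAMPLE_EVENTS = [
    {   # AssumeRole sent to the global endpoint: the Host header is the bare hostname
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-runner"},
        "tlsDetails": {"clientProvidedHostHeader": "sts.amazonaws.com"},
    },
    {   # Same API, regional endpoint in eu-west-1
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "eu-west-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-server"},
        "tlsDetails": {"clientProvidedHostHeader": "sts.eu-west-1.amazonaws.com"},
    },
    {   # Regional endpoint in us-east-1: same awsRegion as a global call, different host
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-server"},
        "tlsDetails": {"clientProvidedHostHeader": "sts.us-east-1.amazonaws.com"},
    },
    {   # Older record with no tlsDetails: cannot be classified from the host header
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/legacy-batch"},
    },
    {   # Not an STS call at all; ignored
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs", "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-server"},
        "tlsDetails": {"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"},
    },
]

GLOBAL_STS_HOST = "sts.amazonaws.com"


def classify_sts_endpoint(event):
    """Return 'global', 'regional', 'unknown', or None for non-STS events.

    The global endpoint is identified by the Host header the client sent
    (tlsDetails.clientProvidedHostHeader), not by awsRegion.
    """
    if event.get("eventSource") != "sts.amazonaws.com":
        return None
    host = event.get("tlsDetails", {}).get("clientProvidedHostHeader")
    if host is None:
        return "unknown"
    return "global" if host.strip().lower() == GLOBAL_STS_HOST else "regional"


def find_global_sts_callers(events):
    """Map each principal ARN to the number of global-endpoint STS calls it made."""
    callers = {}
    for event in events:
        if classify_sts_endpoint(event) == "global":
            arn = event.get("userIdentity", {}).get("arn", "<unknown principal>")
            callers[arn] = callers.get(arn, 0) + 1
    return callers


def unknown_sts_events(events):
    """STS events without tlsDetails; these need a second look by other fields."""
    return [e for e in events if classify_sts_endpoint(e) == "unknown"]


if __name__ == "__main__":
    for arn, n in find_global_sts_callers(SAMPLE_EVENTS).items():
        print(f"{arn}: {n} call(s) to the global STS endpoint")
    print(f"{len(unknown_sts_events(SAMPLE_EVENTS))} STS event(s) could not be classified")
```

Once a principal is identified, the fix is on the client side: set AWS_STS_REGIONAL_ENDPOINTS=regional in the environment, or sts_regional_endpoints = regional in the profile in the shared AWS config file, or construct the STS client with an explicit regional endpoint. Recent SDK versions default to regional endpoints, so the callers this check surfaces are usually old SDKs or hard-coded endpoint URLs.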

Service endpoints

The API actions to manage Amazon VPC resources (for example, virtual private clouds, subnets, and gateways) are part of the Amazon EC2 API. For more information, see Amazon VPC actions in the Amazon EC2 API Reference.

For the service endpoints for Amazon EC2, see Amazon EC2 endpoints and quotas.

Service quotas

Each entry gives the quota name, its default value, whether it is adjustable, and a description.

Active VPC peering connections per VPC
  Default: 50 per supported Region. Adjustable: Yes.
  The maximum number of active VPC peering connections per VPC. This quota can be increased up to a maximum of 125.

Characters per VPC endpoint policy
  Default: 20,480 per supported Region. Adjustable: No.
  The maximum number of characters in a VPC endpoint policy, including white space.

Egress-only internet gateways per Region
  Default: 5 per supported Region. Adjustable: Yes.
  The maximum number of egress-only (outbound-only) internet gateways per Region. This quota is directly tied to the maximum number of VPCs per Region. To increase this quota, increase the number of VPCs per Region.

Elastic IP address quota per NAT gateway
  Default: 2 per supported Region. Adjustable: Yes.
  The maximum number of Elastic IP addresses that can be associated with a single NAT gateway of connectivity type public.

Gateway VPC endpoints per Region
  Default: 20 per supported Region. Adjustable: Yes.
  The maximum number of gateway VPC endpoints per Region. The maximum is 255 gateway endpoints per VPC.

IPv4 CIDR blocks per VPC
  Default: 5 per supported Region. Adjustable: Yes.
  The maximum number of IPv4 CIDR blocks per VPC. The primary CIDR block and all secondary CIDR blocks count toward this quota. This quota can be increased up to a maximum of 50.

IPv6 CIDR blocks per VPC
  Default: 5 per supported Region. Adjustable: Yes.
  The maximum number of IPv6 CIDR blocks per VPC.

Inbound or outbound rules per security group
  Default: 60 per supported Region. Adjustable: Yes.
  The maximum number of inbound or outbound rules per VPC security group (120 rules in total). This quota is enforced separately for IPv4 and IPv6 rules. A rule that references a security group or prefix list ID counts as one rule each for IPv4 and IPv6. This quota multiplied by the security groups per network interface quota cannot exceed 1000.

Interface VPC endpoints per VPC
  Default: 50 per supported Region. Adjustable: Yes.
  The maximum number of interface VPC endpoints per VPC.

Internet gateways per Region
  Default: 5 per supported Region. Adjustable: Yes.
  The maximum number of internet gateways per Region. This quota is directly tied to the maximum number of VPCs per Region. To increase this quota, increase the number of VPCs per Region.

NAT gateways per Availability Zone
  Default: 5 per supported Region. Adjustable: Yes.
  The maximum number of NAT gateways per Availability Zone. This includes NAT gateways in the pending, active, or deleting state.

Network ACLs per VPC
  Default: 200 per supported Region. Adjustable: Yes.
  The maximum number of network ACLs per VPC.

Network Address Usage
  Default: 64,000 per supported Region. Adjustable: Yes.
  The maximum Network Address Usage for a single VPC.

Network interfaces per Region
  Default: 5,000 per supported Region. Adjustable: Yes.
  The maximum number of network interfaces per Availability Zone in a Region.

Outstanding VPC peering connection requests
  Default: 25 per supported Region. Adjustable: Yes.
  The maximum number of outstanding VPC peering connection requests that you've requested.

Participant accounts per VPC
  Default: 100 per supported Region. Adjustable: Yes.
  The maximum number of distinct participant accounts that subnets in a VPC can be shared with. This is a per-VPC quota and applies across all the subnets shared in a VPC.

Peered Network Address Usage
  Default: 128,000 per supported Region. Adjustable: Yes.
  The maximum Network Address Usage for a VPC and its peers.

Private IP address quota per NAT gateway
  Default: 8 per supported Region. Adjustable: Yes.
  The maximum number of private IP addresses that can be assigned to a single NAT gateway of connectivity type private.

Route tables per VPC
  Default: 200 per supported Region. Adjustable: Yes.
  The maximum number of route tables per VPC. The main route table counts toward this quota.

Routes per route table
  Default: 50 per supported Region. Adjustable: Yes.
  The maximum number of non-propagated routes per route table. This quota can be increased up to a maximum of 1000; however, network performance might be impacted. This quota is enforced separately for IPv4 and IPv6 routes.

Rules per network ACL
  Default: 20 per supported Region. Adjustable: Yes.
  The maximum number of inbound rules or outbound rules per network ACL (a total of 40 rules). This includes both IPv4 and IPv6 rules, and the default deny rules. This quota can be increased up to a maximum of 40; however, network performance might be impacted.

Security groups per network interface
  Default: 5 per supported Region. Adjustable: Yes.
  The maximum number of security groups per network interface. This quota can be increased up to a maximum of 16. This quota, multiplied by the quota for rules per security group, cannot exceed 1000.

Subnets per VPC
  Default: 200 per supported Region. Adjustable: Yes.
  The maximum number of subnets per VPC.

Subnets that can be shared with an account
  Default: 100 per supported Region. Adjustable: Yes.
  The maximum number of subnets that can be shared with an AWS account.

VPC peering connection request expiry hours
  Default: 168 per supported Region. Adjustable: No.
  The number of hours after which an unaccepted VPC peering connection request expires. The default value is 168 hours (one week).

VPC security groups per Region
  Default: 2,500 per supported Region. Adjustable: Yes.
  The maximum number of VPC security groups per Region.

VPCs per Region
  Default: 5 per supported Region. Adjustable: Yes.
  The maximum number of VPCs per Region. This quota is directly tied to the maximum number of internet gateways per Region.
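The two security group quotas above (rules per security group, and security groups per network interface) interact in a way that matters when a team hits the rule limit and is tempted to either raise the quota or collapse many specific CIDRs into one broad one. The counting rules are not obvious from the console: every CIDR in an IpPermission entry is one rule in its address family, and a security group or prefix list reference is one rule in each family. The script below is an added example, not code from the AWS documentation, that applies those rules to security groups in the shape of the EC2 DescribeSecurityGroups output; the two groups are constructed samples with placeholder IDs and documentation address ranges. It also computes the largest "security groups per network interface" value that a given "rules per security group" quota still permits under the 1000 product limit, which is what a quota increase request has to respect.

```python
"""Count security group rules the way the VPC quotas count them."""

# Constructed sample in the shape of the EC2 DescribeSecurityGroups output
# (not a real group; IDs are placeholders, CIDRs are from private and documentation ranges).
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {   # One permission entry, but four quota rules: two IPv4 CIDRs, one IPv6 CIDR,
            # and one security-group reference that counts once for IPv4 and once for IPv6
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "10.1.0.0/16"}],
            "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}],
            "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "123456789012"}],
        },
        {   # A prefix-list reference also counts once per address family
            "IpProtocol": "-1",
            "IpRanges": [], "Ipv6Ranges": [],
            "PrefixListIds": [{"PrefixListId": "pl-0123456789abcdef0"}],
            "UserIdGroupPairs": [],
        },
    ],
    "IpPermissionsEgress": [
        {
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            "PrefixListIds": [], "UserIdGroupPairs": [],
        },
    ],
}

# A second constructed group whose single permission entry lists 70 IPv4 /32s:
# one entry in the API response, but 70 rules against the quota.
WIDE_GROUP = {
    "GroupId": "sg-0aaaaaaaaaaaaaaaa",
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": f"192.0.2.{i}/32"} for i in range(70)],
            "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
        },
    ],
    "IpPermissionsEgress": [],
}

RULES_PER_SG_DEFAULT = 60     # default quota from the table above
SGS_PER_ENI_MAX = 16          # hard maximum for security groups per network interface
RULES_TIMES_SGS_MAX = 1000    # rules per SG x SGs per ENI may not exceed this


def count_rules(permissions):
    """Return {'ipv4': n, 'ipv6': n} for a list of IpPermission entries.

    Each CIDR counts once in its own family; a security-group or prefix-list
    reference counts once in each family, as the quota description states.
    """
    ipv4 = ipv6 = 0
    for perm in permissions:
        shared = len(perm.get("PrefixListIds", [])) + len(perm.get("UserIdGroupPairs", []))
        ipv4 += len(perm.get("IpRanges", [])) + shared
        ipv6 += len(perm.get("Ipv6Ranges", [])) + shared
    return {"ipv4": ipv4, "ipv6": ipv6}


def max_security_groups_per_interface(rules_per_sg):
    """Largest 'security groups per network interface' value a given rules quota allows."""
    return min(SGS_PER_ENI_MAX, RULES_TIMES_SGS_MAX // rules_per_sg)


def check_group(group, rules_per_sg=RULES_PER_SG_DEFAULT):
    """Return a list of quota findings for one group; an empty list means within quota."""
    findings = []
    for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress")):
        counts = count_rules(group.get(key, []))
        for family, n in counts.items():
            if n > rules_per_sg:
                findings.append(
                    f"{group['GroupId']}: {n} {direction} {family} rules exceed quota of {rules_per_sg}"
                )
    return findings


if __name__ == "__main__":
    for g in (SAMPLE_GROUP, WIDE_GROUP):
        print(g["GroupId"], "inbound", count_rules(g["IpPermissions"]),
              "outbound", count_rules(g["IpPermissionsEgress"]))
        for finding in check_group(g):
            print("  ", finding)
    print("raising rules per SG to 100 caps SGs per ENI at", max_security_groups_per_interface(100))
```

Run against real output, feed each element of the SecurityGroups list from aws ec2 describe-security-groups to check_group. The product constraint is the part to plan for: keeping the default 60 rules allows the full 16 groups per interface, but raising rules per group to 100 caps groups per interface at 10, and at 250 rules only 4 groups fit, which can break designs that stack several shared groups on one interface.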

For more information, see the following: