AWS Outposts network components - AWS Outposts

AWS Outposts network components

The following diagram shows the network components for your Outpost.

[Diagram: The VPC networking components for your Outpost.]

VPCs and subnets

A virtual private cloud (VPC) spans all Availability Zones in its AWS Region. You can extend any VPC in the Region to your Outpost by adding an Outpost subnet. To add an Outpost subnet to a VPC, specify the Amazon Resource Name (ARN) of the Outpost when you create the subnet.

Outposts support multiple subnets. You can specify the EC2 instance subnet when you launch the EC2 instance in your Outpost. You cannot restrict the hardware server where the instance is deployed because the Outpost is a pool of AWS compute and storage capacity.

IP addressing

AWS creates an address pool, known as a customer-owned IP address pool, based on information that you provide about your on-premises network. Customer-owned IP addresses provide internet connectivity to resources in your Outpost subnets through your on-premises network. You can assign these public addresses to resources on your Outpost, such as EC2 instances, using Elastic IP addresses. When you allocate an Elastic IP address, you can select an IP address from your customer-owned IP address pool. You continue to own the IP addresses in your customer-owned IP address pool and are responsible for advertising them on the internet.

You can also use IP address ranges that you provisioned for use with your AWS resources through bring your own IP addresses (BYOIP). These public IP addresses provide internet connectivity through the AWS Region.


Routing

The route tables for Outpost subnets work as they do for Availability Zone subnets. You can specify IP addresses, internet gateways, local gateways, virtual private gateways, and peering connections as destinations.

By default, every Outpost subnet inherits the main route table from its VPC. You can create a custom route table and explicitly associate it with an Outpost subnet. You can include a local gateway as a next-hop target for traffic to be routed to your on-premises network.
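Because an Outpost subnet with no explicit association silently picks up every route in the VPC main route table, it is worth checking which table actually applies to each Outpost subnet and which destinations it sends to the local gateway. The following is an added example, not AWS code: it works on constructed sample data shaped like the EC2 DescribeSubnets and DescribeRouteTables responses, and all IDs and ARNs in it are placeholders.

```python
# Constructed sample data shaped like EC2 DescribeSubnets / DescribeRouteTables
# responses. Every ID and ARN below is a made-up placeholder.
OUTPOST = "arn:aws:outposts:us-west-2:111122223333:outpost/op-EXAMPLE"
SUBNETS = [
    {"SubnetId": "subnet-op-a", "VpcId": "vpc-1", "OutpostArn": OUTPOST},
    {"SubnetId": "subnet-op-b", "VpcId": "vpc-1", "OutpostArn": OUTPOST},
    {"SubnetId": "subnet-az-a", "VpcId": "vpc-1"},  # Availability Zone subnet
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-outpost", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-op-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "LocalGatewayId": "lgw-EXAMPLE"}]},
]

def effective_route_table(subnet, route_tables):
    """Return (route_table, inherited): explicit association wins, else VPC main."""
    main = None
    for rt in (t for t in route_tables if t["VpcId"] == subnet["VpcId"]):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt, False
            if assoc.get("Main"):
                main = rt
    return main, True

def audit_outpost_subnets(subnets, route_tables):
    """Per Outpost subnet: the table that applies and its IPv4 local gateway routes."""
    findings = []
    for subnet in (s for s in subnets if s.get("OutpostArn")):
        rt, inherited = effective_route_table(subnet, route_tables)
        lgw = {r["DestinationCidrBlock"]: r["LocalGatewayId"]
               for r in rt["Routes"]
               if r.get("LocalGatewayId") and r.get("DestinationCidrBlock")}
        findings.append({"subnet": subnet["SubnetId"],
                         "route_table": rt["RouteTableId"],
                         "inherits_main": inherited,
                         "local_gateway_routes": lgw,
                         "default_via_local_gateway": "0.0.0.0/0" in lgw})
    return findings

if __name__ == "__main__":
    for finding in audit_outpost_subnets(SUBNETS, ROUTE_TABLES):
        print(finding)
```

In the sample, `subnet-op-a` inherits the main table and with it the internet gateway default route, while `subnet-op-b` sends its default route to the local gateway and therefore to the on-premises network.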


DNS

By default, EC2 instances in Outposts subnets can use the Amazon Route 53 DNS Service to resolve domain names to IP addresses. Route 53 supports DNS features such as domain registration, DNS routing, and health checks for instances running in your Outpost. Both public and private hosted zones are supported for routing traffic to specific domains. Route 53 resolvers are hosted in the AWS Region. Therefore, service link connectivity from the Outpost back to the AWS Region must be up and running for these DNS features to work.

You might encounter longer DNS resolution times with Route 53, depending on the path latency between your Outpost and the AWS Region. In such cases, you can use the DNS servers installed locally in your on-premises environment. To use your own DNS servers, you must create DHCP option sets for the servers and associate them with the VPC. You must also ensure that there is IP connectivity to these DNS servers. You might also need to add routes to the local gateway routing table for reachability. Because DHCP option sets have a VPC scope, instances in both the Outpost subnets and the Availability Zone subnets for the VPC will try to use the specified DNS servers for DNS name resolution.

Access to your local network

A local gateway is a local interconnect virtual router that enables communication between your Outpost and your on-premises network. You can also use the local gateway for communication between your Outpost and the internet. Each Outpost supports a single local gateway. You can associate multiple VPCs with the local gateway. For more information, see Local gateways and Outpost connectivity to the local network.

Access to the internet

The local gateway enables connectivity from your Outpost subnets to the internet.

For local internet connectivity, you can use a NAT instance in your Outpost subnet or send internet-bound traffic to a NAT device in your on-premises network.

Access to AWS

The local gateway for your Outpost enables connectivity from your Outpost subnets to all AWS services that are available in the parent Region, in the same way that you access them from an Availability Zone subnet. For example, you can access the Regional service endpoints over the public internet or you can use interface VPC endpoints (AWS PrivateLink) to access them without going over the public internet. For more information, see Outpost connectivity to AWS Regions.