

# IP addressing for your VPCs and subnets

IP addresses enable resources in your VPC to communicate with each other, and with resources over the internet.

Classless Inter-Domain Routing (CIDR) notation is a way to represent an IP address and its network mask. The format of these addresses is as follows:
+ An individual IPv4 address is 32 bits, written as four decimal numbers from 0 to 255 separated by periods. For example, 10.0.1.0.
+ An IPv4 CIDR block has an IPv4 address followed by a slash and a number from 0 to 32. For example, 10.0.0.0/16 represents 65,536 IPv4 addresses from 10.0.0.0 to 10.0.255.255.
+ An individual IPv6 address is 128 bits, with 8 segments of 4 hexadecimal digits. For example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334. It is not necessary to include the leading zeros in a segment. You can also replace consecutive all-zero segments with double colons (::) one time in an address. Therefore, the example address can be compressed as 2001:db8:85a3::8a2e:370:7334.
+ An IPv6 CIDR block has an IPv6 address that ends with all-zero segments, with the all-zero segments replaced by a double colon, followed by a slash and a number from 0 to 128. For example, 2001:db8:1234:1a00::/56 represents 2^72 IPv6 addresses from 2001:db8:1234:1a00:0000:0000:0000:0000 to 2001:db8:1234:1aff:ffff:ffff:ffff:ffff.

For more information, see [What is CIDR?](https://aws.amazon.com/what-is/cidr/)

**Topics**
+ [Private IPv4 addresses](#vpc-private-ipv4-addresses)
+ [Public IPv4 addresses](#vpc-public-ipv4-addresses)
+ [IPv6 addresses](#vpc-ipv6-addresses)
+ [Use your own IP addresses](#vpc-using-own-ip-address)
+ [Use Amazon VPC IP Address Manager](#vpc-using-ipam)
+ [VPC CIDR blocks](vpc-cidr-blocks.md)
+ [Subnet CIDR blocks](subnet-sizing.md)
+ [Compare IPv4 and IPv6](ipv4-ipv6-comparison.md)
+ [Managed prefix lists](managed-prefix-lists.md)
+ [AWS IP address ranges](aws-ip-ranges.md)
+ [IPv6 support for your VPC](vpc-migrate-ipv6.md)
+ [IPv6 support on AWS](aws-ipv6-support.md)

## Private IPv4 addresses


Private IPv4 addresses (also referred to as *private IP addresses* in this topic) are not reachable over the internet, and can be used for communication between the instances in your VPC. When you launch an instance into a VPC, a primary private IP address from the IPv4 address range of the subnet is assigned to the primary network interface (for example, eth0) of the instance. Each instance is also given a private (internal) DNS hostname that resolves to the private IP address of the instance. The hostname can be of two types: resource-based or IP-based. For more information, see [EC2 instance naming](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html). If you don't specify a primary private IP address, we select an available IP address in the subnet range for you. For more information about network interfaces, see [Elastic Network Interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) in the *Amazon EC2 User Guide*.

You can assign additional private IP addresses, known as secondary private IP addresses, to instances that are running in a VPC. Unlike a primary private IP address, you can reassign a secondary private IP address from one network interface to another. A private IP address remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated. For more information about primary and secondary IP addresses, see [Multiple IP Addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/MultipleIP.html) in the *Amazon EC2 User Guide*.

We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) ranges specified in RFC 1918; however, you can also use publicly routable CIDR blocks for your VPC. Regardless of the address range of your VPC, even a publicly routable one, we do not support direct access to the internet from your VPC's CIDR block. You must set up internet access through a gateway; for example, an internet gateway, a virtual private gateway, an AWS Site-to-Site VPN connection, or Direct Connect.

We never advertise the IPv4 address range of a subnet to the internet.

## Public IPv4 addresses


Every subnet has an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address (also referred to as a *public IP address* in this topic). When you launch an instance into a subnet that has this attribute enabled, a public IP address is assigned to the primary network interface that's created for the instance. The public IP address is mapped to the primary private IP address through network address translation (NAT); the instance's operating system sees only the private address.

**Note**  
AWS charges for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the **Public IPv4 Address** tab on the [Amazon VPC pricing page](https://aws.amazon.com/vpc/pricing/).

You can control whether your instance receives a public IP address in the following ways:
+ Modify the public IP addressing attribute of your subnet. For more information, see [Modify the IP addressing attributes of your subnet](subnet-public-ip.md).
+ Enable or disable the public IP addressing feature during instance launch, which overrides the subnet's public IP addressing attribute.
+ Unassign a public IP address from your instance after launch by managing the IP addresses associated with its network interface. For more information, see [Manage IP addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#managing-network-interface-ip-addresses) in the *Amazon EC2 User Guide*.

A public IP address is assigned from Amazon's pool of public IP addresses; it's not associated with your account. When a public IP address is disassociated from your instance, it's released back into the pool, and is no longer available for you to use. In certain cases, we release the public IP address from your instance, or assign it a new one. For more information, see [Public IP addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses) in the *Amazon EC2 User Guide*.

If you require a persistent public IP address allocated to your account that can be assigned to and removed from instances as you require, use an Elastic IP address instead. For more information, see [Associate Elastic IP addresses with resources in your VPC](vpc-eips.md).

If your VPC is enabled to support DNS hostnames, each instance that receives a public IP address or an Elastic IP address is also given a public DNS hostname. We resolve a public DNS hostname to the public IP address of the instance outside the instance network, and to the private IP address of the instance from within the instance network. For more information, see [DNS attributes for your VPC](vpc-dns.md).

If you are using Amazon VPC IP Address Manager (IPAM), you can get a contiguous block of public IPv4 addresses from AWS and use it to allocate sequential Elastic IP addresses to AWS resources. Using contiguous IPv4 address blocks can significantly reduce management overhead for security access control lists and simplify IP address allocation and tracking for enterprises scaling on AWS. For more information, see [Allocate sequential Elastic IP addresses from an IPAM pool](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-eip-pool.html) in the *Amazon VPC IPAM User Guide*.

## IPv6 addresses


As the internet continues to grow, so does the need for IP addresses. IPv4 is still the most widely used address format, but its address space is exhausted. IPv6 provides a far larger address space, which removes the IPv4 exhaustion problem and lets you connect many more devices to the internet. The transition is gradual, but as IPv6 adoption grows, you can simplify your networks and take advantage of IPv6 capabilities for better connectivity, performance, and security.

Many AWS services, such as Amazon EC2, Amazon S3, and Amazon CloudFront, offer either dual-stack (IPv4 and IPv6) or IPv6-only support, allowing resources to be assigned IPv6 addresses and accessed over the IPv6 protocol and simplifying network configuration and management for those customers adopting IPv6. Other services offer limited or partial dual-stack and IPv6-only support.

For more information about services that support IPv6, see [AWS services that support IPv6](aws-ipv6-support.md).

Note that some IPv6 addresses are reserved by the Internet Engineering Task Force. For more information about reserved IPv6 address ranges, see [IANA IPv6 Special-Purpose Address Registry](http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml) and [RFC4291](https://tools.ietf.org/html/rfc4291).

**Note**  
Both public and private IPv6 addressing are available in AWS. AWS defines public IP addresses as those advertised on the internet from AWS; private IP addresses are not, and cannot be, advertised on the internet from AWS.

**Topics**
+ [Public IPv6 addresses](#vpc-ipv6-addresses-public)
+ [Private IPv6 addresses](#vpc-ipv6-addresses-private)

### Public IPv6 addresses


Amazon-provided IPv6 addresses are always advertised on the internet. They are globally unique, and therefore reachable over the internet. You can control whether resources such as EC2 instances are reachable using their IPv6 addresses by controlling routing for your subnets, or by using security groups and network ACLs.

These are some of the ways you can prepare to use public IPv6 addresses for your workloads: 
+ Create an IPAM with Amazon VPC IP Address Manager and provision an Amazon-owned public IPv6 address range to an IPAM address pool. For more information, see [Create IPv6 pools](https://docs.aws.amazon.com/vpc/latest/ipam/intro-create-ipv6-pools.html) in the *Amazon VPC IPAM User Guide*.
+ If you have an IPAM and you own a public IPv6 address range, bring some or all of the public IPv6 address range to IPAM and provision the public IPv6 address range to an IPAM address pool. For more information, see [Tutorial: Bring your IP addresses to IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-ipam.html) in the *Amazon VPC IPAM User Guide*.
+ If you don't have an IPAM but you own a public IPv6 address range, bring some or all of the public IPv6 address range to AWS. For more information, see [Bring your own IP addresses (BYOIP) to Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) in the *Amazon EC2 User Guide*.

When you are prepared to use public IPv6 addresses, allocate a public IPv6 CIDR block to your VPC (see [Add or remove a CIDR block from your VPC](add-ipv4-cidr.md)), associate an IPv6 CIDR block from it with your subnets (see [Modify the IP addressing attributes of your subnet](subnet-public-ip.md)), and then assign public IPv6 addresses to instances in those subnets (see [IPv6 addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-ipv6-addresses.html) in the *Amazon EC2 User Guide*).

### Private IPv6 addresses


Private IPv6 addresses are IPv6 addresses that are not advertised and cannot be advertised on the Internet from AWS. 

Use private IPv6 addresses when you want your private networks to support IPv6 and you do not intend to route traffic from these addresses to the internet. A resource that has only a private IPv6 address can still reach the internet, but only by routing its traffic through a resource in another subnet that has a public IPv6 address.

There are two types of private IPv6 addresses: 
+ **IPv6 ULA ranges**: IPv6 addresses as defined in [RFC4193](https://datatracker.ietf.org/doc/html/rfc4193). These address ranges always start with “fc” or “fd”, which makes them easily identifiable. Valid IPv6 ULA space is anything under fd00::/8 that does not overlap with the Amazon reserved range fd00::/16. 
+ **IPv6 GUA ranges**: IPv6 addresses as defined in [RFC3587](https://datatracker.ietf.org/doc/html/rfc3587). The option to use IPv6 GUA ranges as private IPv6 addresses is disabled by default and must be enabled before you can use it. For more information, see [Enable provisioning private IPv6 GUA CIDRs](https://docs.aws.amazon.com/vpc/latest/ipam/enable-prov-ipv6-gua.html) in the *Amazon VPC IPAM User Guide*.

Note the following:
+ Private IPv6 addresses are only available through [Amazon VPC IP Address Manager (IPAM)](https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html). IPAM discovers resources with IPv6 ULA and GUA addresses and monitors pools for overlapping IPv6 ULA and GUA address space.
+ When you use private IPv6 GUA ranges, we require that you use IPv6 GUA ranges owned by you.
+ Private IPv6 addresses are not and cannot be advertised on the internet by AWS. AWS does not allow direct egress to the public internet from a private IPv6 range even if there is an internet gateway or egress only internet gateway in the VPC. Private IPv6 addresses are automatically dropped at the internet gateway edge ensuring that they are not routed publicly.
+ As with any subnet, AWS reserves the first four addresses and the last address of each private IPv6 subnet CIDR block.
+ Valid ranges for private IPv6 ULA are /9 to /60 starting with fd80::/9.
+ If you have a private IPv6 GUA range allocated to a VPC, you cannot use public IPv6 GUA space that overlaps the private IPv6 GUA space in the same VPC.
+ Communication between resources with private IPv6 ULA and GUA address ranges is supported (such as across Direct Connect, VPC peering, transit gateway, or VPN connections).
+ You can use private IPv6 addresses with IPv6-only and dual-stack [VPC subnets](configure-subnets.md#subnet-ip-address-range), [elastic load balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-getting-started.html) and [AWS Global Accelerator endpoints](https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.html).
+ There is no charge for private IPv6 addresses.

These are some of the ways you can prepare to use private IPv6 addresses for your workloads:
+ Create an IPAM with Amazon VPC IP Address Manager and provision a private IPv6 *ULA* range to an IPAM address pool. For more information, see [Create IPv6 pools](https://docs.aws.amazon.com/vpc/latest/ipam/intro-create-ipv6-pools.html) in the *Amazon VPC IPAM User Guide*. 
+ Create an IPAM with Amazon VPC IP Address Manager and provision a private IPv6 *GUA* range to an IPAM address pool. The option to use IPv6 GUA ranges as private IPv6 addresses is disabled by default and must be enabled on your IPAM before you can use it. For more information, see [Enable provisioning private IPv6 GUA CIDRs](https://docs.aws.amazon.com/vpc/latest/ipam/enable-prov-ipv6-gua.html) in the *Amazon VPC IPAM User Guide*.

When you are prepared to use private IPv6 addresses, you can allocate a private IPv6 CIDR block from an IPAM pool to your VPC (see [Add or remove a CIDR block from your VPC](add-ipv4-cidr.md)) and associate the IPv6 CIDR block with your subnets (see [Modify the IP addressing attributes of your subnet](subnet-public-ip.md)).

## Use your own IP addresses


You can bring part or all of your own public IPv4 address range or IPv6 address range to your AWS account. You continue to own the address range, but AWS advertises it on the internet by default. After you bring the address range to AWS, it appears in your account as an address pool. You can create an Elastic IP address from your IPv4 address pool, and you can associate an IPv6 CIDR block from your IPv6 address pool with a VPC.

For more information, see [Bring your own IP addresses (BYOIP)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) in the *Amazon EC2 User Guide*.

## Use Amazon VPC IP Address Manager


Amazon VPC IP Address Manager (IPAM) is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. You can use IPAM to allocate IP address CIDRs to VPCs using specific business rules.

For more information, see [What is IPAM?](https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html) in the *Amazon VPC IPAM User Guide*.

# VPC CIDR blocks


The IP addresses for your virtual private cloud (VPC) are represented using Classless Inter-Domain Routing (CIDR) notation. A VPC must have an associated IPv4 CIDR block. You can optionally associate additional IPv4 CIDR blocks and one or more IPv6 CIDR blocks. For more information, see [IP addressing for your VPCs and subnets](vpc-ip-addressing.md).

**Topics**
+ [IPv4 VPC CIDR blocks](#vpc-sizing-ipv4)
+ [Manage IPv4 CIDR blocks for a VPC](#vpc-resize)
+ [IPv4 CIDR block association restrictions](#add-cidr-block-restrictions)
+ [IPv6 VPC CIDR blocks](#vpc-sizing-ipv6)

## IPv4 VPC CIDR blocks


When you create a VPC, you must specify an IPv4 CIDR block for the VPC. The allowed block size is between a `/16` netmask (65,536 IP addresses) and `/28` netmask (16 IP addresses). After you've created your VPC, you can associate additional IPv4 CIDR blocks with the VPC. For more information, see [Add or remove a CIDR block from your VPC](add-ipv4-cidr.md).

When you create a VPC, we recommend that you specify a CIDR block from the private IPv4 address ranges as specified in [RFC 1918](http://www.faqs.org/rfcs/rfc1918.html).


| RFC 1918 range | Example CIDR block | 
| --- | --- | 
| 10.0.0.0 - 10.255.255.255 (10/8 prefix) | 10.0.0.0/16 | 
| 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) | 172.31.0.0/16 | 
| 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) | 192.168.0.0/20 | 

**Considerations**
+ You can't specify the following CIDR blocks for your VPCs:
  + 0.0.0.0/8
  + 127.0.0.0/8 (internal host loopback address range)
  + 169.254.0.0/16 ([link-local address range](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#link-local-addresses))
  + 224.0.0.0/4 (multicast address range)
+ When you create a VPC for use with an AWS service, check the service documentation to verify if there are specific requirements for its configuration.
+ Some AWS services use the `172.17.0.0/16` CIDR range. Services can experience IP address conflicts if the IP address range is already in use in your network. For example, AWS Cloud9 and Amazon SageMaker AI use `172.17.0.0/16`. To avoid conflicts, don't use this range when creating your VPC. For more information, see [Can't connect to EC2 environment because VPC's IP addresses are used by Docker](https://docs.aws.amazon.com/cloud9/latest/user-guide/troubleshooting.html#docker-bridge) in the *AWS Cloud9 User Guide*.
+ You can create a VPC with a publicly routable CIDR block that falls outside of the private IPv4 address ranges specified in RFC 1918. However, for the purposes of this documentation, we refer to *private IP addresses* as the IPv4 addresses that are within the CIDR range of your VPC.
+ If you create a VPC using a command line tool or the Amazon EC2 API, the CIDR block is automatically modified to its canonical form. For example, if you specify 100.68.0.18/18 for the CIDR block, we create a CIDR block of 100.68.0.0/18.
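The considerations above can be checked before you call the API. The following is an added example, not code from this guide or from AWS, that uses Python's standard `ipaddress` module to canonicalize a proposed VPC IPv4 CIDR and separate what the page says the API rejects (block size outside `/16`-`/28`, the reserved ranges) from what it merely advises against (non-RFC 1918 space, the `172.17.0.0/16` range). The function name `validate_vpc_ipv4_cidr` and the errors/warnings split are the example's own choices.

```python
import ipaddress

# Ranges the page lists as not allowed for a VPC CIDR block (constructed from its bullets).
FORBIDDEN = {
    "0.0.0.0/8": "listed as not allowed",
    "127.0.0.0/8": "internal host loopback range",
    "169.254.0.0/16": "link-local range",
    "224.0.0.0/4": "multicast range",
}
# Recommended source of VPC CIDRs (RFC 1918) and the range some AWS services use themselves.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONFLICT_PRONE = ipaddress.ip_network("172.17.0.0/16")  # used by Cloud9 and SageMaker AI per the page


def validate_vpc_ipv4_cidr(cidr: str) -> dict:
    """Canonicalise a proposed VPC IPv4 CIDR and report errors and warnings.

    Returns {"canonical": str | None, "errors": [...], "warnings": [...]}.
    'errors' are conditions the page says the API rejects; 'warnings' are
    conditions the API accepts but the page advises against.
    """
    errors, warnings = [], []
    try:
        # strict=False mirrors the API, which canonicalises 100.68.0.18/18 to 100.68.0.0/18
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return {"canonical": None, "errors": [f"not a valid CIDR: {exc}"], "warnings": []}
    if net.version != 4:
        return {"canonical": str(net), "errors": ["not an IPv4 CIDR"], "warnings": []}
    if str(net) != cidr:
        warnings.append(f"host bits set; API will canonicalise {cidr} to {net}")
    if not 16 <= net.prefixlen <= 28:
        errors.append(f"/{net.prefixlen} is outside the allowed /16-/28 range")
    for blocked, why in FORBIDDEN.items():
        if net.overlaps(ipaddress.ip_network(blocked)):
            errors.append(f"overlaps {blocked} ({why})")
    if not any(net.subnet_of(r) for r in RFC1918):
        warnings.append("not in an RFC 1918 range; a public range still needs a gateway for internet access")
    if net.overlaps(CONFLICT_PRONE):
        warnings.append("overlaps 172.17.0.0/16, which some AWS services (e.g. Cloud9, SageMaker AI) use")
    return {"canonical": str(net), "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for candidate in ("10.0.0.0/16", "100.68.0.18/18", "172.17.0.0/16", "127.0.0.0/16", "10.0.0.0/8"):
        result = validate_vpc_ipv4_cidr(candidate)
        print(candidate, "->", result["canonical"], result["errors"], result["warnings"])
```

Run it on your planned CIDR before `aws ec2 create-vpc`; an empty `errors` list with warnings is a judgement call, a non-empty one is a guaranteed API rejection.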

## Manage IPv4 CIDR blocks for a VPC


You can associate secondary IPv4 CIDR blocks with your VPC. When you associate a CIDR block with your VPC, a route is automatically added to your VPC route tables to enable routing within the VPC (the destination is the CIDR block and the target is `local`). 

In the following example, the VPC has both a primary and a secondary CIDR block. The CIDR blocks for Subnet A and Subnet B are from the primary VPC CIDR block. The CIDR block for Subnet C is from the secondary VPC CIDR block.

![\[VPCs with single and multiple CIDR blocks\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-multiple-cidrs.png)


The following route table shows the local routes for the VPC.


| Destination | Target | 
| --- | --- | 
| 10.0.0.0/16 | Local | 
| 10.2.0.0/16 | Local | 

To add a CIDR block to your VPC, the following rules apply:
+ The allowed block size is between a `/28` netmask and `/16` netmask.
+ The CIDR block must not overlap with any existing CIDR block that's associated with the VPC.
+ There are restrictions on the ranges of IPv4 addresses you can use. For more information, see [IPv4 CIDR block association restrictions](#add-cidr-block-restrictions).
+ You cannot increase or decrease the size of an existing CIDR block.
+ You have a quota on the number of CIDR blocks you can associate with a VPC and the number of routes you can add to a route table. You cannot associate a CIDR block if this results in you exceeding your quotas. For more information, see [Amazon VPC quotas](amazon-vpc-limits.md).
+ The CIDR block must not be the same or larger than a destination CIDR range in a route in any of the VPC route tables. For example, in a VPC where the primary CIDR block is `10.2.0.0/16`, you have an existing route in a route table with a destination of `10.0.0.0/24` to a virtual private gateway. You want to associate a secondary CIDR block in the `10.0.0.0/16` range. Because of the existing route, you cannot associate a CIDR block of `10.0.0.0/24` or larger. However, you can associate a secondary CIDR block of `10.0.0.0/25` or smaller.
+ The following rules apply when you add IPv4 CIDR blocks to a VPC that's part of a VPC peering connection:
  + If the VPC peering connection is `active`, you can add CIDR blocks to a VPC provided they do not overlap with a CIDR block of the peer VPC.
  + If the VPC peering connection is `pending-acceptance`, the owner of the requester VPC cannot add any CIDR block to the VPC, regardless of whether it overlaps with the CIDR block of the accepter VPC. Either the owner of the accepter VPC must accept the peering connection, or the owner of the requester VPC must delete the VPC peering connection request, add the CIDR block, and then request a new VPC peering connection.
  + If the VPC peering connection is `pending-acceptance`, the owner of the accepter VPC can add CIDR blocks to the VPC. If a secondary CIDR block overlaps with a CIDR block of the requester VPC, the VPC peering connection request fails and cannot be accepted.
+ If you're using Direct Connect to connect to multiple VPCs through a Direct Connect gateway, the VPCs that are associated with the Direct Connect gateway must not have overlapping CIDR blocks. If you add a CIDR block to one of the VPCs that's associated with the Direct Connect gateway, ensure that the new CIDR block does not overlap with an existing CIDR block of any other associated VPC. For more information, see [Direct Connect gateways](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways.html) in the *Direct Connect User Guide*.
+ When you add or remove a CIDR block, it can go through various states: `associating` | `associated` | `disassociating` | `disassociated` | `failing` | `failed`. The CIDR block is ready for you to use when it's in the `associated` state.

You can disassociate a CIDR block that you've associated with your VPC; however, you cannot disassociate the CIDR block with which you originally created the VPC (the primary CIDR block). To view the primary CIDR for your VPC in the Amazon VPC console, choose **Your VPCs**, select the checkbox for your VPC, and choose the **CIDRs** tab. To view the primary CIDR using the AWS CLI, use the [describe-vpcs](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpcs.html) command as follows. The primary CIDR is returned in the top-level `CidrBlock` element.

```
aws ec2 describe-vpcs --vpc-id vpc-1a2b3c4d --query Vpcs[*].CidrBlock --output text
```

The following is example output.

```
10.0.0.0/16
```

## IPv4 CIDR block association restrictions


The following table provides an overview of permitted and restricted VPC CIDR block associations for existing VPC CIDR blocks. The reason for restrictions is that some AWS services make use of cross-VPC and cross-account features that require non-conflicting CIDR blocks on the AWS service side.


| Existing IPv4 address range | Restricted associations | Permitted associations | 
| --- | --- | --- | 
|  10.0.0.0/8  |  CIDR blocks from other RFC 1918† ranges (172.16.0.0/12 and 192.168.0.0/16). If any of the CIDR blocks associated with the VPC are from the 10.0.0.0/15 range (10.0.0.0 to 10.1.255.255), you cannot add a CIDR block from the 10.0.0.0/16 range (10.0.0.0 to 10.0.255.255). CIDR blocks from the 198.19.0.0/16 range.  |  Any other CIDR block from the 10.0.0.0/8 range between a /16 netmask and /28 netmask that's not restricted. Any publicly routable IPv4 CIDR block (non-RFC 1918) between a /16 netmask and /28 netmask or a CIDR block between a /16 netmask and /28 netmask from the 100.64.0.0/10 range.  | 
|  169.254.0.0/16  |  CIDR blocks from the "link local" block are reserved as described in [RFC 5735](https://www.rfc-editor.org/rfc/rfc5735) and cannot be assigned to VPCs.  |  | 
|  172.16.0.0/12  |  CIDR blocks from other RFC 1918† ranges (10.0.0.0/8 and 192.168.0.0/16). CIDR blocks from the 172.31.0.0/16 range. CIDR blocks from the 198.19.0.0/16 range.  |  Any other CIDR block from the 172.16.0.0/12 range between a /16 netmask and /28 netmask that's not restricted. Any publicly routable IPv4 CIDR block (non-RFC 1918) between a /16 netmask and /28 netmask or a CIDR block between a /16 netmask and /28 netmask from the 100.64.0.0/10 range.  | 
|  192.168.0.0/16  |  CIDR blocks from other RFC 1918† ranges (10.0.0.0/8 and 172.16.0.0/12). CIDR blocks from the 198.19.0.0/16 range.  |  Any other CIDR block from the 192.168.0.0/16 range between a /16 netmask and /28 netmask. Any publicly routable IPv4 CIDR block (non-RFC 1918) between a /16 netmask and /28 netmask or a CIDR block from the 100.64.0.0/10 range between a /16 netmask and /28 netmask.  | 
|  198.19.0.0/16  |  CIDR blocks from the RFC 1918† ranges.  |  Any publicly routable IPv4 CIDR block (non-RFC 1918) between a /16 netmask and /28 netmask or a CIDR block from the 100.64.0.0/10 range between a /16 netmask and /28 netmask.  | 
|  Publicly routable CIDR block (non-RFC 1918), or a CIDR block from the 100.64.0.0/10 range  |  CIDR blocks from the RFC 1918† ranges. CIDR blocks from the 198.19.0.0/16 range.  |  Any other publicly routable IPv4 CIDR block (non-RFC 1918) between a /16 netmask and /28 netmask or a CIDR block between a /16 netmask and /28 netmask from the 100.64.0.0/10 range. You can also associate a CIDR in one of the RFC 1918 ranges, but to do this you have to add that CIDR first when you create the VPC and then add the non-RFC 1918 CIDR.  | 

† RFC 1918 ranges are the private IPv4 address ranges specified in [RFC 1918](http://www.faqs.org/rfcs/rfc1918.html).
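The rules for adding a CIDR block in the previous section and the association table above can be combined into one pre-flight check. The following is an added example, not code from this guide or from AWS: `check_secondary_cidr` (a name chosen for the example) takes the IPv4 CIDRs already associated with a VPC and the destinations of the non-`local` routes in its route tables, and returns the reasons the rules and the table would reject the proposed block. It applies every existing block's row of the table to the new block, which is the conservative reading where the table is silent on ordering; VPC peering and Direct Connect gateway overlap rules are outside its scope because they need the peer VPCs' CIDRs.

```python
from ipaddress import ip_network

# Rows of the association table, as ipaddress networks (constructed from the table).
RFC1918 = {
    "10.0.0.0/8": ip_network("10.0.0.0/8"),
    "172.16.0.0/12": ip_network("172.16.0.0/12"),
    "192.168.0.0/16": ip_network("192.168.0.0/16"),
}
BENCHMARK = ip_network("198.19.0.0/16")     # restricted alongside RFC 1918 blocks
LINK_LOCAL = ip_network("169.254.0.0/16")   # reserved, never assignable (RFC 5735)
TEN_15, TEN_16 = ip_network("10.0.0.0/15"), ip_network("10.0.0.0/16")
R172_31 = ip_network("172.31.0.0/16")


def classify(net) -> str:
    """Name the row of the association table that an IPv4 CIDR falls under."""
    if net.subnet_of(LINK_LOCAL):
        return "link-local"
    for name, rng in RFC1918.items():
        if net.subnet_of(rng):
            return name
    if net.subnet_of(BENCHMARK):
        return "198.19.0.0/16"
    return "public"   # non-RFC 1918, which the table groups with 100.64.0.0/10


def check_secondary_cidr(new_cidr: str, existing_cidrs: list, route_destinations: list) -> list:
    """Return sorted, de-duplicated reasons the association would be rejected (empty = OK).

    existing_cidrs: IPv4 CIDRs already associated with the VPC (primary first).
    route_destinations: destination CIDRs of non-local routes in any VPC route table.
    """
    new = ip_network(new_cidr, strict=False)     # API canonicalises host bits the same way
    if new.version != 4:
        return ["this check covers IPv4 CIDR blocks only"]
    existing = [ip_network(c) for c in existing_cidrs]
    reasons = []
    if not 16 <= new.prefixlen <= 28:
        reasons.append(f"/{new.prefixlen} outside /16-/28")
    for cur in existing:
        if new.overlaps(cur):
            reasons.append(f"overlaps existing VPC CIDR {cur}")
    for dest in (ip_network(d) for d in route_destinations):
        # "same or larger than a route destination" means the new block contains it
        if dest.version == 4 and new.supernet_of(dest):
            reasons.append(f"contains route destination {dest}")
    new_cls = classify(new)
    if new_cls == "link-local":
        reasons.append("169.254.0.0/16 is reserved (RFC 5735)")
    for cur in existing:
        cur_cls = classify(cur)
        if cur_cls in RFC1918:
            if new_cls in RFC1918 and new_cls != cur_cls:
                reasons.append(f"mixing {new_cls} with existing {cur_cls}")
            if new_cls == "198.19.0.0/16":
                reasons.append(f"198.19.0.0/16 not allowed with existing {cur_cls}")
            if cur_cls == "10.0.0.0/8" and cur.subnet_of(TEN_15) and new.subnet_of(TEN_16):
                reasons.append(f"10.0.0.0/16 space blocked because {cur} is within 10.0.0.0/15")
            if cur_cls == "172.16.0.0/12" and new.subnet_of(R172_31):
                reasons.append("172.31.0.0/16 space is restricted")
        elif cur_cls in ("198.19.0.0/16", "public"):
            if new_cls in RFC1918:
                reasons.append(f"RFC 1918 block cannot be added after a {cur_cls} block")
            if cur_cls == "public" and new_cls == "198.19.0.0/16":
                reasons.append("198.19.0.0/16 not allowed with a public block")
    return sorted(set(reasons))


if __name__ == "__main__":
    # The page's route-table example: primary 10.2.0.0/16, a route to 10.0.0.0/24 via a VGW.
    for candidate in ("10.0.0.0/24", "10.0.0.0/16", "10.0.0.0/25"):
        print(candidate, check_secondary_cidr(candidate, ["10.2.0.0/16"], ["10.0.0.0/24"]) or "OK")
```

Feed it the output of `describe-vpcs` (all `CidrBlockAssociationSet` entries) and `describe-route-tables` for the VPC; the page's own example yields a rejection for `10.0.0.0/24` and `10.0.0.0/16` and no objection to `10.0.0.0/25`.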

## IPv6 VPC CIDR blocks


You can associate one IPv6 CIDR block when you create a VPC and add more later, up to five IPv6 CIDR blocks in total (this quota is adjustable). Each block is from `/44` to `/60` in increments of 4 (`/44`, `/48`, `/52`, `/56`, or `/60`). You can request an IPv6 CIDR block from Amazon's pool of IPv6 addresses. For more information, see [Add or remove a CIDR block from your VPC](add-ipv4-cidr.md).

If you've associated an IPv6 CIDR block with your VPC, you can associate an IPv6 CIDR block with an existing subnet in your VPC or when you create a new subnet. For more information, see [Subnet sizing for IPv6](subnet-sizing.md#subnet-sizing-ipv6).

For example, you create a VPC and specify that you want to associate an Amazon-provided IPv6 CIDR block with the VPC. Amazon assigns the following IPv6 CIDR block to your VPC: `2001:db8:1234:1a00::/56`. You cannot choose the range of IP addresses yourself. You can create a subnet and associate an IPv6 CIDR block from this range; for example, `2001:db8:1234:1a00::/64`.

You can disassociate an IPv6 CIDR block from a VPC. After you've disassociated an IPv6 CIDR block from a VPC, you cannot expect to receive the same CIDR if you associate an IPv6 CIDR block with your VPC again later.

# Subnet CIDR blocks


The IP addresses for your subnets are represented using Classless Inter-Domain Routing (CIDR) notation. The CIDR block of a subnet can be the same as the CIDR block for the VPC (to create a single subnet in the VPC), or a subset of the CIDR block for the VPC (to create multiple subnets in the VPC). If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap.

For example, if you create a VPC with CIDR block `10.0.0.0/24`, it supports 256 IP addresses. You can break this CIDR block into two subnets, each supporting 128 IP addresses. One subnet uses CIDR block `10.0.0.0/25` (for addresses `10.0.0.0` - `10.0.0.127`) and the other uses CIDR block `10.0.0.128/25` (for addresses `10.0.0.128` - `10.0.0.255`).

![\[A VPC with CIDR block 10.0.0.0/24 divided into two subnets.\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/subnet-cidrs.png)


There are tools available on the internet to help you calculate and create IPv4 and IPv6 subnet CIDR blocks. You can find tools that suit your needs by searching for terms such as 'subnet calculator' or 'CIDR calculator'. Your network engineering group can also help you determine the IPv4 and IPv6 CIDR blocks to specify for your subnets.

## Subnet sizing for IPv4


The allowed IPv4 CIDR block size for a subnet is between a `/28` netmask and `/16` netmask. The first four IP addresses and the last IP address in each subnet CIDR block are not available for your use, and they cannot be assigned to a resource, such as an EC2 instance. For example, in a subnet with CIDR block `10.0.0.0/24`, the following five IP addresses are reserved: 
+ 10.0.0.0: Network address.
+ 10.0.0.1: Reserved by AWS for the VPC router.
+ 10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see [Amazon DNS server](AmazonDNS-concepts.md#AmazonDNS).
+ 10.0.0.3: Reserved by AWS for future use.
+ 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.

If you create a subnet using a command line tool or the Amazon EC2 API, the CIDR block is automatically modified to its canonical form. For example, if you specify 100.68.0.18/18 for the CIDR block, we create a CIDR block of 100.68.0.0/18.

If you bring an IPv4 address range to AWS using [BYOIP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html), you can use all of the IP addresses in the range, including the first address (the network address) and the last address (the broadcast address).

## Subnet sizing for IPv6


If you've associated an IPv6 CIDR block with your VPC, you can associate an IPv6 CIDR block with an existing subnet in your VPC, or when you create a new subnet. Possible IPv6 netmask lengths are between `/44` and `/64` in increments of `/4`.

There are tools available on the internet to help you calculate and create IPv6 subnet CIDR blocks. You can find tools that suit your needs by searching for terms such as 'IPv6 subnet calculator' or 'IPv6 CIDR calculator'. Your network engineering group can also help you determine the IPv6 CIDR blocks to specify for your subnets.

The first four IPv6 addresses and the last IPv6 address in each subnet CIDR block are not available for your use, and they cannot be assigned to an EC2 instance. For example, in a subnet with CIDR block `2001:db8:1234:1a00::/64`, the following five IP addresses are reserved:
+ `2001:db8:1234:1a00::`
+ `2001:db8:1234:1a00::1`: Reserved by AWS for the VPC router.
+ `2001:db8:1234:1a00::2`
+ `2001:db8:1234:1a00::3`
+ `2001:db8:1234:1a00:ffff:ffff:ffff:ffff`

In addition to the IP address reserved by AWS for the VPC router in the example above, the following IPv6 addresses are reserved for the default VPC router:
+ A link-local IPv6 address in the FE80::/10 range generated using EUI-64. For more information about link-local addresses, see [Link-local address](https://en.wikipedia.org/wiki/Link-local_address).
+ The link-local IPv6 address `FE80:ec2::1`.

If you need to communicate with the VPC router over IPv6, you can configure your applications to communicate with whichever address best fits your need.

# Compare IPv4 and IPv6


The following table summarizes the differences between IPv4 and IPv6 in Amazon EC2 and Amazon VPC.

For a list of AWS services that support dual-stack configuration (IPv4 and IPv6) and IPv6-only configurations, see [Services that support IPv6](aws-ipv6-support.md#ipv6-service-support).


| Characteristic | IPv4 | IPv6 | 
| --- | --- | --- | 
| VPC size | Up to 5 CIDRs from /16 to /28. This [quota](amazon-vpc-limits.md#vpc-limits-vpcs-subnets) is adjustable. | Up to 5 CIDRs from /44 to /60 in increments of /4. This [quota](amazon-vpc-limits.md#vpc-limits-vpcs-subnets) is adjustable. | 
| Subnet size | From /16 to /28. | From /44 to /64 in increments of /4. | 
| Address selection | You can choose the IPv4 CIDR block for your VPC or you can allocate a CIDR block from Amazon VPC IP Address Manager (IPAM). For more information, see [What is IPAM?](https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html) in the Amazon VPC IPAM User Guide.  | You can bring your own IPv6 CIDR block to AWS for your VPC, choose an Amazon-provided IPv6 CIDR block, or you can allocate a CIDR block from Amazon VPC IP Address Manager (IPAM). For more information, see [What is IPAM?](https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html) in the Amazon VPC IPAM User Guide.  | 
| Internet access | Requires an [internet gateway](VPC_Internet_Gateway.md). | Requires an internet gateway. Supports outbound-only communication using an [egress-only internet gateway](egress-only-internet-gateway.md). | 
| Elastic IP addresses | Supported. Gives an EC2 instance a permanent, static public IPv4 address. | Not supported. EIPs keep the public IPv4 address of an instance static on instance restart. IPv6 addresses are static by default. | 
| NAT gateways |  Supported. Instances in private subnets can connect to the internet using a public NAT gateway or to resources in other VPCs using a private NAT gateway.  | Supported. You can use a NAT gateway with NAT64 to enable instances in IPv6-only subnets to communicate with IPv4-only resources within VPCs, between VPCs, in your on-premises networks, or over the internet. | 
| DNS names | Instances receive Amazon-provided IPBN or RBN-based DNS names. The DNS name resolves to the DNS records selected for the instance. | Instances receive Amazon-provided IPBN or RBN-based DNS names. The DNS name resolves to the DNS records selected for the instance. | 
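
The reserved-address and subnet-sizing rules from the IPv4 and IPv6 sizing sections, together with the subnet size ranges in the table above, as an added Python example (not AWS code): it canonicalizes a CIDR the way the EC2 API does, rejects netmask lengths outside the accepted ranges, and lists the five reserved addresses of a subnet. All inputs are the page's own example blocks; nothing here calls AWS.

```python
import ipaddress

# Subnet netmask lengths accepted by Amazon VPC (from this page):
# IPv4 /16 to /28; IPv6 /44 to /64 in increments of /4.
IPV4_SUBNET_PREFIXLENS = range(16, 29)
IPV6_SUBNET_PREFIXLENS = range(44, 65, 4)

# Roles of the five reserved addresses, as offsets from the start of the subnet
# ("last" is the final address of the block).
IPV4_RESERVED_ROLES = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS server",
    3: "reserved for future use",
    "last": "network broadcast address",
}
IPV6_RESERVED_ROLES = {
    0: "reserved",
    1: "VPC router",
    2: "reserved",
    3: "reserved",
    "last": "reserved",
}


def canonical_cidr(cidr):
    """Return the CIDR as the EC2 API canonicalizes it (host bits cleared).

    100.68.0.18/18 becomes 100.68.0.0/18.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def validate_subnet_cidr(cidr):
    """Parse a subnet CIDR and reject netmask lengths AWS does not accept."""
    net = ipaddress.ip_network(cidr, strict=False)
    allowed = IPV4_SUBNET_PREFIXLENS if net.version == 4 else IPV6_SUBNET_PREFIXLENS
    if net.prefixlen not in allowed:
        raise ValueError(f"/{net.prefixlen} is not a valid IPv{net.version} subnet size")
    return net


def reserved_addresses(cidr):
    """Map each address AWS reserves in the subnet to its role, in address order."""
    net = validate_subnet_cidr(cidr)
    roles = IPV4_RESERVED_ROLES if net.version == 4 else IPV6_RESERVED_ROLES
    reserved = {}
    for offset, role in roles.items():
        if offset == "last":
            addr = net.broadcast_address  # last address of the block, for both families
        else:
            addr = net.network_address + offset
        reserved[str(addr)] = role
    return reserved


def usable_addresses(cidr):
    """Addresses you can actually assign: the block minus the five reserved ones."""
    return validate_subnet_cidr(cidr).num_addresses - 5


def is_assignable(cidr, address):
    """True if the address lies in the subnet and is not one AWS reserves."""
    net = validate_subnet_cidr(cidr)
    ip = ipaddress.ip_address(address)
    return ip in net and str(ip) not in reserved_addresses(cidr)


if __name__ == "__main__":
    print(canonical_cidr("100.68.0.18/18"))
    for cidr in ("10.0.0.0/24", "2001:db8:1234:1a00::/64"):
        print(cidr, usable_addresses(cidr), "usable")
        for addr, role in reserved_addresses(cidr).items():
            print("  ", addr, "-", role)
```
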

# Consolidate and manage network CIDR blocks with managed prefix lists
Managed prefix lists

A managed prefix list is a set of one or more CIDR blocks. You can use prefix lists to make it easier to configure and maintain your security groups and route tables. You can create a prefix list from the IP addresses that you frequently use, and reference them as a set in security group rules and routes instead of referencing them individually. For example, you can consolidate security group rules with different CIDR blocks but the same port and protocol into a single rule that uses a prefix list. If you scale your network and need to allow traffic from another CIDR block, you can update the relevant prefix list and all security groups that use the prefix list are updated. You can also use managed prefix lists with other AWS accounts using Resource Access Manager (RAM).

There are two types of prefix lists:
+ **Customer-managed prefix lists** — Sets of IP address ranges that you define and manage. You can share your prefix list with other AWS accounts, enabling those accounts to reference the prefix list in their own resources.
+ **AWS-managed prefix lists** — Sets of IP address ranges for AWS services. You cannot create, modify, share, or delete an AWS-managed prefix list.

**Topics**
+ [Prefix lists concepts and rules](#managed-prefix-lists-concepts)
+ [Identity and access management for prefix lists](#managed-prefix-lists-iam)
+ [Customer-managed prefix lists](working-with-managed-prefix-lists.md)
+ [AWS-managed prefix lists](working-with-aws-managed-prefix-lists.md)
+ [Optimize AWS infrastructure management with prefix lists](managed-prefix-lists-referencing.md)

## Prefix lists concepts and rules


A prefix list consists of *entries*. Each entry consists of a CIDR block and, optionally, a description for the CIDR block.

**Customer-managed prefix lists**

The following rules apply to customer-managed prefix lists:
+ A prefix list supports a single type of IP addressing only (IPv4 or IPv6). You cannot combine IPv4 and IPv6 CIDR blocks in a single prefix list.
+ A prefix list applies only to the Region where you created it.
+ When you create a prefix list, you must specify the maximum number of entries that the prefix list can support.
+ When you reference a prefix list in a resource, the maximum number of entries for the prefix lists counts against the quota for the number of entries for the resource. For example, if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules.
+ When you reference a prefix list in a route table, route priority rules apply. For more information, see [Route priority for prefix lists](route-tables-priority.md#route-priority-managed-prefix-list).
+ You can modify a prefix list. When you add or remove entries, we create a new version of the prefix list. Resources that reference the prefix always use the current (latest) version. You can restore the entries from a previous version of the prefix list, which also creates a new version.
+ There are quotas related to prefix lists. For more information, see [Customer-managed prefix lists](amazon-vpc-limits.md#vpc-quotas-managed-prefix-lists).
+ Customer-managed prefix lists are available in all commercial [AWS Regions](https://aws.amazon.com//about-aws/global-infrastructure/regions_az/) (including GovCloud (US) and China Regions).

**AWS-managed prefix lists**

The following rules apply to AWS-managed prefix lists:
+ You cannot create, modify, share, or delete an AWS-managed prefix list.
+ Different AWS-managed prefix lists have a different weight when you use them. For more information, see [AWS-managed prefix list weight](working-with-aws-managed-prefix-lists.md#aws-managed-prefix-list-weights).
+ You cannot view the version number of an AWS-managed prefix list.

## Identity and access management for prefix lists


By default, users do not have permission to create, view, modify, or delete prefix lists. You can create an IAM policy and attach it to a role that allows users to work with prefix lists.

To see a list of Amazon VPC actions and the resources and condition keys that you can use in an IAM policy, see [Actions, resources, and condition keys for Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html) in the *Service Authorization Reference*.

The following example policy allows users to view and work with prefix list `pl-123456abcde123456` only. Users cannot create or delete prefix lists.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:GetManagedPrefixListAssociations",
                "ec2:GetManagedPrefixListEntries",
                "ec2:ModifyManagedPrefixList",
                "ec2:RestoreManagedPrefixListVersion"
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:prefix-list/pl-123456abcde123456"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeManagedPrefixLists",
            "Resource": "*"
        }
    ]
}
```

For more information about working with IAM in Amazon VPC, see [Identity and access management for Amazon VPC](security-iam.md).

# Customer-managed prefix lists


Customer-managed prefix lists allow you to define and maintain your own sets of IP address ranges, known as prefixes, within AWS. Instead of hardcoding these IP addresses into your various resources, you can create a centralized prefix list and reference it wherever needed. This not only simplifies the management of your IP addresses but also promotes consistency and reusability across your AWS landscape. 

 One of the standout features of customer-managed prefix lists is the ability to share them with other AWS accounts. By granting access to your prefix lists, you can enable other teams or organizations to leverage your defined IP address ranges in their own resources. This collaborative approach fosters a more cohesive and efficient cloud experience, where IP address management is shared and synchronized. 

In the sections that follow, we'll dive deeper into the practical aspects of working with customer-managed prefix lists, including step-by-step guidance on creating, managing, and sharing your IP address ranges.

**Note**  
You can automate prefix list management using Amazon VPC IPAM to automatically sync CIDRs based on rules you define. This eliminates manual updates when your infrastructure changes. For more information, see [Automate prefix list updates with IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/automate-prefix-list-updates.html) in the *Amazon VPC IPAM User Guide*.

**Topics**
+ [Work with customer-managed prefix lists](work-with-cust-managed-prefix-lists.md)

# Work with customer-managed prefix lists


This section describes how to work with customer-managed prefix lists.

**Topics**
+ [Create a prefix list](#create-managed-prefix-list)
+ [View prefix lists](#view-managed-prefix-lists)
+ [View the entries for a prefix list](#view-managed-prefix-list-entries)
+ [View associations (references) for your prefix list](#view-managed-prefix-list-associations)
+ [Modify a prefix list](#modify-managed-prefix-list)
+ [Resize a prefix list](#resize-managed-prefix-list)
+ [Restore a previous version of a prefix list](#restore-managed-prefix-list)
+ [Delete a prefix list](#delete-managed-prefix-list)
+ [Share customer-managed prefix lists](sharing-managed-prefix-lists.md)

## Create a prefix list


When you create a prefix list, you must specify the maximum number of entries that the prefix list can support.

**Limitation**  
You can't add a prefix list to a security group rule if the number of rules plus the max entries for the prefix list exceeds the quota for rules per security group for your account.

**To create a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Choose **Create prefix list**.

1. For **Prefix list name**, enter a name for the prefix list.

1. For **Max entries**, enter the maximum number of entries for the prefix list.

1. For **Address family**, choose whether the prefix list supports IPv4 or IPv6 entries.

1. For **Prefix list entries**, choose **Add new entry**, and enter the CIDR block and a description for the entry. Repeat this step for each entry.

1. (Optional) For **Tags**, add tags to the prefix list to help you identify it later.

1. Choose **Create prefix list**.

**To create a prefix list using the AWS CLI**  
Use the [create-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-managed-prefix-list.html) command.

## View prefix lists


You can view your prefix lists, prefix lists that are shared with you, and AWS-managed prefix lists.

**To view prefix lists using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. The **Owner ID** column shows the AWS account ID of the prefix list owner. For AWS-managed prefix lists, the **Owner ID** is **AWS**.

**To view prefix lists using the AWS CLI**  
Use the [describe-managed-prefix-lists](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-managed-prefix-lists.html) command.

## View the entries for a prefix list


You can view the entries for your prefix lists, prefix lists that are shared with you, and AWS-managed prefix lists.

**To view the entries for a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**. 

1. Select the checkbox for the prefix list.

1. In the lower pane, choose **Entries** to view the entries for the prefix list.

**To view the entries for a prefix list using the AWS CLI**  
Use the [get-managed-prefix-list-entries](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-entries.html) command.

## View associations (references) for your prefix list


You can view the IDs and owners of the resources that are associated with your prefix list. Associated resources are resources that reference your prefix list in their entries or rules.

**Limitation**  
You cannot view associated resources for an AWS-managed prefix list.

**To view prefix list associations using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**. 

1. Select the checkbox for the prefix list.

1. In the lower pane, choose **Associations** to view the resources that are referencing the prefix list.

**To view prefix list associations using the AWS CLI**  
Use the [get-managed-prefix-list-associations](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-associations.html) command.

## Modify a prefix list


You can modify the name of your prefix list, and you can add or remove entries. To modify the maximum number of entries, see [Resize a prefix list](#resize-managed-prefix-list).

Updating the entries of a prefix list creates a new version of the prefix list. Updating the name or maximum number of entries for a prefix list does not create a new version of the prefix list.

**Considerations**
+ You cannot modify an AWS-managed prefix list.
+ When you increase the maximum number of entries in a prefix list, the increased maximum size is applied to the quota of entries for the resources that reference the prefix list. If any of these resources can't support the increased maximum size, the modify operation fails and the previous maximum size is restored.

**To modify a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for prefix list, and choose **Actions**, **Modify prefix list**.

1. For **Prefix list name**, enter a new name for the prefix list.

1. If the managed prefix list has been configured as an IPAM prefix list resolver target, you'll see an **IPAM prefix list resolver sync** option.

   Choose whether to enable or disable synchronization with the IPAM prefix list resolver. When enabled, the prefix list CIDRs are automatically updated based on the associated resolver's CIDR selection rules. When disabled, the prefix list CIDRs are not automatically updated. For more information about this feature, see [Automate prefix list updates with IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/automate-prefix-list-updates.html) in the *Amazon VPC IPAM User Guide*.

1. For **Prefix list entries**, choose **Remove** to remove an existing entry. To add a new entry, choose **Add new entry** and enter the CIDR block and a description for the entry.

1. Choose **Save prefix list**.

**To modify a prefix list using the AWS CLI**  
Use the [modify-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-managed-prefix-list.html) command.

## Resize a prefix list


You can resize a prefix list and modify the maximum number of entries for the prefix list up to 1000. For more information about customer-managed prefix list quotas, see [Customer-managed prefix lists](amazon-vpc-limits.md#vpc-quotas-managed-prefix-lists).

**To resize a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for the prefix list, and choose **Actions**, **Resize prefix list**.

1. For **New max entries**, enter a value.

1. Choose **Resize**.

**To resize a prefix list using the AWS CLI**  
Use the [modify-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-managed-prefix-list.html) command.

## Restore a previous version of a prefix list


You can restore the entries from a previous version of your prefix list. This creates a new version of the prefix list.

If you decreased the size of the prefix list, you must ensure that the prefix list is large enough to contain the entries from the previous version.

**To restore a previous version of a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for the prefix list, and choose **Actions**, **Restore prefix list**.

1. For **Select prefix list version**, choose a previous version. The entries for the selected version are displayed in **Prefix list entries**.

1. Choose **Restore prefix list**.

**To restore a previous version of a prefix list using the AWS CLI**  
Use the [restore-managed-prefix-list-version](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-managed-prefix-list-version.html) command.

## Delete a prefix list


To delete a prefix list, you must first remove any references to it in your resources (such as in your route tables). If you've shared the prefix list using AWS RAM, any references in consumer-owned resources must first be removed.

**Limitation**  
You cannot delete an AWS-managed prefix list.

**To delete a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the prefix list, and choose **Actions**, **Delete prefix list**.

1. In the confirmation dialog box, enter `delete`, and choose **Delete**.

**To delete a prefix list using the AWS CLI**  
Use the [delete-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-managed-prefix-list.html) command.

# Share customer-managed prefix lists


With AWS Resource Access Manager (AWS RAM), the owner of a customer-managed prefix list can share the prefix list with the following:
+ Specific AWS accounts inside or outside of its organization in AWS Organizations
+ An organizational unit inside its organization in AWS Organizations
+ An entire organization in AWS Organizations

Consumers with whom a prefix list has been shared can view the prefix list and its entries, and they can reference the prefix list in their AWS resources.

For more information about AWS RAM, see the [AWS RAM User Guide](https://docs.aws.amazon.com/ram/latest/userguide/). For more information about quotas, see [Service quotas](https://docs.aws.amazon.com/general/latest/gr/ram.html#limits_ram) in the AWS RAM User Guide.

**Important**  
There are no additional charges for sharing prefix lists.

**Topics**
+ [Shared prefix list permissions](sharing-perms.md)
+ [Work with shared prefix lists](work-with-shared-prefixes.md)

# Shared prefix list permissions


**Permissions for owners**

Owners are responsible for managing a shared prefix list and its entries. Owners can view the IDs of the AWS resources that reference the prefix list. However, they cannot add or remove references to a prefix list in AWS resources that are owned by consumers. 

Owners cannot delete a prefix list if the prefix list is referenced in a resource that's owned by a consumer.

**Permissions for consumers**

Consumers can view the entries in a shared prefix list, and they can reference a shared prefix list in their AWS resources. However, consumers can't modify, restore, or delete a shared prefix list.

# Work with shared prefix lists


AWS prefix lists provide a convenient way to manage and reference the IP address ranges used by various AWS services. In addition to the AWS-managed prefix lists, you also can create and share your own customer-managed prefix lists with other AWS accounts.

Sharing prefix lists can be particularly useful for organizations with complex networking requirements or those that need to coordinate IP address usage across multiple AWS workloads. By sharing a prefix list, you can ensure consistent IP address management and simplify networking configurations for your collaborators.

This section describes how to share prefix lists and how to identify and use prefix lists that have been shared with your account.

**Topics**
+ [Share a prefix list](#sharing-share)
+ [Unshare a shared prefix list](#sharing-unshare)
+ [Identify a shared prefix list](#sharing-identify)
+ [Identify references to a shared prefix list](#sharing-identify-references)

## Share a prefix list


To share a prefix list, you must add it to a resource share. If you do not have a resource share, you must first create one using the [AWS RAM console](https://console.aws.amazon.com/ram).

If you are part of an organization in AWS Organizations, and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared prefix list. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared prefix list after accepting the invitation.

You can create a resource share and share a prefix list that you own using the AWS RAM console, or the AWS CLI.

**Important**  
To share a prefix list, you must own it. You cannot share a prefix list that has been shared with you. You cannot share an AWS-managed prefix list.
To share a prefix list with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see [Enable sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*.

**To create a resource share and share a prefix list using the AWS RAM console**  
Follow the steps in [Create a resource share](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-create) in the *AWS RAM User Guide*. For **Select resource type**, choose **Prefix Lists**, and then select the check box for your prefix list.

**To add a prefix list to an existing resource share using the AWS RAM console**  
To add a managed prefix list that you own to an existing resource share, follow the steps in [Updating a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*. For **Select resource type**, choose **Prefix Lists**, and then select the check box for your prefix list.

**To share a prefix list that you own using the AWS CLI**  
Use the following commands to create and update a resource share:
+ [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html) 
+ [associate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/associate-resource-share.html) 
+ [update-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/update-resource-share.html) 

## Unshare a shared prefix list


When you unshare a prefix list, consumers can no longer view the prefix list or its entries in their account, and they cannot reference the prefix list in their resources. If the prefix list is already referenced in the consumer's resources, those references continue to function as normal, and you can continue to [view those references](#sharing-identify-references). If you update the prefix list to a new version, the references use the latest version.

To unshare a shared prefix list that you own, you must remove it from the resource share using AWS RAM.

**To unshare a shared prefix list that you own using the AWS RAM console**  
See [Updating a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*.

**To unshare a shared prefix list that you own using the AWS CLI**  
Use the [disassociate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/disassociate-resource-share.html) command.

## Identify a shared prefix list


Owners and consumers can identify shared prefix lists using the Amazon VPC console and AWS CLI.

**To identify a shared prefix list using the Amazon VPC console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. The page displays the prefix lists that you own and the prefix lists that are shared with you. The **Owner ID** column shows the AWS account ID of the prefix list owner.

1. To view the resource share information for a prefix list, select the prefix list and choose **Sharing** in the lower pane.

**To identify a shared prefix list using the AWS CLI**  
Use the [describe-managed-prefix-lists](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-managed-prefix-lists.html) command. The command returns the prefix lists that you own and the prefix lists that are shared with you. `OwnerId` shows the AWS account ID of the prefix list owner.

## Identify references to a shared prefix list


Owners can identify the consumer-owned resources that are referencing a shared prefix list.

**To identify references to a shared prefix list using the Amazon VPC console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the prefix list and choose **Associations** in the lower pane.

1. The IDs of the resources that are referencing the prefix list are listed in the **Resource ID** column. The owners of the resources are listed in the **Resource Owner** column.

**To identify references to a shared prefix list using the AWS CLI**  
Use the [get-managed-prefix-list-associations](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-associations.html) command.

# AWS-managed prefix lists


AWS-managed prefix lists are sets of IP address ranges for AWS services. These prefix lists are maintained by Amazon Web Services and provide a way to reference the IP addresses used by various AWS offerings. This can be particularly useful when configuring security groups or other network-level controls within a VPC.

The prefix lists cover a wide range of AWS services, including S3 and DynamoDB, and many others. By using the managed prefix lists, you can ensure that your network configurations are up-to-date and properly account for the IP addresses used by the AWS services you depend on. This can help simplify networking tasks and reduce the administrative overhead of manually maintaining lists of IP addresses.

In addition to the practical benefits, using the managed prefix lists also aligns with AWS security best practices. By relying on the authoritative IP address information provided by AWS, you can minimize the risk of misconfiguration or unexpected connectivity issues. This can be especially important for mission-critical applications or workloads with strict compliance requirements.

**Topics**
+ [Available AWS-managed prefix lists](#available-aws-managed-prefix-lists)
+ [AWS-managed prefix list weight](#aws-managed-prefix-list-weights)
+ [Use an AWS-managed prefix list](#use-aws-managed-prefix-list)

## Available AWS-managed prefix lists


The following services provide AWS-managed prefix lists.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html)

**To view the AWS-managed prefix lists using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. In the search field, add the **Owner ID: AWS** filter.

**To view the AWS-managed prefix lists using the AWS CLI**  
Use the [describe-managed-prefix-lists](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-managed-prefix-lists.html) command as follows.

```
aws ec2 describe-managed-prefix-lists --filters Name=owner-id,Values=AWS
```

## AWS-managed prefix list weight


The weight of an AWS-managed prefix list refers to the number of entries that it takes up in a resource.

For example, the weight of an Amazon CloudFront managed prefix list is 55. Here's how this affects your Amazon VPC quotas:
+ **Security groups** – The [default quota](amazon-vpc-limits.md#vpc-limits-security-groups) is 60 rules, leaving room for only 5 additional rules in a security group. You can [request a quota increase](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-0EA8095F) for this quota.
+ **Route tables** – The [default quota](amazon-vpc-limits.md#vpc-limits-route-tables) is 50 routes, so you must [request a quota increase](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-93826ACB) before you can add the prefix list to a route table.

## Use an AWS-managed prefix list


AWS-managed prefix lists are created and maintained by AWS and can be used by anyone with an AWS account. You cannot create, modify, share, or delete an AWS-managed prefix list.

As with customer-managed prefix lists, you can use AWS-managed prefix lists with AWS resources such as security groups and route tables. For more information, see [Optimize AWS infrastructure management with prefix lists](managed-prefix-lists-referencing.md).

# Optimize AWS infrastructure management with prefix lists


You can reference a prefix list in the following AWS resources.

**Topics**
+ [VPC security groups](#prefix-list-vpc-security-group)
+ [Subnet route tables](#prefix-list-subnet-route-table)
+ [Transit gateway route tables](#prefix-list-tgw-route-table)
+ [AWS Network Firewall rule groups](#prefix-list-nfw-rule-groups)
+ [Amazon Managed Grafana network access control](#prefix-list-grafana)
+ [AWS Outposts rack local gateways](#prefix-list-outpost-racks-lgw)

## VPC security groups


You can specify a prefix list as the source for an inbound rule, or as the destination for an outbound rule. For more information, see [Security groups](vpc-security-groups.md).

**Important**  
You can't modify an existing rule to use a prefix list. You have to create a new rule to use a prefix list.

**To reference a prefix list in a security group rule using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Security Groups**.

1. Select the security group to update.

1. Choose **Actions**, **Edit inbound rules** or **Actions**, **Edit outbound rules**.

1. Choose **Add rule**. For **Type**, select the traffic type. For **Source** (inbound rules) or **Destination** (outbound rules), choose **Custom**. Then, in the next field, under **Prefix lists**, choose the ID of the prefix list. 

1. Choose **Save rules**.

**To reference a prefix list in a security group rule using the AWS CLI**  
Use the [authorize-security-group-ingress](https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html) and [authorize-security-group-egress](https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-egress.html) commands. For the `--ip-permissions` parameter, specify the ID of the prefix list using `PrefixListIds`.

## Subnet route tables


You can specify a prefix list as the destination for route table entry. You cannot reference a prefix list in a gateway route table. For more information about route tables, see [Configure route tables](VPC_Route_Tables.md).

**To reference a prefix list in a route table using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Route Tables**, and select the route table.

1. Choose **Actions**, **Edit routes**.

1. To add a route, choose **Add route**.

1. For **Destination** enter the ID of a prefix list. 

1. For **Target**, choose a target.

1. Choose **Save changes**.

**To reference a prefix list in a route table using the AWS CLI**  
Use the [create-route](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html) (AWS CLI) command. Use the `--destination-prefix-list-id` parameter to specify the ID of a prefix list.

## Transit gateway route tables


You can specify a prefix list as the destination for a route. For more information, see [Prefix list references](https://docs.aws.amazon.com/vpc/latest/tgw/create-prefix-list-reference.html) in *Amazon VPC Transit Gateways*.

## AWS Network Firewall rule groups


An AWS Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. If you create Suricata-compatible stateful rule groups in AWS Network Firewall, you can reference a prefix list from the rule group. For more information, see [Referencing Amazon VPC prefix lists](https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references.html#rule-groups-referencing-prefix-lists) and [Creating a stateful rule group](https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-group-stateful-creating.html) in the *AWS Network Firewall Developer Guide*.

## Amazon Managed Grafana network access control


You can specify one or more prefix lists as an inbound rule for requests to Amazon Managed Grafana workspaces. For more information about Grafana workspace network access control, including how to reference prefix lists, see [Managing network access](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-nac.html) in the *Amazon Managed Grafana User Guide*.

## AWS Outposts rack local gateways


Each AWS Outposts rack provides a local gateway that allows you to connect your Outpost resources with your on-premises networks. You can group CIDRs that you frequently use in a prefix list and reference this list as a route target in your local gateway route table. For more information, see [Manage local gateway route table routes](https://docs.aws.amazon.com/outposts/latest/userguide/routing.html#manage-lgw-routes) in the *AWS Outposts User Guide for racks*.

# AWS IP address ranges


AWS publishes its current IP address ranges in JSON format. With this information, you can identify traffic from AWS. You can also use this information to allow or deny traffic to or from some AWS services.

**Considerations**
+ We publish the IP address ranges for services that customers commonly use to perform egress filtering. We don't publish the IP address ranges for all services.
+ Services use their IP address ranges to communicate with other services or to communicate with a customer network.
+ The IP address ranges that you bring to AWS through bring your own IP addresses (BYOIP) are not included in the `.json` file. For more information, see [Advertise your address range through AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/byoip-onboard.html#byoip-advertise) in the *Amazon EC2 User Guide*.

Some services publish their address ranges using AWS-managed prefix lists. For more information, see [Available AWS-managed prefix lists](working-with-aws-managed-prefix-lists.md#available-aws-managed-prefix-lists).

**Topics**
+ [Download](#aws-ip-download)
+ [Egress control](#aws-ip-egress-control)
+ [Geolocation feed](#aws-ip-geo-ip-feed)
+ [Find address ranges](aws-ip-work-with.md)
+ [Syntax](aws-ip-syntax.md)
+ [Subscribe to notifications](subscribe-notifications.md)

## Download the JSON file

To view the current address ranges, download [ip-ranges.json](https://ip-ranges.amazonaws.com/ip-ranges.json). To maintain history, save successive versions of the JSON file on your own computer. To determine whether there have been changes since the last time that you saved the file, check the publication time in the current file and compare it to the publication time in the last file that you saved.

The following is an example **curl** command that saves the JSON file to the current directory.

```
curl -O https://ip-ranges.amazonaws.com/ip-ranges.json
```

If you access this file programmatically, it is your responsibility to ensure that the application downloads the file only after successfully verifying the TLS certificate presented by the server.

To receive notifications of updates to the JSON file, see [AWS IP address ranges notifications](subscribe-notifications.md).

## Egress control


To allow resources you've created with one AWS service to only access other AWS services, you can use the IP address range information in the ip-ranges.json file to perform egress filtering. Ensure that the security group rules allow outbound traffic to the CIDR blocks in the AMAZON list. There are [quotas for security groups](amazon-vpc-limits.md#vpc-limits-security-groups). Depending on the number of IP address ranges in each Region, you might need multiple security groups per Region.

**Note**  
Some AWS services are built on EC2 and use EC2 IP address space. If you block traffic to EC2 IP address space, you block traffic to these non-EC2 services as well.
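The following Python script is an added example, not code from the AWS documentation. It shows one way to turn the `AMAZON` ranges for a Region into outbound security group rules: it collapses adjacent or nested prefixes so fewer rules are needed, then splits the result into groups that fit under the per-security-group rule quota. The embedded JSON is a constructed sample in the `ip-ranges.json` syntax (documentation prefixes, not real AWS ranges), and the quota value passed to `chunk_rules` is an assumption you replace with your account's actual quota.

```python
"""Build egress security group rules from ip-ranges.json (added example)."""
import ipaddress
import json

# Constructed sample in the ip-ranges.json syntax (not real AWS data).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0123456789",
    "createDate": "2024-08-01-17-22-15",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/26", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1",
         "network_border_group": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [],
})


def egress_cidrs(ip_ranges_json, region, service="AMAZON"):
    """Return collapsed IPv4 networks for `service` in `region`.

    collapse_addresses merges 192.0.2.0/25 + 192.0.2.128/25 into
    192.0.2.0/24 and drops prefixes already covered by a larger one,
    so the rule count is the minimum that still covers the same space.
    """
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["region"] == region and p["service"] == service]
    return sorted(ipaddress.collapse_addresses(nets))


def chunk_rules(networks, max_rules_per_group):
    """Split networks into lists that each fit one security group's quota."""
    if max_rules_per_group < 1:
        raise ValueError("max_rules_per_group must be >= 1")
    return [networks[i:i + max_rules_per_group]
            for i in range(0, len(networks), max_rules_per_group)]


def build_egress_permissions(networks, port=443):
    """Shape one IpPermissions entry, as authorize-security-group-egress expects.

    Each item in IpRanges counts as one rule against the quota.
    """
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": str(n), "Description": "AWS egress"}
                     for n in networks],
    }


if __name__ == "__main__":
    nets = egress_cidrs(SAMPLE_IP_RANGES, "us-east-1")
    # 55 leaves headroom under an assumed 60-rule quota; adjust to your quota.
    for group in chunk_rules(nets, max_rules_per_group=55):
        print(json.dumps(build_egress_permissions(group), indent=1))
```

Collapsing only merges ranges that are contiguous or nested, so the resulting rules permit exactly the same addresses as the uncollapsed list; the point is to stay under the quota, not to widen the allow list.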

## Geolocation feed


The IP address ranges in `ip-ranges.json` are by AWS Region. However, a Local Zone is not in the same physical location as its parent Region. The geolocation data published in [geo-ip-feed.csv](https://ip-ranges.amazonaws.com/geo-ip-feed.csv) accounts for Local Zones. The data follows [RFC 8805](https://datatracker.ietf.org/doc/html/rfc8805).

# Find the IP address ranges for AWS services

The AWS IP address range JSON file is a useful resource for finding the IP addresses of AWS services and using that information for network security and access control. By parsing the data in this JSON file, you can identify the IP address ranges associated with specific AWS services and Regions.

For example, you can use the IP address ranges to configure firewall rules that allow or deny access to specific AWS resources, and for AWS Network Firewall tasks. This level of control helps protect your applications and data by ensuring that only authorized traffic reaches the necessary AWS services. The same information helps you confirm that your applications are configured to communicate with the right AWS endpoints.

Beyond firewall rules, you can use the `ip-ranges.json` file to configure egress filtering on your network infrastructure. Knowing the destination IP address ranges for different AWS services lets you set up routing policies or network security controls that selectively permit or block outbound traffic based on its intended destination. This egress control helps mitigate the risk of data leakage and unauthorized access.

The `ip-ranges.json` file is updated regularly, so maintain an up-to-date local copy to ensure that you have accurate and current information. By using the contents of this file, you can manage network access and security for your AWS-based applications and strengthen your overall cloud security posture.

The following examples can help you filter the AWS IP address ranges to just what you are looking for. On Linux, you can download and use the [jq tool](https://stedolan.github.io/jq/) to parse a local copy of the JSON file. The [AWS Tools for Windows PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/) includes a cmdlet, [Get-AWSPublicIpAddressRange](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-AWSPublicIpAddressRange.html), that you can use to parse this JSON file. For more information, see the following blog: [Querying the Public IP Address Ranges for AWS](https://aws.amazon.com/blogs/developer/querying-the-public-ip-address-ranges-for-aws/).

To get the JSON file, see [Download the JSON file](aws-ip-ranges.md#aws-ip-download). For more information about the syntax of the JSON file, see [Syntax for AWS IP address range JSON](aws-ip-syntax.md).

**Topics**
+ [Get the file creation date](#filter-ip-ranges-creation-date)
+ [Get the IP addresses for a specific Region](#filter-ip-ranges-region)
+ [Get all IPv4 addresses](#filter-ip-ranges-ipv4)
+ [Get all IPv4 addresses for a specific service](#filter-ip-ranges-ipv4-service)
+ [Get all IPv4 addresses for a specific service in a specific Region](#filter-ip-ranges-ipv4-service-region)
+ [Get all IPv6 addresses](#filter-ip-ranges-ipv6)
+ [Get all IPv6 addresses for a specific service](#filter-ip-ranges-ipv6-service)
+ [Get all IP addresses for a specific border group](#filter-ip-ranges-border-group)

## Get the file creation date


The following example gets the creation date of `ip-ranges.json`.

------
#### [ jq ]

```
$ jq .createDate < ip-ranges.json

"2024-08-01-17-22-15"
```

------
#### [ PowerShell ]

```
PS C:\> Get-AWSPublicIpAddressRange -OutputPublicationDate

Thursday, August 1, 2024 9:22:35 PM
```

------

## Get the IP addresses for a specific Region


The following example filters the JSON file for the IP addresses for the specified Region.

------
#### [ jq ]

```
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json

{
  "ip_prefix": "23.20.0.0/14",
  "region": "us-east-1",
  "network_border_group": "us-east-1",
  "service": "AMAZON"
},
{
  "ip_prefix": "50.16.0.0/15",
  "region": "us-east-1",
  "network_border_group": "us-east-1",
  "service": "AMAZON"
},
{
  "ip_prefix": "50.19.0.0/16",
  "region": "us-east-1",
  "network_border_group": "us-east-1",
  "service": "AMAZON"
},
...
```

------
#### [ PowerShell ]

```
PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1

IpPrefix        Region      NetworkBorderGroup         Service
--------        ------       -------                   -------
23.20.0.0/14    us-east-1    us-east-1                 AMAZON
50.16.0.0/15    us-east-1    us-east-1                 AMAZON
50.19.0.0/16    us-east-1    us-east-1                 AMAZON
...
```

------

## Get all IPv4 addresses


The following example filters the JSON file for the IPv4 addresses.

------
#### [ jq ]

```
$ jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json

23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
```

------
#### [ PowerShell ]

```
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix

IpPrefix
--------
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
```

------

## Get all IPv4 addresses for a specific service


The following example filters the JSON file for the IPv4 addresses for the specified service.

------
#### [ jq ]

```
$ jq -r '.prefixes[] | select(.service=="GLOBALACCELERATOR") | .ip_prefix' < ip-ranges.json

13.248.117.0/24
15.197.34.0/23
15.197.36.0/22
...
```

------
#### [ PowerShell ]

```
PS C:\> Get-AWSPublicIpAddressRange -ServiceKey GLOBALACCELERATOR | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix

IpPrefix
--------
13.248.117.0/24
15.197.34.0/23
15.197.36.0/22
...
```

------

## Get all IPv4 addresses for a specific service in a specific Region


The following example filters the JSON file for the IPv4 addresses for the specified service in the specified Region.

------
#### [ jq ]

```
$ jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="GLOBALACCELERATOR") | .ip_prefix' < ip-ranges.json

13.248.124.0/24
99.82.166.0/24
99.82.171.0/24
...
```

------
#### [ PowerShell ]

```
PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1 -ServiceKey GLOBALACCELERATOR | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix

IpPrefix
--------
13.248.117.0/24
99.82.166.0/24
99.82.171.0/24
...
```

------

## Get all IPv6 addresses


The following example filters the JSON file for the IPv6 addresses.

------
#### [ jq ]

```
$ jq -r '.ipv6_prefixes | .[].ipv6_prefix' < ip-ranges.json

2a05:d07c:2000::/40
2a05:d000:8000::/40
2406:dafe:2000::/40
...
```

------
#### [ PowerShell ]

```
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv6"} | select IpPrefix

IpPrefix
--------
2a05:d07c:2000::/40
2a05:d000:8000::/40
2406:dafe:2000::/40
...
```

------

## Get all IPv6 addresses for a specific service


The following example filters the JSON file for the IPv6 addresses for the specified service.

------
#### [ jq ]

```
$ jq -r '.ipv6_prefixes[] | select(.service=="GLOBALACCELERATOR") | .ipv6_prefix' < ip-ranges.json
                            
2600:1f01:4874::/47
2600:1f01:4802::/47
2600:1f01:4860::/47
2600:9000:a800::/40
...
```

------
#### [ PowerShell ]

```
PS C:\> Get-AWSPublicIpAddressRange -ServiceKey GLOBALACCELERATOR | where {$_.IpAddressFormat -eq "Ipv6"} | select IpPrefix

IpPrefix
--------
2600:1f01:4874::/47
2600:1f01:4802::/47
2600:1f01:4860::/47
2600:9000:a800::/40
...
```

------

## Get all IP addresses for a specific border group


The following example filters the JSON file for all IP addresses for the specified border group.

------
#### [ jq ]

```
$ jq -r '.prefixes[] | select(.network_border_group=="us-west-2-lax-1") | .ip_prefix' < ip-ranges.json

70.224.192.0/18
52.95.230.0/24
15.253.0.0/16
...
```

------
#### [ PowerShell ]

```
PS C:\> Get-AWSPublicIpAddressRange | where {$_.NetworkBorderGroup -eq "us-west-2-lax-1"} | select IpPrefix

IpPrefix
--------
70.224.192.0/18
52.95.230.0/24
15.253.0.0/16
...
```

------
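The following Python script is an added example, not part of the AWS documentation. It generalizes the jq and PowerShell filters above into one function that accepts any combination of Region, service, network border group and IP version, and adds the reverse lookup a defender usually needs: given an address seen in a log, which AWS range (and therefore which service and Region) does it fall in. The embedded JSON is a constructed sample using documentation prefixes, not real AWS ranges; `filter_prefixes` and `lookup_address` are names chosen for this example.

```python
"""Filter ip-ranges.json and map an address back to AWS ranges (added example)."""
import ipaddress
import json

# Constructed sample in the ip-ranges.json syntax (not real AWS data).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0123456789",
    "createDate": "2024-08-01-17-22-15",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/26", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2",
         "network_border_group": "us-west-2-lax-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1234::/48", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "AMAZON"},
        {"ipv6_prefix": "2001:db8:1234::/64", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "GLOBALACCELERATOR"},
    ],
})


def load_entries(ip_ranges_json):
    """Normalise both arrays into (network, region, border_group, service)."""
    data = json.loads(ip_ranges_json)
    entries = []
    for p in data.get("prefixes", []):
        entries.append((ipaddress.ip_network(p["ip_prefix"]), p["region"],
                        p["network_border_group"], p["service"]))
    for p in data.get("ipv6_prefixes", []):
        entries.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"],
                        p["network_border_group"], p["service"]))
    return entries


def filter_prefixes(ip_ranges_json, region=None, service=None,
                    border_group=None, version=None):
    """Return CIDR strings matching every given criterion (None = any)."""
    out = []
    for net, reg, bg, svc in load_entries(ip_ranges_json):
        if region is not None and reg != region:
            continue
        if service is not None and svc != service:
            continue
        if border_group is not None and bg != border_group:
            continue
        if version is not None and net.version != version:
            continue
        out.append(str(net))
    return out


def lookup_address(ip_ranges_json, address):
    """Return matching (cidr, region, service) tuples, most specific first.

    An AWS address normally matches AMAZON plus a narrower service subset,
    so the first tuple is the most useful label for the traffic.
    """
    addr = ipaddress.ip_address(address)
    hits = [(str(net), reg, svc)
            for net, reg, bg, svc in load_entries(ip_ranges_json)
            if net.version == addr.version and addr in net]
    return sorted(hits, key=lambda h: -ipaddress.ip_network(h[0]).prefixlen)


if __name__ == "__main__":
    print(filter_prefixes(SAMPLE_IP_RANGES, region="us-east-1", version=4))
    print(filter_prefixes(SAMPLE_IP_RANGES, border_group="us-west-2-lax-1"))
    print(lookup_address(SAMPLE_IP_RANGES, "192.0.2.10"))
```

For a real file, replace `SAMPLE_IP_RANGES` with the contents of your saved `ip-ranges.json`; a lookup returning an empty list means the address is not in any published AWS range, which, given the considerations above, does not prove the traffic is not from AWS, only that it is not from a published range.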

# Syntax for AWS IP address range JSON

AWS publishes its current IP address ranges in JSON format. To get the JSON file, see [Download the JSON file](aws-ip-ranges.md#aws-ip-download). The syntax of the JSON file is as follows.

```
{
  "syncToken": "0123456789",
  "createDate": "yyyy-mm-dd-hh-mm-ss",
  "prefixes": [
    {
      "ip_prefix": "cidr",
      "region": "region",
      "network_border_group": "network_border_group",
      "service": "subset"
    }
  ],
  "ipv6_prefixes": [
    {
      "ipv6_prefix": "cidr",
      "region": "region",
      "network_border_group": "network_border_group",
      "service": "subset"
    }
  ]  
}
```

**syncToken**  
The publication time, in Unix epoch time format.  
Type: String  
Example: `"syncToken": "1416435608"`

**createDate**  
The publication date and time, in UTC YYYY-MM-DD-hh-mm-ss format.  
Type: String  
Example: `"createDate": "2014-11-19-23-29-02"`

**prefixes**  
The IP prefixes for the IPv4 address ranges.  
Type: Array

**ipv6_prefixes**  
The IP prefixes for the IPv6 address ranges.  
Type: Array

**ip_prefix**  
The public IPv4 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges. For example, prefix 96.127.0.0/17 in the file may be advertised as 96.127.0.0/21, 96.127.8.0/21, 96.127.32.0/19, and 96.127.64.0/18.  
Type: String  
Example: `"ip_prefix": "198.51.100.2/24"`

**ipv6_prefix**  
The public IPv6 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges.  
Type: String  
Example: `"ipv6_prefix": "2001:db8:1234::/64"`

**network_border_group**  
The name of the network border group, which is a unique set of Availability Zones or Local Zones from which AWS advertises IP addresses, or `GLOBAL`. Traffic for `GLOBAL` services can be attracted to or originate from multiple (up to all) Availability Zones or Local Zones from which AWS advertises IP addresses.  
Type: String  
Example: `"network_border_group": "us-west-2-lax-1"`

**region**  
The AWS Region or `GLOBAL`. Traffic for `GLOBAL` services can be attracted to or originate from multiple (up to all) AWS Regions.  
Type: String  
Valid values: `af-south-1` | `ap-east-1` | `ap-east-2` | `ap-northeast-1` | `ap-northeast-2` | `ap-northeast-3` | `ap-south-1` | `ap-south-2` | `ap-southeast-1` | `ap-southeast-2` | `ap-southeast-3` | `ap-southeast-4` | `ap-southeast-5` | `ap-southeast-6` | `ap-southeast-7` | `ca-central-1` | `ca-west-1` | `cn-north-1` | `cn-northwest-1` | `eu-central-1` | `eu-central-2` | `eu-north-1` | `eu-south-1` | `eu-south-2` | `eu-west-1` | `eu-west-2` | `eu-west-3` | `il-central-1` | `mx-central-1` | `me-central-1` | `me-south-1` | `sa-east-1` | `us-east-1` | `us-east-2` | `us-gov-east-1` | `us-gov-west-1` | `us-west-1` | `us-west-2` | `GLOBAL`  
Example: `"region": "us-east-1"`

**service**  
The subset of IP address ranges. The addresses listed for `API_GATEWAY` are egress only. Specify `AMAZON` to get all IP address ranges (meaning that every subset is also in the `AMAZON` subset). However, some IP address ranges are only in the `AMAZON` subset (meaning that they are not also available in another subset).  
Type: String  
Valid values: `AMAZON` | `AMAZON_APPFLOW` | `AMAZON_CONNECT` | `API_GATEWAY` | `AURORA_DSQL` | `CHIME_MEETINGS` | `CHIME_VOICECONNECTOR` | `CLOUD9` | `CLOUDFRONT` | `CLOUDFRONT_ORIGIN_FACING` | `CODEBUILD` | `DYNAMODB` | `EBS` | `EC2` | `EC2_INSTANCE_CONNECT` | `GLOBALACCELERATOR` | `IVS_LOW_LATENCY` | `IVS_REALTIME` | `KINESIS_VIDEO_STREAMS` | `MEDIA_PACKAGE_V2` | `ROUTE53` | `ROUTE53_HEALTHCHECKS` | `ROUTE53_HEALTHCHECKS_PUBLISHING` | `ROUTE53_RESOLVER` | `S3` | `WORKSPACES_GATEWAYS`  
Example: `"service": "AMAZON"`

## Range overlaps


The IP address ranges returned by any service code are also returned by the `AMAZON` service code. For example, all IP address ranges that are returned by the `S3` service code are also returned by the `AMAZON` service code.

When service A uses resources from service B, there are IP address ranges that are returned by the service codes for both service A and service B. However, these IP address ranges are used exclusively by service A, and can't be used by service B. For example, Amazon S3 uses resources from Amazon EC2, so there are IP address ranges that are returned by both the `S3` and `EC2` service codes. However these IP address ranges are used exclusively by Amazon S3. Therefore, the `S3` service code returns all IP address ranges that are used exclusively by Amazon S3. To identify the IP address ranges that are used exclusively by Amazon EC2, find the IP address ranges that are returned by the `EC2` service code but not the `S3` service code.
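The following Python script is an added example, not part of the AWS documentation. It applies the overlap rule just described: the prefixes used exclusively by Amazon EC2 are those returned by the `EC2` service code but not by the `S3` service code, so the script takes the set difference of the two prefix lists. It also checks the stated invariant that every subset is contained in `AMAZON`, and lists the prefixes that appear only under `AMAZON`. The embedded JSON is a constructed sample that mirrors the rule, not real AWS data; the function names are chosen for this example.

```python
"""Work out which ip-ranges.json prefixes a service uses exclusively (added example)."""
import json

# Constructed sample: 198.51.100.0/24 is listed for both EC2 and S3 and,
# per the documented rule, belongs to S3; 192.0.2.0/24 is EC2-only.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0123456789",
    "createDate": "2024-08-01-17-22-15",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "network_border_group": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [],
})


def prefixes_by_service(ip_ranges_json):
    """Map each service code to the set of IPv4 CIDR strings it returns."""
    data = json.loads(ip_ranges_json)
    by_service = {}
    for p in data["prefixes"]:
        by_service.setdefault(p["service"], set()).add(p["ip_prefix"])
    return by_service


def exclusive_prefixes(ip_ranges_json, provider, consumers):
    """Prefixes returned for `provider` but not for any service in `consumers`.

    The EC2-vs-S3 case is exclusive_prefixes(data, "EC2", ["S3"]). Which
    services consume a provider's ranges is knowledge you bring; the file
    itself does not say which direction the sharing goes.
    """
    mine = set(prefixes_by_service(ip_ranges_json).get(provider, set()))
    by_service = prefixes_by_service(ip_ranges_json)
    for other in consumers:
        mine -= by_service.get(other, set())
    return sorted(mine)


def amazon_only_prefixes(ip_ranges_json):
    """Prefixes that appear only under AMAZON, with no narrower subset."""
    by_service = prefixes_by_service(ip_ranges_json)
    others = set().union(*(v for k, v in by_service.items() if k != "AMAZON"))
    return sorted(by_service.get("AMAZON", set()) - others)


def check_amazon_superset(ip_ranges_json):
    """Verify the documented invariant: every subset is also in AMAZON."""
    by_service = prefixes_by_service(ip_ranges_json)
    amazon = by_service.get("AMAZON", set())
    return all(v <= amazon for k, v in by_service.items() if k != "AMAZON")


if __name__ == "__main__":
    print("EC2 only:", exclusive_prefixes(SAMPLE_IP_RANGES, "EC2", ["S3"]))
    print("AMAZON only:", amazon_only_prefixes(SAMPLE_IP_RANGES))
    print("subsets within AMAZON:", check_amazon_superset(SAMPLE_IP_RANGES))
```

The difference is taken on exact prefix strings, which is how the text defines it; if a later file were to list a consumer's range as a more specific prefix than the provider's, you would need network containment (`ipaddress.ip_network(...).subnet_of`) rather than string equality.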

## Learn more


This section provides links to additional information for different service codes.
+ `AMAZON_APPFLOW` – [IP address ranges](https://docs.aws.amazon.com/appflow/latest/userguide/general.html)
+ `AMAZON_CONNECT` – [Set up your network](https://docs.aws.amazon.com/connect/latest/adminguide/ccp-networking.html)
+ `CHIME_MEETINGS` – [Configuring for media and signaling](https://docs.aws.amazon.com/chime-sdk/latest/dg/network-config.html#media-signaling)
+ `CLOUDFRONT` – [Locations and IP address ranges of CloudFront edge servers](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html)
+ `DYNAMODB` – [IP address ranges](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/AccessingDynamoDB.html#Using.IPRanges)
+ `EC2` – [Public IPV4 addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)
+ `EC2_INSTANCE_CONNECT` – [EC2 Instance Connect prerequisites](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-prerequisites.html#ec2-instance-connect-setup-security-group)
+ `GLOBALACCELERATOR` – [Location and IP address ranges of Global Accelerator edge servers](https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-ip-ranges.html)
+ `ROUTE53` – [IP address ranges of Amazon Route 53 servers](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-ip-addresses.html)
+ `ROUTE53_HEALTHCHECKS` – [IP address ranges of Amazon Route 53 servers](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-ip-addresses.html)
+ `ROUTE53_HEALTHCHECKS_PUBLISHING` – [IP address ranges of Amazon Route 53 servers](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-ip-addresses.html)
+ `WORKSPACES_GATEWAYS` – [PCoIP gateway servers](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html#gateway_IP)

## Release notes


The following table describes updates to the syntax of `ip-ranges.json`. We also add new Region codes with each Region launch.


| Description | Release date | 
| --- | --- | 
| Added the IVS_LOW_LATENCY service code. | July 29, 2025 | 
| Added the AURORA_DSQL service code. | May 21, 2025 | 
| Added the IVS_REALTIME service code. | June 11, 2024 | 
| Added the MEDIA_PACKAGE_V2 service code. | May 9, 2023 | 
| Added the CLOUDFRONT_ORIGIN_FACING service code. | October 12, 2021 | 
| Added the ROUTE53_RESOLVER service code. | June 24, 2021 | 
| Added the EBS service code. | May 12, 2021 | 
| Added the KINESIS_VIDEO_STREAMS service code. | November 19, 2020 | 
| Added the CHIME_MEETINGS and CHIME_VOICECONNECTOR service codes. | June 19, 2020 | 
| Added the AMAZON_APPFLOW service code. | June 9, 2020 | 
| Added support for the network border group. | April 7, 2020 | 
| Added the WORKSPACES_GATEWAYS service code. | March 30, 2020 | 
| Added the ROUTE53_HEALTHCHECKS_PUBLISHING service code. | January 30, 2020 | 
| Added the API_GATEWAY service code. | September 26, 2019 | 
| Added the EC2_INSTANCE_CONNECT service code. | June 26, 2019 | 
| Added the DYNAMODB service code. | April 25, 2019 | 
| Added the GLOBALACCELERATOR service code. | December 20, 2018 | 
| Added the AMAZON_CONNECT service code. | June 20, 2018 | 
| Added the CLOUD9 service code. | June 20, 2018 | 
| Added the CODEBUILD service code. | April 19, 2018 | 
| Added the S3 service code. | February 28, 2017 | 
| Added support for IPv6 address ranges. | August 22, 2016 | 
| Initial release | November 19, 2014 | 

# AWS IP address ranges notifications

AWS publishes its current IP address ranges in JSON format. Whenever there is a change to the AWS IP address ranges, we send notifications to subscribers of the Amazon SNS topic named `AmazonIpSpaceChanged`. For more information about the syntax of the JSON file, see [Syntax for AWS IP address range JSON](aws-ip-syntax.md).

The payload of the notification contains information in the following format.

```
{
  "create-time":"yyyy-mm-ddThh:mm:ss+00:00",
  "synctoken":"0123456789",
  "md5":"6a45316e8bc9463c9e926d5d37836d33",
  "url":"https://ip-ranges.amazonaws.com/ip-ranges.json"
}
```

**create-time**  
The creation date and time.  
Notifications could be delivered out of order. Therefore, we recommend that you check the timestamps to ensure the correct order.

**synctoken**  
The publication time, in Unix epoch time format.

**md5**  
The cryptographic hash value of the `ip-ranges.json` file. You can use this value to check whether the downloaded file is corrupted.

**url**  
The location of the `ip-ranges.json` file. For more information, see [Download the JSON file](aws-ip-ranges.md#aws-ip-download).
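The following Python script is an added example, not part of the AWS documentation. It shows how a subscriber would act on an `AmazonIpSpaceChanged` payload: reject a notification whose `synctoken` is not newer than the last one applied (notifications can arrive out of order), download the file, compare its MD5 with the `md5` field to detect a corrupted download, and confirm that the `syncToken` inside the file matches the notification. The notification, file bytes and stored token are constructed for the example; `fetch` is a hypothetical callable you replace with an HTTPS download that verifies the server's TLS certificate.

```python
"""Validate an AmazonIpSpaceChanged notification against the downloaded file (added example)."""
import hashlib
import json

# Constructed file body in the ip-ranges.json syntax (not real AWS data).
SAMPLE_FILE = json.dumps({
    "syncToken": "1723106535",
    "createDate": "2024-08-08-08-42-15",
    "prefixes": [{"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
                  "network_border_group": "us-east-1", "service": "AMAZON"}],
    "ipv6_prefixes": [],
}).encode()

# Constructed notification in the documented payload format.
SAMPLE_NOTIFICATION = json.dumps({
    "create-time": "2024-08-08T08:42:15+00:00",
    "synctoken": "1723106535",
    "md5": hashlib.md5(SAMPLE_FILE).hexdigest(),
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
})


class StaleNotification(Exception):
    """The notification is not newer than the one already applied."""


class IntegrityError(Exception):
    """The downloaded bytes do not match what the notification describes."""


def process_notification(message, last_synctoken, fetch):
    """Return (synctoken, parsed file) once every check passes.

    `fetch(url)` must return the raw bytes of the file at `url`; in
    production that is an HTTPS client that verifies the certificate.
    """
    note = json.loads(message)
    token = int(note["synctoken"])
    if last_synctoken is not None and token <= int(last_synctoken):
        raise StaleNotification(f"synctoken {token} <= last {last_synctoken}")
    body = fetch(note["url"])
    if hashlib.md5(body).hexdigest() != note["md5"]:
        raise IntegrityError("md5 of downloaded file differs from notification")
    data = json.loads(body)
    if data["syncToken"] != note["synctoken"]:
        # The published file has moved on since this notification was sent
        # (or the notification is stale); retry later rather than apply it.
        raise IntegrityError("syncToken inside file differs from notification")
    return note["synctoken"], data


def notification_status(message, last_synctoken, fetch):
    """Classify a notification as 'applied', 'stale' or 'corrupt'."""
    try:
        process_notification(message, last_synctoken, fetch)
    except StaleNotification:
        return "stale"
    except IntegrityError:
        return "corrupt"
    return "applied"


if __name__ == "__main__":
    token, ranges = process_notification(SAMPLE_NOTIFICATION, None,
                                         lambda url: SAMPLE_FILE)
    print(token, len(ranges["prefixes"]))
```

The MD5 comparison serves the purpose the text gives it, detecting a corrupted download; the integrity of the transfer itself rests on the TLS certificate verification called for in the Download section, and the stored `synctoken` is what lets a subscriber ignore notifications that arrive late.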

You can subscribe to receive notifications as follows.

**To subscribe to AWS IP address range notifications**

1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation bar, change the Region to **US East (N. Virginia)**, if necessary. You must select this Region because the SNS notifications that you are subscribing to were created in this Region.

1. In the navigation pane, choose **Subscriptions**.

1. Choose **Create subscription**.

1. In the **Create subscription** dialog box, do the following:

   1. For **Topic ARN**, copy the following Amazon Resource Name (ARN):

      ```
      arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
      ```

   1. For **Protocol**, choose the protocol to use (for example, `Email`).

   1. For **Endpoint**, type the endpoint to receive the notification (for example, your email address).

   1. Choose **Create subscription**.

1. You'll be contacted on the endpoint that you specified and asked to confirm your subscription. For example, if you specified an email address, you'll receive an email message with the subject line `AWS Notification - Subscription Confirmation`. Follow the directions to confirm your subscription.

Notifications are subject to the availability of the endpoint. Therefore, you might want to check the JSON file periodically to ensure that you've got the latest ranges. For more information about Amazon SNS reliability, see [https://aws.amazon.com/sns/faqs/#Reliability](https://aws.amazon.com/sns/faqs/#Reliability).

If you no longer want to receive these notifications, use the following procedure to unsubscribe.

**To unsubscribe from AWS IP address ranges notifications**

1. Open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation pane, choose **Subscriptions**.

1. Select the check box for the subscription.

1. Choose **Actions**, **Delete subscriptions**.

1. When prompted for confirmation, choose **Delete**.

For more information about Amazon SNS, see the *[Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/)*.

# IPv6 support for your VPC


If you have an existing VPC that supports IPv4 only, and resources in your subnet that are configured to use IPv4 only, you can add IPv6 support for your VPC and resources. Your VPC can operate in dual-stack mode — your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 communication are independent of each other.

You cannot disable IPv4 support for your VPC and subnets; this is the default IP addressing system for Amazon VPC and Amazon EC2.

**Considerations**
+ There is no migration path from IPv4-only subnets to IPv6-only subnets.
+ This example assumes that you have an existing VPC with public and private subnets. For information about creating a new VPC for use with IPv6, see [Create a VPC](create-vpc.md).
+ Before you begin using IPv6, ensure that you have read the features of IPv6 addressing for Amazon VPC: [Compare IPv4 and IPv6](ipv4-ipv6-comparison.md).

**Topics**
+ [Add IPv6 support for your VPC](vpc-migrate-ipv6-add.md)
+ [Example dual-stack VPC configuration](vpc-migrate-ipv6-example.md)

# Add IPv6 support for your VPC


The following table provides an overview of the process to enable IPv6 for your VPC.

**Topics**
+ [Step 1: Associate an IPv6 CIDR block with your VPC and subnets](#vpc-migrate-ipv6-cidr)
+ [Step 2: Update your route tables](#vpc-migrate-ipv6-routes)
+ [Step 3: Update your security group rules](#vpc-migrate-ipv6-sg-rules)
+ [Step 4: Assign IPv6 addresses to your instances](#vpc-migrate-assign-ipv6-address)


| Step | Notes | 
| --- | --- | 
| [Step 1: Associate an IPv6 CIDR block with your VPC and subnets](#vpc-migrate-ipv6-cidr) | Associate an Amazon-provided or BYOIP IPv6 CIDR block with your VPC and with your subnets. | 
| [Step 2: Update your route tables](#vpc-migrate-ipv6-routes) | Update your route tables to route your IPv6 traffic. For a public subnet, create a route that routes all IPv6 traffic from the subnet to the internet gateway. For a private subnet, create a route that routes all internet-bound IPv6 traffic from the subnet to an egress-only internet gateway. | 
| [Step 3: Update your security group rules](#vpc-migrate-ipv6-sg-rules) | Update your security group rules to include rules for IPv6 addresses. This enables IPv6 traffic to flow to and from your instances. If you've created custom network ACL rules to control the flow of traffic to and from your subnet, you must include rules for IPv6 traffic. | 
| [Step 4: Assign IPv6 addresses to your instances](#vpc-migrate-assign-ipv6-address) | Assign IPv6 addresses to your instances from the IPv6 address range of your subnet. | 

## Step 1: Associate an IPv6 CIDR block with your VPC and subnets


You can associate an IPv6 CIDR block with your VPC, and then associate a `/64` CIDR block from that range with each subnet.

**To associate an IPv6 CIDR block with a VPC**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Your VPCs**.

1. Select your VPC.

1. Choose **Actions**, **Edit CIDRs** and then choose **Add new IPv6 CIDR**.

1. Select one of the following options, and then choose **Select CIDR**:
   + **Amazon-provided IPv6 CIDR block** – Use an IPv6 CIDR block from Amazon's pool of IPv6 addresses. For **Network Border Group**, choose the group from which AWS advertises IP addresses.
   + **IPAM-allocated IPv6 CIDR block** – Use an IPv6 CIDR block from an [IPAM pool](https://docs.aws.amazon.com/vpc/latest/ipam/how-it-works-ipam.html). Choose the IPAM pool and the IPv6 CIDR block.
   + **IPv6 CIDR owned by me** – Use an IPv6 CIDR block from your IPv6 address pool ([BYOIP](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html)). Choose the IPv6 address pool and the IPv6 CIDR block.

1. Choose **Close**.

**To associate an IPv6 CIDR block with a subnet**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Subnets**.

1. Select a subnet.

1. Choose **Actions**, **Edit IPv6 CIDRs** and then choose **Add IPv6 CIDR**.

1. Edit the CIDR block as needed (for example, replace the `00`).

1. Choose **Save**.

1. Repeat this procedure for any other subnets in your VPC.

For more information, see [IPv6 VPC CIDR blocks](vpc-cidr-blocks.md#vpc-sizing-ipv6).

## Step 2: Update your route tables


When you associate an IPv6 CIDR block with your VPC, we automatically add a local route to each route table for the VPC to allow IPv6 traffic within the VPC.

You must update the route tables for your public subnets to enable instances (such as web servers) to use the internet gateway for IPv6 traffic. You must also update the route tables for your private subnets to enable instances (such as database instances) to use an egress-only internet gateway for IPv6 traffic, because NAT gateways do not support IPv6.

**To update the route table for a public subnet**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Subnets**. Select the public subnet. On the **Route table** tab, choose the route table ID to open the details page for the route table.

1. Select the route table. On the **Routes** tab, choose **Edit routes**.

1. Choose **Add route**. Choose `::/0` for **Destination**. Choose the ID of the internet gateway for **Target**.

1. Choose **Save changes**.

**To update the route table for a private subnet**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Egress-only internet gateways**. Choose **Create egress only internet gateway**. Choose your VPC from **VPC**, and then choose **Create egress only internet gateway**.

   For more information, see [Enable outbound IPv6 traffic using an egress-only internet gateway](egress-only-internet-gateway.md).

1. In the navigation pane, choose **Subnets**. Select the private subnet. On the **Route table** tab, choose the route table ID to open the details page for the route table.

1. Select the route table. On the **Routes** tab, choose **Edit routes**.

1. Choose **Add route**. Choose `::/0` for **Destination**. Choose the ID of the egress-only internet gateway for **Target**.

1. Choose **Save changes**.

**Note**  
A route table cannot have the same destination (::/0) pointing to both an internet gateway and an egress-only internet gateway simultaneously. If you receive an error message stating "There are existing ipv6 routes with next hop as internet Gateway" when configuring an egress-only internet gateway, you must first remove the existing IPv6 route to the internet gateway before adding the route to the egress-only internet gateway.

For more information, see [Example routing options](route-table-options.md).

## Step 3: Update your security group rules


To enable your instances to send and receive traffic over IPv6, you must update your security group rules to include rules for IPv6 addresses. In the example above, you can update the web server security group (`sg-11aa22bb11aa22bb1`) to add rules that allow inbound HTTP, HTTPS, and SSH access from IPv6 addresses. You don't need to make any changes to the inbound rules for your database security group; the rule that allows all communication from `sg-11aa22bb11aa22bb1` includes IPv6 communication.

**To update your inbound security group rules**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Security groups** and select your web server security group.

1. In the **Inbound rules** tab, choose **Edit inbound rules**.

1. For each rule that allows IPv4 traffic, choose **Add rule** and configure the rule to allow the corresponding IPv6 traffic. For example, to add a rule that allows all HTTP traffic over IPv6, choose **HTTP** for **Type** and `::/0` for **Source**.

1. When you are finished adding rules, choose **Save rules**.

**Update your outbound security group rules**  
When you associate an IPv6 CIDR block with your VPC, we automatically add an outbound rule to the security groups for the VPC that allows all IPv6 traffic. However, if you modified the original outbound rules for your security group, this rule is not automatically added, and you must add equivalent outbound rules for IPv6 traffic.
<a name="vpc-migrate-ipv6-nacl-rules"></a>
**Update your network ACL rules**  
When you associate an IPv6 CIDR block with a VPC, we automatically add rules to the default network ACL to allow IPv6 traffic. However, if you modified your default network ACL or if you've created a custom network ACL, you must manually add rules for IPv6 traffic. For more information, see [Add and delete rules](create-network-acl.md#Rules).
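
The mirroring rule in Step 3 is mechanical for rules open to the whole internet but not for rules scoped to a particular IPv4 range. The following Python is an added example, not part of this guide: it takes security group rules in the `IpPermissions` shape the EC2 API returns (the sample rules and the group ID are constructed for the example), produces the IPv6 entries to add, and separates out the rules that need a human decision so that a port restricted to one IPv4 network is not silently opened to `::/0`. It also checks the outbound rules for the all-traffic `::/0` rule that is only added automatically when the default egress rule was never edited.

```python
# Constructed inbound rules for the web server security group, in the shape
# the EC2 API returns (IpPermissions). Not taken from a real account.
WEB_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    # SSH restricted to one office IPv4 range: there is no IPv6 equivalent the
    # tool can derive, so it must not be widened to ::/0 automatically.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]
# Database group: allows all traffic from the web server group (constructed ID).
DB_INGRESS = [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-11aa22bb11aa22bb1"}]},
]


def ipv6_rules_to_add(permissions):
    """Return (additions, review) for a list of IpPermissions.

    additions: IpPermissions entries whose Ipv6Ranges mirror the IPv4 rules
               that are open to the whole internet (0.0.0.0/0 -> ::/0).
    review:    (protocol, from_port, to_port, cidr) for IPv4 rules scoped to a
               specific range; a person must pick the matching IPv6 range.
    Rules keyed on a security group ID already cover IPv6 and are skipped.
    """
    additions, review = [], []
    for perm in permissions:
        existing_v6 = {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if cidr == "0.0.0.0/0":
                if "::/0" not in existing_v6:  # idempotent on a second run
                    new = {k: v for k, v in perm.items()
                           if k in ("IpProtocol", "FromPort", "ToPort")}
                    new["Ipv6Ranges"] = [{"CidrIpv6": "::/0"}]
                    additions.append(new)
            else:
                review.append((perm["IpProtocol"], perm.get("FromPort"),
                               perm.get("ToPort"), cidr))
    return additions, review


def egress_allows_all_ipv6(egress):
    """True if the outbound rules contain the all-traffic ::/0 rule."""
    for perm in egress:
        if perm["IpProtocol"] == "-1" and any(
                r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", [])):
            return True
    return False
```

`additions` is already in the shape that the boto3 call `ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=additions)` accepts; the `review` list is the part of the job that stays manual.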

## Step 4: Assign IPv6 addresses to your instances


All current generation instance types support IPv6. If your instance type does not support IPv6, you must resize the instance to a supported instance type before you can assign an IPv6 address. The process that you'll use depends on whether the new instance type that you choose is compatible with the current instance type. For more information, see [Change the instance type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html) in the *Amazon EC2 User Guide*. If you must launch an instance from a new AMI to support IPv6, you can assign an IPv6 address to your instance during launch.

After you've verified that your instance type supports IPv6, you can assign an IPv6 address to your instance using the Amazon EC2 console. The IPv6 address is assigned to the primary network interface (for example, eth0) for the instance. For more information, see [Assign an IPv6 address to an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#assign-ipv6-address) in the *Amazon EC2 User Guide*.

You can connect to an instance using its IPv6 address. For more information, see [Connect to your Linux instance using an SSH client](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-ssh.html#connect-linux-inst-sshClient) in the *Amazon EC2 User Guide*.

If you launched your instance using an AMI for a current version of your operating system, your instance is configured for IPv6. If you can't ping an IPv6 address from your instance, refer to the documentation for your operating system to configure IPv6.

# Example dual-stack VPC configuration
Example dual-stack VPC

With a dual-stack configuration, you can use both IPv4 and IPv6 addresses for communication between resources in your VPC and resources over the internet.

The following diagram represents the architecture of your VPC. Your VPC has a public subnet and a private subnet. The VPC and subnets have both an IPv4 CIDR block and an IPv6 CIDR block. There is an EC2 instance in the private subnet that has both an IPv4 address and an IPv6 address. The instance can send outbound IPv4 traffic to the internet using a NAT gateway and outbound IPv6 traffic to the internet using an egress-only internet gateway.

![\[A VPC with a public subnet, private subnet, NAT gateway, internet gateway, and egress-only internet gateway.\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-example-dual-stack.png)


**Route table for public subnet**  
The following is the route table for the public subnet. The first two entries are the local routes. The third entry sends all IPv4 traffic to the internet gateway. Note that the fourth entry is necessary only if you plan to launch EC2 instances with IPv6 addresses in the public subnet.


| Destination | Target | 
| --- | --- | 
| VPC IPv4 CIDR | local | 
| VPC IPv6 CIDR | local | 
| 0.0.0.0/0 | internet-gateway-id | 
| ::/0 | internet-gateway-id | 

**Route table for the private subnet**  
The following is the route table for the private subnet. The first two entries are the local routes. The third entry sends all IPv4 traffic to the NAT gateway. The last entry sends all IPv6 traffic to the egress-only internet gateway.


| Destination | Target | 
| --- | --- | 
| VPC IPv4 CIDR | local | 
| VPC IPv6 CIDR | local | 
| 0.0.0.0/0 | nat-gateway-id | 
| ::/0 | egress-only-gateway-id | 
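
The two tables above, together with the rules from Step 2, can be checked mechanically. The following Python is an added example, not part of this guide: it takes route tables in the shape the EC2 `DescribeRouteTables` API returns (the route tables, gateway IDs and the `10.0.0.0/16` IPv4 block are constructed for the example), reports the IPv6 routing mistakes that affect exposure, and plans the ordered API calls that the note in Step 2 requires when a private subnet's `::/0` route points at the internet gateway.

```python
# Constructed route tables for the dual-stack example: a public and a private
# subnet, plus a private table someone "fixed" by copying the public one's
# IPv6 default route. Gateway IDs are placeholders, not from a real account.
PUBLIC_RT = {
    "RouteTableId": "rtb-public",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationIpv6CidrBlock": "2001:db8:1234:1a00::/56", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example"},
    ],
}
PRIVATE_RT = {
    "RouteTableId": "rtb-private",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationIpv6CidrBlock": "2001:db8:1234:1a00::/56", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0example"},
    ],
}
BAD_PRIVATE_RT = {
    "RouteTableId": "rtb-private-bad",
    "Routes": PRIVATE_RT["Routes"][:3] + [
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example"},
    ],
}


def ipv6_target(route):
    """Classify a route's next hop the way the EC2 API reports it."""
    if route.get("EgressOnlyInternetGatewayId"):
        return "eigw"
    gw = route.get("GatewayId", "")
    if gw == "local":
        return "local"
    if gw.startswith("igw-"):
        return "igw"
    if route.get("NatGatewayId"):
        return "nat"
    return "other"


def check_ipv6_routes(route_table, subnet_is_public):
    """Return findings (empty list means OK) for a route table's IPv6 routes.

    Encodes the rules from Step 2: the VPC IPv6 CIDR has a local route, a
    public subnet sends ::/0 to the internet gateway, a private subnet sends
    ::/0 to an egress-only internet gateway, and ::/0 never goes to both.
    """
    findings = []
    v6 = [r for r in route_table["Routes"] if "DestinationIpv6CidrBlock" in r]
    if not any(ipv6_target(r) == "local" for r in v6):
        findings.append("no local IPv6 route: the VPC has no IPv6 CIDR associated")
    defaults = {ipv6_target(r) for r in v6 if r["DestinationIpv6CidrBlock"] == "::/0"}
    if "igw" in defaults and "eigw" in defaults:
        findings.append("::/0 points to both an internet gateway and an egress-only internet gateway")
    if "nat" in defaults:
        findings.append("::/0 points to a NAT gateway, which does not forward IPv6 traffic")
    if subnet_is_public:
        if "igw" not in defaults:
            findings.append("public subnet has no ::/0 route to the internet gateway")
    else:
        if "igw" in defaults:
            findings.append("private subnet routes ::/0 to the internet gateway: "
                            "its globally routable IPv6 instances are reachable inbound")
        if "eigw" not in defaults:
            findings.append("private subnet has no ::/0 route to an egress-only internet gateway")
    return findings


def plan_private_fix(route_table, eigw_id):
    """Ordered EC2 API calls (name, params) that move a private subnet's ::/0
    from the internet gateway to the egress-only internet gateway. The delete
    comes first because the API refuses a second ::/0 next hop while the
    internet gateway route still exists."""
    steps = []
    rtb = route_table["RouteTableId"]
    for r in route_table["Routes"]:
        if r.get("DestinationIpv6CidrBlock") == "::/0" and ipv6_target(r) == "igw":
            steps.append(("delete_route", {"RouteTableId": rtb, "DestinationIpv6CidrBlock": "::/0"}))
    if not any(r.get("DestinationIpv6CidrBlock") == "::/0" and ipv6_target(r) == "eigw"
               for r in route_table["Routes"]):
        steps.append(("create_route", {"RouteTableId": rtb, "DestinationIpv6CidrBlock": "::/0",
                                       "EgressOnlyInternetGatewayId": eigw_id}))
    return steps
```

The `(name, params)` pairs map directly onto the boto3 EC2 client methods `delete_route` and `create_route` with those keyword arguments, so the plan can be reviewed before anything is changed.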

# AWS services that support IPv6
IPv6 support on AWS

Computers and smart devices use IP addresses to communicate with each other over the internet and other networks. As the internet continues to grow, so does the need for IP addresses. The most common format for IP addresses is IPv4. The new format for IP addresses is IPv6, which provides a larger address space than IPv4.

AWS service support for IPv6 takes the form of dual stack (IPv4 and IPv6) configurations or IPv6-only configurations. For example, a virtual private cloud (VPC) is a logically isolated section of the AWS Cloud where you can launch AWS resources. Within a VPC, you can create subnets that are IPv4 only, dual stack, or IPv6 only.

AWS services support access through public endpoints. Some AWS services also support access using private endpoints powered by AWS PrivateLink. AWS services can support IPv6 through their private endpoints even if they do not support IPv6 through their public endpoints. Endpoints that support IPv6 can respond to DNS queries with AAAA records.

## Services that support IPv6


The following table lists the AWS services that provide dual stack support, IPv6 only support, and endpoints that support IPv6. We will update this table as we release additional support for IPv6. For the specifics about how a service supports IPv6, refer to the documentation for the service.


| Service name | Dual stack support | IPv6 only support | Public endpoints support IPv6 | Private endpoints support IPv6 <sup>1</sup> | 
| --- | --- | --- | --- | --- | 
| AWS Amplify | Yes | No | Yes |  | 
| Amazon API Gateway | Yes | No | Yes | Yes | 
| AWS App Mesh | Yes | Yes | Yes | No | 
| AWS App Runner | Yes | No | Yes | Yes | 
| AWS AppConfig | [Yes](https://docs.aws.amazon.com/appconfig/latest/userguide/setting-up-IPv6.html) | No | Yes | Yes | 
| Application Auto Scaling | No | No | Yes | Yes | 
| AWS Application Discovery Service | Yes | No | Yes | Yes | 
| Application Recovery Controller (ARC) | Yes | No | Yes |  | 
| Amazon WorkSpaces Applications | Yes | No | No | No | 
| AWS AppSync <sup>2</sup> | Partial | No | Partial | Yes | 
| Amazon Athena | Yes | No | Yes | [Yes](https://aws.amazon.com/about-aws/whats-new/2023/05/amazon-athena-ipv6-endpoints-inbound-connections/) | 
| AWS Audit Manager | No | No | Yes | Yes | 
| Amazon Aurora | [Yes](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.IP_addressing) | No | Yes | No | 
| Amazon Aurora DSQL | No | No | Yes | Yes | 
| AWS Auto Scaling | No | No | Yes | Yes | 
| AWS B2B Data Interchange | Yes | No | Yes | Yes | 
| AWS Backup | Yes | No | [Yes](https://docs.aws.amazon.com/general/latest/gr/bk.html) | [Yes](https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-network.html#backup-privatelink) | 
| AWS Batch | [Yes](https://docs.aws.amazon.com/batch/latest/userguide/vpc-interface-endpoints.html) | No | Yes | Yes | 
| Amazon Bedrock | No | No | Yes | Yes | 
| AWS Billing and Cost Management Data Exports | Yes | No | Yes | Yes | 
| AWS Billing and Cost Management Pricing Calculator | Yes | No | Yes | Yes | 
| AWS Billing Conductor | Yes | No | Yes | Yes | 
| AWS Budgets | Yes | No | Yes |  | 
| Amazon Braket | Yes | Yes | Yes | Yes | 
| AWS Certificate Manager | Yes | No | Yes | No | 
| Amazon Chime SDK | Yes | No | Yes |  | 
| Amazon Comprehend | Yes | Yes | Yes | Yes | 
| AWS Clean Rooms | Yes | Yes | Yes | Yes | 
| AWS Clean Rooms ML | Yes | Yes | Yes | Yes | 
| AWS Cloud9 | [Yes](https://docs.aws.amazon.com/cloud9/latest/user-guide/vpc-settings.html) | No | Yes |  | 
| AWS Cloud Control API | Yes | No | Yes | Yes | 
| CloudFormation | No | No | Yes | Yes | 
| Amazon CloudFront | [Yes](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-enable-ipv6.html) | [Yes](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-enable-ipv6.html) | [Yes](https://docs.aws.amazon.com/general/latest/gr/cf_region.html) |  | 
| AWS CloudHSM | Yes | No | [Yes](https://docs.aws.amazon.com/cloudhsm/latest/userguide/ip-access.html) | [Yes](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm-vpc-endpoint.html) | 
| AWS CloudTrail | Yes | No | Yes | Yes | 
| Amazon CloudWatch | Yes | Yes | Yes | Yes | 
| Amazon CloudWatch Application Insights | No | No | Yes | Yes | 
| Amazon CloudWatch Internet Monitor | No | No | Yes | Yes | 
| Amazon CloudWatch Logs | Yes | Yes | Yes | Yes | 
| Amazon CloudWatch Observability Access Manager | Yes | Yes | Yes |  | 
| Amazon CloudWatch Synthetics | Yes | No | [Yes](https://aws.amazon.com/about-aws/whats-new/2025/01/amazon-cloudwatch-synthetics-ipv6-support/) | Yes | 
| AWS Cloud Map | [Yes](https://docs.aws.amazon.com/cloud-map/latest/dg/registering-instances.html) | Yes | Yes | Yes | 
| AWS Cloud WAN | Yes | No | Yes | No | 
| AWS CodeArtifact | Yes | No | Yes | Yes | 
| Amazon Connect Customer Profiles | Yes | No | Yes | Yes | 
| AWS CodeBuild | No | No | Yes | Yes | 
| AWS CodeCommit | No | No | Yes | Yes | 
| AWS CodeDeploy | No | No | Yes | Yes | 
| AWS Compute Optimizer | No | No | Yes | Yes | 
| Amazon Comprehend Medical | No | No | Yes | Yes | 
| Amazon CodeGuru Profiler | Yes | No | Yes | Yes | 
| Amazon Cognito | Yes | No | Yes |  | 
| AWS Config | No | No | Yes | Yes | 
| AWS Control Tower | No | No | Yes | Yes | 
| AWS Cost Explorer | Yes | No | Yes | Yes | 
| AWS Cost Optimization Hub | Yes | No | Yes | Yes | 
| AWS Data Exchange | No | No | Yes | Yes | 
| Amazon Data Firehose | No | No | Yes | Yes | 
| Amazon Data Lifecycle Manager | Yes | No | Yes | Yes | 
| AWS Database Migration Service | [Yes](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.IPAddressing.html) | No | No | Yes | 
| AWS DataSync | [Yes](https://docs.aws.amazon.com/datasync/latest/userguide/datasync-network.html#ipv6-support) | Yes | Yes | Yes | 
| Amazon DataZone | No | No | Yes | Yes | 
| AWS Deadline Cloud | Yes | No | Yes | [Yes](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/vpc-interface-endpoints.html) | 
| Amazon Detective | Yes | Yes | [Yes](https://docs.aws.amazon.com/general/latest/gr/detective.html) |  | 
| Direct Connect | Yes | Yes | No | Yes | 
| Directory Service | No | No | Yes | Yes | 
| Amazon EBS direct APIs | Yes | No | Yes | Yes | 
| Amazon EC2 | [Yes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#ipv6-addressing) | Yes | [Yes](https://docs.aws.amazon.com/ec2/latest/devguide/ec2-endpoints.html) | No | 
| EC2 Image Builder | Yes | Yes | Yes | Yes | 
| Amazon ECR | Yes | No | [Yes](https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-ecr-support-ipv6/) | No | 
| Amazon ECS | [Yes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html) | Yes | Yes | Yes | 
| Amazon EFS | [Yes](https://docs.aws.amazon.com/efs/latest/ug/manage-fs-access-create-delete-mount-targets.html) | Yes | [Yes](https://aws.amazon.com/about-aws/whats-new/2025/06/amazon-efs-internet-protocol-version-6/) | Yes | 
| Amazon EKS | [Partial](https://docs.aws.amazon.com/eks/latest/userguide/network-reqs.html#network-requirements-ip-table) | [Partial](https://docs.aws.amazon.com/eks/latest/userguide/network-reqs.html#network-requirements-ip-table) | Yes | Yes | 
| Amazon EMR | No | No | Yes | Yes | 
| AWS Elastic Beanstalk | [Yes](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-elbv2-ipv6-dualstack.html) | No | [Yes](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-vpce.html#vpc-vpce.ipv6) | [Yes](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-vpce.html#vpc-vpce.ipv6) | 
| AWS Elastic Disaster Recovery | No | No | Yes | Yes | 
| Elastic Load Balancing | [Partial](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#ip-address-types) | [Partial](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#ip-address-types) | Yes | No | 
| Amazon ElastiCache | [Yes](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/network-type.html) | Yes | No | Yes | 
| AWS Elemental MediaConvert | No | No | Yes | Yes | 
| AWS Elemental MediaConnect | Yes | Yes | Yes | Partial | 
| AWS End User Messaging Social | Yes | No | Yes | No | 
| AWS Entity Resolution | Yes | No | Yes | Yes | 
| Amazon EventBridge | No | No | Yes | Yes | 
| AWS Fargate | [Yes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-task-networking.html) | No | Yes | Yes | 
| Amazon FSx | No | No | [Yes](https://docs.aws.amazon.com/general/latest/gr/fsxn.html) | [Yes](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/fsx-vpc-endpoints.html) | 
| Amazon GameLift Streams | Yes | No | [Yes](https://docs.aws.amazon.com/general/latest/gr/gameliftstreams.html) | Yes | 
| AWS Global Accelerator | [Yes](https://aws.amazon.com/about-aws/whats-new/2022/07/aws-global-accelerator-announces-ipv6-support/) | No | Yes |  | 
| AWS Glue | Yes | No | No | Yes | 
| AWS Glue DataBrew | No | No | Yes | Yes | 
| Amazon Managed Grafana <sup>3</sup> | Yes | No | Yes | Yes | 
| AWS Ground Station <sup>4</sup> | Yes | No | Yes | Yes | 
| Amazon GuardDuty | No | No | Yes | Yes | 
| AWS HealthImaging | No | No | Yes | Yes | 
| AWS HealthLake | No | No | Yes | Yes | 
| AWS HealthOmics | No | No | Yes | Yes | 
| AWS Identity and Access Management (IAM) | [Yes](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_dual-stack_endpoint_support.html) | Yes | Yes | No | 
| AWS IAM Access Analyzer | [Yes](https://aws.amazon.com/about-aws/whats-new/2025/03/iam-access-analyzer-supports-ipv6/) | No | Yes | Yes | 
| AWS IAM Identity Center | Yes | No | Yes |  | 
| AWS IAM Roles Anywhere | No | No | Yes | Yes | 
| Amazon Inspector | Yes | Yes | Yes | Yes | 
| Amazon Interactive Video Service (IVS) <sup>5</sup> | Yes | No | Yes | Yes | 
| AWS IoT Core | Yes | No | [Yes](https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html) | Yes | 
| AWS IoT Device Defender | Yes | No | Yes | No | 
| AWS IoT Device Management | Yes | No | Yes | No | 
| AWS IoT FleetWise | Yes | No | [Yes](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/fleetwise-ipv6-access.html) | Yes | 
| AWS IoT Greengrass | Yes | No | Yes | No | 
| AWS IoT SiteWise | Yes | No | Yes | Yes | 
| AWS IoT TwinMaker | Yes | No | Yes | Yes | 
| AWS IoT Wireless | Yes | No | [Yes](https://docs.aws.amazon.com/iot-wireless/latest/developerguide/wireless-ipv6-access.html) | [Yes](https://docs.aws.amazon.com/iot-wireless/latest/developerguide/vpc-interface-endpoints.html) | 
| Amazon Kendra | No | No | Yes | No | 
| AWS Key Management Service | [Yes](https://docs.aws.amazon.com/kms/latest/developerguide/ipv6-kms.html) | [Partial](https://docs.aws.amazon.com/kms/latest/developerguide/ipv6-kms.html) | Yes | Yes | 
| Amazon Keyspaces | [Yes](https://docs.aws.amazon.com/keyspaces/latest/devguide/ipv6-support.html) | Yes | Yes | Yes | 
| Amazon Keyspaces CDC streams | Yes | Yes | Yes | Yes | 
| Amazon Kinesis Data Streams | Yes | No | Yes | Yes | 
| AWS Lake Formation | No | No | No | Yes | 
| AWS Lambda | [Yes](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#configuration-vpc-ipv6) | No | [Yes](https://aws.amazon.com/about-aws/whats-new/2021/12/aws-lambda-ipv6-endpoints-inbound-connections/) | Yes | 
| AWS Launch Wizard | No | No | Yes | Yes | 
| AWS License Manager | No | No | Yes | Yes | 
| Amazon Lightsail | [Yes](https://aws.amazon.com/about-aws/whats-new/2021/01/amazon-lightsail-supports-ipv6/) | [Yes](https://aws.amazon.com/about-aws/whats-new/2024/01/ipv6-instance-bundles-amazon-lightsail/) | [Yes](https://aws.amazon.com/about-aws/whats-new/2024/12/amazon-lightsail-api-endpoints-connectivity-ipv6/) | Yes | 
| Amazon Location Service | No | No | Yes | Yes | 
| Amazon MQ | No | No | Yes | Yes | 
| Amazon MWAA | No | No | Yes | Yes | 
| Amazon Macie | Yes | No | Yes | Yes | 
| AWS Mainframe Modernization | Yes | No | Yes | Yes | 
| Amazon Managed Service for Prometheus | Yes | No | Yes | Yes | 
| AWS Migration Hub Orchestrator | No | No | Yes | Yes | 
| AWS Network Firewall | [Yes](https://aws.amazon.com/about-aws/whats-new/2023/01/aws-network-firewall-ipv6-support/) | [Yes](https://aws.amazon.com/about-aws/whats-new/2023/04/aws-network-firewall-ipv6-only-subnets/) | No | Yes | 
| AWS Network Manager | Yes | No | Yes | No | 
| Amazon OpenSearch Service | [Yes](https://aws.amazon.com/about-aws/whats-new/2023/10/amazon-opensearch-service-ipv6/) | No | Yes |  | 
| AWS Organizations | Yes | No | Yes | Yes | 
| AWS Outposts | No | No | Yes | Yes | 
| Amazon Personalize | Yes | No | Yes | Yes | 
| Amazon Pinpoint | Yes | No | Yes | Yes | 
| Amazon Polly | Yes | No | Yes | Yes | 
| AWS Price List | No | No | Yes | No | 
| AWS Private Certificate Authority | Yes | No | Yes | Yes | 
| AWS Private CA Connector for Active Directory | Yes | No | Yes | Yes | 
| AWS Private CA Connector for SCEP | Yes | No | Yes | Yes | 
| AWS PrivateLink | Yes | Yes | Yes |  | 
| Amazon Q Business | No | No | Yes | No | 
| Amazon RDS | [Yes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.IP_addressing) | No | Yes | No | 
| Amazon RDS Data API | No | No | Yes | Yes | 
| Amazon RDS Performance Insights | No | No | Yes | Yes | 
| Amazon Redshift | Yes | No | Yes |  | 
| Amazon Rekognition | No | No | Yes | Yes | 
| Recycle Bin | Yes | No | Yes | Yes | 
| AWS re:Post Private | Yes | No | Yes | Yes | 
| AWS Resource Access Manager | Yes | No | Yes | Yes | 
| AWS Resource Explorer | Yes | No | Yes | No | 
| AWS Resource Groups | Yes | Yes | Yes | Yes | 
| AWS Resource Groups Tagging API | Yes | Yes | Yes | Yes | 
| Amazon Route 53 | Yes | Yes | Yes | Yes | 
| Amazon S3 | [Yes](https://docs.aws.amazon.com/AmazonS3/latest/API/ipv6-access.html) | No | [Yes](https://docs.aws.amazon.com/AmazonS3/latest/API/ipv6-access.html) | No | 
| Amazon S3 on Outposts | No | No | Yes | No | 
| Amazon SageMaker | No | No | Yes | Yes | 
| AWS Secrets Manager | Yes | No | [Yes](https://docs.aws.amazon.com/secretsmanager/latest/userguide/asm_access.html#endpoints) | Yes | 
| AWS Security Hub | No | No | Yes | Yes | 
| Amazon Security Lake | [Yes](https://aws.amazon.com/about-aws/whats-new/2025/04/amazon-security-lake-internet-protocol-version-6/) | No | [Yes](https://docs.aws.amazon.com/general/latest/gr/securitylake.html) | [Yes](https://docs.aws.amazon.com/security-lake/latest/userguide/security-vpc-endpoints.html) | 
| AWS Security Token Service | Yes | No | Yes | Yes | 
| AWS Service Catalog | No | No | Yes | Yes | 
| AWS Shield | Yes | Yes | No | Yes | 
| Amazon Simple Email Service | Yes | No | Yes | Yes | 
| Amazon Simple Notification Service | Yes | No | Yes | Yes | 
| Amazon Simple Queue Service | Yes | No | Yes | Yes | 
| Amazon Simple Workflow Service | Yes | No | Yes | Yes | 
| AWS Site-to-Site VPN | [Yes](https://docs.aws.amazon.com/vpn/latest/s2svpn/ipv4-ipv6.html) | No | [Yes](https://docs.aws.amazon.com/ec2/latest/devguide/ec2-endpoints.html) | No | 
| AWS Snow Family | No | No | Yes |  | 
| AWS Step Functions | Yes | No | Yes | Yes | 
| AWS Storage Gateway | Yes | Yes | Yes | Yes | 
| AWS Systems Manager | No | No | Yes | Yes | 
| AWS Systems Manager Incident Manager | No | No | Yes | Yes | 
| AWS Systems Manager for SAP | No | No | Yes | Yes | 
| Amazon Textract | No | No | Yes | Yes | 
| Amazon Timestream | No | No | Yes | Yes | 
| Amazon Transcribe | Yes | Yes | Yes | Yes | 
| AWS Transfer Family <sup>6</sup> | [Yes](https://docs.aws.amazon.com/transfer/latest/userguide/ipv6-support.html) | No | Yes | Yes | 
| AWS Transit Gateway | Yes | No | Yes | No | 
| Amazon Translate | Yes | Yes | Yes | Yes | 
| AWS Trusted Advisor | No | No | Yes | Yes | 
| AWS User Notifications | No | No | Yes | Yes | 
| Amazon Verified Permissions | Yes | No | Yes | Yes | 
| VMware Cloud on AWS | No | No | Yes | Yes | 
| Amazon VPC | [Yes](https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html#vpc-ip-addressing) | Yes | [Yes](https://docs.aws.amazon.com/ec2/latest/devguide/ec2-endpoints.html) | No | 
| Amazon VPC Lattice | No | No | Yes | Yes | 
| AWS WAF | [Yes](https://aws.amazon.com/about-aws/whats-new/2016/10/ipv6-support-for-cloudfront-waf-and-s3-transfer-acceleration/) | Yes | No |  | 
| AWS WAFV2 | No | No | Yes | Yes | 
| AWS Well-Architected Tool | No | No | Yes | Yes | 
| Amazon WorkMail | No | No | Yes | Yes | 
| Amazon WorkSpaces | [Yes](https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-vpc.html) | No | Yes | Yes | 
| AWS X-Ray | Yes | No | Yes | Yes | 

<sup>1</sup> An empty cell indicates that the service does not [integrate with AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html).

<sup>2</sup> This entry represents IPv6 support for AWS AppSync GraphQL and Event API configuration operations, through the [AWS AppSync SDK API](https://docs.aws.amazon.com/appsync/latest/APIReference/API_Operations.html). IPv6 is not supported for client connections to customer managed AWS AppSync GraphQL and Event APIs.

<sup>3</sup> This entry represents IPv6 support for Grafana *workspace management* operations, such as updating workspaces and workspace permissions. There is no IPv6 support for general Grafana workspace operations, such as creating and editing dashboards or querying data sources.

<sup>4</sup> This entry represents IPv6 support for AWS Ground Station *control plane* operations, such as calling the [AWS Ground Station API](https://docs.aws.amazon.com/ground-station/latest/APIReference/API_Operations.html). IPv6 is not supported by the AWS Ground Station *data plane*, so make sure the resources you are delivering data to (such as Amazon EC2 instances) are accessible over IPv4.

<sup>5</sup> This entry represents IPv6 support for Amazon IVS *control plane* operations, such as calling an [IVS endpoint](https://docs.aws.amazon.com/general/latest/gr/ivs.html).

<sup>6</sup> For more details on IPv6 support in AWS Transfer Family, see [IPv6 limitations](https://docs.aws.amazon.com/transfer/latest/userguide/ipv6-support.html#ipv6-limitations).

## Additional IPv6 support


**Compute**
+ Amazon EC2 supports launching instances based on the Nitro System into IPv6-only subnets.
+ Amazon EC2 provides IPv6 endpoints for Instance Metadata Service (IMDS) and Amazon Time Sync Service.

**Game Development**
+ Amazon GameLift Streams supports streaming over IPv6 on the Microsoft Windows Server 2022 Base runtime.

**Networking and Content Delivery**
+ Amazon VPC supports creating IPv6-only subnets.
+ Amazon VPC helps IPv6 AWS resources communicate with IPv4 resources by supporting DNS64 on your subnets and NAT64 on your NAT gateways.
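
DNS64 and NAT64 work by embedding an IPv4 address inside an IPv6 prefix. The following Python is an added example, not part of this guide: it uses the IANA well-known NAT64 prefix `64:ff9b::/96` from RFC 6052 (the prefix VPC DNS64 uses; its use here is an assumption of the example) to synthesize and decode translated addresses, and builds the route an IPv6-only subnet needs toward the NAT gateway. The addresses and the gateway ID are constructed for the example.

```python
import ipaddress

# The IANA well-known NAT64 prefix (RFC 6052). DNS64 on a subnet answers AAAA
# queries for IPv4-only names with addresses inside it, and a NAT gateway
# translates traffic sent to it back to IPv4. Assumed here for the example.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_nat64(ipv4: str) -> str:
    """Embed an IPv4 address in the NAT64 prefix, as DNS64 does in a AAAA answer."""
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4)))


def extract_ipv4(ipv6: str):
    """Recover the embedded IPv4 address from a NAT64 address.

    Returns None for an address outside the prefix, i.e. ordinary native IPv6
    that the NAT gateway would not translate.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def nat64_route(nat_gateway_id: str) -> dict:
    """The route an IPv6-only subnet's table needs so that NAT64 traffic reaches
    the NAT gateway (parameters in the shape of the EC2 CreateRoute call)."""
    return {"DestinationIpv6CidrBlock": str(NAT64_PREFIX), "NatGatewayId": nat_gateway_id}
```

`extract_ipv4` is the check to run when an IPv6-only instance reports an unexpected destination: a `64:ff9b::` address in flow logs is an IPv4 destination in disguise, and the IPv4 address it decodes to is the one your egress controls need to cover.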

**Security, Identity, and Compliance**
+ Amazon Detective supports IPv6 addresses in its network-related findings and entity profiles.
+ AWS Identity and Access Management (IAM) supports IPv6 addresses in IAM identity-based policies.
+ Amazon Macie supports IPv6 addresses in personally identifiable information (PII).
+ Amazon Security Lake supports IPv6 addresses across all operations on log sources and subscribers.

**Management and Governance**
+ AWS CloudTrail records include source IPv6 information.
+ AWS CLI v2 supports download over IPv6 connections for IPv6-only clients.

## Learn more

+ [IPv6 on AWS](https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/IPv6-on-AWS.html)
+ [Dual Stack and IPv6-only Amazon VPC Reference Architectures](https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/IPv6-reference-architectures-for-AWS-and-hybrid-networks-ra.pdf) (PDF)