Work with VPCs - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Work with VPCs

Use the following procedures to create and configure virtual private clouds (VPCs).

Create a VPC

Follow the steps in this section to create a VPC. When you create a VPC, you have two options:

  • VPC, subnets, and other VPC resources: Creates a VPC, subnets, NAT gateways, and VPC endpoints.

  • VPC only: Creates only a VPC without any additional resources like subnets or NAT gateways within the VPC.

Follow the steps in either section below depending on the option that fits your needs.

Create a VPC, subnets, and other VPC resources

In this step, you create a VPC, subnets in the Availability Zones you select, NAT gateways, and VPC endpoints.

To create a VPC, subnets, and other VPC resources

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Your VPCs, Create VPC.

  3. Under Resources to create, choose VPC and more.

  4. Modify the options as needed:

    • Name tag auto-generation: Choose the Name tag that will be applied to the resources you create. The tag can either be automatically generated for you or you can define the value. The defined value is used to generate the Name tag of every resource as "name-resource". For example, if you enter "Preproduction", each resource gets a Name tag that begins with "Preproduction-" followed by the resource type.

    • IPv4 CIDR block: Choose an IPv4 CIDR for the VPC. This option is required.

    • IPv6 CIDR block: Choose an IPv6 CIDR for the VPC.

    • Tenancy: Choose the tenancy option for this VPC.

      • Select Default to ensure that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched.

      • Select Dedicated to ensure that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch.

      For more information about tenancy see Configuring instance tenancy with a launch configuration in the Amazon EC2 Auto Scaling User Guide.

      Note

      If your Amazon Outposts require private connectivity, you must select Default. For more information about Amazon Outposts, see What is Amazon Outposts? in the Amazon Outposts User Guide.

    • Number of Availability Zones (AZs): Choose the number of AZs in which you want to create subnets. An AZ is one or more discrete data centers with redundant power, networking, and connectivity in an Amazon Region. AZs give you the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center. If you partition your applications running in subnets across AZs, you are better isolated and protected from issues such as power outages, lightning strikes, tornadoes, earthquakes, and more.

    • Customize AZs: Choose which AZs your subnets will be created in.

    • Number of public subnets: Choose the number of subnets you would like to be considered "public" subnets. A "public" subnet is a subnet whose route table has a route that points to an internet gateway. EC2 instances in such a subnet that also have a public IPv4 address (or an IPv6 address) can be reached from the internet, subject to their security groups and the subnet's network ACL.

    • Number of private subnets: Choose the number of subnets you would like to be considered "private" subnets. A "private" subnet is a subnet that does not have a route table entry that points to an internet gateway. Use private subnets to secure backend resources that do not need to be publicly accessible over the internet.

    • Customize subnets CIDR blocks: Choose the CIDR blocks for the public and or private subnets.

    • NAT gateways: Choose the number of AZs in which to create Network Address Translation (NAT) gateways. A NAT gateway is an Amazon-managed service that enables EC2 instances in private subnets to send outbound traffic to the internet. Resources on the internet, however, cannot establish a connection with the instances. Note that there is cost associated with NAT gateways. For more information, see NAT gateways.

    • VPC endpoints: Choose whether to create a gateway VPC endpoint for Amazon S3. A VPC endpoint enables you to privately connect your VPC to supported Amazon services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. For more information, see Gateway VPC endpoints in the Amazon PrivateLink Guide.

    • DNS options: Choose the domain name resolution options for the EC2 instances launched into this VPC.

      • Enable DNS hostnames: Assigns a DNS hostname to EC2 instances in the VPC that have a public IPv4 address (the VPC attribute enableDnsHostnames).

      • Enable DNS resolution: Enables DNS resolution through the Amazon-provided DNS server for the VPC (the VPC attribute enableDnsSupport). Without it, hostnames cannot be resolved through the Amazon-provided DNS server, and public DNS hostnames are not provisioned.

      Note

      If you want to provision public IPv4 DNS hostnames to the EC2 instances launched into the subnets you are creating, you must enable both Enable DNS hostnames and Enable DNS resolution on the VPC. If you only enable Enable DNS hostnames, the Public IPv4 DNS hostname does not get provisioned. Private DNS for interface VPC endpoints likewise requires both attributes to be enabled.

  5. In the Preview pane, you can see the planned VPC, subnets, route tables, and network interfaces that will be created.

  6. Choose Create VPC.
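The definition of a "public" subnet above is a property of the route table, and a subnet with no explicit route table association silently inherits the VPC's main route table. The following check, an added example that is not code from the Amazon VPC documentation, classifies subnets from constructed data shaped like `aws ec2 describe-route-tables` and `aws ec2 describe-subnets` output (all IDs are made up). It flags the case practitioners most often miss: a main route table that carries an internet gateway route, which makes every unassociated subnet public.

```python
"""Classify the subnets of a VPC as public or private from its route tables.

Added example (not part of the Amazon VPC documentation). The data below is a
constructed sample in the shape of `aws ec2 describe-route-tables` output;
every ID in it is made up.
"""

# Constructed sample: the main route table routes 0.0.0.0/0 to an internet
# gateway (a risky default), one explicit public table routes ::/0 to the
# same gateway, and one private table goes out via NAT / egress-only gateway.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "VpcId": "vpc-example",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "VpcId": "vpc-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-public1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "VpcId": "vpc-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-private1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-example", "State": "active"},
        ],
    },
]

# Constructed: subnet IDs as describe-subnets would list them for the same VPC.
# subnet-noassoc has no explicit route table association.
SUBNET_IDS = ["subnet-public1", "subnet-private1", "subnet-noassoc"]


def has_internet_gateway_route(route_table):
    """True if any active IPv4 or IPv6 route targets an internet gateway (igw-...).

    NAT gateways and egress-only internet gateways (eigw-...) do not count:
    they only allow connections initiated from inside the subnet."""
    return any(
        route.get("GatewayId", "").startswith("igw-") and route.get("State", "active") == "active"
        for route in route_table.get("Routes", [])
    )


def classify_subnets(route_tables, subnet_ids):
    """Map each subnet ID to (kind, route_table_id, implicit).

    kind is "public" or "private"; implicit is True when the subnet has no
    explicit association and therefore inherits the VPC's main route table."""
    explicit = {}
    main_table = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_table = table
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = table
    result = {}
    for subnet_id in subnet_ids:
        table = explicit.get(subnet_id, main_table)
        if table is None:  # no main table in the input: cannot decide
            result[subnet_id] = ("unknown", None, True)
            continue
        kind = "public" if has_internet_gateway_route(table) else "private"
        result[subnet_id] = (kind, table["RouteTableId"], subnet_id not in explicit)
    return result


if __name__ == "__main__":
    for subnet_id, (kind, table_id, implicit) in classify_subnets(ROUTE_TABLES, SUBNET_IDS).items():
        note = " (no explicit association: inherits the main route table)" if implicit else ""
        print(f"{subnet_id}: {kind} via {table_id}{note}")
```

A subnet reported as public through an implicit association is the one to look at first: the fix is either an explicit association with a private route table or removing the internet gateway route from the main table.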

Create a VPC only

Follow the steps in this section to create only a VPC and no additional resources.

To create a VPC only

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Your VPCs, Create VPC.

  3. Under Resources to create, choose VPC only.

  4. Specify the following VPC details as needed.

    • Name tag: Optionally provide a name for your VPC. Doing so creates a tag with a key of Name and the value that you specify.

    • IPv4 CIDR block: Specify an IPv4 CIDR block (or IP address range) for your VPC. Choose one of the following options:

      • IPv4 CIDR manual input: Manually input an IPv4 CIDR. The CIDR block must be between /16 and /28 in size. We recommend that you specify a CIDR block from the private (non-publicly routable) IP address ranges specified in RFC 1918; for example, 10.0.0.0/16 or 192.168.0.0/16.

        You can specify a range of publicly routable IPv4 addresses. However, we currently do not support direct access to the internet from publicly routable CIDR blocks in a VPC. Windows instances cannot boot correctly if launched into a VPC with ranges from 224.0.0.0 to 255.255.255.255 (Class D and Class E IP address ranges).

      • IPAM-allocated IPv4 CIDR block: If there is an Amazon VPC IP Address Manager (IPAM) IPv4 address pool available in this Region, you can get a CIDR from an IPAM pool. If you select an IPAM pool, the size of the CIDR is limited by the allocation rules on the IPAM pool (allowed minimum, allowed maximum, and default). For more information about IPAM, see What is IPAM? in the Amazon VPC IPAM User Guide.

    • IPv6 CIDR block: Optionally associate an IPv6 CIDR block with your VPC. Choose one of the following options, and then choose Select CIDR:

      • No IPv6 CIDR block: No IPv6 CIDR will be provisioned for this VPC.

      • IPAM-allocated IPv6 CIDR block: If there is an Amazon VPC IP Address Manager (IPAM) IPv6 address pool available in this Region, you can get a CIDR from an IPAM pool. If you select an IPAM pool, the size of the CIDR is limited by the allocation rules on the IPAM pool (allowed minimum, allowed maximum, and default). For more information about IPAM, see What is IPAM? in the Amazon VPC IPAM User Guide.

      • Amazon-provided IPv6 CIDR block: Requests an IPv6 CIDR block from an Amazon pool of IPv6 addresses. For Network Border Group, select the group from which Amazon advertises IP addresses. Amazon provides a fixed IPv6 CIDR block size of /56. You cannot configure the size of the IPv6 CIDR that Amazon provides.

      • IPv6 CIDR owned by me: (BYOIP) Allocates an IPv6 CIDR block from your IPv6 address pool. For Pool, choose the IPv6 address pool from which to allocate the IPv6 CIDR block.

    • Tenancy: Choose the tenancy option for this VPC.

      • Select Default to ensure that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched.

      • Select Dedicated to ensure that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch.

      For more information about tenancy see Configuring instance tenancy with a launch configuration in the Amazon EC2 Auto Scaling User Guide.

      Note

      If your Amazon Outposts require private connectivity, you must select Default. For more information about Amazon Outposts, see What is Amazon Outposts? in the Amazon Outposts User Guide.

    • Tags: Add optional tags on the VPC. A tag is a label that you assign to an Amazon resource. Each tag consists of a key and an optional value. You can use tags to search and filter your resources or track your Amazon costs.

  5. Choose Create VPC.

Alternatively, you can use a command line tool.

To create a VPC using a command line tool

  • create-vpc (AWS CLI)

  • New-EC2Vpc (AWS Tools for Windows PowerShell)

To describe a VPC using a command line tool

  • describe-vpcs (AWS CLI)

  • Get-EC2Vpc (AWS Tools for Windows PowerShell)

For more information about IP addresses, see IP addressing.

After you have created a VPC, you can create subnets. For more information, see Create a subnet in your VPC.

View your VPCs

Use the following steps to view the details about your VPCs.

To view VPC details using the console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select the VPC, and then choose View Details.

To describe a VPC using a command line tool

  • describe-vpcs (AWS CLI)

  • Get-EC2Vpc (AWS Tools for Windows PowerShell)

To view all of your VPCs across Regions

Open the Amazon EC2 Global View console at https://console.amazonaws.cn/ec2globalview/home.

For more information about using Amazon EC2 Global View, see List and filter resources using the Amazon EC2 Global View in the Amazon EC2 User Guide for Linux Instances.

Associate additional IPv4 CIDR blocks with your VPC

You can add up to five IPv4 CIDR blocks to your VPC by default, but the limit is adjustable. For more information on increasing the limit, see Amazon VPC quotas. For information about restrictions on IPv4 CIDR blocks associated with a VPC, see VPC sizing.

After you associate an IPv4 CIDR block with the VPC, the status changes to associating. The CIDR block is ready to use when it's in the associated state. After you've added the CIDR blocks that you need, you can create subnets that use the new CIDR blocks. For more information, see Create a subnet in your VPC.

To associate an IPv4 CIDR block with a VPC using the console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select the VPC, and then choose Actions, Edit CIDRs.

  4. Choose Add new IPv4 CIDR.

  5. For IPv4 CIDR block, do one of the following:

    • Choose IPv4 CIDR manual input and enter an IPv4 CIDR block.

    • Choose IPAM-allocated IPv4 CIDR and select a CIDR from an IPv4 IPAM pool.

To add a CIDR block using a command line tool

  • associate-vpc-cidr-block (AWS CLI)

  • Register-EC2VpcCidrBlock (AWS Tools for Windows PowerShell)

After you've added the IPv4 CIDR blocks that you need, you can create subnets. For more information, see Create a subnet in your VPC.
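The IPv4 CIDR rules stated under Create a VPC only (a /16 to /28 block, RFC 1918 ranges recommended, class D and E ranges unusable) apply equally to an additional block, with one more constraint: the new block must not overlap a CIDR block already associated with the VPC. The following pre-check is an added example, not code from the Amazon VPC documentation; it inspects the candidate block offline with the standard library and never calls the API. The `aws ec2 create-vpc` and `aws ec2 associate-vpc-cidr-block` command strings it emits are the AWS CLI commands named in this section; the VPC ID and the existing-CIDR list in the demo are constructed.

```python
"""Pre-check an IPv4 CIDR block before create-vpc or associate-vpc-cidr-block.

Added example (not part of the Amazon VPC documentation). Rules checked:
/16 to /28, RFC 1918 recommended, class D/E rejected, and no overlap with
CIDR blocks already associated with the VPC.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASS_D_AND_E = ipaddress.ip_network("224.0.0.0/3")  # 224.0.0.0 - 255.255.255.255


def check_vpc_cidr(cidr, existing=()):
    """Return (errors, warnings) for a candidate VPC CIDR block.

    errors: the request would fail or instances would misbehave.
    warnings: allowed, but a choice the documentation advises against.
    existing: CIDR blocks already associated with the VPC (empty for a new VPC)."""
    errors, warnings = [], []
    try:
        net = ipaddress.IPv4Network(cidr)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: not a valid IPv4 network ({exc})"], warnings
    if not 16 <= net.prefixlen <= 28:
        errors.append(f"{net}: prefix length must be between /16 and /28")
    if net.subnet_of(CLASS_D_AND_E):
        errors.append(f"{net}: class D/E range; Windows instances cannot boot in it")
    elif not any(net.subnet_of(private) for private in RFC1918):
        warnings.append(f"{net}: not an RFC 1918 range; publicly routable blocks get no direct internet access")
    for other in existing:
        other_net = ipaddress.IPv4Network(other)
        if net.overlaps(other_net):
            errors.append(f"{net}: overlaps {other_net}, which is already associated with the VPC")
    return errors, warnings


def cli_command(cidr, vpc_id=None, existing=()):
    """AWS CLI call for a block that passes the checks: create-vpc for a new VPC,
    associate-vpc-cidr-block when vpc_id names an existing one."""
    errors, _ = check_vpc_cidr(cidr, existing)
    if errors:
        raise ValueError("; ".join(errors))
    if vpc_id is None:
        return f"aws ec2 create-vpc --cidr-block {cidr}"
    return f"aws ec2 associate-vpc-cidr-block --vpc-id {vpc_id} --cidr-block {cidr}"


if __name__ == "__main__":
    # Constructed demo: a VPC (made-up ID) that already owns 10.0.0.0/16.
    for candidate in ("10.0.0.0/16", "10.0.1.0/24", "10.1.0.0/16", "203.0.113.0/24", "225.0.0.0/16"):
        errors, warnings = check_vpc_cidr(candidate, existing=["10.0.0.0/16"])
        for msg in errors:
            print("ERROR  ", msg)
        for msg in warnings:
            print("WARNING", msg)
        if not errors:
            print("OK     ", cli_command(candidate, vpc_id="vpc-example", existing=["10.0.0.0/16"]))
```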

Associate IPv6 CIDR blocks with your VPC

You can associate up to five IPv6 CIDR blocks with any existing VPC. The limit is not adjustable. For more information, see Amazon VPC quotas. For information about restrictions on IPv6 CIDR blocks associated with a VPC, see VPC sizing.

To associate an IPv6 CIDR block with a VPC using the console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select the VPC, and then choose Actions, Edit CIDRs.

  4. Choose Add new IPv6 CIDR.

  5. The CIDR block options when you add a CIDR are the same as when you create a VPC. For complete information about what your CIDR block options are, see Create a VPC.

  6. Choose Select CIDR.

  7. Choose Close.

To associate an IPv6 CIDR block with a VPC using a command line tool

  • associate-vpc-cidr-block (AWS CLI)

  • Register-EC2VpcCidrBlock (AWS Tools for Windows PowerShell)

Disassociate an IPv4 CIDR block from your VPC

If your VPC has more than one IPv4 CIDR block associated with it, you can disassociate an IPv4 CIDR block from the VPC. You cannot disassociate the primary IPv4 CIDR block. You can only disassociate an entire CIDR block; you cannot disassociate a subset of a CIDR block or a merged range of CIDR blocks. You must first delete all subnets in the CIDR block.

To remove a CIDR block from a VPC using the console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select the VPC, and choose Actions, Edit CIDRs.

  4. Under VPC IPv4 CIDRs, choose the delete button (a cross) for the CIDR block to remove.

  5. Choose Close.

Alternatively, you can use a command line tool.

To remove an IPv4 CIDR block from a VPC using a command line tool

  • disassociate-vpc-cidr-block (AWS CLI)

  • Unregister-EC2VpcCidrBlock (AWS Tools for Windows PowerShell)

Disassociate an IPv6 CIDR block from your VPC

If you no longer want IPv6 support in your VPC, but you want to continue using your VPC to create and communicate with IPv4 resources, you can disassociate the IPv6 CIDR block.

To disassociate an IPv6 CIDR block, you must first unassign any IPv6 addresses that are assigned to instances in the VPC's subnets.

To disassociate an IPv6 CIDR block from a VPC using the console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Your VPCs.

  3. Select your VPC, choose Actions, Edit CIDRs.

  4. Remove the IPv6 CIDR block by choosing the cross icon.

  5. Choose Close.

Note

Disassociating an IPv6 CIDR block does not automatically delete any security group rules, network ACL rules, or route table routes that you've configured for IPv6 networking. You must manually modify or delete these rules or routes.

Alternatively, you can use a command line tool.

To disassociate an IPv6 CIDR block from a VPC using a command line tool

  • disassociate-vpc-cidr-block (AWS CLI)

  • Unregister-EC2VpcCidrBlock (AWS Tools for Windows PowerShell)
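Because the rules and routes named in the note above survive the disassociation, it is worth enumerating them before and after. The following script is an added example, not code from the Amazon VPC documentation: it walks constructed data shaped like `aws ec2 describe-security-groups`, `aws ec2 describe-network-acls` and `aws ec2 describe-route-tables` output (all IDs are made up) and, for each IPv6 reference, emits the AWS CLI command that removes it (`revoke-security-group-ingress`/`-egress`, `delete-network-acl-entry`, `delete-route`). Review the commands before running any of them.

```python
"""List every security group rule, network ACL entry and route in a VPC that
still refers to IPv6, with the AWS CLI command that would remove it.

Added example (not part of the Amazon VPC documentation). The three inputs
below are constructed samples shaped like describe-security-groups,
describe-network-acls and describe-route-tables output; IDs are made up.
"""
import json

SECURITY_GROUPS = [{
    "GroupId": "sg-web", "VpcId": "vpc-example",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
    }],
    "IpPermissionsEgress": [{
        "IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
    }],
}]
NETWORK_ACLS = [{
    "NetworkAclId": "acl-example", "VpcId": "vpc-example",
    "Entries": [
        {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 101, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "Ipv6CidrBlock": "::/0"},
    ],
}]
ROUTE_TABLES = [{
    "RouteTableId": "rtb-example", "VpcId": "vpc-example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-example"},
    ],
}]


def ipv6_leftovers(security_groups, network_acls, route_tables, vpc_id):
    """Return (resource_id, description, aws_cli_command) for each IPv6 reference in vpc_id."""
    found = []
    for sg in security_groups:
        if sg.get("VpcId") != vpc_id:
            continue
        for key, verb in (("IpPermissions", "ingress"), ("IpPermissionsEgress", "egress")):
            for perm in sg.get(key, []):
                for rng in perm.get("Ipv6Ranges", []):
                    # Revoke only the IPv6 part; IPv4 ranges in the same permission stay.
                    revoke = {"IpProtocol": perm["IpProtocol"], "Ipv6Ranges": [{"CidrIpv6": rng["CidrIpv6"]}]}
                    if "FromPort" in perm:
                        revoke.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
                    found.append((sg["GroupId"], f"security group {verb} rule for {rng['CidrIpv6']}",
                                  f"aws ec2 revoke-security-group-{verb} --group-id {sg['GroupId']} "
                                  f"--ip-permissions '{json.dumps(revoke)}'"))
    for acl in network_acls:
        if acl.get("VpcId") != vpc_id:
            continue
        for entry in acl.get("Entries", []):
            if "Ipv6CidrBlock" in entry:
                direction = "--egress" if entry["Egress"] else "--ingress"
                found.append((acl["NetworkAclId"],
                              f"network ACL rule {entry['RuleNumber']} for {entry['Ipv6CidrBlock']}",
                              f"aws ec2 delete-network-acl-entry --network-acl-id {acl['NetworkAclId']} "
                              f"--rule-number {entry['RuleNumber']} {direction}"))
    for table in route_tables:
        if table.get("VpcId") != vpc_id:
            continue
        for route in table.get("Routes", []):
            dest = route.get("DestinationIpv6CidrBlock")
            if dest is None or route.get("GatewayId") == "local":
                continue  # local routes are managed together with the CIDR block itself
            target = next((v for k, v in route.items() if k.endswith("Id")), "unknown target")
            found.append((table["RouteTableId"], f"route {dest} -> {target}",
                          f"aws ec2 delete-route --route-table-id {table['RouteTableId']} "
                          f"--destination-ipv6-cidr-block {dest}"))
    return found


if __name__ == "__main__":
    for resource_id, what, command in ipv6_leftovers(SECURITY_GROUPS, NETWORK_ACLS, ROUTE_TABLES, "vpc-example"):
        print(f"{resource_id}: {what}\n    {command}")
```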

Delete your VPC

When you are finished with a VPC, you can delete it. If you delete a VPC using the VPC console, we also delete the following VPC components for you:

  • DHCP options

  • Egress-only internet gateways

  • Gateway endpoints

  • Internet gateways

  • Network ACLs

  • Route tables

  • Security groups

  • Subnets

If you have an Amazon Site-to-Site VPN connection, you don't need to delete it or the other components related to the VPN (such as the customer gateway and virtual private gateway). If you plan to use the customer gateway with another VPC, we recommend that you keep the Site-to-Site VPN connection and the gateways. Otherwise, you must configure your customer gateway device again after you create a new Site-to-Site VPN connection.

Requirement

Before you can delete a VPC, you must first terminate or delete any resources that created a requester-managed network interface in the VPC. For example, you must terminate your EC2 instances and delete your load balancers, NAT gateways, transit gateways, and interface VPC endpoints.

To delete your VPC using the console

  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. Terminate all instances in the VPC. For more information, see Terminate Your Instance in the Amazon EC2 User Guide for Linux Instances.

  3. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  4. In the navigation pane, choose Your VPCs.

  5. Select the VPC to delete and choose Actions, Delete VPC.

  6. If you have a Site-to-Site VPN connection, select the option to delete it; otherwise, leave it unselected. Choose Delete VPC.

Alternatively, you can use a command line tool. Before you can delete a VPC using the command line, you must terminate or delete any resources that created a requester-managed network interface in the VPC, plus you must delete or detach all associated resources, such as subnets, custom security groups, custom network ACLs, custom route tables, internet gateways, and egress-only internet gateways.

To delete a VPC using the command line

  • delete-vpc (AWS CLI)

  • Remove-EC2Vpc (AWS Tools for Windows PowerShell)
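The requirement above is easiest to satisfy by starting from the network interfaces: every resource that blocks deletion leaves an interface in the VPC. The following script is an added example, not code from the Amazon VPC documentation. It classifies constructed data shaped like `aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=<vpc-id>` output (IDs are made up) by owning resource and suggests the AWS CLI command that removes the owner. The description patterns it uses to recover a NAT gateway, endpoint or transit gateway attachment ID are assumptions about how those managed interfaces are described; where no ID can be recovered it falls back to printing the description for manual follow-up.

```python
"""Before delete-vpc: list the network interfaces still in the VPC, the
resource each one belongs to, and the command that removes that resource.

Added example (not part of the Amazon VPC documentation). The sample below is
constructed in the shape of describe-network-interfaces output; the IDs and
descriptions are made up, and the description patterns in OWNER_RULES are
assumptions, not a documented format.
"""
import re

NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-app", "VpcId": "vpc-example", "InterfaceType": "interface",
     "RequesterManaged": False, "Attachment": {"InstanceId": "i-app", "Status": "attached"}},
    {"NetworkInterfaceId": "eni-nat", "VpcId": "vpc-example", "InterfaceType": "natGateway",
     "RequesterManaged": True, "Description": "Interface for NAT Gateway nat-example"},
    {"NetworkInterfaceId": "eni-vpce", "VpcId": "vpc-example", "InterfaceType": "vpc_endpoint",
     "RequesterManaged": True, "Description": "VPC Endpoint Interface vpce-example"},
    {"NetworkInterfaceId": "eni-tgw", "VpcId": "vpc-example", "InterfaceType": "transit_gateway",
     "RequesterManaged": True, "Description": "Network Interface for Transit Gateway Attachment tgw-attach-example"},
    {"NetworkInterfaceId": "eni-nlb", "VpcId": "vpc-example", "InterfaceType": "network_load_balancer",
     "RequesterManaged": True, "Description": "ELB net/api/0123456789abcdef"},
    {"NetworkInterfaceId": "eni-stale", "VpcId": "vpc-example", "InterfaceType": "interface",
     "RequesterManaged": False, "Attachment": {}},
    {"NetworkInterfaceId": "eni-other", "VpcId": "vpc-other", "InterfaceType": "interface",
     "RequesterManaged": False, "Attachment": {"InstanceId": "i-other", "Status": "attached"}},
]

# (InterfaceType, assumed ID pattern in Description, AWS CLI command that removes the owner)
OWNER_RULES = [
    ("natGateway", r"nat-[0-9a-z]+", "aws ec2 delete-nat-gateway --nat-gateway-id {id}"),
    ("vpc_endpoint", r"vpce-[0-9a-z]+", "aws ec2 delete-vpc-endpoints --vpc-endpoint-ids {id}"),
    ("transit_gateway", r"tgw-attach-[0-9a-z]+",
     "aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id {id}"),
]
LOAD_BALANCER_TYPES = {"load_balancer", "network_load_balancer", "gateway_load_balancer"}


def delete_blockers(network_interfaces, vpc_id):
    """Return (eni_id, owner_kind, action) for every interface still in vpc_id."""
    out = []
    for eni in network_interfaces:
        if eni.get("VpcId") != vpc_id:
            continue
        eni_id = eni["NetworkInterfaceId"]
        attachment = eni.get("Attachment") or {}
        if attachment.get("InstanceId"):
            out.append((eni_id, "EC2 instance",
                        f"aws ec2 terminate-instances --instance-ids {attachment['InstanceId']}"))
            continue
        itype = eni.get("InterfaceType", "interface")
        desc = eni.get("Description", "")
        for rule_type, pattern, command in OWNER_RULES:
            if itype == rule_type:
                match = re.search(pattern, desc)
                action = command.format(id=match.group(0)) if match else f"find the owner from description {desc!r}"
                out.append((eni_id, rule_type, action))
                break
        else:
            if itype in LOAD_BALANCER_TYPES:
                out.append((eni_id, "load balancer",
                            f"delete the load balancer named in {desc!r} (aws elbv2 delete-load-balancer)"))
            elif eni.get("RequesterManaged"):
                out.append((eni_id, f"requester-managed ({itype})",
                            f"delete the owning service resource described as {desc!r}"))
            else:
                out.append((eni_id, "unattached interface",
                            f"aws ec2 delete-network-interface --network-interface-id {eni_id}"))
    return out


if __name__ == "__main__":
    for eni_id, kind, action in delete_blockers(NETWORK_INTERFACES, "vpc-example"):
        print(f"{eni_id}: {kind}\n    {action}")
```

Run this until it returns nothing for the VPC; subnets, custom route tables, security groups, network ACLs and gateways can then be removed (or, with the console path, are removed for you) before `delete-vpc`.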