docs.aws.amazon.com
13.35.58.82  Public Scan

Submitted URL: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip
Effective URL: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html
Submission: On September 18 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

IP addressing for your VPCs and subnets - Amazon Virtual Private Cloud

IP ADDRESSING FOR YOUR VPCS AND SUBNETS

IP addresses enable resources in your VPC to communicate with each other, and
with resources over the internet.

Classless Inter-Domain Routing (CIDR) notation is a way to represent an IP
address and its network mask. The format of these addresses is as follows:

 * An individual IPv4 address is 32 bits, with 4 groups of up to 3 decimal
   digits. For example, 10.0.1.0.

 * An IPv4 CIDR block has four groups of up to three decimal digits, 0-255,
   separated by periods, followed by a slash and a number from 0 to 32. For
   example, 10.0.0.0/16.

 * An individual IPv6 address is 128 bits, with 8 groups of 4 hexadecimal
   digits. For example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

 * An IPv6 CIDR block has four groups of up to four hexadecimal digits,
   separated by colons, followed by a double colon, followed by a slash and a
   number from 1 to 128. For example, 2001:db8:1234:1a00::/56.

For more information, see What is CIDR?

CONTENTS

 * Private IPv4 addresses
 * Public IPv4 addresses
 * IPv6 addresses
 * Use your own IP addresses
 * Use Amazon VPC IP Address Manager
 * VPC CIDR blocks
 * Subnet CIDR blocks
 * Compare IPv4 and IPv6
 * Managed prefix lists
 * AWS IP address ranges
 * IPv6 support for your VPC
 * IPv6 support on AWS


PRIVATE IPV4 ADDRESSES


Private IPv4 addresses (also referred to as private IP addresses in this topic)
are not reachable over the internet, and can be used for communication between
the instances in your VPC. When you launch an instance into a VPC, a primary
private IP address from the IPv4 address range of the subnet is assigned to the
default network interface (eth0) of the instance. Each instance is also given a
private (internal) DNS hostname that resolves to the private IP address of the
instance. The hostname can be of two types: resource-based or IP-based. For more
information, see EC2 instance naming. If you don't specify a primary private IP
address, we select an available IP address in the subnet range for you. For more
information about network interfaces, see Elastic Network Interfaces in the
Amazon EC2 User Guide.

You can assign additional private IP addresses, known as secondary private IP
addresses, to instances that are running in a VPC. Unlike a primary private IP
address, you can reassign a secondary private IP address from one network
interface to another. A private IP address remains associated with the network
interface when the instance is stopped and restarted, and is released when the
instance is terminated. For more information about primary and secondary IP
addresses, see Multiple IP Addresses in the Amazon EC2 User Guide.

We refer to private IP addresses as the IP addresses that are within the IPv4
CIDR range of the VPC. Most VPC IP address ranges fall within the private
(non-publicly routable) IP address ranges specified in RFC 1918; however, you
can use publicly routable CIDR blocks for your VPC. Regardless of the IP address
range of your VPC, we do not support direct access to the internet from your
VPC's CIDR block, including a publicly-routable CIDR block. You must set up
internet access through a gateway; for example, an internet gateway, virtual
private gateway, an AWS Site-to-Site VPN connection, or AWS Direct Connect.

We never advertise the IPv4 address range of a subnet to the internet.


PUBLIC IPV4 ADDRESSES


All subnets have an attribute that determines whether a network interface
created in the subnet automatically receives a public IPv4 address (also
referred to as a public IP address in this topic). Therefore, when you launch an
instance into a subnet that has this attribute enabled, a public IP address is
assigned to the primary network interface (eth0) that's created for the
instance. A public IP address is mapped to the primary private IP address
through network address translation (NAT).

NOTE

AWS charges for all public IPv4 addresses, including public IPv4 addresses
associated with running instances and Elastic IP addresses. For more
information, see the Public IPv4 Address tab on the Amazon VPC pricing page.

You can control whether your instance receives a public IP address by doing the
following:

 * Modifying the public IP addressing attribute of your subnet. For more
   information, see Modify the IP addressing attributes of your subnet.

 * Enabling or disabling the public IP addressing feature during instance
   launch, which overrides the subnet's public IP addressing attribute.

 * Unassigning a public IP address from your instance after launch by
   managing the IP addresses associated with a network interface. For more
   information, see Manage IP addresses in the Amazon EC2 User Guide.
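
The interaction between the subnet attribute and the launch-time setting can be audited offline. The following is an added example, not part of the AWS documentation: it assumes subnet data shaped like `aws ec2 describe-subnets` output (`MapPublicIpOnLaunch`), a simplified constructed launch record carrying `AssociatePublicIpAddress`, and a hypothetical allow-list of subnets intended to be internet-facing.

```python
import json

# Constructed sample shaped like `aws ec2 describe-subnets` output (not real data).
SUBNETS_JSON = """
{"Subnets": [
  {"SubnetId": "subnet-0a1", "VpcId": "vpc-01", "CidrBlock": "10.0.0.0/24",
   "MapPublicIpOnLaunch": true},
  {"SubnetId": "subnet-0b2", "VpcId": "vpc-01", "CidrBlock": "10.0.1.0/24",
   "MapPublicIpOnLaunch": false},
  {"SubnetId": "subnet-0c3", "VpcId": "vpc-01", "CidrBlock": "10.0.2.0/24",
   "MapPublicIpOnLaunch": true}
]}
"""
SUBNETS = json.loads(SUBNETS_JSON)

# Constructed, simplified launch requests. AssociatePublicIpAddress is the
# launch-time setting; when it is absent, the subnet attribute applies.
LAUNCHES = [
    {"Name": "web-1", "SubnetId": "subnet-0a1"},
    {"Name": "db-1", "SubnetId": "subnet-0b2", "AssociatePublicIpAddress": True},
    {"Name": "batch-1", "SubnetId": "subnet-0c3", "AssociatePublicIpAddress": False},
    {"Name": "cache-1", "SubnetId": "subnet-0c3"},
]

# Assumption: the only subnet that is meant to host internet-facing instances.
APPROVED_PUBLIC_SUBNETS = {"subnet-0a1"}


def gets_public_ip(subnet, launch):
    """The launch-time setting overrides the subnet attribute when present."""
    override = launch.get("AssociatePublicIpAddress")
    return subnet["MapPublicIpOnLaunch"] if override is None else override


def audit(subnets_doc, launches, approved):
    """Return (finding, resource) tuples for public IPs outside approved subnets."""
    subnets = {s["SubnetId"]: s for s in subnets_doc["Subnets"]}
    findings = []

    # 1. Subnets that hand out public IPs by default but are not approved for it.
    for subnet_id, subnet in sorted(subnets.items()):
        if subnet["MapPublicIpOnLaunch"] and subnet_id not in approved:
            findings.append(("subnet-auto-assign", subnet_id))

    # 2. Launches that end up with a public IP in a non-approved subnet,
    #    whether inherited from the subnet or forced by the launch setting.
    for launch in launches:
        subnet = subnets.get(launch["SubnetId"])
        if subnet is None:
            findings.append(("unknown-subnet", launch["Name"]))
            continue
        if gets_public_ip(subnet, launch) and launch["SubnetId"] not in approved:
            override = launch.get("AssociatePublicIpAddress")
            reason = "inherited" if override is None else "launch-override"
            findings.append((f"public-ip-{reason}", launch["Name"]))
    return findings


if __name__ == "__main__":
    for finding, resource in audit(SUBNETS, LAUNCHES, APPROVED_PUBLIC_SUBNETS):
        print(f"{finding:28} {resource}")
```

The `db-1` case is the one a subnet-only review misses: the subnet attribute is disabled, yet the launch-time setting still yields a public IP address.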

A public IP address is assigned from Amazon's pool of public IP addresses; it's
not associated with your account. When a public IP address is disassociated from
your instance, it's released back into the pool, and is no longer available for
you to use. In certain cases, we release the public IP address from your
instance, or assign it a new one. For more information, see Public IP addresses
in the Amazon EC2 User Guide.

If you require a persistent public IP address allocated to your account that can
be assigned to and removed from instances as you require, use an Elastic IP
address instead. For more information, see Associate Elastic IP addresses with
resources in your VPC.

If your VPC is enabled to support DNS hostnames, each instance that receives a
public IP address or an Elastic IP address is also given a public DNS hostname.
We resolve a public DNS hostname to the public IP address of the instance
outside the instance network, and to the private IP address of the instance from
within the instance network. For more information, see DNS attributes for your
VPC.

If you are using Amazon VPC IP Address Manager (IPAM), you can get a contiguous
block of public IPv4 addresses from AWS and use it to allocate sequential
Elastic IP addresses to AWS resources. Using contiguous IPv4 address blocks can
significantly reduce management overhead for security access control lists and
simplify IP address allocation and tracking for enterprises scaling on AWS. For
more information, see Allocate sequential Elastic IP addresses from an IPAM pool
in the Amazon VPC IPAM User Guide.


IPV6 ADDRESSES


As the internet continues to grow, so does the need for IP addresses. The most
common format for IP addresses is IPv4. The new format for IP addresses is IPv6,
which provides a larger address space than IPv4. IPv6 resolves the IPv4 address
exhaustion issue and enables you to connect more devices to the internet. The
transition is gradual, but as IPv6 adoption grows, you can simplify your
networks and take advantage of IPv6 advanced capabilities for better
connectivity, performance, and security.

Many AWS services, such as Amazon EC2, Amazon S3, and Amazon CloudFront, offer
either dual-stack (IPv4 and IPv6) or IPv6-only support, allowing resources to be
assigned IPv6 addresses and accessed over the IPv6 protocol and simplifying
network configuration and management for those customers adopting IPv6. Other
services offer limited or partial dual-stack and IPv6-only support. For more
information about services that support IPv6, see AWS services that support
IPv6.

Note that some IPv6 addresses are reserved by the Internet Engineering Task
Force. For more information about reserved IPv6 address ranges, see IANA IPv6
Special-Purpose Address Registry and RFC4291.

NOTE

Both public and private IPv6 addressing is available in AWS. AWS considers
public IP addresses to be those advertised on the internet from AWS, while
private IP addresses are not and cannot be advertised on the internet from AWS.

CONTENTS

 * Public IPv6 addresses
 * Private IPv6 addresses


PUBLIC IPV6 ADDRESSES

Public IPv6 addresses are IPv6 addresses that can be configured to remain
private or configured to be reachable over the internet.

These are some of the ways you can prepare to use public IPv6 addresses for your
workloads:

 * Create an IPAM with Amazon VPC IP Address Manager and provision an
   Amazon-owned public IPv6 address range to an IPAM address pool. For more
   information, see Create IPv6 pools in the Amazon VPC IPAM User Guide.

 * If you have an IPAM and you own a public IPv6 address range, bring some or
   all of the public IPv6 address range to IPAM and provision the public IPv6
   address range to an IPAM address pool. For more information, see Tutorial:
   Bring your IP addresses to IPAM in the Amazon VPC IPAM User Guide.

 * If you don't have an IPAM but you own a public IPv6 address range, bring some
   or all of the public IPv6 address range to AWS. For more information, see
   Bring your own IP addresses (BYOIP) to Amazon EC2 in the Amazon EC2 User
   Guide.

Once you are prepared to use public IPv6 addresses, you can assign public IPv6
addresses to instances (see IPv6 addresses in the Amazon EC2 User Guide), you
can allocate a public IPv6 CIDR block to your VPC (see Add or remove a CIDR
block from your VPC) and associate the IPv6 CIDR block with your subnets (see
Modify the IP addressing attributes of your subnet).


PRIVATE IPV6 ADDRESSES

Private IPv6 addresses are IPv6 addresses that are not advertised and cannot be
advertised on the internet from AWS.

You can use a private IPv6 address if you want your private networks to support
IPv6 and you have no intention of routing traffic from these addresses to the
internet. If you want to connect to the internet from a resource that has a
private IPv6 address, you can, but you must route traffic through a resource in
another subnet with a public IPv6 address to do so.

There are two types of private IPv6 addresses:

 * IPv6 ULA ranges: IPv6 addresses as defined in RFC4193. These address ranges
   always start with “fc” or “fd”, which makes them easily identifiable. Valid
   IPv6 ULA space is anything under fd00::/8 that does not overlap with the
   Amazon reserved range fd00::/16.

 * IPv6 GUA ranges: IPv6 addresses as defined in RFC3587. The option to use IPv6
   GUA ranges as private IPv6 addresses is disabled by default and must be
   enabled before you can use it. For more information, see Enable provisioning
   private IPv6 GUA CIDRs in the Amazon VPC IPAM User Guide.

Note the following:

 * Private IPv6 addresses are only available through Amazon VPC IP Address
   Manager (IPAM). IPAM discovers resources with IPv6 ULA and GUA addresses and
   monitors pools for overlapping IPv6 ULA and GUA address space.

 * When you use private IPv6 GUA ranges, we require that you use IPv6 GUA ranges
   owned by you.

 * Private IPv6 addresses are not and cannot be advertised on the internet by
   AWS. AWS does not allow direct egress to the public internet from a private
   IPv6 range even if there is an internet gateway or egress-only internet
   gateway in the VPC. Private IPv6 addresses are automatically dropped at the
   internet gateway edge, ensuring that they are not routed publicly.

 * In each subnet, AWS reserves the first 4 private IPv6 addresses and the
   last one.

 * Valid ranges for private IPv6 ULA are /9 to /60 starting with fd80::/9.

 * If you have a private IPv6 GUA range allocated to a VPC, you cannot use
   public IPv6 GUA space that overlaps the private IPv6 GUA space in the same
   VPC.

 * Communication between resources with private IPv6 ULA and GUA address ranges
   is supported (such as across Direct Connect, VPC peering, transit gateway, or
   VPN connections).

 * You can use private IPv6 addresses with IPv6-only and dual-stack VPC subnets,
   elastic load balancers and AWS Global Accelerator endpoints.

 * There is no charge for private IPv6 addresses.
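
The ULA constraints and the reserved-address rule above can be checked before a range is provisioned. The following is an added example, not part of the AWS documentation: the function names are hypothetical, the sample CIDRs are constructed, and reading "/9 to /60" as a bound on prefix length is an assumption.

```python
import ipaddress

RFC4193_ULA = ipaddress.ip_network("fc00::/7")       # addresses starting with fc or fd
ULA_SPACE = ipaddress.ip_network("fd00::/8")         # usable ULA space per the page
AMAZON_RESERVED = ipaddress.ip_network("fd00::/16")  # Amazon reserved range per the page
MIN_PREFIX, MAX_PREFIX = 9, 60                       # assumption: prefix-length bounds


def check_private_ula(cidr):
    """Return (ok, reason) for a proposed private IPv6 ULA CIDR."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects set host bits
    except ValueError as exc:
        return False, f"not a valid CIDR: {exc}"
    if net.version != 6:
        return False, "not IPv6"
    if not net.subnet_of(RFC4193_ULA):
        return False, "not ULA (outside fc00::/7)"
    if not net.subnet_of(ULA_SPACE):
        return False, "outside fd00::/8"
    if net.overlaps(AMAZON_RESERVED):
        return False, "overlaps Amazon reserved fd00::/16"
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        return False, f"prefix /{net.prefixlen} outside /9 to /60"
    return True, "ok"


def reserved_addresses(subnet_cidr):
    """First four addresses and the last address of a subnet, as strings."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in (0, 1, 2, 3, -1)]


def gua_conflicts(private_guas, public_guas):
    """Pairs of private and public GUA CIDRs in one VPC that overlap."""
    return [
        (priv, pub)
        for priv in private_guas
        for pub in public_guas
        if ipaddress.ip_network(priv).overlaps(ipaddress.ip_network(pub))
    ]


if __name__ == "__main__":
    # Constructed candidate ranges.
    for cidr in ("fd80::/9", "fd00::/9", "fd12:3456:789a::/48",
                 "fd12:3456:789a:1::/64", "fc00::/8", "2001:db8:1234:1a00::/56"):
        print(f"{cidr:28} {check_private_ula(cidr)}")
    print(reserved_addresses("fd12:3456:789a:1::/64"))
    print(gua_conflicts(["2001:db8:1234::/48"], ["2001:db8:1234:1a00::/56"]))
```

Of the two /9 blocks inside fd00::/8, fd00::/9 overlaps the reserved fd00::/16, so fd80::/9 is the only /9 that passes.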

These are some of the ways you can prepare to use private IPv6 addresses for
your workloads:

 * Create an IPAM with Amazon VPC IP Address Manager and provision a private
   IPv6 ULA range to an IPAM address pool. For more information, see Create IPv6
   pools in the Amazon VPC IPAM User Guide.

 * Create an IPAM with Amazon VPC IP Address Manager and provision a private
   IPv6 GUA range to an IPAM address pool. The option to use IPv6 GUA ranges as
   private IPv6 addresses is disabled by default and must be enabled on your
   IPAM before you can use it. For more information, see Enable provisioning
   private IPv6 GUA CIDRs in the Amazon VPC IPAM User Guide.

Once you are prepared to use private IPv6 addresses, you can allocate a private
IPv6 CIDR block from an IPAM pool to your VPC (see Add or remove a CIDR block
from your VPC) and associate the IPv6 CIDR block with your subnets (see Modify
the IP addressing attributes of your subnet).


USE YOUR OWN IP ADDRESSES


You can bring part or all of your own public IPv4 address range or IPv6 address
range to your AWS account. You continue to own the address range, but AWS
advertises it on the internet by default. After you bring the address range to
AWS, it appears in your account as an address pool. You can create an Elastic IP
address from your IPv4 address pool, and you can associate an IPv6 CIDR block
from your IPv6 address pool with a VPC.

For more information, see Bring your own IP addresses (BYOIP) in the Amazon EC2
User Guide.


USE AMAZON VPC IP ADDRESS MANAGER


Amazon VPC IP Address Manager (IPAM) is a VPC feature that makes it easier for
you to plan, track, and monitor IP addresses for your AWS workloads. You can use
IPAM to allocate IP address CIDRs to VPCs using specific business rules.

For more information, see What is IPAM? in the Amazon VPC IPAM User Guide.

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.