Amazon EC2 instance IP addressing
Amazon EC2 and Amazon VPC support both the IPv4 and IPv6 addressing protocols. By default, Amazon VPC uses the IPv4 addressing protocol; you can't disable this behavior. When you create a VPC, you must specify an IPv4 CIDR block (a range of private IPv4 addresses). You can optionally assign an IPv6 CIDR block to your VPC and assign IPv6 addresses from that block to instances in your subnets.
Contents
- Private IPv4 addresses
- Public IPv4 addresses
- Public IPv4 address optimization
- IPv6 addresses
- EC2 instance hostnames
- Link-local addresses
- Manage the IPv4 addresses for your EC2 instances
- Manage the IPv6 addresses for your EC2 instances
- Multiple IP addresses for your EC2 instances
- Configure secondary private IPv4 addresses for Windows instances
Private IPv4 addresses
A private IPv4 address is an IP address that's not reachable over the Internet. You
can use private IPv4 addresses for communication between instances in the same VPC. For
more information about the standards and specifications of private IPv4 addresses, see
RFC 1918
Note
You can create a VPC with a publicly routable CIDR block that falls outside of the private IPv4 address ranges specified in RFC 1918. However, for the purposes of this documentation, we refer to private IPv4 addresses (or 'private IP addresses') as the IP addresses that are within the IPv4 CIDR range of your VPC.
VPC subnets can be one of the following types:
-
IPv4-only subnets – You can only create resources in these subnets with IPv4 addresses assigned to them.
-
IPv6-only subnets – You can only create resources in these subnets with IPv6 addresses assigned to them.
-
IPv4 and IPv6 subnets – You can create resources in these subnets with either IPv4 or IPv6 addresses assigned to them.
When you launch an EC2 instance into an IPv4-only or dual stack (IPv4 and IPv6) subnet, the instance receives a primary private IP address from the IPv4 address range of the subnet. For more information, see IP addressing in the Amazon VPC User Guide. If you don't specify a primary private IP address when you launch the instance, we select an available IP address in the subnet's IPv4 range for you. Each instance has a default network interface (eth0) that is assigned the primary private IPv4 address. You can also specify additional private IPv4 addresses, known as secondary private IPv4 addresses. Unlike primary private IP addresses, secondary private IP addresses can be reassigned from one instance to another. For more information, see Multiple IP addresses for your EC2 instances.
A private IPv4 address, regardless of whether it is a primary or secondary address, remains associated with the network interface when the instance is stopped and started, or hibernated and started, and is released when the instance is terminated.
Public IPv4 addresses
A public IP address is an IPv4 address that's reachable from the Internet. You can use public addresses for communication between your instances and the Internet.
When you launch an instance in a default VPC, we assign it a public IP address by default. When you launch an instance into a nondefault VPC, the subnet has an attribute that determines whether instances launched into that subnet receive a public IP address from the public IPv4 address pool. By default, we don't assign a public IP address to instances launched in a nondefault subnet.
You can control whether your instance receives a public IP address as follows:
-
Modifying the public IP addressing attribute of your subnet. For more information, see Modify the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
-
Enabling or disabling the public IP addressing feature during launch, which overrides the subnet's public IP addressing attribute. For more information, see Assign a public IPv4 address during instance launch.
-
You can unassign a public IP address from your instance after launch by managing the IP addresses associated with a network interface.
A public IP address is assigned to your instance from Amazon's pool of public IPv4 addresses, and is not associated with your AWS account. When a public IP address is disassociated from your instance, it is released back into the public IPv4 address pool, and you cannot reuse it.
In certain cases, we release the public IP address from your instance, or assign it a new one:
-
We release your instance's public IP address when it is stopped, hibernated, or terminated. Your stopped or hibernated instance receives a new public IP address when it is started.
-
We release your instance's public IP address when you associate an Elastic IP address with it. When you disassociate the Elastic IP address from your instance, it receives a new public IP address.
-
If the public IP address of your instance in a VPC has been released, it will not receive a new one if there is more than one network interface attached to your instance.
-
If your instance's public IP address is released while it has a secondary private IP address that is associated with an Elastic IP address, the instance does not receive a new public IP address.
If you require a persistent public IP address that can be associated to and from instances as you require, use an Elastic IP address instead.
If you use dynamic DNS to map an existing DNS name to a new instance's public IP address, it might take up to 24 hours for the IP address to propagate through the Internet. As a result, new instances might not receive traffic while terminated instances continue to receive requests. To solve this problem, use an Elastic IP address. You can allocate your own Elastic IP address, and associate it with your instance. For more information, see Elastic IP addresses.
If you are using Amazon VPC IP Address Manager (IPAM), you can get a contiguous block of public IPv4 addresses from AWS and use it to allocate Elastic IP addresses to AWS resources. Using contiguous IPv4 address blocks can significantly reduce management overhead for security access control lists and simplify IP address allocation and tracking for enterprises scaling on AWS. For more information, see Allocate sequential Elastic IP addresses from an IPAM pool in the Amazon VPC IPAM User Guide.
Note
-
AWS charges for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the Public IPv4 Address tab on the Amazon VPC pricing page
. -
Instances that access other instances through their public NAT IP address are charged for regional or Internet data transfer, depending on whether the instances are in the same Region.
Public IPv4 address optimization
AWS charges for all public IPv4 addresses, including public IPv4 addresses
associated with running instances and Elastic IP addresses. For more information, see the Public IPv4 Address
tab on the Amazon VPC pricing page
The following list contains actions you can take to optimize the number of public IPv4 addresses you use:
-
Use an elastic load balancer to load balance traffic to your EC2 instances and disable Auto-assign public IP on the primary ENI assigned to the instances. Load balancers use a single public IPv4 address, so this reduces your public IPv4 address count. You may also want consolidate existing load balancers to further reduce the public IPv4 address count.
-
If the only reason for using a NAT gateway is to SSH into an EC2 instance in a private subnet for maintenance or emergencies, consider using EC2 Instance Connect Endpoint instead. With EC2 Instance Connect Endpoint, you can connect to an instance from the internet without requiring the instance to have a public IPv4 address.
-
If your EC2 instances are in a public subnet with public IP addresses allocated to them, consider moving the instances to a private subnet, removing the public IP addresses, and using a public NAT gateway to allow access to and from your EC2 instances. There are cost considerations for using NAT gateways. Use this calculation method to decide if NAT gateways are cost effective. You can get the
Number of public IPv4 addresses
required for this calculation by creating an AWS Billing Cost and Usage Report. NAT gateway per hour + NAT gateway public IPs + NAT gateway transfer / Existing public IP cost
Where:
NAT gateway per hour = $0.045 * 730 hours in a month * Number of Availability Zones the NAT gateways are in
NAT gateway public IPs = $0.005 * 730 hours in a month * Number of IPs associated with your NAT gateways
NAT gateway transfer = $0.045 * Number of GBs that will go through the NAT gateway in a month
Existing public IP cost = $0.005 * 730 hours in a month * Number of public IPv4 addresses
If the total is less than 1, NAT gateways are cheaper than public IPv4 addresses.
-
Use AWS PrivateLink to connect privately to AWS services or services hosted by other AWS accounts rather than using public IPv4 addresses and internet gateways.
-
Bring your own IP address range (BYOIP) to AWS and use the range for public IPv4 addresses rather than using Amazon-owned public IPv4 addresses.
-
Turn off auto-assign public IPv4 address for instances launched into subnets. This option is generally disabled by default for VPCs when you create a subnet, but you should check your existing subnets to ensure it’s disabled.
-
If you have EC2 instances that do not need public IPv4 addresses, check that the network interfaces attached to your instances have Auto-assign public IP disabled.
-
Configure accelerator endpoints in AWS Global Accelerator for EC2 instances in private subnets to enable internet traffic to flow directly to the endpoints in your VPCs without requiring public IP addresses. You can also bring your own addresses to AWS Global Accelerator and use your own IPv4 addresses for your accelerator’s static IP addresses.
IPv6 addresses
IPv6 addresses are globally unique and can be configured to remain private or reachable over the Internet. Both public and private IPv6 addressing is available in AWS:
Private IPv6: AWS considers private IPv6 addresses those that are not advertised and cannot be advertised on the Internet from AWS.
Public IPv6: AWS considers public IPv6 addresses those that are advertised on the Internet from AWS.
For more information about public and private IPv6 addresses, see IPv6 addresses in the Amazon VPC User Guide.
Your EC2 instances receive an IPv6 address if an IPv6 CIDR block is associated with your VPC and subnet, and if one of the following is true:
-
Your subnet is configured to automatically assign an IPv6 address to an instance during launch. For more information, see Modify the IP addressing attributes of your subnet.
-
You assign an IPv6 address to your instance during launch.
-
You assign an IPv6 address to the primary network interface of your instance after launch.
-
You assign an IPv6 address to a network interface in the same subnet, and attach the network interface to your instance after launch.
When your instance receives an IPv6 address during launch, the address is associated with the primary network interface (eth0) of the instance. You can manage the IPv6 addresses for your instances primary network interface (eth0) in the following ways:
-
Assign and unassign IPv6 addresses from the network interface. The number of IPv6 addresses you can assign to a network interface and the number of network interfaces you can attach to an instance varies per instance type. For more information, see Maximum IP addresses per network interface.
-
Enable a primary IPv6 address. A primary IPv6 address enables you to avoid disrupting traffic to instances or ENIs. For more information, see Create a network interface for your EC2 instance or Manage the IP addresses for your network interface.
An IPv6 address persists when you stop and start, or hibernate and start, your instance, and is released when you terminate your instance. You cannot reassign an IPv6 address while it's assigned to another network interface—you must first unassign it.
You can control whether instances are reachable via their IPv6 addresses by controlling the routing for your subnet or by using security group and network ACL rules. For more information, see Internetwork traffic privacy in the Amazon VPC User Guide.
For more information about reserved IPv6 address ranges, see IANA IPv6 Special-Purpose Address Registry
EC2 instance hostnames
When you create an EC2 instance, AWS creates a hostname for that instance. For more information on the types of hostnames and how they're provisioned by AWS, see Amazon EC2 instance hostname types. Amazon provides a DNS server that resolves Amazon-provided hostnames to IPv4 and IPv6 addresses. The Amazon DNS server is located at the base of your VPC network range plus two. For more information, see DNS attributes for your VPC in the Amazon VPC User Guide.
Link-local addresses
Link-local addresses are well-known, non-routable IP addresses. Amazon EC2 uses addresses from the link-local address space to provide services that are accessible only from an EC2 instance. These services do not run on the instance, they run on the underlying host. When you access the link-local addresses for these services, you're communicating with either the Xen hypervisor or the Nitro controller.
Link-local address ranges
-
IPv4 – 169.254.0.0/16 (169.254.0.0 to 169.254.255.255)
-
IPv6 – fe80::/10
Services that you access using link-local addresses
-
Amazon Route 53 Resolver (also known as the Amazon DNS server)