Amazon VPC quotas
The following tables list the quotas, formerly referred to as limits, for Amazon VPC resources for your AWS account. Unless indicated otherwise, these quotas are per Region.
If you request a quota increase that applies per resource, we increase the quota for all resources in the Region.
VPC and subnets
Name | Default | Adjustable | Comments |
---|---|---|---|
VPCs per Region | 5 | Yes | Increasing this quota increases the quota on internet gateways per Region by the same amount. You can increase this limit so that you can have hundreds of VPCs per Region. |
Subnets per VPC | 200 | Yes | |
IPv4 CIDR blocks per VPC | 5 | Yes (up to 50) | The primary CIDR block and all secondary CIDR blocks count toward this quota. |
IPv6 CIDR blocks per VPC | 5 | Yes (up to 50) | The number of CIDRs you can allocate to a single VPC. |
VPC Block Public Access exclusions per account per Region | 50 | Yes. To request an increase, open a service limit increase case | The number of VPC BPA exclusions you can create in an account. |
DNS
Each EC2 instance can send 1024 packets per second per network interface to Route 53 Resolver (specifically the .2 address, such as 10.0.0.2 and 169.254.169.253). This quota cannot be increased.
The number of DNS queries per second supported by Route 53 Resolver varies by the type of query, the size of the response, and the protocol in use. For more information and recommendations for a scalable DNS architecture, see the AWS Hybrid DNS with Active Directory
Elastic IP addresses
Gateways
Name | Default | Adjustable | Comments |
---|---|---|---|
Egress-only internet gateways per Region | 5 | Yes | To increase this quota, increase the quota for VPCs per Region. You can attach only one egress-only internet gateway to a VPC at a time. |
Internet gateways per Region | 5 | Yes | To increase this quota, increase the quota for VPCs per Region. You can attach only one internet gateway to a VPC at a time. |
NAT gateways per Availability Zone | 5 | Yes | NAT gateways only count toward your quota in the pending, active, and deleting states. |
Private IP address quota per NAT gateway | 8 | Yes | |
Carrier gateways per VPC | 1 | No | |
Customer-managed prefix lists
While the default quotas for customer-managed prefix lists are adjustable, you cannot request an increase using the Service Quotas console. You must open a service limit increase case.
Name | Default | Adjustable | Comments |
---|---|---|---|
Prefix lists per Region | 100 | Yes | |
Versions per prefix list | 1,000 | Yes | If a prefix list has 1,000 stored versions and you add a new version, the oldest version is removed so that the new version can be added. |
Maximum number of entries per prefix list | 1,000 | Yes | You can resize a customer-managed prefix list up to 1000. For more information, see Resize a prefix list. When you reference a prefix list in a resource, the maximum number of entries for the prefix lists counts against the quota for the number of entries for the resource. For example, if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules. |
References to a prefix list per resource type | 5,000 | Yes | This quota applies per resource type that can reference a prefix list. For example, you can have 5,000 references to a prefix list across all of your security groups plus 5,000 references to a prefix list across all of your subnet route tables. If you share a prefix list with other AWS accounts, the other accounts' references to your prefix list count toward this quota. |
Network ACLs
Name | Default | Adjustable | Comments |
---|---|---|---|
Network ACLs per VPC | 200 | Yes | You can associate one network ACL to one or more subnets in a VPC. |
Rules per network ACL | 20 | Yes | This quota determines both the maximum number of inbound rules and the maximum number of outbound rules. This quota can be increased up to a maximum of 40 inbound rules and 40 outbound rules (for a total of 80 rules), but network performance might be impacted. |
Network interfaces
Name | Default | Adjustable | Comments |
---|---|---|---|
Network interfaces per instance | Varies by instance type | No | For more information, see Network interfaces per instance type. |
Network interfaces per Region | 5,000 | Yes | This quota applies to individual AWS account VPCs and shared VPCs. This limit is enforced per Availability Zone (AZ). If, for example, the network interfaces are in three AZs, each AZ will have a limit of 5,000 and the Region will have a limit of 15,000. |
Route tables
Name | Default | Adjustable | Comments |
---|---|---|---|
Route tables per VPC | 200 | Yes | The main route table counts toward this quota. Note that if you request a quota increase for route tables, you may also want to request a quota increase for subnets. While route tables can be shared with multiple subnets, a subnet can only be associated with a single route table. |
Routes per route table (non-propagated routes) | 50 | Yes | You can increase this quota up to a maximum of 1,000; however, network performance might be impacted. This quota is enforced separately for IPv4 routes and IPv6 routes. If you have more than 125 routes, we recommend that you paginate calls to describe your route tables for better performance. |
Propagated routes per route table | 100 | No | If you require additional prefixes, advertise a default route. |
Security groups
Name | Default | Adjustable | Comments |
---|---|---|---|
VPC security groups per Region | 2,500 | Yes | This quota applies to individual AWS account VPCs and shared VPCs. If you increase this quota to more than 5,000 security groups in a Region, we recommend that you paginate calls to describe your security groups for better performance. |
Inbound or outbound rules per security group | 60 | Yes | This quota is enforced separately for inbound and outbound rules. For an account with the default quota of 60 rules, a security group can have 60 inbound rules and 60 outbound rules. In addition, this quota is enforced separately for IPv4 rules and IPv6 rules. For an account with the default quota of 60 rules, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic. For more information, see Security group size. A quota change applies to both inbound and outbound rules. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000. |
Security groups per network interface | 5 | Yes (up to 16) | This quota multiplied by the quota for rules per security group cannot exceed 1,000. |
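The following added example (not part of the original AWS page) works through the security group rule accounting described above together with the prefix list rule from the customer-managed prefix lists table: a prefix list reference counts as its maximum entries, usage is tracked per direction and per address family, and the two security group quotas multiplied together cannot exceed 1,000. The rule and prefix list dictionaries, their field names, and the `pl-example-*` IDs are constructed for illustration, and the code assumes a prefix list's entries count toward the list's own address family.

```python
from collections import Counter

# Default quotas taken from the tables on this page.
RULES_PER_SG = 60     # per direction and per address family
SGS_PER_ENI = 5
MAX_PRODUCT = 1000    # ceiling for rules per SG x SGs per network interface

def rule_weight(rule, prefix_lists):
    """Return (family, weight). A CIDR rule weighs 1; a prefix list
    reference weighs the list's maximum entries, not its current entries."""
    if "prefix_list_id" in rule:
        pl = prefix_lists[rule["prefix_list_id"]]
        # Assumption: entries count toward the list's own address family.
        return pl["family"], pl["max_entries"]
    return ("ipv6" if ":" in rule["cidr"] else "ipv4"), 1

def effective_usage(rules, prefix_lists):
    """Sum weights per (direction, family) bucket; each has its own quota."""
    usage = Counter()
    for rule in rules:
        family, weight = rule_weight(rule, prefix_lists)
        usage[(rule["direction"], family)] += weight
    return usage

def over_quota(rules, prefix_lists, quota=RULES_PER_SG):
    """Return the buckets whose effective rule count exceeds the quota."""
    usage = effective_usage(rules, prefix_lists)
    return {bucket: n for bucket, n in usage.items() if n > quota}

def quota_pair_allowed(rules_per_sg, sgs_per_eni):
    """The two quotas multiplied together cannot exceed 1,000."""
    return rules_per_sg * sgs_per_eni <= MAX_PRODUCT

# Constructed sample data (not real resources).
PREFIX_LISTS = {
    "pl-example-admin": {"family": "ipv4", "max_entries": 20},
    "pl-example-partners": {"family": "ipv4", "max_entries": 50},
}
RULES = (
    [{"direction": "inbound", "cidr": f"10.0.{i}.0/24"} for i in range(5)]
    + [{"direction": "inbound", "cidr": "2001:db8::/32"},
       {"direction": "inbound", "prefix_list_id": "pl-example-admin"},
       {"direction": "inbound", "prefix_list_id": "pl-example-partners"},
       {"direction": "outbound", "cidr": "0.0.0.0/0"}]
)

if __name__ == "__main__":
    print(dict(effective_usage(RULES, PREFIX_LISTS)))
    print("over quota:", over_quota(RULES, PREFIX_LISTS))
    print("60 x 16 allowed:", quota_pair_allowed(60, 16))
    print("100 x 16 allowed:", quota_pair_allowed(100, 16))
```

In the sample, seven visible inbound IPv4 rules consume 75 rule slots because the two prefix list references are charged at their maximum size, which exceeds the default quota of 60.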
VPC subnet sharing
All standard VPC quotas apply to shared VPC subnets.
Name | Default | Adjustable | Comments |
---|---|---|---|
Participant accounts per VPC | 100 | Yes | The maximum number of distinct participant accounts that subnets in a VPC can be shared with. This is a per VPC quota and applies across all the subnets shared in a VPC. VPC owners can view the network interfaces and security groups that are attached to the participant resources. |
Subnets that can be shared with an account | 100 | Yes | This is the maximum number of subnets that can be shared with an AWS account. |
Network Address Usage
Network Address Usage (NAU) is comprised of IP addresses, network interfaces, and CIDRs in managed prefix lists. NAU is a metric applied to resources in a VPC to help you plan for and monitor the size of your VPC. For more information, see Network Address Usage.
The resources that make up the NAU count have their own individual service quotas. Even if a VPC has NAU capacity available, you won't be able to launch resources into the VPC if the resources have exceeded their service quotas.
Name | Default | Adjustable | Comments |
---|---|---|---|
Network Address Usage | 64,000 | Yes | The maximum number of NAU units per VPC. |
Peered Network Address Usage | 128,000 | Yes | The maximum number of NAU units for a VPC and all of its intra-Region peered VPCs. VPCs that are peered across different Regions do not contribute to this number. |
Amazon EC2 API throttling
For information about Amazon EC2 throttling, see API Request Throttling in the Amazon EC2 API Reference.
Additional quota resources
For more information, see the following:
- AWS Client VPN quotas in the AWS Client VPN Administrator Guide
- AWS Direct Connect quotas in the AWS Direct Connect User Guide
- Peering quotas in the Amazon VPC Peering Guide
- PrivateLink quotas in the AWS PrivateLink Guide
- Site-to-Site VPN quotas in the AWS Site-to-Site VPN User Guide
- Traffic Mirroring quotas in the Amazon VPC Traffic Mirroring Guide
- Transit gateway quotas in the Amazon VPC Transit Gateways Guide