Amazon Virtual Private Cloud endpoints and quotas
The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. In addition to the standard AWS endpoints, some AWS services offer FIPS endpoints in selected Regions. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.
Service endpoints
The API actions to manage Amazon VPC resources (for example, virtual private clouds, subnets, and gateways) are part of the Amazon EC2 API. For more information, see Amazon VPC actions in the Amazon EC2 API Reference.
For the service endpoints for Amazon EC2, see Amazon EC2 endpoints and quotas.
Service quotas
Name | Default | Adjustable | Description |
---|---|---|---|
Active VPC peering connections per VPC | Each supported Region: 50 | Yes | The maximum number of active VPC peering connections per VPC. This quota can be increased up to a maximum of 125. |
Characters per VPC endpoint policy | Each supported Region: 20,480 | No | The maximum number of characters in a VPC endpoint policy, including white space. |
Egress-only internet gateways per Region | Each supported Region: 5 | Yes | The maximum number of egress-only (outbound-only) internet gateways per Region. This quota is directly tied to the maximum number of VPCs per Region. To increase this quota, increase the number of VPCs per Region. |
Elastic IP address quota per NAT gateway | Each supported Region: 2 | Yes | The maximum number of Elastic IP addresses that can be associated with a single NAT Gateway of connectivity type public. |
Gateway VPC endpoints per Region | Each supported Region: 20 | Yes | The maximum number of gateway VPC endpoints per Region. The maximum is 255 gateway endpoints per VPC. |
IPv4 CIDR blocks per VPC | Each supported Region: 5 | Yes | The maximum number of IPv4 CIDR blocks per VPC. The primary CIDR block and all secondary CIDR blocks count toward this quota. This quota can be increased up to a maximum of 50. |
IPv6 CIDR blocks per VPC | Each supported Region: 5 | Yes | The maximum number of IPv6 CIDR blocks per VPC. |
Inbound or outbound rules per security group | Each supported Region: 60 | Yes | The maximum number of inbound or outbound rules per VPC security group (120 rules in total). This quota is enforced separately for IPv4 and IPv6 rules. A rule that references a security group or prefix list ID counts as one rule each for IPv4 and IPv6. This quota multiplied by the security groups per network interface quota cannot exceed 1000. |
Interface VPC endpoints per VPC | Each supported Region: 50 | Yes | The maximum number of interface VPC endpoints per VPC. |
Internet gateways per Region | Each supported Region: 5 | Yes | The maximum number of internet gateways per Region. This quota is directly tied to the maximum number of VPCs per Region. To increase this quota, increase the number of VPCs per Region. |
NAT gateways per Availability Zone | Each supported Region: 5 | Yes | The maximum number of NAT gateways per Availability Zone. This includes NAT gateways in the pending, active, or deleting state. |
Network ACLs per VPC | Each supported Region: 200 | Yes | The maximum number of network ACLs per VPC. |
Network Address Usage | Each supported Region: 64,000 | Yes | The maximum Network Address Usage for a single VPC. |
Network interfaces per Region | Each supported Region: 5,000 | Yes | The maximum number of network interfaces per Availability Zone in a Region. |
Outstanding VPC peering connection requests | Each supported Region: 25 | Yes | The maximum number of outstanding VPC peering connection requests that you've requested. |
Participant accounts per VPC | Each supported Region: 100 | Yes | The maximum number of distinct participant accounts that subnets in a VPC can be shared with. This is a per VPC quota and applies across all the subnets shared in a VPC. |
Peered Network Address Usage | Each supported Region: 128,000 | Yes | The maximum Network Address Usage for a VPC and its peers. |
Private IP address quota per NAT gateway | Each supported Region: 8 | Yes | The maximum number of private IP addresses that can be assigned to a single NAT Gateway of connectivity type private. |
Route tables per VPC | Each supported Region: 200 | Yes | The maximum number of route tables per VPC. The main route table counts toward this quota. |
Routes per route table | Each supported Region: 50 | Yes | The maximum number of non-propagated routes per route table. This quota can be increased up to a maximum of 1000; however, network performance might be impacted. This quota is enforced separately for IPv4 and IPv6 routes. |
Rules per network ACL | Each supported Region: 20 | Yes | The maximum number of inbound rules or outbound rules per network ACL (a total of 40 rules). This includes both IPv4 and IPv6 rules, and the default deny rules. This quota can be increased up to a maximum of 40; however, network performance might be impacted. |
Security groups per network interface | Each supported Region: 5 | Yes | The maximum number of security groups per network interface. The maximum is 16. This quota, multiplied by the quota for rules per security group, cannot exceed 1000. |
Subnets per VPC | Each supported Region: 200 | Yes | The maximum number of subnets per VPC. |
Subnets that can be shared with an account | Each supported Region: 100 | Yes | The maximum number of subnets that can be shared with an AWS account. |
VPC Block Public Access exclusions per account per Region | Each supported Region: 50 | No | The maximum number of VPC Block Public Access exclusions that an account can have in a single Region at a time. |
VPC endpoints of type resource per VPC | Each supported Region: 200 | Yes | The maximum number of single resource endpoints in a VPC. For additional capacity and limit increases, contact AWS Support. |
VPC endpoints of type service network per VPC | Each supported Region: 50 | Yes | The maximum number of service network endpoints in a VPC. For additional capacity and limit increases, contact AWS Support. |
VPC peering connection request expiry hours | Each supported Region: 168 | No | The maximum number of hours after which an unaccepted VPC peering connection request expires. The default value is 168 hours (one week). |
VPC security groups per Region | Each supported Region: 2,500 | Yes | The maximum number of VPC security groups per Region. |
VPCs per Region | Each supported Region: 5 | Yes | The maximum number of VPCs per Region. This quota is directly tied to the maximum number of internet gateways per Region. |
Note
The VPC Block Public Access exclusions per account per Region quota is adjustable. To request an adjustment, open a service limit increase case.
For more information, see the following: