AWS VPC Quotas

Question 1

VPCs per Region

Answer 1

Default 5, Adjustable Yes, increasing quota increases internet gateway by that amount. Can enable 100s of VPCs per region.

Question 2

Subnets per VPC

Answer 2

Default 200, Adjustable Yes

Question 3

IPv4 CIDR blocks per VPC

Answer 3

Default 5, Adjustable Yes, up to 50

Question 4

IPv6 CIDR blocks per VPC

Answer 4

Default 5, Adjustable No

Question 5

Elastic IP addresses per Region

Answer 5

Default 5, Adjustable Yes

Question 6

Egress-only internet gateways per Region

Answer 6

Default 5, Adjustable Yes, To increase this quota, increase the quota on VPCs per Region. You can attach only one egress-only internet gateway to a VPC at a time.

Question 7

Internet gateways per Region

Answer 7

Default 5, Adjustable Yes, To increase this quota, increase the quota on VPCs per Region. You can attach only one internet gateway to a VPC at a time.

Question 8

NAT gateways per Availability Zone

Answer 8

Default 5, Adjustable Yes, NAT gateways count toward your quota in the pending, active, or deleting state.

Question 9

Carrier gateways per VPC

Answer 9

Default 1, Adjustable No

Question 10

Prefix lists per Region

Answer 10

Default 100, Adjustable Yes

Question 11

Versions per prefix list

Answer 11

Default 1000, Adjustable Yes, If a prefix list has 1,000 stored versions and you add a new version, the oldest version is removed so that the new version can be added.

Question 12

Maximum number of entries per prefix list

Answer 12

Default 1000, Adjustable Yes, You can resize a customer-managed prefix list up to 1000. For more information, see Resize a prefix list. When you reference a prefix list in a resource, the maximum number of entries for the prefix lists counts against the quota for the number of entries for the resource. For example, if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules.

Question 13

References to a prefix list per resource type

Answer 13

Default 5000, Adjustable Yes, This quota applies per resource type that can reference a prefix list. For example, you can have 5,000 references to a prefix list across all of your security groups plus 5,000 references to a prefix list across all of your subnet route tables. If you share a prefix list with other AWS accounts, the other accounts’ references to your prefix list count toward this quota.

Question 14

Customer-managed prefix lists

Answer 14

Sets of IP address ranges that you define and manage. You can share your prefix list with other AWS accounts, enabling those accounts to reference the prefix list in their own resources.

Question 15

AWS-managed prefix lists

Answer 15

Sets of IP address ranges for AWS services. You cannot create, modify, share, or delete an AWS-managed prefix list.

Question 16

Network ACLs per VPC

Answer 16

Default 200, Adjustable Yes, You can associate one network ACL to one or more subnets in a VPC.

Question 17

Rules per network ACL

Answer 17

Default 20, Adjustable Yes, This is the one-way quota for a single network ACL. This quota is enforced separately for IPv4 rules and IPv6 rules; for example, you can have 20 ingress rules for IPv4 traffic and 20 ingress rules for IPv6 traffic. This quota includes the default deny rules (rule number 32767 for IPv4 and 32768 for IPv6, or an asterisk * in the Amazon VPC console). This quota can be increased up to a maximum of 40; however, network performance might be impacted due to the increased workload to process the additional rules.

Question 18

Network interfaces per instance

Answer 18

Varies by instance type, Adjustable No

Question 19

Network interfaces per Region

Answer 19

Default 5000, Adjustable Yes, This quota applies to individual AWS account VPCs and shared VPCs.

Question 20

Route tables per VPC

Answer 20

Default 200, Adjustable Yes, The main route table counts toward this quota. Note that if you request a quota increase for route tables, you may also want to request a quota increase for subnets. While route tables can be shared with multiple subnets, a subnet can only be associated with a single route table.

Question 21

Routes per route table (non-propagated routes)

Answer 21

Default 50, Adjustable Yes, You can increase this quota up to a maximum of 1,000; however, network performance might be impacted. This quota is enforced separately for IPv4 routes and IPv6 routes. If you have more than 125 routes, we recommend that you paginate calls to describe your route tables for better performance.

Question 22

BGP advertised routes per route table (propagated routes)

Answer 22

Default 100, Adjustable No, If you require additional prefixes, advertise a default route.

Question 23

VPC security groups per Region

Answer 23

Default 2500, Adjustable Yes, This quota applies to individual AWS account VPCs and shared VPCs. If you increase this quota to more than 5,000 security groups in a Region, we recommend that you paginate calls to describe your security groups for better performance.

Question 24

Inbound or outbound rules per security group

Answer 24

Default 60, Adjustable Yes, You can have 60 inbound and 60 outbound rules per security group (making a total of 120 rules). This quota is enforced separately for IPv4 rules and IPv6 rules; for example, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic. A quota change applies to both inbound and outbound rules. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000.

Question 25

Security groups per network interface

Answer 25

Default 5, Adjustable Yes (up to 16), This quota multiplied by the quota for rules per security group cannot exceed 1,000.

Question 26

Active VPC peering connections per VPC

Answer 26

Default 50, Adjustable Yes (up to 125), If you increase this quota, you should increase the number of entries per route table accordingly.

Question 27

Outstanding VPC peering connection requests

Answer 27

Default 25, Adjustable Yes, This is the number of outstanding VPC peering connection requests made from your account.

Question 28

Expiry time for an unaccepted VPC peering connection request

Answer 28

Default 1 week (168 hours), Adjustable No

Question 29

Gateway VPC endpoints per Region

Answer 29

Default 20, Adjustable Yes, You can’t have more than 255 gateway endpoints per VPC.

Question 30

Interface and Gateway Load Balancer endpoints per VPC

Answer 30

Default 50, Adjustable Yes, This is the combined quota for the maximum number of interface endpoints and Gateway Load Balancer endpoints in a VPC. To increase this quota, contact AWS Support.

Question 31

VPC endpoint policy size

Answer 31

Default 20480, Adjustable No, This quota includes white space.

Question 32

Participant accounts per VPC

Answer 32

Default 100, Adjustable Yes, This is the number of distinct participant accounts that subnets in a VPC can be shared with. This is a per VPC quota and applies across all the subnets shared in a VPC. To increase this quota, contact AWS Support. VPC owners can view the network interfaces and security groups that are attached to the participant resources.

Question 33

Subnets that can be shared with an account

Answer 33

Default 100, Adjustable Yes, This is the maximum number of subnets that can be shared with an AWS account.

Question 34

Network Address Usage

Answer 34

Default 64000, Adjustable Yes (up to 256000), The maximum number of NAU units that a single VPC can have.

Question 35

Peered Network Address Usage

Answer 35

Default 128000, Adjustable Yes (up to 512000), The maximum number of NAU units that a VPC and all of its peered VPCs can have in total. VPCs that are peered across different Regions do not contribute to this limit.