IP Addressing in Your VPC

IP addresses enable resources in your VPC to communicate with each other, and with
resources over the Internet. Amazon EC2 and Amazon VPC support the IPv4 and IPv6
addressing protocols.

By default, Amazon EC2 and Amazon VPC use the IPv4 addressing protocol. When you
create a VPC, you must assign it an IPv4 CIDR block (a range of private IPv4
addresses). Private IPv4 addresses are not reachable over the Internet. To connect
to your instance over the Internet, or to enable communication between your
instances and other AWS services that have public endpoints, you can assign a
globally-unique public IPv4 address to your instance.

You can optionally associate an IPv6 CIDR block with your VPC and subnets, and
assign IPv6 addresses from that block to the resources in your VPC. IPv6 addresses
are public and reachable over the Internet.

Note

To ensure that your instances can communicate with the Internet, you must also
attach an Internet gateway to your VPC. For more information, see Internet
Gateways.

Your VPC can operate in dual-stack mode: your resources can communicate over IPv4,
or IPv6, or both. IPv4 and IPv6 addresses are independent of each other; you must
configure routing and security in your VPC separately for IPv4 and IPv6.
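Because the two address families are configured independently and IPv6 addresses are public, a security group rule can be tightly scoped for IPv4 yet open to every IPv6 source. The following audit is an added example, not part of the original guide: it assumes rule data in the shape returned by `aws ec2 describe-security-groups`, and the group IDs and rules in `SAMPLE_GROUPS` are constructed.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1",
     "IpPermissions": [
         # SSH limited to the VPC range for IPv4, but open to all of IPv6.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         # HTTPS intentionally open on both families.
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0example2",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}],
          "Ipv6Ranges": []},
     ]},
]

def world_open(cidrs):
    """True if any CIDR covers its whole address family (prefix length 0)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def ipv6_only_exposure(groups):
    """Return (group, protocol, from_port, to_port) for inbound rules that
    allow ::/0 while the same rule does not allow 0.0.0.0/0."""
    merged = {}
    for group in groups:
        for perm in group.get("IpPermissions", []):
            key = (group["GroupId"], perm["IpProtocol"],
                   perm.get("FromPort"), perm.get("ToPort"))
            v4, v6 = merged.setdefault(key, ([], []))
            v4.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
            v6.extend(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return [key for key, (v4, v6) in merged.items()
            if world_open(v6) and not world_open(v4)]

if __name__ == "__main__":
    for finding in ipv6_only_exposure(SAMPLE_GROUPS):
        print("IPv6 wider than IPv4:", finding)
```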

The following table summarizes the differences between IPv4 and IPv6 in Amazon EC2
and Amazon VPC.

IPv4 and IPv6 Characteristics and Restrictions


| IPv4 | IPv6 |
| --- | --- |
| The format is 32-bit, 4 groups of up to 3 numerical digits. | The format is 128-bit, 8 groups of 4 hexadecimal digits. |
| Default and required for all VPCs; cannot be removed. | Opt-in only. |
| The VPC CIDR block size can be from /16 to /28. | The VPC CIDR block size is fixed at /56. |
| The subnet CIDR block size can be from /16 to /28. | The subnet CIDR block size is fixed at /64. |
| You can choose the private IPv4 CIDR block for your VPC. | We choose the IPv6 CIDR block for your VPC from Amazon's pool of IPv6 addresses. You cannot select your own range. |
| There is a distinction between private and public IP addresses. To enable communication with the Internet, a public IPv4 address is mapped to the primary private IPv4 address through network address translation (NAT). | No distinction between public and private IP addresses. IPv6 addresses are public. |
| Supported on all instance types. | Supported on all current generation instance types and the C3, R3, and I2 previous generation instance types. For more information, see Instance Types. |
| Supported in EC2-Classic, and EC2-Classic connections with a VPC via ClassicLink. | Not supported in EC2-Classic, and not supported for EC2-Classic connections with a VPC via ClassicLink. |
| Supported on all AMIs. | Automatically supported on AMIs that are configured for DHCPv6. Amazon Linux versions 2016.09.0 and later and Windows Server 2008 R2 and later are configured for DHCPv6. For other AMIs, you must manually configure your instance to recognize any assigned IPv6 addresses. |
| An instance receives an Amazon-provided private DNS hostname that corresponds to its private IPv4 address, and if applicable, a public DNS hostname that corresponds to its public IPv4 or Elastic IP address. | Amazon-provided DNS hostnames are not supported. |
| Elastic IPv4 addresses are supported. | Elastic IPv6 addresses are not supported. |
| Supported for AWS Site-to-Site VPN connections and customer gateways, NAT devices, and VPC endpoints. | Not supported for AWS Site-to-Site VPN connections and customer gateways, NAT devices, and VPC endpoints. |

We support IPv6 traffic over a virtual private gateway to an AWS Direct Connect
connection. For more information, see the AWS Direct Connect User Guide.

Private IPv4 Addresses

Private IPv4 addresses (also referred to as private IP addresses in this topic) are
not reachable over the Internet, and can be used for communication between the
instances in your VPC. When you launch an instance into a VPC, a primary private IP
address from the IPv4 address range of the subnet is assigned to the default
network interface (eth0) of the instance. Each instance is also given a private
(internal) DNS hostname that resolves to the private IP address of the instance. If
you don't specify a primary private IP address, we select an available IP address
in the subnet range for you. For more information about network interfaces, see
Elastic Network Interfaces in the Amazon EC2 User Guide for Linux Instances.

You can assign additional private IP addresses, known as secondary private IP
addresses, to instances that are running in a VPC. Unlike a primary private IP
address, you can reassign a secondary private IP address from one network interface
to another. A private IP address remains associated with the network interface when
the instance is stopped and restarted, and is released when the instance is
terminated. For more information about primary and secondary IP addresses, see
Multiple IP Addresses in the Amazon EC2 User Guide for Linux Instances.

Note

We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR
range of the VPC. Most VPC IP address ranges fall within the private (non-publicly
routable) IP address ranges specified in RFC 1918; however, you can use publicly
routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC,
we do not support direct access to the Internet from your VPC's CIDR block,
including a publicly-routable CIDR block. You must set up Internet access through a
gateway; for example, an Internet gateway, virtual private gateway, an AWS Site-to-
Site VPN connection, or AWS Direct Connect.
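The size limits from the table above and the RFC 1918 point in this note can be checked against a proposed addressing plan before anything is created. This validator is an added example, not part of the original guide; the function name, the finding labels and the sample plan are constructed for illustration, using documentation address ranges.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(vpc_v4, subnets_v4, vpc_v6=None, subnets_v6=()):
    """Return (cidr, finding) tuples for a proposed plan; empty means consistent."""
    findings = []
    vpc = ipaddress.ip_network(vpc_v4)
    if not 16 <= vpc.prefixlen <= 28:
        findings.append((str(vpc), "prefix-length"))      # VPC must be /16 to /28
    if not any(vpc.subnet_of(r) for r in RFC1918):
        # Permitted, but the block still has no direct Internet access;
        # flag it so the choice is deliberate.
        findings.append((str(vpc), "not-rfc1918"))
    for net in map(ipaddress.ip_network, subnets_v4):
        if not 16 <= net.prefixlen <= 28:
            findings.append((str(net), "prefix-length"))  # subnet must be /16 to /28
        if not net.subnet_of(vpc):
            findings.append((str(net), "outside-vpc"))
    if vpc_v6 is not None:
        v6 = ipaddress.ip_network(vpc_v6)
        if v6.prefixlen != 56:
            findings.append((str(v6), "prefix-length"))   # IPv6 VPC block is fixed at /56
        for net in map(ipaddress.ip_network, subnets_v6):
            if net.prefixlen != 64:
                findings.append((str(net), "prefix-length"))  # fixed at /64
            if not net.subnet_of(v6):
                findings.append((str(net), "outside-vpc"))
    return findings

# Constructed sample plan with three deliberate mistakes.
SAMPLE_PLAN = dict(
    vpc_v4="10.0.0.0/16",
    subnets_v4=["10.0.1.0/24", "10.1.0.0/24", "10.0.2.0/29"],
    vpc_v6="2001:db8:1234:1a00::/56",
    subnets_v6=["2001:db8:1234:1a00::/64", "2001:db8:1234:1b00::/64"],
)

if __name__ == "__main__":
    for cidr, finding in check_plan(**SAMPLE_PLAN):
        print(f"{cidr}: {finding}")
```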
