
Creating a VPC

You can create an empty VPC using the Amazon VPC console.
To create a VPC using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Your VPCs, Create VPC.
3. Specify the following VPC details as necessary and choose Create VPC.
• Name tag: Optionally provide a name for your VPC. Doing so creates a tag with a key of Name and the value that you specify.
• IPv4 CIDR block: Specify an IPv4 CIDR block for the VPC. We recommend that you specify a CIDR block from the private (non-publicly routable) IP address ranges as specified in RFC 1918; for example, 10.0.0.0/16 or 192.168.0.0/16.
Note
You can specify a range of publicly routable IPv4 addresses; however, we currently do not support direct access to the internet from publicly routable CIDR blocks in a VPC. Windows instances cannot boot correctly if launched into a VPC with ranges from 224.0.0.0 to 255.255.255.255 (Class D and Class E IP address ranges).
• IPv6 CIDR block: Optionally associate an IPv6 CIDR block with your VPC by choosing Amazon-provided IPv6 CIDR block.
• Tenancy: Select a tenancy option. Dedicated tenancy ensures that your instances run on single-tenant hardware. For more information, see Dedicated Instances in the Amazon EC2 User Guide for Linux Instances.
Alternatively, you can use a command line tool.
To create a VPC using a command line tool
• create-vpc (AWS CLI)
• New-EC2Vpc (AWS Tools for Windows PowerShell)
To describe a VPC using a command line tool
• describe-vpcs (AWS CLI)
• Get-EC2Vpc (AWS Tools for Windows PowerShell)
For more information about IP addresses, see IP Addressing in Your VPC.
After you've created a VPC, you can create subnets. For more information, see Creating a Subnet in Your VPC.
Creating a Subnet in Your VPC
To add a new subnet to your VPC, you must specify an IPv4 CIDR block for the subnet from the range of your VPC. You can specify the Availability Zone in which you want the subnet to reside. You can have multiple subnets in the same Availability Zone.
You can optionally specify an IPv6 CIDR block for your subnet if an IPv6 CIDR block is associated with your VPC.
To add a subnet to your VPC using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Subnets, Create Subnet.
3. Specify the subnet details as necessary and choose Create Subnet.
• Name tag: Optionally provide a name for your subnet. Doing so creates a tag with a key of Name and the value that you specify.
• VPC: Choose the VPC for which you're creating the subnet.
• Availability Zone: Optionally choose an Availability Zone in which your subnet will reside, or leave the default No Preference to let AWS choose an Availability Zone for you.
• IPv4 CIDR block: Specify an IPv4 CIDR block for your subnet, for example, 10.0.1.0/24. For more information, see VPC and Subnet Sizing for IPv4.
• IPv6 CIDR block: (Optional) If you've associated an IPv6 CIDR block with your VPC, choose Specify a custom IPv6 CIDR. Specify the hexadecimal pair value for the subnet, or leave the default value.
4. (Optional) If required, repeat the steps above to create more subnets in your VPC.
Alternatively, you can use a command line tool.
To add a subnet using a command line tool
• create-subnet (AWS CLI)
• New-EC2Subnet (AWS Tools for Windows PowerShell)
To describe a subnet using a command line tool
• describe-subnets (AWS CLI)
• Get-EC2Subnet (AWS Tools for Windows PowerShell)
After you've created a subnet, you can do the following:
• Configure your routing. To make your subnet a public subnet, you must attach an internet gateway to your VPC. For more information, see Creating and Attaching an Internet Gateway. You can then create a custom route table and add a route to the internet gateway. For more information, see Creating a Custom Route Table. For other routing options, see Route Tables.
• Modify the subnet settings to specify that all instances launched in that subnet receive a public IPv4 address, or an IPv6 address, or both. Leave this setting off for subnets that are meant to stay private, because it applies to every instance launched there. For more information, see IP Addressing Behavior for Your Subnet.
• Create or modify your security groups as needed. For more information, see Security Groups for Your VPC.
• Create or modify your network ACLs as needed. For more information about network ACLs, see Network ACLs.
Associating a Secondary IPv4 CIDR Block with Your VPC
You can add another IPv4 CIDR block to your VPC. Ensure that you have read the applicable restrictions.
After you've associated a CIDR block, the status goes to associating. The CIDR block is ready to use when it's in the associated state.
To add a CIDR block to your VPC using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Your VPCs.
3. Select the VPC, and choose Actions, Edit CIDRs.
4. Choose Add IPv4 CIDR, and enter the CIDR block to add; for example, 10.2.0.0/16. Choose the tick icon.
5. Choose Close.
Alternatively, you can use a command line tool.
To add a CIDR block using a command line tool
• associate-vpc-cidr-block (AWS CLI)
• Register-EC2VpcCidrBlock (AWS Tools for Windows PowerShell)
After you've added the IPv4 CIDR blocks that you need, you can create subnets. For more information, see Creating a Subnet in Your VPC.
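The three procedures above (choosing a VPC CIDR, carving subnets from it, and adding a secondary CIDR) share one failure mode: an address plan that the console or API rejects, or that silently wastes space. The following script is an added example, not code from the AWS guide, and it uses only the Python standard library so it runs offline. The /16 to /28 prefix bounds and the five addresses AWS reserves in every subnet are AWS behaviour that this page points at (VPC and Subnet Sizing for IPv4) but does not spell out; the Availability Zone names and the CIDRs in the `__main__` block are made up for illustration.

```python
"""Sanity-check IPv4 addressing for a VPC, its subnets and a secondary CIDR.

Added example, not code from the AWS guide. Standard library only, so it
runs offline. The /16-/28 prefix limits and the five addresses AWS reserves
in every subnet are AWS facts this page points at (VPC and Subnet Sizing
for IPv4) but does not spell out; AZ names and CIDRs below are made up.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASS_D_E = ipaddress.ip_network("224.0.0.0/3")   # 224.0.0.0-255.255.255.255
MIN_PREFIX, MAX_PREFIX = 16, 28                    # AWS IPv4 VPC/subnet bounds
RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def check_vpc_cidr(cidr):
    """Return problems with a candidate primary or secondary VPC CIDR.

    An empty list means the block is usable as the page recommends.
    strict=True rejects host bits (e.g. 10.0.0.1/16) with a ValueError.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"{net}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net}: not RFC 1918; publicly routable blocks get no direct internet access")
    if net.overlaps(CLASS_D_E):
        problems.append(f"{net}: in 224.0.0.0/3 (Class D/E); Windows instances will not boot")
    return problems


def check_secondary_cidr(existing_cidrs, new_cidr):
    """A secondary IPv4 CIDR must pass check_vpc_cidr and overlap no existing block."""
    new = ipaddress.ip_network(new_cidr)
    problems = check_vpc_cidr(new_cidr)
    for cidr in existing_cidrs:
        if new.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{new}: overlaps existing VPC CIDR {cidr}")
    return problems


def check_subnet(vpc_cidrs, subnet_cidr, other_subnets=()):
    """A subnet must sit inside one VPC CIDR and not overlap sibling subnets."""
    sub = ipaddress.ip_network(subnet_cidr)
    problems = []
    if not any(sub.subnet_of(ipaddress.ip_network(v)) for v in vpc_cidrs):
        problems.append(f"{sub}: not inside any VPC CIDR {list(vpc_cidrs)}")
    if not MIN_PREFIX <= sub.prefixlen <= MAX_PREFIX:
        problems.append(f"{sub}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    for other in other_subnets:
        if sub.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{sub}: overlaps existing subnet {other}")
    return problems


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign to instances in the subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr, azs, new_prefix=24, existing=()):
    """Allocate one /new_prefix subnet per Availability Zone from vpc_cidr,
    skipping ranges already in use. Returns [(az, network), ...]."""
    vpc = ipaddress.ip_network(vpc_cidr)
    taken = [ipaddress.ip_network(e) for e in existing]
    candidates = vpc.subnets(new_prefix=new_prefix)  # generator, consumed once
    plan = []
    for az in azs:
        for cand in candidates:
            if not any(cand.overlaps(t) for t in taken):
                taken.append(cand)
                plan.append((az, cand))
                break
        else:
            raise ValueError(f"{vpc}: no free /{new_prefix} left for {az}")
    return plan


if __name__ == "__main__":
    vpc = "10.0.0.0/16"
    print(check_vpc_cidr(vpc) or f"{vpc} ok")
    print(check_vpc_cidr("230.0.0.0/16"))
    plan = carve_subnets(vpc, ["us-east-1a", "us-east-1b"], existing=["10.0.0.0/24"])
    for az, net in plan:
        print(az, net, usable_hosts(str(net)), "usable hosts")
    print(check_secondary_cidr([vpc], "10.0.128.0/17"))
```

Run the checks before calling create-vpc, create-subnet or associate-vpc-cidr-block; a /24 reports 251 usable addresses rather than 254 because of the reserved five, and a secondary CIDR that overlaps the primary is caught locally instead of as an API error.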
Associating an IPv6 CIDR Block with Your VPC
You can associate an IPv6 CIDR block with any existing VPC. The VPC must not have an existing IPv6 CIDR block associated with it.
To associate an IPv6 CIDR block with a VPC using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Your VPCs.
3. Select your VPC, choose Actions, Edit CIDRs.
4. Choose Add IPv6 CIDR. After the IPv6 CIDR block is added, choose Close.
Alternatively, you can use a command line tool.
To associate an IPv6 CIDR block with a VPC using a command line tool
• associate-vpc-cidr-block (AWS CLI)
• Register-EC2VpcCidrBlock (AWS Tools for Windows PowerShell)
Associating an IPv6 CIDR Block with Your Subnet
You can associate an IPv6 CIDR block with an existing subnet in your VPC. The subnet must not have an existing IPv6 CIDR block associated with it.
To associate an IPv6 CIDR block with a subnet using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Subnets.
3. Select your subnet, choose Subnet Actions, Edit IPv6 CIDRs.
4. Choose Add IPv6 CIDR. Specify the hexadecimal pair for the subnet (for example, 00) and confirm the entry by choosing the tick icon.
5. Choose Close.
Alternatively, you can use a command line tool.
To associate an IPv6 CIDR block with a subnet using a command line tool
• associate-subnet-cidr-block (AWS CLI)
• Register-EC2SubnetCidrBlock (AWS Tools for Windows PowerShell)
Launching an Instance into Your Subnet
After you've created your subnet and configured your routing, you can launch an instance into your subnet using the Amazon EC2 console.
To launch an instance into your subnet using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the dashboard, choose Launch Instance.
3. Follow the directions in the wizard. Select an AMI and an instance type and choose Next: Configure Instance Details.
Note
If you want your instance to communicate over IPv6, you must select a supported instance type. All current generation instance types support IPv6 addresses.
4. On the Configure Instance Details page, ensure that you have selected the required VPC in the Network list, then select the subnet into which to launch the instance. Keep the other default settings on this page and choose Next: Add Storage.
5. On the next pages of the wizard, you can configure storage for your instance, and add tags. On the Configure Security Group page, choose from any existing security group that you own, or follow the wizard directions to create a new security group. Choose Review and Launch when you're done.
6. Review your settings and choose Launch.
7. Select an existing key pair that you own or create a new one, and then choose Launch Instances when you're done.
Alternatively, you can use a command line tool.
To launch an instance into your subnet using a command line tool
• run-instances (AWS CLI)
• New-EC2Instance (AWS Tools for Windows PowerShell)
Deleting Your Subnet
If you no longer need your subnet, you can delete it. You must terminate any instances in the subnet first.
To delete your subnet using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. Terminate all instances in the subnet. For more information, see Terminate Your Instance in the EC2 User Guide.
3. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
4. In the navigation pane, choose Subnets.
5. Select the subnet to delete and choose Subnet Actions, Delete.
6. In the Delete Subnet dialog box, choose Yes, Delete.
Alternatively, you can use a command line tool.
To delete a subnet using a command line tool
• delete-subnet (AWS CLI)
• Remove-EC2Subnet (AWS Tools for Windows PowerShell)
Disassociating an IPv4 CIDR Block from Your VPC
If your VPC has more than one IPv4 CIDR block associated with it, you can disassociate an IPv4 CIDR block from the VPC. You cannot disassociate the primary IPv4 CIDR block. You can only disassociate an entire CIDR block; you cannot disassociate a subset of a CIDR block or a merged range of CIDR blocks. You must first delete all subnets in the CIDR block.
To remove a CIDR block from a VPC using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Your VPCs.
3. Select the VPC, and choose Actions, Edit CIDRs.
4. Under VPC IPv4 CIDRs, choose the delete button (a cross) for the CIDR block to remove.
5. Choose Close.
Alternatively, you can use a command line tool.
To remove an IPv4 CIDR block from a VPC using a command line tool
• disassociate-vpc-cidr-block (AWS CLI)
• Unregister-EC2VpcCidrBlock (AWS Tools for Windows PowerShell)
Disassociating an IPv6 CIDR Block from Your VPC or Subnet
If you no longer want IPv6 support in your VPC or subnet, but you want to continue using your VPC or subnet for creating and communicating with IPv4 resources, you can disassociate the IPv6 CIDR block.
To disassociate an IPv6 CIDR block, you must first unassign any IPv6 addresses that are assigned to any instances in your subnet. For more information, see Unassigning an IPv6 Address From an Instance.
To disassociate an IPv6 CIDR block from a subnet using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Subnets.
3. Select your subnet, choose Subnet Actions, Edit IPv6 CIDRs.
4. Remove the IPv6 CIDR block for the subnet by choosing the cross icon.
5. Choose Close.
To disassociate an IPv6 CIDR block from a VPC using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Your VPCs.
3. Select your VPC, choose Actions, Edit CIDRs.
4. Remove the IPv6 CIDR block by choosing the cross icon.
5. Choose Close.
Note
Disassociating an IPv6 CIDR block does not automatically delete any security group rules, network ACL rules, or route table routes that you've configured for IPv6 networking. You must manually modify or delete these rules or routes.
Alternatively, you can use a command line tool.
To disassociate an IPv6 CIDR block from a subnet using a command line tool
• disassociate-subnet-cidr-block (AWS CLI)
• Unregister-EC2SubnetCidrBlock (AWS Tools for Windows PowerShell)
To disassociate an IPv6 CIDR block from a VPC using a command line tool
• disassociate-vpc-cidr-block (AWS CLI)
• Unregister-EC2VpcCidrBlock (AWS Tools for Windows PowerShell)
Deleting Your VPC
You can delete your VPC at any time. However, you must terminate all instances in the VPC first. When you delete a VPC using the VPC console, we delete all its components, such as subnets, security groups, network ACLs, route tables, internet gateways, VPC peering connections, and DHCP options.
If you have a VPN connection, you don't have to delete it or the other components related to the VPN (such as the customer gateway and virtual private gateway). If you plan to use the customer gateway with another VPC, we recommend that you keep the VPN connection and the gateways. Otherwise, your network administrator must configure the customer gateway again after you create a new VPN connection.
To delete your VPC using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. Terminate all instances in the VPC. For more information, see Terminate Your Instance in the Amazon EC2 User Guide for Linux Instances.
3. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
4. In the navigation pane, choose Your VPCs.
5. Select the VPC to delete and choose Actions, Delete VPC.
6. To delete the VPN connection, select the option to do so; otherwise, leave it unselected. Choose Yes, Delete.
Alternatively, you can use a command line tool. When you delete a VPC using the command line, you must first terminate all instances, delete all subnets, custom security groups, and custom route tables, and detach any internet gateway in the VPC.
To delete a VPC using a command line tool
• delete-vpc (AWS CLI)
• Remove-EC2Vpc (AWS Tools for Windows PowerShell)
Creating a Security Group
You can create a custom security group using the Amazon EC2 console. For EC2-VPC, you must specify the VPC for which you're creating the security group.
To create a new security group using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Security Groups.
3. Choose Create Security Group.
4. Specify a name and description for the security group.
5. (EC2-Classic only) To create a security group for use in EC2-Classic, choose No VPC.
(EC2-VPC) For VPC, choose a VPC ID to create a security group for that VPC.
6. You can start adding rules, or you can choose Create to create the security group now (you can always add rules later). For more information about adding rules, see Adding Rules to a Security Group.
To create a security group using the command line
• create-security-group (AWS CLI)
• New-EC2SecurityGroup (AWS Tools for Windows PowerShell)
The Amazon EC2 console enables you to copy the rules from an existing security group to a new security group.
To copy a security group using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Security Groups.
3. Select the security group you want to copy, choose Actions, Copy to new.
4. The Create Security Group dialog opens, and is populated with the rules from the existing security group. Specify a name and description for your new security group. In the VPC list, choose No VPC to create a security group for EC2-Classic, or choose a VPC ID to create a security group for that VPC. When you are done, choose Create.
You can assign a security group to an instance when you launch the instance. When you add or remove rules, those changes are automatically applied to all instances to which you've assigned the security group.
After you launch an instance in EC2-Classic, you can't change its security groups. After you launch an instance in a VPC, you can change its security groups. For more information, see Changing an Instance's Security Groups in the Amazon VPC User Guide.
[EC2-VPC] To modify the security groups for an instance using the command line
• modify-instance-attribute (AWS CLI)
• Edit-EC2InstanceAttribute (AWS Tools for Windows PowerShell)
Describing Your Security Groups
You can view information about your security groups using the Amazon EC2 console or the command line.
To describe your security groups for EC2-Classic using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Security Groups.
3. Select Network Platforms from the filter list, then choose EC2-Classic.
4. Select a security group. The Description tab displays general information. The Inbound tab displays the inbound rules.
To describe your security groups for EC2-VPC using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Security Groups.
3. Select Network Platforms from the filter list, then choose EC2-VPC.
4. Select a security group. We display general information in the Description tab, inbound rules on the Inbound tab, and outbound rules on the Outbound tab.
To describe one or more security groups using the command line
• describe-security-groups (AWS CLI)
• Get-EC2SecurityGroup (AWS Tools for Windows PowerShell)
Adding Rules to a Security Group
When you add a rule to a security group, the new rule is automatically applied to any instances associated with the security group after a short period.
For more information about choosing security group rules for specific types of access, see Security Group Rules Reference.
To add rules to a security group using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Security Groups and select the security group.
3. On the Inbound tab, choose Edit.
4. In the dialog, choose Add Rule and do the following:
• For Type, select the protocol.
• If you select a custom TCP or UDP protocol, specify the port range in Port Range.
• If you select a custom ICMP protocol, choose the ICMP type name from Protocol, and, if applicable, the code name from Port Range.
• For Source, choose one of the following:
  o Custom: in the provided field, you must specify an IP address in CIDR notation, a CIDR block, or another security group.
  o Anywhere: automatically adds the 0.0.0.0/0 IPv4 CIDR block. This option enables all traffic of the specified type to reach your instance. This is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, authorize only a specific IP address or range of addresses to access your instance.
Note
If your security group is in a VPC that's enabled for IPv6, the Anywhere option creates two rules: one for IPv4 traffic (0.0.0.0/0) and one for IPv6 traffic (::/0).
  o My IP: automatically adds the public IPv4 address of your local computer.
• For Description, you can optionally specify a description for the rule.
For more information about the types of rules that you can add, see Security Group Rules Reference.
5. Choose Save.
6. For a VPC security group, you can also specify outbound rules. On the Outbound tab, choose Edit, Add Rule, and do the following:
• For Type, select the protocol.
• If you select a custom TCP or UDP protocol, specify the port range in Port Range.
• If you select a custom ICMP protocol, choose the ICMP type name from Protocol, and, if applicable, the code name from Port Range.
• For Destination, choose one of the following:
  o Custom: in the provided field, you must specify an IP address in CIDR notation, a CIDR block, or another security group.
  o Anywhere: automatically adds the 0.0.0.0/0 IPv4 CIDR block. This option enables outbound traffic to all IP addresses.
Note
If your security group is in a VPC that's enabled for IPv6, the Anywhere option creates two rules: one for IPv4 traffic (0.0.0.0/0) and one for IPv6 traffic (::/0).
  o My IP: automatically adds the IP address of your local computer.
• For Description, you can optionally specify a description for the rule.
7. Choose Save.
To add one or more ingress rules to a security group using the command line
• authorize-security-group-ingress (AWS CLI)
• Grant-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)
[EC2-VPC] To add one or more egress rules to a security group using the command line
• authorize-security-group-egress (AWS CLI)
• Grant-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)
Updating Security Group Rules
When you modify the protocol, port range, or source or destination of an existing security group rule using the console, the console deletes the existing rule and adds a new one for you.
To update a security group rule using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Security Groups.
3. Select the security group to update, and choose Inbound Rules to update a rule for inbound traffic or Outbound Rules to update a rule for outbound traffic.
4. Choose Edit. Modify the rule entry as required and choose Save.
To update the protocol, port range, or source or destination of an existing rule using the Amazon EC2 API or a command line tool, you cannot modify the rule. Instead, you must delete the existing rule and add a new rule. To update the rule description only, you can use the update-security-group-rule-descriptions-ingress and update-security-group-rule-descriptions-egress commands.
To update the description for an ingress security group rule using the command line
• update-security-group-rule-descriptions-ingress (AWS CLI)
• Update-EC2SecurityGroupRuleIngressDescription (AWS Tools for Windows PowerShell)
[EC2-VPC] To update the description for an egress security group rule using the command line
• update-security-group-rule-descriptions-egress (AWS CLI)
• Update-EC2SecurityGroupRuleEgressDescription (AWS Tools for Windows PowerShell)
Deleting Rules from a Security Group
When you delete a rule from a security group, the change is automatically applied to any instances associated with the security group after a short period.
To delete a security group rule using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Security Groups.
3. Select a security group.
4. On the Inbound tab (for inbound rules) or Outbound tab (for outbound rules), choose Edit. Choose Delete (a cross icon) next to each rule to delete.
5. Choose Save.
To remove one or more ingress rules from a security group using the command line
• revoke-security-group-ingress (AWS CLI)
• Revoke-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)
[EC2-VPC] To remove one or more egress rules from a security group using the command line
• revoke-security-group-egress (AWS CLI)
• Revoke-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)
Deleting a Security Group
You can't delete a security group that is associated with an instance. You can't delete the default security group. You can't delete a security group that is referenced by a rule in another security group in the same VPC. If your security group is referenced by one of its own rules, you must delete the rule before you can delete the security group.
To delete a security group using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Security Groups.
3. Select a security group and choose Actions, Delete Security Group.
4. Choose Yes, Delete.
To delete a security group using the command line
• delete-security-group (AWS CLI)
• Remove-EC2SecurityGroup (AWS Tools for Windows PowerShell)
Creating a Network ACL
You can create a custom network ACL for your VPC. By default, a network ACL that you create blocks all inbound and outbound traffic until you add rules, and is not associated with a subnet until you explicitly associate it with one.
To create a network ACL
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Network ACLs.
3. Choose Create Network ACL.
4. In the Create Network ACL dialog box, optionally name your network ACL, and then select the ID of your VPC from the VPC list, and choose Yes, Create.
Adding and Deleting Rules
When you add a rule to or delete a rule from an ACL, any subnets associated with the ACL are subject to the change. You don't have to terminate and relaunch the instances in the subnet; the changes take effect after a short period.
If you're using the Amazon EC2 API or a command line tool, you can't modify rules; you can only add and delete rules. If you're using the Amazon VPC console, you can modify the entries for existing rules (the console removes the rule and adds a new rule for you). If you need to change the order of a rule in the ACL, you must add a new rule with the new rule number, and then delete the original rule.
To add rules to a network ACL
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Network ACLs.
3. In the details pane, choose either the Inbound Rules or Outbound Rules tab, depending on the type of rule that you need to add, and then choose Edit.
4. In Rule #, enter a rule number (for example, 100). The rule number must not already be used in the network ACL. We process the rules in order, starting with the lowest number, and the first rule that matches the traffic decides.
Tip
We recommend that you leave gaps between the rule numbers (such as 100, 200, 300), rather than using sequential numbers (101, 102, 103). This makes it easier to add a new rule without having to renumber the existing rules.
5. Select a rule from the Type list. For example, to add a rule for HTTP, choose HTTP. To add a rule to allow all TCP traffic, choose All TCP. For some of these options (for example, HTTP), we fill in the port for you. To use a protocol that's not listed, choose Custom Protocol Rule.
6. (Optional) If you're creating a custom protocol rule, select the protocol's number and name from the Protocol list. For more information, see IANA List of Protocol Numbers.
7. (Optional) If the protocol you've selected requires a port number, enter the port number or port range separated by a hyphen (for example, 49152-65535).
8. In the Source or Destination field (depending on whether this is an inbound or outbound rule), enter the CIDR range that the rule applies to.
9. From the Allow/Deny list, select ALLOW to allow the specified traffic or DENY to deny the specified traffic.
10. (Optional) To add another rule, choose Add another rule, and repeat steps 4 to 9 as required.
11. When you are done, choose Save.
To delete a rule from a network ACL
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Network ACLs, and then select the network ACL.
3. In the details pane, select either the Inbound Rules or Outbound Rules tab, and then choose Edit. Choose Remove for the rule you want to delete, and then choose Save.
Associating a Subnet with a Network ACL
To apply the rules of a network ACL to a particular subnet, you must associate the subnet with the network ACL. You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL. Any subnet not associated with a particular ACL is associated with the default network ACL by default.
To associate a subnet with a network ACL
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Network ACLs, and then select the network ACL.
3. In the details pane, on the Subnet Associations tab, choose Edit. Select the Associate check box for the subnet to associate with the network ACL, and then choose Save.
Disassociating a Network ACL from a Subnet
You can disassociate a custom network ACL from a subnet; by doing so, the subnet is then automatically associated with the default network ACL.
To disassociate a subnet from a network ACL
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Network ACLs, and then select the network ACL.
3. In the details pane, choose the Subnet Associations tab.
4. Choose Edit, and then deselect the Associate check box for the subnet. Choose Save.
Changing a Subnet's Network ACL
You can change the network ACL that's associated with a subnet. For example, when you create a subnet, it is initially associated with the default network ACL. You might want to instead associate it with a custom network ACL that you've created.
After changing a subnet's network ACL, you don't have to terminate and relaunch the instances in the subnet; the changes take effect after a short period.
To change a subnet's network ACL association
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Subnets, and then select the subnet.
3. Choose the Network ACL tab, and then choose Edit.
4. Select the network ACL to associate the subnet with from the Change to list, and then choose Save.
Deleting a Network ACL
You can delete a network ACL only if there are no subnets associated with it. You can't delete the default network ACL.
To delete a network ACL
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Network ACLs.
3. Select the network ACL, and then choose Delete.
4. In the confirmation dialog box, choose Yes, Delete.
Example: Controlling Access to Instances in a Subnet
In this example, instances in your subnet can communicate with each other, and are accessible from a trusted remote computer. The remote computer may be a computer in your local network or an instance in a different subnet or VPC that you use to connect to your instances to perform administrative tasks. Your security group rules and network ACL rules allow access from the IP address of your remote computer (172.31.1.2/32). All other traffic from the Internet or other networks is denied.

All instances use the same security group (sg-1a2b3c4d), with the following rules.
Inbound Rules
Type        | Protocol | Port range | Source        | Comments
All traffic | All      | All        | sg-1a2b3c4d   | Enables instances associated with the same security group to communicate with each other.
SSH         | TCP      | 22         | 172.31.1.2/32 | Allows inbound SSH access from the remote computer. If the instance is a Windows computer, this rule must use the RDP protocol on port 3389 instead.
Outbound Rules
Type        | Protocol | Port range | Destination   | Comments
All traffic | All      | All        | sg-1a2b3c4d   | Enables instances associated with the same security group to communicate with each other.
The subnet is associated with a network ACL that has the following rules.
Inbound Rules
Rule # | Type        | Protocol | Port range | Source        | Allow/Deny | Comments
100    | SSH         | TCP      | 22         | 172.31.1.2/32 | ALLOW      | Allows inbound traffic from the remote computer. If the instance is a Windows computer, this rule must use the RDP protocol on port 3389 instead.
*      | All traffic | All      | All        | 0.0.0.0/0     | DENY       | Denies all other inbound traffic that does not match the previous rule.
Outbound Rules
Rule # | Type        | Protocol | Port range | Destination   | Allow/Deny | Comments
100    | Custom TCP  | TCP      | 1024-65535 | 172.31.1.2/32 | ALLOW      | Allows outbound responses to the remote computer. Network ACLs are stateless, so this rule is required to allow response traffic for inbound requests.
*      | All traffic | All      | All        | 0.0.0.0/0     | DENY       | Denies all other outbound traffic that does not match the previous rule.
This scenario gives you the flexibility to change the security groups or security group rules for your instances, and have the network ACL as the backup layer of defense. The network ACL rules apply to all instances in the subnet, so if you accidentally make your security group rules too permissive, the network ACL rules continue to permit access only from the single IP address.
For example, the following rules are more permissive than the earlier rules: they allow inbound SSH access from any IP address.
Inbound Rules
Type        | Protocol | Port range | Source        | Comments
All traffic | All      | All        | sg-1a2b3c4d   | Enables instances associated with the same security group to communicate with each other.
SSH         | TCP      | 22         | 0.0.0.0/0     | Allows SSH access from any IP address.
Outbound Rules
Type        | Protocol | Port range | Destination   | Comments
All traffic | All      | All        | 0.0.0.0/0     | Allows all outbound traffic.
However, only other instances within the subnet and your remote computer are able to access this instance. The network ACL rules still prevent all inbound traffic to the subnet except from your remote computer.
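The example above rests on three properties that are easy to state and easy to get wrong in practice: security group rules are allow-only, stateful and unordered; network ACL rules are ordered by number, the first match decides, and the ACL is stateless so a reply needs its own outbound rule; and traffic between two instances in the same subnet never crosses the subnet boundary, so only the security group sees it. The following script is an added example, not code from the AWS guide, that walks probe packets through the rules transcribed from the tables on this page (both the strict and the permissive security group) to show which layer makes each decision, and why the rule-number ordering described under Adding and Deleting Rules matters. The subnet CIDR, the instance addresses and the probe packets are made up for illustration.

```python
"""Walk a packet through the security group and network ACL from the
example above, to show where each layer decides.

Added example, not code from the AWS guide. Standard library only. The
rule sets are transcribed from the tables on this page; the subnet CIDR,
instance addresses and probe packets are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass

SUBNET = ipaddress.ip_network("10.0.1.0/24")              # assumed subnet
SG_MEMBERS = frozenset({"10.0.1.10", "10.0.1.11"})          # assumed members of sg-1a2b3c4d

# Security group rules: (protocol, port range or "all", peer). Allow-only; unordered.
SG_INBOUND = [("all", "all", "sg-1a2b3c4d"), ("tcp", (22, 22), "172.31.1.2/32")]
PERMISSIVE_SG_INBOUND = [("all", "all", "sg-1a2b3c4d"), ("tcp", (22, 22), "0.0.0.0/0")]

# Network ACL rules: (rule number, protocol, port range or "all", CIDR, action).
# The '*' catch-all is not listed; nacl_decision() applies it when nothing matches.
NACL_INBOUND = [(100, "tcp", (22, 22), "172.31.1.2/32", "ALLOW")]
NACL_OUTBOUND = [(100, "tcp", (1024, 65535), "172.31.1.2/32", "ALLOW")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int
    sport: int


def _port_ok(ports, port):
    return ports == "all" or ports[0] <= port <= ports[1]


def sg_allows(rules, pkt, members=SG_MEMBERS):
    """Security group: any matching rule allows; there are no deny rules and
    order does not matter. A peer given as a group ID matches any member."""
    for proto, ports, peer in rules:
        if proto not in ("all", pkt.proto) or not _port_ok(ports, pkt.dport):
            continue
        if peer.startswith("sg-"):
            if pkt.src in members:
                return True
        elif ipaddress.ip_address(pkt.src) in ipaddress.ip_network(peer):
            return True
    return False


def nacl_decision(rules, pkt, peer_addr):
    """Network ACL: rules are tried in ascending number and the first match
    decides, so a low-numbered DENY shadows a later ALLOW. Nothing matching
    falls through to the '*' rule, which denies."""
    for _num, proto, ports, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto not in ("all", pkt.proto) or not _port_ok(ports, pkt.dport):
            continue
        if ipaddress.ip_address(peer_addr) in ipaddress.ip_network(cidr):
            return action
    return "DENY"


def evaluate(pkt, sg_inbound=SG_INBOUND, nacl_inbound=NACL_INBOUND,
             nacl_outbound=NACL_OUTBOUND):
    """Decide whether an inbound connection to an instance in SUBNET succeeds.

    Traffic between two instances in the same subnet never crosses the subnet
    boundary, so only the security group sees it. Traffic from outside must
    pass the ACL inbound, then the group; and because the ACL is stateless the
    reply must separately match an outbound ACL rule. The group is stateful, so
    it lets the reply out without a rule. Returns (verdict, deciding layer).
    """
    crosses = not (ipaddress.ip_address(pkt.src) in SUBNET
                   and ipaddress.ip_address(pkt.dst) in SUBNET)
    if crosses and nacl_decision(nacl_inbound, pkt, pkt.src) == "DENY":
        return "DENY", "network ACL inbound"
    if not sg_allows(sg_inbound, pkt):
        return "DENY", "security group inbound"
    if crosses:
        reply = Packet(src=pkt.dst, dst=pkt.src, proto=pkt.proto,
                       dport=pkt.sport, sport=pkt.dport)
        if nacl_decision(nacl_outbound, reply, reply.dst) == "DENY":
            return "DENY", "network ACL outbound (stateless: reply needs its own rule)"
    return "ALLOW", "all layers"


if __name__ == "__main__":
    admin = Packet("172.31.1.2", "10.0.1.10", "tcp", dport=22, sport=50000)
    stranger = Packet("203.0.113.5", "10.0.1.10", "tcp", dport=22, sport=40000)
    neighbour = Packet("10.0.1.11", "10.0.1.10", "tcp", dport=3306, sport=45000)
    print("admin SSH          ", evaluate(admin))
    print("stranger SSH       ", evaluate(stranger))
    print("stranger, loose SG ", evaluate(stranger, sg_inbound=PERMISSIVE_SG_INBOUND))
    print("admin, no egress   ", evaluate(admin, nacl_outbound=[]))
    print("neighbour MySQL    ", evaluate(neighbour))
```

Two of the runs are the ones to keep in mind when operating this layout: the stranger is stopped by the network ACL even after the security group is loosened to 0.0.0.0/0, which is the backup-layer behaviour the page describes; and removing the outbound 1024-65535 rule breaks the administrator's own SSH session, because the reply has to pass the stateless ACL on its own merits.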
API and Command Overview
You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available APIs, see Accessing Amazon VPC.
Create a network ACL for your VPC
• create-network-acl (AWS CLI)
• New-EC2NetworkAcl (AWS Tools for Windows PowerShell)
Describe one or more of your network ACLs
• describe-network-acls (AWS CLI)
• Get-EC2NetworkAcl (AWS Tools for Windows PowerShell)
Add a rule to a network ACL
• create-network-acl-entry (AWS CLI)
• New-EC2NetworkAclEntry (AWS Tools for Windows PowerShell)
Delete a rule from a network ACL
• delete-network-acl-entry (AWS CLI)
• Remove-EC2NetworkAclEntry (AWS Tools for Windows PowerShell)
Replace an existing rule in a network ACL
• replace-network-acl-entry (AWS CLI)
• Set-EC2NetworkAclEntry (AWS Tools for Windows PowerShell)
Replace a network ACL association
• replace-network-acl-association (AWS CLI)
• Set-EC2NetworkAclAssociation (AWS Tools for Windows PowerShell)
Delete a network ACL
• delete-network-acl (AWS CLI)
• Remove-EC2NetworkAcl (AWS Tools for Windows PowerShell)
