The VPC, subnet, and AWS account you use for your SDDC must meet several requirements:

• The subnet must be in an AWS Availability Zone (AZ) where VMware Cloud on AWS is available. Start by creating a subnet in every AZ in the AWS Region where the SDDC will be created. It helps you identify all AZs where an SDDC can be deployed and select the one that best meets your SDDC placement needs, whether you want to keep your VMC workloads close to or isolated from your AWS workloads running in a particular AZ. See Creating a Subnet in Your VPC in the AWS documentation for information about how to use the Amazon VPC console to create a subnet in your VPC.
• The subnet must exist in the connected AWS account. It cannot be one owned by and shared from another account.
• The AWS account being linked must have sufficient capacity to create a minimum of 17 ENIs per SDDC in each region where an SDDC is deployed. Although you cannot provision more than 16 hosts in a cluster, SDDC operations including planned maintenance and Elastic DRS can require us to temporarily add as many as 16 more hosts, so we recommend using an account that has sufficient capacity for 32 ENIs per SDDC per region.
• We recommend dedicating a /26 CIDR block to each SDDC and not using that subnet for any other AWS services or EC2 instances. Because some of the IP addresses in this block are reserved for internal use, a /26 CIDR block is the smallest subnet that can accommodate SDDC IP address requirements.
• By default, AWS services or instances that communicate with the SDDC must be on VPC subnets associated with the main route table of the connected VPC. To use a custom route table, enable AWS Managed Prefix List Mode. See Enable AWS Managed Prefix List Mode for more information. By default, AWS limits the size of the main route table to 50 routes. Because the main route table must accommodate an entry for each routed SDDC network segment as well as the management network CIDR and any additional routes you create directly in your AWS account, the default limit might not be adequate for your SDDC networks, especially if you connect more than one SDDC to the VPC. You can request a route table size increase as described in Amazon VPC quotas.
• If necessary, you can link multiple SDDCs to a VPC if the VPC subnet used for ENI connectivity has a large enough CIDR block to accommodate them. Because all SDDCs in a VPC use the same main route table, make sure that network segments in those SDDCs do not overlap with each other or the VPC's primary CIDR block. Workload VMs on routed SDDC networks can communicate with all subnets in the VPC's primary CIDR block, but are unaware of other CIDR blocks that might exist in the VPC.

Every SDDC consumes at least 4 AWS Elastic IP (EIP) addresses that are not displayed on the VMware Cloud Console. These EIPs are required for core SDDC operations. Charges for them are listed in the VMware on AWS Pricing document under Additional charges not included. EIPs are billed per-hour. EIP address remaps, typically initiated by vMotion or a failover event on the edge gateway, are free of charge for the first 100 events. Here's a summary of how these core EIPs are used in a new SDDC:

Table 1. Core EIP Usage

Usage	Description
Management	Provides VMware support with access to your SDDC.
Management Gateway (MGW) SNAT	Provides the default SNAT address for traffic egressing the MGW to the Internet.
Compute Gateway (CGW) SNAT	Provides the default SNAT address for traffic egressing the CGW to the Internet.
vCenter Public IP	Provides the IP address used for vCenter when the vCenter FQDN is set to Public IP. See Set vCenter Server FQDN Resolution Address. This EIP is always consumed, even if you set the vCenter FQDN to Private IP.