> This page location: Tools & Workflows > API, CLI & SDKs > CLI > Org & network > vpc > Full Neon documentation index: https://neon.com/docs/llms.txt > Summary: The Neon CLI `neonctl vpc` command controls Private Networking by registering, updating, removing, and checking VPC endpoints at the organization level, and by restricting or removing per-project VPC access. Use it when you need to limit Neon project connections to a specific AWS or Azure VPC rather than the public internet. # Neon CLI command: vpc Manage Private Networking VPC endpoints and project-level restrictions The `vpc` command manages [Private Networking](https://neon.com/docs/guides/neon-private-networking) configurations in Neon. Use it to register VPC endpoints at the organization level and to restrict individual projects to connections from a specific VPC. Subcommands: [endpoint](https://neon.com/docs/cli/vpc#endpoint), [project](https://neon.com/docs/cli/vpc#project) ## VPC endpoints The `vpc endpoint` subcommands list, assign, remove, and check the status of VPC endpoints for a Neon organization. Subcommands: [list](https://neon.com/docs/cli/vpc#endpoint-list), [assign](https://neon.com/docs/cli/vpc#endpoint-assign), [remove](https://neon.com/docs/cli/vpc#endpoint-remove), [status](https://neon.com/docs/cli/vpc#endpoint-status) You only need `--org-id` if your Neon account belongs to more than one organization. If your account has a single organization, the CLI uses it automatically. Instead of passing IDs on each command, you can also set them in a [context file](https://neon.com/docs/cli/set-context#using-a-named-context-file) and reference it with the `--context-file` option. ### neonctl vpc endpoint list Lists the VPC endpoints configured for a Neon organization. ```bash neonctl vpc endpoint list [options] ``` | Option | Description | Type | Default | Required | | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ------- | :------: | | `--org-id` | Organization ID | string | — | No | | `--region-id` | The region ID. Possible values: aws-us-west-2, aws-ap-southeast-1, aws-ap-southeast-2, aws-eu-central-1, aws-us-east-2, aws-us-east-1, azure-eastus2 | string | — | Yes | ```bash neonctl vpc endpoint list --org-id org-bold-bonus-12345678 ``` ### neonctl vpc endpoint assign Adds or updates a VPC endpoint in a Neon organization. `add` and `update` are aliases for this command. ```bash neonctl vpc endpoint assign [options] ``` | Option | Description | Type | Default | Required | | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ------- | :------: | | `--label` | An optional descriptive label for the VPC endpoint | string | — | No | | `--org-id` | Organization ID | string | — | No | | `--region-id` | The region ID. Possible values: aws-us-west-2, aws-ap-southeast-1, aws-ap-southeast-2, aws-eu-central-1, aws-us-east-2, aws-us-east-1, azure-eastus2 | string | — | Yes | Add a VPC endpoint to a Neon organization in a specific region: ```bash neonctl vpc endpoint assign vpce-1234567890abcdef0 --org-id org-bold-bonus-12345678 --region-id aws-us-east-1 ``` After you assign a VPC endpoint to a Neon organization, client connections are accepted from the corresponding VPC for all projects in the organization unless you restrict access at the project level with [vpc project restrict](https://neon.com/docs/cli/vpc#project-restrict). ### neonctl vpc endpoint remove Removes a VPC endpoint from a Neon organization. ```bash neonctl vpc endpoint remove [options] ``` | Option | Description | Type | Default | Required | | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ------- | :------: | | `--org-id` | Organization ID | string | — | No | | `--region-id` | The region ID. Possible values: aws-us-west-2, aws-ap-southeast-1, aws-ap-southeast-2, aws-eu-central-1, aws-us-east-2, aws-us-east-1, azure-eastus2 | string | — | Yes | ```bash neonctl vpc endpoint remove vpce-1234567890abcdef0 --org-id org-bold-bonus-12345678 ``` **Note:** A removed VPC endpoint cannot be added back to the Neon organization. ### neonctl vpc endpoint status Gets the status of a VPC endpoint in a Neon organization. ```bash neonctl vpc endpoint status [options] ``` | Option | Description | Type | Default | Required | | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | ------- | :------: | | `--org-id` | Organization ID | string | — | No | | `--region-id` | The region ID. Possible values: aws-us-west-2, aws-ap-southeast-1, aws-ap-southeast-2, aws-eu-central-1, aws-us-east-2, aws-us-east-1, azure-eastus2 | string | — | Yes | ```bash neonctl vpc endpoint status vpce-1234567890abcdef0 --org-id org-bold-bonus-12345678 ``` ## Project VPC restrictions The `vpc project` subcommands list, configure, or remove VPC endpoint restrictions for specific projects in your Neon organization. By default, a project accepts connections from any VPC configured at the organization level. A restriction limits a project to connections from a specific VPC. Subcommands: [list](https://neon.com/docs/cli/vpc#project-list), [restrict](https://neon.com/docs/cli/vpc#project-restrict), [remove](https://neon.com/docs/cli/vpc#project-remove) You only need `--project-id` if your Neon account has more than one project. ### neonctl vpc project list Lists all VPC endpoint restrictions for a Neon project. ```bash neonctl vpc project list [options] ``` | Option | Description | Type | Default | Required | | -------------- | ----------- | ------ | ------- | :------: | | `--project-id` | Project ID | string | — | No | ```bash neonctl vpc project list --project-id orange-credit-12345678 ``` ### neonctl vpc project restrict Configures or updates a VPC endpoint restriction for a Neon project. `update` is an alias for this command. ```bash neonctl vpc project restrict [options] ``` | Option | Description | Type | Default | Required | | -------------- | -------------------------------------------------------------- | ------ | ------- | :------: | | `--label` | An optional descriptive label for the VPC endpoint restriction | string | — | No | | `--project-id` | Project ID | string | — | No | ```bash neonctl vpc project restrict vpce-1234567890abcdef0 --project-id orange-credit-12345678 ``` ### neonctl vpc project remove Removes a VPC endpoint restriction from a Neon project. ```bash neonctl vpc project remove [options] ``` | Option | Description | Type | Default | Required | | -------------- | ----------- | ------ | ------- | :------: | | `--project-id` | Project ID | string | — | No | ```bash neonctl vpc project remove vpce-1234567890abcdef0 --project-id orange-credit-12345678 ``` --- ## Related docs (Org & network) - [orgs](https://neon.com/docs/cli/orgs) - [ip-allow](https://neon.com/docs/cli/ip-allow)