# Connect agent to private VPC resources
<a name="connect-agent-vpc"></a>

If the application you want to run a penetration test on is not available on the public internet, you need to provide AWS Security Agent with a VPC configuration. AWS Security Agent will use this VPC configuration, including a VPC, subnet, and security groups, to access the application.

**Note**  
When testing endpoints in a private VPC, only endpoints resolving to IPs in known private IP ranges are allowed (see [VPC CIDR blocks](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html) for more information). The following IPv4 and IPv6 ranges are allowed:  

```
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
fd00::/8
```
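As an added example that is not part of this page or of AWS Security Agent itself, the check below validates a candidate target against exactly the four ranges listed above before it goes into a penetration test configuration. It accepts a URL, a bare host, or an IP literal, resolves DNS names to every address they map to, and passes a target only if all resolved addresses fall inside the permitted ranges; addresses outside the list (public ranges, loopback, link-local, the 169.254.169.254 metadata address, and fc00::/8, which is ULA space but not in the list) are rejected. The function names and the sample inputs are the author's own.

```python
import ipaddress
import socket
from typing import Dict, List
from urllib.parse import urlsplit

# The private ranges the page lists as permitted targets for a private-VPC test.
ALLOWED_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")
]


def is_allowed_ip(ip_str: str) -> bool:
    """True only if the address is inside one of the permitted ranges.

    Anything that is not a valid address, or that is outside the list
    (public IPs, 127.0.0.0/8, 169.254.0.0/16, fe80::/10, fc00::/8), is rejected.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_RANGES)


def endpoint_host(endpoint: str) -> str:
    """Extract the host from a URL, host:port, bracketed IPv6, or bare IP literal."""
    try:
        # A bare IP literal (including unbracketed IPv6) is already the host.
        return str(ipaddress.ip_address(endpoint))
    except ValueError:
        pass
    if "://" not in endpoint:
        endpoint = "//" + endpoint  # let urlsplit treat it as a network location
    host = urlsplit(endpoint).hostname  # strips [] around IPv6 and lowercases
    if not host:
        raise ValueError(f"no host in endpoint: {endpoint!r}")
    return host


def resolve(host: str) -> List[str]:
    """Return every address a host maps to; an IP literal resolves to itself."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_endpoint(endpoint: str) -> Dict[str, object]:
    """Verdict per resolved address; the target is usable only if all of them pass.

    A name that resolves to a mix of private and public addresses is rejected,
    because the agent could end up reaching the public one.
    """
    host = endpoint_host(endpoint)
    verdicts = {ip: is_allowed_ip(ip) for ip in resolve(host)}
    return {
        "host": host,
        "addresses": verdicts,
        "allowed": bool(verdicts) and all(verdicts.values()),
    }


if __name__ == "__main__":
    # Constructed sample targets; the IP literals avoid any DNS lookup.
    for target in ("https://10.0.4.20:8443/login", "http://[fd00:1::10]/",
                   "172.32.0.1", "https://8.8.8.8/", "fc00::1"):
        print(target, "->", check_endpoint(target))
```

Run it against the hosts you intend to list in the pentest configuration; any target reported as not allowed will not be reachable through the VPC configuration and should be reviewed before the test is saved.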

**Note**  
When connecting to a subnet, AWS Security Agent will create an ENI ([Elastic Network Interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html)) in the subnet configured for the penetration test. This ENI does not have an associated public IP address, meaning that it cannot communicate with [VPC Internet Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) in public subnets. If your penetration test requires open internet access, please use a private subnet with an associated [VPC NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) instead.
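The following is an added example, written for this page and not code from AWS, that applies the note above to a subnet's route table before you pick it for the agent. It takes route tables in the shape returned by `aws ec2 describe-route-tables` (a constructed sample with placeholder IDs is embedded), finds the table that governs a subnet (explicit association, else the VPC's main table), and classifies the IPv4 default route. Because the agent ENI has no public IP, a default route to an internet gateway is reported as giving no internet egress; only a NAT gateway default route counts. The function names and the sample data are the author's assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `describe-route-tables` output; IDs are placeholders.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {   # main route table: default route via an internet gateway (a "public" subnet)
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-11111111", "State": "active"},
        ],
    },
    {   # private subnet whose default route goes through a NAT gateway
        "RouteTableId": "rtb-private0",
        "Associations": [{"Main": False, "SubnetId": "subnet-private0"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-22222222", "State": "active"},
        ],
    },
    {   # isolated subnet: only the local VPC route
        "RouteTableId": "rtb-isolated",
        "Associations": [{"Main": False, "SubnetId": "subnet-isolated"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
]


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt: Dict) -> Tuple[str, Optional[str]]:
    """Return (kind, target id) for the active IPv4 default route, or ("none", None).

    Blackholed routes (State != active) are ignored, since they carry no traffic.
    """
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        if "NatGatewayId" in route:
            return "nat-gateway", route["NatGatewayId"]
        gw = route.get("GatewayId", "")
        if gw.startswith("igw-"):
            return "internet-gateway", gw
        # Other targets are reported as-is; whether they provide egress is outside this check.
        for key in ("TransitGatewayId", "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId"):
            if key in route:
                return key, route[key]
    return "none", None


def agent_egress(route_tables: List[Dict], subnet_id: str) -> Dict[str, object]:
    """Say whether an agent ENI (no public IP) placed in this subnet gets internet egress."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return {"subnet": subnet_id, "route_table": None, "target": "none", "internet_egress": False}
    kind, _target = default_route_target(rt)
    return {
        "subnet": subnet_id,
        "route_table": rt["RouteTableId"],
        "target": kind,
        # An IGW route is useless without a public IP, so only a NAT gateway qualifies.
        "internet_egress": kind == "nat-gateway",
    }


if __name__ == "__main__":
    for subnet in ("subnet-private0", "subnet-public0", "subnet-isolated"):
        print(agent_egress(SAMPLE_ROUTE_TABLES, subnet))
```

For a live check, feed the function the `RouteTables` list from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc id>` for the VPC you are granting access to; a subnet reported with target `internet-gateway` is the case the note warns about.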

You grant AWS Security Agent general access to a VPC from the AWS Management Console. In the Security Agent web app, users select the specific configuration for a penetration test.

## To add a VPC in the Agent Space
<a name="_to_add_a_vpc_in_the_agent_space"></a>

1. Navigate to the Agent Space overview page

1. Select **Actions** and then **Edit penetration test configuration** 

1. Under the **VPC** heading, specify the **VPC**, **Subnets**, and **Security groups** 

You can add up to 5 VPCs.

## To select a specific VPC configuration for a penetration test in the Security Agent web app
<a name="_to_select_a_specific_vpc_configuration_for_a_penetration_test_in_the_security_agent_web_app"></a>

1. Navigate to the Penetration Tests overview page

1. Select the penetration test that you need to add VPC configuration for, and then choose **Modify pentest details** 

1. Select **Next** at the bottom of the page to reach the **VPC Resources** section

1. Select the **VPC**, **Subnet**, and **Security groups** 

1. Select **Next** to reach the last section and **Save** the penetration test

## Running a penetration test against VPC resources in another AWS account
<a name="_running_a_penetration_test_against_vpc_resources_in_another_aws_account"></a>

You can run penetration tests against VPC resources shared with your account using AWS Resource Access Manager. Both accounts must be part of the same AWS Organization.

1. (Optional) Enable automatic resource sharing for your AWS organization

```
aws ram enable-sharing-with-aws-organization
```

1. Using credentials from the AWS account that owns the VPC resources, share subnet and security group resources with the penetration test owner account

```
aws ram create-resource-share \
    --name SharePentestResources \
    --resource-arns <subnet ARN> <security group ARN> \
    --principals <penetration test owner account ID>
```

1. Navigate to the Agent Space overview page

1. Select **Penetration test** and locate **Service role name** 

1. Verify that the IAM role grants access to the shared VPC resources

1. Select **Actions** and then **Edit penetration test configuration** 

1. Under the **VPC** heading, specify the shared **VPC**, **Subnets**, and **Security groups** and save the updated configuration.

1. Navigate to the Penetration Tests overview page on the AWS Security Agent web app

1. Select the penetration test that you need to add VPC configuration for, and then choose **Modify pentest details** 

1. Update the penetration test to use the shared VPC resources
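As an added example for the cross-account procedure above (the author's own code, not AWS's), the script below runs in the penetration test owner account after step 2 and confirms that every subnet and security group ARN the configuration will reference is actually visible as a shared resource, is owned by the expected account, and is in the `AVAILABLE` state, before you edit the Agent Space configuration in steps 6 and 7. The offline part works on a constructed sample shaped like `aws ram list-resources --resource-owner OTHER-ACCOUNTS` output with placeholder account IDs; `fetch_shared_listing` is the live lookup and assumes boto3 and credentials for the owner account.

```python
from typing import Dict, Iterable, Optional

# Constructed sample in the shape of `ram list-resources` output; account IDs and
# resource IDs are placeholders, not real resources.
SAMPLE_LIST_RESOURCES: Dict = {
    "resources": [
        {
            "arn": "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-aaaa0001",
            "type": "ec2:Subnet",
            "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/share-placeholder",
            "status": "AVAILABLE",
        },
        {
            "arn": "arn:aws:ec2:us-east-1:111111111111:security-group/sg-bbbb0001",
            "type": "ec2:SecurityGroup",
            "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/share-placeholder",
            "status": "AVAILABLE",
        },
    ]
}


def arn_account(arn: str) -> str:
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def audit_shared_resources(listing: Dict, expected_arns: Iterable[str],
                           owner_account: str) -> Dict[str, str]:
    """Per-ARN verdict: 'ok', 'missing', a wrong owner, or a non-AVAILABLE share status."""
    shared = {r["arn"]: r for r in listing.get("resources", [])}
    report: Dict[str, str] = {}
    for arn in expected_arns:
        entry = shared.get(arn)
        if entry is None:
            report[arn] = "missing"
        elif arn_account(arn) != owner_account:
            report[arn] = f"owned by {arn_account(arn)}, expected {owner_account}"
        elif entry.get("status") != "AVAILABLE":
            report[arn] = f"shared but status is {entry.get('status')}"
        else:
            report[arn] = "ok"
    return report


def all_shared(listing: Dict, expected_arns: Iterable[str], owner_account: str) -> bool:
    """True only if every expected ARN is shared, correctly owned and AVAILABLE."""
    return all(v == "ok" for v in audit_shared_resources(listing, expected_arns, owner_account).values())


def fetch_shared_listing(region: Optional[str] = None) -> Dict:
    """Live lookup of resources other accounts share with this one (needs boto3 + credentials)."""
    import boto3  # imported here so the offline functions above work without it
    ram = boto3.client("ram", region_name=region)
    resources, kwargs = [], {}
    while True:
        page = ram.list_resources(resourceOwner="OTHER-ACCOUNTS", **kwargs)
        resources.extend(page.get("resources", []))
        if not page.get("nextToken"):
            return {"resources": resources}
        kwargs = {"nextToken": page["nextToken"]}


if __name__ == "__main__":
    expected = [
        "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-aaaa0001",
        "arn:aws:ec2:us-east-1:111111111111:security-group/sg-bbbb0001",
    ]
    for arn, verdict in audit_shared_resources(SAMPLE_LIST_RESOURCES, expected, "111111111111").items():
        print(verdict, arn)
```

Replace the sample listing with `fetch_shared_listing()` and the placeholder ARNs with the ones you passed to `create-resource-share`; a `missing` verdict usually means the share was created in the wrong region or the invitation has not been accepted, which is what enabling sharing with the organization in step 1 takes care of automatically.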