IBM Cloud Orchestrator, Version 2.5

Configuring subnets and security groups in a non-default VPC region

You can configure subnets and security groups in a non-default VPC region.

If the non-default VPC support is enabled in one of your regions, you must tag at least one subnet in each availability zone to be used as a default subnet in which the virtual machines deployed in that region and availability zone are placed. Do this in the Amazon VPC console of your account by adding a tag to the subnet with key TenantUUId and value "*". The value "*" indicates that this subnet is used for virtual machines for all projects.

You can override the region-level privateNetworkOnly definition for an individual subnet. To do this, add a tag with the name privateNetworkOnly and a value of either true or false to the subnet. The definition on the subnet takes precedence over the definition on the region.

If you want to place virtual machines of a distinct project in another subnet, you can add the OpenStack tenant ID of your project as the value for the TenantUUId tag. You can only have one of these tags on a given subnet. Multiple subnets tagged with the same OpenStack tenant ID are not allowed within a single availability zone.

Additionally, you can tag one of the existing security groups with the key TenantUUId and value "*" to be the default security group for all servers provisioned in this region. If you want to place virtual machines of a distinct project in another security group, you can add the OpenStack tenant ID of your project as the value for the TenantUUId tag. You can only have one of those tags on a given security group. Multiple security groups tagged with the same OpenStack tenant ID are not allowed within a single VPC. Unlike subnets, security groups do not have to be tagged. If no security group is tagged, the default security group of the VPC is assigned.
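The tagging rules above decide which subnet and security group a project's virtual machines land in, so it is worth checking them before deployment. The following is an added example, not part of the IBM documentation or product: a Python check over an inventory shaped like the output of the EC2 describe-subnets and describe-security-groups calls. The function names, the sample IDs and the choice to run the duplicate check only for specific tenant IDs (not for "*") are assumptions.

```python
from collections import defaultdict

TENANT_TAG = "TenantUUId"
PRIVATE_TAG = "privateNetworkOnly"

def tags_of(resource):
    """Flatten an EC2-style [{'Key': ..., 'Value': ...}] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}

def check_tagging(subnets, groups, zones):
    """Return a sorted list of rule violations; an empty list means the layout is valid."""
    problems, by_zone, by_vpc = [], defaultdict(list), defaultdict(list)
    for s in subnets:
        tags = tags_of(s)
        if TENANT_TAG in tags:
            by_zone[(s["AvailabilityZone"], tags[TENANT_TAG])].append(s["SubnetId"])
        # Assumption: only the exact lowercase strings true/false are accepted.
        if tags.get(PRIVATE_TAG, "true") not in ("true", "false"):
            problems.append(f"{s['SubnetId']}: {PRIVATE_TAG} must be true or false")
    for g in groups:
        tenant = tags_of(g).get(TENANT_TAG)
        if tenant is not None:  # untagged groups are allowed (VPC default applies)
            by_vpc[(g["VpcId"], tenant)].append(g["GroupId"])
    for zone in zones:
        if (zone, "*") not in by_zone:
            problems.append(f"{zone}: no default subnet tagged {TENANT_TAG}=*")
    # One subnet per tenant per availability zone, one security group per tenant per VPC.
    for kind, index in (("subnets", by_zone), ("security groups", by_vpc)):
        for (scope, tenant), ids in index.items():
            if tenant != "*" and len(ids) > 1:
                problems.append(f"{scope}: tenant {tenant} has several {kind}: {sorted(ids)}")
    return sorted(problems)

# Constructed sample inventory (IDs, zones and tenant names are made up).
def tags(**kv):
    return [{"Key": k, "Value": v} for k, v in kv.items()]

SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a1", "AvailabilityZone": "zone-a", "Tags": tags(TenantUUId="*")},
    {"SubnetId": "subnet-a2", "AvailabilityZone": "zone-a",
     "Tags": tags(TenantUUId="tenant-1", privateNetworkOnly="yes")},
    {"SubnetId": "subnet-a3", "AvailabilityZone": "zone-a", "Tags": tags(TenantUUId="tenant-1")},
    {"SubnetId": "subnet-b1", "AvailabilityZone": "zone-b", "Tags": tags(TenantUUId="tenant-1")},
]
SAMPLE_GROUPS = [
    {"GroupId": "sg-1", "VpcId": "vpc-x", "Tags": tags(TenantUUId="tenant-1")},
    {"GroupId": "sg-2", "VpcId": "vpc-x", "Tags": []},
]

if __name__ == "__main__":
    for problem in check_tagging(SAMPLE_SUBNETS, SAMPLE_GROUPS, ["zone-a", "zone-b"]):
        print(problem)
```

On the sample inventory the check reports the invalid privateNetworkOnly value, the duplicate tenant subnets in zone-a, and the missing default subnet in zone-b.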