Bring your own IP addresses (BYOIP) to Amazon EC2
You can bring part or all of your publicly routable IPv4 or IPv6 address range from your on-premises network to your Amazon Web Services account. You continue to control the address range and you can advertise the address range on the internet through Amazon. After you bring the address range to Amazon EC2, it appears in your Amazon Web Services account as an address pool.
Note
This documentation describes how to bring your own IP address range for use in Amazon EC2 only. To bring your own IP address range for use in Amazon Global Accelerator, see Bring your own IP addresses (BYOIP) in the Amazon Global Accelerator Developer Guide. To bring your own IP address range for use with Amazon VPC IP Address Manager, see Tutorial: Bring your IP addresses to IPAM in the Amazon VPC IPAM User Guide.
When you bring an IP address range to Amazon, Amazon validates that you control the IP address range. There are two methods that you can use to show that you control the range:
- If your IP address range is registered with an Internet Registry that supports RDAP (such as ARIN, RIPE and APNIC), you can verify control of the address range with an X.509 certificate by using the process on this page. The certificate only needs to remain valid for the duration of the provisioning process; you can remove it from your RIR's record after provisioning is complete.
- Regardless of whether your Internet Registry supports RDAP, you can use Amazon VPC IPAM to verify control of the address range with a DNS TXT record. That process is documented in Tutorial: Bring your IP addresses to IPAM in the Amazon VPC IPAM User Guide.
BYOIP definitions
- X.509 self-signed certificate – A certificate standard most commonly used to encrypt and authenticate data within a network. Amazon uses such a certificate, published in an RDAP record, to validate control over IP space. For more information about X.509 certificates, see RFC 3280.
- Autonomous System Number (ASN) – A globally unique identifier that defines a group of IP prefixes run by one or more network operators that maintain a single, clearly defined routing policy.
- Regional Internet Registry (RIR) – An organization that manages allocation and registration of IP addresses and ASNs within a region of the world.
- Registry Data Access Protocol (RDAP) – A read-only protocol to query current registration data within an RIR. Entries within the queried RIR database are referred to as "RDAP records". Certain record types need to be updated by customers via an RIR-provided mechanism. Amazon queries these records to verify control of an address space in the RIR.
- Route Origin Authorization (ROA) – An object created by RIRs for customers to authorize the advertisement of their IP prefixes from particular autonomous systems. For an overview, see Route Origin Authorizations (ROAs) on the ARIN website.
- Local Internet Registry (LIR) – An organization, such as an internet service provider, that allocates a block of IP addresses from an RIR for its customers.
Requirements and quotas
- The address range must be registered with your Regional Internet Registry (RIR). See your RIR for any policies regarding geographic regions. BYOIP currently supports registration in the American Registry for Internet Numbers (ARIN), Réseaux IP Européens Network Coordination Centre (RIPE), or Asia-Pacific Network Information Centre (APNIC). It must be registered to a business or institutional entity and cannot be registered to an individual person.
- The most specific IPv4 address range that you can bring is /24.
- The most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.
- ROAs are not required for CIDR ranges that are not publicly advertisable, but the RDAP records still need to be updated.
- You can bring each address range to one Amazon Region at a time.
- You can bring a total of five BYOIP IPv4 and IPv6 address ranges per Amazon Region to your Amazon account. You cannot adjust the quotas for BYOIP CIDRs using the Service Quotas console, but you can request a quota increase by contacting the Amazon Support Center as described in Amazon service quotas in the Amazon Web Services General Reference.
- You cannot share your IP address range with other accounts using Amazon RAM unless you use Amazon VPC IP Address Manager (IPAM) and integrate IPAM with Amazon Organizations. For more information, see Integrate IPAM with Amazon Organizations in the Amazon VPC IPAM User Guide.
- The addresses in the IP address range must have a clean history. We might investigate the reputation of the IP address range and reserve the right to reject an IP address range if it contains an IP address that has a poor reputation or is associated with malicious behavior.
- Legacy address space, the IPv4 address space that was distributed by the Internet Assigned Numbers Authority's (IANA) central registry prior to the formation of the Regional Internet Registry (RIR) system, still requires a corresponding ROA object.
- LIRs commonly update their records through a manual process, so an update can take days to deploy depending on the LIR.
- A single ROA object and RDAP record are needed for a large CIDR block. You can bring multiple smaller CIDR blocks from that range to Amazon, even across multiple Amazon Regions, using the single object and record.
- BYOIP is not supported for Wavelength Zones or on Amazon Outposts.
- Do not make any manual changes for BYOIP in RADb or any other IRR. BYOIP will automatically update RADb. Any manual changes that include the BYOIP ASN will cause the BYOIP provision operation to fail.
- Once you bring an IPv4 address range to Amazon, you can use all of the IP addresses in the range, including the first address (the network address) and the last address (the broadcast address).
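The prefix-length limits, the ROA coverage rule for smaller blocks carved from one large block, the one-Region-at-a-time rule and the per-Region quota above can be checked before a request is submitted. The following is an added example, not AWS code: the ROA max-length parameter is an assumption of this example (take it from the ROA published at your RIR), and the sample CIDRs in the usage are constructed documentation prefixes, not real allocations.

```python
"""Pre-flight checks for a BYOIP plan, built from the requirements above (added example)."""
import ipaddress

QUOTA_PER_REGION = 5  # default number of BYOIP ranges per Region (requirements above)


def byoip_precheck(cidr: str, publicly_advertisable: bool) -> list:
    """Check one range against the prefix-length rules; return a list of problems."""
    try:
        net = ipaddress.ip_network(cidr)  # strict: a CIDR with host bits set is rejected
    except ValueError as exc:
        return [f"{cidr}: {exc}"]
    if net.version == 4:
        limit = 24  # most specific IPv4 range is /24
    else:
        limit = 48 if publicly_advertisable else 60  # IPv6: /48 advertisable, /60 otherwise
    if net.prefixlen > limit:
        return [f"{net}: more specific than the /{limit} limit for this range type"]
    return []


def roa_covers(roa_prefix: str, roa_max_length: int, cidr: str) -> bool:
    """True if the ROA authorises cidr: inside the ROA prefix and no longer than maxLength (assumed)."""
    roa, net = ipaddress.ip_network(roa_prefix), ipaddress.ip_network(cidr)
    return net.version == roa.version and net.subnet_of(roa) and net.prefixlen <= roa_max_length


def plan_check(roa_prefix: str, roa_max_length: int, plan: list) -> list:
    """Check a plan of (cidr, region, publicly_advertisable) tuples carved from one ROA-covered block."""
    problems, seen, per_region = [], [], {}
    for cidr, region, advertisable in plan:
        issues = byoip_precheck(cidr, advertisable)
        problems += issues
        if issues:
            continue
        net = ipaddress.ip_network(cidr)
        # ROAs are only required for publicly advertisable ranges.
        if advertisable and not roa_covers(roa_prefix, roa_max_length, cidr):
            problems.append(f"{net}: not authorised by ROA {roa_prefix} maxLength {roa_max_length}")
        # A range can be in only one Region at a time, so overlapping ranges cannot both be brought.
        for other in seen:
            if net.version == other.version and net.overlaps(other):
                problems.append(f"{net}: overlaps {other} already in the plan")
        seen.append(net)
        per_region[region] = per_region.get(region, 0) + 1
    for region, count in per_region.items():
        if count > QUOTA_PER_REGION:
            problems.append(f"{region}: {count} ranges exceeds the default quota of {QUOTA_PER_REGION}")
    return problems


if __name__ == "__main__":  # constructed sample: two /24s from one /22, one of them planned twice
    sample = [("203.0.112.0/24", "us-east-1", True), ("203.0.113.0/24", "eu-west-1", True),
              ("203.0.113.0/24", "ap-southeast-1", True)]
    print(plan_check("203.0.112.0/22", 24, sample))
```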