Share an IPAM pool using Amazon RAM - Amazon Virtual Private Cloud

Share an IPAM pool using Amazon RAM

Follow the steps in this section to share an IPAM pool using Amazon Resource Access Manager (RAM). When you share an IPAM pool with RAM, “principals” can allocate CIDRs from the pool to Amazon resources, such as VPCs, from their respective accounts. A principal is a concept in RAM that means any Amazon account, IAM role or organizational unit in Amazon Organizations. For more information, see Sharing your Amazon resources in the Amazon RAM User Guide.

Note
  • You can only share an IPAM pool with Amazon RAM if you've integrated IPAM with Amazon Organizations. For more information, see Integrate IPAM with accounts in an Amazon Organization. You cannot share an IPAM pool with Amazon RAM if you are a single account IPAM user.

  • You must enable resource sharing with Amazon Organizations in Amazon RAM. For more information, see Enable resource sharing within Amazon Organizations in the Amazon RAM User Guide.

  • RAM sharing is only available in the home Amazon Region of your IPAM. You must create the share in the Amazon Region that the IPAM is in, not in the Region of the IPAM pool.

  • The account that creates and deletes IPAM pool resource shares must have the following permissions in the IAM policy attached to their IAM role:

    • ec2:PutResourcePolicy

    • ec2:DeleteResourcePolicy

  • You can add multiple IPAM pools to a RAM share.

Amazon Management Console
To share an IPAM pool using RAM
  1. Open the IPAM console at https://console.amazonaws.cn/ipam/.

  2. In the navigation pane, choose Pools.

  3. By default, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works.

  4. In the content pane, choose the pool you want to share and choose Actions > View details.

  5. Under Resource sharing, choose Create resource share. As a result, the Amazon RAM console opens. You'll create the shared pool in Amazon RAM.

  6. Choose Create a resource share.

  7. Add a Name for the shared resource.

  8. Under Select resource type, select IPAM pools and choose one or more IPAM pools.

  9. Choose Next.

  10. Choose one of the permissions for the resource share:

    • AWSRAMDefaultPermissionsIpamPool: Choose this permission to allow principals to view the CIDRs and allocations in the shared IPAM pool and allocate/release CIDRs in the pool.

    • AWSRAMPermissionIpamPoolByoipCidrImport: Choose this permission to allow principals to import BYOIP CIDRs into the shared IPAM pool. You need this permission only if you have existing BYOIP CIDRs that you want to import to IPAM and share with principals. For additional information on transferring BYOIP CIDRs to IPAM, see Tutorial: Transfer a BYOIP IPv4 CIDR to IPAM.

  11. Choose the principals that are allowed to access this resource. If principals will be importing existing BYOIP CIDRs to this shared IPAM pool, add the BYOIP CIDR owner account as a principal.

  12. Review the resource share options and the principals you’ll be sharing with and choose Create.

Command line

The command(s) in this section link to the Amazon CLI Reference documentation. There you’ll find detailed descriptions of the options you can use when you run the command(s).

Use the following Amazon CLI commands to share an IPAM pool using RAM:

  1. Get the ARN of the IPAM: describe-ipam-pools

  2. Create the resource share: create-resource-share

  3. View the resource share: get-resource-shares
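
The three commands above chained into one least-privilege share, as an added example that is not part of the original documentation. The function names, the `IPAM_HOME_REGION` variable, the managed-permission ARN layout and the `--no-allow-external-principals` choice are assumptions made for this example.

```shell
#!/bin/sh
# Added example. IPAM_HOME_REGION must be the IPAM's home Region, because
# RAM sharing for IPAM pools is only available there.

# Step 1: resolve the pool ARN from a pool ID.
pool_arn() {  # $1 = IPAM pool ID
  aws ec2 describe-ipam-pools --region "${IPAM_HOME_REGION:?set IPAM home Region}" \
    --ipam-pool-ids "$1" --query 'IpamPools[0].IpamPoolArn' --output text
}

# Accept only the two managed permissions named on this page and build the
# ARN in the pool's partition (ARN layout is an assumption; confirm it with
# `aws ram list-permissions`).
permission_arn() {  # $1 = pool ARN, $2 = permission name
  case "$2" in
    AWSRAMDefaultPermissionsIpamPool|AWSRAMPermissionIpamPoolByoipCidrImport) ;;
    *) echo "refusing unknown permission: $2" >&2; return 1 ;;
  esac
  partition=$(printf '%s' "$1" | cut -d: -f2)
  printf 'arn:%s:ram::aws:permission/%s\n' "$partition" "$2"
}

# Step 2: create the share for one pool and one principal.
share_pool() {  # $1 = pool ID, $2 = share name, $3 = principal, $4 = permission
  arn=$(pool_arn "$1") || return 1
  case "$arn" in arn:*) ;; *) echo "no ARN for pool $1" >&2; return 1 ;; esac
  perm=$(permission_arn "$arn" "$4") || return 1
  # --no-allow-external-principals keeps the share inside the organization
  # (a hardening choice added here, not a step from the page).
  aws ram create-resource-share --region "$IPAM_HOME_REGION" \
    --name "$2" --resource-arns "$arn" --principals "$3" \
    --permission-arns "$perm" --no-allow-external-principals \
    --query 'resourceShare.resourceShareArn' --output text
}

# Step 3: read back status and the external-principals flag.
verify_share() {  # $1 = share name
  aws ram get-resource-shares --region "${IPAM_HOME_REGION:?set IPAM home Region}" \
    --resource-owner SELF --name "$1" \
    --query 'resourceShares[0].[status,allowExternalPrincipals]' --output text
}

# Usage (placeholder values):
#   export IPAM_HOME_REGION=<home-region>
#   share_pool <ipam-pool-id> ipam-dev-share <account-id-or-OU-ARN> \
#     AWSRAMDefaultPermissionsIpamPool
#   verify_share ipam-dev-share
```

Grant AWSRAMPermissionIpamPoolByoipCidrImport only to the share that actually needs BYOIP import, and check that `verify_share` reports `ACTIVE` with the external-principals flag `False`.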

As a result of creating the resource share in RAM, other principals can now allocate CIDRs to resources using the IPAM pool. For information on monitoring resources created by principals, see Monitor CIDR usage by resource. For more information on how to create a VPC and allocate a CIDR from a shared IPAM pool, see Creating a VPC in the Amazon VPC User Guide.