Bring your own IPv4 CIDR to IPAM using both the Amazon Management Console and the Amazon CLI
Follow these steps to bring an IPv4 CIDR to IPAM and allocate an Elastic IP address (EIP) using both the Amazon Management Console and the Amazon CLI.
Important
This tutorial assumes you have already completed the steps in the following sections:
-
Each step of this tutorial must be done by one of three Amazon Organizations accounts:
The management account.
The member account configured to be your IPAM administrator in Integrate IPAM with accounts in an Amazon Organization. In this tutorial, this account will be called the IPAM account.
The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.
Contents
- Step 1: Create Amazon CLI named profiles and IAM roles
- Step 2: Create a top-level IPAM pool
- Step 3. Create a Regional pool within the top-level pool
- Step 4. Share the Regional pool
- Step 5: Create a public IPv4 pool
- Step 6: Provision the public IPv4 CIDR to your public IPv4 pool
- Step 7: Create an Elastic IP address from the public IPv4 pool
- Step 8: Associate the Elastic IP address with an EC2 instance
- Step 9: Advertise the CIDR
- Step 10: Cleanup
Step 1: Create Amazon CLI named profiles and IAM roles
To complete this tutorial as a single Amazon user, you can use Amazon CLI named profiles to switch from one IAM role to another. Named profiles are collections of settings and credentials that you refer to when using the --profile option with the Amazon CLI. For more information about how to create IAM roles and named profiles for Amazon accounts, see Using an IAM role in the Amazon CLI in the Amazon Identity and Access Management User Guide.
Create one role and one named profile for each of the three Amazon accounts you will use in this tutorial:
-
A profile called management-account for the Amazon Organizations management account.
-
A profile called ipam-account for the Amazon Organizations member account that is configured to be your IPAM administrator.
-
A profile called member-account for the Amazon Organizations member account in your organization which will allocate CIDRs from an IPAM pool.
After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample Amazon CLI commands use the --profile option with one of the named profiles to indicate which account must run the command.
Step 2: Create a top-level IPAM pool
Complete the steps in this section to create a top-level IPAM pool.
This step must be done by the IPAM account.
To create a pool
-
Open the IPAM console at https://console.amazonaws.cn/ipam/.
-
In the navigation pane, choose Pools.
-
By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see How IPAM works.
-
Choose Create pool.
-
(Optional) Add a Name tag for the pool and a Description for the pool.
-
Under Source, choose IPAM scope.
-
Under Address family, choose IPv4.
-
Under Resource planning, leave Plan IP space within the scope selected. For more information about using this option to plan for subnet IP space within a VPC, see Tutorial: Plan VPC IP address space for subnet IP allocations.
-
Under Locale, choose None.
The locale is the Amazon Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.
The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR. Since we are going to create a top-level IPAM pool with a Regional pool within it, and we’re going to allocate space to an Elastic IP address from the Regional pool, you will set the locale on the Regional pool and not the top-level pool. You’ll add the locale to the Regional pool when you create the Regional pool in a later step.
Note
If you are creating a single pool only and not a top-level pool with Regional pools within it, you would want to choose a Locale for this pool so that the pool is available for allocations.
-
Under Public IP source, choose one of the following options:
BYOIP: You are bringing your own IPv4 or IPv6 address range (BYOIP) to this pool.
Amazon owned: You want Amazon to provision an IPv4 or IPv6 address range to this pool.
-
Do one of the following:
If you chose BYOIP in the previous step, under CIDRs to provision, choose a CIDR to provision for the pool. Note that when provisioning an IPv4 CIDR to a pool within the top-level pool, the minimum IPv4 CIDR you can provision is /24; more specific CIDRs (such as /25) are not permitted. You must include the CIDR and the BYOIP message and certificate signature in the request so we can verify that you own the public space. For a list of BYOIP prerequisites including how to get this BYOIP message and certificate signature, see Bring your own public IPv4 CIDR to IPAM using both the Amazon Management Console and the Amazon CLI.
Important
It can take up to one week for the BYOIP CIDR to be provisioned.
If you chose Amazon owned, under Netmask length choose a netmask length from /40 to /52. Default is /52.
Leave Use this pool to allocate CIDRs to resources such as VPCs unchecked.
(Optional) Choose Tags for the pool.
Choose Create pool.
Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the CIDRs tab in the pool details page. Note that it can take up to one week for the BYOIP CIDR to be provisioned.
Step 3. Create a Regional pool within the top-level pool
Create a Regional pool within the top-level pool. The IPAM integration with BYOIP requires that the locale is set on
whichever pool will be used for the BYOIP CIDR. You’ll add the locale to the Regional pool when you create the Regional pool
in this section. The Locale
must be one of the operating Regions you configured when you created the IPAM.
This step must be done by the IPAM account.
To create a Regional pool within a top-level pool
-
Open the IPAM console at https://console.amazonaws.cn/ipam/.
-
In the navigation pane, choose Pools.
-
By default, when you create a pool, the default private scope is selected. Choose the public scope, the scope in which you created the top-level pool in the previous section: a pool created within another pool belongs to the same scope as its source pool. For more information about scopes, see How IPAM works.
-
Choose Create pool.
-
(Optional) Add a Name tag for the pool and a Description for the pool.
-
Under Source, choose the top-level pool that you created in the previous section.
-
Under Resource planning, leave Plan IP space within the scope selected. For more information about using this option to plan for subnet IP space within a VPC, see Tutorial: Plan VPC IP address space for subnet IP allocations.
-
Under Locale, choose the locale for the pool. In this tutorial, we'll use us-east-2 as the locale for the Regional pool. The available options come from the operating Regions that you chose when you created your IPAM. The locale is the Amazon Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses. Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it.
-
Under Service, choose EC2 (EIP/VPC). The service you select determines the Amazon service where the CIDR will be advertisable. Currently, the only option is EC2 (EIP/VPC), which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs).
-
Under CIDRs to provision, choose a CIDR to provision for the pool. Note that when provisioning a CIDR to a pool within the top-level pool, the minimum IPv4 CIDR you can provision is /24; more specific CIDRs (such as /25) are not permitted.
-
Choose Use this pool to allocate CIDRs to resources such as VPCs and choose optional allocation rules for this pool. You have the same allocation rule options here as you did when you created the top-level pool. See Create a top-level IPv4 pool for an explanation of the options that are available when you create pools. The allocation rules for the Regional pool are not inherited from the top-level pool. If you do not apply any rules here, there will be no allocation rules set for the pool. The optional allocation rules are:
Automatically import discovered resources: This option is not available if the Locale is set to None. If this option is selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. Note the following:
The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed.
IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant.
If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only.
If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
Minimum netmask length: The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant and the largest size CIDR block that can be allocated from the pool. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
Default netmask length: A default netmask length for allocations added to this pool. For example, if the CIDR that's provisioned to this pool is 10.0.0.0/8 and you enter 16 here, any new allocations in this pool will default to a netmask length of /16.
Maximum netmask length: The maximum netmask length that will be required for CIDR allocations in this pool. This value dictates the smallest size CIDR block that can be allocated from the pool.
Tagging requirements: The tags that are required for resources to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging rules are changed on the pool, the resource may be marked as noncompliant.
-
Locale: The locale that will be required for resources that use CIDRs from this pool. Automatically imported resources that do not have this locale will be marked noncompliant. Resources that are not automatically imported into the pool will not be allowed to allocate space from the pool unless they are in this locale.
(Optional) Choose Tags for the pool.
-
When you’ve finished configuring your pool, choose Create pool.
Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the CIDRs tab in the pool details page.
Step 4. Share the Regional pool
Follow the steps in this section to share the Regional pool using Amazon Resource Access Manager (RAM).
4.1. Enable resource sharing in Amazon RAM
After you create your IPAM, you’ll want to share the Regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with Amazon RAM. If you are using the Amazon CLI to enable resource sharing, use the --profile management-account option.
To enable resource sharing
-
Using the Amazon Organizations management account, open the Amazon RAM console at https://console.aws.amazon.com/ram/.
-
In the left navigation pane, choose Settings, choose Enable sharing with Amazon Organizations, and then choose Save settings.
You can now share an IPAM pool with other members of the organization.
4.2. Share an IPAM pool using Amazon RAM
In this section you’ll share the Regional pool with another Amazon Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see Share an IPAM pool using Amazon RAM. If you are using the Amazon CLI to share the pool, use the --profile ipam-account option.
To share an IPAM pool using Amazon RAM
-
Using the IPAM admin account, open the IPAM console at https://console.amazonaws.cn/ipam/.
-
In the navigation pane, choose Pools.
-
Choose the public scope, choose the Regional pool you created in Step 3, and choose Actions > View details.
-
Under Resource sharing, choose Create resource share. The Amazon RAM console opens. You share the pool using Amazon RAM.
-
Choose Create a resource share.
-
In the Amazon RAM console, choose Create a resource share again.
-
Add a Name for the shared pool.
-
Under Select resource type, choose IPAM pools, and then choose the ARN of the Regional pool.
-
Choose Next.
-
Choose the AWSRAMPermissionIpamPoolByoipCidrImport permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in Share an IPAM pool using Amazon RAM.
-
Choose Next.
-
Under Principals > Select principal type, choose Amazon account, enter the account ID of the account that will be bringing an IP address range to IPAM, and choose Add.
-
Choose Next.
-
Review the resource share options and the principals that you’ll be sharing with, and then choose Create.
-
To allow the member-account account to allocate IP address CIDRs from the IPAM pool, create a second resource share with the AWSRAMDefaultPermissionsIpamPool permission. If you use the Amazon CLI to create it, the value for --resource-arns is the ARN of the Regional pool that you created in the previous section, the value for --principals is the account ID of the BYOIP CIDR owner account (the member account), and the value for --permission-arns is the ARN of the AWSRAMDefaultPermissionsIpamPool permission.
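The two resource shares from this section issued with the Amazon CLI instead of the console, as an added example that is not part of the original page and not Amazon's own tooling. It assumes the aws CLI and the ipam-account named profile from Step 1 are configured, and that you supply the Regional pool ARN, the member account ID, the Region in which to create the shares, and the ARN partition ("aws", or "aws-cn" in the China Regions); the response it prints when run offline is constructed.

```python
"""Share the IPAM Regional pool with the member account through Amazon RAM (step 4.2).

Added example, not code from the original page or from Amazon. It issues the two
`aws ram create-resource-share` calls that the console procedure performs, one per
managed permission, from the IPAM account. Assumptions: the `aws` CLI and the
`ipam-account` named profile exist; the ARN partition ("aws", or "aws-cn" in the
China Regions), the pool ARN, the member account ID and the Region are inputs;
sample_runner below is a constructed stand-in so the script also runs offline.
"""
import json
import subprocess

# The two RAM managed permissions named on the page. The BYOIP import permission
# lets the member account provision a CIDR from the pool into its own public IPv4
# pool; the default permission lets it allocate CIDRs from the pool to resources.
SHARE_PERMISSIONS = {
    "byoip-import": "AWSRAMPermissionIpamPoolByoipCidrImport",
    "allocate": "AWSRAMDefaultPermissionsIpamPool",
}


def permission_arn(name, partition="aws"):
    """ARN of an Amazon-managed RAM permission (format assumed from the RAM docs)."""
    return f"arn:{partition}:ram::aws:permission/{name}"


def create_share_argv(share_name, pool_arn, principal_account, permission_name,
                      region, profile="ipam-account", partition="aws"):
    """argv for one resource share: one pool, one principal, one managed permission."""
    if len(principal_account) != 12 or not principal_account.isdigit():
        raise ValueError(f"not a 12-digit account ID: {principal_account!r}")
    if ":ipam-pool/" not in pool_arn:
        raise ValueError(f"not an IPAM pool ARN: {pool_arn!r}")
    return [
        "aws", "ram", "create-resource-share",
        "--name", share_name,
        "--resource-arns", pool_arn,
        "--principals", principal_account,
        "--permission-arns", permission_arn(permission_name, partition),
        # The member sits inside the organization that RAM sharing was enabled
        # for in step 4.1, so external principals are explicitly disallowed.
        "--no-allow-external-principals",
        "--region", region,
        "--profile", profile,
        "--output", "json",
    ]


def run_json(argv):
    """Run an aws CLI command and parse its JSON output (raises on non-zero exit)."""
    return json.loads(subprocess.run(argv, check=True, capture_output=True, text=True).stdout)


def share_pool_with_member(pool_arn, member_account, region, partition="aws", runner=run_json):
    """Create both shares; return {label: resourceShareArn}."""
    created = {}
    for label, permission in SHARE_PERMISSIONS.items():
        argv = create_share_argv(f"ipam-regional-pool-{label}", pool_arn, member_account,
                                 permission, region, partition=partition)
        share = runner(argv)["resourceShare"]
        if share.get("status") not in ("ACTIVE", "PENDING"):
            raise RuntimeError(f"share {label!r} has status {share.get('status')!r}")
        created[label] = share["resourceShareArn"]
    return created


def sample_runner(argv):
    """Constructed stand-in for run_json: echoes a plausible create-resource-share response."""
    name = argv[argv.index("--name") + 1]
    return {"resourceShare": {
        "resourceShareArn": f"arn:aws:ram:us-east-2:111122223333:resource-share/{name}",
        "name": name, "owningAccountId": "111122223333",
        "allowExternalPrincipals": False, "status": "ACTIVE"}}


if __name__ == "__main__":
    # Offline demo with placeholder IDs; pass runner=run_json to create the shares for real.
    POOL_ARN = "arn:aws:ec2::111122223333:ipam-pool/ipam-pool-04d8e2d9670eeab21"
    print(json.dumps(share_pool_with_member(POOL_ARN, "444455556666", "us-east-2",
                                            runner=sample_runner), indent=2))
```

Both shares name a single principal and keep external principals disabled; the account ID and ARN checks catch the common mistake of pasting a pool ID instead of its ARN, or a role ARN instead of an account ID, before anything is shared.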
Step 5: Create a public IPv4 pool
Creating a public IPv4 pool is a required step for bringing a public IPv4 address to Amazon to be managed with IPAM. This step should be done by the member account that will provision an Elastic IP address.
This step must be done by the member account using the Amazon CLI.
Important
Public IPv4 pools and IPAM pools are managed by distinct resources in Amazon. Public IPv4 pools are single account resources that enable you to convert your publicly-owned CIDRs to Elastic IP addresses. IPAM pools can be used to allocate your public space to public IPv4 pools.
To create a public IPv4 pool using the Amazon CLI
-
Run the following command to create the public IPv4 pool. When you run the command in this section, the value for --region must match the Locale option you chose when you created the pool that will be used for the BYOIP CIDR.
aws ec2 create-public-ipv4-pool --region us-east-2 --profile member-account
In the output, you'll see the public IPv4 pool ID. You will need this ID in the next step.
{ "PoolId": "ipv4pool-ec2-09037ce61cf068f9a" }
Step 6: Provision the public IPv4 CIDR to your public IPv4 pool
Provision the public IPv4 CIDR to your public IPv4 pool. The value for --region must match the Locale value you chose when you created the pool that will be used for the BYOIP CIDR. The --netmask-length is the amount of space out of the IPAM pool that you want to bring to your public pool. The netmask length cannot be less specific than the CIDR provisioned to the IPAM pool (you cannot bring more space than the pool holds). The least specific IPv4 prefix you can bring is /24.
Note
If you are bringing a /24 CIDR range to IPAM to share across an Amazon Organization, you can provision smaller prefixes to multiple public IPv4 pools, say /27 (using --netmask-length 27), rather than provisioning the entire /24 CIDR (using --netmask-length 24) as is shown in this tutorial.
This step must be done by the member account using the Amazon CLI.
To provision the public IPv4 CIDR to the public IPv4 pool using the Amazon CLI
-
Run the following command to provision the CIDR.
aws ec2 provision-public-ipv4-pool-cidr --region us-east-2 --ipam-pool-id ipam-pool-04d8e2d9670eeab21 --pool-id ipv4pool-ec2-09037ce61cf068f9a --netmask-length 24 --profile member-account
In the output, you'll see the provisioned CIDR.
{ "PoolId": "ipv4pool-ec2-09037ce61cf068f9a", "PoolAddressRange": { "FirstAddress": "130.137.245.0", "LastAddress": "130.137.245.255", "AddressCount": 256, "AvailableAddressCount": 256 } }
-
Run the following command to view the CIDR provisioned in the public IPv4 pool.
aws ec2 describe-public-ipv4-pools --region us-east-2 --max-results 10 --profile member-account
In the output, you'll see the provisioned CIDR. By default the CIDR is not advertised, which means it's not publicly accessible over the internet. You will have the chance to set this CIDR to advertised in the last step of this tutorial.
{ "PublicIpv4Pools": [ { "PoolId": "ipv4pool-ec2-09037ce61cf068f9a", "Description": "", "PoolAddressRanges": [ { "FirstAddress": "130.137.245.0", "LastAddress": "130.137.245.255", "AddressCount": 256, "AvailableAddressCount": 255 } ], "TotalAddressCount": 256, "TotalAvailableAddressCount": 255, "NetworkBorderGroup": "us-east-2", "Tags": [] } ] }
Once you create the public IPv4 pool, to view the public IPv4 pool allocated in the IPAM Regional pool, open the IPAM console and view the allocation in the Regional pool under Allocations or Resources.
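Steps 5 and 6 chained together, with the checks the text above calls out (the Region must equal the Regional pool's locale, the netmask length may be no less specific than /24, and the returned range must match the requested prefix), as an added example that is not code from this page or from Amazon. It assumes the aws CLI and the member-account profile from Step 1; the IPAM pool ID, locale and netmask length are your inputs, and the offline run replays the page's own sample outputs as constructed responses.

```python
"""Create a public IPv4 pool and provision the BYOIP CIDR into it (steps 5 and 6).

Added example, not code from the original page or from Amazon. It chains the two
commands the member account runs and enforces what the text requires: --region
must equal the locale of the IPAM pool the CIDR is drawn from, and
--netmask-length may be no less specific than /24. Assumptions: the `aws` CLI
and the `member-account` named profile are configured; pool IDs, locale and
netmask length are inputs. SAMPLE_RESPONSES reuse the page's own example
outputs as constructed data so the script also runs offline.
"""
import json
import subprocess

MIN_NETMASK_LENGTH = 24   # least specific IPv4 prefix that can be brought (page text)


def check_region_matches_locale(region, pool_locale):
    # A public IPv4 pool is Regional; the IPAM pool it draws from must carry
    # that Region as its locale, otherwise the provision call is rejected.
    if region != pool_locale:
        raise ValueError(f"--region {region} does not match IPAM pool locale {pool_locale}")


def create_public_pool_argv(region, profile="member-account"):
    return ["aws", "ec2", "create-public-ipv4-pool", "--region", region,
            "--profile", profile, "--output", "json"]


def provision_argv(region, ipam_pool_id, public_pool_id, netmask_length, profile="member-account"):
    if not MIN_NETMASK_LENGTH <= netmask_length <= 32:
        raise ValueError(f"netmask length must be {MIN_NETMASK_LENGTH}..32, got {netmask_length}")
    return ["aws", "ec2", "provision-public-ipv4-pool-cidr", "--region", region,
            "--ipam-pool-id", ipam_pool_id, "--pool-id", public_pool_id,
            "--netmask-length", str(netmask_length), "--profile", profile, "--output", "json"]


def run_json(argv):
    """Run an aws CLI command and parse its JSON output (raises on non-zero exit)."""
    return json.loads(subprocess.run(argv, check=True, capture_output=True, text=True).stdout)


def provisioned_range(response, netmask_length):
    """Return (first, last, count) and check the count matches the requested prefix."""
    r = response["PoolAddressRange"]
    expected = 2 ** (32 - netmask_length)
    if r["AddressCount"] != expected:
        raise RuntimeError(f"expected {expected} addresses for /{netmask_length}, got {r['AddressCount']}")
    return r["FirstAddress"], r["LastAddress"], r["AddressCount"]


def bring_cidr_to_public_pool(ipam_pool_id, pool_locale, region, netmask_length, runner=run_json):
    """Step 5 then step 6; returns the new pool ID and the range that landed in it."""
    check_region_matches_locale(region, pool_locale)
    public_pool_id = runner(create_public_pool_argv(region))["PoolId"]
    if not public_pool_id.startswith("ipv4pool-ec2-"):
        raise RuntimeError(f"unexpected pool ID {public_pool_id!r}")
    resp = runner(provision_argv(region, ipam_pool_id, public_pool_id, netmask_length))
    if resp["PoolId"] != public_pool_id:
        raise RuntimeError("provision response names a different pool")
    first, last, count = provisioned_range(resp, netmask_length)
    return {"PublicPoolId": public_pool_id, "FirstAddress": first,
            "LastAddress": last, "AddressCount": count}


# The page's own sample outputs, keyed by subcommand (constructed stand-in data).
SAMPLE_RESPONSES = {
    "create-public-ipv4-pool": {"PoolId": "ipv4pool-ec2-09037ce61cf068f9a"},
    "provision-public-ipv4-pool-cidr": {
        "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
        "PoolAddressRange": {"FirstAddress": "130.137.245.0", "LastAddress": "130.137.245.255",
                             "AddressCount": 256, "AvailableAddressCount": 256}},
}


def sample_runner(argv):
    return SAMPLE_RESPONSES[argv[2]]


if __name__ == "__main__":
    # Offline demo; pass runner=run_json to run against your account.
    print(json.dumps(bring_cidr_to_public_pool("ipam-pool-04d8e2d9670eeab21", "us-east-2",
                                               "us-east-2", 24, runner=sample_runner), indent=2))
```

The locale check is done before any call is made, so a mismatched --region fails locally instead of leaving an empty public IPv4 pool behind; the range check at the end catches a provision response that does not cover the prefix you asked for.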
Step 7: Create an Elastic IP address from the public IPv4 pool
Complete the steps in Allocate an Elastic IP address in the Amazon EC2 User Guide for Linux Instances to create an Elastic IP address (EIP) from the public IPv4 pool. When you open EC2 in the Amazon Management console, the Amazon Region you allocate the EIP in must match the Locale option you chose when you created the pool that will be used for the BYOIP CIDR.
This step must be done by the member account. If you are using the Amazon CLI, use the --profile member-account option.
Step 8: Associate the Elastic IP address with an EC2 instance
Complete the steps in Associate an Elastic IP address with an instance or network interface in the Amazon EC2 User Guide for Linux Instances to associate the EIP with an EC2 instance. When you open EC2 in the Amazon Management console, the Amazon Region you associate the EIP in must match the Locale option you chose when you created the pool that will be used for the BYOIP CIDR. In this tutorial, that pool is the Regional pool.
This step must be done by the member account. If you are using the Amazon CLI, use the --profile member-account option.
Step 9: Advertise the CIDR
The steps in this section must be done by the IPAM account. Once you associate the Elastic IP address (EIP) with an instance or Elastic Load Balancer, you can then start advertising the CIDR you brought to Amazon that is in the pool that has the Service EC2 (EIP/VPC) configured. In this tutorial, that's your Regional pool. By default the CIDR is not advertised, which means it's not publicly accessible over the internet.
To advertise the CIDR
-
Open the IPAM console at https://console.amazonaws.cn/ipam/.
-
In the navigation pane, choose Pools.
-
By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see How IPAM works.
-
Choose the Regional pool you created in this tutorial.
-
Choose the CIDRs tab.
-
Select the BYOIP CIDR and choose Actions > Advertise.
-
Choose Advertise CIDR.
As a result, the BYOIP CIDR is advertised and the value in the Advertising column changes from Withdrawn to Advertised.
Step 10: Cleanup
Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial.
Step 1: Withdraw the CIDR from advertising
This step must be done by the IPAM account.
-
Open the IPAM console at https://console.amazonaws.cn/ipam/.
-
In the navigation pane, choose Pools.
-
By default, when you create a pool, the default private scope is selected. Choose the public scope.
-
Choose the Regional pool you created in this tutorial.
-
Choose the CIDRs tab.
-
Select the BYOIP CIDR and choose Actions > Withdraw from advertising.
-
Choose Withdraw CIDR.
As a result, the BYOIP CIDR is no longer advertised and the value in the Advertising column changes from Advertised to Withdrawn.
Step 2: Disassociate the Elastic IP address
This step must be done by the member account. If you are using the Amazon CLI, use the --profile member-account option.
Complete the steps in Disassociate an Elastic IP address in the Amazon EC2 User Guide for Linux Instances to disassociate the EIP. When you open EC2 in the Amazon Management console, the Amazon Region you disassociate the EIP in must match the Locale option you chose when you created the pool that will be used for the BYOIP CIDR. In this tutorial, that pool is the Regional pool.
Step 3: Release the Elastic IP address
This step must be done by the member account. If you are using the Amazon CLI, use the --profile member-account option.
-
Complete the steps in Release an Elastic IP address in the Amazon EC2 User Guide for Linux Instances to release the Elastic IP address (EIP) back to the public IPv4 pool. When you open EC2 in the Amazon Management console, the Amazon Region you release the EIP in must match the Locale option you chose when you created the pool that will be used for the BYOIP CIDR.
Step 4: Deprovision the public IPv4 CIDR from your public IPv4 pool
This step must be done by the member account using the Amazon CLI.
-
View your BYOIP CIDRs.
aws ec2 describe-public-ipv4-pools --region us-east-2 --profile member-account
In the output, you'll see the IP addresses in your BYOIP CIDR.
{ "PublicIpv4Pools": [ { "PoolId": "ipv4pool-ec2-09037ce61cf068f9a", "Description": "", "PoolAddressRanges": [ { "FirstAddress": "130.137.245.0", "LastAddress": "130.137.245.255", "AddressCount": 256, "AvailableAddressCount": 256 } ], "TotalAddressCount": 256, "TotalAvailableAddressCount": 256, "NetworkBorderGroup": "us-east-2", "Tags": [] } ] }
-
Run the following command to deprovision the last IP address in the CIDR from the public IPv4 pool. Enter the IP address with a netmask of /32.
aws ec2 deprovision-public-ipv4-pool-cidr --region us-east-2 --pool-id ipv4pool-ec2-09037ce61cf068f9a --cidr 130.137.245.255/32 --profile member-account
In the output, you'll see the deprovisioned CIDR.
{ "PoolId": "ipv4pool-ec2-09037ce61cf068f9a", "DeprovisionedAddresses": [ "130.137.245.255" ] }
Important
You must rerun this command for each IP address in the CIDR range. If your CIDR is a /24, you will have to run this command to deprovision each of the 256 IP addresses in the /24 CIDR.
-
View your BYOIP CIDRs again and ensure there are no more provisioned addresses. When you run the command in this section, the value for --region must match the Locale option you chose when you created the pool that will be used for the BYOIP CIDR.
aws ec2 describe-public-ipv4-pools --region us-east-2 --profile member-account
In the output, you'll see the IP addresses count in your public IPv4 pool.
{ "PublicIpv4Pools": [ { "PoolId": "ipv4pool-ec2-09037ce61cf068f9a", "Description": "", "PoolAddressRanges": [], "TotalAddressCount": 0, "TotalAvailableAddressCount": 0, "NetworkBorderGroup": "us-east-2", "Tags": [] } ] }
Note
It can take some time for IPAM to discover that public IPv4 pool allocations have been removed. You cannot continue to clean up and deprovision the IPAM pool CIDR until you see that the allocation has been removed from IPAM.
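The per-address deprovision loop that the Important note above requires, as an added example that is not code from this page or from Amazon. Because deprovision-public-ipv4-pool-cidr takes one /32 per call, the script expands every PoolAddressRange reported by describe-public-ipv4-pools into individual addresses, releases each one, keeps going when one release fails (typically an address still held by an Elastic IP that was not released in cleanup step 3), and then re-describes the pool to confirm that nothing is left. It assumes the aws CLI and the member-account profile; SampleRunner is a constructed stand-in seeded with the page's /24 sample so the script also runs offline.

```python
"""Deprovision every address of the BYOIP CIDR from the public IPv4 pool (cleanup step 4).

Added example, not code from the original page or from Amazon.
deprovision-public-ipv4-pool-cidr takes one /32 per call, so "rerun this command
for each IP address" becomes a loop over the PoolAddressRanges that
describe-public-ipv4-pools reports; a failed release is recorded and the loop
continues. Assumptions: the `aws` CLI and the `member-account` named profile are
configured. SampleRunner is a constructed stand-in built from the page's sample
outputs so the script also runs offline.
"""
import ipaddress
import json
import subprocess


def describe_argv(pool_id, region, profile="member-account"):
    return ["aws", "ec2", "describe-public-ipv4-pools", "--region", region,
            "--pool-ids", pool_id, "--profile", profile, "--output", "json"]


def deprovision_argv(pool_id, cidr, region, profile="member-account"):
    return ["aws", "ec2", "deprovision-public-ipv4-pool-cidr", "--region", region,
            "--pool-id", pool_id, "--cidr", cidr, "--profile", profile, "--output", "json"]


def addresses_in_pool(describe_response, pool_id):
    """Expand each PoolAddressRange of the pool into individual /32 CIDR strings."""
    for pool in describe_response["PublicIpv4Pools"]:
        if pool["PoolId"] != pool_id:
            continue
        for r in pool["PoolAddressRanges"]:
            first = int(ipaddress.IPv4Address(r["FirstAddress"]))
            last = int(ipaddress.IPv4Address(r["LastAddress"]))
            if last - first + 1 != r["AddressCount"]:
                raise RuntimeError(f"range {r} is inconsistent with its AddressCount")
            for n in range(first, last + 1):
                yield f"{ipaddress.IPv4Address(n)}/32"


def run_json(argv):
    """Run an aws CLI command and parse its JSON output (raises on non-zero exit)."""
    return json.loads(subprocess.run(argv, check=True, capture_output=True, text=True).stdout)


def deprovision_pool(pool_id, region, runner=run_json):
    """Release every address, then re-describe the pool and report what is left."""
    released, failed = [], []
    for cidr in list(addresses_in_pool(runner(describe_argv(pool_id, region)), pool_id)):
        try:
            resp = runner(deprovision_argv(pool_id, cidr, region))
        except subprocess.CalledProcessError as exc:
            # Usually the address is still allocated to an Elastic IP; record and continue.
            failed.append((cidr, (exc.stderr or "").strip()))
            continue
        if resp.get("DeprovisionedAddresses") != [cidr.split("/")[0]]:
            raise RuntimeError(f"unexpected response for {cidr}: {resp}")
        released.append(cidr)
    after = runner(describe_argv(pool_id, region))
    remaining = sum(p["TotalAddressCount"] for p in after["PublicIpv4Pools"] if p["PoolId"] == pool_id)
    return {"released": len(released), "failed": failed, "remaining": remaining}


class SampleRunner:
    """Constructed stand-in for run_json seeded with the page's /24 sample pool.

    `fail` lists addresses whose release should fail, to exercise the error path.
    """

    def __init__(self, pool_id="ipv4pool-ec2-09037ce61cf068f9a", first="130.137.245.0",
                 last="130.137.245.255", border_group="us-east-2", fail=()):
        self.pool_id, self.border_group, self.fail = pool_id, border_group, set(fail)
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.remaining = {str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)}
        self.full_range = {"FirstAddress": first, "LastAddress": last,
                           "AddressCount": hi - lo + 1, "AvailableAddressCount": hi - lo + 1}

    def __call__(self, argv):
        if argv[2] == "describe-public-ipv4-pools":
            # Simplification: report the whole range until every address is gone.
            total = len(self.remaining)
            return {"PublicIpv4Pools": [{
                "PoolId": self.pool_id, "Description": "",
                "PoolAddressRanges": [self.full_range] if total else [],
                "TotalAddressCount": total, "TotalAvailableAddressCount": total,
                "NetworkBorderGroup": self.border_group, "Tags": []}]}
        if argv[2] == "deprovision-public-ipv4-pool-cidr":
            addr = argv[argv.index("--cidr") + 1].split("/")[0]
            if addr in self.fail:
                raise subprocess.CalledProcessError(254, argv, stderr="address still allocated")
            self.remaining.remove(addr)          # KeyError on a double release
            return {"PoolId": self.pool_id, "DeprovisionedAddresses": [addr]}
        raise ValueError(f"unexpected command {argv[2]}")


if __name__ == "__main__":
    # Offline demo; pass runner=run_json to clean up a real pool.
    print(json.dumps(deprovision_pool("ipv4pool-ec2-09037ce61cf068f9a", "us-east-2",
                                      runner=SampleRunner()), indent=2))
```

A non-zero "remaining" or a non-empty "failed" list means step 5 (deleting the public IPv4 pool) will not succeed yet; release the Elastic IPs still holding those addresses and run the loop again.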
Step 5: Delete the public IPv4 pool
This step must be done by the member account.
-
Run the following command to delete the public IPv4 pool. When you run the command in this section, the value for --region must match the Locale option you chose when you created the pool that will be used for the BYOIP CIDR. In this tutorial, that pool is the Regional pool. This step must be done using the Amazon CLI.
aws ec2 delete-public-ipv4-pool --region us-east-2 --pool-id ipv4pool-ec2-09037ce61cf068f9a --profile member-account
In the output, you'll see the return value true.
{ "ReturnValue": true }
Once you delete the pool, to view the allocation unmanaged by IPAM, open the IPAM console and view the details of the Regional pool under Allocations.
Step 6: Delete any RAM shares and disable RAM integration with Amazon Organizations
This step must be done by the IPAM account and management account respectively. If you are using the Amazon CLI to delete the RAM shares and disable RAM integration, use the --profile ipam-account and --profile management-account options.
-
Complete the steps in Deleting a resource share in Amazon RAM
and Disabling resource sharing with Amazon Organizations in the Amazon RAM User Guide, in that order, to delete the RAM shares and disable RAM integration with Amazon Organizations.
Step 7: Deprovision the CIDRs from the Regional pool and top-level pool
This step must be done by the IPAM account. If you are using the Amazon CLI to deprovision the CIDRs, use the --profile ipam-account option.
-
Complete the steps in Deprovision CIDRs from a pool to deprovision the CIDRs from the Regional pool and then the top-level pool, in that order.
Step 8: Delete the Regional pool and top-level pool
This step must be done by the IPAM account. If you are using the Amazon CLI to delete the pools, use the --profile ipam-account option.
-
Complete the steps in Delete a pool to delete the Regional pool and then the top-level pool, in that order.