Bring your own IP to CloudFront using IPAM - Amazon Virtual Private Cloud

Bring your own IP to CloudFront using IPAM

IPAM's BYOIP for global services lets you use your own IPv4 addresses with Amazon global services like CloudFront. Unlike regional BYOIP, your IP addresses are advertised from multiple edge locations simultaneously through anycast routing.

Why use this feature?

  • Maintain IP allowlisting – Use existing approved IP addresses instead of updating firewall configurations

  • Simplify migrations – Migrate from other CDNs without changing IP infrastructure

  • Consistent branding – Keep your existing IP address space when moving to Amazon

Who should use this feature?

Organizations that need their own IP addresses with global content delivery:

  • Large enterprises with IP allowlisting requirements

  • Companies migrating from other CDNs with existing IP addresses

  • Organizations with strict security policies requiring specific IP ranges

When to use this feature?

Use BYOIP for global services when you need to:

  • Maintain existing IP allowlisting with partners/clients

  • Migrate from another CDN using your IP addresses

  • Meet compliance requirements for specific IP ranges

Note

Requires /24 IPv4 CIDR blocks. Currently available for CloudFront only.

Prerequisites

Complete these steps before starting:

Global service configuration steps

The following steps differ from the standard regional BYOIP process and establish the pattern for global services:

Step 1: Create a global pool for anycast services

Instead of creating a regional pool, create a global pool for anycast services:

Console

To create a global pool using the console:

  1. Open the IPAM console at https://console.amazonaws.cn/ipam/.

  2. In the navigation pane, choose Pools.

  3. Choose Create pool.

  4. Source: Choose your top-level BYOIP pool

  5. Locale: Choose Global

  6. Service: Choose Global services (appears when Global is selected)

  7. Public IP source: Choose BYOIP

  8. CIDRs to provision: Specify your /24 CIDR range

  9. Choose Create pool.

CLI

Use aws ec2 create-ipam-pool with locale set to "Global" and address family "ipv4".

Then provision the CIDR using aws ec2 provision-ipam-pool-cidr.

Important

You must allocate the full /24 block to this pool. You can provision more specific ranges within this block for different uses.

Step 2: Create service-specific resources

For CloudFront, create an anycast IP list that uses your IPAM pool. For detailed instructions, see CloudFront BYOIP documentation (link TBD).

Key parameters for IPAM integration:

  • IP address type – Choose BYOIP

  • IPAM pool – Select your global pool from Step 1

  • IP count – Enter 3 (required for CloudFront)

Step 3: Associate with service resources

Associate your Anycast Static IP list with a CloudFront distribution. For detailed instructions, see CloudFront BYOIP documentation (link TBD).

Key configuration:

  • In distribution settings, select your Anycast IP List from Step 2

Step 4: Prepare for migration

  • Lower DNS TTL – Set DNS TTL for your records to 60 seconds or lower

  • Wait for propagation – Allow time for the new TTL to take effect across the internet

Step 5: Advertise CIDR globally

Use the IPAM global advertisement command:

Console

To advertise the CIDR using the console:

  1. Open the IPAM console at https://console.amazonaws.cn/ipam/.

  2. In the navigation pane, choose Pools.

  3. Select your global pool.

  4. Choose the CIDRs tab.

  5. Select your CIDR and choose Actions > Advertise CIDR.

  6. Confirm the advertisement.

CLI

Use aws ec2 advertise-ipam-byoip-cidr with your IPAM pool ID and CIDR.

Important

  • Withdraw advertisement from your previous provider before running this command

  • Update DNS records to point to CloudFront to complete the migration
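
The following pre-flight check is an added example, not AWS code. It gates Step 5 on the constraints stated in Steps 1 to 5 (a /24 IPv4 CIDR, an IP count of 3, DNS TTLs of 60 seconds or lower, withdrawal from the previous provider) and makes "wait for propagation" concrete. The plan fields (cidr, ip_count, records, previous_provider_withdrawn) are hypothetical names, the sample values are constructed, and the wait calculation assumes resolvers honor the TTL they cached.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_TTL = 60           # Step 4: DNS TTL of 60 seconds or lower
REQUIRED_PREFIX = 24   # Note: /24 IPv4 CIDR blocks are required
REQUIRED_IP_COUNT = 3  # Step 2: IP count required for CloudFront

def earliest_cutover(records):
    """A resolver that cached a record just before the TTL was lowered can
    keep it for the full old TTL, so wait until ttl_changed_at + old_ttl."""
    return max(r["ttl_changed_at"] + timedelta(seconds=r["old_ttl"]) for r in records)

def preflight(plan, now):
    """Return blocking findings; an empty list means Step 5 can proceed."""
    findings = []
    try:
        net = ipaddress.ip_network(plan["cidr"], strict=True)  # rejects host bits
        if net.version != 4 or net.prefixlen != REQUIRED_PREFIX:
            findings.append(f"cidr: {net} is not an IPv4 /{REQUIRED_PREFIX}")
    except ValueError as exc:
        findings.append(f"cidr: {exc}")
    if plan["ip_count"] != REQUIRED_IP_COUNT:
        findings.append(f"anycast: IP count is {plan['ip_count']}, expected {REQUIRED_IP_COUNT}")
    for r in plan["records"]:
        if r["new_ttl"] > MAX_TTL:
            findings.append(f"dns: {r['name']} TTL {r['new_ttl']}s is above {MAX_TTL}s")
    cutover = earliest_cutover(plan["records"])
    if now < cutover:
        findings.append(f"dns: old TTL may still be cached until {cutover.isoformat()}")
    if not plan["previous_provider_withdrawn"]:  # operator-confirmed flag (assumption)
        findings.append("bgp: previous provider has not withdrawn the prefix")
    return findings

# Constructed sample plan (documentation prefix and example.com names).
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_PLAN = {
    "cidr": "203.0.113.0/24",
    "ip_count": 3,
    "previous_provider_withdrawn": True,
    "records": [
        {"name": "www.example.com", "old_ttl": 3600, "new_ttl": 60, "ttl_changed_at": T0},
        {"name": "cdn.example.com", "old_ttl": 86400, "new_ttl": 60, "ttl_changed_at": T0},
    ],
}

if __name__ == "__main__":
    for when in (T0 + timedelta(hours=1), T0 + timedelta(days=1)):
        print(when.isoformat(), preflight(SAMPLE_PLAN, when) or "ready to advertise")
```

The record with the longest old TTL sets the wait: in the sample, the plan is blocked one hour after the TTL change and clears only after the full 86400 seconds.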

Cleanup

To clean up resources created in this tutorial:

  • Delete CloudFront resources – Follow the cleanup instructions in CloudFront BYOIP documentation (link TBD)

  • Withdraw CIDR and delete IPAM pools – Follow the standard cleanup process in Step 8: Cleanup

Important

Delete CloudFront resources first, then proceed with IPAM cleanup to avoid service disruptions.