Bring your own public IPv4 CIDR to IPAM using only the AWS CLI
Follow these steps to bring an IPv4 CIDR to IPAM and allocate an Elastic IP address (EIP) with the CIDR using only the AWS CLI.
Important
This tutorial assumes you have already completed the steps in the following sections:
-
Each step of this tutorial must be done by one of three AWS Organizations accounts:
The management account.
The member account configured to be your IPAM administrator in Integrate IPAM with accounts in an AWS Organization. In this tutorial, this account will be called the IPAM account.
The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.
Contents
- Step 1: Create AWS CLI named profiles and IAM roles
- Step 2: Create an IPAM
- Step 3: Create a top-level IPAM pool
- Step 4: Provision a CIDR to the top-level pool
- Step 5: Create a Regional pool within the top-level pool
- Step 6: Provision a CIDR to the Regional pool
- Step 7: Advertise the CIDR
- Step 8: Share the Regional pool
- Step 9: Allocate an Elastic IP address from the pool
- Step 10: Associate the Elastic IP address with an EC2 instance
- Step 11: Cleanup
- Alternative to Step 9
Step 1: Create AWS CLI named profiles and IAM roles
To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch
from one IAM role to another. Named profiles are
collections of settings and credentials that you
refer to when using the --profile option with the AWS CLI.
For more
information about how to create IAM roles and named profiles for AWS accounts, see
Using an IAM role in the AWS CLI in the AWS Identity and Access Management User
Guide.
Create one role and one named profile for each of the three AWS accounts you will use in this tutorial:
A profile called
management-accountfor the AWS Organizations management account.A profile called
ipam-accountfor the AWS Organizations member account that is configured to be your IPAM administrator.A profile called
member-accountfor the AWS Organizations member account in your organization which will allocate CIDRs from an IPAM pool.
After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the --profile option with one of the named profiles to indicate which account must run the command.
Step 2: Create an IPAM
This step is optional. If you already have an IPAM created with operating Regions of
us-east-1 and us-west-2 created, you can skip this step.
Create an IPAM and specify an operating region of us-east-1 and
us-west-2 . You must select an operating region so that you can use the
locale option when you create your IPAM pool. The IPAM integration with BYOIP requires
that the locale is set on whichever pool will be used for the BYOIP CIDR.
This step must be done by the IPAM account.
Run the following command:
aws ec2 create-ipam --descriptionmy-ipam--regionus-east-1--operating-regionsRegionName=us-west-2--profileipam-account
In the output, you'll see the IPAM you've created. Note the value for
PublicDefaultScopeId. You will need your public scope ID in the next
step. You are using the public scope because BYOIP CIDRs are public IP addresses, which
is what the public scope is meant for.
{
"Ipam": {
"OwnerId": "123456789012",
"IpamId": "ipam-090e48e75758de279",
"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
"PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
"PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
"ScopeCount": 2,
"Description": "my-ipam",
"OperatingRegions": [
{
"RegionName": "us-east-1"
},
{
"RegionName": "us-west-2"
}
],
"Tags": []
}
}
Step 3: Create a top-level IPAM pool
Complete the steps in this section to create a top-level IPAM pool.
This step must be done by the IPAM account.
To create an IPv4 address pool for all of your AWS resources using the AWS CLI
-
Run the following command to create an IPAM pool. Use the ID of the public scope of the IPAM that you created in the previous step.
This step must be done by the IPAM account.
aws ec2 create-ipam-pool --regionus-east-1--ipam-scope-idipam-scope-0087d83896280b594--description"top-level-IPv4-pool"--address-familyipv4--profileipam-accountIn the output, you'll see
create-in-progress, which indicates that pool creation is in progress.{ "IpamPool": { "OwnerId": "123456789012", "IpamPoolId": "ipam-pool-0a03d430ca3f5c035", "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035", "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594", "IpamScopeType": "public", "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279", "Locale": "None", "PoolDepth": 1, "State": "create-in-progress", "Description": "top-level-pool", "AutoImport": false, "AddressFamily": "ipv4", "Tags": [] } } -
Run the following command until you see a state of
create-completein the output.aws ec2 describe-ipam-pools --regionus-east-1--profileipam-accountThe following example output shows the state of the pool.
{ "IpamPools": [ { "OwnerId": "123456789012", "IpamPoolId": "ipam-pool-0a03d430ca3f5c035", "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035", "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594", "IpamScopeType": "public", "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279", "Locale": "None", "PoolDepth": 1, "State": "create-complete", "Description": "top-level-IPV4-pool", "AutoImport": false, "AddressFamily": "ipv4", "Tags": [] } ] }
Step 4: Provision a CIDR to the top-level pool
Provision a CIDR block to the top-level pool. Note that when provisioning an IPv4 CIDR
to a pool within the top-level pool, the minimum IPv4 CIDR you can provision is
/24; more specific CIDRs (such as /25) are not
permitted.
Note
-
If you verified your domain control with an X.509 certificate, you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space.
-
If you verified your domain control with a DNS TXT record, you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.
You only need to verify domain control when you provision the BYOIP CIDR to the top-level pool. For the Regional pool within the top-level pool, you can omit the domain ownership verification option.
This step must be done by the IPAM account.
Important
You only need to verify domain control when you provision the BYOIP CIDR to the top-level pool. For the Regional pool within the top-level pool, you can omit the domain control option. Once you onboard your BYOIP to IPAM, you are not required to perform ownership validation when you divide the BYOIP across Regions and accounts.
To provision a CIDR block to the pool using the AWS CLI
-
To provision the CIDR with certificate information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace
MessageandSignaturevalues with thetext_messageandsigned_messagevalues that you got in Verify your domain with an X.509 certificate.aws ec2 provision-ipam-pool-cidr --regionus-east-1--ipam-pool-idipam-pool-0a03d430ca3f5c035--cidr130.137.245.0/24--verification-method remarks-x509 --cidr-authorization-context Message="1|aws|470889052444|130.137.245.0/24|20250101|SHA256|RSAPSS",Signature="W3gdQ9PZHLjPmrnGM~cvGx~KCIsMaU0P7ENO7VRnfSuf9NuJU5RUveQzus~QmF~Nx42j3z7d65uyZZiDRX7KMdW4KadaLiClyRXN6ps9ArwiUWSp9yHM~U-hApR89Kt6GxRYOdRaNx8yt-uoZWzxct2yIhWngy-du9pnEHBOX6WhoGYjWszPw0iV4cmaAX9DuMs8ASR83K127VvcBcRXElT5URr3gWEB1CQe3rmuyQk~gAdbXiDN-94-oS9AZlafBbrFxRjFWRCTJhc7Cg3ASbRO-VWNci-C~bWAPczbX3wPQSjtWGV3k1bGuD26ohUc02o8oJZQyYXRpgqcWGVJdQ__" --profileipam-accountTo provision the CIDR with verification token information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace
ipam-ext-res-ver-token-0309ce7f67a768cf0with theIpamExternalResourceVerificationTokenIdtoken ID that you got in Verify your domain with a DNS TXT record.aws ec2 provision-ipam-pool-cidr --regionus-east-1--ipam-pool-idipam-pool-0a03d430ca3f5c035--cidr130.137.245.0/24--verification-method dns-token --ipam-external-resource-verification-token-idipam-ext-res-ver-token-0309ce7f67a768cf0--profileipam-accountIn the output, you'll see the CIDR pending provision.
{ "IpamPoolCidr": { "Cidr": "130.137.245.0/24", "State": "pending-provision" } } -
Ensure that this CIDR has been provisioned before you continue.
Important
While most provisioning will be completed within two hours, it may take up to one week to complete the provisioning process for publicly advertisable ranges.
Run the following command until you see a state of
provisionedin the output.aws ec2 get-ipam-pool-cidrs --regionus-east-1--ipam-pool-idipam-pool-0a03d430ca3f5c035--profileipam-accountThe following example output shows the state.
{ "IpamPoolCidrs": [ { "Cidr": "130.137.245.0/24", "State": "provisioned" } ] }
Step 5: Create a Regional pool within the top-level pool
Create a Regional pool within the top-level pool.
The locale for the pool should be one of the following:
An AWS Region where you want this IPAM pool to be available for allocations.
The network border group for an AWS Local Zone where you want this IPAM pool to be available for allocations (supported Local Zones). This option is only available for IPAM IPv4 pools in the public scope.
An AWS Dedicated Local Zone
. To create a pool within an AWS Dedicated Local Zone, enter the AWS Dedicated Local Zone in the selector input.
For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.
When you run the commands in this section, the value for --region must
include the --locale option you entered when you created the pool that will
be used for the BYOIP CIDR. For example, if you created the BYOIP pool with a locale of
us-east-1, the --region should be
us-east-1. If you created the BYOIP pool with a
locale of us-east-1-scl-1 (a network border group
used for Local Zones), the --region should be us-east-1 because that Region manages the locale us-east-1-scl-1.
This step must be done by the IPAM account.
Choosing a locale ensures there are no
cross-region dependencies between your pool and the resources allocating from
it. The available options come from the operating Regions that you chose when
you created your IPAM. In this tutorial, we'll use us-west-2 as the
locale for the Regional pool.
Important
When you create the pool, you must include --aws-service ec2. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is ec2, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs).
To create a Regional pool using the AWS CLI
-
Run the following command to create the pool.
aws ec2 create-ipam-pool --description"Regional-IPv4-pool"--regionus-east-1--ipam-scope-idipam-scope-0087d83896280b594--source-ipam-pool-idipam-pool-0a03d430ca3f5c035--localeus-west-2--address-familyipv4--aws-service ec2 --profileipam-accountIn the output, you'll see IPAM creating the pool.
{ "IpamPool": { "OwnerId": "123456789012", "IpamPoolId": "ipam-pool-0d8f3646b61ca5987", "SourceIpamPoolId": "ipam-pool-0a03d430ca3f5c035", "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0d8f3646b61ca5987", "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594", "IpamScopeType": "public", "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279", "Locale": "us-west-2", "PoolDepth": 2, "State": "create-in-progress", "Description": "Regional--pool", "AutoImport": false, "AddressFamily": "ipv4", "Tags": [], "ServiceType": "ec2" } } -
Run the following command until you see a state of
create-completein the output.aws ec2 describe-ipam-pools --regionus-east-1--profileipam-accountIn the output, you see the pools that you have in your IPAM. In this tutorial, we created a top-level and a Regional pool, so you'll see them both.
Step 6: Provision a CIDR to the Regional pool
Provision a CIDR block to the Regional pool.
Note
When provisioning a CIDR to a Regional pool within the top-level pool, the
most specific IPv4 CIDR you can provision is /24; more specific
CIDRs (such as /25) are not permitted. After you create the
Regional pool, you can create smaller pools (such as /25)
within the same Regional pool. Note that if you share the Regional pool or
pools within it, these pools can only be used in the locale set on the same
Regional pool.
This step must be done by the IPAM account.
To assign a CIDR block to the Regional pool using the AWS CLI
-
Run the following command to provision the CIDR.
aws ec2 provision-ipam-pool-cidr --regionus-east-1--ipam-pool-idipam-pool-0d8f3646b61ca5987--cidr130.137.245.0/24--profileipam-accountIn the output, you'll see the CIDR pending provision.
{ "IpamPoolCidr": { "Cidr": "130.137.245.0/24", "State": "pending-provision" } } -
Run the following command until you see the state of
provisionedin the output.aws ec2 get-ipam-pool-cidrs --regionus-east-1--ipam-pool-idipam-pool-0d8f3646b61ca5987--profileipam-accountThe following example output shows the correct state.
{ "IpamPoolCidrs": [ { "Cidr": "130.137.245.0/24", "State": "provisioned" } ] }
Step 7: Advertise the CIDR
The steps in this section must be done by the IPAM account. Once you associate the
Elastic IP address (EIP) with an instance or Elastic Load Balancer, you can then start
advertising the CIDR you brought to AWS that is in pool that has --aws-service
ec2 defined. In this tutorial, that's your Regional pool. By default the CIDR
is not advertised, which means it's not publicly accessible over the internet. When you
run the command in this section, the value for --region must match the
--locale option you entered when you created the pool that will be used
for the BYOIP CIDR.
This step must be done by the IPAM account.
Note
The advertisement status doesn't not restrict your ability to allocate Elastic IP addresses. Even if your BYOIPv4 CIDR is not advertised, you can still can create EIPs from the IPAM pool.
Start advertising the CIDR using the AWS CLI
-
Run the following command to advertise the CIDR.
aws ec2 advertise-byoip-cidr --regionus-west-2--cidr130.137.245.0/24--profileipam-accountIn the output, you'll see the CIDR is advertised.
{ "ByoipCidr": { "Cidr": "130.137.245.0/24", "State": "advertised" } }
Step 8: Share the Regional pool
Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM).
Enable resource sharing in AWS RAM
After you create your IPAM, you’ll want to share the regional pool with other
accounts in your organization. Before you share an IPAM pool, complete the steps in
this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to
enable resource sharing, use the --profile
option.management-account
To enable resource sharing
-
Using the AWS Organizations management account, open the AWS RAM console at https://console.aws.amazon.com/ram/
. -
In the left navigation pane, choose Settings, choose Enable sharing with AWS Organizations, and then choose Save settings.
You can now share an IPAM pool with other members of the organization.
Share an IPAM pool using AWS RAM
In this section you’ll share the regional pool with another AWS Organizations member
account. For complete instructions on sharing IPAM pools, including information on
the required IAM permissions, see Share an IPAM pool using AWS RAM. If you are using the AWS CLI to enable resource sharing, use the --profile option.ipam-account
To share an IPAM pool using AWS RAM
-
Using the IPAM admin account, open the IPAM console at https://console.aws.amazon.com/ipam/
. -
In the navigation pane, choose Pools.
-
Choose the private scope, choose the IPAM pool, and choose Actions > View details.
-
Under Resource sharing, choose Create resource share. The AWS RAM console opens. You share the pool using AWS RAM.
-
Choose Create a resource share.
-
In the AWS RAM console, choose Create a resource share again.
-
Add a Name for the shared pool.
-
Under Select resource type, choose IPAM pools, and then choose the ARN of the pool you want to share.
-
Choose Next.
-
Choose the AWSRAMPermissionIpamPoolByoipCidrImport permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in Share an IPAM pool using AWS RAM.
-
Choose Next.
-
Under Principals > Select principal type, choose AWS account and enter the account ID of the account that will be bringing an IP address range to IPAM and choose Add .
-
Choose Next.
-
Review the resource share options and the principals that you’ll be sharing with, and then choose Create.
-
To allow the
member-accountaccount to allocate IP address CIDRS from the IPAM pool, create a second resource share withAWSRAMDefaultPermissionsIpamPool. The value for--resource-arnsis the ARN of the IPAM pool that you created in the previous section. The value for--principalsis the account ID of themember-account. The value for--permission-arnsis the ARN of theAWSRAMDefaultPermissionsIpamPoolpermission.
Step 9: Allocate an Elastic IP address from the pool
Complete the steps in this section to allocate an Elastic IP address from the pool. Note that if you are using public IPv4 pools to allocate Elastic IP addresses, you can use the alternative steps in Alternative to Step 9 rather than the steps in this section.
Important
If you see an error related to not having permissions to call ec2:AllocateAddress,
the managed permission currently assigned to the IPAM pool that was shared with you
needs to be updated. Contact the person who created the resource share and ask them
to update the managed permission AWSRAMPermissionIpamResourceDiscovery
to the default version. For more information, see Update a resource
share in the AWS RAM User Guide .
Step 10: Associate the Elastic IP address with an EC2 instance
Complete the steps in this section to associate the Elastic IP address with an EC2 instance.
Step 11: Cleanup
Follow the steps in this section to clean up the resources you've provisioned and
created in this tutorial. When you run the commands in this section, the value for
--region must include the --locale option you entered when
you created the pool that will be used for the BYOIP CIDR.
Clean up using the AWS CLI
-
View the EIP allocation managed in IPAM.
This step must be done by the IPAM account.
aws ec2 get-ipam-pool-allocations --regionus-west-2--ipam-pool-idipam-pool-0d8f3646b61ca5987--profileipam-accountThe output shows the allocation in IPAM.
{ "IpamPoolAllocations": [ { "Cidr": "130.137.245.0/24", "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc45", "ResourceId": "ipv4pool-ec2-0019eed22a684e0b2", "ResourceType": "ec2-public-ipv4-pool", "ResourceOwner": "123456789012" } ] } -
Stop advertising the IPv4 CIDR.
This step must be done by the IPAM account.
aws ec2 withdraw-byoip-cidr --regionus-west-2--cidr130.137.245.0/24--profileipam-accountIn the output, you'll see the CIDR State has changed from advertised to provisioned.
{ "ByoipCidr": { "Cidr": "130.137.245.0/24", "State": "provisioned" } } -
Release the Elastic IP address.
This step must be done by the member account.
aws ec2 release-address --regionus-west-2--allocation-ideipalloc-0db3405026756dbf6--profilemember-accountYou will not see any output when you run this command.
-
View the EIP allocation is no longer managed in IPAM. It can take some time for IPAM to discover that the Elastic IP address has been removed. You cannot continue to clean up and deprovision the IPAM pool CIDR until you see that the allocation has been removed from IPAM. When you run the command in this section, the value for
--regionmust include the--localeoption you entered when you created the pool that will be used for the BYOIP CIDR.This step must be done by the IPAM account.
aws ec2 get-ipam-pool-allocations --regionus-west-2--ipam-pool-idipam-pool-0d8f3646b61ca5987--profileipam-accountThe output shows the allocation in IPAM.
{ "IpamPoolAllocations": [] } -
Deprovision the Regional pool CIDR. When you run the commands in this step, the value for
--regionmust match the Region of your IPAM.This step must be done by the IPAM account.
aws ec2 deprovision-ipam-pool-cidr --regionus-east-1--ipam-pool-idipam-pool-0d8f3646b61ca5987--cidr130.137.245.0/24--profileipam-accountIn the output, you'll see the CIDR pending deprovision.
{ "IpamPoolCidr": { "Cidr": "130.137.245.0/24", "State": "pending-deprovision" } }Deprovisioning takes time to complete. Check the status of deprovisioning.
aws ec2 get-ipam-pool-cidrs --regionus-east-1--ipam-pool-idipam-pool-0d8f3646b61ca5987--profileipam-accountWait until you see deprovisioned before you continue to the next step.
{ "IpamPoolCidr": { "Cidr": "130.137.245.0/24", "State": "deprovisioned" } } -
Delete the RAM shares and disable RAM integration with AWS Organizations. Complete the steps in Deleting a resource share in AWS RAM and Disabling resource sharing with AWS Organizations in the AWS RAM User Guide, in that order, to delete the RAM shares and disable RAM integration with AWS Organizations.
This step must be done by the IPAM account and management account respectively. If you are using the AWS CLI to delete the RAM shares and disable RAM integration, use the
--profileandipam-account--profileoptions.management-account -
Delete the Regional pool. When you run the command in this step, the value for
--regionmust match the Region of your IPAM.This step must be done by the IPAM account.
aws ec2 delete-ipam-pool --regionus-east-1--ipam-pool-idipam-pool-0d8f3646b61ca5987--profileipam-accountIn the output, you can see the delete state.
{ "IpamPool": { "OwnerId": "123456789012", "IpamPoolId": "ipam-pool-0d8f3646b61ca5987", "SourceIpamPoolId": "ipam-pool-0a03d430ca3f5c035", "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0d8f3646b61ca5987", "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594", "IpamScopeType": "public", "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279", "Locale": "us-east-1", "PoolDepth": 2, "State": "delete-in-progress", "Description": "reg-ipv4-pool", "AutoImport": false, "Advertisable": true, "AddressFamily": "ipv4" } } -
Deprovision the top-level pool CIDR. When you run the commands in this step, the value for
--regionmust match the Region of your IPAM.This step must be done by the IPAM account.
aws ec2 deprovision-ipam-pool-cidr --regionus-east-1--ipam-pool-idipam-pool-0a03d430ca3f5c035--cidr130.137.245.0/24--profileipam-accountIn the output, you'll see the CIDR pending deprovision.
{ "IpamPoolCidr": { "Cidr": "130.137.245.0/24", "State": "pending-deprovision" } }Deprovisioning takes time to complete. Run the following command to check the status of deprovisioning.
aws ec2 get-ipam-pool-cidrs --regionus-east-1--ipam-pool-idipam-pool-0a03d430ca3f5c035--profileipam-accountWait until you see deprovisioned before you continue to the next step.
{ "IpamPoolCidr": { "Cidr": "130.137.245.0/24", "State": "deprovisioned" } } -
Delete the top-level pool. When you run the command in this step, the value for
--regionmust match the Region of your IPAM.This step must be done by the IPAM account.
aws ec2 delete-ipam-pool --regionus-east-1--ipam-pool-idipam-pool-0a03d430ca3f5c035--profileipam-accountIn the output, you can see the delete state.
{ "IpamPool": { "OwnerId": "123456789012", "IpamPoolId": "ipam-pool-0a03d430ca3f5c035", "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035", "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594", "IpamScopeType": "public", "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279", "Locale": "us-east-1", "PoolDepth": 2, "State": "delete-in-progress", "Description": "top-level-pool", "AutoImport": false, "Advertisable": true, "AddressFamily": "ipv4" } } -
Delete the IPAM. When you run the command in this step, the value for
--regionmust match the Region of your IPAM.This step must be done by the IPAM account.
aws ec2 delete-ipam --regionus-east-1--ipam-idipam-090e48e75758de279--profileipam-accountIn the output, you'll see the IPAM response. This means that the IPAM was deleted.
{ "Ipam": { "OwnerId": "123456789012", "IpamId": "ipam-090e48e75758de279", "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279", "PublicDefaultScopeId": "ipam-scope-0087d83896280b594", "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d", "ScopeCount": 2, "OperatingRegions": [ { "RegionName": "us-east-1" }, { "RegionName": "us-west-2" } ], } }
Alternative to Step 9
If you are using public IPv4 pools to allocate Elastic IP addresses, you can use the steps in this section rather than the steps in Step 9: Allocate an Elastic IP address from the pool.
Contents
Step 1: Create a public IPv4 pool
This step would typically be done by a different AWS account which wants to provision an Elastic IP address, such as the member account.
Important
Public IPv4 pools and IPAM pools are managed by distinct resources in AWS. Public IPv4 pools are single account resources that enable you to convert your publicly-owned CIDRs to Elastic IP addresses. IPAM pools can be used to allocate your public space to public IPv4 pools.
To create a public IPv4 pool using the AWS CLI
-
Run the following command to provision the CIDR. When you run the command in this section, the value for
--regionmust match the--localeoption you entered when you created the pool that will be used for the BYOIP CIDR.aws ec2 create-public-ipv4-pool --regionus-west-2--profilemember-accountIn the output, you'll see the public IPv4 pool ID. You will need this ID in the next step.
{ "PoolId": "ipv4pool-ec2-0019eed22a684e0b2" }
Step 2: Provision the public IPv4 CIDR to your public IPv4 pool
Provision the public IPv4 CIDR to your public IPv4 pool. The value for
--region must match the --locale value you entered when
you created the pool that will be used for the BYOIP CIDR. The least specific
--netmask-length you can define is 24.
This step must be done by the member account.
To create a public IPv4 pool using the AWS CLI
-
Run the following command to provision the CIDR.
aws ec2 provision-public-ipv4-pool-cidr --regionus-west-2--ipam-pool-idipam-pool-0d8f3646b61ca5987--pool-idipv4pool-ec2-0019eed22a684e0b2--netmask-length24--profilemember-accountIn the output, you'll see the provisioned CIDR.
{ "PoolId": "ipv4pool-ec2-0019eed22a684e0b2", "PoolAddressRange": { "FirstAddress": "130.137.245.0", "LastAddress": "130.137.245.255", "AddressCount": 256, "AvailableAddressCount": 256 } } -
Run the following command to view the CIDR provisioned in the public IPv4 pool.
aws ec2 describe-byoip-cidrs --regionus-west-2--max-results10--profilemember-accountIn the output, you'll see the provisioned CIDR. By default the CIDR is not advertised, which means it's not publicly accessible over the internet. You will have the chance to set this CIDR to advertised in the last step of this tutorial.
{ "ByoipCidrs": [ { "Cidr": "130.137.245.0/24", "StatusMessage": "Cidr successfully provisioned", "State": "provisioned" } ] }
Step 3: Create an Elastic IP address from the public IPv4 pool
Create an Elastic IP address (EIP) from the public IPv4 pool. When you run the
commands in this section, the value for --region must match the
--locale option you entered when you created the pool that will be used
for the BYOIP CIDR.
This step must be done by the member account.
To create an EIP from the public IPv4 pool using the AWS CLI
-
Run the following command to create the EIP.
aws ec2 allocate-address --regionus-west-2--public-ipv4-poolipv4pool-ec2-0019eed22a684e0b2--profilemember-accountIn the output, you'll see the allocation.
{ "PublicIp": "130.137.245.100", "AllocationId": "eipalloc-0db3405026756dbf6", "PublicIpv4Pool": "ipv4pool-ec2-0019eed22a684e0b2", "NetworkBorderGroup": "us-east-1", "Domain": "vpc" } -
Run the following command to view the EIP allocation managed in IPAM.
This step must be done by the IPAM account.
aws ec2 get-ipam-pool-allocations --regionus-west-2--ipam-pool-idipam-pool-0d8f3646b61ca5987--profileipam-accountThe output shows the allocation in IPAM.
{ "IpamPoolAllocations": [ { "Cidr": "130.137.245.0/24", "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc45", "ResourceId": "ipv4pool-ec2-0019eed22a684e0b2", "ResourceType": "ec2-public-ipv4-pool", "ResourceOwner": "123456789012" } ] }
Alternative to Step 9 cleanup
Complete these steps to clean up public IPv4 pools created with the alternative to Step 9. You should complete these steps after you release the Elastic IP address during the standard cleanup process in Step 10: Cleanup.
-
View your BYOIP CIDRs.
This step must be done by the member account.
aws ec2 describe-public-ipv4-pools --regionus-west-2--profilemember-accountIn the output, you'll see the IP addresses in your BYOIP CIDR.
{ "PublicIpv4Pools": [ { "PoolId": "ipv4pool-ec2-0019eed22a684e0b2", "Description": "", "PoolAddressRanges": [ { "FirstAddress": "130.137.245.0", "LastAddress": "130.137.245.255", "AddressCount": 256, "AvailableAddressCount": 256 } ], "TotalAddressCount": 256, "TotalAvailableAddressCount": 256, "NetworkBorderGroup": "us-east-1", "Tags": [] } ] } -
Release the last IP address in the CIDR from the public IPv4 pool. Enter the IP address with a netmask of /32. You must rerun this command for each IP address in the CIDR range. If your CIDR is a
/24, you will have to run this command to deprovision each of the 256 IP addresses in the/24CIDR. When you run the command in this section, the value for--regionmust match the Region of your IPAM.This step must be done by the member account.
aws ec2 deprovision-public-ipv4-pool-cidr --regionus-east-1--pool-idipv4pool-ec2-0019eed22a684e0b2--cidr130.137.245.255/32--profilemember-accountIn the output, you'll see the deprovisioned CIDR.
{ "PoolId": "ipv4pool-ec2-0019eed22a684e0b2", "DeprovisionedAddresses": [ "130.137.245.255" ] } -
View your BYOIP CIDRs again and ensure there are no more provisioned addresses. When you run the command in this section, the value for
--regionmust match the Region of your IPAM.This step must be done by the member account.
aws ec2 describe-public-ipv4-pools --regionus-east-1--profilemember-accountIn the output, you'll see the IP addresses count in your public IPv4 pool.
{ "PublicIpv4Pools": [ { "PoolId": "ipv4pool-ec2-0019eed22a684e0b2", "Description": "", "PoolAddressRanges": [], "TotalAddressCount": 0, "TotalAvailableAddressCount": 0, "NetworkBorderGroup": "us-east-1", "Tags": [] } ] }
