Tutorial: BYOIP address CIDRs to IPAM - Amazon Virtual Private Cloud


The tutorials in this section walk you through the process of bringing public IP address space to AWS and managing the space with IPAM.

Managing public IP address space with IPAM has the following benefits:

  • Improves public IP addresses utilization across your organization: You can use IPAM to share IP address space across AWS accounts. Without using IPAM, you cannot share your public IP space across AWS Organizations accounts.

  • Simplifies the process of bringing public IP space to AWS: You can use IPAM to onboard public IP address space once, and then use IPAM to distribute your public IPs across Regions. Without IPAM, you have to onboard your public IPs for each AWS Region.

Important

To complete the steps in this tutorial, you first need to complete the following steps, described in the Amazon EC2 User Guide for Linux Instances, for the CIDR range you want to bring to AWS and IPAM. Once you complete these steps, continue with this tutorial.

Follow these steps to authorize Amazon to advertise your IP address range.

  1. Create a ROA object in your RIR. This may require you to create a key pair as described in Create a key pair and certificate.

    When you create the ROAs, for IPv4 CIDRs you must set the maximum length of an IP address prefix to /24. For IPv6 CIDRs, if you are adding them to an advertisable pool, the maximum length of an IP address prefix must be /48. This ensures that you have full flexibility to divide your public IP address space across AWS Regions. IPAM enforces the maximum length you set. The maximum length is the smallest prefix length announcement you will allow for this route. For example, if you bring a /20 CIDR block to AWS, by setting the maximum length to /24, you can divide the larger block any way you like (such as with /21, /22, or /24) and distribute those smaller CIDR blocks to any Region. If you were to set the maximum length to /23, you would not be able to divide and advertise a /24 from the larger block. Also, note that /24 is the smallest IPv4 block and /48 is the smallest IPv6 block you can advertise from a Region to the internet.

  2. Update the RDAP record in your RIR.

Follow these steps to create a certificate so that Amazon can verify that you own the IP address range you are bringing to Amazon.

  1. Create a key pair and certificate. This is not the same key pair used in creation of the ROA object but rather a new key pair only for Amazon verification purposes.

  2. Create an ROA object in your RIR.

    When you create the ROAs, for IPv4 CIDRs you must set the maximum length of an IP address prefix to /24. For IPv6 CIDRs, if you are adding them to an advertisable pool, the maximum length of an IP address prefix must be /48. This ensures that you have full flexibility to divide your public IP address space across AWS Regions. IPAM enforces the maximum length you set. The maximum length is the smallest prefix length announcement you will allow for this route. For example, if you bring a /20 CIDR block to AWS, by setting the maximum length to /24, you can divide the larger block any way you like (such as with /21, /22, or /24) and distribute those smaller CIDR blocks to any Region. If you were to set the maximum length to /23, you would not be able to divide and advertise a /24 from the larger block. Also, note that /24 is the smallest IPv4 block and /48 is the smallest IPv6 block you can advertise from a Region to the internet.
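The maximum-length note above (it appears both under step 1 of the authorization steps and under step 2 of the certificate steps) is the part of this procedure that is easiest to get wrong, because a ROA with the wrong maxLength silently prevents you from later carving the block up across Regions. The following is an added example, not code from this tutorial or from AWS: a small Python check you can run before creating the ROA to confirm that the per-Region blocks you plan to advertise are each covered by the parent CIDR, are no longer than the ROA maxLength, are not smaller than the /24 (IPv4) and /48 (IPv6) advertising floors the tutorial describes, and do not overlap each other. The parent CIDR, the Region names and the sub-blocks are constructed sample values; the function names are my own.

```python
import ipaddress

# Smallest blocks the tutorial says a Region can advertise to the internet,
# keyed by IP version.
MIN_ADVERTISABLE_PREFIX = {4: 24, 6: 48}


def roa_allows(parent_cidr, roa_max_length, candidate_cidr):
    """Return True if candidate_cidr could be advertised under a ROA that covers
    parent_cidr with the given maxLength.

    ROA semantics as the tutorial describes them: maxLength is the longest
    prefix length (smallest block) the ROA authorizes, and IPAM enforces it.
    The candidate must also lie inside the parent and must not be smaller than
    the Region advertising floor (/24 for IPv4, /48 for IPv6).
    """
    parent = ipaddress.ip_network(parent_cidr, strict=True)
    candidate = ipaddress.ip_network(candidate_cidr, strict=True)
    if parent.version != candidate.version:
        return False  # mixing IPv4 and IPv6 can never match one ROA
    if not candidate.subnet_of(parent):
        return False  # not part of the block you are bringing to AWS
    if candidate.prefixlen > roa_max_length:
        return False  # longer than the ROA maxLength: IPAM would reject it
    if candidate.prefixlen > MIN_ADVERTISABLE_PREFIX[candidate.version]:
        return False  # below the smallest block a Region can advertise
    return True


def check_region_plan(parent_cidr, roa_max_length, plan):
    """Validate a plan of {region_name: [cidr, ...]} against the ROA.

    Returns a list of human-readable problems; an empty list means every block
    is advertisable under the ROA and no two Regions are given overlapping
    space.
    """
    problems = []
    assigned = []  # (region, network) pairs already seen
    for region, cidrs in plan.items():
        for cidr in cidrs:
            if not roa_allows(parent_cidr, roa_max_length, cidr):
                problems.append(
                    f"{region}: {cidr} cannot be advertised under "
                    f"{parent_cidr} with maxLength /{roa_max_length}"
                )
            network = ipaddress.ip_network(cidr, strict=True)
            for other_region, other_network in assigned:
                if network.overlaps(other_network):
                    problems.append(
                        f"{region}: {cidr} overlaps {other_network} "
                        f"already assigned to {other_region}"
                    )
            assigned.append((region, network))
    return problems


if __name__ == "__main__":
    # Constructed sample: a /20 brought to AWS, split across three Regions.
    PARENT = "203.0.112.0/20"
    PLAN = {
        "us-east-1": ["203.0.112.0/21"],
        "eu-west-1": ["203.0.120.0/22"],
        "ap-southeast-1": ["203.0.124.0/24"],
    }
    # With maxLength /24 the plan is fine; with /23 the /24 for
    # ap-southeast-1 is no longer advertisable.
    for max_len in (24, 23):
        found = check_region_plan(PARENT, max_len, PLAN)
        print(f"maxLength /{max_len}: {found or 'OK'}")
```

Run it once with the maxLength you intend to put in the ROA; if the second loop iteration in the `__main__` block prints a problem for your own plan, the ROA is too restrictive for the way you want to divide the block, and it is cheaper to fix that before the RIR publishes the ROA than after IPAM has started enforcing it.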