Bring your own IP to CloudFront using IPAM - Amazon CloudFront

This tutorial shows how to use IPAM to manage your BYOIP CIDRs for CloudFront Anycast Static IP lists.

What is BYOIP for Anycast Static IPs?

CloudFront supports bringing your own IPv4 addresses through IPAM's BYOIP for global services. Through IPAM's unified interface, customers can create dedicated IP address pools using their own IP addresses (BYOIP) and assign them to CloudFront distributions while leveraging the AWS worldwide content delivery network to deliver their applications and content. Your IP addresses are advertised from multiple CloudFront edge locations simultaneously using anycast routing.

Why use this feature?

Control network access with allow lists
  • Allow-list IP addresses with network providers to waive data charges for approved viewers

  • Configure outbound security firewalls to restrict traffic to approved applications only

Simplify operations and migrations
  • Route apex domains (example.com) directly to CloudFront by adding A records that point to your static IPs

  • Migrate from other CDNs without updating IP infrastructure or firewall configurations

  • Maintain existing IP allowlists with partners and clients

  • Share a single Anycast static IP list across multiple CloudFront distributions

Consistent branding
  • Keep your existing IP address space for consistent branding when moving to AWS

Prerequisites

To use Anycast static IP lists with your CloudFront distribution, you must select Use all edge locations for the price class for the distribution. For more information about pricing, see CloudFront pricing. For Bring Your Own IP (BYOIP), you also need to disable IPv6 for the distribution or connection group.

Complete these steps before starting:

Note

Requires three /24 IPv4 CIDR blocks.

Step 1: Request an Anycast static IP list

Request an Anycast static IP list to use with your CloudFront distribution.

To request an Anycast static IP list
  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. In the left navigation pane, choose Static IPs.

  3. For Request, choose the link to contact CloudFront support engineering.

  4. Provide your workload information (request bytes per second and requests per second).

  5. CloudFront support engineering reviews your request. The review process might take up to two days.

  6. After your request is approved, you can create an Anycast static IP list and associate it with one or more distributions.

Step 2: Create an Anycast static IP list

Before you begin, request an Anycast static IP list as explained in the preceding section.

To create an Anycast static IP list
  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.

  2. In the left navigation pane, choose Static IPs.

  3. Choose Create Anycast IP list.

  4. For Name, enter a name.

  5. For Static IP use cases, select BYOIP as your use case.

The following steps differ from the standard regional BYOIP process and establish the pattern for global services:

AWS CLI

Install or update to the latest version of the AWS CLI. For more information, see the AWS Command Line Interface User Guide.

  1. Retrieve the IpamPoolArn of the IPAM pool where your CIDR blocks were provisioned. For more information, see Bring your own public IPv4 CIDR to IPAM using only the AWS CLI.

  2. Create an Anycast IP list with your CIDR blocks and IPAM configuration:

    aws cloudfront create-anycast-ip-list \
        --name byoip-aip-1 \
        --ip-count 3 \
        --region us-east-1 \
        --ip-address-type ipv4 \
        --ipam-cidr-configs '[{"Cidr":"1.1.1.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"},
          {"Cidr":"2.2.2.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"},
          {"Cidr":"3.3.3.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"}]'

Note

You can't select the specific IP address from the pool. CloudFront will do this automatically.
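
A pre-flight check for the `--ipam-cidr-configs` value, as an added example that is not AWS code: it enforces the three /24 IPv4 blocks named in the prerequisites and flags overlapping or malformed entries before the command is run. The function name, the ARN pattern (inferred from the sample ARNs in the command above) and the faulty sample input are assumptions constructed for this example.

```python
import ipaddress
import json
import re

# Assumed ARN shape, inferred from the sample ARNs in the page's command.
POOL_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:ec2::\d{12}:ipam-pool/ipam-pool-[0-9a-f]+$")
ARN = "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"

# The three sample CIDRs used in the page's command.
PAGE_CONFIG = json.dumps([{"Cidr": c, "IpamPoolArn": ARN}
                          for c in ("1.1.1.0/24", "2.2.2.0/24", "3.3.3.0/24")])
# Constructed faulty input: a /25 inside the first block, host bits set, bad ARN.
BAD_CONFIG = json.dumps([
    {"Cidr": "198.51.100.0/24", "IpamPoolArn": ARN},
    {"Cidr": "198.51.100.128/25", "IpamPoolArn": ARN},
    {"Cidr": "203.0.113.7/24", "IpamPoolArn": "ipam-pool-0123"},
])


def check_ipam_cidr_configs(raw, ip_count=3):
    """Return a list of problems found in an --ipam-cidr-configs JSON string."""
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(entries, list):
        return ["top-level value must be a JSON array"]
    problems, seen = [], []
    if len(entries) != ip_count:
        problems.append(f"expected {ip_count} CIDR entries, found {len(entries)}")
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not a JSON object")
            continue
        cidr, arn = str(entry.get("Cidr")), str(entry.get("IpamPoolArn"))
        if not POOL_ARN_RE.match(arn):
            problems.append(f"entry {i}: IpamPoolArn {arn!r} is not an IPAM pool ARN")
        try:
            net = ipaddress.IPv4Network(cidr)  # strict: rejects IPv6 and host bits
        except ValueError:
            problems.append(f"entry {i}: {cidr!r} is not a valid IPv4 network")
            continue
        if net.prefixlen != 24:
            problems.append(f"entry {i}: {cidr} is a /{net.prefixlen}, not a /24")
        problems += [f"entry {i}: {cidr} overlaps {o}" for o in seen if net.overlaps(o)]
        seen.append(net)
    return problems
```

An empty list means the value matches the shape this tutorial describes; it does not confirm that the CIDRs are actually provisioned in the referenced IPAM pool.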

Step 3: Create a CloudFront distribution

For CloudFront, you can follow instructions to create a standard distribution or use multi-tenant distributions.

Step 4: Associate with CloudFront resources

Step 5: Prepare for migration

For more information, see Step 4: Prepare for migration in the Amazon VPC User Guide.

For more information, see Step 5: Advertise CIDR globally in the Amazon VPC User Guide.