Define public IPv4 allocation strategy with IPAM policies
An IPAM policy is a set of rules that define how public IPv4 addresses from IPAM pools are allocated to AWS resources. Each rule maps an AWS service to the IPAM pools that the service uses to get IP addresses. A single policy can have multiple rules and can be applied to multiple AWS Regions. If an IPAM pool runs out of addresses, the service falls back to Amazon-provided IP addresses. A policy can be applied to an individual AWS account or to an entity within AWS Organizations. If you bring your own IP addresses (BYOIP), this helps reduce your AWS public IPv4 costs.
When to use IPAM policies
Use IPAM policies to:
- Reduce public IPv4 costs by using BYOIP addresses
- Centrally control which IP pools your AWS resources use
- Ensure consistent IP allocation across your organization
How it works
When you create an AWS resource that needs a public IP address in an account with IPAM policies enforced:
- IPAM checks your policy rules in order.
- If a rule matches the resource type, IPAM allocates an IP address from the specified pool.
- If the pool is empty and overflow is enabled, Amazon provides an IP address.
- If no rules match, the default behavior applies.
Supported services and resources
You can create IPAM policies to define how public IPv4 addresses from IPAM pools are allocated to the following AWS services and resources:
- Elastic IP addresses (EIPs)
- Regional NAT gateways
Important
For EIPs, if you choose a specific IPAM pool when allocating a public IPv4 address to them, that will override the IPAM policy.
Prerequisites
- An IPAM in the delegated administrator account with the advanced tier enabled
- A public IPAM pool with IPv4 addresses
- IAM permissions for IPAM and EC2 operations
Terminology
- IPAM policy
  An IPAM policy is a set of rules that define how public IPv4 addresses from IPAM pools are allocated to AWS resources. Each rule maps an AWS service to the IPAM pools that the service uses to get IP addresses. A single policy can have multiple rules and can be applied to multiple AWS Regions. If an IPAM pool runs out of addresses, the service falls back to Amazon-provided IP addresses. A policy can be applied to an individual AWS account or to an entity within AWS Organizations.
- Allocation rules
  Optional configurations within an IPAM policy that map AWS resource types to specific IPAM pools. If no rules are defined, the resource types default to using Amazon-provided IP addresses.
- Target
  An individual AWS account or an entity within an AWS Organization to which an IPAM policy can be applied.
Step 1: Create an IPAM policy
Using the AWS Console:
Follow these steps to create an IPAM policy using the AWS Console:
- Open the IPAM console at https://console.aws.amazon.com/ipam/.
- In the left navigation pane, choose Policies.
- Choose Create policy.
- Enter a Name for your policy (optional).
- Select the IPAM to associate with this policy.
- (Optional) Add tags.
- Choose Create policy.
Using the AWS CLI:
Use the aws ec2 create-ipam-policy command.
Step 2: Add allocation rules
After creating the policy, you need to add allocation rules that define how IP addresses are allocated:
Using the AWS Console:
Follow these steps to add allocation rules using the AWS Console:
- In the left navigation pane, choose Policies.
- Choose the policy you created in the previous step.
- On the policy details page, choose the Allocation rules tab.
- Choose Create allocation rules.
- Configure the Service configuration:
  - Locale: Choose the AWS Region (for example, us-east-1) or Local Zone where this rule applies.
  - Resource type: Select the AWS service or resource type for this rule (for example, Elastic IP addresses).
- Configure the Rules configuration:
  - IPAM pool: Select the IPAM pool that will provide IP addresses.
  - Review the pool details (locale, public IP source, space available, and CIDR ranges available).
- (Optional) Choose Add new rule to create additional rules.
- Choose Create allocation rule.
Using the AWS CLI:
Use the aws ec2 modify-ipam-policy-allocation-rules command.
Step 3: Enable the policy
Specify which accounts should use this policy.
Using the AWS Console:
Follow these steps to enable the policy using the AWS Console:
- On the policy details page, choose the Targets tab.
- Choose Manage policy targets.
- Do one of the following:
  - For single account usage (IPAM not integrated with AWS Organizations), choose Enable for your account.
  - For IPAM integrated with AWS Organizations (when you're the delegated admin):
    - In the Organizational structure section, select the accounts or organizational units where you want to apply this policy.
    - Select the Enabled checkbox for each target.
    - Choose Save Changes.
    - Important: Enabling this policy will replace any active IPAM policies on the selected accounts or organizational units.
Using the AWS CLI:
Use the enable-ipam-policy command based on your setup:
For single account usage (IPAM not integrated with AWS Organizations):
aws ec2 enable-ipam-policy \
    --ipam-policy-id ipam-policy-12345678
For IPAM integrated with AWS Organizations (when you're the delegated admin):
aws ec2 enable-ipam-policy \
    --ipam-policy-id ipam-policy-12345678 \
    --organization-target-id 123456789012
Important
Enabling this policy will replace any active IPAM policies on the selected accounts or organizational units.
Step 4: (Optional) Organization-wide enforcement
If you've enabled this IPAM policy on an AWS Organizations entity, use declarative policies to add centralized management and governance on top of your IPAM policies.
What this adds:
Organization-wide enforcement provides the following benefits:
- Centralized policy management across all organization accounts
- Automatic enforcement without per-account configuration
- Governance controls to prevent policy changes at the account level
Prerequisites:
Before setting up organization-wide enforcement, ensure you have:
- AWS Organizations with all features enabled
- IPAM in the organization management account or delegated administrator account
- Appropriate permissions for Organizations and IPAM
For detailed instructions on setting up organization-wide enforcement with declarative policies, see Getting started with declarative policies in the AWS Organizations User Guide.
Step 5: Test your policy
Create a new resource of the type you configured (for example, allocate an EIP) in one of the target accounts. The resource automatically receives an IP address from your IPAM pool.
Important
For EIPs, if you choose a specific IPAM pool when allocating a public IPv4 address to them, that will override the IPAM policy.
Step 6: Monitor usage
Check your IPAM pool in the console, or run aws ec2 get-ipam-pool-allocations with the pool ID, to see IP addresses being allocated to your resources. Addresses that are not from the pool's CIDRs either predate the policy, were allocated after the pool ran out (overflow to Amazon-provided space), or were allocated with an explicit pool that overrode the policy.
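The following script is an added example, not part of the AWS documentation, that automates the check in Steps 5 and 6: it fetches the provisioned CIDRs of the policy's pool, lists the Elastic IPs in a Region, and reports for each one whether it came from the pool or fell back to Amazon-provided space (because of overflow, an older allocation, or an explicit pool override at allocation time). The pool ID and Region are placeholders you supply; the CIDR arithmetic is pure POSIX sh so the classification can be exercised offline with constructed addresses.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): audit the Elastic IPs in a
# Region and report which ones came from the policy's IPAM pool and which are
# Amazon-provided. POOL_ID and REGION below are placeholders you supply.
POOL_ID="${POOL_ID:-ipam-pool-0123456789abcdef0}"   # hypothetical pool ID
REGION="${REGION:-us-east-1}"

# Convert a dotted-quad IPv4 address to its 32-bit integer value.
ip_to_int() {
  _a=${1%%.*}; _r=${1#*.}
  _b=${_r%%.*}; _r=${_r#*.}
  _c=${_r%%.*}; _d=${_r#*.}
  echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# Return 0 if IPv4 address $1 lies inside CIDR $2 (e.g. 203.0.113.0/24), else 1.
in_cidr() {
  _net=${2%/*}; _bits=${2#*/}
  if [ "$_bits" -eq 0 ]; then return 0; fi
  # Build the netmask as a 32-bit integer; the trailing mask keeps it in range
  # on shells that do 64-bit arithmetic.
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Print "pool" if $1 is inside any CIDR in the space-separated list $2,
# otherwise "amazon" (the address did not come from the pool).
classify_ip() {
  for _cidr in $2; do
    if in_cidr "$1" "$_cidr"; then echo pool; return 0; fi
  done
  echo amazon
}

# Live audit: fetch the pool's provisioned CIDRs and the Region's EIPs with the
# AWS CLI, then classify each EIP. Output columns: allocation ID, public IP, source.
audit_eips() {
  _cidrs=$(aws ec2 get-ipam-pool-cidrs --region "$REGION" --ipam-pool-id "$POOL_ID" \
             --query "IpamPoolCidrs[?State=='provisioned'].Cidr" --output text)
  aws ec2 describe-addresses --region "$REGION" \
      --query 'Addresses[].[AllocationId,PublicIp]' --output text |
  while read -r _alloc _ip; do
    printf '%s\t%s\t%s\n' "$_alloc" "$_ip" "$(classify_ip "$_ip" "$_cidrs")"
  done
}

# Run the live audit only when invoked as: POOL_ID=... REGION=... sh audit_eips.sh run
if [ "${1:-}" = "run" ]; then
  audit_eips
fi
```

Run it in each target account and Region after allocating a test EIP; any row marked amazon in an account where the policy is enabled is worth investigating, since it means the policy did not supply the address. The functions assume IPv4 only, which matches what IPAM policies currently cover.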