

# Getting started with IPAM
<a name="getting-started-ipam"></a>

Follow the steps in this section to get started with IPAM. This section is intended to get you started quickly with IPAM, but you may find that what you can achieve with the steps in this section doesn't fit your needs. For information about different ways you can use IPAM, see [Plan for IP address provisioning](planning-ipam.md) and [Tutorials for Amazon VPC IP Address Manager](tutorials-ipam.md).

In this section, you’ll begin by accessing IPAM and deciding if you want to delegate an IPAM account. By the end of this section, you will have created an IPAM, created multiple pools of IP addresses, and allocated a CIDR in a pool to a VPC.

**Topics**
+ [Access IPAM](access-ipam.md)
+ [Configure integration options for your IPAM](choose-single-user-or-orgs-ipam.md)
+ [Create an IPAM](create-ipam.md)
+ [Plan for IP address provisioning](planning-ipam.md)
+ [Allocate CIDRs from an IPAM pool](allocate-cidrs-ipam.md)

# Access IPAM
<a name="access-ipam"></a>

As with other AWS services, you can create, access, and manage your IPAM using the following methods:
+ **AWS Management Console**: Provides a web interface that you can use to create and manage your IPAM. See [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).
+ **AWS Command Line Interface (AWS CLI)**: Provides commands for a broad set of AWS services, including Amazon VPC. The AWS CLI is supported on Windows, macOS, and Linux. To get the AWS CLI, see [AWS Command Line Interface](https://aws.amazon.com/cli/).
+ **AWS SDKs**: Provide language-specific APIs. The AWS SDKs take care of many of the connection details, such as calculating signatures, handling request retries, and handling errors. For more information, see [AWS SDKs](http://aws.amazon.com/tools/#SDKs).
+ **Query API**: Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access IPAM. However, it requires your application to handle low-level details such as generating the hash to sign the request, and handling errors. For more information, see Amazon IPAM actions in the [Amazon EC2 API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/).

This guide primarily focuses on using the AWS Management Console to create, access, and manage your IPAM. In each description of how to complete a process in the console, we include links to the *AWS CLI Command Reference* so that you can do the same tasks by using the AWS CLI.

If you are a first-time user of IPAM, review [How IPAM works](how-it-works-ipam.md) to learn about the role of IPAM in Amazon VPC and then continue with the instructions in [Configure integration options for your IPAM](choose-single-user-or-orgs-ipam.md).

# Configure integration options for your IPAM
<a name="choose-single-user-or-orgs-ipam"></a>

This section describes your options for how you can integrate IPAM with AWS Organizations, other AWS accounts, or use it with a single AWS account.

Before you begin using IPAM, you must choose one of the options in this section to enable IPAM to monitor CIDRs associated with EC2 networking resources and store metrics:
+ To enable IPAM to integrate with AWS Organizations to enable the Amazon VPC IPAM service to manage and monitor networking resources created by all AWS Organizations member accounts, see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
+ After you integrate with AWS Organizations, to integrate IPAM with accounts outside of your organization, see [Integrate IPAM with accounts outside of your organization](enable-integ-ipam-outside-org.md).
+ To use a single AWS account with IPAM and enable the Amazon VPC IPAM service to manage and monitor the networking resources you create with the single account, see [Use IPAM with a single account](enable-single-user-ipam.md).

If you do not choose one of these options, you can still create IPAM resources, such as pools, but you won't see metrics in your dashboard and you will not be able to monitor the status of resources.

**Topics**
+ [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md)
+ [Integrate IPAM with accounts outside of your organization](enable-integ-ipam-outside-org.md)
+ [Use IPAM with a single account](enable-single-user-ipam.md)

# Integrate IPAM with accounts in an AWS Organization
<a name="enable-integ-ipam"></a>

Optionally, you can follow the steps in this section to integrate IPAM with AWS Organizations and delegate a member account as the IPAM account.

The IPAM account is responsible for creating an IPAM and using it to manage and monitor IP address usage.

Integrating IPAM with AWS Organizations and delegating an IPAM admin has the following benefits:
+ **Share your IPAM pools with your organization**: When you delegate an IPAM account, IPAM enables other AWS Organizations member accounts in the organization to allocate CIDRs from IPAM pools that are shared using AWS Resource Access Manager (RAM). For more information on setting up an organization, see [What is AWS Organizations?](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) in the *AWS Organizations User Guide*.
+ **Monitor IP address usage in your organization**: When you delegate an IPAM account, you give IPAM permission to monitor IP usage across all of your accounts. As a result, IPAM automatically imports CIDRs that are used by existing VPCs across other AWS Organizations member accounts into IPAM.

If you do not delegate an AWS Organizations member account as an IPAM account, IPAM will monitor resources only in the AWS account that you use to create the IPAM.

**Note**  
When integrating with AWS Organizations:
+ You must enable integration with AWS Organizations by using IPAM in the AWS Management Console or the [enable-ipam-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-ipam-organization-admin-account.html) AWS CLI command. This ensures that the `AWSServiceRoleForIPAM` service-linked role is created. If you enable trusted access with AWS Organizations by using the AWS Organizations console or the [register-delegated-administrator](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/register-delegated-administrator.html) AWS CLI command, the `AWSServiceRoleForIPAM` service-linked role isn't created, and you can't manage or monitor resources within your organization.
+ **The IPAM account must be an AWS Organizations member account.** You cannot use the AWS Organizations management account as the IPAM account. To check whether your IPAM is already integrated with AWS Organizations, use the steps below and view the details of the integration in *Organization settings*.
+ IPAM charges you for each active IP address that it monitors in your organization's member accounts. For more information about pricing, see [IPAM pricing](https://aws.amazon.com/vpc/pricing/).
+ You must have an account in AWS Organizations and a management account set up with one or more member accounts. For more information about account types, see [Terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*. For more information on setting up an organization, see [Getting started with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html).
+ The IPAM account must use an IAM role that has an IAM policy attached to it that permits the `iam:CreateServiceLinkedRole` action. When you create the IPAM, the `AWSServiceRoleForIPAM` service-linked role is created automatically.
+ The user associated with the AWS Organizations management account must use an IAM role that has the following IAM policy actions attached (for more information on creating IAM roles, see [Creating a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*):
  + `ec2:EnableIpamOrganizationAdminAccount`
  + `organizations:EnableAwsServiceAccess`
  + `organizations:RegisterDelegatedAdministrator`
  + `iam:CreateServiceLinkedRole`
+ To list your current AWS Organizations delegated administrators, the user associated with the AWS Organizations management account may use an IAM role that has the `organizations:ListDelegatedAdministrators` action attached.

------
#### [ AWS Management Console ]

**To select an IPAM account**

1. Using the AWS Organizations management account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the AWS Management Console, choose the AWS Region in which you want to work with IPAM.

1. In the navigation pane, choose **Organization settings**.

1. The **Delegate** option is only available if you've logged in to the console as the AWS Organizations management account. Choose **Delegate**. 

1. Enter the AWS account ID for an IPAM account. The IPAM administrator must be an AWS Organizations member account.

1. Choose **Save changes**.

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.
+ To delegate an IPAM admin account using AWS CLI, use the following command: [enable-ipam-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-ipam-organization-admin-account.html)

------

When you delegate an Organizations member account as an IPAM account, IPAM automatically creates a service-linked IAM role in all member accounts in your organization. IPAM monitors the IP address usage in these accounts by assuming the service-linked IAM role in each member account, discovering the resources and their CIDRs, and integrating them with IPAM. The resources within all member accounts will be discoverable by IPAM regardless of their Organizational Unit. If there are member accounts that have created a VPC, for example, you’ll see the VPC and its CIDR in the Resources section of the IPAM console.

**Important**  
The role of the AWS Organizations management account that delegated the IPAM admin is now complete. To continue using IPAM, the IPAM admin account must log into Amazon VPC IPAM and create an IPAM. 

# Integrate IPAM with accounts outside of your organization
<a name="enable-integ-ipam-outside-org"></a>

This section describes how to integrate your IPAM with AWS accounts outside of your organization. To complete steps in this section, you must have already completed the steps in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md) and delegated an IPAM account.

Integrating IPAM with AWS accounts outside of your organization enables you to do the following:
+ Manage IP addresses outside of your organization from a single IPAM account.
+ Share IPAM pools with third-party services hosted by other AWS accounts in other AWS Organizations.

After you integrate IPAM with AWS accounts outside of your organization, you can share an IPAM pool directly with the desired accounts of other organizations.

**Topics**
+ [Considerations and limitations](enable-integ-ipam-outside-org-considerations.md)
+ [Process overview](enable-integ-ipam-outside-org-process.md)

# Considerations and limitations
<a name="enable-integ-ipam-outside-org-considerations"></a>

This section contains considerations and limitations for integrating IPAM with accounts outside of your organization:
+ When you share a resource discovery with another account, the only data that is exchanged is IP address and account status monitoring data. You can view this data before sharing using the [get-ipam-discovered-resource-cidrs](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-ipam-discovered-resource-cidrs.html) and [get-ipam-discovered-accounts](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-ipam-discovered-accounts.html) CLI commands or [GetIpamDiscoveredResourceCidrs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamDiscoveredResourceCidrs.html) and [GetIpamDiscoveredAccounts](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamDiscoveredAccounts.html) APIs. For resource discoveries that monitor resources across an organization, no organization data (such as the names of Organizational Units in your organization) are shared.
+ When you create a resource discovery, the resource discovery monitors all visible resources in the owner account. If the owner account is a third-party service AWS account that creates resources for multiple of their own customers, those resources will be discovered by the resource discovery. If the third-party AWS service account shares the resource discovery with an end-user AWS account, the end-user will have visibility into the resources of the other customers of the third-party AWS service. For that reason, the third-party AWS service should exercise caution creating and sharing resource discoveries or use a separate AWS account for each customer. 

# Process overview
<a name="enable-integ-ipam-outside-org-process"></a>

This section explains how to integrate your IPAM with AWS accounts outside of your organization. It refers to topics that are covered in other sections of this guide. Keep this page visible, and open the topics linked below in a new window so that you can return to this page for guidance.

When you integrate IPAM with AWS accounts outside of your organization, there are 4 AWS accounts involved in the process:
+ **Primary Org Owner** - The AWS Organizations management account for organization 1.
+ **Primary Org IPAM Account** - The IPAM delegated administrator account for organization 1.
+ **Secondary Org Owner** - The AWS Organizations management account for organization 2.
+ **Secondary Org Admin Account** - The IPAM delegated administrator account for organization 2.

**Steps**

1. Primary Org Owner delegates a member of their organization as the Primary Org IPAM Account (see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md)).

1. Primary Org IPAM Account creates an IPAM (see [Create an IPAM](create-ipam.md)).

1. Secondary Org Owner delegates a member of their organization as the Secondary Org Admin Account (see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md)).

1. Secondary Org Admin Account creates a resource discovery and shares it with the Primary Org IPAM Account using AWS RAM (see [Create a resource discovery](res-disc-work-with-create.md) and [Share a resource discovery](res-disc-work-with-share.md)). The resource discovery must be created in the same home Region as the Primary Org IPAM.

1. Primary Org IPAM Account accepts the resource share invitation using AWS RAM (see [Accepting and rejecting resource share invitations](https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared-invitations.html) in the *AWS RAM User Guide*).

1. Primary Org IPAM Account associates the resource discovery with their IPAM (see [Associate a resource discovery with an IPAM](res-disc-work-with-associate.md)).

1. Primary Org IPAM Account can now monitor and/or manage IPAM resources created by the accounts in Secondary Org.

1. (Optional) Primary Org IPAM Account shares IPAM pools with member accounts in Secondary Org (see [Share an IPAM pool using AWS RAM](share-pool-ipam.md)).

1. (Optional) If Primary Org IPAM Account wants to stop discovering resources in Secondary Org, it can disassociate the resource discovery from the IPAM (see [Disassociate a resource discovery](res-disc-work-with-disassociate.md)).

1. (Optional) If the Secondary Org Admin Account wants to stop participating in the Primary Org’s IPAM, they can unshare the shared resource discovery (see [Update a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-update.html) in the *AWS RAM User Guide*) or delete the resource discovery (see [Delete a resource discovery](res-disc-work-with-delete.md)).

# Use IPAM with a single account
<a name="enable-single-user-ipam"></a>

If you choose not to [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md), you can use IPAM with a single AWS account.

When you create an IPAM in the next section, a service-linked role is automatically created for the Amazon VPC IPAM service in AWS Identity and Access Management (IAM). 

Service-linked roles are a type of IAM role that allows AWS services to access other AWS services on your behalf. They simplify the permission management process by automatically creating and managing the necessary permissions for specific AWS services to perform their required actions, streamlining the setup and administration of these services.

IPAM uses the service-linked role to monitor and store metrics for CIDRs associated with EC2 networking resources. For more information on the service-linked role and how IPAM uses it, see [Service-linked roles for IPAM](iam-ipam-slr.md).

**Important**  
If you use IPAM with a single AWS account, you must ensure that the AWS account you use to create the IPAM uses an IAM role with a policy attached to it that permits the `iam:CreateServiceLinkedRole` action. When you create the IPAM, the `AWSServiceRoleForIPAM` service-linked role is created automatically. For more information on managing IAM policies, see [Editing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html) in the *IAM User Guide*.

Once the single AWS account has permission to create the IPAM service-linked role, go to [Create an IPAM](create-ipam.md).

# Create an IPAM
<a name="create-ipam"></a>

Follow the steps in this section to create your IPAM. If you have delegated an IPAM administrator, these steps should be completed by the IPAM account.

**Important**  
When you create an IPAM, you will be asked to allow IPAM to replicate data from source accounts into an IPAM delegate account. To integrate IPAM with AWS Organizations, IPAM needs your permission to replicate resource and IP usage details across accounts (from member accounts to the delegated IPAM member account) and across AWS Regions (from operating Regions to the home Region of your IPAM). For single account IPAM users, IPAM needs your permission to replicate resource and IP usage details across operating Regions to the home Region of your IPAM.

When you create the IPAM, you choose the AWS Regions where the IPAM is allowed to manage IP address CIDRs. These AWS Regions are called *operating Regions*. IPAM discovers and monitors resources only in the AWS Regions that you select as operating Regions. IPAM doesn't store any data outside of the operating Regions that you select.

The following example hierarchy shows how the AWS Regions that you assign when you create the IPAM will impact the Regions that will be available for pools that you create later.
+ **IPAM operating in AWS Region 1 and AWS Region 2**
  + Private scope
    + Top-level IPAM pool
      + Regional IPAM pool in **AWS Region 2** 
        + Development pool
          + Allocation for a VPC in **AWS Region 2**

You can only create one IPAM. For more information about increasing quotas related to IPAM, see [Quotas for your IPAM](quotas-ipam.md).

------
#### [ AWS Management Console ]

**To create an IPAM**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the AWS Management Console, choose the AWS Region in which you want to create the IPAM. Create the IPAM in your main Region of operations.

1. On the service home page, choose **Create IPAM**.

1. Select **Allow Amazon VPC IP Address Manager to replicate data from source account(s) into the IPAM delegate account**. If you do not select this option, you cannot create an IPAM.

1. Choose an **IPAM tier**. For more information about the features available in each tier and the costs associated with the tiers, see the IPAM tab on the [Amazon VPC pricing page](https://aws.amazon.com/vpc/pricing/).

1. Under **Operating regions**, select the AWS Regions in which this IPAM can manage and discover resources. The AWS Region in which you are creating your IPAM is selected as one of the operating Regions by default. For example, if you’re creating this IPAM in AWS Region `us-east-1` but you want to create Regional IPAM pools later that provide CIDRs to VPCs in `us-west-2`, select `us-west-2` here. If you forget an operating Region, you can return at a later time and edit your IPAM settings.
**Note**  
If you are creating an IPAM in the Free Tier, you can select multiple operating Regions for your IPAM, but the only IPAM feature that will be available across operating Regions is [Public IP insights](view-public-ip-insights.md). You cannot use other features in the Free Tier, like BYOIP, across the IPAM's operating Regions. You can only use them in the IPAM's home Region. To use all IPAM features across operating Regions, [create an IPAM in the Advanced Tier](mod-ipam-tier.md).

1. Choose if you want to enable **Private IPv6 GUA CIDRs**. For more information about this option, see [Enable provisioning private IPv6 GUA CIDRs](enable-prov-ipv6-gua.md).

1. Choose if you want to enable **Metering mode**. For more information about this option, see [Enable cost distribution](ipam-enable-cost-distro.md).

1. Choose **Create IPAM**.

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.

Use the following AWS CLI commands to create, modify, and view details related to your IPAM:

1. Create the IPAM: [create-ipam](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-ipam.html)

1. View the IPAM that you've created: [describe-ipams](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipams.html)

1. View the scopes that are created automatically: [describe-ipam-scopes](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-scopes.html)

1. Modify an existing IPAM: [modify-ipam](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-ipam.html)

------

When you have completed these steps, IPAM has done the following:
+ Created your IPAM. You can see the IPAM and the currently selected operating Regions by choosing IPAMs in the left navigation pane of the console. 
+ Created one private and one public scope. You can see the scopes by choosing **Scopes** in the navigation pane. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

# Plan for IP address provisioning
<a name="planning-ipam"></a>

Follow the steps in this section to plan for IP address provisioning by using IPAM pools. If you have configured an IPAM account, these steps should be completed by that account. The pool creation process is different for pools in public and private scopes. This section includes steps for creating a regional pool in the private scope. For BYOIP and BYOASN tutorials, see [Tutorials](tutorials-ipam.md).

**Important**  
To use IPAM pools across AWS accounts, you must integrate IPAM with AWS Organizations or some features may not work properly. For more information, see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).

In IPAM, a pool is a collection of contiguous IP address ranges (or CIDRs). Pools enable you to organize your IP addresses according to your routing and security needs. You can create pools for AWS Regions outside of your IPAM Region. For example, if you have separate routing and security needs for development and production applications, you can create a pool for each.

In the first step in this section, you’ll create a top-level pool. Then, you’ll create a Regional pool within the top-level pool. Within the Regional pool, you can create additional pools as needed, such as production and development environment pools. By default, you can create pools up to a depth of 10. For information on IPAM quotas, see [Quotas for your IPAM](quotas-ipam.md).

**Note**  
The terms *provision* and *allocate* are used throughout this user guide and the IPAM console. *Provision* is used when you add a CIDR to an IPAM pool. *Allocate* is used when you associate a CIDR from an IPAM pool with a resource.

The following is an example hierarchy of the pool structure that you will create by completing the steps in this section:
+ IPAM operating in AWS Region 1 and AWS Region 2
  + Private scope
    + Top-level pool
      + Regional pool in AWS Region 1
        + Development pool
          + Allocation for a VPC

This structure serves as an example of how you might want to use IPAM, but you can use IPAM to suit the needs of your organization. For more information on best practices, see [Amazon VPC IP Address Manager Best Practices](https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-vpc-ip-address-manager-best-practices/). 

If you are creating a single IPAM pool, complete the steps in [Create a top-level IPv4 pool](create-top-ipam.md) and then skip to [Allocate CIDRs from an IPAM pool](allocate-cidrs-ipam.md).

**Topics**
+ [Example IPAM pool plans](planning-examples-ipam.md)
+ [Create IPv4 pools](intro-create-ipv4-pools.md)
+ [Create IPv6 address pools in your IPAM](intro-create-ipv6-pools.md)

# Example IPAM pool plans
<a name="planning-examples-ipam"></a>

You can use IPAM to suit the needs of your organization. This section provides examples of how you might organize your IP addresses. 

## IPv4 pools in multiple AWS Regions
<a name="w2aab9c15c23b5"></a>

The following example shows an IPAM pool hierarchy for multiple AWS Regions within a top-level pool. Each AWS Regional pool has two IPAM development pools within it, one pool for development resources and one pool for production resources.

![IPAM pool hierarchy example 1](http://docs.aws.amazon.com/vpc/latest/ipam/images/ipam-example-pool-base.png)


## IPv4 pools for multiple lines of business
<a name="w2aab9c15c23b7"></a>

The following example shows an IPAM pool hierarchy for multiple lines of business within a top-level pool. Each pool for each line of business contains three AWS Regional pools. Each Regional pool has two IPAM development pools within it, one pool for pre-production resources and one pool for production resources.

![IPAM pool hierarchy example 2](http://docs.aws.amazon.com/vpc/latest/ipam/images/ipam-example-2-914px.png)


## IPv6 pools in an AWS Region
<a name="w2aab9c15c23b9"></a>

The following example shows an IPAM IPv6 pool hierarchy for multiple lines of business within a Regional pool. Each Regional pool has three IPAM pools within it, one pool for sandbox resources, one pool for development resources, and one pool for production resources.

![IPAM pool hierarchy example 3](http://docs.aws.amazon.com/vpc/latest/ipam/images/ipam-example-34.png)


## Subnet pools for multiple lines of business
<a name="w2aab9c15c23c11"></a>

The following example shows a resource planning pool hierarchy for multiple lines of business and dev/prod subnet pools. For more information on subnet IP address space planning using IPAM, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

![IPAM pool hierarchy example 4](http://docs.aws.amazon.com/vpc/latest/ipam/images/ipam-example-pool-subnet-integ.png)


# Create IPv4 pools
<a name="intro-create-ipv4-pools"></a>

Follow the steps in this section to create an IPv4 IPAM pool hierarchy.

The following example shows the hierarchy of the pool structure that you can create with instructions in this guide. In this section, you are creating an IPv4 IPAM pool hierarchy:
+ IPAM operating in AWS Region 1 and AWS Region 2
  + Private scope
    + Top-level pool (10.0.0.0/8)
      + Regional pool in AWS Region 2 (10.0.0.0/16)
        + Development pool (10.0.0.0/24)
          + Allocation for a VPC (10.0.0.0/25)

In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the top-level pool is provisioned with a portion of the top-level CIDR.

**Topics**
+ [Create a top-level IPv4 pool](create-top-ipam.md)
+ [Create a Regional IPv4 pool](create-reg-ipam.md)
+ [Create a development IPv4 pool](create-dev-ipam.md)

# Create a top-level IPv4 pool
<a name="create-top-ipam"></a>

Follow the steps in this section to create an IPv4 top-level IPAM pool. When you create the pool, you provision a CIDR for the pool to use. You then assign that space to an allocation. An allocation is a CIDR assignment from an IPAM pool to another IPAM pool or to a resource.

The following example shows the hierarchy of the pool structure that you can create with instructions in this guide. At this step, you are creating the top-level IPAM pool:
+ IPAM operating in AWS Region 1 and AWS Region 2
  + Private scope
    + **Top-level pool (10.0.0.0/8)**
      + Regional pool in AWS Region 1 (10.0.0.0/16)
        + Development pool for non-production VPCs (10.0.0.0/24)
          + Allocation for a VPC (10.0.0.0/25)

In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the top-level pool is provisioned with a portion of the top-level CIDR.

When you create an IPAM pool, you can configure rules for the allocations that are made within the IPAM pool.

Allocation rules enable you to configure the following:
+ Whether IPAM should automatically import CIDRs into the IPAM pool if it finds them within this pool's CIDR range 
+ The required netmask length for allocations within the pool
+ The required tags for resources within the pool
+ The required locale for resources within the pool. The locale is the AWS Region where an IPAM pool is available for allocations.

Allocation rules determine whether resources are compliant or noncompliant. For additional information about compliance, see [Monitor CIDR usage by resource](monitor-cidr-compliance-ipam.md).

**Important**  
There is an additional implicit rule that is not displayed in the allocation rules. If the resource is in an IPAM pool that is a shared resource in AWS Resource Access Manager (RAM), the resource owner must be configured as a principal in AWS RAM. For more information about sharing pools with RAM, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

The following example shows how you might use allocation rules to control access to an IPAM pool:

**Example**  
When you create your pools based on routing and security needs, you might want to allow only certain resources to use a pool. In such cases, you can set an allocation rule stating that any resource that wants a CIDR from this pool must have a tag that matches the allocation rule tag requirements. For example, you could set an allocation rule stating that only VPCs with the tag *prod* can get CIDRs from an IPAM pool. You could also set a rule stating that CIDRs allocated from this pool can be no larger than /24. In this case, creating a resource using a CIDR larger than /24 from this pool violates an allocation rule on the pool and creation fails. Existing resources with a CIDR larger than /24 are flagged as noncompliant.  
This topic covers how to create a top-level IPv4 pool with an IP address range provided by AWS. If you want to bring your own IPv4 address range to AWS (BYOIP), there are prerequisites. For more information, see [Tutorial: Bring your IP addresses to IPAM](tutorials-byoip-ipam.md).
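The following Python model makes two points from this section concrete: that each pool in the hierarchy is carved out of its parent's CIDR (10.0.0.0/8 to /16 to /24), and that allocation rules (netmask length, required tags, locale) decide whether a resource is compliant. It is an added example, not AWS code and not IPAM's own compliance engine; the `Pool`, `Resource` and `AllocationRules` classes, the sample pools and the VPC records are constructed for illustration, and the rule checks are a simplified reading of the allocation rules described above.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Dict, List, Optional


@dataclass
class AllocationRules:
    """Hypothetical subset of a pool's allocation rules.

    Netmask bounds are inclusive prefix lengths: min_netmask=24 means no
    allocation may be larger than a /24, so a /23 violates the rule."""
    min_netmask: Optional[int] = None
    max_netmask: Optional[int] = None
    required_tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class Pool:
    name: str
    cidr: IPv4Network
    locale: Optional[str] = None        # None: no locale (top-level pool)
    parent: Optional["Pool"] = None
    rules: AllocationRules = field(default_factory=AllocationRules)


@dataclass
class Resource:
    """A VPC that holds, or wants, a CIDR from a pool (constructed record)."""
    name: str
    cidr: IPv4Network
    region: str
    tags: Dict[str, str] = field(default_factory=dict)


def make_pool(name, cidr, locale=None, parent=None, rules=None):
    return Pool(name, IPv4Network(cidr), locale, parent, rules or AllocationRules())


def validate_hierarchy(pools: List[Pool]) -> List[str]:
    """Each child CIDR must lie within its parent's CIDR, and sibling pools
    under one parent must not overlap. Returns the problems found."""
    problems = []
    for p in pools:
        if p.parent and not p.cidr.subnet_of(p.parent.cidr):
            problems.append(f"{p.name} {p.cidr} is not within parent {p.parent.name} {p.parent.cidr}")
    for i, p in enumerate(pools):
        for q in pools[i + 1:]:
            if p.parent is not None and p.parent is q.parent and p.cidr.overlaps(q.cidr):
                problems.append(f"{p.name} {p.cidr} overlaps sibling {q.name} {q.cidr}")
    return problems


def owning_pool(pools: List[Pool], cidr: IPv4Network) -> Optional[Pool]:
    """The most specific (longest-prefix) pool whose CIDR contains the resource CIDR."""
    candidates = [p for p in pools if cidr.subnet_of(p.cidr)]
    return max(candidates, key=lambda p: p.cidr.prefixlen, default=None)


def check_compliance(pool: Pool, res: Resource) -> List[str]:
    """Violations of the pool's rules for one resource; an empty list means compliant."""
    v = []
    if pool.locale is not None and res.region != pool.locale:
        v.append(f"locale {pool.locale} does not match resource Region {res.region}")
    r = pool.rules
    if r.min_netmask is not None and res.cidr.prefixlen < r.min_netmask:
        v.append(f"/{res.cidr.prefixlen} is larger than the /{r.min_netmask} minimum netmask")
    if r.max_netmask is not None and res.cidr.prefixlen > r.max_netmask:
        v.append(f"/{res.cidr.prefixlen} is smaller than the /{r.max_netmask} maximum netmask")
    for key, val in r.required_tags.items():
        if res.tags.get(key) != val:
            v.append(f"missing required tag {key}={val}")
    return v


def audit(pools: List[Pool], resources: List[Resource]) -> Dict[str, List[str]]:
    """Map each resource name to its violations against the pool that owns its CIDR."""
    report = {}
    for res in resources:
        pool = owning_pool(pools, res.cidr)
        report[res.name] = ["CIDR is outside every pool"] if pool is None else check_compliance(pool, res)
    return report


# Constructed sample hierarchy mirroring this page's example (10.0.0.0/8 -> /16 -> /24).
TOP = make_pool("top-level", "10.0.0.0/8")
REGIONAL = make_pool("regional-us-west-2", "10.0.0.0/16", locale="us-west-2", parent=TOP)
DEV = make_pool("development", "10.0.0.0/24", locale="us-west-2", parent=REGIONAL,
                rules=AllocationRules(min_netmask=25, required_tags={"env": "dev"}))
PROD = make_pool("production", "10.0.4.0/22", locale="us-west-2", parent=REGIONAL,
                 rules=AllocationRules(min_netmask=24, max_netmask=26, required_tags={"env": "prod"}))
POOLS = [TOP, REGIONAL, DEV, PROD]

# Constructed resources: one compliant VPC per pool, then three rule violations.
RESOURCES = [
    Resource("vpc-dev", IPv4Network("10.0.0.0/25"), "us-west-2", {"env": "dev"}),
    Resource("vpc-prod", IPv4Network("10.0.4.0/24"), "us-west-2", {"env": "prod"}),
    Resource("vpc-too-big", IPv4Network("10.0.6.0/23"), "us-west-2", {"env": "prod"}),
    Resource("vpc-untagged", IPv4Network("10.0.5.0/24"), "us-west-2", {}),
    Resource("vpc-wrong-region", IPv4Network("10.0.5.128/25"), "us-east-1", {"env": "prod"}),
]

if __name__ == "__main__":
    for problem in validate_hierarchy(POOLS):
        print("hierarchy:", problem)
    for name, violations in audit(POOLS, RESOURCES).items():
        print(f"{name}: {'compliant' if not violations else '; '.join(violations)}")
```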

------
#### [ AWS Management Console ]

**To create a pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. Choose **Create pool**.

1. Under **IPAM scope**, choose the private scope you want to use. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

   By default, when you create a pool, the default private scope is selected. Both scopes support IPv4 and IPv6 pools: the private scope is intended for address space that is not advertised to the internet (for IPv6, private GUA or ULA ranges), and the public scope for publicly advertisable space. This section creates an IPv4 pool in the private scope; for IPv6 pools, see [Create IPv6 address pools in your IPAM](intro-create-ipv6-pools.md).

1. (Optional) Add a **Name tag** for the pool and a description for the pool.

1. Under **Source**, choose **IPAM scope**.

1. Under **Address family**, choose **IPv4**.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. For the **Locale**, choose **None**. You will set the locale on the Regional pool.

   The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.

1. (Optional) You can create a pool without a CIDR, but you won’t be able to use the pool for allocations until you’ve provisioned a CIDR for it. To provision a CIDR, choose **Add new CIDR**. Enter an IPv4 CIDR to provision for the pool. If you want to bring your own IPv4 or IPv6 IP address range to AWS, there are prerequisites. For more information, see [Tutorial: Bring your IP addresses to IPAM](tutorials-byoip-ipam.md).

1. Choose optional allocation rules for this pool:
   + **Automatically import discovered resources**: This option is not available if the **Locale** is set to **None**. If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. Note the following:
     + The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed.
     + IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant.
     + If IPAM discovers multiple resources with overlapping CIDRs, IPAM imports only the largest CIDR.
     + If IPAM discovers multiple resources with identical CIDRs, IPAM randomly imports only one of them.
**Warning**  
After you create an IPAM, when you create a VPC, choose the IPAM-allocated CIDR block option. If you do not, the CIDR you choose for your VPC may overlap with an IPAM CIDR allocation.
If you have a VPC already allocated in an IPAM pool, a VPC with an overlapping CIDR cannot be automatically imported. For example, if you have a VPC with a 10.0.0.0/26 CIDR allocated in an IPAM pool, a VPC with a 10.0.0.0/23 CIDR (that would cover the 10.0.0.0/26 CIDR) cannot be imported.
It takes some time for existing VPC CIDR allocations to be auto-imported into IPAM.
   + **Minimum netmask length**: The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant. Because a shorter netmask means a larger block, this value sets the largest CIDR block that can be allocated from the pool; for example, a minimum of 24 means that nothing larger than a /24 can be allocated. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
   + **Default netmask length**: A default netmask length for allocations added to this pool. For example, if the CIDR that's provisioned to this pool is **10.0.0.0/8** and you enter **16** here, any new allocations in this pool will default to a netmask length of /16.
   + **Maximum netmask length**: The maximum netmask length required for CIDR allocations in this pool to be compliant. This value sets the smallest CIDR block that can be allocated from the pool; for example, a maximum of 28 means that nothing smaller than a /28 can be allocated.
   + **Tagging requirements**: The tags that are required for resources to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging rules are changed on the pool, the resource may be marked as noncompliant.
   + **Locale**: The locale that will be required for resources that use CIDRs from this pool. Automatically imported resources that do not have this locale will be marked noncompliant. Resources that are not automatically imported into the pool will not be allowed to allocate space from the pool unless they are in this locale.
**Note**  
Allocation rules apply only to the [managed resources](monitor-cidr-compliance-ipam.md) within that pool. The rules do not apply to resources in pools within a pool.

1. (Optional) Choose **Tags** for the pool.

1. Choose **Create pool**.

1. See [Create a Regional IPv4 pool](create-reg-ipam.md).

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.

Use the following AWS CLI commands to create or edit a top-level pool in your IPAM:

1. Create a pool: [create-ipam-pool](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-ipam-pool.html).

1. Edit the pool after you create it to modify the allocation rules: [modify-ipam-pool](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-ipam-pool.html).

------
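
The allocation-rule semantics described above (minimum and maximum netmask, required tags, locale, and the auto-import behaviour, including the overlap and duplicate cases in the warning) can be modelled offline so that a rule set is understood before it is applied with `create-ipam-pool` or `modify-ipam-pool`. The following Python is an added example and is not AWS code; it uses only the standard library `ipaddress` module, and every pool, resource ID, CIDR and tag in it is constructed for illustration. The same logic applies unchanged to the IPv6 pools described later in this guide, because `ipaddress` treats both address families alike.

```python
"""Offline model of IPAM pool allocation rules and auto-import.

Added example, not AWS code: it re-implements the behaviour this section
describes (minimum/maximum netmask, required tags, locale, auto-import) so a
rule set can be checked before create-ipam-pool / modify-ipam-pool is run.
All resource IDs, CIDRs and tags below are constructed for the example.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    cidr: str                       # CIDR provisioned to the pool
    locale: str | None = None       # required locale (AWS Region), if any
    min_netmask: int | None = None  # largest block allowed: 24 => nothing bigger than a /24
    max_netmask: int | None = None  # smallest block allowed: 28 => nothing smaller than a /28
    required_tags: dict = field(default_factory=dict)
    allocations: dict = field(default_factory=dict)   # cidr -> resource id


@dataclass
class Resource:
    rid: str
    cidr: str
    region: str
    tags: dict = field(default_factory=dict)


def violations(pool: Pool, res: Resource) -> list[str]:
    """Rules `res` breaks; empty means compliant. Re-run after a tag or rule
    change: an existing allocation can drift to noncompliant."""
    net = ipaddress.ip_network(res.cidr)
    out = []
    if pool.min_netmask is not None and net.prefixlen < pool.min_netmask:
        out.append(f"/{net.prefixlen} is larger than the /{pool.min_netmask} minimum")
    if pool.max_netmask is not None and net.prefixlen > pool.max_netmask:
        out.append(f"/{net.prefixlen} is smaller than the /{pool.max_netmask} maximum")
    missing = {k: v for k, v in pool.required_tags.items() if res.tags.get(k) != v}
    if missing:
        out.append(f"missing required tags {missing}")
    if pool.locale is not None and res.region != pool.locale:
        out.append(f"region {res.region} is not the pool locale {pool.locale}")
    return out


def allocate(pool: Pool, res: Resource) -> bool:
    """New allocation request: refused when the CIDR is outside the pool,
    breaks a rule, or overlaps an existing allocation."""
    net = ipaddress.ip_network(res.cidr)
    if not net.subnet_of(ipaddress.ip_network(pool.cidr)) or violations(pool, res):
        return False
    if any(net.overlaps(ipaddress.ip_network(c)) for c in pool.allocations):
        return False
    pool.allocations[res.cidr] = res.rid
    return True


def auto_import(pool: Pool, discovered: list[Resource]) -> dict[str, list[str]]:
    """'Automatically import discovered resources' as the guide states it: a
    candidate must sit inside the pool and not overlap an existing allocation;
    of overlapping candidates only the largest is imported; identical CIDRs
    yield one import (AWS picks at random, this model keeps the first seen);
    rules are ignored at import, so an import may be noncompliant at once."""
    pool_net = ipaddress.ip_network(pool.cidr)
    result = {"imported": [], "noncompliant": [], "skipped": []}
    # Largest block first (shortest prefix), so it wins over the CIDRs it covers.
    for res in sorted(discovered, key=lambda r: ipaddress.ip_network(r.cidr).prefixlen):
        net = ipaddress.ip_network(res.cidr)
        taken = [ipaddress.ip_network(c) for c in pool.allocations]
        if not net.subnet_of(pool_net) or any(net.overlaps(t) for t in taken):
            result["skipped"].append(res.rid)
            continue
        pool.allocations[res.cidr] = res.rid
        result["imported"].append(res.rid)
        if violations(pool, res):
            result["noncompliant"].append(res.rid)
    return result


def demo() -> dict:
    """Constructed scenario: the 'no larger than /24' and 'prod tag' rules from
    the example above, on a pool whose locale is us-east-1."""
    pool = Pool(cidr="10.0.0.0/16", locale="us-east-1", min_netmask=24,
                max_netmask=28, required_tags={"env": "prod"})
    ok = allocate(pool, Resource("vpc-prod", "10.0.1.0/24", "us-east-1", {"env": "prod"}))
    too_big = allocate(pool, Resource("vpc-big", "10.0.2.0/23", "us-east-1", {"env": "prod"}))
    untagged = allocate(pool, Resource("vpc-dev", "10.0.4.0/24", "us-east-1", {"env": "dev"}))
    discovered = [
        Resource("vpc-a", "10.0.8.0/26", "us-east-1", {"env": "prod"}),    # covered by vpc-b: skipped
        Resource("vpc-b", "10.0.8.0/23", "us-east-1", {}),                # largest: imported, noncompliant
        Resource("vpc-c", "10.0.1.0/24", "us-east-1", {"env": "prod"}),   # overlaps vpc-prod: skipped
        Resource("vpc-d", "10.0.16.0/24", "eu-west-1", {"env": "prod"}),  # wrong locale: imported, noncompliant
        Resource("vpc-d2", "10.0.16.0/24", "eu-west-1", {"env": "prod"}), # duplicate CIDR: skipped
    ]
    return {"ok": ok, "too_big": too_big, "untagged": untagged, **auto_import(pool, discovered)}
```

Running `demo()` shows the three allocation requests (one accepted, one refused for being larger than a /24, one refused for the missing *prod* tag) and the import outcome, in which the two imported VPCs land noncompliant exactly as the **Automatically import discovered resources** notes warn. Calling `violations()` again after changing a resource's tags reproduces the drift to noncompliant that the **Tagging requirements** rule describes.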

# Create a Regional IPv4 pool
<a name="create-reg-ipam"></a>

Follow the steps in this section to create a Regional pool within your top-level pool. If you need only a top-level pool, and don't need additional Regional and development pools, skip to [Allocate CIDRs from an IPAM pool](allocate-cidrs-ipam.md).

**Note**  
The pool creation process is different for pools in public and private scopes. This section includes steps for creating a regional pool in the private scope. For BYOIP and BYOASN tutorials, see [Tutorials](tutorials-ipam.md).

The following example shows the hierarchy of the pool structure that you create by following the instructions in this guide. At this step, you are creating the Regional IPAM pool:
+ IPAM operating in AWS Region 1 and AWS Region 2
  + Private scope
    + Top-level pool (10.0.0.0/8)
      + **Regional pool in AWS Region 1 (10.0.0.0/16)**
        + Development pool for non-production VPCs (10.0.0.0/24)
          + Allocation for a VPC (10.0.0.0/25)

In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the top-level pool is provisioned with a portion of the top-level CIDR.

------
#### [ AWS Management Console ]

**To create a Regional pool within a top-level pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. Choose **Create pool**.

1. Under **IPAM scope**, choose the same scope that you used when you created the top-level pool. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. (Optional) Add a **Name tag** for the pool and a description for the pool.

1. Under **Source**, choose **IPAM pool**. Then choose the top-level pool that you created in the previous section.

1. If you are creating this pool in the public scope, you'll see an option for **Address family**. Choose **IPv4**.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Choose the locale for the pool. Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it. The available options come from the operating Regions that you chose when you created your IPAM.

   The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.
**Note**  
If you are creating a pool in the Free Tier, you can only choose the locale that matches the home Region of your IPAM. To use all IPAM features across locales, [upgrade to the Advanced Tier](mod-ipam-tier.md).

1. If you are creating this pool in the public scope, you'll see an option for **Service**. Choose **EC2 (EIP/VPC)**. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is **EC2 (EIP/VPC)**, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs).

1. (Optional) Choose a CIDR to provision for the pool. You can create a pool without a CIDR, but you won’t be able to use the pool for allocations until you’ve provisioned a CIDR for it. You can add CIDRs to a pool at any time by editing the pool.

1. You have the same allocation rule options here as you did when you created the top-level pool. See [Create a top-level IPv4 pool](create-top-ipam.md) for an explanation of the options that are available when you create pools. The allocation rules for the Regional pool are not inherited from the top-level pool. If you do not apply any rules here, there will be no allocation rules set for the pool.

1. (Optional) Choose **Tags** for the pool.

1. When you’ve finished configuring your pool, choose **Create pool**.

1. See [Create a development IPv4 pool](create-dev-ipam.md).

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.

Use the following AWS CLI commands to create a Regional pool in your IPAM:

1. Get the ID of the scope that you want to create the pool in: [describe-ipam-scopes](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-scopes.html)

1. Get the ID of the pool that you want to create the pool in: [describe-ipam-pools](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-pools.html)

1. Create the pool: [create-ipam-pool](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-ipam-pool.html)

1. View the new pool: [describe-ipam-pools](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-pools.html)

------

Repeat these steps to create additional pools within the top-level pool, as needed.

# Create a development IPv4 pool
<a name="create-dev-ipam"></a>

Follow the steps in this section to create a development pool within your Regional pool. If you need only a top-level and Regional pool, and don't need development pools, skip to [Allocate CIDRs from an IPAM pool](allocate-cidrs-ipam.md).

The following example shows the hierarchy of the pool structure that you can create with the instructions in this guide. At this step, you are creating a development IPAM pool:
+ IPAM operating in AWS Region 1 and AWS Region 2
  + Private scope
    + Top-level pool (10.0.0.0/8)
      + Regional pool in AWS Region 1 (10.0.0.0/16)
        + **Development pool for non-production VPCs (10.0.0.0/24)**
          + Allocation for a VPC (10.0.0.0/25)

In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the top-level pool is provisioned with a portion of the top-level CIDR.

------
#### [ AWS Management Console ]

**To create a development pool within a Regional pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. Choose **Create pool**.

1. Under **IPAM scope**, choose the same scope that you used when you created the top-level and Regional pools. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. (Optional) Add a **Name tag** for the pool and a description for the pool.

1. Under **Source**, choose **IPAM pool**. Then choose the Regional pool.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. (Optional) Choose a CIDR to provision for the pool. The CIDR must fall within a CIDR that is provisioned to the Regional pool you chose as the source (and therefore within the top-level pool's CIDR). You can create a pool without a CIDR, but you won’t be able to use the pool for allocations until you’ve provisioned a CIDR for it. You can add CIDRs to a pool at any time by editing the pool.

1. You have the same allocation rule options here as you did when you created the top-level and Regional pool. See [Create a top-level IPv4 pool](create-top-ipam.md) for an explanation of the options that are available when you create pools. The allocation rules for the pool are not inherited from the pool above it in the hierarchy. If you do not apply any rules here, no allocation rules will be set for the pool.

1. (Optional) Choose **Tags** for the pool.

1. When you’ve finished configuring your pool, choose **Create pool**.

1. See [Allocate CIDRs from an IPAM pool](allocate-cidrs-ipam.md).

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.

Use the following AWS CLI commands to create a development pool in your IPAM:

1. Get the ID of the scope that you want to create the pool in: [describe-ipam-scopes](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-scopes.html)

1. Get the ID of the pool that you want to create the pool in: [describe-ipam-pools](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-pools.html)

1. Create the pool: [create-ipam-pool](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-ipam-pool.html)

1. View the new pool: [describe-ipam-pools](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-pools.html)

------

Repeat these steps to create additional development pools within the Regional pool, as needed.

# Create IPv6 address pools in your IPAM
<a name="intro-create-ipv6-pools"></a>

AWS offers IPv6 connectivity across many of its services, including EC2, VPC, and S3, enabling you to use the increased address space and enhanced security features of IPv6. IPv6 was designed to resolve the fundamental limitation of IPv4: its 32-bit address space, which can no longer accommodate the number of connected devices. By moving to a 128-bit address space, IPv6 offers a vastly larger number of unique IP addresses. This address expansion enables the continued proliferation of connected technologies, from smartphones and IoT devices to cloud infrastructure. 

In addition, you can use IPAM to ensure that you are using contiguous IPv6 CIDRs for VPC creation. Contiguously-allocated CIDRs are CIDRs that are allocated sequentially. They enable you to simplify your security and networking rules; the IPv6 CIDRs can be aggregated in a single entry across networking and security constructs like access control lists, route tables, security groups, and firewalls.

Follow the steps in this section to create an IPAM IPv6 pool hierarchy. When you create the pool, you can provision a CIDR for the pool to use. The pool assigns space within that CIDR to allocations within the pool. An allocation is a CIDR assignment from an IPAM pool to another resource or IPAM pool.

**Note**  
Both public and private IPv6 addressing is available in AWS. AWS considers public IP addresses those advertised on the internet from AWS, while private IP addresses are not and cannot be advertised on the internet from AWS. If you want your private networks to support IPv6 and have no intention of routing traffic from these addresses to the internet, create your IPv6 pool in a private scope. For more information about public and private IPv6 addresses, see [IPv6 addresses](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#vpc-ipv6-addresses) in the *Amazon VPC User Guide*.

The following example shows the hierarchy of the pool structure that you can create with instructions in this guide. In this section, you are creating an IPv6 IPAM pool hierarchy:
+ IPAM operating in AWS Region 1 and AWS Region 2
  + Scope
    + Regional pool in AWS Region 1 (2001:db8::/52) 
      + Development pool (2001:db8::/54)
        +  Allocation for a VPC (2001:db8::/56)

In the preceding example, the CIDRs that are used are examples only. They illustrate that the Development pool within the Regional pool is provisioned with a portion of the Regional pool CIDR.

**Topics**
+ [

# Create a Regional IPv6 address pool in your IPAM
](create-ipv6-reg-pool.md)
+ [

# Create a development IPv6 address pool in your IPAM
](create-ipv6-dev-pool.md)

# Create a Regional IPv6 address pool in your IPAM
<a name="create-ipv6-reg-pool"></a>

Follow the steps in this section to create an IPv6 regional IPAM pool. When you provision an Amazon-provided IPv6 CIDR block to a pool, it must be provisioned to a pool with a locale (AWS Region) selected. When you create the pool, you can provision a CIDR for the pool to use or add it later. You then assign that space to an allocation. An allocation is a CIDR assignment from an IPAM pool to another IPAM pool or to a resource.

The following example shows the hierarchy of the pool structure that you can create with instructions in this guide. At this step, you are creating the IPv6 regional IPAM pool:
+ IPAM operating in AWS Region 1 and AWS Region 2
  + Scope
    + **Regional pool in AWS Region 1 (2001:db8::/52) **
      + Development pool (2001:db8::/54)
        +  Allocation for a VPC (2001:db8::/56)

In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the IPv6 regional pool is provisioned with a portion of the IPv6 regional CIDR.

When you create an IPAM pool, you can configure rules for the allocations that are made within the IPAM pool.

Allocation rules enable you to configure the following:
+ The required netmask length for allocations within the pool
+ The required tags for resources within the pool
+ The required locale for resources within the pool. The locale is the AWS Region where an IPAM pool is available for allocations.

Allocation rules determine whether resources are compliant or noncompliant. For additional information about compliance, see [Monitor CIDR usage by resource](monitor-cidr-compliance-ipam.md).

**Note**  
There is an additional implicit rule that is not displayed in the allocation rules. If the resource is in an IPAM pool that is a shared resource in AWS Resource Access Manager (RAM), the resource owner must be configured as a principal in AWS RAM. For more information about sharing pools with RAM, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

The following example shows how you might use allocation rules to control access to an IPAM pool:

**Example**  
When you create your pools based on routing and security needs, you might want to allow only certain resources to use a pool. In such cases, you can set an allocation rule stating that any resource that wants a CIDR from this pool must have a tag that matches the allocation rule tag requirements. For example, you could set an allocation rule stating that only VPCs with the tag *prod* can get CIDRs from an IPAM pool.

**Note**  
This topic covers how to create an IPv6 regional pool with an IPv6 address range provided by AWS or with a private IPv6 range. If you want to bring your own public IPv4 or IPv6 IP address ranges to AWS (BYOIP), there are prerequisites. For more information, see [Tutorial: Bring your IP addresses to IPAM](tutorials-byoip-ipam.md).
If you are creating an IPv6 pool in a private scope, you can use a private IPv6 GUA or ULA range. To use a private GUA range, you have to have first enabled the option on your IPAM (see [Enable provisioning private IPv6 GUA CIDRs](enable-prov-ipv6-gua.md)). 

------
#### [ AWS Management Console ]

**To create a pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. Choose **Create pool**.

1. Under **IPAM scope**, choose a private or public scope. If you want your private networks to support IPv6 and have no intention of routing traffic from these addresses to the internet, choose a private scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

   By default, when you create a pool, the default private scope is selected.

1. (Optional) Add a **Name tag** for the pool and a description for the pool.

1. Under **Source**, choose **IPAM scope**.

1. For **Address family**, select **IPv6**. If you're creating this pool in the public scope, all CIDRs in this pool will be publicly advertisable.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Choose the **Locale** for the pool. If you want to provision an Amazon-provided IPv6 CIDR block to a pool, it must be provisioned to a pool with a locale (AWS Region) selected. Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it. The available options come from the operating Regions that you chose for the IPAM when you created it. You can add additional operating Regions at any time.

   The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.
**Note**  
If you are creating a pool in the Free Tier, you can only choose the locale that matches the home Region of your IPAM. To use all IPAM features across locales, [upgrade to the Advanced Tier](mod-ipam-tier.md).

1. (Optional) If you are creating an IPv6 pool in the public scope, under **Service**, choose **EC2 (EIP/VPC)**. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is **EC2 (EIP/VPC)**, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs).

1. (Optional) If you are creating an IPv6 pool in the public scope, under **Public IP source** option, choose **Amazon owned** to have AWS provide an IPv6 address range for this pool. As noted at the top of this page, this topic covers how to create an IPv6 regional pool with an IP address range provided by AWS. If you want to bring your own IPv4 or IPv6 address range to AWS (BYOIP), there are prerequisites. For more information, see [Tutorial: Bring your IP addresses to IPAM](tutorials-byoip-ipam.md).

1. (Optional) You can create a pool without a CIDR, but you won’t be able to use the pool for allocations until you've provisioned a CIDR for it. To provision a CIDR, do one of the following:
   + If you are creating an IPv6 pool in the public scope with **Public IP source Amazon-owned**, to provision a CIDR, under **CIDRs to provision**, choose **Add Amazon-owned CIDR** and choose the netmask size between /40 and /52 for the CIDR. When you choose a netmask length in the dropdown menu, you see the netmask length as well as the number of /56 CIDRs that the netmask represents. By default, you can add one Amazon-provided IPv6 CIDR block to the Regional pool. For information on increasing the default limit, see [Quotas for your IPAM](quotas-ipam.md).
   + If you are creating an IPv6 pool in a private scope, you can use a private IPv6 GUA or ULA range:
     + For important details about private IPv6 addressing, see [Private IPv6 addresses](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#vpc-ipv6-addresses-private) in the *Amazon VPC User Guide*.
     + To use a private IPv6 ULA range, under **CIDRs to provision**, choose **Add ULA CIDR by netmask** and choose a netmask size or choose **Input private IPv6 CIDR** and enter a ULA range. Valid IPv6 ULA space is anything under fd00::/8 that does not overlap with the Amazon reserved range fd00::/16.
     + To use a private IPv6 GUA range, you have to have first enabled the option on your IPAM (see [Enable provisioning private IPv6 GUA CIDRs](enable-prov-ipv6-gua.md)). Once you've enabled private IPv6 GUA CIDRs, enter an IPv6 GUA in **Input private IPv6 CIDR**.

1. Choose optional allocation rules for this pool:
   + **Minimum netmask length**: The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant and the largest size CIDR block that can be allocated from the pool. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv6 addresses are 0 - 128. 
   + **Default netmask length**: A default netmask length for allocations added to this pool. For example, if the CIDR that's provisioned to this pool is `2001:db8::/52` and you enter 56 here, any new allocations in this pool will default to a netmask length of /56.
   + **Maximum netmask length**: The maximum netmask length required for CIDR allocations in this pool to be compliant. This value sets the smallest CIDR block that can be allocated from the pool. For example, if you enter 56 here, no CIDR smaller than a /56 (that is, with a netmask longer than /56) can be allocated from this pool.
   + **Tagging requirements**: The tags that are required for resources to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging rules are changed on the pool, the resource may be marked as noncompliant.
   + **Locale**: The locale that will be required for resources that use CIDRs from this pool. Automatically imported resources that do not have this locale will be marked noncompliant. Resources that are not automatically imported into the pool will not be allowed to allocate space from the pool unless they are in this locale.

1. (Optional) Choose **Tags** for the pool.

1. Choose **Create pool**.

1. See [Create a development IPv6 address pool in your IPAM](create-ipv6-dev-pool.md).

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.

Use the following AWS CLI commands to create or edit an IPv6 regional pool in your IPAM:

1. If you want to enable provisioning private IPv6 GUA CIDRs, modify the IPAM with [modify-ipam](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-ipam.html) and include the option to `enable-private-gua`. For more information, see [Enable provisioning private IPv6 GUA CIDRs](enable-prov-ipv6-gua.md).

1. Create a pool with [create-ipam-pool](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-ipam-pool.html).

1. Provision a CIDR to the pool: [provision-ipam-pool-cidr](https://docs.aws.amazon.com/cli/latest/reference/ec2/provision-ipam-pool-cidr.html).

1. Edit the pool after you create it to modify the allocation rules: [modify-ipam-pool](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-ipam-pool.html).

------
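
Before provisioning CIDRs with `provision-ipam-pool-cidr`, the constraints this section states can be checked offline. The following Python is an added example and not AWS code: it encodes the Amazon-owned netmask range (/40 to /52, with the /56 count the console displays), the ULA rule (inside fd00::/8 and not overlapping the Amazon reserved fd00::/16), the private GUA prerequisite, and the requirement that a pool's CIDR fall inside its source pool and not overlap a sibling pool, since each pool is an allocation from its source. The pool names and CIDRs in `demo()` are constructed; the 2000::/3 global unicast range comes from RFC 4291 and is not stated on this page.

```python
"""Pre-flight checks for provisioning CIDRs to an IPv6 pool hierarchy.

Added example, not AWS code. It encodes the constraints stated in this
section (Amazon-owned netmask range, ULA space outside the Amazon reserved
range, private GUA needing the IPAM option, child pools nested inside their
source pool) so a planned layout can be validated offline before
provision-ipam-pool-cidr is run. The CIDRs in demo() are constructed.
"""
from __future__ import annotations
import ipaddress

ULA_SPACE = ipaddress.IPv6Network("fd00::/8")             # valid ULA space per the guide
AMAZON_RESERVED_ULA = ipaddress.IPv6Network("fd00::/16")  # reserved by Amazon per the guide
GUA_SPACE = ipaddress.IPv6Network("2000::/3")             # global unicast (RFC 4291, assumption)


def amazon_owned_choice(netmask: int) -> int:
    """Validate an Amazon-owned CIDR request (/40 to /52, as in the console)
    and return how many /56 blocks it holds, the figure the console shows."""
    if not 40 <= netmask <= 52:
        raise ValueError(f"/{netmask}: Amazon-owned IPv6 CIDRs are /40 to /52")
    return 2 ** (56 - netmask)


def ula_check(cidr: str) -> list[str]:
    """Problems with a ULA range for a private-scope pool (empty == usable)."""
    net = ipaddress.IPv6Network(cidr)   # strict: host bits must be zero
    if not net.subnet_of(ULA_SPACE):
        return [f"{net} is not inside {ULA_SPACE}"]
    if net.overlaps(AMAZON_RESERVED_ULA):
        return [f"{net} overlaps the Amazon reserved range {AMAZON_RESERVED_ULA}"]
    return []


def private_gua_check(cidr: str, private_gua_enabled: bool) -> list[str]:
    """A private GUA range also requires the IPAM-level option to be enabled."""
    net = ipaddress.IPv6Network(cidr)
    out = []
    if not net.subnet_of(GUA_SPACE):
        out.append(f"{net} is not a global unicast range")
    if not private_gua_enabled:
        out.append("enable private IPv6 GUA provisioning on the IPAM first")
    return out


def hierarchy_check(pools: dict[str, tuple[str | None, str]]) -> list[str]:
    """pools maps name -> (source pool name or None, provisioned CIDR).
    A pool is an allocation from its source pool, so its CIDR must sit
    inside the source CIDR and must not overlap a sibling pool's CIDR."""
    nets = {name: ipaddress.ip_network(cidr) for name, (_, cidr) in pools.items()}
    out = []
    for name, (parent, _) in pools.items():
        if parent is None:
            continue
        if not nets[name].subnet_of(nets[parent]):
            out.append(f"{name} {nets[name]} is outside source pool {parent} {nets[parent]}")
        for sib, (sib_parent, _) in pools.items():
            if sib > name and sib_parent == parent and nets[name].overlaps(nets[sib]):
                out.append(f"{name} overlaps sibling pool {sib}")
    return out


def demo() -> dict:
    """The hierarchy from this section (/52 Regional -> /54 development),
    plus one deliberately misplaced pool and a few candidate CIDRs."""
    pools = {
        "regional": (None, "2001:db8::/52"),
        "dev": ("regional", "2001:db8::/54"),
        "dev-bad": ("regional", "2001:db8:0:1000::/54"),   # not inside the /52
    }
    return {
        "blocks_56": amazon_owned_choice(52),               # a /52 holds 16 x /56
        "ula_ok": ula_check("fd12:3456:789a::/48"),
        "ula_reserved": ula_check("fd00:1234::/48"),
        "ula_outside": ula_check("fc00:1234::/48"),
        "gua": private_gua_check("2001:db8:1::/48", private_gua_enabled=False),
        "hierarchy": hierarchy_check(pools),
    }
```

`demo()` returns an empty list for the usable ULA range, one finding each for the range inside fd00::/16 and the range outside fd00::/8, one finding for the GUA range because the IPAM option is not yet enabled, and one finding for the pool whose /54 is not inside the Regional /52. Feed your own planned pools into `hierarchy_check()` before creating them; a nesting mistake is far cheaper to catch here than after VPCs have been allocated from the wrong pool.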

# Create a development IPv6 address pool in your IPAM
<a name="create-ipv6-dev-pool"></a>

Follow the steps in this section to create a development pool within your IPv6 Regional pool. If you only need a Regional pool and don't need development pools, skip to [Allocate CIDRs from an IPAM pool](allocate-cidrs-ipam.md).

The following example shows the hierarchy of the pool structure that you can create with the instructions in this guide. At this step, you are creating a development IPAM pool:
+ IPAM operating in AWS Region 1 and AWS Region 2
  + Scope
    + Regional pool in AWS Region 1 (2001:db8::/52)
      + **Development pool (2001:db8::/54)**
        +  Allocation for a VPC (2001:db8::/56)

In the preceding example, the CIDRs that are used are examples only. They illustrate that the development pool within the Regional pool is provisioned with a portion of the Regional pool CIDR.

------
#### [ AWS Management Console ]

**To create a development pool within an IPv6 Regional pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. Choose **Create pool**.

1. Under **IPAM scope**, choose a scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. (Optional) Add a **Name tag** for the pool and a description for the pool.

1. Under **Source**, choose **IPAM pool**. Then, under **Source pool**, choose the IPv6 Regional pool.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. (Optional) Choose a CIDR to provision for the pool. The CIDR must fall within a CIDR that is provisioned to the IPv6 Regional pool you chose as the source. You can create a pool without a CIDR, but you won’t be able to use the pool for allocations until you’ve provisioned a CIDR for it. You can add CIDRs to a pool at any time by editing the pool.

1. You have the same allocation rule options here as you did when you created the IPv6 Regional pool. See [Create a Regional IPv6 address pool in your IPAM](create-ipv6-reg-pool.md) for an explanation of the options that are available when you create pools. The allocation rules for the pool are not inherited from the pool above it in the hierarchy. If you do not apply any rules here, no allocation rules will be set for the pool.

1. (Optional) Choose **Tags** for the pool.

1. When you’ve finished configuring your pool, choose **Create pool**.

1. See [Allocate CIDRs from an IPAM pool](allocate-cidrs-ipam.md).

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.

Use the following AWS CLI commands to create an IPv6 development pool in your IPAM:

1. Get the ID of the scope that you want to create the pool in: [describe-ipam-scopes](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-scopes.html)

1. Get the ID of the pool that you want to create the pool in: [describe-ipam-pools](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-pools.html)

1. Create the pool: [create-ipam-pool](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-ipam-pool.html)

1. View the new pool: [describe-ipam-pools](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-pools.html)

------

Repeat these steps to create additional development pools within the IPv6 Regional pool, as needed.

# Allocate CIDRs from an IPAM pool
<a name="allocate-cidrs-ipam"></a>

One important feature of IPAM is the ability to allocate and manage IP address space. When creating a VPC, you must specify an IP address CIDR block, which defines the range of IP addresses available for that VPC. IPAM simplifies this process by providing a global view of your entire IP address inventory, helping you strategically assign and reuse IP prefixes across multiple VPCs.

This address space allocation is crucial for ensuring there are no overlapping IP ranges, which could cause routing conflicts and connectivity issues. IPAM also enables you to reserve IP address space for future VPC expansion, avoiding the need for complex renumbering later.

Follow the steps in this section to allocate a CIDR from an IPAM pool to a resource.

**Note**  
The terms *provision* and *allocate* are used throughout this user guide and the IPAM console. *Provision* is used when you add a CIDR to an IPAM pool. *Allocate* is used when you associate a CIDR from an IPAM pool with a resource.

You can allocate CIDRs from an IPAM pool in the following ways:
+ Use an AWS service that's integrated with IPAM, such as Amazon VPC, and select the option to use an IPAM pool for the CIDR. IPAM automatically creates the allocation in the pool for you.
+ Manually allocate a CIDR within an IPAM pool to reserve it for later use with an AWS service that's integrated with IPAM, such as Amazon VPC.

This section walks you through both options: how to use the AWS services integrated with IPAM to allocate a CIDR from an IPAM pool, and how to manually reserve IP address space.

**Topics**
+ [

# Create a VPC that uses an IPAM pool CIDR
](create-vpc-ipam.md)
+ [

# Manually allocate a CIDR to a pool to reserve IP address space
](manually-allocate-ipam.md)

# Create a VPC that uses an IPAM pool CIDR
<a name="create-vpc-ipam"></a>

With Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically isolated virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

A *virtual private cloud* (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can specify an IP address range for the VPC, add subnets, add gateways, and associate security groups.

Follow the steps in [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the *Amazon VPC User Guide*. When you reach the step to choose a CIDR for the VPC, you will have an option to use a CIDR from an IPAM pool.

If you choose the option to use an IPAM pool when you create the VPC, AWS allocates a CIDR in the IPAM pool. You can view the allocation in IPAM by choosing a pool in the content pane of the IPAM console and viewing the Resources tab for the pool.

**Note**  
For complete instructions using the AWS CLI, including creating a VPC, see the [Tutorials for Amazon VPC IP Address Manager](tutorials-ipam.md) section.

# Manually allocate a CIDR to a pool to reserve IP address space
<a name="manually-allocate-ipam"></a>

Follow the steps in this section to manually allocate a CIDR to a pool. You might do this in order to reserve a CIDR within an IPAM pool for later use. You can also reserve space in your IPAM pool to represent an on-premises network. IPAM will manage that reservation for you and indicate if any CIDRs overlap with your on-premises IP space.

------
#### [ AWS Management Console ]

**To manually allocate a CIDR**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. In the content pane, choose a pool.

1. Choose **Actions** > **Create custom allocation**.

1. Choose whether to add a specific CIDR to allocate (for example, `10.0.0.0/24` for IPv4 or `2001:db8::/52` for IPv6) or add a CIDR by size by choosing the netmask length only (for example, `/24` for IPv4 or `/52` for IPv6).

1. Choose **Allocate**.

1. You can view the allocation in IPAM by choosing **Pools** in the navigation pane, choosing a pool, and viewing the **Allocations** tab for the pool.

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.

Use the following AWS CLI commands to manually allocate a CIDR to a pool:

1. Get the ID of the IPAM pool that you want to create the allocation in: [describe-ipam-pools](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-ipam-pools.html).

1. Create the allocation, specifying either `--cidr` (a specific CIDR) or `--netmask-length` (the first available block of that size): [allocate-ipam-pool-cidr](https://docs.aws.amazon.com/cli/latest/reference/ec2/allocate-ipam-pool-cidr.html).

1. View the allocation: [get-ipam-pool-allocations](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-ipam-pool-allocations.html).

------

To release a manually allocated CIDR, see [Release an allocation](release-alloc-ipam.md).
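The two rules this page relies on, that a development pool can only be provisioned with space its Regional pool already holds, and that an allocation (by specific CIDR or by netmask length) must not overlap anything already allocated in the pool, including a manual reservation that stands in for an on-premises network, can be exercised offline. The following is an added example, not AWS or IPAM code: it models those rules with the standard-library `ipaddress` module so the rejections can be seen without an account. The `Pool` class, its `min_netmask`/`max_netmask` fields, the `resource_type` labels and all addresses (RFC documentation prefixes) are constructed for the example.

```python
"""Offline model of IPAM provisioning and allocation rules (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class IpamError(Exception):
    """Stands in for the error the service returns when a request is rejected."""


@dataclass
class Pool:
    name: str
    source: Optional["Pool"] = None      # pool above this one; None for a top-level pool
    min_netmask: Optional[int] = None    # allocation rules (hypothetical field names):
    max_netmask: Optional[int] = None    # allocations no larger than /min, no smaller than /max
    cidrs: List[Network] = field(default_factory=list)     # provisioned space
    allocations: List[Dict] = field(default_factory=list)  # cidr, resource_type, description

    def provision(self, cidr: str) -> Network:
        """Add a CIDR to the pool (the page's sense of 'provision')."""
        net = ipaddress.ip_network(cidr)
        if self.cidrs and self.cidrs[0].version != net.version:
            raise IpamError(f"{self.name} is an IPv{self.cidrs[0].version} pool")
        if self.source is not None:
            # A child pool only gets space its source pool already holds; the source
            # records it as an allocation so sibling pools cannot take overlapping CIDRs.
            if not any(net.subnet_of(p) for p in self.source.cidrs if p.version == net.version):
                raise IpamError(f"{net} is not within the space provisioned to {self.source.name}")
            self.source._reject_overlap(net)
            self.source.allocations.append(
                {"cidr": net, "resource_type": "ipam-pool", "description": self.name})
        self.cidrs.append(net)
        return net

    def allocate(self, cidr: Optional[str] = None, netmask_length: Optional[int] = None,
                 resource_type: str = "custom", description: str = "") -> Network:
        """Reserve a specific CIDR, or the first free block of the given netmask length."""
        if (cidr is None) == (netmask_length is None):
            raise IpamError("specify exactly one of cidr or netmask_length")
        if cidr is not None:
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(p) for p in self.cidrs if p.version == net.version):
                raise IpamError(f"{net} is not within the space provisioned to {self.name}")
            self._check_rules(net.prefixlen)
            self._reject_overlap(net)
        else:
            self._check_rules(netmask_length)
            net = self._first_fit(netmask_length)
        self.allocations.append(
            {"cidr": net, "resource_type": resource_type, "description": description})
        return net

    def _check_rules(self, prefixlen: int) -> None:
        if self.min_netmask is not None and prefixlen < self.min_netmask:
            raise IpamError(f"/{prefixlen} is larger than the minimum netmask length /{self.min_netmask}")
        if self.max_netmask is not None and prefixlen > self.max_netmask:
            raise IpamError(f"/{prefixlen} is smaller than the maximum netmask length /{self.max_netmask}")

    def _reject_overlap(self, net: Network) -> None:
        for a in self.allocations:
            if net.overlaps(a["cidr"]):
                raise IpamError(f"{net} overlaps existing allocation {a['cidr']} "
                                f"({a['resource_type']}: {a['description']})")

    def _first_fit(self, prefixlen: int) -> Network:
        for p in self.cidrs:
            if prefixlen < p.prefixlen:
                continue
            for candidate in p.subnets(new_prefix=prefixlen):
                if not any(candidate.overlaps(a["cidr"]) for a in self.allocations):
                    return candidate
        raise IpamError(f"no free /{prefixlen} left in {self.name}")


def rejected(fn, *args, **kwargs) -> Optional[str]:
    """Run a request that should be refused and return the error text (None if it succeeded)."""
    try:
        fn(*args, **kwargs)
    except IpamError as err:
        return str(err)
    return None


def demo() -> Dict[str, Optional[str]]:
    """Walk the page's scenarios with constructed addresses."""
    out: Dict[str, Optional[str]] = {}
    regional = Pool("ipv6-regional")
    regional.provision("2001:db8::/48")
    dev = Pool("ipv6-dev", source=regional, min_netmask=56, max_netmask=64)
    dev.provision("2001:db8:0:1000::/52")
    out["dev_first"] = str(dev.allocate(netmask_length=56, resource_type="vpc", description="vpc-a"))
    out["dev_second"] = str(dev.allocate(netmask_length=56, resource_type="vpc", description="vpc-b"))
    out["dev_overlap"] = rejected(dev.allocate, cidr="2001:db8:0:1000::/60")   # inside vpc-a
    out["dev_too_large"] = rejected(dev.allocate, netmask_length=52)          # violates /56 minimum
    sibling = Pool("ipv6-dev-2", source=regional)
    out["sibling_outside"] = rejected(sibling.provision, "2001:db8:1::/52")        # not in the /48
    out["sibling_overlap"] = rejected(sibling.provision, "2001:db8:0:1000::/56")  # already ipv6-dev's
    v4 = Pool("ipv4-private")
    v4.provision("10.0.0.0/16")
    v4.allocate(cidr="10.0.0.0/20", description="on-premises data center")  # manual reservation
    out["v4_first_fit"] = str(v4.allocate(netmask_length=24, resource_type="vpc", description="vpc-c"))
    out["v4_overlap"] = rejected(v4.allocate, cidr="10.0.8.0/24", resource_type="vpc")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Allocation by netmask length is first-fit across the pool's provisioned CIDRs, skipping anything already allocated, which is why the IPv4 `/24` lands at `10.0.16.0/24` rather than inside the reserved `10.0.0.0/20`; the specific-CIDR path is the one that surfaces the overlap with the on-premises reservation as an error.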