

# Tutorial: Bring your IP addresses to IPAM

The tutorials in this section walk you through the process of bringing public IP address space to AWS and managing the space with IPAM.

Managing public IP address space with IPAM has the following benefits:
+ **Improves public IP addresses utilization across your organization**: You can use IPAM to share IP address space across AWS accounts. Without using IPAM, you cannot share your public IP space across AWS Organizations accounts.
+ **Simplifies the process of bringing public IP space to AWS**: You can use IPAM to onboard public IP address space once, and then use IPAM to distribute your public IPs across Regions to resources like EC2 instances and [application load balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-ip-pools.html). Without IPAM, you have to onboard your public IPs for each AWS Region.

**Topics**
+ [Verify domain control](tutorials-byoip-ipam-domain-verification-methods.md)
+ [Bring your own IP to IPAM using both the AWS Management Console and the AWS CLI](tutorials-byoip-ipam-console-intro.md)
+ [Bring your own IP CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-cli-only-intro.md)
+ [Bring your own IP to CloudFront using IPAM (supports IPv4 and IPv6)](tutorials-byoip-cloudfront.md)

# Verify domain control


Before you bring an IP address range to AWS, you have to use one of the options described in this section to verify that you control the IP address space. This applies to both IPv4 and IPv6 address ranges. Later, when you bring the IP address range to AWS, AWS validates that you control the IP address range. This validation ensures that customers cannot use IP ranges belonging to others, preventing routing and security issues.

There are two methods that you can use to verify that you control the range:
+ **X.509 certificate**: If your IP address range is registered with an Internet Registry that supports RDAP (such as ARIN, RIPE and APNIC), you can publish an X.509 certificate in the registry's RDAP record for the range and use it to sign a message that proves you control the range.
+ **DNS TXT record**: Regardless of whether your Internet Registry supports RDAP, you can publish an AWS-generated verification token as a DNS TXT record in the reverse DNS zone of the range to prove that you control it.

**Topics**
+ [Verify your domain with an X.509 certificate](#tutorials-byoip-ipam-domain-verification-cert)
+ [Verify your domain with a DNS TXT record](#tutorials-byoip-ipam-domain-verification-dns-txt)

## Verify your domain with an X.509 certificate


This section describes how to verify your domain with an X.509 certificate before you bring your IP address range to IPAM. 

**To verify your domain with an X.509 certificate**

1. Complete the three steps in [Prerequisites for BYOIP in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/prepare-for-byoip.html) in the *Amazon EC2 User Guide*.
**Note**  
When you create the ROAs, for IPv4 CIDRs you must set the maximum length of an IP address prefix to `/24`. For IPv6 CIDRs, if you are adding them to an advertisable pool, the maximum length of an IP address prefix must be `/48`. This ensures that you have full flexibility to divide your public IP address space across AWS Regions. IPAM enforces the maximum length you set. The maximum length is the most specific prefix (the smallest block) that the ROA authorizes to be announced. For example, if you bring a `/20` CIDR block to AWS and set the maximum length to `/24`, you can divide the larger block any way you like (such as into `/21`, `/22`, or `/24` blocks) and distribute those smaller CIDR blocks to any Region. If you were to set the maximum length to `/23`, you could not divide and advertise a `/24` from the larger block. Also note that `/24` is the smallest IPv4 block and `/48` is the smallest IPv6 block you can advertise from a Region to the internet.

1. Complete steps 1 and 2 only under [Provision a publicly advertisable address range in AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-provision) in the *Amazon EC2 User Guide*, **and don't provision the address range (step 3) yet**. Save the `text_message` and `signed_message`. You'll need them later in this process.
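As an added example (not from the AWS documentation), the following script applies the maximum-length rule from the note above to a planned split of a BYOIP block, and shows the same rule from the router side as a basic RFC 6811 origin-validation check of one announcement against one ROA. The prefixes and the ASNs it uses (64496 and 64497, from the documentation range) are constructed for the illustration; the origin ASNs you must actually authorize are given in the EC2 prerequisites linked in step 1.

```python
"""Check a planned BYOIP split against the ROA maxLength and the AWS floors.

Added example; not part of the AWS documentation. It encodes the rule in the
note above: a ROA's maximum length is the most specific prefix it authorizes,
IPAM will not advertise anything more specific, and nothing more specific
than a /24 (IPv4) or /48 (IPv6) is ever advertised from a Region. The
prefixes and ASNs below (64496, 64497) are constructed for the illustration.
"""
import ipaddress
from typing import List, Tuple

# Smallest block AWS advertises to the internet from a Region, per the note above.
ADVERTISE_FLOOR = {4: 24, 6: 48}


def roa_validity(roa_prefix: str, roa_max_length: int, roa_asn: int,
                 announced_prefix: str, announced_asn: int) -> str:
    """RFC 6811-style origin validation of one announcement against one ROA.

    "valid":     covered by the ROA, not longer than maxLength, origin ASN matches
    "invalid":   covered by the ROA but fails the length or ASN test
    "not-found": the ROA does not cover the announced prefix at all
    """
    roa = ipaddress.ip_network(roa_prefix)
    announced = ipaddress.ip_network(announced_prefix)
    if roa.version != announced.version or not announced.subnet_of(roa):
        return "not-found"
    if announced.prefixlen > roa_max_length or announced_asn != roa_asn:
        return "invalid"
    return "valid"


def plan_regional_cidrs(byoip_cidr: str, roa_max_length: int,
                        regional_cidrs: List[str]) -> List[Tuple[str, str]]:
    """For each CIDR you intend to carve into a Regional pool, report whether it is advertisable.

    Returns (cidr, reason) pairs, where reason is "ok" or why AWS would reject it.
    """
    parent = ipaddress.ip_network(byoip_cidr)
    floor = ADVERTISE_FLOOR[parent.version]
    report = []
    for cidr in regional_cidrs:
        child = ipaddress.ip_network(cidr)
        if child.version != parent.version or not child.subnet_of(parent):
            report.append((cidr, f"not inside {byoip_cidr}"))
        elif child.prefixlen > floor:
            report.append((cidr, f"more specific than /{floor}, the smallest block AWS advertises"))
        elif child.prefixlen > roa_max_length:
            report.append((cidr, f"more specific than the ROA maximum length /{roa_max_length}"))
        else:
            report.append((cidr, "ok"))
    return report


if __name__ == "__main__":
    split = ["198.18.0.0/21", "198.18.8.0/22", "198.18.15.0/24"]
    # maxLength /24, as the note requires: every piece of the /20 can be advertised.
    print(plan_regional_cidrs("198.18.0.0/20", 24, split))
    # maxLength /23: the /24 can no longer be advertised on its own.
    print(plan_regional_cidrs("198.18.0.0/20", 23, split))
    # The same rule as a router doing origin validation would see it.
    print(roa_validity("198.18.0.0/20", 23, 64496, "198.18.15.0/24", 64496))  # invalid
```

Run `plan_regional_cidrs` over the CIDRs you intend to provision into Regional pools before you create the ROA; a CIDR that comes back as anything other than `ok` will either be rejected by IPAM or, if you set the ROA maximum length too short, will be provisioned but can never be advertised.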

When you've completed these steps, continue with [Bring your own IP to IPAM using both the AWS Management Console and the AWS CLI](tutorials-byoip-ipam-console-intro.md) or [Bring your own IP CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-cli-only-intro.md).

## Verify your domain with a DNS TXT record


Complete the steps in this section to verify your domain with a DNS TXT record before you bring your IP address range to IPAM.

You can use DNS TXT records to validate that you control a public IP address range. A TXT record holds free-form text for a DNS name; here it holds an AWS-generated verification token published in the reverse DNS zone of your range. This method lets you bring IP addresses registered with any internet registry (such as JPNIC, LACNIC, and AFRINIC), not just those that support RDAP (Registration Data Access Protocol) record-based validation (such as ARIN, RIPE and APNIC).

**Important**  
Before you can continue, you must have already created an IPAM in the Free or Advanced Tier. If you don’t have an IPAM, complete [Create an IPAM](create-ipam.md) first.

**Topics**
+ [Step 1: Create a ROA if you don't have one](#tutorials-byoip-ipam-domain-verification-dns-txt-roa)
+ [Step 2. Create a verification token](#tutorials-byoip-ipam-domain-verification-dns-txt-token)
+ [Step 3. Set up the DNS zone and TXT record](#tutorials-byoip-ipam-domain-verification-dns-txt-dns)

### Step 1: Create a ROA if you don't have one


You must have a Route Origin Authorization (ROA) in your Regional Internet Registry (RIR) for IP address ranges you wish to advertise. If you don’t have a ROA in your RIR, complete [3. Create a ROA object in your RIR](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-create-roa-object) in the *Amazon EC2 User Guide*. Ignore the other steps. 

The most specific IPv4 address range that you can bring is /24. The most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.

### Step 2. Create a verification token


A verification token is an AWS-generated random value that you can use to prove control of an external resource. For example, you can use a verification token to validate that you control a public IP address range when you bring an IP address range to AWS (BYOIP). 

Complete the steps in this section to create a verification token which you'll need in a later step in this tutorial to bring your IP address range to IPAM. Use the instructions below for either the AWS console or the AWS CLI.

------
#### [ AWS Management Console ]

**To create a verification token**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the AWS Management Console, choose the AWS Region where you created your IPAM.

1. In the left navigation pane, choose **IPAMs**.

1. Choose your IPAM and then choose the **Verification tokens** tab.

1. Select **Create verification token**.

1. After you create the token, leave this browser tab open. You’ll need the **Token name** and **Token value** in the next step, and the **Token ID** in a later step.

Note the following:
+ Once you create a verification token, you can reuse the token for multiple BYOIP CIDRs that you provision from your IPAM within 72 hours. If you want to provision more CIDRs after 72 hours, you need a new token.
+ You can create up to 100 tokens. If you reach the limit, delete expired tokens.

------
#### [ Command line ]
+ Request that IPAM creates a verification token that you will use for the DNS configuration with [create-ipam-external-resource-verification-token](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-ipam-external-resource-verification-token.html):

  ```
  aws ec2 create-ipam-external-resource-verification-token --ipam-id ipam-id
  ```

  This returns the token ID (`IpamExternalResourceVerificationTokenId`), the `TokenName` and `TokenValue` that you will publish in DNS, and the expiration time (`NotAfter`) of the token:

  ```
  {
      "IpamExternalResourceVerificationToken": {
          "IpamExternalResourceVerificationTokenId": "ipam-ext-res-ver-token-0309ce7f67a768cf0",
          "IpamId": "ipam-0f9e8725ac3ae5754",
          "TokenValue": "a34597c3-5317-4238-9ce7-50da5b6e6dc8",
          "TokenName": "86950620",
          "NotAfter": "2024-05-19T14:28:15.927000+00:00",
          "Status": "valid",
          "Tags": [],
          "State": "create-in-progress"
      }
  }
  ```

Note the following:
+ Once you create a verification token, you can reuse the token for multiple BYOIP CIDRs that you provision from your IPAM within 72 hours. If you want to provision more CIDRs after 72 hours, you need a new token.
+ You can view your tokens using [describe-ipam-external-resource-verification-tokens](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-ipam-external-resource-verification-tokens.html).
+ You can create up to 100 tokens. If you reach the limit, you can delete expired tokens using [delete-ipam-external-resource-verification-token](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-ipam-external-resource-verification-token.html).

------

### Step 3. Set up the DNS zone and TXT record


Complete the steps in this section to set up the DNS zone and TXT record. If you are not using Route 53 as your DNS, follow the documentation provided by your DNS provider to set up a DNS zone and add a TXT record.

If you are using Route 53, note the following:
+ To create a Reverse Lookup Zone in the AWS console, see [Creating a public hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html) in the *Amazon Route 53 Developer Guide*, or use the AWS CLI command [create-hosted-zone](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53/create-hosted-zone.html). 
+ To create a record in the Reverse Lookup Zone in the AWS console, see [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) in the *Amazon Route 53 Developer Guide*, or use the AWS CLI command [change-resource-record-sets](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53/change-resource-record-sets.html). 
+ After you have created your hosted zone, delegate the reverse zone from your RIR to the name servers provided by Route 53 (see, for example, [LACNIC](https://www.lacnic.net/1017/2/lacnic/reverse-dns-resolution) or [APNIC](https://www.apnic.net/manage-ip/manage-resources/reverse-dns/)). Until the RIR delegation is in place, AWS cannot resolve your TXT record.

Whether you are using another DNS provider or Route 53, when you set up the TXT record, note the following:
+ The record name is the token name, as a label directly under the reverse DNS zone of the range.
+ The record type is TXT.
+ The record value is the token value.

Example:
+ **Name**: `86950620.113.0.203.in-addr.arpa`
+ **Type**: `TXT`
+ **ResourceRecords Value**: `a34597c3-5317-4238-9ce7-50da5b6e6dc8`

Where:
+ `86950620` is the verification token name.
+ `113.0.203.in-addr.arpa` is the Reverse Lookup Zone name.
+ `TXT` is the record type.
+ `a34597c3-5317-4238-9ce7-50da5b6e6dc8` is the verification token value.

**Note**  
Depending on the size of the prefix you bring to IPAM with BYOIP, you must create one or more authentication records in DNS. These records are of type TXT and must be placed in the reverse zone of the prefix itself or of its parent prefix.  
For IPv4, authentication records must align to the octet-boundary ranges that make up the prefix.  
**Examples**  
For 198.18.123.0/24, which is already aligned at an octet boundary, you need a single authentication record:  
`token-name.123.18.198.in-addr.arpa. IN TXT "token-value"`  
For 198.18.12.0/22, which is not aligned at an octet boundary, you need four authentication records. They must cover the subnets 198.18.12.0/24, 198.18.13.0/24, 198.18.14.0/24, and 198.18.15.0/24, which are aligned at an octet boundary. The corresponding DNS entries are:  
`token-name.12.18.198.in-addr.arpa. IN TXT "token-value"`  
`token-name.13.18.198.in-addr.arpa. IN TXT "token-value"`  
`token-name.14.18.198.in-addr.arpa. IN TXT "token-value"`  
`token-name.15.18.198.in-addr.arpa. IN TXT "token-value"`  
For 198.18.0.0/16, which is already aligned at an octet boundary, you need a single authentication record:  
`token-name.18.198.in-addr.arpa. IN TXT "token-value"`  
For IPv6, authentication records must align to the nibble-boundary (4-bit) ranges that make up the prefix. Nibble-aligned prefix lengths include 32, 36, 40, 44, 48, 52, 56, and 60.  
**Examples**  
For 2001:db8::/40, which is already aligned at a nibble boundary, you need a single authentication record:  
`token-name.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
For 2001:db8:80::/42, which is not aligned at a nibble boundary, you need four authentication records. They must cover the subnets 2001:db8:80::/44, 2001:db8:90::/44, 2001:db8:a0::/44, and 2001:db8:b0::/44, which are aligned at a nibble boundary. The corresponding DNS entries are:  
`token-name.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
`token-name.9.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
`token-name.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
`token-name.b.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
For the non-advertised range 2001:db8:0:1000::/54, which is not aligned at a nibble boundary, you need four authentication records. They must cover the subnets 2001:db8:0:1000::/56, 2001:db8:0:1100::/56, 2001:db8:0:1200::/56, and 2001:db8:0:1300::/56, which are aligned at a nibble boundary. The corresponding DNS entries are:  
`token-name.0.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
`token-name.1.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
`token-name.2.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
`token-name.3.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN TXT "token-value"`  
To check that you have the right number of hexadecimal labels between *token-name* and `ip6.arpa`, multiply the number of labels by four; the result must equal the nibble-aligned prefix length. For example, a /56 prefix needs 14 hexadecimal labels.
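The record-placement rules in the note above, as an added example that is not part of the AWS documentation: given a CIDR and the token name, the script computes the owner name of every TXT record IPAM expects (splitting an unaligned prefix into its octet- or nibble-aligned sub-prefixes), renders them as zone-file lines, and runs a pre-flight check against whatever TXT lookup you wire in. The token name and value are the ones from the example above; the `lookup_txt` callback and the simulated DNS answers in the demo are constructed for the illustration, not real DNS data.

```python
"""Compute and check the reverse-zone TXT records IPAM expects for a BYOIP CIDR.

Added example; not part of the AWS documentation. It implements the rule in
the note above: IPv4 authentication records sit on octet (8-bit) boundaries
and IPv6 records on nibble (4-bit) boundaries, so an unaligned prefix is
split into the aligned sub-prefixes it covers, each needing its own record
named <token-name>.<reverse zone of the sub-prefix>.
"""
import ipaddress
from typing import Callable, Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Most specific prefix you can bring (from "Step 1: Create a ROA" above).
MOST_SPECIFIC = {4: 24, 6: 48}
MOST_SPECIFIC_IPV6_NOT_ADVERTISED = 60


def aligned_prefix_length(net: Network) -> int:
    """Round the prefix length up to the next octet (IPv4) or nibble (IPv6) boundary."""
    step = 8 if net.version == 4 else 4
    return -(-net.prefixlen // step) * step  # ceiling division


def reverse_zone(net: Network) -> str:
    """Reverse DNS zone for an octet- or nibble-aligned network."""
    if net.version == 4:
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa"
    else:
        # exploded form keeps leading zeros, so each hex digit is one nibble label
        labels = list(net.network_address.exploded.replace(":", "")[: net.prefixlen // 4])
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix


def authentication_record_names(cidr: str, token_name: str, advertised: bool = True) -> List[str]:
    """Owner names of every TXT record needed to authenticate `cidr`.

    Raises ValueError when the prefix is more specific than IPAM accepts.
    """
    net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
    limit = MOST_SPECIFIC[net.version]
    if net.version == 6 and not advertised:
        limit = MOST_SPECIFIC_IPV6_NOT_ADVERTISED
    if net.prefixlen > limit:
        raise ValueError(f"{cidr}: the most specific prefix you can bring is /{limit}")
    # An aligned prefix yields itself; an unaligned one yields 2^(aligned - prefixlen) sub-prefixes.
    return [f"{token_name}.{reverse_zone(sub)}"
            for sub in net.subnets(new_prefix=aligned_prefix_length(net))]


def zone_file_lines(cidr: str, token_name: str, token_value: str, advertised: bool = True) -> List[str]:
    """The same records in zone-file syntax, as shown in the examples above."""
    return [f'{name}. IN TXT "{token_value}"'
            for name in authentication_record_names(cidr, token_name, advertised)]


def check_records(cidr: str, token_name: str, token_value: str,
                  lookup_txt: Callable[[str], List[str]],
                  advertised: bool = True) -> Dict[str, bool]:
    """Pre-flight check: does every required name publish the token value?

    `lookup_txt(name)` must return the TXT strings for `name` (wire it to
    dnspython or `dig +short TXT` in practice) or raise LookupError when the
    name does not exist. Names that are missing or carry a different value
    map to False, which is exactly what would make provisioning fail.
    """
    result: Dict[str, bool] = {}
    for name in authentication_record_names(cidr, token_name, advertised):
        try:
            result[name] = token_value in lookup_txt(name)
        except LookupError:
            result[name] = False
    return result


if __name__ == "__main__":
    # Token name and value from the example above; real ones come from
    # create-ipam-external-resource-verification-token.
    token_name, token_value = "86950620", "a34597c3-5317-4238-9ce7-50da5b6e6dc8"
    for cidr in ("198.18.123.0/24", "198.18.12.0/22", "2001:db8:80::/42"):
        print("\n".join(zone_file_lines(cidr, token_name, token_value)))
    # Constructed stand-in for DNS: only three of the four /44 records were published.
    published = {f"{token_name}.{h}.0.0.8.b.d.0.1.0.0.2.ip6.arpa": [token_value] for h in "89a"}
    print(check_records("2001:db8:80::/42", token_name, token_value, lambda n: published[n]))
```

Run the check from outside your own network, against a public resolver, after the RIR has delegated the reverse zone: a record that resolves only from your authoritative server will still fail AWS validation.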

When you've completed these steps, continue with [Bring your own IP to IPAM using both the AWS Management Console and the AWS CLI](tutorials-byoip-ipam-console-intro.md) or [Bring your own IP CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-cli-only-intro.md).

# Bring your own IP to IPAM using both the AWS Management Console and the AWS CLI

Bringing Your Own IP (BYOIP) to IPAM allows you to use your organization's existing IPv4 and IPv6 address ranges in AWS. This enables you to maintain consistent branding, improve network performance, enhance security, and simplify management by unifying on-premises and cloud environments under your own IP address space.

Follow these steps to bring an IPv4 or IPv6 CIDR to IPAM using both the AWS Management Console and the AWS CLI.

**Note**  
Before you begin, you must have first [verified domain control](tutorials-byoip-ipam-domain-verification-methods.md).

Once you bring an IPv4 address range to AWS, you can use all of the IP addresses in the range, including the first address (the network address) and the last address (the broadcast address).

**Topics**
+ [Bring your own IPv4 CIDR to IPAM using both the AWS Management Console and the AWS CLI](tutorials-byoip-ipam-console-ipv4.md)
+ [Bring your own IPv6 CIDR to IPAM using the AWS Management Console](tutorials-byoip-ipam-console-ipv6.md)

# Bring your own IPv4 CIDR to IPAM using both the AWS Management Console and the AWS CLI

Follow these steps to bring an IPv4 CIDR to IPAM and allocate an Elastic IP address (EIP) using both the AWS Management Console and the AWS CLI.

**Important**  
This tutorial assumes you have already completed the steps in the following sections:  
[Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
[Create an IPAM](create-ipam.md).
Each step of this tutorial must be done by one of three AWS Organizations accounts:  
The management account.
The member account configured to be your IPAM administrator in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md). In this tutorial, this account will be called the IPAM account.
The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.

**Topics**
+ [Step 1: Create AWS CLI named profiles and IAM roles](#tutorials-create-profiles)
+ [Step 2: Create a top-level IPAM pool](#tutorials-byoip-ipam-ipv4-console-create-top)
+ [Step 3. Create a Regional pool within the top-level pool](#tutorials-byoip-ipam-ipv4-console-create-reg)
+ [Step 4: Advertise the CIDR](#tutorials-byoip-ipam-ipv4-console-adv)
+ [Step 5. Share the Regional pool](#tutorials-byoip-ipam-ipv4-console-share-reg)
+ [Step 6: Allocate an Elastic IP address from the pool](#tutorials-byoip-ipam-ipv4-console-all-eip)
+ [Step 7: Associate the Elastic IP address with an EC2 instance](#tutorials-byoip-ipam-ipv4-console-assoc-eip)
+ [Step 8: Cleanup](#tutorials-byoip-ipam-ipv4-console-cleanup)
+ [Alternative to Step 6](#tutorials-byoip-ipam-ipv4-alt)

## Step 1: Create AWS CLI named profiles and IAM roles


To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch from one IAM role to another. [Named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles) are collections of settings and credentials that you refer to when using the `--profile` option with the AWS CLI. For more information about how to create IAM roles and named profiles for AWS accounts, see [Using an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).

Create one role and one named profile for each of the three AWS accounts you will use in this tutorial:
+ A profile called `management-account` for the AWS Organizations management account.
+ A profile called `ipam-account` for the AWS Organizations member account that is configured to be your IPAM administrator.
+ A profile called `member-account` for the AWS Organizations member account in your organization which will allocate CIDRs from an IPAM pool.

After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the `--profile` option with one of the named profiles to indicate which account must run the command.

## Step 2: Create a top-level IPAM pool


Complete the steps in this section to create a top-level IPAM pool.

This step must be done by the IPAM account.

**To create a pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a **Description** for the pool.

1. Under **Source**, choose **IPAM scope**.

1. Under **Address family**, choose **IPv4**.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Under **Locale**, choose **None**.

   The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR. Since we are going to create a top-level IPAM pool with a Regional pool within it, and we’re going to allocate space to an Elastic IP address from the Regional pool, you will set the locale on the Regional pool and not the top-level pool. You’ll add the locale to the Regional pool when you create the Regional pool in a later step.
**Note**  
If you are creating a single pool only and not a top-level pool with Regional pools within it, you would want to choose a Locale for this pool so that the pool is available for allocations.

1. Under **Public IP source**, choose **BYOIP**.

1. Under **CIDRs to provision**, do one of the following:
   + If you [verified your domain control with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert), you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space. 
   + If you [verified your domain control with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt), you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.

   Note that when provisioning an IPv4 CIDR to a pool within the top-level pool, the most specific IPv4 CIDR you can provision is `/24`; more specific CIDRs (such as `/25`) are not permitted.
**Important**  
While most provisioning will be completed within two hours, it may take up to one week to complete the provisioning process for publicly advertisable ranges.

1. Leave **Configure this pool's allocation rule settings** unselected.

1. (Optional) Choose **Tags** for the pool.

1. Choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.

## Step 3. Create a Regional pool within the top-level pool


Create a Regional pool within the top-level pool. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR. You’ll add the locale to the Regional pool when you create the Regional pool in this section. The `Locale` must be part of one of the operating Regions you configured when you created the IPAM. For example, a locale of *us-east-1* means that *us-east-1* must be an operating Region for the IPAM. A locale of *us-east-1-scl-1* (a network border group used for Local Zones) means that the IPAM must have an operating Region of *us-east-1*.

This step must be done by the IPAM account.

**To create a Regional pool within a top-level pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope, which is the scope of the top-level pool you created in the previous section; a Regional pool must be in the same scope as its source pool. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a **Description** for the pool.

1. Under **Source**, choose the top-level pool that you created in the previous section.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Under **Locale**, choose the locale for the pool. In this tutorial, we'll use `us-east-2` as the locale for the Regional pool. The available options come from the operating Regions that you chose when you created your IPAM.

   The locale for the pool should be one of the following:
   + An AWS Region where you want this IPAM pool to be available for allocations.
   + The network border group for an AWS Local Zone where you want this IPAM pool to be available for allocations ([supported Local Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-zone-avail)). This option is only available for IPAM IPv4 pools in the public scope.
   + An [AWS Dedicated Local Zone](https://aws.amazon.com/dedicatedlocalzones/). To create a pool within an AWS Dedicated Local Zone, enter the AWS Dedicated Local Zone in the selector input.
   + `Global` when you want to use IP addresses globally across all AWS Regions, such as CloudFront locations. The `Global` locale is only available for public IPv4 pools.

   The locale determines where allocations from the pool can be used: for example, you can only allocate a CIDR for a VPC from an IPAM pool whose locale matches the VPC’s Region. Note that once you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different from the home Region of the IPAM, the pool can still be used to allocate IP addresses.

   Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it.

1. Under **Service**, choose **EC2 (EIP/VPC)**. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is **EC2 (EIP/VPC)**, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs).

1. Under **CIDRs to provision**, choose a CIDR to provision for the pool. 
**Note**  
When provisioning a CIDR to a Regional pool within the top-level pool, the most specific IPv4 CIDR you can provision is `/24`; more specific CIDRs (such as `/25`) are not permitted. After you create the Regional pool, you can create smaller pools (such as `/25`) within the same Regional pool. Note that if you share the Regional pool or pools within it, these pools can only be used in the locale set on the same Regional pool.

1. Enable **Configure this pool's allocation rule settings**. You have the same allocation rule options here as you did when you created the top-level pool. See [Create a top-level IPv4 pool](create-top-ipam.md) for an explanation of the options that are available when you create pools. The allocation rules for the Regional pool are not inherited from the top-level pool. If you do not apply any rules here, there will be no allocation rules set for the pool.

1. (Optional) Choose **Tags** for the pool.

1. When you’ve finished configuring your pool, choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.

## Step 4: Advertise the CIDR


Once you associate an Elastic IP address (EIP) from the pool with an instance or Elastic Load Balancer (Steps 6 and 7), you can start advertising the CIDR you brought to AWS from the pool that has the **Service EC2 (EIP/VPC)** configured. In this tutorial, that's your Regional pool. By default the CIDR is not advertised, which means that addresses from it are not reachable over the internet.

This step must be done by the IPAM account.

**Note**  
The advertisement status does not restrict your ability to allocate Elastic IP addresses. Even if your BYOIPv4 CIDR is not advertised, you can still create EIPs from the IPAM pool.

**To advertise the CIDR**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose the Regional pool you created in this tutorial.

1. Choose the **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Advertise**.

1. Choose **Advertise CIDR**.

As a result, the BYOIP CIDR is advertised and the value in the **Advertising** column changes from **Withdrawn** to **Advertised**.

## Step 5. Share the Regional pool


 Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM). 

### Enable resource sharing in AWS RAM


 After you create your IPAM, you’ll want to share the regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to enable resource sharing, use the `--profile management-account` option.

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.

 You can now share an IPAM pool with other members of the organization.

### Share an IPAM pool using AWS RAM


 In this section you’ll share the regional pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you are using the AWS CLI to enable resource sharing, use the `--profile ipam-account` option.

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the public scope (the scope that contains your BYOIP pools), choose the Regional pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens. You share the pool using AWS RAM.

1. Choose **Create a resource share**.

1. In the AWS RAM console, choose **Create a resource share** again.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools,** and then choose the ARN of the pool you want to share.

1. Choose **Next**.

1. Choose the **AWSRAMPermissionIpamPoolByoipCidrImport** permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

1. Choose **Next**.

1. Under **Principals** > **Select principal type**, choose **AWS account** and enter the account ID of the account that will be bringing an IP address range to IPAM and choose **Add** .

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

1. To allow the **member-account** account to allocate IP address CIDRs from the IPAM pool, create a second resource share for the same pool with the `AWSRAMDefaultPermissionsIpamPool` managed permission. If you do this with the AWS CLI (`aws ram create-resource-share` with `--profile ipam-account`), the value for `--resource-arns` is the ARN of the Regional pool that you created in the previous section, the value for `--principals` is the account ID of the **member-account**, and the value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.

## Step 6: Allocate an Elastic IP address from the pool


Complete the steps in this section to allocate an Elastic IP address from the pool. Note that if you are using public IPv4 pools to allocate Elastic IP addresses, you can use the alternative steps in [Alternative to Step 6](#tutorials-byoip-ipam-ipv4-alt) rather than the steps in this section.

**Important**  
If you see an error related to not having permissions to call `ec2:AllocateAddress`, the managed permission currently assigned to the IPAM pool that was shared with you needs to be updated. Contact the person who created the resource share and ask them to update the managed permission `AWSRAMDefaultPermissionsIpamPool` on the pool share to the default version. For more information, see [Update a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-update.html) in the *AWS RAM User Guide*.

------
#### [ AWS Management Console ]

Follow the steps in [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide* to allocate the address, but note the following:
+ This step must be done by the member account.
+ Ensure that the AWS Region selected in the EC2 console matches the Locale option you chose when you created the Regional pool.
+ When you choose the address pool, choose the option to **Allocate using an IPv4 IPAM pool** and choose the Regional pool you created.

------
#### [ Command line ]

Allocate an address from the pool with the [allocate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/allocate-address.html) command. The `--region` you use must match the `--locale` option you chose when you created the pool in Step 2. Include the ID of the IPAM pool you created in Step 2 in `--ipam-pool-id`. Optionally, you can also choose a specific `/32` in your IPAM pool by using the `--address` option.

```
aws ec2 allocate-address --region us-east-1 --ipam-pool-id ipam-pool-07ccc86aa41bef7ce
```

Example response:

```
{
    "PublicIp": "18.97.0.41",
    "AllocationId": "eipalloc-056cdd6019c0f4b46",
    "PublicIpv4Pool": "ipam-pool-07ccc86aa41bef7ce",
    "NetworkBorderGroup": "us-east-1",
    "Domain": "vpc"
}
```

For more information, see [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide*.
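Before associating the address in Step 7, it is worth confirming that the Elastic IP really came from the shared IPAM pool and not from Amazon's own address space. The following Python script is an added example, not part of the AWS documentation: it validates the `allocate-address` response against the pool ID and locale used above, and against the BYOIP range. The pool ID and response are the tutorial's; the CIDR `18.97.0.0/24` is a hypothetical placeholder for the range you provisioned.

```python
"""Sanity-check the JSON that `aws ec2 allocate-address` returns.

Added example (not AWS documentation code). Confirms that an Elastic IP
was drawn from the BYOIP IPAM pool, in the Region matching the pool's
locale, and inside the CIDR you brought to AWS. Pipe the CLI output in:

    aws ec2 allocate-address --region us-east-1 \
        --ipam-pool-id ipam-pool-07ccc86aa41bef7ce | python3 check_eip.py
"""
import ipaddress
import json
import sys

# Constructed sample: the tutorial's example response, embedded so the
# script runs offline when nothing is piped into it.
SAMPLE_RESPONSE = """{
    "PublicIp": "18.97.0.41",
    "AllocationId": "eipalloc-056cdd6019c0f4b46",
    "PublicIpv4Pool": "ipam-pool-07ccc86aa41bef7ce",
    "NetworkBorderGroup": "us-east-1",
    "Domain": "vpc"
}"""

# The pool ID and locale are the tutorial's; the BYOIP CIDR is a
# hypothetical placeholder, replace it with the range you provisioned.
EXPECTED_POOL_ID = "ipam-pool-07ccc86aa41bef7ce"
EXPECTED_LOCALE = "us-east-1"
BYOIP_CIDR = "18.97.0.0/24"  # hypothetical, not from the tutorial


def check_allocation(response_json, pool_id, locale, byoip_cidr):
    """Return a list of problems; an empty list means the EIP passes.

    The checks mirror the tutorial's constraints: the address must come
    from the shared IPAM pool, the network border group must equal the
    pool locale, and the address must lie inside the BYOIP range.
    """
    resp = json.loads(response_json)
    problems = []

    pool = resp.get("PublicIpv4Pool")
    if pool != pool_id:
        problems.append(
            f"PublicIpv4Pool is {pool!r}, expected {pool_id!r}: the address "
            "was not drawn from the BYOIP IPAM pool"
        )

    nbg = resp.get("NetworkBorderGroup")
    if nbg != locale:
        problems.append(
            f"NetworkBorderGroup {nbg!r} does not match the pool locale {locale!r}"
        )

    try:
        addr = ipaddress.ip_address(resp["PublicIp"])
        net = ipaddress.ip_network(byoip_cidr, strict=True)
        if addr not in net:
            problems.append(f"{addr} is outside the BYOIP range {net}")
    except (KeyError, ValueError) as exc:
        problems.append(f"malformed PublicIp or CIDR: {exc}")

    return problems


if __name__ == "__main__":
    # Read the CLI response from stdin, or fall back to the embedded sample.
    raw = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    issues = check_allocation(raw, EXPECTED_POOL_ID, EXPECTED_LOCALE, BYOIP_CIDR)
    for issue in issues:
        print("PROBLEM:", issue)
    print("ok" if not issues else f"{len(issues)} problem(s) found")
    sys.exit(1 if issues else 0)
```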

------

## Step 7: Associate the Elastic IP address with an EC2 instance


Complete the steps in this section to associate the Elastic IP address with an EC2 instance.

------
#### [ AWS Management Console ]

Follow the steps in [Associate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide* to associate the Elastic IP address allocated from the IPAM pool, but note the following: When you use the AWS Management Console option, the AWS Region you associate the Elastic IP address in must match the Locale option you chose when you created the Regional pool.

This step must be done by the member account.

------
#### [ Command line ]

This step must be done by the member account. Use the `--profile member-account` option.

Associate the Elastic IP address with an instance with the [associate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/associate-address.html) command. The `--region` you associate the Elastic IP address in must match the `--locale` option you chose when you created the Regional pool.

```
aws ec2 associate-address --region us-east-1 --instance-id i-07459a6fca5b35823 --public-ip 18.97.0.41
```

Example response:

```
{
    "AssociationId": "eipassoc-06aa85073d3936e0e"
}
```

For more information, see [Associate an Elastic IP address with an instance or network interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide*.

------

## Step 8: Cleanup


Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial.

**Step 1: Withdraw the CIDR from advertising**

This step must be done by the IPAM account.

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope.

1. Choose the Regional pool you created in this tutorial.

1. Choose the **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Withdraw from advertising**.

1. Choose **Withdraw CIDR**.

As a result, the BYOIP CIDR is no longer advertised and the value in the **Advertising** column changes from **Advertised** to **Withdrawn**.

**Step 2: Disassociate the Elastic IP address**

This step must be done by the member account. If you are using the AWS CLI, use the `--profile member-account` option.
+ Complete the steps in [Disassociate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating-different) in the *Amazon EC2 User Guide* to disassociate the EIP. When you open EC2 in the AWS Management console, the AWS Region you disassociate the EIP in must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR. In this tutorial, that pool is the Regional pool.

**Step 3: Release the Elastic IP address**

This step must be done by the member account. If you are using the AWS CLI, use the `--profile member-account` option.
+ Complete the steps in [Release an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-releasing) in the *Amazon EC2 User Guide* to release an Elastic IP address (EIP) from the public IPv4 pool. When you open EC2 in the AWS Management console, the AWS Region you release the EIP in must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR.

**Step 4: Delete any RAM shares and disable RAM integration with AWS Organizations**

This step must be done by the IPAM account and management account respectively. If you are using the AWS CLI to delete the RAM shares and disable RAM integration, use the `--profile ipam-account` and `--profile management-account` options.
+ Complete the steps in [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) and [Disabling resource sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/security-disable-sharing-with-orgs.html) in the *AWS RAM User Guide*, in that order, to delete the RAM shares and disable RAM integration with AWS Organizations.

**Step 5: Deprovision the CIDRs from the Regional pool and top-level pool**

This step must be done by the IPAM account. If you are using the AWS CLI to deprovision the CIDRs, use the `--profile ipam-account` option.
+ Complete the steps in [Deprovision CIDRs from a pool](depro-pool-cidr-ipam.md) to deprovision the CIDRs from the Regional pool and then the top-level pool, in that order.

**Step 6: Delete the Regional pool and top-level pool**

This step must be done by the IPAM account. If you are using the AWS CLI to delete the pools, use the `--profile ipam-account` option.
+ Complete the steps in [Delete a pool](delete-pool-ipam.md) to delete the Regional pool and then the top-level pool, in that order.

## Alternative to Step 6


If you are using public IPv4 pools to allocate Elastic IP addresses, you can use the steps in this section rather than the steps in [Step 6: Allocate an Elastic IP address from the pool](#tutorials-byoip-ipam-ipv4-console-all-eip).

**Topics**
+ [

### Step 1: Create a public IPv4 pool
](#tutorials-byoip-ipam-ipv4-console-alt-pool)
+ [

### Step 2: Provision the public IPv4 CIDR to your public IPv4 pool
](#tutorials-byoip-ipam-ipv4-console-alt-cidr)
+ [

### Step 3: Allocate an Elastic IP address from the public IPv4 pool
](#tutorials-byoip-ipam-ipv4-console-alt-eip)
+ [

### Alternative to Step 6 cleanup
](#tutorials-byoip-ipam-ipv4-console-alt-cleanup)

### Step 1: Create a public IPv4 pool


This step should be done by the member account that will allocate an Elastic IP address.

**Note**  
This step must be done by the member account using the AWS CLI.
Public IPv4 pools and IPAM pools are managed by distinct resources in AWS. Public IPv4 pools are single account resources that enable you to convert your publicly-owned CIDRs to Elastic IP addresses. IPAM pools can be used to allocate your public space to public IPv4 pools.

**To create a public IPv4 pool using the AWS CLI**
+ Run the following command to provision the CIDR. When you run the command in this section, the value for `--region` must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR.

  ```
  aws ec2 create-public-ipv4-pool --region us-east-2 --profile member-account
  ```

  In the output, you'll see the public IPv4 pool ID. You will need this ID in the next step.

  ```
  {
      "PoolId": "ipv4pool-ec2-09037ce61cf068f9a"
  }
  ```

### Step 2: Provision the public IPv4 CIDR to your public IPv4 pool


Provision the public IPv4 CIDR to your public IPv4 pool. The value for `--region` must match the `Locale` value you chose when you created the pool that will be used for the BYOIP CIDR. The `--netmask-length` is the amount of space out of the IPAM pool that you want to bring to your public pool. The value cannot be larger than the netmask length of the IPAM pool. The least specific `--netmask-length` you can define is `24`.

**Note**  
If you are bringing a `/24` CIDR range to IPAM to share across an AWS Organization, you can provision smaller prefixes to multiple public IPv4 pools, say `/27` (using `--netmask-length 27`), rather than provisioning the entire `/24` CIDR (using `--netmask-length 24`) as is shown in this tutorial.
This step must be done by the member account using the AWS CLI.

**To provision the CIDR to the public IPv4 pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-public-ipv4-pool-cidr --region us-east-2 --ipam-pool-id ipam-pool-04d8e2d9670eeab21 --pool-id ipv4pool-ec2-09037ce61cf068f9a --netmask-length 24 --profile member-account
   ```

   In the output, you'll see the provisioned CIDR.

   ```
   {
       "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
       "PoolAddressRange": {
           "FirstAddress": "130.137.245.0",
           "LastAddress": "130.137.245.255",
           "AddressCount": 256,
           "AvailableAddressCount": 256
       }
   }
   ```

1. Run the following command to view the CIDR provisioned in the public IPv4 pool.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-2 --max-results 10 --profile member-account
   ```

   In the output, you'll see the provisioned CIDR. By default the CIDR is not advertised, which means it's not publicly accessible over the internet. You will have the chance to set this CIDR to advertised in the last step of this tutorial.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
               "Description": "",
               "PoolAddressRanges": [
                   {
                       "FirstAddress": "130.137.245.0",
                       "LastAddress": "130.137.245.255",
                       "AddressCount": 256,
                       "AvailableAddressCount": 255
                   }
               ],
               "TotalAddressCount": 256,
               "TotalAvailableAddressCount": 255,
               "NetworkBorderGroup": "us-east-2",
               "Tags": []
           }
       ]
   }
   ```

Once you create the public IPv4 pool, to view the public IPv4 pool allocated in the IPAM Regional pool, open the IPAM console and view the allocation in the Regional pool under **Allocations** or **Resources**.

### Step 3: Allocate an Elastic IP address from the public IPv4 pool


Complete the steps in [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide* to allocate an EIP from the public IPv4 pool. When you open EC2 in the AWS Management console, the AWS Region you allocate the EIP in must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR.

This step must be done by the member account. If you are using the AWS CLI, use the `--profile member-account` option.

Once you've completed these three steps, return to [Step 7: Associate the Elastic IP address with an EC2 instance](#tutorials-byoip-ipam-ipv4-console-assoc-eip) and continue until you complete the tutorial.

### Alternative to Step 6 cleanup


Complete these steps to clean up public IPv4 pools created with the alternative to Step 6. You should complete these steps after you release the Elastic IP address during the standard cleanup process in [Step 8: Cleanup](#tutorials-byoip-ipam-ipv4-console-cleanup).

**Step 1: Deprovision the public IPv4 CIDR from your public IPv4 pool**

**Important**  
This step must be done by the member account using the AWS CLI.

1. View your BYOIP CIDRs.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-2 --profile member-account
   ```

   In the output, you'll see the IP addresses in your BYOIP CIDR.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
               "Description": "",
               "PoolAddressRanges": [
                   {
                       "FirstAddress": "130.137.245.0",
                       "LastAddress": "130.137.245.255",
                       "AddressCount": 256,
                       "AvailableAddressCount": 256
                   }
               ],
               "TotalAddressCount": 256,
               "TotalAvailableAddressCount": 256,
               "NetworkBorderGroup": "us-east-2",
               "Tags": []
           }
       ]
   }
   ```

1. Run the following command to deprovision the CIDR from the public IPv4 pool.

   ```
   aws ec2 deprovision-public-ipv4-pool-cidr --region us-east-2 --pool-id ipv4pool-ec2-09037ce61cf068f9a --cidr 130.137.245.0/24 --profile member-account
   ```

1. View your BYOIP CIDRs again and ensure there are no more provisioned addresses. When you run the command in this section, the value for `--region` must match the Region of your IPAM.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-2 --profile member-account
   ```

   In the output, you'll see the IP addresses count in your public IPv4 pool.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
               "Description": "",
               "PoolAddressRanges": [],
               "TotalAddressCount": 0,
               "TotalAvailableAddressCount": 0,
               "NetworkBorderGroup": "us-east-2",
               "Tags": []
           }
       ]
   }
   ```

**Note**  
It can take some time for IPAM to discover that public IPv4 pool allocations have been removed. You cannot continue to clean up and deprovision the IPAM pool CIDR until you see that the allocation has been removed from IPAM.
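A deprovision attempt fails while any Elastic IP is still allocated from the pool, so it helps to check the `describe-public-ipv4-pools` output before running the command. The following Python script is an added example, not part of the AWS documentation: it reports how many addresses are still allocated, derives the `--cidr` value for `deprovision-public-ipv4-pool-cidr` from the `FirstAddress`/`LastAddress` pair, and only emits the command when the pool is drained. It uses the tutorial's pool ID with a constructed copy of the output in which one address is still allocated.

```python
"""Decide from `aws ec2 describe-public-ipv4-pools` output whether a public
IPv4 pool can be deprovisioned, and build the matching CLI command.

Added example (not AWS documentation code).
"""
import ipaddress
import json

# Constructed sample: the tutorial's pool after one EIP was allocated
# (255 of 256 addresses available), i.e. NOT yet safe to deprovision.
SAMPLE_BEFORE_RELEASE = """{
    "PublicIpv4Pools": [
        {
            "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
            "Description": "",
            "PoolAddressRanges": [
                {
                    "FirstAddress": "130.137.245.0",
                    "LastAddress": "130.137.245.255",
                    "AddressCount": 256,
                    "AvailableAddressCount": 255
                }
            ],
            "TotalAddressCount": 256,
            "TotalAvailableAddressCount": 255,
            "NetworkBorderGroup": "us-east-2",
            "Tags": []
        }
    ]
}"""


def range_to_cidrs(first, last):
    """Collapse a FirstAddress/LastAddress pair into CIDR strings.

    A range provisioned with --netmask-length is one aligned block, so
    this normally yields a single CIDR such as 130.137.245.0/24.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in nets]


def pool_status(describe_json, pool_id):
    """Return the pool's CIDRs, Region, allocated-address count and whether
    deprovisioning can proceed. Raises KeyError if the pool is absent."""
    data = json.loads(describe_json)
    for pool in data["PublicIpv4Pools"]:
        if pool["PoolId"] != pool_id:
            continue
        cidrs, allocated = [], 0
        for rng in pool["PoolAddressRanges"]:
            cidrs.extend(range_to_cidrs(rng["FirstAddress"], rng["LastAddress"]))
            allocated += rng["AddressCount"] - rng["AvailableAddressCount"]
        return {
            "pool_id": pool_id,
            "cidrs": cidrs,
            "region": pool["NetworkBorderGroup"],
            "allocated": allocated,
            # Every EIP must be released before the CIDR can be deprovisioned.
            "safe_to_deprovision": allocated == 0,
            # An empty range list means the deprovision has already taken effect.
            "deprovisioned": not pool["PoolAddressRanges"],
        }
    raise KeyError(f"pool {pool_id} not found in describe-public-ipv4-pools output")


def deprovision_commands(describe_json, pool_id, profile="member-account"):
    """Build one deprovision-public-ipv4-pool-cidr command per CIDR, but only
    when nothing is still allocated from the pool (otherwise an empty list)."""
    status = pool_status(describe_json, pool_id)
    if not status["safe_to_deprovision"]:
        return []
    return [
        f"aws ec2 deprovision-public-ipv4-pool-cidr --region {status['region']} "
        f"--pool-id {pool_id} --cidr {cidr} --profile {profile}"
        for cidr in status["cidrs"]
    ]


if __name__ == "__main__":
    pid = "ipv4pool-ec2-09037ce61cf068f9a"
    print(pool_status(SAMPLE_BEFORE_RELEASE, pid))  # allocated == 1, not safe
    # Simulate the state after the EIP has been released in Step 8 cleanup.
    released = SAMPLE_BEFORE_RELEASE.replace(
        '"AvailableAddressCount": 255', '"AvailableAddressCount": 256'
    )
    for cmd in deprovision_commands(released, pid):
        print(cmd)
```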

**Step 2: Delete the public IPv4 pool**

This step must be done by the member account.
+ Run the following command to delete the public IPv4 pool. When you run the command in this section, the value for `--region` must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR. In this tutorial, that pool is the Regional pool. This step must be done using the AWS CLI.

  ```
  aws ec2 delete-public-ipv4-pool --region us-east-2 --pool-id ipv4pool-ec2-09037ce61cf068f9a --profile member-account
  ```

  In the output, you'll see the return value **true**.

  ```
  {
      "ReturnValue": true
  }
  ```

  Once you delete the pool, to view the allocation unmanaged by IPAM, open the IPAM console and view the details of the Regional pool under **Allocations**.

# Bring your own IPv6 CIDR to IPAM using the AWS Management Console
IPv6 CIDR

Follow the steps in this tutorial to bring an IPv6 CIDR to IPAM and allocate a VPC with the CIDR using both the AWS Management Console and the AWS CLI.

If you do not need to advertise your IPv6 addresses over the Internet, you can provision a private GUA IPv6 address to an IPAM. For more information, see [Enable provisioning private IPv6 GUA CIDRs](enable-prov-ipv6-gua.md).

**Important**  
This tutorial assumes you have already completed the steps in the following sections:  
[Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
[Create an IPAM](create-ipam.md).
Each step of this tutorial must be done by one of three AWS Organizations accounts:  
The management account.
The member account configured to be your IPAM administrator in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md). In this tutorial, this account will be called the IPAM account.
The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.

**Topics**
+ [

## Step 1: Create a top-level IPAM pool
](#tutorials-byoip-ipam-ipv6-console-1)
+ [

## Step 2. Create a Regional pool within the top-level pool
](#tutorials-byoip-ipam-ipv6-console-2)
+ [

## Step 3. Share the Regional pool
](#tutorials-byoip-ipam-ipv4-console-4-deux)
+ [

## Step 4: Create a VPC
](#tutorials-byoip-ipam-ipv6-console-4)
+ [

## Step 5: Advertise the CIDR
](#tutorials-byoip-ipam-ipv6-console-5)
+ [

## Step 6: Cleanup
](#tutorials-byoip-ipam-ipv6-console-cleanup)

## Step 1: Create a top-level IPAM pool


Since you are going to create a top-level IPAM pool with a Regional pool within it, and we’re going to allocate space to a resource from the Regional pool, you will set the locale on the Regional pool and not the top-level pool. You’ll add the locale to the Regional pool when you create the Regional pool in a later step. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

**To create a pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a **Description** for the pool.

1. Under **Source**, choose **IPAM scope**.

1. Under **Address family**, choose **IPv6**.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Under **Locale**, choose **None**. You will set the locale on the Regional pool.

   The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.
**Note**  
If you are creating a single pool only and not a top-level pool with Regional pools within it, you would want to choose a Locale for this pool so that the pool is available for allocations.

1. Under **Public IP source**, **BYOIP** is selected by default.

1. Under **CIDRs to provision**, do one of the following:
   + If you [verified your domain control with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert), you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space. 
   + If you [verified your domain control with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt), you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.

   Note that when provisioning an IPv6 CIDR to a pool within the top-level pool, the most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.
**Important**  
While most provisioning will be completed within two hours, it may take up to one week to complete the provisioning process for publicly advertisable ranges.

1. Leave **Configure this pool's allocation rule settings** unselected.

1. (Optional) Choose **Tags** for the pool.

1. Choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.

## Step 2. Create a Regional pool within the top-level pool


Create a Regional pool within the top-level pool. A Locale is required on the pool and it must be one of the operating Regions you configured when you created the IPAM.

This step must be done by the IPAM account.

**To create a Regional pool within a top-level pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a description for the pool.

1. Under **Source**, choose the top-level pool that you created in the previous section.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Choose the locale for the pool. Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it. The available options come from the operating Regions that you chose when you created your IPAM. In this tutorial, we'll use `us-east-2` as the locale for the Regional pool.

   The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.

1. Under **Service**, choose **EC2 (EIP/VPC)**. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is **EC2 (EIP/VPC)**, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service and the Amazon VPC service (for CIDRs associated with VPCs).

1. Under **CIDRs to provision**, choose a CIDR to provision for the pool. Note that when provisioning an IPv6 CIDR to a pool within the top-level pool, the most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.

1. Enable **Configure this pool's allocation rule settings** and choose optional allocation rules for this pool:
   + **Automatically import discovered resources**: This option is not available if the **Locale** is set to **None**. If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. Note the following:
     + The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed.
     + IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant.
     + If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only.
     + If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
   + **Minimum netmask length**: The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant and the largest size CIDR block that can be allocated from the pool. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are `0` - `32`. Possible netmask lengths for IPv6 addresses are `0` - `128`.
   + **Default netmask length**: A default netmask length for allocations added to this pool.
   + **Maximum netmask length**: The maximum netmask length that will be required for CIDR allocations in this pool. This value dictates the smallest size CIDR block that can be allocated from the pool. Ensure that this value is minimum **/48**.
   + **Tagging requirements**: The tags that are required for resources to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging rules are changed on the pool, the resource may be marked as noncompliant.
   + **Locale**: The locale that will be required for resources that use CIDRs from this pool. Automatically imported resources that do not have this locale will be marked noncompliant. Resources that are not automatically imported into the pool will not be allowed to allocate space from the pool unless they are in this locale.

1. (Optional) Choose **Tags** for the pool.

1. When you’ve finished configuring your pool, choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.

## Step 3. Share the Regional pool


Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM).

### Enable resource sharing in AWS RAM


After you create your IPAM, you’ll want to share the Regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to enable resource sharing, use the `--profile management-account` option.

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.

You can now share an IPAM pool with other members of the organization.

### Share an IPAM pool using AWS RAM


In this section you’ll share the Regional pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you are using the AWS CLI to share the pool, use the `--profile ipam-account` option.

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope, choose the IPAM pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens. You share the pool using AWS RAM.

1. Choose **Create a resource share**.

1. In the AWS RAM console, choose **Create a resource share** again.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools,** and then choose the ARN of the pool you want to share.

1. Choose **Next**.

1. Choose the **AWSRAMPermissionIpamPoolByoipCidrImport** permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

1. Choose **Next**.

1. Under **Principals** > **Select principal type**, choose **AWS account**, enter the account ID of the account that will be bringing an IP address range to IPAM, and choose **Add**.

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

1. To allow the **member-account** account to allocate IP address CIDRs from the IPAM pool, create a second resource share with `AWSRAMDefaultPermissionsIpamPool`. The value for `--resource-arns` is the ARN of the IPAM pool that you created in the previous section. The value for `--principals` is the account ID of the **member-account**. The value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.

## Step 4: Create a VPC


Complete the steps in [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the *Amazon VPC User Guide*.

This step must be done by the member account.

**Note**  
When you open VPC in the AWS Management console, the AWS Region you create the VPC in must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR.
When you reach the step to choose a CIDR for the VPC, you will have an option to use a CIDR from an IPAM pool. Choose the Regional pool you created in this tutorial.

When you create the VPC, AWS allocates a CIDR in the IPAM pool to the VPC. You can view the allocation in IPAM by choosing a pool in the content pane of the IPAM console and viewing the **Allocations** tab for the pool.

## Step 5: Advertise the CIDR


Once you create the VPC, you can start advertising the CIDR you brought to AWS from the pool that has the **Service EC2 (EIP/VPC)** configured. In this tutorial, that's your Regional pool. By default the CIDR is not advertised, which means it's not publicly accessible over the internet.

This step must be done by the IPAM account.

**To advertise the CIDR**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose the Regional pool you created in this tutorial.

1. Choose the **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Advertise**.

1. Choose **Advertise CIDR**.

As a result, the BYOIP CIDR is advertised and the value in the **Advertising** column changes from **Withdrawn** to **Advertised**.

## Step 6: Cleanup


Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial.

**Step 1: Withdraw the CIDR from advertising**

This step must be done by the IPAM account.

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope.

1. Choose the Regional pool you created in this tutorial.

1. Choose the **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Withdraw from advertising**.

1. Choose **Withdraw CIDR**.

As a result, the BYOIP CIDR is no longer advertised and the value in the **Advertising** column changes from **Advertised** to **Withdrawn**.

**Step 2: Delete the VPC**

This step must be done by the member account.
+ Complete the steps in [Delete a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/delete-vpc.html) in the *Amazon VPC User Guide* to delete the VPC. When you open VPC in the AWS Management Console, the AWS Region you delete the VPC from must match the `Locale` option you chose when you created the pool that holds the BYOIP CIDR. In this tutorial, that pool is the Regional pool.

  When you delete the VPC, it takes time for IPAM to discover that the resource has been deleted and to deallocate the CIDR allocated to the VPC. You cannot continue to the next step in the cleanup until you see that IPAM has removed the allocation from the pool in the pool details **Allocations** tab.

**Step 3: Delete the RAM shares and disable RAM integration with AWS Organizations**

This step must be done by the IPAM account and management account respectively.
+ Complete the steps in [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) and [Disabling resource sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/security-disable-sharing-with-orgs.html) in the *AWS RAM User Guide*, in that order, to delete the RAM shares and disable RAM integration with AWS Organizations.

**Step 4: Deprovision the CIDRs from the Regional pool and top-level pool**

This step must be done by the IPAM account.
+ Complete the steps in [Deprovision CIDRs from a pool](depro-pool-cidr-ipam.md) to deprovision the CIDRs from the Regional pool and then the top-level pool, in that order.

**Step 5: Delete the Regional pool and top-level pool**

This step must be done by the IPAM account.
+ Complete the steps in [Delete a pool](delete-pool-ipam.md) to delete the Regional pool and then the top-level pool, in that order.

# Bring your own IP CIDR to IPAM using only the AWS CLI
BYOIP with AWS CLI only

Bringing Your Own IP (BYOIP) to IPAM allows you to use your organization's existing IPv4 and IPv6 address ranges in AWS. This enables you to maintain consistent branding, improve network performance, enhance security, and simplify management by unifying on-premises and cloud environments under your own IP address space.

Follow these steps to bring an IPv4 or IPv6 CIDR to IPAM using only the AWS CLI.

**Note**  
Before you begin, you must have first [verified domain control](tutorials-byoip-ipam-domain-verification-methods.md).

Once you bring an IPv4 address range to AWS, you can use all of the IP addresses in the range, including the first address (the network address) and the last address (the broadcast address).

**Topics**
+ [Bring your own public IPv4 CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-ipv4.md)
+ [Bring your own IPv6 CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-ipv6.md)

# Bring your own public IPv4 CIDR to IPAM using only the AWS CLI
IPv4 CIDR

Follow these steps to bring an IPv4 CIDR to IPAM and allocate an Elastic IP address (EIP) with the CIDR using only the AWS CLI.

**Important**  
This tutorial assumes you have already completed the steps in the following sections:  
[Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
[Create an IPAM](create-ipam.md).
Each step of this tutorial must be done by one of three AWS Organizations accounts:  
The management account.
The member account configured to be your IPAM administrator in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md). In this tutorial, this account will be called the IPAM account.
The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.

**Topics**
+ [Step 1: Create AWS CLI named profiles and IAM roles](#tutorials-create-profiles)
+ [Step 2: Create an IPAM](#tutorials-byoip-ipam-ipv4-2)
+ [Step 3: Create a top-level IPAM pool](#tutorials-byoip-ipam-ipv4-3)
+ [Step 4: Provision a CIDR to the top-level pool](#tutorials-byoip-ipam-ipv4-4)
+ [Step 5: Create a Regional pool within the top-level pool](#tutorials-byoip-ipam-ipv4-5)
+ [Step 6: Provision a CIDR to the Regional pool](#tutorials-byoip-ipam-ipv4-6)
+ [Step 7: Advertise the CIDR](#tutorials-byoip-ipam-ipv4-11)
+ [Step 8: Share the Regional pool](#tutorials-byoip-ipam-ipv4-console-4-deux)
+ [Step 9: Allocate an Elastic IP address from the pool](#tutorials-byoip-ipam-ipv4-console-cli-all-eip)
+ [Step 10: Associate the Elastic IP address with an EC2 instance](#tutorials-byoip-ipam-ipv4-console-cli-assoc-eip)
+ [Step 11: Cleanup](#tutorials-byoip-ipam-ipv4-cli-cleanup)
+ [Alternative to Step 9](#tutorials-byoip-ipam-ipv4-cli-alt)

## Step 1: Create AWS CLI named profiles and IAM roles


To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch from one IAM role to another. [Named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles) are collections of settings and credentials that you refer to when using the `--profile` option with the AWS CLI. For more information about how to create IAM roles and named profiles for AWS accounts, see [Using an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).

Create one role and one named profile for each of the three AWS accounts you will use in this tutorial:
+ A profile called `management-account` for the AWS Organizations management account.
+ A profile called `ipam-account` for the AWS Organizations member account that is configured to be your IPAM administrator.
+ A profile called `member-account` for the AWS Organizations member account in your organization which will allocate CIDRs from an IPAM pool.

After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the `--profile` option with one of the named profiles to indicate which account must run the command.
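The following `~/.aws/config` fragment is an added example of what the three named profiles can look like; it is not part of the original tutorial. It assumes a `base` profile whose long-lived credentials (or SSO session) belong to the account you sign in from, and the account IDs, role names and MFA device ARN are placeholders that you replace with your own.

```ini
# ~/.aws/config (added example; account IDs, role names and the MFA ARN are placeholders)

# Source credentials. Keep the static keys, or an SSO session, on this profile only;
# every other profile assumes a role from it, so nothing else needs long-lived keys.
[profile base]
region = us-east-1

# AWS Organizations management account: only used to enable RAM sharing with the organization.
[profile management-account]
role_arn = arn:aws:iam::111111111111:role/IpamTutorialOrgAdmin
source_profile = base
mfa_serial = arn:aws:iam::999999999999:mfa/ipam-operator
role_session_name = ipam-tutorial
region = us-east-1

# Delegated IPAM administrator account: creates pools, provisions and advertises the CIDR.
[profile ipam-account]
role_arn = arn:aws:iam::222222222222:role/IpamTutorialIpamAdmin
source_profile = base
mfa_serial = arn:aws:iam::999999999999:mfa/ipam-operator
role_session_name = ipam-tutorial
region = us-east-1

# Member account: only allocates Elastic IP addresses from the shared pool.
[profile member-account]
role_arn = arn:aws:iam::333333333333:role/IpamTutorialMember
source_profile = base
mfa_serial = arn:aws:iam::999999999999:mfa/ipam-operator
role_session_name = ipam-tutorial
region = us-west-2
```

Each role's trust policy must allow the `base` principal to assume it. `mfa_serial` makes the CLI prompt for a code before calling `sts:AssumeRole`, which only enforces anything if the trust policy also requires `aws:MultiFactorAuthPresent`. Confirm that each profile resolves to the intended account with `aws sts get-caller-identity --profile ipam-account` (and likewise for the other two) before running anything that changes state. The tutorial's commands still pass `--region` explicitly, so the `region` lines are only defaults.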

## Step 2: Create an IPAM


This step is optional. If you already have an IPAM with operating Regions of `us-east-1` and `us-west-2`, you can skip this step. Otherwise, create an IPAM in `us-east-1` (its home Region, which is automatically an operating Region) and add `us-west-2` as an operating Region. You must select an operating Region so that you can use the locale option when you create your IPAM pool. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

Run the following command:

```
aws ec2 create-ipam --description my-ipam --region us-east-1 --operating-regions RegionName=us-west-2 --profile ipam-account
```

In the output, you'll see the IPAM you've created. Note the value for `PublicDefaultScopeId`. You will need your public scope ID in the next step. You are using the public scope because BYOIP CIDRs are public IP addresses, which is what the public scope is meant for.

```
{
    "Ipam": {
        "OwnerId": "123456789012",
        "IpamId": "ipam-090e48e75758de279",
        "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
        "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
        "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
        "ScopeCount": 2,
        "Description": "my-ipam",
        "OperatingRegions": [
            {
                "RegionName": "us-east-1"
            },
            {
                "RegionName": "us-west-2"
            }
        ],
        "Tags": []
    }
}
```

## Step 3: Create a top-level IPAM pool


Complete the steps in this section to create a top-level IPAM pool.

This step must be done by the IPAM account.

**To create an IPv4 address pool for all of your AWS resources using the AWS CLI**

1. Run the following command to create an IPAM pool. Use the ID of the public scope of the IPAM that you created in the previous step.

   ```
   aws ec2 create-ipam-pool --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --description "top-level-IPv4-pool" --address-family ipv4 --profile ipam-account
   ```

   In the output, you'll see `create-in-progress`, which indicates that pool creation is in progress.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "None",
           "PoolDepth": 1,
           "State": "create-in-progress",
           "Description": "top-level-IPv4-pool",
           "AutoImport": false,
           "AddressFamily": "ipv4",
           "Tags": []
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   The following example output shows the state of the pool.

   ```
   {
       "IpamPools": [
           {
               "OwnerId": "123456789012",
               "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
               "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
               "IpamScopeType": "public",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
               "Locale": "None",
               "PoolDepth": 1,
               "State": "create-complete",
               "Description": "top-level-IPv4-pool",
               "AutoImport": false,
               "AddressFamily": "ipv4",
               "Tags": []
           }
       ]
   }
   ```

## Step 4: Provision a CIDR to the top-level pool


Provision a CIDR block to the top-level pool. Note that the most specific IPv4 CIDR you can provision for BYOIP, whether to the top-level pool or to a Regional pool within it, is `/24`; more specific CIDRs (such as `/25`) are not permitted.

**Note**  
If you [verified your domain control with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert), you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space. 
If you [verified your domain control with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt), you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.

This step must be done by the IPAM account.

**Important**  
You only need to verify domain control when you provision the BYOIP CIDR to the top-level pool. For the Regional pool within the top-level pool, you can omit the domain control option. Once you onboard your BYOIP to IPAM, you are not required to perform ownership validation again when you divide the BYOIP across Regions and accounts.

**To provision a CIDR block to the pool using the AWS CLI**

1. To provision the CIDR with certificate information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace `Message` and `Signature` values with the `text_message` and `signed_message` values that you got in [Verify your domain with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --cidr 130.137.245.0/24 --verification-method remarks-x509 --cidr-authorization-context Message="1|aws|470889052444|130.137.245.0/24|20250101|SHA256|RSAPSS",Signature="W3gdQ9PZHLjPmrnGM~cvGx~KCIsMaU0P7ENO7VRnfSuf9NuJU5RUveQzus~QmF~Nx42j3z7d65uyZZiDRX7KMdW4KadaLiClyRXN6ps9ArwiUWSp9yHM~U-hApR89Kt6GxRYOdRaNx8yt-uoZWzxct2yIhWngy-du9pnEHBOX6WhoGYjWszPw0iV4cmaAX9DuMs8ASR83K127VvcBcRXElT5URr3gWEB1CQe3rmuyQk~gAdbXiDN-94-oS9AZlafBbrFxRjFWRCTJhc7Cg3ASbRO-VWNci-C~bWAPczbX3wPQSjtWGV3k1bGuD26ohUc02o8oJZQyYXRpgqcWGVJdQ__" --profile ipam-account
   ```

   To provision the CIDR with verification token information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace `ipam-ext-res-ver-token-0309ce7f67a768cf0` with the `IpamExternalResourceVerificationTokenId` token ID that you got in [Verify your domain with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --cidr 130.137.245.0/24 --verification-method dns-token --ipam-external-resource-verification-token-id ipam-ext-res-ver-token-0309ce7f67a768cf0 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending provision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "130.137.245.0/24",
           "State": "pending-provision"
       }
   }
   ```

1. Ensure that this CIDR has been provisioned before you continue.

   **Important**  
   While most provisioning will be completed within two hours, it may take up to one week to complete the provisioning process for publicly advertisable ranges.

   Run the following command until you see a state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
   ```

   The following example output shows the state.

   ```
   {
       "IpamPoolCidrs": [
           {
               "Cidr": "130.137.245.0/24",
               "State": "provisioned"
           }
       ]
   }
   ```

## Step 5: Create a Regional pool within the top-level pool


Create a Regional pool within the top-level pool. 

The locale for the pool should be one of the following:
+ An AWS Region where you want this IPAM pool to be available for allocations.
+ The network border group for an AWS Local Zone where you want this IPAM pool to be available for allocations ([supported Local Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-zone-avail)). This option is only available for IPAM IPv4 pools in the public scope.
+ An [AWS Dedicated Local Zone](https://aws.amazon.com/dedicatedlocalzones/). To create a pool within an AWS Dedicated Local Zone, enter the AWS Dedicated Local Zone in the selector input.
+ `Global` when you want to use IP addresses globally across all AWS Regions, such as CloudFront locations. The `Global` locale is only available for public IPv4 pools.

A resource can only allocate from a pool whose locale matches it; for example, a VPC can only get a CIDR from an IPAM pool whose locale is the VPC's Region. Once you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.

The pool-management commands in this section (`create-ipam-pool` and `describe-ipam-pools`) run in the home Region of your IPAM, which is `us-east-1` in this tutorial, regardless of the locale you give the pool. The locale determines where the later commands that act on the BYOIP CIDR itself (advertising it, allocating an Elastic IP address from it, listing its allocations) must run: for those commands, `--region` must match the `--locale` of the pool that holds the BYOIP CIDR. For example, if you created the BYOIP pool with a locale of *us-east-1*, the `--region` should be *us-east-1*. If you created the BYOIP pool with a locale of *us-east-1-scl-1* (a network border group used for Local Zones), the `--region` should be *us-east-1* because that Region manages the locale *us-east-1-scl-1*.

This step must be done by the IPAM account.

Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it. The available options come from the operating Regions that you chose when you created your IPAM. In this tutorial, we'll use `us-west-2` as the locale for the Regional pool.

**Important**  
When you create the pool, you must include `--aws-service ec2`. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is `ec2`, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs). 

**To create a Regional pool using the AWS CLI**

1. Run the following command to create the pool.

   ```
   aws ec2 create-ipam-pool --description "Regional-IPv4-pool" --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --source-ipam-pool-id ipam-pool-0a03d430ca3f5c035 --locale us-west-2 --address-family ipv4 --aws-service ec2 --profile ipam-account
   ```

   In the output, you'll see IPAM creating the pool.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0d8f3646b61ca5987",
           "SourceIpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0d8f3646b61ca5987",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-west-2",
           "PoolDepth": 2,
           "State": "create-in-progress",
           "Description": "Regional-IPv4-pool",
           "AutoImport": false,
           "AddressFamily": "ipv4",
           "Tags": [],
           "ServiceType": "ec2"
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   In the output, you see the pools that you have in your IPAM. In this tutorial, we created a top-level and a Regional pool, so you'll see them both.

## Step 6: Provision a CIDR to the Regional pool


Provision a CIDR block to the Regional pool.

**Note**  
When provisioning a CIDR to a Regional pool within the top-level pool, the most specific IPv4 CIDR you can provision is `/24`; more specific CIDRs (such as `/25`) are not permitted. After you create the Regional pool, you can create smaller pools (such as `/25`) within the same Regional pool. Note that if you share the Regional pool or pools within it, these pools can only be used in the locale set on the same Regional pool.

This step must be done by the IPAM account.

**To assign a CIDR block to the Regional pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --cidr 130.137.245.0/24 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending provision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "130.137.245.0/24",
           "State": "pending-provision"
       }
   }
   ```

1. Run the following command until you see the state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   The following example output shows the correct state.

   ```
   {
       "IpamPoolCidrs": [
           {
               "Cidr": "130.137.245.0/24",
               "State": "provisioned"
           }
       ]
   }
   ```
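The wait loops in Steps 3, 4 and 6 (and the deprovisioning and allocation checks in Step 11) are the same pattern: poll a describe/get call until a state is reached, and stop early if IPAM reports a failure. The shell functions below are an added example and are not part of the AWS documentation; they assume the named profiles from Step 1, an IPAM home Region of `us-east-1`, and a `sh`-compatible shell with the AWS CLI on the path. The pool IDs and CIDR are the ones used in this tutorial, and the CLI's `--query` (JMESPath) and `--output text` options are used so that no JSON parser is needed.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: poll IPAM with the AWS CLI until
# a pool or CIDR reaches the state the tutorial tells you to wait for.
# Assumptions: the named profiles from Step 1 exist and the IPAM home Region is
# us-east-1.

IPAM_HOME_REGION="${IPAM_HOME_REGION:-us-east-1}"
IPAM_PROFILE="${IPAM_PROFILE:-ipam-account}"

# pool_state <pool-id>: prints the pool state (create-in-progress, create-complete, ...).
# Pool-management calls always go to the IPAM home Region, whatever the pool's locale.
pool_state() {
    aws ec2 describe-ipam-pools \
        --region "$IPAM_HOME_REGION" --profile "$IPAM_PROFILE" \
        --ipam-pool-ids "$1" \
        --query 'IpamPools[0].State' --output text
}

# cidr_state <pool-id> <cidr>: prints the state of one CIDR in the pool
# (pending-provision, provisioned, pending-deprovision, deprovisioned, failed-*).
# Prints "none" when the CIDR is not (or no longer) in the pool.
cidr_state() {
    state=$(aws ec2 get-ipam-pool-cidrs \
        --region "$IPAM_HOME_REGION" --profile "$IPAM_PROFILE" \
        --ipam-pool-id "$1" \
        --query "IpamPoolCidrs[?Cidr=='$2'].State | [0]" --output text) || state=""
    if [ -z "$state" ] || [ "$state" = "None" ]; then
        printf 'none\n'
    else
        printf '%s\n' "$state"
    fi
}

# allocation_count <pool-id> <locale-region>: number of allocations IPAM still
# tracks for the pool. This call runs in the pool's locale Region (us-west-2 for
# the tutorial's Regional pool), not in the IPAM home Region.
allocation_count() {
    aws ec2 get-ipam-pool-allocations \
        --region "$2" --profile "$IPAM_PROFILE" --ipam-pool-id "$1" \
        --query 'length(IpamPoolAllocations)' --output text
}

# wait_for <expected> <probe> [probe args...]: re-run the probe until it prints
# <expected>. Returns 0 on success, 1 when WAIT_MAX_TRIES is exhausted, 2 as soon
# as a failed-* / *-failed state appears (a failed provisioning attempt is
# reported instead of being waited out), 3 if the probe itself fails.
# WAIT_INTERVAL is in seconds (default 60); WAIT_MAX_TRIES defaults to 10080,
# one week at 60 s, the upper bound the tutorial gives for advertisable ranges.
wait_for() {
    expected="$1"; shift
    tries=0
    while [ "$tries" -lt "${WAIT_MAX_TRIES:-10080}" ]; do
        current=$("$@") || return 3
        case "$current" in
            "$expected") printf 'reached %s\n' "$expected"; return 0 ;;
            failed-*|*-failed) printf 'error: state is %s\n' "$current" >&2; return 2 ;;
        esac
        tries=$((tries + 1))
        sleep "${WAIT_INTERVAL:-60}"
    done
    printf 'error: gave up after %s tries waiting for %s\n' "$tries" "$expected" >&2
    return 1
}

# Usage, following the tutorial's steps:
#   wait_for create-complete pool_state ipam-pool-0a03d430ca3f5c035                   # Step 3
#   wait_for provisioned     cidr_state ipam-pool-0a03d430ca3f5c035 130.137.245.0/24  # Step 4
#   wait_for provisioned     cidr_state ipam-pool-0d8f3646b61ca5987 130.137.245.0/24  # Step 6
#   wait_for 0               allocation_count ipam-pool-0d8f3646b61ca5987 us-west-2   # Step 11
#   wait_for deprovisioned   cidr_state ipam-pool-0d8f3646b61ca5987 130.137.245.0/24  # Step 11
```

The failure check matters more than the loop itself: a CIDR that lands in `failed-provision` never becomes `provisioned`, so a loop that only tests for the target state would run for the full week before giving up.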

## Step 7: Advertise the CIDR


Once the CIDR is provisioned to the pool that has `--aws-service ec2` defined (in this tutorial, the Regional pool), you can start advertising it. By default the CIDR is not advertised, which means it's not reachable over the internet. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the pool that holds the BYOIP CIDR.

This step must be done by the IPAM account.

**Note**  
The advertisement status doesn't restrict your ability to allocate Elastic IP addresses. Even if your BYOIPv4 CIDR is not advertised, you can still create EIPs from the IPAM pool, so you can allocate and associate addresses and put security groups and network ACLs in place before the range becomes reachable from the internet.

**Start advertising the CIDR using the AWS CLI**
+ Run the following command to advertise the CIDR.

  ```
  aws ec2 advertise-byoip-cidr --region us-west-2 --cidr 130.137.245.0/24 --profile ipam-account
  ```

  In the output, you'll see the CIDR is advertised.

  ```
  {
      "ByoipCidr": {
          "Cidr": "130.137.245.0/24",
          "State": "advertised"
      }
  }
  ```

## Step 8: Share the Regional pool


 Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM). 

### Enable resource sharing in AWS RAM


 After you create your IPAM, you’ll want to share the regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to enable resource sharing, use the `--profile management-account` option.

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.

 You can now share an IPAM pool with other members of the organization.

### Share an IPAM pool using AWS RAM


In this section you'll share the Regional pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you are using the AWS CLI to share the pool, use the `--profile ipam-account` option.

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the public scope, choose the Regional pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens. You share the pool using AWS RAM.

1. Choose **Create a resource share**.

1. In the AWS RAM console, choose **Create a resource share** again.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools,** and then choose the ARN of the pool you want to share.

1. Choose **Next**.

1. Choose the **AWSRAMPermissionIpamPoolByoipCidrImport** permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

1. Choose **Next**.

1. Under **Principals** > **Select principal type**, choose **AWS account** and enter the account ID of the account that will be bringing an IP address range to IPAM and choose **Add** .

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

1. To allow the **member-account** account to allocate IP address CIDRS from the IPAM pool, create a second resource share with `AWSRAMDefaultPermissionsIpamPool`. The value for `--resource-arns` is the ARN of the IPAM pool that you created in the previous section. The value for `--principals` is the account ID of the **member-account**. The value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.
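The console steps above have a direct AWS CLI equivalent, which fits this CLI-only tutorial better. The functions below are an added example, not part of the AWS documentation; they assume the named profiles from Step 1, an IPAM home Region of `us-east-1`, the Regional pool ARN from Step 5, and a placeholder member account ID (`444455556666`). They create the two resource shares the tutorial describes, one per managed permission, each scoped to a single account rather than to the whole organization.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: the AWS CLI equivalent of the
# RAM console steps. Assumes the named profiles from Step 1, an IPAM home Region
# of us-east-1, and placeholder account IDs (444455556666 is the member account).

IPAM_HOME_REGION="${IPAM_HOME_REGION:-us-east-1}"
RAM_PERMISSION_PREFIX="arn:aws:ram::aws:permission"

# Management account: let RAM share with principals inside the organization.
# Idempotent, so it is safe to run again.
enable_org_sharing() {
    aws ram enable-sharing-with-aws-organization \
        --region "$IPAM_HOME_REGION" --profile management-account
}

# permission_arn <name>: ARN of an AWS managed RAM permission.
permission_arn() {
    printf '%s/%s\n' "$RAM_PERMISSION_PREFIX" "$1"
}

# share_pool <name> <pool-arn> <member-account-id> <permission-name>
# IPAM account: create one resource share carrying one managed permission and
# one principal. The principal is checked to be a 12-digit account ID so the
# share cannot be widened by accident to an OU or organization ARN.
# Prints the ARN of the new resource share.
share_pool() {
    name="$1"; pool_arn="$2"; member_account="$3"; permission="$4"
    case "$member_account" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) printf 'error: principal must be a 12-digit account ID, got %s\n' "$member_account" >&2
           return 2 ;;
    esac
    aws ram create-resource-share \
        --region "$IPAM_HOME_REGION" --profile ipam-account \
        --name "$name" \
        --resource-arns "$pool_arn" \
        --principals "$member_account" \
        --permission-arns "$(permission_arn "$permission")" \
        --query 'resourceShare.resourceShareArn' --output text
}

# share_regional_pool <pool-arn> <member-account-id>: the two shares the tutorial
# describes. The first lets the member account bring a BYOIP CIDR into the pool,
# the second lets it allocate addresses from the pool; keeping them separate
# means each can be revoked on its own.
share_regional_pool() {
    share_pool ipam-byoip-import "$1" "$2" AWSRAMPermissionIpamPoolByoipCidrImport || return $?
    share_pool ipam-pool-allocate "$1" "$2" AWSRAMDefaultPermissionsIpamPool
}

# share_principals <resource-share-arn>: who a share actually reaches. Run this
# after creating a share to confirm that only the intended account is listed.
share_principals() {
    aws ram get-resource-share-associations \
        --region "$IPAM_HOME_REGION" --profile ipam-account \
        --association-type PRINCIPAL --resource-share-arns "$1" \
        --query 'resourceShareAssociations[].associatedEntity' --output text
}

# Usage:
#   enable_org_sharing
#   share_regional_pool arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0d8f3646b61ca5987 444455556666
#   share_principals <resource-share-arn printed by the previous command>
```

Sharing with an account ID inside the organization needs no invitation to be accepted, which is exactly why it is worth listing the principals afterwards: a share created with an organization or OU ARN by mistake would silently expose the pool to every account under it.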

## Step 9: Allocate an Elastic IP address from the pool


Complete the steps in this section to allocate an Elastic IP address from the pool. Note that if you are using public IPv4 pools to allocate Elastic IP addresses, you can use the alternative steps in [Alternative to Step 9](#tutorials-byoip-ipam-ipv4-cli-alt) rather than the steps in this section.

**Important**  
If you see an error related to not having permissions to call ec2:AllocateAddress, the managed permission currently assigned to the IPAM pool that was shared with you needs to be updated. Contact the person who created the resource share and ask them to update the managed permission `AWSRAMPermissionIpamResourceDiscovery` to the default version. For more information, see [Update a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-update.html) in the *AWS RAM User Guide *.

------
#### [ AWS Management Console ]

Follow the steps in [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide* to allocate the address, but note the following:
+ This step must be done by the member account.
+ Ensure that the AWS Region you are in within the EC2 console matches the Locale option you chose when you created the Regional pool.
+ When you choose the address pool, choose the option to **Allocate using an IPv4 IPAM pool** and choose the Regional pool you created.

------
#### [ Command line ]

Allocate an address from the pool with the [allocate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/allocate-address.html) command. The `--region` you use must match the `--locale` option you chose when you created the Regional pool in Step 5, and `--ipam-pool-id` must be the ID of that Regional pool. Optionally, you can also choose a specific `/32` in your IPAM pool by using the `--address` option. This step must be done by the member account, so use the `--profile member-account` option.

```
aws ec2 allocate-address --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile member-account
```

Example response:

```
{
    "PublicIp": "130.137.245.41",
    "AllocationId": "eipalloc-056cdd6019c0f4b46",
    "PublicIpv4Pool": "ipam-pool-0d8f3646b61ca5987",
    "NetworkBorderGroup": "us-west-2",
    "Domain": "vpc"
}
```

For more information, see [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide*.

------

## Step 10: Associate the Elastic IP address with an EC2 instance


Complete the steps in this section to associate the Elastic IP address with an EC2 instance.

------
#### [ AWS Management Console ]

Follow the steps in [Associate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide* to associate the Elastic IP address with an instance, but note the following: when you use the AWS Management Console, the AWS Region you associate the Elastic IP address in must match the Locale option you chose when you created the Regional pool.

This step must be done by the member account.

------
#### [ Command line ]

This step must be done by the member account. Use the `--profile member-account` option.

Associate the Elastic IP address with an instance with the [associate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/associate-address.html) command. The `--region` you associate the Elastic IP address in must match the `--locale` option you chose when you created the Regional pool.

```
aws ec2 associate-address --region us-west-2 --instance-id i-07459a6fca5b35823 --public-ip 130.137.245.41 --profile member-account
```

Example response:

```
{                                                
    "AssociationId": "eipassoc-06aa85073d3936e0e"
}
```

For more information, see [Associate an Elastic IP address with an instance or network interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide*.

------

## Step 11: Cleanup


Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial. For the commands that act on the BYOIP CIDR and its allocations (withdrawing the advertisement, releasing the address, and listing allocations), the value for `--region` must match the `--locale` option you entered when you created the pool that holds the BYOIP CIDR. For the commands that deprovision pool CIDRs, `--region` must be the home Region of your IPAM.

**Clean up using the AWS CLI**

1. View the EIP allocation managed in IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   The output shows the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "130.137.245.0/24",
               "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc45",
               "ResourceId": "ipv4pool-ec2-0019eed22a684e0b2",
               "ResourceType": "ec2-public-ipv4-pool",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```

1. Stop advertising the IPv4 CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 withdraw-byoip-cidr --region us-west-2 --cidr 130.137.245.0/24 --profile ipam-account
   ```

   In the output, you'll see the CIDR State has changed from **advertised** to **provisioned**.

   ```
   {
       "ByoipCidr": {
           "Cidr": "130.137.245.0/24",
           "State": "provisioned"
       }
   }
   ```

1. Release the Elastic IP address.

   This step must be done by the member account.

   ```
   aws ec2 release-address --region us-west-2 --allocation-id eipalloc-056cdd6019c0f4b46 --profile member-account
   ```

   You will not see any output when you run this command.

1. Verify that the EIP allocation is no longer managed in IPAM. It can take some time for IPAM to discover that the Elastic IP address has been released. You cannot continue to clean up and deprovision the IPAM pool CIDR until you see that the allocation has been removed from IPAM. When you run the command in this step, the value for `--region` must match the `--locale` option you entered when you created the pool that holds the BYOIP CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   The output shows that there are no longer any allocations in IPAM.

   ```
   {
       "IpamPoolAllocations": []
   }
   ```

1. Deprovision the Regional pool CIDR. When you run the commands in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --cidr 130.137.245.0/24 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending deprovision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "130.137.245.0/24",
           "State": "pending-deprovision"
       }
   }
   ```

   Deprovisioning takes time to complete. Check the status of deprovisioning.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   Wait until you see **deprovisioned** before you continue to the next step.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "130.137.245.0/24",
           "State": "deprovisioned"
       }
   }
   ```

1. Delete the RAM shares and disable RAM integration with AWS Organizations. Complete the steps in [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) and [Disabling resource sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/security-disable-sharing-with-orgs.html) in the *AWS RAM User Guide*, in that order, to delete the RAM shares and disable RAM integration with AWS Organizations.

   This step must be done by the IPAM account and the management account, respectively. If you are using the AWS CLI to delete the RAM shares and disable RAM integration, use the `--profile ipam-account` and `--profile management-account` options.

1. Delete the Regional pool. When you run the command in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   In the output, you can see the delete state.

   ```
   {
      "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0d8f3646b61ca5987",
           "SourceIpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0d8f3646b61ca5987",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-east-1",
           "PoolDepth": 2,
           "State": "delete-in-progress",
           "Description": "reg-ipv4-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv4"
       }
   }
   ```

1. Deprovision the top-level pool CIDR. When you run the commands in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --cidr 130.137.245.0/24 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending deprovision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "130.137.245.0/24",
           "State": "pending-deprovision"
       }
   }
   ```

   Deprovisioning takes time to complete. Run the following command to check the status of deprovisioning.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
   ```

   Wait until you see **deprovisioned** before you continue to the next step.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "130.137.245.0/24",
           "State": "deprovisioned"
       }
   }
   ```

1. Delete the top-level pool. When you run the command in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
   ```

   In the output, you can see the delete state.

   ```
   {
     "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-east-1",
           "PoolDepth": 2,
           "State": "delete-in-progress",
           "Description": "top-level-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv4"
       }
   }
   ```

1. Delete the IPAM. When you run the command in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam --region us-east-1 --ipam-id ipam-090e48e75758de279 --profile ipam-account
   ```

   In the output, you'll see the IPAM response. This means that the IPAM was deleted.

   ```
   {
       "Ipam": {
           "OwnerId": "123456789012",
           "IpamId": "ipam-090e48e75758de279",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
           "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
           "ScopeCount": 2,
           "OperatingRegions": [
               {
                   "RegionName": "us-east-1"
               },
               {
                   "RegionName": "us-west-2"
               }
           ]
       }
   }
   ```
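Two of the cleanup steps above gate the rest of the procedure: you must not deprovision the pool CIDR until `get-ipam-pool-allocations` returns an empty list, and you must not delete a pool until `get-ipam-pool-cidrs` reports `deprovisioned`. The following POSIX shell helpers are an added example, not part of the AWS documentation, that turn those two waits into a polling loop so a cleanup script cannot race ahead of IPAM. The functions that call `aws` are defined but not executed here, so the file runs offline against constructed copies of the tutorial's responses; the pool IDs, Regions and profile names inside them are the tutorial's values and are assumptions about your environment.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): gate the IPAM cleanup steps
# on the states IPAM actually reports. Uses only sed/grep/tr, no jq.

# Extract a quoted string field from CLI JSON output, e.g.
#   json_field State '{"IpamPoolCidr": {"State": "deprovisioned"}}'  -> deprovisioned
json_field() {
    field=$1
    json=$2
    printf '%s\n' "$json" | sed -n "s/.*\"$field\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Return 0 when get-ipam-pool-allocations output lists no allocations at all.
allocations_empty() {
    printf '%s' "$1" | tr -d '[:space:]' | grep -q '"IpamPoolAllocations":\[\]'
}

# Poll a command until it exits 0, at most MAX attempts DELAY seconds apart.
# Usage: wait_until MAX DELAY command [args...]
wait_until() {
    max=$1; delay=$2; shift 2
    attempt=0
    while [ "$attempt" -lt "$max" ]; do
        if "$@"; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    return 1
}

# Live checks (need credentials; defined but NOT run in this file).
# Allocations are read in the pool's locale (us-west-2 in the tutorial);
# pool CIDR state is read in the IPAM home Region (us-east-1 in the tutorial).
pool_has_no_allocations() {
    allocations_empty "$(aws ec2 get-ipam-pool-allocations --region us-west-2 \
        --ipam-pool-id "$1" --profile ipam-account --output json)"
}
pool_cidr_deprovisioned() {
    out=$(aws ec2 get-ipam-pool-cidrs --region us-east-1 \
        --ipam-pool-id "$1" --profile ipam-account --output json)
    [ "$(json_field State "$out")" = "deprovisioned" ]
}

# Constructed stand-in for pool_cidr_deprovisioned: reports pending-deprovision
# twice, then deprovisioned, so the polling loop can be exercised offline.
FAKE_CALLS=0
fake_pool_cidr_deprovisioned() {
    FAKE_CALLS=$((FAKE_CALLS + 1))
    if [ "$FAKE_CALLS" -lt 3 ]; then
        out='{ "IpamPoolCidr": { "Cidr": "130.137.245.0/24", "State": "pending-deprovision" } }'
    else
        out='{ "IpamPoolCidr": { "Cidr": "130.137.245.0/24", "State": "deprovisioned" } }'
    fi
    [ "$(json_field State "$out")" = "deprovisioned" ]
}

# Offline demonstration on constructed copies of the tutorial's two outputs.
demo() {
    busy='{"IpamPoolAllocations": [{"Cidr": "130.137.245.0/24", "ResourceType": "ec2-public-ipv4-pool"}]}'
    empty='{
    "IpamPoolAllocations": []
}'
    # Step 4 gate: refuse to continue while an allocation is still listed.
    if allocations_empty "$busy"; then return 1; fi
    allocations_empty "$empty" || return 1
    # Step 5 gate: keep polling until the CIDR reaches "deprovisioned".
    FAKE_CALLS=0
    wait_until 5 0 fake_pool_cidr_deprovisioned || return 1
    [ "$FAKE_CALLS" -eq 3 ]
}

demo && echo "cleanup gating checks passed"
# Real use, after release-address:
#   wait_until 60 30 pool_has_no_allocations ipam-pool-0d8f3646b61ca5987
#   aws ec2 deprovision-ipam-pool-cidr ...
#   wait_until 120 30 pool_cidr_deprovisioned ipam-pool-0d8f3646b61ca5987
```

Give `wait_until` a bounded attempt count rather than looping forever: if the allocation never disappears, the cause is usually an Elastic IP that was not actually released, and a script that hangs hides that.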

## Alternative to Step 9


If you are using public IPv4 pools to allocate Elastic IP addresses, you can use the steps in this section rather than the steps in [Step 9: Allocate an Elastic IP address from the pool](#tutorials-byoip-ipam-ipv4-console-cli-all-eip).

**Topics**
+ [

### Step 1: Create a public IPv4 pool
](#tutorials-byoip-ipam-ipv4-9)
+ [

### Step 2: Provision the public IPv4 CIDR to your public IPv4 pool
](#tutorials-byoip-ipam-ipv4-9)
+ [

### Step 3: Create an Elastic IP address from the public IPv4 pool
](#tutorials-byoip-ipam-ipv4-10)
+ [

### Alternative to Step 9 cleanup
](#tutorials-byoip-ipam-ipv4-cli-alt-cleanup)

### Step 1: Create a public IPv4 pool


This step would typically be done by a different AWS account which wants to provision an Elastic IP address, such as the member account.

**Important**  
Public IPv4 pools and IPAM pools are distinct resources in AWS. Public IPv4 pools are single-account resources that enable you to convert your publicly owned CIDRs to Elastic IP addresses. IPAM pools can be used to allocate your public space to public IPv4 pools.

**To create a public IPv4 pool using the AWS CLI**
+ Run the following command to create the public IPv4 pool. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the pool that will be used for the BYOIP CIDR.

  ```
  aws ec2 create-public-ipv4-pool --region us-west-2 --profile member-account
  ```

  In the output, you'll see the public IPv4 pool ID. You will need this ID in the next step.

  ```
  {
      "PoolId": "ipv4pool-ec2-0019eed22a684e0b2"
  }
  ```

### Step 2: Provision the public IPv4 CIDR to your public IPv4 pool


Provision the public IPv4 CIDR to your public IPv4 pool. The value for `--region` must match the `--locale` value you entered when you created the pool that will be used for the BYOIP CIDR. The least specific `--netmask-length` you can define is `24`.

This step must be done by the member account.

**To provision the CIDR to the public IPv4 pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-public-ipv4-pool-cidr --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --pool-id ipv4pool-ec2-0019eed22a684e0b2 --netmask-length 24 --profile member-account
   ```

   In the output, you'll see the provisioned CIDR.

   ```
   {
       "PoolId": "ipv4pool-ec2-0019eed22a684e0b2",
       "PoolAddressRange": {
           "FirstAddress": "130.137.245.0",
           "LastAddress": "130.137.245.255",
           "AddressCount": 256,
           "AvailableAddressCount": 256
       }
   }
   ```

1. Run the following command to view the CIDR provisioned in the public IPv4 pool.

   ```
   aws ec2 describe-byoip-cidrs --region us-west-2 --max-results 10 --profile member-account
   ```

   In the output, you'll see the provisioned CIDR. By default the CIDR is not advertised, which means it's not publicly accessible over the internet. You will have the chance to set this CIDR to advertised in the last step of this tutorial.

   ```
   {
       "ByoipCidrs": [
           {
               "Cidr": "130.137.245.0/24",
               "StatusMessage": "Cidr successfully provisioned",
               "State": "provisioned"
           }
       ]
   }
   ```

### Step 3: Create an Elastic IP address from the public IPv4 pool


Create an Elastic IP address (EIP) from the public IPv4 pool. When you run the commands in this section, the value for `--region` must match the `--locale` option you entered when you created the pool that will be used for the BYOIP CIDR.

This step must be done by the member account.

**To create an EIP from the public IPv4 pool using the AWS CLI**

1. Run the following command to create the EIP.

   ```
   aws ec2 allocate-address --region us-west-2 --public-ipv4-pool ipv4pool-ec2-0019eed22a684e0b2 --profile member-account
   ```
   ```

   In the output, you'll see the allocation.

   ```
   {
       "PublicIp": "130.137.245.100",
       "AllocationId": "eipalloc-0db3405026756dbf6",
       "PublicIpv4Pool": "ipv4pool-ec2-0019eed22a684e0b2",
       "NetworkBorderGroup": "us-east-1",
       "Domain": "vpc"
   }
   ```

1. Run the following command to view the EIP allocation managed in IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   The output shows the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "130.137.245.0/24",
               "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc45",
               "ResourceId": "ipv4pool-ec2-0019eed22a684e0b2",
               "ResourceType": "ec2-public-ipv4-pool",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```
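Once the Elastic IP has been allocated from the public IPv4 pool, it is worth confirming in the same script that the `PublicIp` returned by `allocate-address` really lies inside the BYOIP CIDR you provisioned and came from the pool you expect, before anything is attached to it. The following POSIX shell functions are an added example, not part of the AWS documentation: they parse the `allocate-address` response and do the CIDR membership test with shell arithmetic alone. The sample response below is a constructed copy of the tutorial's output; the `eip_matches_pool` name and its arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): check that an Elastic IP
# allocated with --public-ipv4-pool falls inside the provisioned BYOIP CIDR.

# Convert a dotted-quad IPv4 address to an integer; exit 1 on malformed input.
ipv4_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        # strip leading zeros so the shell does not read the octet as octal
        while [ "${#o}" -gt 1 ] && [ "${o#0}" != "$o" ]; do o=${o#0}; done
        [ "$o" -le 255 ] || return 1
        n=$((n * 256 + o))
    done
    echo "$n"
}

# Return 0 when IP is inside CIDR, 1 when outside, 2 on malformed input.
#   ipv4_in_cidr 130.137.245.100 130.137.245.0/24  -> 0
ipv4_in_cidr() {
    ip=$1
    net=${2%/*}
    p=${2#*/}
    case $p in ''|*[!0-9]*) return 2 ;; esac
    [ "$p" -le 32 ] || return 2
    ipn=$(ipv4_to_int "$ip") || return 2
    netn=$(ipv4_to_int "$net") || return 2
    # network mask: the top p bits of a 32-bit word
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# Validate an allocate-address response against the pool ID and BYOIP CIDR
# it should have come from. Returns 0 only when both match.
eip_matches_pool() {
    json=$1; cidr=$2; pool=$3
    ip=$(printf '%s\n' "$json" | sed -n 's/.*"PublicIp"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    got_pool=$(printf '%s\n' "$json" | sed -n 's/.*"PublicIpv4Pool"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    [ "$got_pool" = "$pool" ] || return 1
    ipv4_in_cidr "$ip" "$cidr"
}

# Constructed copy of the tutorial's allocate-address output.
ALLOC_OUT='{
    "PublicIp": "130.137.245.100",
    "AllocationId": "eipalloc-0db3405026756dbf6",
    "PublicIpv4Pool": "ipv4pool-ec2-0019eed22a684e0b2",
    "NetworkBorderGroup": "us-east-1",
    "Domain": "vpc"
}'

if eip_matches_pool "$ALLOC_OUT" 130.137.245.0/24 ipv4pool-ec2-0019eed22a684e0b2; then
    echo "EIP 130.137.245.100 came from the BYOIP pool and CIDR"
else
    echo "EIP is not from the expected pool or CIDR" >&2
fi
```

The arithmetic relies on the shell's 64-bit integers, which every common `sh` (bash, dash, busybox) provides; the mask shift for a `/0` prefix therefore does not overflow.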

### Alternative to Step 9 cleanup


Complete these steps to clean up public IPv4 pools created with the alternative to Step 9. You should complete these steps after you release the Elastic IP address during the standard cleanup process in [Step 10: Cleanup](tutorials-byoip-ipam-ipv6.md#tutorials-byoip-ipam-ipv4-cleanup).

1. View your BYOIP CIDRs.

   This step must be done by the member account.

   ```
   aws ec2 describe-public-ipv4-pools --region us-west-2 --profile member-account
   ```

   In the output, you'll see the IP addresses in your BYOIP CIDR.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-0019eed22a684e0b2",
               "Description": "",
               "PoolAddressRanges": [
                   {
                       "FirstAddress": "130.137.245.0",
                       "LastAddress": "130.137.245.255",
                       "AddressCount": 256,
                       "AvailableAddressCount": 256
                   }
               ],
               "TotalAddressCount": 256,
               "TotalAvailableAddressCount": 256,
               "NetworkBorderGroup": "us-east-1",
               "Tags": []
           }
       ]
   }
   ```

1. Release the CIDR from the public IPv4 pool. When you run the command in this section, the value for `--region` must match the Region of your IPAM.

   This step must be done by the member account.

   ```
   aws ec2 deprovision-public-ipv4-pool-cidr --region us-east-1 --pool-id ipv4pool-ec2-0019eed22a684e0b2 --cidr 130.137.245.0/24 --profile member-account
   ```

1. View your BYOIP CIDRs again and ensure there are no more provisioned addresses. When you run the command in this section, the value for `--region` must match the Region of your IPAM.

   This step must be done by the member account.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-1 --profile member-account
   ```

   In the output, you'll see the IP addresses count in your public IPv4 pool.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-0019eed22a684e0b2",
               "Description": "",
               "PoolAddressRanges": [],
               "TotalAddressCount": 0,
               "TotalAvailableAddressCount": 0,
               "NetworkBorderGroup": "us-east-1",
               "Tags": []
           }
       ]
   }
   ```

# Bring your own IPv6 CIDR to IPAM using only the AWS CLI

Follow these steps to bring an IPv6 CIDR to IPAM and allocate a VPC using only the AWS CLI.

If you do not need to advertise your IPv6 addresses over the Internet, you can provision a private GUA IPv6 address to an IPAM. For more information, see [Enable provisioning private IPv6 GUA CIDRs](enable-prov-ipv6-gua.md).

**Important**  
This tutorial assumes you have already completed the steps in the following sections:  
+ [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
+ [Create an IPAM](create-ipam.md).

Each step of this tutorial must be done by one of three AWS Organizations accounts:  
+ The management account.
+ The member account configured to be your IPAM administrator in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md). In this tutorial, this account will be called the IPAM account.
+ The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.

**Topics**
+ [

## Step 1: Create AWS CLI named profiles and IAM roles
](#tutorials-create-profiles)
+ [

## Step 2: Create an IPAM
](#tutorials-byoip-ipam-ipv6-2)
+ [

## Step 3: Create an IPAM pool
](#tutorials-byoip-ipam-ipv6-3)
+ [

## Step 4: Provision a CIDR to the top-level pool
](#tutorials-byoip-ipam-ipv6-4)
+ [

## Step 5: Create a Regional pool within the top-level pool
](#tutorials-byoip-ipam-ipv6-5)
+ [

## Step 6: Provision a CIDR to the Regional pool
](#tutorials-byoip-ipam-ipv6-6)
+ [

## Step 7. Share the Regional pool
](#tutorials-byoip-ipam-ipv4-console-4-deux)
+ [

## Step 8: Create a VPC using the IPv6 CIDR
](#tutorials-byoip-ipam-ipv6-8)
+ [

## Step 9: Advertise the CIDR
](#tutorials-byoip-ipam-ipv6-9)
+ [

## Step 10: Cleanup
](#tutorials-byoip-ipam-ipv4-cleanup)

## Step 1: Create AWS CLI named profiles and IAM roles


To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch from one IAM role to another. [Named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles) are collections of settings and credentials that you refer to when using the `--profile` option with the AWS CLI. For more information about how to create IAM roles and named profiles for AWS accounts, see [Using an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).

Create one role and one named profile for each of the three AWS accounts you will use in this tutorial:
+ A profile called `management-account` for the AWS Organizations management account.
+ A profile called `ipam-account` for the AWS Organizations member account that is configured to be your IPAM administrator.
+ A profile called `member-account` for the AWS Organizations member account in your organization which will allocate CIDRs from an IPAM pool.

After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the `--profile` option with one of the named profiles to indicate which account must run the command.

## Step 2: Create an IPAM


This step is optional. If you already have an IPAM with operating Regions of `us-east-1` and `us-west-2`, you can skip this step. Create an IPAM and specify operating Regions of `us-east-1` and `us-west-2`. You must select an operating Region so that you can use the locale option when you create your IPAM pool. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

Run the following command:

```
aws ec2 create-ipam --description my-ipam --region us-east-1 --operating-regions RegionName=us-west-2 --profile ipam-account
```

In the output, you'll see the IPAM you've created. Note the value for `PublicDefaultScopeId`. You will need your public scope ID in the next step.

```
{
    "Ipam": {
        "OwnerId": "123456789012",
        "IpamId": "ipam-090e48e75758de279",
        "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
        "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
        "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
        "ScopeCount": 2,
        "Description": "my-ipam",
        "OperatingRegions": [
            {
                "RegionName": "us-east-1"
            },
            {
                "RegionName": "us-west-2"
            }
        ],
        "Tags": []
    }
}
```

## Step 3: Create an IPAM pool


Since you are going to create a top-level IPAM pool with a Regional pool within it, and we’re going to allocate space to a resource (a VPC) from the Regional pool, you will set the locale on the Regional pool and not the top-level pool. You’ll add the locale to the Regional pool when you create the Regional pool in a later step. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

Choose if you want this IPAM pool CIDR to be advertisable by AWS over the public internet (`--publicly-advertisable` or `--no-publicly-advertisable`). 

**Note**  
The scope ID must be the ID for the public scope, and the address family must be `ipv6`.

**To create an IPv6 address pool for all of your AWS resources using the AWS CLI**

1. Run the following command to create an IPAM pool. Use the ID of the public scope of the IPAM that you created in the previous step.

   ```
   aws ec2 create-ipam-pool --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --description "top-level-IPv6-pool" --address-family ipv6 --publicly-advertisable --profile ipam-account
   ```

   In the output, you'll see `create-in-progress`, which indicates that pool creation is in progress.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-07f2466c7158b50c4",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "None",
           "PoolDepth": 1,
           "State": "create-in-progress",
           "Description": "top-level-Ipv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6",
           "Tags": []
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   The following example output shows the state of the pool.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-07f2466c7158b50c4",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "None",
           "PoolDepth": 1,
           "State": "create-complete",
           "Description": "top-level-Ipv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6",
           "Tags": []
       }
   }
   ```

## Step 4: Provision a CIDR to the top-level pool


Provision a CIDR block to the top-level pool. Note that when provisioning an IPv6 CIDR to a pool within the top-level pool, the most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable. 

**Note**  
If you [verified your domain control with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert), you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space. 
If you [verified your domain control with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt), you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.

You only need to verify domain control when you provision the BYOIP CIDR to the top-level pool. For the Regional pool within the top-level pool, you can omit the domain ownership option.

This step must be done by the IPAM account.

**To provision a CIDR block to the pool using the AWS CLI**

1. To provision the CIDR with certificate information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace the `Message` and `Signature` values with the `text_message` and `signed_message` values that you got in [Verify your domain with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --cidr 2605:9cc0:409::/48 --verification-method remarks-x509 --cidr-authorization-context Message="1|aws|470889052444|2605:9cc0:409::/48|20250101|SHA256|RSAPSS",Signature="FU26~vRG~NUGXa~akxd6dvdcCfvL88g8d~YAuai-CR7HqMwzcgdS9RlpBGtfIdsRGyr77LmWyWqU9Xp1g2R1kSkfD00NiLKLcv9F63k6wdEkyFxNp7RAJDvF1mBwxmSgH~Crt-Vp6LON3yOOXMp4JENB9uM7sMlu6oeoutGyyhXFeYPzlGSRdcdfKNKaimvPCqVsxGN5AwSilKQ8byNqoa~G3dvs8ueSaDcT~tW4CnILura70nyK4f2XzgPKKevAD1g8bpKmOFMbHS30CxduYknnDl75lvEJs1J91u3-wispI~r69fq515UR19TA~fmmxBDh1huQ8DkM1rqcwveWow__" --profile ipam-account
   ```

   To provision the CIDR with verification token information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace `ipam-ext-res-ver-token-0309ce7f67a768cf0` with the `IpamExternalResourceVerificationTokenId` token ID that you got in [Verify your domain with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --cidr 2605:9cc0:409::/48 --verification-method dns-token --ipam-external-resource-verification-token-id ipam-ext-res-ver-token-0309ce7f67a768cf0 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending provision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "pending-provision"
       }
   }
   ```

1. Ensure that this CIDR has been provisioned before you continue.

   **Important**  
   While most provisioning will be completed within two hours, it may take up to one week to complete the provisioning process for publicly advertisable ranges.

   Run the following command until you see a state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --profile ipam-account
   ```

   The following example output shows the state.

   ```
   {
       "IpamPoolCidrs": [
           {
               "Cidr": "2605:9cc0:409::/48",
               "State": "provisioned"
           }
       ]
   }
   ```

## Step 5: Create a Regional pool within the top-level pool


Create a Regional pool within the top-level pool. `--locale` is required on the pool and it must be one of the operating Regions you configured when you created the IPAM.

This step must be done by the IPAM account.

**Important**  
When you create the pool, you must include `--aws-service ec2`. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is `ec2`, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service and the Amazon VPC service (for CIDRs associated with VPCs). 

**To create a Regional pool using the AWS CLI**

1. Run the following command to create the pool.

   ```
   aws ec2 create-ipam-pool --description "Regional-IPv6-pool" --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --source-ipam-pool-id ipam-pool-07f2466c7158b50c4 --locale us-west-2 --address-family ipv6 --aws-service ec2 --profile ipam-account
   ```

   In the output, you'll see IPAM creating the pool.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0053b7d2b4fc3f730",
           "SourceIpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0053b7d2b4fc3f730",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-west-2",
           "PoolDepth": 2,
           "State": "create-in-progress",
           "Description": "reg-ipv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6",
           "Tags": [],
           "ServiceType": "ec2"
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   In the output, you see the pools that you have in your IPAM. In this tutorial, we created a top-level and a Regional pool, so you'll see them both.

## Step 6: Provision a CIDR to the Regional pool


Provision a CIDR block to the Regional pool. Note that when provisioning the CIDR to a pool within the top-level pool, the most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.

This step must be done by the IPAM account.

**To assign a CIDR block to the Regional pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending provision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "pending-provision"
       }
   }
   ```

1. Run the following command until you see the state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   The following example output shows the correct state.

   ```
   {
       "IpamPoolCidrs": [                                                        
           {                                                                     
               "Cidr": "2605:9cc0:409::/48",                                
               "State": "provisioned"                                            
           }                                                                     
       ]                                                                         
   }
   ```

## Step 7: Share the Regional pool


Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM).

### Enable resource sharing in AWS RAM


After you create your IPAM, you'll want to share the Regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to enable resource sharing, use the `--profile management-account` option.

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.

You can now share an IPAM pool with other members of the organization.

### Share an IPAM pool using AWS RAM


In this section you'll share the Regional pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you are using the AWS CLI to share the pool, use the `--profile ipam-account` option.

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope, choose the IPAM pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens. You share the pool using AWS RAM.

1. Choose **Create a resource share**.

1. In the AWS RAM console, choose **Create a resource share** again.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools**, and then choose the ARN of the pool you want to share.

1. Choose **Next**.

1. Choose the **AWSRAMPermissionIpamPoolByoipCidrImport** permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

1. Choose **Next**.

1. Under **Principals** > **Select principal type**, choose **AWS account**, enter the account ID of the account that will be bringing an IP address range to IPAM, and choose **Add**.

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

1. To allow the **member-account** account to allocate IP address CIDRs from the IPAM pool, create a second resource share with `AWSRAMDefaultPermissionsIpamPool`. The value for `--resource-arns` is the ARN of the IPAM pool that you created in the previous section. The value for `--principals` is the account ID of the **member-account**. The value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.

## Step 8: Create a VPC using the IPv6 CIDR


Create a VPC using the IPAM pool ID. You must associate an IPv4 CIDR block to the VPC as well using the `--cidr-block` option or the request will fail. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the pool that will be used for the BYOIP CIDR.

This step must be done by the member account.

**To create a VPC with the IPv6 CIDR using the AWS CLI**

1. Run the following command to create the VPC.

   ```
   aws ec2 create-vpc --region us-west-2 --ipv6-ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --cidr-block 10.0.0.0/16 --ipv6-netmask-length 56 --profile member-account
   ```

   In the output, you'll see the VPC being created.

   ```
   {
       "Vpc": {
           "CidrBlock": "10.0.0.0/16",
           "DhcpOptionsId": "dopt-2afccf50",
           "State": "pending",
           "VpcId": "vpc-00b5573ffc3b31a29",
           "OwnerId": "123456789012",
           "InstanceTenancy": "default",
           "Ipv6CidrBlockAssociationSet": [
               {
                   "AssociationId": "vpc-cidr-assoc-01b5703d6cc695b5b",
                   "Ipv6CidrBlock": "2605:9cc0:409::/56",
                   "Ipv6CidrBlockState": {
                       "State": "associating"
                   },
                   "NetworkBorderGroup": "us-east-1",
                   "Ipv6Pool": "ipam-pool-0053b7d2b4fc3f730"
               }
           ],
           "CidrBlockAssociationSet": [
               {
                   "AssociationId": "vpc-cidr-assoc-09cccb07d4e9a0e0e",
                   "CidrBlock": "10.0.0.0/16",
                   "CidrBlockState": {
                       "State": "associated"
                   }
               }
           ],
           "IsDefault": false
       }
   }
   ```

1. View the VPC allocation in IPAM.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   In the output, you'll see the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "2605:9cc0:409::/56",
               "IpamPoolAllocationId": "ipam-pool-alloc-5f8db726fb9e4ff0a33836e649283a52",
               "ResourceId": "vpc-00b5573ffc3b31a29",
               "ResourceType": "vpc",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```
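The two prefix-length rules in Steps 6 and 8 (a CIDR provisioned to a pool nested under the top-level pool can be no more specific than /48 if advertisable or /60 if not, and the VPC in Step 8 draws a /56 from the /48 Regional pool) can be checked locally before any API call is made. The following is an added example and not code from this tutorial or from AWS: the function names and the rule constants are mine, and the CIDRs in the usage call are the tutorial's own values.

```python
import ipaddress
from typing import Iterable

# Most specific prefix that may be provisioned to a pool nested under the
# top-level pool, as stated in Step 6 (advertisable: /48, not advertisable: /60).
MAX_PREFIXLEN_ADVERTISABLE = 48
MAX_PREFIXLEN_NOT_ADVERTISABLE = 60


def check_regional_pool_cidr(top_level_cidr: str, regional_cidr: str,
                             advertisable: bool) -> ipaddress.IPv6Network:
    """Validate a CIDR before provisioning it to a Regional pool.

    Checks that both values are IPv6 networks, that the Regional CIDR lies
    inside the top-level pool's CIDR, and that it is not more specific than
    the limit for its advertisability. Raises ValueError with the reason.
    """
    parent = ipaddress.ip_network(top_level_cidr, strict=True)
    child = ipaddress.ip_network(regional_cidr, strict=True)
    if parent.version != 6 or child.version != 6:
        raise ValueError("this tutorial's pools are IPv6; got an IPv4 CIDR")
    if not child.subnet_of(parent):
        raise ValueError(f"{child} is outside the top-level pool CIDR {parent}")
    limit = MAX_PREFIXLEN_ADVERTISABLE if advertisable else MAX_PREFIXLEN_NOT_ADVERTISABLE
    if child.prefixlen > limit:
        kind = "advertisable" if advertisable else "non-advertisable"
        raise ValueError(f"/{child.prefixlen} is more specific than the /{limit} limit for {kind} CIDRs")
    return child


def free_vpc_blocks(pool_cidr: str, vpc_netmask_length: int,
                    existing_allocations: Iterable[str]) -> int:
    """Return how many VPC IPv6 blocks of the given netmask length the pool
    can still allocate after accounting for the allocations it already holds.

    Mirrors Step 8: a /56 requested with --ipv6-netmask-length 56 from the
    /48 Regional pool is one of 256 possible /56 blocks.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    if pool.version != 6:
        raise ValueError("expected an IPv6 pool CIDR")
    if not pool.prefixlen <= vpc_netmask_length <= 128:
        raise ValueError(f"netmask length must be between /{pool.prefixlen} and /128")
    used = set()
    for cidr in existing_allocations:
        alloc = ipaddress.ip_network(cidr, strict=True)
        if not alloc.subnet_of(pool):
            raise ValueError(f"allocation {alloc} is outside pool {pool}")
        if alloc.prefixlen >= vpc_netmask_length:
            # Allocation is a VPC block or smaller: it occupies exactly one block.
            used.add(alloc.supernet(new_prefix=vpc_netmask_length))
        else:
            # Allocation is larger than a VPC block: it occupies several blocks.
            used.update(alloc.subnets(new_prefix=vpc_netmask_length))
    total = 2 ** (vpc_netmask_length - pool.prefixlen)
    return total - len(used)


if __name__ == "__main__":
    # Values from this tutorial: the /48 is provisioned to both pools, and the
    # VPC in Step 8 received 2605:9cc0:409::/56.
    print(check_regional_pool_cidr("2605:9cc0:409::/48", "2605:9cc0:409::/48", advertisable=True))
    print(free_vpc_blocks("2605:9cc0:409::/48", 56, ["2605:9cc0:409::/56"]))
```

Running the check with the tutorial's values passes both functions; handing `check_regional_pool_cidr` a /56 with `advertisable=True` is rejected, which is the case the Step 6 note warns about, and `free_vpc_blocks` reports 255 remaining /56 blocks once the Step 8 VPC holds one.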

## Step 9: Advertise the CIDR


Once you create the VPC with a CIDR allocated from IPAM, you can start advertising the CIDR you brought to AWS that is in a pool with `--aws-service ec2` defined. In this tutorial, that's your Regional pool. By default the CIDR is not advertised, which means it's not publicly accessible over the internet. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

**Start advertising the CIDR using the AWS CLI**
+ Run the following command to advertise the CIDR.

  ```
  aws ec2 advertise-byoip-cidr --region us-west-2 --cidr 2605:9cc0:409::/48 --profile ipam-account
  ```

  In the output, you'll see the CIDR is advertised.

  ```
  {
      "ByoipCidr": {                                                                 
          "Cidr": "2605:9cc0:409::/48",                                              
          "State": "advertised"                                                      
      }                                                                              
  }
  ```

## Step 10: Cleanup


Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial. When you run the commands in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

**Clean up using the AWS CLI**

1. Run the following command to view the VPC allocation managed in IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   The output shows the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "2605:9cc0:409::/56",
               "IpamPoolAllocationId": "ipam-pool-alloc-5f8db726fb9e4ff0a33836e649283a52",
               "ResourceId": "vpc-00b5573ffc3b31a29",
               "ResourceType": "vpc",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```

1. Run the following command to stop advertising the CIDR. When you run the command in this step, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 withdraw-byoip-cidr --region us-west-2 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR State has changed from **advertised** to **provisioned**.

   ```
   {
       "ByoipCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "provisioned"
       }
   }
   ```

1. Run the following command to delete the VPC. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

   This step must be done by the member account.

   ```
   aws ec2 delete-vpc --region us-west-2 --vpc-id vpc-00b5573ffc3b31a29 --profile member-account
   ```

   You will not see any output when you run this command.

1. Run the following command to view the VPC allocation in IPAM. It can take some time for IPAM to discover that the VPC has been deleted and remove this allocation. When you run the commands in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   The output shows the allocation in IPAM.

   ```
   {
      "IpamPoolAllocations": [                                                                                      
           {                                                                                                        
               "Cidr": "2605:9cc0:409::/56",                                                                   
               "IpamPoolAllocationId": "ipam-pool-alloc-5f8db726fb9e4ff0a33836e649283a52",                                        
               "ResourceId": "vpc-00b5573ffc3b31a29",                                                               
               "ResourceType": "vpc",                                                                               
               "ResourceOwner": "123456789012"                                                                      
           }                                                                                                        
       ]                                                                                                            
   }
   ```

   Rerun the command and look for the allocation to be removed. You cannot continue to clean up and deprovision the IPAM pool CIDR until you see that the allocation has been removed from IPAM.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   The output shows the allocation removed from IPAM.

   ```
   {
       "IpamPoolAllocations": []
   }
   ```

1. Delete the RAM shares and disable RAM integration with AWS Organizations. Complete the steps in [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) and then [Disabling resource sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/security-disable-sharing-with-orgs.html) in the *AWS RAM User Guide*, in that order.

   This step must be done by the IPAM account and management account respectively. If you are using the AWS CLI to delete the RAM shares and disable RAM integration, use the `--profile ipam-account` and `--profile management-account` options.

1. Run the following command to deprovision the Regional pool CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending deprovision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "pending-deprovision"
       }
   }
   ```

   Deprovisioning takes time to complete. Continue to run the command until you see the CIDR state **deprovisioned**.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR deprovisioned.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "deprovisioned"
       }
   }
   ```

1. Run the following command to delete the Regional pool.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   In the output, you can see the delete state.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0053b7d2b4fc3f730",
           "SourceIpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0053b7d2b4fc3f730",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-east-1",
           "PoolDepth": 2,
           "State": "delete-in-progress",
           "Description": "reg-ipv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6"
       }
   }
   ```

1. Run the following command to deprovision the top-level pool CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending deprovision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "pending-deprovision"
       }
   }
   ```

   Deprovisioning takes time to complete. Run the following command to check the status of deprovisioning.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --profile ipam-account
   ```

   Wait until you see **deprovisioned** before you continue to the next step.

   ```
   {
       "IpamPoolCidr": {                                                                                            
           "Cidr": "2605:9cc0:409::/48",                                                                         
           "State": "deprovisioned"                                                                           
       }                                                                                                            
   }
   ```

1. Run the following command to delete the top-level pool.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --profile ipam-account
   ```

   In the output, you can see the delete state.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0053b7d2b4fc3f730",
           "SourceIpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0053b7d2b4fc3f730",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-east-1",
           "PoolDepth": 2,
           "State": "delete-in-progress",
           "Description": "reg-ipv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6"
       }
   }
   ```

1. Run the following command to delete the IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam --region us-east-1 --ipam-id ipam-090e48e75758de279 --profile ipam-account
   ```

   In the output, you'll see the details of the IPAM that was deleted.

   ```
   {
       "Ipam": {
           "OwnerId": "123456789012",
           "IpamId": "ipam-090e48e75758de279",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
           "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
           "ScopeCount": 2,
           "OperatingRegions": [
               {
                   "RegionName": "us-east-1"
               },
               {
                   "RegionName": "us-west-2"
               }
           ]
       }
   }
   ```
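The cleanup above is order-sensitive: the allocation must be gone from IPAM before the CIDR can be deprovisioned, the CIDR must be deprovisioned before the pool can be deleted, and several steps complete only after repeated polling. The following added example (not from this tutorial or from AWS) encodes that ordering as a small sequencer covering cleanup steps 2, 3, 4, 6 and 7 up to deletion of the Regional pool. The `FakeIpamApi` class is a constructed stand-in for the EC2 calls those steps run, so the script runs offline and reproduces the lag the page describes; `wait_for` takes an injectable `sleep`, and wiring its `poll` argument to boto3 (for example `lambda: ec2.get_ipam_pool_allocations(IpamPoolId=pool_id)["IpamPoolAllocations"]`) is my assumption about how you would use it, not something the page shows.

```python
import time
from typing import Any, Callable, List, Tuple


def wait_for(poll: Callable[[], Any], done: Callable[[Any], bool],
             failed: Callable[[Any], bool] = lambda value: False,
             timeout_s: float = 600, interval_s: float = 10,
             sleep: Callable[[float], None] = time.sleep) -> Any:
    """Call poll() every interval_s until done(value) holds, mirroring the
    'run the command until you see ...' steps above. Raises RuntimeError if
    failed(value) holds and TimeoutError after timeout_s of polling."""
    elapsed = 0.0
    while True:
        value = poll()
        if failed(value):
            raise RuntimeError(f"operation failed: {value!r}")
        if done(value):
            return value
        if elapsed >= timeout_s:
            raise TimeoutError(f"still not done after {timeout_s}s: {value!r}")
        sleep(interval_s)
        elapsed += interval_s


class FakeIpamApi:
    """Constructed stand-in for the EC2 IPAM calls used in Cleanup (not boto3).

    It reproduces two delays the page describes: IPAM notices a deleted VPC
    only some polls later, and deprovisioning finishes some polls after it is
    requested. It also refuses calls made out of the tutorial's order, which
    is the property the sequencer below is meant to guarantee."""

    def __init__(self, pool_cidr: str, vpc_allocation: str) -> None:
        self.pool_cidr = pool_cidr
        self.byoip_state = "advertised"          # Step 9 advertised the /48
        self.allocations = [vpc_allocation]      # the VPC's /56 from Step 8
        self.cidr_state = "provisioned"
        self.vpc_deleted = False
        self.pool_exists = True
        self.calls: List[Tuple[str, str]] = []
        self._polls_after_vpc_delete = 0
        self._polls_after_deprovision = 0

    def withdraw_byoip_cidr(self) -> str:            # run by the IPAM account
        self.calls.append(("withdraw-byoip-cidr", self.pool_cidr))
        self.byoip_state = "provisioned"
        return self.byoip_state

    def delete_vpc(self, vpc_id: str) -> None:       # run by the member account
        self.calls.append(("delete-vpc", vpc_id))
        self.vpc_deleted = True

    def get_ipam_pool_allocations(self) -> List[str]:
        if self.vpc_deleted:
            self._polls_after_vpc_delete += 1
            if self._polls_after_vpc_delete >= 3:   # IPAM catches up eventually
                self.allocations = []
        return list(self.allocations)

    def deprovision_ipam_pool_cidr(self) -> str:
        if self.allocations:
            raise RuntimeError("CIDR still has allocations; wait for IPAM to drop them")
        if self.byoip_state == "advertised":
            raise RuntimeError("withdraw the CIDR before deprovisioning it")
        self.calls.append(("deprovision-ipam-pool-cidr", self.pool_cidr))
        self.cidr_state = "pending-deprovision"
        return self.cidr_state

    def get_ipam_pool_cidr_state(self) -> str:
        if self.cidr_state == "pending-deprovision":
            self._polls_after_deprovision += 1
            if self._polls_after_deprovision >= 2:
                self.cidr_state = "deprovisioned"
        return self.cidr_state

    def delete_ipam_pool(self) -> None:
        if self.cidr_state != "deprovisioned":
            raise RuntimeError("pool still holds a provisioned CIDR")
        self.calls.append(("delete-ipam-pool", self.pool_cidr))
        self.pool_exists = False


def cleanup_regional_pool(api: FakeIpamApi, vpc_id: str,
                          sleep: Callable[[float], None] = time.sleep) -> List[Tuple[str, str]]:
    """Run Cleanup steps 2, 3, 4, 6 and 7 in order, polling where the page polls."""
    api.withdraw_byoip_cidr()
    api.delete_vpc(vpc_id)
    # Step 4: do not deprovision until IPAM reports the allocation gone.
    wait_for(api.get_ipam_pool_allocations, done=lambda allocs: not allocs, sleep=sleep)
    api.deprovision_ipam_pool_cidr()
    # Step 6: poll until deprovisioned; a failed-* state (assumed naming, following
    # the pending-/provisioned pattern on this page) stops the loop instead of hanging.
    wait_for(api.get_ipam_pool_cidr_state, done=lambda s: s == "deprovisioned",
             failed=lambda s: s.startswith("failed-"), sleep=sleep)
    api.delete_ipam_pool()
    return api.calls


if __name__ == "__main__":
    fake = FakeIpamApi("2605:9cc0:409::/48", "2605:9cc0:409::/56")
    for call in cleanup_regional_pool(fake, "vpc-00b5573ffc3b31a29", sleep=lambda s: None):
        print(*call)
```

The two accounts involved are marked in comments: withdrawing, deprovisioning and deleting the pool are IPAM-account operations, deleting the VPC is a member-account operation, so a real version of this sequencer needs two credential sets rather than one.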

# Bring your own IP to CloudFront using IPAM (supports IPv4 and IPv6)


IPAM's BYOIP for global services lets you use your own IPv4 and IPv6 addresses with AWS global services like CloudFront. Unlike regional BYOIP, your IP addresses are advertised from multiple edge locations simultaneously through anycast routing.

This tutorial covers:
+ Creating global IPAM pools for IPv4 (/24) and/or IPv6 (/48) address ranges
+ Provisioning Anycast Static IP lists with your own IP addresses
+ Advertising your CIDRs globally through CloudFront edge locations
+ Dual-stack configurations using separate IPv4 and IPv6 IPAM pools

## Why use this feature?

+ **Maintain IP allowlisting** – Use existing approved IP addresses instead of updating firewall configurations
+ **Simplify migrations** – Migrate from other CDNs without changing IP infrastructure
+ **Consistent branding** – Keep your existing IP address space when moving to AWS
+ **IPv6 readiness** – Support modern dual-stack architectures with both IPv4 and IPv6

## Who should use this feature?


Organizations that need their own IP addresses with global content delivery:
+ Large enterprises with IP allowlisting requirements
+ Companies migrating from other CDNs with existing IP addresses
+ Organizations with strict security policies requiring specific IP ranges
+ Enterprises requiring dual-stack (IPv4/IPv6) configurations for global reach

## When to use this feature?


Use BYOIP for global services when you need to:
+ Maintain existing IP allowlisting with partners/clients
+ Migrate from another CDN using your IP addresses
+ Meet compliance requirements for specific IP ranges
+ Deploy dual-stack architectures supporting both IPv4 and IPv6 clients

**Note**  
Requires /24 CIDR blocks for IPv4. Dual-stack (IPv4 and IPv6) requires /24 IPv4 and /48 IPv6 CIDR blocks. Currently available for CloudFront only.

## Prerequisites


Complete these steps before starting:
+ **IPAM setup** – [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md) and [Create an IPAM](create-ipam.md)
+ **Domain verification** – [Verify domain control](tutorials-byoip-ipam-domain-verification-methods.md)
+ **Create top-level pool(s)** – Follow steps 1-2 in [Bring your own IPv4 CIDR to IPAM](tutorials-byoip-ipam-console-ipv4.md) and/or [Bring your own IPv6 CIDR to IPAM](tutorials-byoip-ipam-console-ipv6.md)
+ **ROA (Route Origin Authorization)** – Ensure ROAs are configured for both IPv4 (/24) and IPv6 (/48) prefixes if deploying dual-stack

## Global service configuration steps


The following steps differ from the standard regional BYOIP process and establish the pattern for global services. For dual-stack deployments, you'll create separate pools for IPv4 and IPv6, then provision both to CloudFront.

### Step 1: Create global pool(s) for anycast services


Instead of creating a regional pool, create a global pool for anycast services:

**Console**  
To create a global pool using the console:

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**

1. Choose **Create pool**

1. **Source**: Choose your top-level BYOIP pool

1. **Locale**: Choose **Global**

1. **Service**: Choose **Global services** (appears when Global is selected)

1. **Public IP source**: Choose **BYOIP**

1. **CIDRs to provision**: Specify your /24 CIDR range (for IPv4) or /48 CIDR range (for IPv6)

1. Choose **Create pool**

**CLI**  
For IPv4:

```
aws ec2 create-ipam-pool \
  --ipam-scope-id scope-id \
  --locale None \
  --address-family ipv4 \
  --source-ipam-pool-id top-level-pool-id

aws ec2 provision-ipam-pool-cidr \
  --ipam-pool-id global-pool-id \
  --cidr your-ipv4-/24
```

For IPv6:

```
aws ec2 create-ipam-pool \
  --ipam-scope-id scope-id \
  --locale None \
  --address-family ipv6 \
  --source-ipam-pool-id top-level-pool-id

aws ec2 provision-ipam-pool-cidr \
  --ipam-pool-id global-pool-id \
  --cidr your-ipv6-/48
```

**Important**  
For IPv4: You must allocate the full /24 block to this pool. You can provision more specific ranges within this block for different uses.
For IPv6: You must allocate the full /48 block to this pool. You can provision more specific ranges within this block for different uses.

### Step 2: Create service-specific resources


For CloudFront, create an anycast IP list that uses your IPAM pool. For detailed instructions, see [Bring your own IP to CloudFront using IPAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/bring-your-own-ip-address-using-ipam.html) in the *Amazon CloudFront Developer Guide*.

**Key parameters for IPAM integration:**
+ **IP address type** – Choose **BYOIP**
+ **IPAM pool** – Select your global pool from Step 1 (IPv4 or IPv6)
+ **IP count** – Enter **3** (required for CloudFront)

### Step 3: Associate with service resources


Associate your Anycast Static IP list with a CloudFront distribution. For detailed instructions, see [Bring your own IP to CloudFront using IPAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/bring-your-own-ip-address-using-ipam.html) in the *Amazon CloudFront Developer Guide*.

**Key configuration:**
+ In distribution settings, select your Anycast IP List from Step 2

### Step 4: Prepare for migration

+ **Lower DNS TTL** – Set DNS TTL for your records to 60 seconds or lower
+ **Wait for propagation** – Allow time for the new TTL to take effect across the internet

### Step 5: Advertise CIDR globally


Use the IPAM global advertisement command:

**Console**  
To advertise the CIDR using the console:

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**

1. Select your global pool

1. Choose the **CIDRs** tab

1. Select your CIDR and choose **Actions** > **Advertise CIDR**

1. Confirm the advertisement

**CLI**  
For IPv4:

```
aws ec2 advertise-byoip-cidr \
  --cidr your-ipv4-/24
```

For IPv6:

```
aws ec2 advertise-byoip-cidr \
  --cidr your-ipv6-/48
```

**Important**  
Withdraw the advertisement from your previous provider before running this command.  
Update your DNS records to point to CloudFront to complete the migration (A records for IPv4, AAAA records for IPv6).
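Steps 1 through 5 above form one cutover procedure: the global pool CIDRs must be exactly a /24 (IPv4) and a /48 (IPv6), the DNS TTL must be lowered and given time to take effect, the previous provider must withdraw, and only then is the CIDR advertised and DNS repointed. The following is an added example, not code from this tutorial, AWS or CloudFront: the function names and constants are mine, the ranges 203.0.113.0/24 and 2001:db8::/48 are constructed documentation-range inputs, and the readiness rule that you wait at least the old TTL after lowering it is standard DNS caching reasoning used here to make "allow time for the new TTL to take effect" checkable.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

GLOBAL_IPV4_PREFIXLEN = 24    # page: IPv4 global pools need a /24
GLOBAL_IPV6_PREFIXLEN = 48    # page: IPv6 global pools need a /48
MAX_CUTOVER_TTL_SECONDS = 60  # page: lower the DNS TTL to 60 seconds or lower


def validate_global_pool_cidrs(ipv4: Optional[str] = None,
                               ipv6: Optional[str] = None) -> Dict[str, str]:
    """Check the CIDR(s) for the global pool(s) of Step 1.

    Returns one entry per address family, which is also the number of global
    pools to create (dual-stack uses two separate pools). Raises ValueError
    for a wrong family, a wrong prefix length, or host bits set in the CIDR.
    """
    if ipv4 is None and ipv6 is None:
        raise ValueError("provide an IPv4 /24, an IPv6 /48, or both")
    wanted = {"ipv4": (ipv4, 4, GLOBAL_IPV4_PREFIXLEN),
              "ipv6": (ipv6, 6, GLOBAL_IPV6_PREFIXLEN)}
    pools: Dict[str, str] = {}
    for family, (cidr, version, prefixlen) in wanted.items():
        if cidr is None:
            continue
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        if net.version != version:
            raise ValueError(f"{cidr} is not an {family} CIDR")
        if net.prefixlen != prefixlen:
            raise ValueError(f"{family} global pool needs exactly a /{prefixlen}, got /{net.prefixlen}")
        pools[family] = str(net)
    return pools


def dns_record_types(pools: Dict[str, str]) -> List[str]:
    """Record types to update after advertising (Step 5): A for IPv4, AAAA for IPv6."""
    return [rtype for family, rtype in (("ipv4", "A"), ("ipv6", "AAAA")) if family in pools]


def cutover_ready(old_ttl_seconds: int, current_ttl_seconds: int,
                  seconds_since_ttl_lowered: int,
                  previous_provider_withdrawn: bool) -> Tuple[bool, str]:
    """Decide whether Step 5 (advertise from IPAM) can run now.

    Step 4 requires the TTL to be 60 s or lower and to have had time to take
    effect; resolvers that cached the record under the old TTL may keep it for
    up to that long, so this waits at least old_ttl_seconds (assumed threshold).
    The Important note requires the previous provider to have withdrawn first.
    """
    if current_ttl_seconds > MAX_CUTOVER_TTL_SECONDS:
        return False, f"lower the DNS TTL to {MAX_CUTOVER_TTL_SECONDS}s or less (currently {current_ttl_seconds}s)"
    if seconds_since_ttl_lowered < old_ttl_seconds:
        remaining = old_ttl_seconds - seconds_since_ttl_lowered
        return False, f"wait {remaining}s more: resolvers may still hold the record under the old {old_ttl_seconds}s TTL"
    if not previous_provider_withdrawn:
        return False, "withdraw the advertisement from the previous provider first"
    return True, "advertise the CIDR(s) from IPAM, then update the DNS records"


if __name__ == "__main__":
    # Constructed inputs using documentation ranges, not CIDRs from this page.
    pools = validate_global_pool_cidrs(ipv4="203.0.113.0/24", ipv6="2001:db8::/48")
    print(pools, dns_record_types(pools))
    print(cutover_ready(old_ttl_seconds=3600, current_ttl_seconds=60,
                        seconds_since_ttl_lowered=3600, previous_provider_withdrawn=True))
```

`cutover_ready` returns the reason alongside the verdict so it can gate a change-management step: the three refusals correspond to Step 4's TTL requirement, Step 4's propagation wait, and the Important note's withdrawal requirement, in that order.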

## Cleanup


To clean up resources created in this tutorial:
+ **Delete CloudFront resources** – Follow the cleanup instructions in [Bring your own IP to CloudFront using IPAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/bring-your-own-ip-address-using-ipam.html) in the *Amazon CloudFront Developer Guide*
+ **Withdraw CIDR and delete IPAM pools** – Follow the standard cleanup process in [Step 8: Cleanup](tutorials-byoip-ipam-console-ipv4.md#tutorials-byoip-ipam-ipv4-console-cleanup)

**Important**  
Delete CloudFront resources first, then proceed with IPAM cleanup to avoid service disruptions.