Introduction to IP Address Management Problems


Managing IP Addressing at Scale with Amazon VPC IP Address Manager or IPAM
In this course, we introduce the Amazon VPC IP Address Manager, also called IPAM, as the centerpiece of managing IP addressing at scale.

Learning Objectives

  • Understand the need for IP Address Management
  • Gain insight into VPC IP Address Management (IPAM)
  • Discover IPAM features for IP collisions and BYOIP
  • Learn how to provision IPAM for your systems 
  • Complete an IPAM Console tour

Intended Audience

  • Architects and networking professionals using AWS
  • This course also covers some of the objectives of the AWS Solutions Architect Professional and the AWS Advanced Networking Specialty certification exams



Introduction to IP address management problems. IP address management is critical if we are to deploy network and related security controls without impacting existing resources. Issues like IP address overlap are difficult to fix once resources are deployed, so proactive planning and visibility of IP allocation are essential to prevent production deployment issues. It doesn't matter whether you're managing IPv4, IPv6, or both types of addresses: the problems with IP address management at scale are in general the same. When you start using Amazon VPCs, you start small, you test, and then grow as needed. Usually, this is manageable using a spreadsheet. Your engineers ask for IP addresses, you check your documents, and then assign them what's needed. You assign CIDRs to VPCs, and set route tables, security groups, and firewall rules for your network topology.

Now fast-forward to having dozens if not hundreds of VPCs, possibly across different regions and accounts, and the approach begins to involve some heavy lifting. Provisioning an IP address or a block of them takes longer, because the documents have to be checked to make sure there are no collisions. This all needs to happen before assigning the requested blocks.

IP address overlap is a difficult problem to resolve once the network resources have been deployed, and so detecting IP collisions is an important step. It doesn't matter if you have a single account with multiple VPCs or multiple accounts with multiple VPCs across organizational units and regions; the problems remain the same. Using third-party IP address management presents an integration problem with AWS resources: in general, your developers will have to wait longer, and priority-based or automated IP address allocation becomes necessary. Ideally, it makes sense to start with a big block of IP addresses and then assign subsets via CIDRs from that big block. This approach simplifies the management of route tables and firewalls, as you will already have similar entries covering the entire block in place. It also provides a significantly more cohesive IP address base in your organization, which results in less waste of IP addresses.

Unfortunately, until the introduction of Amazon VPC IP Address Manager, this was not possible. Most of us ended up with a fragmented address space that was difficult and time consuming to manage in terms of complex route tables and firewall configurations. This was particularly difficult when managing a fragmented IPv6 space. It is important to have a robust and cohesive IP address strategy. This helps prevent issues with network connectivity and duplicate addresses, as well as providing accurate documentation and usage history of your allocated blocks. A cohesive IP addressing strategy is simpler and easier to manage. Also, please keep in mind that for IPv6, AWS assigns a /56 CIDR to a VPC and a /64 to subnets, and you don't get much of a choice unless you bring your own IP addresses, also called BYOIP. You can do BYOIP for both IPv4 and IPv6 if you want to make migrations to AWS easier, as the IPs move to AWS along with the applications in your data center that use them.

More on this a bit later. For now, the idea is to pursue a homogeneous IP address allocation strategy and reuse a large CIDR by partitioning it into pools accordingly. The need to monitor IP utilization is also critical: without monitoring, IP collisions may remain invisible until it is too late, and the fix is usually difficult, expensive, and disruptive. With regard to monitoring IP allocation, there is also the matter of gaining visibility into IP address exhaustion, so that running out of IP addresses does not happen. Visibility into IP address utilization makes it significantly easier to troubleshoot connectivity issues as well as to perform security and network compliance audits.
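The three problems described above (detecting collisions in an inventory assigned by hand, partitioning one large block into pools and allocating VPC-sized CIDRs from them, and monitoring utilization so exhaustion is visible early) can be modelled in a few lines with Python's standard `ipaddress` module. The following is an added worked example, not part of the course and not Amazon IPAM's own code; the pool names, the "spreadsheet" inventory, the 80% exhaustion threshold and the `2001:db8::/32` documentation prefix are constructed for illustration.

```python
"""Toy IP address manager: collision detection, pool carving, utilization.

Constructed example for the problems discussed above; it is not AWS IPAM.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Pool:
    """A slice of the top-level block that one region or team allocates from."""
    name: str
    cidr: ipaddress.IPv4Network  # an IPv6Network works the same way
    allocations: list = field(default_factory=list)

    def allocate(self, prefixlen):
        """Hand out the first free block of the requested size, or None when exhausted."""
        if prefixlen < self.cidr.prefixlen:
            return None  # request is larger than the whole pool
        for candidate in self.cidr.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(existing) for existing in self.allocations):
                self.allocations.append(candidate)
                return candidate
        return None

    def utilization(self):
        """Fraction of the pool's addresses already handed out, 0.0 to 1.0."""
        used = sum(block.num_addresses for block in self.allocations)
        return used / self.cidr.num_addresses


def make_pool(name, cidr):
    """Convenience constructor from a CIDR string (constructed helper)."""
    return Pool(name, ipaddress.ip_network(cidr))


def carve_pools(top_level, pool_prefixlen, names):
    """Partition one large CIDR into equal-sized pools, one per name, in address order."""
    top = ipaddress.ip_network(top_level)
    return {name: Pool(name, sub)
            for name, sub in zip(names, top.subnets(new_prefix=pool_prefixlen))}


def find_overlaps(cidrs):
    """Return every colliding pair among the given CIDR strings (IPv4 and IPv6 mixed)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2)
            if a.version == b.version and a.overlaps(b)]


def exhaustion_report(pools, threshold=0.8):
    """Names of pools at or above the utilization threshold, so exhaustion is caught early."""
    return [p.name for p in pools.values() if p.utilization() >= threshold]


if __name__ == "__main__":
    # Constructed "spreadsheet" inventory: VPC CIDRs assigned independently by two accounts.
    inventory = ["10.0.0.0/16", "10.0.128.0/17", "10.1.0.0/16",
                 "192.168.0.0/24", "2001:db8:1::/56"]
    print("collisions:", find_overlaps(inventory))

    # One /8 carved into per-region /12 pools; VPCs get /16 blocks from their region's pool.
    pools = carve_pools("10.0.0.0/8", 12, ["us-east-1", "us-west-2", "eu-west-1"])
    vpc_a = pools["us-east-1"].allocate(16)
    vpc_b = pools["us-east-1"].allocate(16)
    print("allocated:", vpc_a, vpc_b, f"utilization={pools['us-east-1'].utilization():.3f}")
    print("pools near exhaustion:", exhaustion_report(pools))
```

Because every VPC block is a sub-prefix of its region's pool, one route-table or firewall entry for the pool CIDR covers all of them, which is the route-table simplification the lecture describes; `find_overlaps` is the check to run over an existing hand-maintained inventory before any of it is migrated into such pools.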


About the Author
Jorge Negrón
AWS Content Architect
Learning Paths

Experienced in architecture and delivery of cloud-based solutions, the development and delivery of technical training, defining requirements and use cases, and validating architectures for results. Excellent leadership, communication, and presentation skills with attention to detail. Hands-on administration/development experience with the ability to mentor and train in current and emerging technologies (Cloud, ML, IoT, Microservices, Big Data & Analytics).