Introduction to IP Address Manager (IPAM)

Contents

Managing IP Addressing at Scale with Amazon VPC IP Address Manager or IPAM
  1. Introduction (preview, 4m 6s)

Difficulty: Intermediate
Duration: 27m
Students: 22
Ratings: 5/5
Description

In this course, we introduce the Amazon VPC IP Address Manager, also called IPAM, as the centerpiece for managing IP addressing at scale.

Learning Objectives

  • Understand the need for IP Address Management
  • Gain insight into VPC IP Address Management (IPAM)
  • Discover IPAM features for IP collisions and BYOIP
  • Learn how to provision IPAM for your systems 
  • Complete an IPAM Console tour

Intended Audience

  • Architects and networking professionals using AWS
  • This course also covers some of the objectives for the AWS solutions architect professional and the AWS Advanced Networking Specialty certification exams

Prerequisites 

Transcript

Amazon VPC IPAM resolves all of the IP allocation requirements discussed and automates IP address allocation, provides IP monitoring of your network, and maintains a historical record of IP address utilization. Setting up IPAM is easy in that you create an IPAM usually in the region that has the most workloads. You then organize your IP address allocation according to your business requirements, and IPAM automates the allocation, discovery, monitoring, and visibility process. IPAM allows your users to request a CIDR in a self-service fashion and provides you visibility and historical analysis of IP utilization with data retention of up to three years. The primary operational unit in IPAM is called a pool. A pool represents a collection of one or more CIDRs which can be subdivided as needed. The best practice is to define what is called a top-level pool which represents a large block of IP addresses and then you can subdivide it as needed for your network topology. There are a few ways in which you can arrange your IP address allocation.

You can assign IP address pools by region and then subdivide by the type of workflow, like dedicated development and production IP addresses. You can also designate pools by account, by principal, or even use tags to dictate your IP address allocation. The structure of the IP address hierarchy is entirely up to your business requirements. Allocation rules are available by default for all of these use cases. By getting started with a top-level pool, you avoid fragmenting your IP address space, which has a direct effect on the simplicity of your route tables and firewall configurations. In short, you start with a single global pool that you then divide and share across accounts, regions, workloads, business units, or tags. Pools have a unique ID, so your scripts and applications point to the pool ID while the pool gets populated with additional CIDRs when needed.

Allocation rules dictate who can obtain an IP address automatically, and where. Once again, the pool ID used in scripts and code remains constant. A VPC is flagged as compliant in the IPAM dashboard if its automatic CIDR allocation conforms with all of your allocation rules. With automatic allocation, a violation of just one rule will cause the request to fail. The allocation rules and automation future-proof your IP address allocation strategy according to your specified compliance. You may have to deal with already existing resources and how IPAM assigns their compliance status. This will be the case with default VPCs and with VPCs and resources that have already been deployed. IPAM includes prefabricated allocation rules related to a region and to the account or organizational unit that you can use for the pool. You can also define allocation based on tags and predefine the minimum, maximum, and default size of a CIDR allocated to a VPC or any other resource. For resources other than VPCs, IPAM continues to operate by dispensing CIDRs to your users, who then assign addresses to, for example, container overlay networks, VPNs, and any other resource that requires an IP.
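To make the pool hierarchy and the "one violated rule fails the request" behaviour concrete, here is an added example that is not part of the course or of AWS's own code: a standard-library model of pools, sub-pools, and allocation rules (locale, account, required tags, and minimum/maximum/default netmask). The pool IDs, CIDRs, account IDs, and tags are constructed for the demo; a sub-pool's CIDR is carved out of its parent's unused space, and scripts only ever refer to the stable pool ID.

```python
# Added example (not part of the course or AWS code): a standard-library model of
# IPAM pools, sub-pools and allocation rules, so the rule-checking behaviour can be
# exercised offline. Pool IDs, CIDRs, account IDs and tags are constructed for the demo.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Set


class AllocationError(Exception):
    """Raised when a request violates any allocation rule or the pool has no free block."""


@dataclass
class Pool:
    pool_id: str                                   # stable handle that scripts refer to
    cidrs: List[IPv4Network]                       # provisioned CIDRs (one or more)
    locale: Optional[str] = None                   # region the pool serves; None = any
    accounts: Set[str] = field(default_factory=set)  # allowed account IDs; empty = any
    required_tags: Dict[str, str] = field(default_factory=dict)
    min_netmask: int = 16                          # largest block a requester may take
    max_netmask: int = 28                          # smallest block a requester may take
    default_netmask: int = 24                      # size used when none is requested
    allocations: List[IPv4Network] = field(default_factory=list)


class Ipam:
    def __init__(self) -> None:
        self.pools: Dict[str, Pool] = {}

    def create_pool(self, pool_id: str, cidrs: List[str],
                    parent_id: Optional[str] = None, **rules) -> Pool:
        """Provision a pool; a sub-pool's CIDRs must fit in unused space of its parent."""
        nets = [ip_network(c) for c in cidrs]
        if parent_id is not None:
            parent = self.pools[parent_id]
            for net in nets:
                if not any(net.subnet_of(p) for p in parent.cidrs):
                    raise AllocationError(f"{net} is outside parent pool {parent_id}")
                if any(net.overlaps(a) for a in parent.allocations):
                    raise AllocationError(f"{net} overlaps an allocation in {parent_id}")
                parent.allocations.append(net)     # the sub-pool consumes parent space
        pool = Pool(pool_id, nets, **rules)
        self.pools[pool_id] = pool
        return pool

    def rule_violations(self, pool: Pool, region: str, account: str,
                        tags: Dict[str, str], netmask: int) -> List[str]:
        """Return every rule the request breaks; any non-empty list fails the request."""
        problems = []
        if pool.locale and region != pool.locale:
            problems.append(f"locale rule: pool serves {pool.locale}, request is for {region}")
        if pool.accounts and account not in pool.accounts:
            problems.append(f"account rule: {account} may not allocate from {pool.pool_id}")
        for key, value in pool.required_tags.items():
            if tags.get(key) != value:
                problems.append(f"tag rule: requires {key}={value}")
        if not pool.min_netmask <= netmask <= pool.max_netmask:
            problems.append(f"size rule: /{netmask} outside /{pool.min_netmask}../{pool.max_netmask}")
        return problems

    def allocate(self, pool_id: str, region: str, account: str,
                 tags: Optional[Dict[str, str]] = None, netmask: Optional[int] = None) -> IPv4Network:
        """Hand out the first free block of the requested size, or fail the whole request."""
        pool = self.pools[pool_id]
        netmask = pool.default_netmask if netmask is None else netmask
        problems = self.rule_violations(pool, region, account, tags or {}, netmask)
        if problems:
            raise AllocationError("; ".join(problems))
        for cidr in pool.cidrs:
            if netmask < cidr.prefixlen:           # request is bigger than this CIDR
                continue
            candidates = [cidr] if netmask == cidr.prefixlen else cidr.subnets(new_prefix=netmask)
            for candidate in candidates:
                if not any(candidate.overlaps(a) for a in pool.allocations):
                    pool.allocations.append(candidate)
                    return candidate
        raise AllocationError(f"pool {pool_id} has no free /{netmask}")


def build_demo() -> Ipam:
    """Top-level pool -> regional pool -> per-environment pool (constructed values)."""
    ipam = Ipam()
    ipam.create_pool("pool-top", ["10.0.0.0/8"], min_netmask=8, max_netmask=12, default_netmask=12)
    ipam.create_pool("pool-use1", ["10.0.0.0/12"], parent_id="pool-top", locale="us-east-1",
                     min_netmask=16, max_netmask=20, default_netmask=16)
    ipam.create_pool("pool-use1-dev", ["10.0.0.0/16"], parent_id="pool-use1", locale="us-east-1",
                     accounts={"111111111111"}, required_tags={"env": "dev"},
                     min_netmask=20, max_netmask=28, default_netmask=24)
    return ipam


if __name__ == "__main__":
    ipam = build_demo()
    print(ipam.allocate("pool-use1-dev", "us-east-1", "111111111111", {"env": "dev"}))  # 10.0.0.0/24
    print(ipam.allocate("pool-use1-dev", "us-east-1", "111111111111", {"env": "dev"}))  # 10.0.1.0/24
    print(ipam.allocate("pool-use1", "us-east-1", "222222222222"))                      # 10.1.0.0/16
    try:  # wrong region, wrong tag and a /30 below the maximum netmask: all three are reported
        ipam.allocate("pool-use1-dev", "eu-west-1", "111111111111", {"env": "prod"}, netmask=30)
    except AllocationError as err:
        print("rejected:", err)
```

The regional pool already has 10.0.0.0/16 consumed by the development sub-pool, so a direct request against it skips that block and returns 10.1.0.0/16; the rejected request shows that every violated rule is reported together rather than only the first one.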

Migrating to IPAM could not be simpler: IPAM automatically performs a discovery process and imports into an inventory all IPv4 and IPv6 CIDRs in use in your organization. You can also choose which IPv6 CIDRs to advertise publicly or keep for private use. Any VPCs that it discovers are labeled as unmanaged in the compliance status field of the dashboard. You also get an overlap status field that indicates whether you have repeating CIDRs. As you begin to use IPAM, many of the overlapping CIDRs will relate to default VPCs, which use the same IP block of 172.31.0.0/16. With a default VPC per availability zone in each region, IPAM will label the VPCs as unmanaged and overlapping, as shown on the screen. IPAM IP monitoring provides you with a historical record of IP address utilization, including allocation and release times. You get to explore the full lifecycle of an IP address, which makes it easier to troubleshoot connectivity issues. IPAM tracks how an IP moves from one instance to another, or a CIDR from one VPC to another. IPAM also tracks all IP movements in terms of assignment and release cycles. It can also manage and provide visibility into your physical data center IP addresses.

Creating an IPAM requires that you provide a name and select the regions in which IPAM will manage IP address allocation. You then define your IP address pools by providing the CIDRs to be used and the allocation policies. IPAM automatically performs a discovery process of IPs used in your organization and reports on compliance status. In addition, you can define a service control policy in your organization to require IP allocation to be performed exclusively through IPAM. The service also has built-in integrations with CloudFormation, Terraform, and CloudWatch, so that you can automate allocation and create alarms, for example, if a CIDR reaches 80% utilization and is about to run out of allocatable IP addresses.
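The discovery and overlap labels described two paragraphs above, and the 80% utilization alarm mentioned here, are both shown in the following added example, which is not part of the course or of AWS's own code. The VPC IDs, regions, CIDRs, and IPAM allocations are constructed sample data: three default VPCs that all use 172.31.0.0/16, two VPCs allocated through IPAM, and one hand-made VPC that collides with an IPAM allocation. A resource counts as managed only when its CIDR is exactly one that IPAM allocated.

```python
# Added example (not course or AWS code): classify discovered VPC CIDRs the way the
# IPAM dashboard labels them (managed/unmanaged, overlapping/nonoverlapping) and
# compute pool utilization against an alarm threshold. All data is constructed.
from ipaddress import ip_network
from typing import Dict, List

# Constructed inventory as a discovery pass might import it: one default VPC per
# region (all 172.31.0.0/16), two VPCs created through IPAM, one created by hand.
DISCOVERED = [
    {"id": "vpc-default-use1", "region": "us-east-1", "cidr": "172.31.0.0/16"},
    {"id": "vpc-default-usw2", "region": "us-west-2", "cidr": "172.31.0.0/16"},
    {"id": "vpc-default-euw1", "region": "eu-west-1", "cidr": "172.31.0.0/16"},
    {"id": "vpc-app-use1",     "region": "us-east-1", "cidr": "10.0.0.0/24"},
    {"id": "vpc-app-usw2",     "region": "us-west-2", "cidr": "10.16.0.0/24"},
    {"id": "vpc-legacy-use1",  "region": "us-east-1", "cidr": "10.0.0.128/25"},  # hand-made, collides
]

# CIDRs that IPAM itself handed out (constructed).
IPAM_ALLOCATIONS = ["10.0.0.0/24", "10.16.0.0/24"]


def classify_inventory(resources: List[dict], ipam_allocations: List[str]) -> Dict[str, Dict[str, str]]:
    """Label each discovered resource as managed/unmanaged and overlapping/nonoverlapping."""
    allocated = [ip_network(c) for c in ipam_allocations]
    nets = {r["id"]: ip_network(r["cidr"]) for r in resources}
    report = {}
    for rid, net in nets.items():
        managed = net in allocated                       # exact match with an IPAM allocation
        overlapping = any(net.overlaps(other) for oid, other in nets.items() if oid != rid)
        report[rid] = {
            "compliance": "managed" if managed else "unmanaged",
            "overlap": "overlapping" if overlapping else "nonoverlapping",
        }
    return report


def pool_utilization(pool_cidrs: List[str], allocations: List[str],
                     threshold: float = 0.8) -> Dict[str, object]:
    """Fraction of a pool's provisioned space already allocated, and whether it crosses the threshold."""
    pool = [ip_network(c) for c in pool_cidrs]
    total = sum(c.num_addresses for c in pool)
    used = 0
    for a in allocations:
        net = ip_network(a)
        if not any(net.version == c.version and net.subnet_of(c) for c in pool):
            raise ValueError(f"{net} is not inside the pool")
        used += net.num_addresses
    ratio = used / total
    return {"total": total, "used": used, "ratio": ratio, "alarm": ratio >= threshold}


if __name__ == "__main__":
    for rid, labels in classify_inventory(DISCOVERED, IPAM_ALLOCATIONS).items():
        print(f"{rid:18} {labels['compliance']:10} {labels['overlap']}")
    # Constructed pool at 87.5% utilization: this is the situation an 80% alarm reports.
    print(pool_utilization(["10.0.0.0/16"], ["10.0.0.0/17", "10.0.128.0/18", "10.0.192.0/19"]))
```

The three default VPCs come out unmanaged and overlapping, as the transcript describes; the hand-made 10.0.0.128/25 is unmanaged and also marks the IPAM-allocated 10.0.0.0/24 as overlapping, which is the kind of collision the overlap status field is there to surface. The utilization function is a local stand-in for the CloudWatch metric the transcript mentions, not a call to CloudWatch.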


About the Author

Jorge Negrón
AWS Content Architect
Students: 3935
Courses: 18
Learning Paths: 1

Experienced in the architecture and delivery of cloud-based solutions, the development and delivery of technical training, defining requirements and use cases, and validating architectures for results. Excellent leadership, communication, and presentation skills with attention to detail. Hands-on administration/development experience with the ability to mentor and train on current and emerging technologies (Cloud, ML, IoT, Microservices, Big Data & Analytics).