Let's walk through the AWS console for IPAM. The landing page highlights the process of IPAM utilization. You can start using IPAM by first designating an IPAM delegated administrator for your organization. The management account of your organization cannot be set as the IPAM delegated administrator. In this case, it probably means you only use one account or have not configured AWS organizations. If that is the situation, you can still use your administrator account to create an IPAM, but the scope of operation will only be the specific and single account ID being utilized. The best practice is to allow IPAM to integrate with AWS organizations. This will allow you to share IPAM pools with your organization and monitor IP address usage across all of it. In order to do this, you need to enable integration with AWS organizations by using the IPAM settings in the AWS console or the enable IPAM organization admin account command using the AWS CLI. The result is a service-linked role called AWS service role for IPAM.

Please note that this is a small detail worth repeating in that you need to use the IPAM console settings or the enable IPAM organization admin account CLI command. If you are an experienced user of AWS organizations, you may be inclined to use the AWS organizations console or the registered delegated administrator CLI command. This approach using the AWS organization's console will not, I repeat, will not create the required role name AWS service role for IPAM. So, please make sure to use the IPAM console settings to assign an IPAM delegated administrator account. The AWS documentation defines the process as follows. To select an IPAM delegated administrator account, clearly you need to navigate to the IPAM AWS console. In that console, you're going to be able to choose the region in which you want to work with IPAM. Then on the navigation pane, you click on Settings. Once you do that, you're going to be able to enter the AWS account ID for an IPAM account.

The IPAM administrator must be an AWS organization member account. Following that, you simply click on delegate and this will perform the required delegation for you to use IPAM across your entire organization. It's also worth noting that you cannot use IPAM across multiple organizations. It is expected you have an account in AWS organizations and a management account already set up before performing the steps for IPAM delegation. Finally, please keep in mind you cannot use the AWS organization's management account as the IPAM delegated administrator account. It needs to be some other account in your organization if you want to have IPAM cover the entire organization. 

If you use the management account to create an IPAM, it will only work for the account ID of the management account and not the entire organization. In our demo, we chose the networking account in our organization to be the IPAM delegated administrator account. Creating an IPAM will require that you use the delegated IPAM administration account and select the regions in which IPAM will discover resources and manage IP addresses. The region in which you create the IPAM will always be included in the operating regions list.

Also, upon creation of an IPAM, two default scopes will be created. The first is a default private scope which is used for resources using private IP addresses when the discovery process is complete and the existing inventory is actually created. The second scope is a default public scope which is used for resources using public IP addresses when the discovery process completes. You can have multiple private scopes, but you can only have one public scope. Formally, a scope is the highest level container in IPAM. A scope defines the IP space for a single network. If for any reason you need to use the same CIDR or IP addresses in more than one location, the way you indicate to IPAM that this is your intended purpose is to include the same CIDR or IP address in different scopes. This will prevent IPAM from flagging the overlap as an issue in the main dashboard. You can also designate a name and a description for the IPAM. These are optional and if you enter a value in the name field, a tag by that value will be automatically created. In order to begin using IPAM allocation, you need to create a pool.

A pool is a group of consecutive IP addresses expressed in CIDR notation. A pool can be split into subsets allowing you to arrange your IP addresses as required by your business for efficient and secure allocation. The best practice is to define what is called a TopLevelPool, which can be made of one or more additional pools. To create a TopLevelPool, you need to create a pool with no source pool and a local configuration of none in the pool hierarchy definition. This becomes useful when security requirements dictate that you separate IP addressing between development and production workflows. Using pools, you can assign CIDRs accordingly and consistently. 

The subdivisions can be in any logical way that you desire. It's not unusual to segment IP address blocks into pools by region. Using IPAM, you can track when an IP went from one instance to another and you can answer the question of what has happened to this IP historically. In order to lock IP address assignment automation, you can define a service control policy in AWS organizations. The SCP can restrict VPC creation to IPAM and require members in your organization to use IPAM when creating VPCs.

You can attach the shown service control policy to one or more organizational units in your organization. You can also create a service control policy to restrict VPC creation to an IPAM pool using the policy shown. In this case, you will need to change the IPAM pool ID to the correct value for your implementation. IPAM is an automated and highly available global scope service which permits you to predefine IP address CIDR blocks into pools and automatically dispense them to VPCs or via its allocate IPAM pool CIDR and release IPAM pool allocation API calls. It's fully integrated with AWS organizations to dispense IP addresses across regions, accounts, and organizational units. It also makes it easier to bring your own IP address blocks into AWS by verifying it only once for your entire organization.