Managing IP Addressing at Scale with Amazon VPC IP Address Manager or IPAM

In this course, we introduce the Amazon VPC IP Address Manager, also called IPAM, as the centerpiece of managing IP addressing at scale.

Learning Objectives

  • Understand the need for IP Address Management
  • Gain insight into VPC IP Address Management (IPAM)
  • Discover IPAM features for IP collisions and BYOIP
  • Learn how to provision IPAM for your systems 
  • Complete an IPAM Console tour

Intended Audience

  • Architects and networking professionals using AWS
  • This course also covers some of the objectives for the AWS solutions architect professional and the AWS Advanced Networking Specialty certification exams

IPAM also simplifies the process of Bring Your Own IP (BYOIP) for Amazon VPCs. This is a sought-after networking feature that lets customers use an existing IPv4 or IPv6 address range on AWS. It allows you to keep your IP address reputation and migrate applications to AWS along with the IPs in use in your data center. It also saves you from having to reconfigure allow lists if you already have them in place. For IPv4, the Bring Your Own IP process has presented some issues until recently: if you bring IPv4 space into AWS, you must bring a block into an account, and the smallest block you can bring is a /24 CIDR, which is over 250 usable IPv4 addresses. If you have multiple accounts, each account needs a minimum of a /24 CIDR even if you will only use a dozen addresses per account, and this can waste a large set of IP addresses in the Bring Your Own IP model.

There is also the matter that for Bring Your Own IP, you need to first authorize Amazon to advertise the IP address range you are bringing. To do so, you create a Route Origin Authorization (ROA) for the AWS Autonomous System Numbers (ASNs); the AWS ASNs are 16509 and 14618. This needs to be done for each CIDR you bring, which is tedious to say the least. Ideally, as you bring your own IPs into AWS, you would bring your reputable IP address blocks into a single management account in an organization and then subdivide that block into other accounts and regions as needed, without having to revalidate ownership and without being bound by a /24 requirement per account. This improves the efficiency of your IP address usage. IPAM turns this ideal situation into reality by letting you define a large block of IP addresses as a pool and then allocate CIDRs from that pool to regions, accounts, and organizational units. The route origin authorization is done only once instead of per account.

IPAM simplifies the BYOIP process for both IPv4 and IPv6 and, for IPv6, lets you define which addresses are advertised and which are kept private. Keep in mind that all IPv6 addresses are public, so you can choose to advertise some address blocks while leaving others unadvertised as a way to use them privately. In more detail, for IPv6 BYOIP you can define a Border Gateway Protocol (BGP) advertisement for public access or withhold a CIDR block from all public access. If you are advertising a CIDR, the minimum size is a /48. If you are not advertising an IPv6 CIDR, the minimum size is a /56. Allocation through IPAM then lets you split the CIDRs as needed, and you can use both types of addresses at the same time without issues. We have mentioned a few times the idea of IP address collisions. IPAM also allows you to create duplicate IP addresses and have it ignore the overlap. This is rare, but it happens, as is the case with default VPCs in each region. It also happens when you run multiple independent networks that use the same address space. The operational unit of a scope allows you to isolate a CIDR so that it is not reported as an overlap with another.

This allows you to isolate existing IP overlaps and have IPAM continue to operate without reporting an issue. Think of different sandbox environments using the same CIDR where there is no plan to connect them in the future. The idea of an IPAM scope allows you to reuse CIDRs and IPs where no interconnectivity is expected. By default, when you create an IPAM and define the operating regions, two scopes are created. One is dedicated to private CIDRs and the other to public CIDRs. You can create additional scopes if needed. A scope is the way to tell IPAM that the IP overlap is intentional and you're okay with it. It doesn't need to report the conflict. Last but not least, IPAM will only charge your account for the IPs that you actually use, making it cost efficient in terms of IP address management.
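The pool, allocation and scope behaviour described in the last few paragraphs, together with the BYOIP minimum block sizes, as a small Python model. This is an added example written for this page, not AWS or course code: the `Scope` and `Pool` classes, the `demo()` sample and the sample CIDRs are constructed for illustration, and only the size limits (/24, /48, /56) and the "overlap is checked per scope" rule come from the text.

```python
"""Toy model of IPAM scopes, pools and allocations (added example, not AWS code).

A scope holds pools; a pool holds one provisioned CIDR and carves child CIDRs
out of it. Overlap is checked only within a scope, which is how IPAM lets two
scopes carry the same CIDR on purpose (e.g. unconnected sandbox environments).
"""
import ipaddress


def byoip_minimum_ok(cidr: str, advertised: bool = True) -> bool:
    """Check a BYOIP block against the minimum sizes the course states:
    IPv4 /24; IPv6 /48 if advertised via BGP, /56 if kept unadvertised."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    minimum = 24 if net.version == 4 else (48 if advertised else 56)
    return net.prefixlen <= minimum  # a smaller prefix number is a larger block


class Scope:
    """The overlap boundary: a CIDR collides only with others in the same scope."""

    def __init__(self, name: str):
        self.name, self.allocations = name, []

    def conflicts(self, cidr):
        return [a for a in self.allocations if a.overlaps(cidr)]


class Pool:
    """One provisioned CIDR inside a scope; sub-CIDRs are allocated from it."""

    def __init__(self, scope: Scope, cidr: str):
        self.scope, self.cidr = scope, ipaddress.ip_network(cidr)

    def allocate(self, netmask_length: int):
        """Hand out the first free child of the requested size (allocation by
        netmask length), refusing anything that overlaps inside this scope."""
        for candidate in self.cidr.subnets(new_prefix=netmask_length):
            if not self.scope.conflicts(candidate):
                self.scope.allocations.append(candidate)
                return candidate
        raise ValueError(f"pool {self.cidr} has no free /{netmask_length}")


def demo():
    """Constructed sample: one pool per scope, same space reused across scopes."""
    private, sandbox = Scope("private"), Scope("sandbox")
    prod = Pool(private, "10.0.0.0/8")
    a, b = prod.allocate(16), prod.allocate(16)       # 10.0.0.0/16, 10.1.0.0/16
    dup = Pool(sandbox, "10.0.0.0/8").allocate(16)    # 10.0.0.0/16 again, no conflict
    collision = private.conflicts(ipaddress.ip_network("10.1.0.0/24"))
    return str(a), str(b), str(dup), [str(c) for c in collision]
```

Running `demo()` shows the same /16 handed out in two scopes without complaint, while a /24 that falls inside an existing allocation in the private scope is reported as a conflict.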


About the Author
Jorge Negrón
AWS Content Architect

Experienced in the architecture and delivery of cloud-based solutions, the development and delivery of technical training, defining requirements and use cases, and validating architectures for results. Excellent leadership, communication, and presentation skills with attention to detail. Hands-on administration/development experience with the ability to mentor and train on current and emerging technologies (Cloud, ML, IoT, Microservices, Big Data & Analytics).