# Bring your own IP to CloudFront using IPAM
<a name="bring-your-own-ip-address-using-ipam"></a>

This tutorial shows how to use IPAM to manage your BYOIP CIDRs for CloudFront Anycast Static IP lists.

**Topics**
+ [What is BYOIP for Anycast Static IPs?](#what-is-byoip-anycast)
+ [Why use this feature?](#why-use-byoip)
+ [Prerequisites](#byoip-prerequisites)
+ [Step 1: Request an Anycast static IP list](#request-anycast-static-ip-list)
+ [Step 2: Create an Anycast static IP list](#create-anycast-static-ip-list)
+ [Step 3: Create a CloudFront distribution](#create-cloudfront-distribution)
+ [Step 4: Associate with CloudFront resources](#associate-with-cloudfront-resources)
+ [Step 5: Prepare for migration](#prepare-for-migration)
+ [Step 6: Advertise CIDR globally](#advertise-cidr-globally)

## What is BYOIP for Anycast Static IPs?
<a name="what-is-byoip-anycast"></a>

CloudFront supports bringing your own IPv4 and IPv6 addresses through IPAM's BYOIP for global services. Through IPAM's unified interface, customers can create dedicated IP address pools using their own IP addresses (BYOIP) and assign them to CloudFront distributions while leveraging the AWS worldwide content delivery network to deliver their applications and content. Your IP addresses are advertised from multiple CloudFront edge locations simultaneously using anycast routing.

## Why use this feature?
<a name="why-use-byoip"></a>

**Control network access in allow lists to:**
+ Allow-list IP addresses with network providers to waive data charges for approved viewers
+ Configure outbound security firewalls to restrict traffic to approved applications only

**Simplify operations and migrations**
+ Route apex domains (example.com) directly to CloudFront by adding A records that point to your static IPs
+ Migrate from other CDNs without updating IP infrastructure or firewall configurations
+ Maintain existing IP allowlists with partners and clients
+ Share a single Anycast static IP list across multiple CloudFront distributions

**Consistent branding**
+ Keep your existing IP address space for consistent branding when moving to AWS

## Prerequisites
<a name="byoip-prerequisites"></a>

To use Anycast static IP lists with your CloudFront distribution, you must select **Use all edge locations** for the price class for the distribution. For more information about pricing, see [CloudFront pricing](https://aws.amazon.com/cloudfront/pricing/). For Bring Your Own IP (BYOIP), you also need to disable IPv6 for the distribution or connection group when using IPv4-only BYOIP. For dual-stack BYOIP, associate a dual-stack Anycast static IP List and enable IPv6 for the distribution or connection group.

Complete these steps before starting:
+ IPAM setup: See [Integrate IPAM with accounts](https://docs.aws.amazon.com/vpc/latest/ipam/enable-integ-ipam.html) and [Create an IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/create-ipam.html).
+ Domain verification: [Verify domain control](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-ipam-domain-verification-methods.html).
+ Create a top-level pool: Follow steps 1 to 2 in [Bring your own IPv4 CIDR to IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-ipam-console-ipv4.html) and/or [Bring your own IPv6 CIDR to IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-ipam-console-ipv6.html).
+ Create an IPAM pool with locale as global to use with CloudFront. For more information, see [Bring your own IP to CloudFront using IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-cloudfront.html).

**Note**  
Requires **three /24 and/or /48** IPv4 CIDR blocks.

## Step 1: Request an Anycast static IP list
<a name="request-anycast-static-ip-list"></a>

Request an Anycast static IP list to use with your CloudFront distribution.<a name="request-anycast-static-ip-list-procedure"></a>

**To request an Anycast static IP list**

1. Sign in to the AWS Management Console and open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. In the left navigation pane, choose **Static IPs**.

1. For **Request**, choose the link to contact CloudFront support engineering.

1. Provide your workload information (request bytes per second and requests per second).

1. CloudFront support engineering reviews your request. The review process might take up to two days.

1. After your request is approved, you can create an Anycast static IP list and associate it with one or more distributions.

## Step 2: Create an Anycast static IP list
<a name="create-anycast-static-ip-list"></a>

Before you begin, request an Anycast static IP list as explained in the preceding section.<a name="create-anycast-static-ip-list-procedure"></a>

**To create an Anycast static IP list**

1. Sign in to the AWS Management Console and open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. In the left navigation pane, choose **Static IPs**.

1. Choose **Create Anycast IP list**.

1. For **Name**, enter a name.

1. For **Static IP use cases**, select **BYOIP** as your use case.

1. For **IP address type**, pick **IPv4** or **Dualstack**.

1. For **IPAM pool**, pick the IPAM pool(s) you provisioned through IPAM and CIDR group(s) from them.

The following steps differ from the standard regional BYOIP process and establish the pattern for global services:

### AWS CLI
<a name="create-anycast-cli"></a>

Installing or updating to the latest version of the AWS CLI. For more information, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Retrieve the IpamPoolArn of the IPAM pool where your CIDR blocks were provisioned. For more information, see [Bring your own public IPv4 CIDR to IPAM using only the AWS CLI](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-ipam-ipv4.html) or [Bring your own public IPv6 CIDR to IPAM using only the AWS CLI](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-ipam-ipv6.html).

1. Create an Anycast IP list with your CIDR blocks and IPAM configuration:

   For IPv4:

   ```
   aws cloudfront create-anycast-ip-list \
       --name byoip-aip-1 \
       --ip-count 3 \
       --region us-east-1 \
       --ip-address-type ipv4 \
       --ipam-cidr-configs '[{"Cidr":"1.1.1.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"},{"Cidr":"2.2.2.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"},{"Cidr":"3.3.3.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"}]'
   ```

   For IPv6:

   ```
   aws cloudfront create-anycast-ip-list \
       --name byoip-aip-dualstack \
       --ip-count 3 \
       --region us-east-1 \
       --ip-address-type dualstack \
       --ipam-cidr-configs '[{"Cidr":"1.1.1.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"},{"Cidr":"2.2.2.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"},{"Cidr":"3.3.3.0/24","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-005d58a8aa8147abc"},{"Cidr":"2600:9000:a100::/48","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a3b7c9e2f41d6789"},{"Cidr":"2600:9000:a200::/48","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a3b7c9e2f41d6789"},{"Cidr":"2600:9000:a300::/48","IpamPoolArn":"arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a3b7c9e2f41d6789"}]'
   ```

**Note**  
You can't select the specific IP address from the pool. CloudFront will do this automatically.

## Step 3: Create a CloudFront distribution
<a name="create-cloudfront-distribution"></a>

For CloudFront, you can follow instructions to [create a standard distribution ](distribution-web-creating-console.md) or use [multi-tenant distributions](distribution-config-options.md).

## Step 4: Associate with CloudFront resources
<a name="associate-with-cloudfront-resources"></a>
+ [Associate an Anycast static IP list with an existing distribution](request-static-ips.md#associate-static-ip-list-existing)
+ [Associate an Anycast static IP list with a new distribution](request-static-ips.md#associate-static-ip-list-new)
+ [Associate an Anycast static IP list with a connection group](request-static-ips.md#associate-anycast-ip-connection-group)

## Step 5: Prepare for migration
<a name="prepare-for-migration"></a>

For more information, see [Step 4: Prepare for migration](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-cloudfront.html#step-4-prepare-for-migration) in the *Amazon VPC User Guide*.

## Step 6: Advertise CIDR globally
<a name="advertise-cidr-globally"></a>

For more information, see [Step 5: Advertise CIDR globally](https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoip-cloudfront.html#step-5-advertise-cidr-globally) in the *Amazon VPC User Guide*.