# Tutorials for Amazon VPC IP Address Manager
<a name="tutorials-ipam"></a>

The following tutorials show you how to perform common IPAM tasks using the AWS CLI. To get the AWS CLI, see [Access IPAM](access-ipam.md). For more information about the IPAM concepts that are mentioned in these tutorials, see [How IPAM works](how-it-works-ipam.md).

**Topics**
+ [Getting started with IPAM using the AWS CLI](getting-started-with-ipam-using-the-aws-cli.md)
+ [Create an IPAM and pools using the console](tutorials-get-started-console.md)
+ [Create an IPAM and pools using the AWS CLI](tutorials-create-vpc-ipam.md)
+ [View IP address history using the AWS CLI](tutorials-historical-insights.md)
+ [Bring your ASN to IPAM](tutorials-byoasn.md)
+ [Bring your IP addresses to IPAM](tutorials-byoip-ipam.md)
+ [Transfer a BYOIP IPv4 CIDR to IPAM](tutorials-byoip-ipam-transfer-ipv4.md)
+ [Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md)
+ [Allocate sequential Elastic IP addresses from an IPAM pool](tutorials-eip-pool.md)

# Getting started with IPAM using the AWS CLI
<a name="getting-started-with-ipam-using-the-aws-cli"></a>

This tutorial guides you through the process of setting up and using Amazon VPC IP Address Manager (IPAM) with the AWS CLI using a single AWS account. By the end of this tutorial, you will have created an IPAM, created a hierarchy of IP address pools, and allocated a CIDR to a VPC.

## Prerequisites
<a name="prerequisites"></a>

Before you begin this tutorial, make sure you have:
+ An AWS account with permissions to create and manage IPAM resources.
+ The AWS CLI installed and configured with appropriate credentials. For information about installing the AWS CLI, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). For information about configuring the AWS CLI, see [Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html). 
+ Basic understanding of IP addressing and CIDR notation.
+ Basic knowledge of Amazon VPC concepts.
+ Approximately 30 minutes to complete the tutorial.

## Create an IPAM
<a name="create-an-ipam"></a>

The first step is to create an IPAM with operating regions. An IPAM helps you plan, track, and monitor IP addresses for your AWS workloads.

Create an IPAM with operating regions in us-east-1 and us-west-2:

```
aws ec2 create-ipam \
  --description "My IPAM" \
  --operating-regions RegionName=us-east-1 RegionName=us-west-2
```

This command creates an IPAM and enables it to manage IP addresses in the specified regions. The operating regions are the AWS Regions where the IPAM is allowed to manage IP address CIDRs.

Verify that your IPAM was created:

```
aws ec2 describe-ipams
```

Take note of the IPAM ID from the output, as you'll need it for subsequent steps.

Wait for the IPAM to be fully created and available (approximately 20 seconds):

```
sleep 20
```

## Get the IPAM scope ID
<a name="get-the-ipam-scope-id"></a>

When you create an IPAM, AWS automatically creates a private and a public scope. For this tutorial, we'll use the private scope.

Retrieve the IPAM details and extract the private scope ID:

```
aws ec2 describe-ipams --ipam-ids ipam-0abcd1234
```

Replace `ipam-0abcd1234` with your actual IPAM ID.

From the output, identify and note the private scope ID from the `PrivateDefaultScopeId` field. It will look something like `ipam-scope-0abcd1234`.

## Create a top-level IPv4 pool
<a name="create-a-top-level-ipv4-pool"></a>

Now, let's create a top-level pool in the private scope. This pool will serve as the parent for all other pools in our hierarchy.

Create a top-level IPv4 pool:

```
aws ec2 create-ipam-pool \
  --ipam-scope-id ipam-scope-0abcd1234 \
  --address-family ipv4 \
  --description "Top-level pool"
```

Replace `ipam-scope-0abcd1234` with your actual private scope ID.

Wait for the pool to be fully created and available:

```
aws ec2 describe-ipam-pools --ipam-pool-ids ipam-pool-0abcd1234 --query 'IpamPools[0].State' --output text
```

Replace `ipam-pool-0abcd1234` with your actual top-level pool ID. The state should be `create-complete` before proceeding.

After the pool is available, provision a CIDR block to it:

```
aws ec2 provision-ipam-pool-cidr \
  --ipam-pool-id ipam-pool-0abcd1234 \
  --cidr 10.0.0.0/8
```

Wait for the CIDR to be fully provisioned:

```
aws ec2 get-ipam-pool-cidrs --ipam-pool-id ipam-pool-0abcd1234 --query "IpamPoolCidrs[?Cidr=='10.0.0.0/8'].State" --output text
```

The state should be `provisioned` before proceeding.

## Create a regional IPv4 pool
<a name="create-a-regional-ipv4-pool"></a>

Next, create a regional pool within the top-level pool. This pool will be specific to a particular AWS Region.

Create a regional IPv4 pool:

```
aws ec2 create-ipam-pool \
  --ipam-scope-id ipam-scope-0abcd1234 \
  --source-ipam-pool-id ipam-pool-0abcd1234 \
  --locale us-east-1 \
  --address-family ipv4 \
  --description "Regional pool in us-east-1"
```

Replace `ipam-scope-0abcd1234` with your actual private scope ID and `ipam-pool-0abcd1234` with your top-level pool ID.

Wait for the regional pool to be fully created and available:

```
aws ec2 describe-ipam-pools --ipam-pool-ids ipam-pool-1abcd1234 --query 'IpamPools[0].State' --output text
```

Replace `ipam-pool-1abcd1234` with your actual regional pool ID. The state should be `create-complete` before proceeding.

After the pool is available, provision a CIDR block to it:

```
aws ec2 provision-ipam-pool-cidr \
  --ipam-pool-id ipam-pool-1abcd1234 \
  --cidr 10.0.0.0/16
```

Wait for the CIDR to be fully provisioned:

```
aws ec2 get-ipam-pool-cidrs --ipam-pool-id ipam-pool-1abcd1234 --query "IpamPoolCidrs[?Cidr=='10.0.0.0/16'].State" --output text
```

The state should be `provisioned` before proceeding.

## Create a development IPv4 pool
<a name="create-a-development-ipv4-pool"></a>

Now, create a development pool within the regional pool. This pool will be used for development environments.

Create a development IPv4 pool:

```
aws ec2 create-ipam-pool \
  --ipam-scope-id ipam-scope-0abcd1234 \
  --source-ipam-pool-id ipam-pool-1abcd1234 \
  --locale us-east-1 \
  --address-family ipv4 \
  --description "Development pool"
```

Replace `ipam-scope-0abcd1234` with your actual private scope ID and `ipam-pool-1abcd1234` with your regional pool ID.

Note: It's important to include the `--locale` parameter to match the parent pool's locale.

Wait for the development pool to be fully created and available:

```
aws ec2 describe-ipam-pools --ipam-pool-ids ipam-pool-2abcd1234 --query 'IpamPools[0].State' --output text
```

Replace `ipam-pool-2abcd1234` with your actual development pool ID. The state should be `create-complete` before proceeding.

After the pool is available, provision a CIDR block to it:

```
aws ec2 provision-ipam-pool-cidr \
  --ipam-pool-id ipam-pool-2abcd1234 \
  --cidr 10.0.0.0/24
```

Wait for the CIDR to be fully provisioned:

```
aws ec2 get-ipam-pool-cidrs --ipam-pool-id ipam-pool-2abcd1234 --query "IpamPoolCidrs[?Cidr=='10.0.0.0/24'].State" --output text
```

The state should be `provisioned` before proceeding.

## Create a VPC using an IPAM pool CIDR
<a name="create-a-vpc-using-an-ipam-pool-cidr"></a>

Finally, create a VPC that uses a CIDR from your IPAM pool. This demonstrates how IPAM can be used to allocate IP address space to AWS resources.

Create a VPC using an IPAM pool CIDR:

```
aws ec2 create-vpc \
  --ipv4-ipam-pool-id ipam-pool-2abcd1234 \
  --ipv4-netmask-length 26 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=IPAM-VPC}]'
```

Replace `ipam-pool-2abcd1234` with your actual development pool ID.

The `--ipv4-netmask-length 26` parameter specifies that you want a /26 CIDR block (64 IP addresses) allocated from the pool. A /26 is a smaller block than the pool's /24 CIDR, so the allocation fits inside the pool.

Verify that your VPC was created:

```
aws ec2 describe-vpcs --filters "Name=tag:Name,Values=IPAM-VPC"
```

## Verify the IPAM pool allocation
<a name="verify-the-ipam-pool-allocation"></a>

Check that the CIDR was allocated from your IPAM pool:

```
aws ec2 get-ipam-pool-allocations \
  --ipam-pool-id ipam-pool-2abcd1234
```

Replace `ipam-pool-2abcd1234` with your actual development pool ID.

This command shows all allocations from the specified IPAM pool, including the VPC you just created.
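The tutorial uses a fixed `sleep 20` and repeated `describe` calls to wait for resources. The following added example (not from the AWS documentation) polls until the resource reports the expected state, with a bounded number of attempts; the resource IDs in the usage comments are the tutorial's placeholders, and the AWS CLI is assumed to be installed and configured.

```shell
#!/bin/sh
# wait_for_state EXPECTED MAX_TRIES INTERVAL CMD...
# Runs CMD repeatedly and compares its stdout with EXPECTED. Returns 0 as soon
# as they match, 1 after MAX_TRIES attempts. CMD should print only the state
# (use --query ... --output text), so a failed call is treated as "error".
wait_for_state() {
  expected="$1"; max_tries="$2"; interval="$3"; shift 3
  i=0
  state=""
  while [ "$i" -lt "$max_tries" ]; do
    state="$("$@" 2>/dev/null)" || state="error"
    if [ "$state" = "$expected" ]; then
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  echo "timed out waiting for state '$expected' (last seen: '$state')" >&2
  return 1
}

# Helpers that print only the state of the resource being watched.
ipam_state() {
  aws ec2 describe-ipams --ipam-ids "$1" \
    --query 'Ipams[0].State' --output text
}

ipam_pool_state() {
  aws ec2 describe-ipam-pools --ipam-pool-ids "$1" \
    --query 'IpamPools[0].State' --output text
}

ipam_pool_cidr_state() {
  aws ec2 get-ipam-pool-cidrs --ipam-pool-id "$1" \
    --query "IpamPoolCidrs[?Cidr=='$2'].State" --output text
}

# Usage with the tutorial's placeholder IDs (poll every 5 s, up to 30 times):
#   wait_for_state create-complete 30 5 ipam_state ipam-0abcd1234
#   wait_for_state create-complete 30 5 ipam_pool_state ipam-pool-0abcd1234
#   wait_for_state provisioned 30 5 ipam_pool_cidr_state ipam-pool-0abcd1234 10.0.0.0/8
```

Because the helper stops as soon as the state matches, it also avoids the "IncorrectState" errors that come from running the next command before the previous resource is ready.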

## Troubleshooting
<a name="troubleshooting"></a>

Here are some common issues you might encounter when working with IPAM:
+ **Permission errors**: Ensure that your IAM user or role has the necessary permissions to create and manage IPAM resources. You may need the `ec2:CreateIpam`, `ec2:CreateIpamPool`, and other related permissions.
+ **Resource limit exceeded**: By default, you can create only one IPAM per account. If you already have an IPAM, you'll need to delete it before creating a new one or use the existing one.
+ **CIDR allocation failures**: When provisioning CIDRs to pools, ensure that the CIDR you're trying to provision doesn't overlap with existing allocations in other pools.
+ **API request timeouts**: If you encounter "RequestExpired" errors, it might be due to network latency or time synchronization issues. Try the command again.
+ **Incorrect state errors**: If you receive "IncorrectState" errors, it might be because you're trying to perform an operation on a resource that's not in the correct state. Wait for the resource to be fully created or provisioned before proceeding.
+ **Allocation size errors**: If you receive "InvalidParameterValue" errors about allocation size, ensure that the netmask length you're requesting is appropriate for the pool size. For example, you can't allocate a /25 CIDR from a /24 pool.
+ **Dependency violations**: When cleaning up resources, you might encounter "DependencyViolation" errors. This is because resources have dependencies on each other. Make sure to delete resources in the reverse order of creation and deprovision CIDRs before deleting pools.
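Two of the failures above (a CIDR that does not sit inside its source pool, and a netmask request that is wider than the pool) can be checked locally before calling `provision-ipam-pool-cidr` or `create-vpc`. The following added example (not from the AWS documentation) does that in plain POSIX sh for the tutorial's hierarchy of 10.0.0.0/8, 10.0.0.0/16 and 10.0.0.0/24; it makes no AWS calls.

```shell
#!/bin/sh
# ip_to_int A.B.C.D -> 32-bit integer (runs in a subshell so IFS is not leaked)
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_contains PARENT CHILD: true when CHILD lies entirely inside PARENT, which is
# what IPAM requires of a CIDR provisioned to a pool from a source pool.
cidr_contains() {
  p_ip=${1%/*}; p_len=${1#*/}
  c_ip=${2%/*}; c_len=${2#*/}
  [ "$c_len" -ge "$p_len" ] || return 1   # a child block cannot be wider than its parent
  p_int=$(ip_to_int "$p_ip"); c_int=$(ip_to_int "$c_ip")
  # Compare only the network bits covered by the parent's prefix length.
  [ $(( p_int >> (32 - p_len) )) -eq $(( c_int >> (32 - p_len) )) ]
}

# check_pool_chain "TOP REGIONAL DEV ...": verifies that each CIDR sits inside the
# one before it, i.e. the chain this tutorial builds (10.0.0.0/8 -> /16 -> /24).
check_pool_chain() {
  parent=""
  for cidr in $1; do
    if [ -n "$parent" ] && ! cidr_contains "$parent" "$cidr"; then
      echo "$cidr is not within its source pool $parent" >&2
      return 1
    fi
    parent=$cidr
  done
  return 0
}

# allocation_count POOL_CIDR NETMASK: how many /NETMASK blocks the pool can hold.
# Prints 0 and fails when the request is wider than the pool, which is the
# InvalidParameterValue case from the troubleshooting list.
allocation_count() {
  p_len=${1#*/}
  if [ "$2" -lt "$p_len" ] || [ "$2" -gt 32 ]; then
    echo 0
    return 1
  fi
  echo $(( 1 << ($2 - p_len) ))
}

# Usage with the tutorial's values:
#   check_pool_chain "10.0.0.0/8 10.0.0.0/16 10.0.0.0/24" && echo "hierarchy ok"
#   allocation_count 10.0.0.0/24 26   # four /26 VPCs (64 addresses each) fit in the dev pool
```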

## Clean up resources
<a name="clean-up-resources"></a>

When you're done with this tutorial, you should clean up the resources you created to avoid incurring unnecessary charges.

1. Delete the VPC:

   ```
   aws ec2 delete-vpc --vpc-id vpc-0abcd1234
   ```

1. Deprovision the CIDR from the development pool:

   ```
   aws ec2 deprovision-ipam-pool-cidr --ipam-pool-id ipam-pool-2abcd1234 --cidr 10.0.0.0/24
   ```

1. Delete the development pool:

   ```
   aws ec2 delete-ipam-pool --ipam-pool-id ipam-pool-2abcd1234
   ```

1. Deprovision the CIDR from the regional pool:

   ```
   aws ec2 deprovision-ipam-pool-cidr --ipam-pool-id ipam-pool-1abcd1234 --cidr 10.0.0.0/16
   ```

1. Delete the regional pool:

   ```
   aws ec2 delete-ipam-pool --ipam-pool-id ipam-pool-1abcd1234
   ```

1. Deprovision the CIDR from the top-level pool:

   ```
   aws ec2 deprovision-ipam-pool-cidr --ipam-pool-id ipam-pool-0abcd1234 --cidr 10.0.0.0/8
   ```

1. Delete the top-level pool:

   ```
   aws ec2 delete-ipam-pool --ipam-pool-id ipam-pool-0abcd1234
   ```

1. Delete the IPAM:

   ```
   aws ec2 delete-ipam --ipam-id ipam-0abcd1234
   ```

Replace all IDs with your actual resource IDs.

**Note**  
You may need to wait between these operations to allow the resources to be fully deleted before proceeding to the next step. If you encounter dependency violations, wait a few seconds and try again.

## Next steps
<a name="next-steps"></a>

Now that you've learned how to create and use IPAM with the AWS CLI, you might want to explore more advanced features:
+ [Plan for IP address provisioning](planning-ipam.md) – Learn how to plan your IP address space effectively
+ [Monitor CIDR usage by resource](monitor-cidr-compliance-ipam.md) – Understand how to monitor IP address usage
+ [Share an IPAM pool using AWS RAM](share-pool-ipam.md) – Learn how to share IPAM pools across AWS accounts
+ [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md) – Discover how to use IPAM across your organization

# Tutorial: Create an IPAM and pools using the console
<a name="tutorials-get-started-console"></a>

In this tutorial, you create an IPAM, integrate with AWS Organizations, create IP address pools, and create a VPC with a CIDR from an IPAM pool.

 This tutorial shows you how you can use IPAM to organize IP address space based on different development needs. Once you’ve completed this tutorial, you’ll have one IP address pool for pre-production resources. You can then create other pools based on your routing and security needs, such as a pool for production resources. 

 While you can use IPAM as a single user, integrating with AWS Organizations enables you to manage IP addresses across accounts in your organization. This tutorial covers integrating IPAM with accounts in an organization. It does not cover how to [Integrate IPAM with accounts outside of your organization](enable-integ-ipam-outside-org.md).

**Note**  
For the purposes of this tutorial, the instructions will tell you to name IPAM resources in a particular way, create IPAM resources in specific Regions, and use specific IP address CIDR ranges for your pools. This is intended to streamline the choices available in IPAM and get you started with IPAM quickly. Once you’ve completed this tutorial, you may decide to create a new IPAM and configure it differently. 

**Topics**
+ [Prerequisites](#prerequisites)
+ [How AWS Organizations integrates with IPAM](#how-aws-organizations-integrates-with-ipam)
+ [Step 1: Delegate an IPAM administrator](#1-delegate-an-ipam-administrator)
+ [Step 2: Create an IPAM](#2-create-an-ipam)
+ [Step 3: Create a top-level IPAM pool](#3-create-a-toplevel-ipam-pool)
+ [Step 4: Create Regional IPAM pools](#4-create-regional-ipam-pools)
+ [Step 5: Create a pre-production development pool](#5-create-a-preproduction-development-pool)
+ [Step 6: Share the IPAM pool](#6-share-the-ipam-pool)
+ [Step 7: Create a VPC with a CIDR allocated from an IPAM pool](#7-create-a-vpc-with-a-cidr-allocated-from-an-ipam-pool)
+ [Step 8: Cleanup](#8-cleanup)

## Prerequisites
<a name="prerequisites"></a>

 Before you begin, you must have set up an AWS Organizations account with at least one member account. For how-to instructions, see [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.

## How AWS Organizations integrates with IPAM
<a name="how-aws-organizations-integrates-with-ipam"></a>

 This section shows an example of the AWS Organizations accounts you use in this tutorial. There are three accounts in your organization that you use when you integrate with IPAM in this tutorial: 
+ The management account (called **example-management-account** in the following image) to log into the IPAM console and delegate an IPAM admin. You cannot use the organization’s management account as your IPAM admin.
+ A member account (called *example-member-account-1* in the following image) as the IPAM admin account. The IPAM admin account is responsible for creating an IPAM and using it to manage and monitor IP address usage across the organization. Any member account in your organization can be delegated as the IPAM admin.
+ A member account (called *example-member-account-2* in the following image) as the developer account. This account creates a VPC with a CIDR allocated from an IPAM pool.

![\[An example of an AWS Organizations org with example management and member accounts.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-10_4.png)


In addition to the accounts, you’ll need the ID of the organizational unit (**ou-fssg-q5brfv9c** in the preceding image) that contains the member account you’ll use as the developer account. You need this ID so that, in a later step, when you share your IPAM pool, you can share it with this OU.

**Note**  
 For more information about AWS Organizations account types like *management* and *member* accounts, see [AWS Organizations terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html).

## Step 1: Delegate an IPAM administrator
<a name="1-delegate-an-ipam-administrator"></a>

 In this step, you’ll delegate an AWS Organizations member account as the IPAM admin. When you delegate an IPAM admin, [a service-linked role](iam-ipam-slr.md) is automatically created in each of your AWS Organizations member accounts. IPAM monitors the IP address usage in these accounts by assuming the service-linked role in each member account. It can then discover the resources and their CIDRs regardless of their Organizational Unit. 

 You cannot complete this step unless you have the required AWS Identity and Access Management (IAM) permissions. For more information, see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).

**To delegate an IPAM admin account**

1. Using the AWS Organizations management account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the AWS Management Console, choose the AWS Region in which you want to work with IPAM.

1. In the navigation pane, choose **Organization settings**.

1. Choose **Delegate**. The **Delegate** option is available only if you logged in to the console as the AWS Organizations management account.

1. Enter the AWS account ID for an organization member account. The IPAM administrator must be an AWS Organizations member account, not the management account.  
![\[The edit settings option in the IPAM console where you delegate an IPAM administrator.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-_U_2bIBCUfjFZXB4le6FUg.png)

1. Choose **Save changes**. The **Delegated administrator** information is populated with details related to the member account.

## Step 2: Create an IPAM
<a name="2-create-an-ipam"></a>

 In this step you’ll create an IPAM. When you create an IPAM, IPAM automatically creates two scopes for the IPAM: the private scope that’s intended for all private space, and the public scope that’s intended for all public space. The scopes, together with pools and allocations, are key components of your IPAM. For more information, see [How IPAM works](how-it-works-ipam.md). 

**To create an IPAM**

1. Using the AWS Organizations member account delegated as the IPAM admin in [the previous step](#1-delegate-an-ipam-administrator), open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the AWS Management Console, choose the AWS Region in which you want to create the IPAM. Create the IPAM in your main Region of operations. 

1. On the service home page, choose **Create IPAM**.

1. Select **Allow Amazon VPC IP Address Manager to replicate data from source account(s) into the IPAM delegate account**. If you do not select this option, you cannot create an IPAM.  
![\[Create an IPAM page in the IPAM console that includes a description of the Allow Amazon VPC IP Address Manager to replicate data from source account(s) into the IPAM delegate account checkbox.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-HxHJCv2B3DfNcq--wo_gGg.png)

1. Under **Operating Regions**, choose the AWS Regions in which this IPAM can manage and discover resources. The AWS Region in which you are creating your IPAM is automatically selected as one of the operating Regions. In this tutorial, the home Region of our IPAM is us-east-1, so we’ll choose us-west-1 and us-west-2 as additional operating Regions. If you forget an operating Region, you can edit your IPAM settings later and add or remove Regions.  
![\[IPAM settings section in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-D85nBxGA1n7iyDVmB7HOCw.png)

1. Choose **Create IPAM**.   
![\[The result page in the IPAM console after you successfully create an IPAM.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-FUAVxduwVP5FBYU2GLnlkQ.png)

## Step 3: Create a top-level IPAM pool
<a name="3-create-a-toplevel-ipam-pool"></a>

 In this tutorial, you create a hierarchy of pools starting with the top-level IPAM pool. In the subsequent steps, you’ll create a pair of Regional pools and a pre-production development pool in one of the regional pools. 

 For more information about pool hierarchies that you can build with IPAM, see [Example IPAM pool plans](planning-examples-ipam.md).

**To create a top-level pool**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope.   
![\[Choosing the private scope in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-2QXpOvOj0i1rotyKoLjeMQ_update.png)

1. Choose **Create pool**.

1. Under **IPAM scope**, leave the private scope selected.

1. (Optional) Add a **Name tag** for the pool and a description for the pool, such as “Global pool”.

1. Under **Source**, choose **IPAM scope**. Because this is our top level pool, it will not have a source pool.

1. Under **Address family**, choose **IPv4**.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. For the **Locale**, choose **None**. Locales are the AWS Regions where you want this IPAM pool to be available for allocations. You’ll set the locale for the Regional pools that you create in the next section of this tutorial.  
![\[Creating a pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-daejldSm0ArWYGkedgKekQ.png)

1. Choose a CIDR to provision for the pool. In this example, we provision 10.0.0.0/16.  
![\[Defining which CIDRs to provision for a pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-inrC8QzrnWgW6nmdPkk1rw.png)

1. Leave **Configure this pool’s allocation rule settings** disabled. This is our top-level pool, and you will not be allocating CIDRs to VPCs directly from this pool. Instead, you will allocate them from a sub-pool that you create from this pool.  
![\[Choosing allocation rule settings for a pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-8j4A_Tr5hG95xWIFfi1wkw.png)

1. Choose **Create pool**. The pool is created and the CIDR is in a **Pending-provision** state:  
![\[Pending provision message in the IPAM console after you create a pool.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-2_1.png)

1. Wait for the state to be **Provisioned** before you go to the next step.  
![\[Provisioned message in the IPAM console after you successfully create a pool.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-3_1.png)

Now that you have created your top-level pool, you’ll create Regional pools in us-west-1 and us-west-2.

## Step 4: Create Regional IPAM pools
<a name="4-create-regional-ipam-pools"></a>

 This section shows you how to organize your IP addresses using two Regional pools. In this tutorial, we’re following one of [the example IPAM pool plans](planning-examples-ipam.md) and creating two Regional pools which can be used by the member accounts in your organization for allocating CIDRs to their VPCs.

**To create a Regional pool**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope.  
![\[Choosing the private scope in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-Jb3iudGe4fGJDkVVMqnCpA_update.png)

1. Choose **Create pool**.

1. Under **IPAM scope**, leave the private scope selected.

1. (Optional) Add a **Name tag** for the pool and a description for the pool, such as **Regional pool us-west-1**.  
![\[Adding a name for a pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-U9TfeMAvqPNqdM3o18oNCA.png)

1. Under **Source**, select **IPAM pool** and select the top-level pool (“Global pool”) that you created in [Step 3: Create a top-level IPAM pool](#3-create-a-toplevel-ipam-pool). Then, under **Locale**, choose **us-west-1**.  
![\[Choosing a source pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-Qg017oruyE3w2MEkQXr1EQ.png)

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Under **CIDRs to provision**, enter 10.0.0.0/18, which will give this pool around 16,000 available IP addresses.  
![\[Choosing CIDRs to provision for the pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-os9vwNonWgaIGDkbq3Pjbg.png)

1. Leave **Configure this pool’s allocation rule settings** disabled. You will not be allocating CIDRs to VPCs directly from this pool. Instead, you will allocate them from a sub-pool that you create from this pool.  
![\[The Configure this pool’s allocation rule settings toggle in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-8j4A_Tr5hG95xWIFfi1wkw.png)

1. Choose **Create pool**. 

1. Return to the **Pools** view to see the hierarchy of IPAM pools that you’ve created.  
![\[Pools view with two pools in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-Ki7fsgUEn6miZE5Hg2TmrA_update.png)

1. Repeat the steps in this section and create a second Regional pool in the **us-west-2** locale with the CIDR **10.0.64.0/18** provisioned to it. When you complete that process, you’ll have three pools in a hierarchy similar to this one:  
![\[Pools view with three pools in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-5_update.png)

## Step 5: Create a pre-production development pool
<a name="5-create-a-preproduction-development-pool"></a>

 Follow the steps in this section to create a development pool for pre-production resources within one of your Regional pools. 

**To create a pre-production development pool**

1. In the same way that you did in the previous section, using the IPAM admin account, create a pool called **Pre-prod pool**, but this time use **Regional pool us-west-1** as the source pool.  
![\[Creating a pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-BxJv7N7ierzIQDRiC4_R0Q.png)

1. Specify a CIDR of 10.0.0.0/20 to provision, which will give this pool around 4,000 IP addresses.  
![\[Choosing CIDRs for a pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-jn0QtJsRo5iF5R5oHp7Sqw.png)

1. Toggle the option for **Configure this pool's allocation rule settings**. Do the following:

   1. Under **CIDR management**, for **Automatically import discovered resources**, leave the default **Don't allow** option selected. This option would enable IPAM to automatically import resource CIDRs it discovers in the pool's locale. A detailed description of this option is outside the scope of this tutorial, but you can read more about the option in [Create a top-level IPv4 pool](create-top-ipam.md).

   1. Under **Netmask compliancy**, choose **/24** for the minimum, default, and maximum netmask length. A detailed description of this option is outside the scope of this tutorial, but you can read more about the option in [Create a top-level IPv4 pool](create-top-ipam.md). What’s important to note is that the VPC that you create later with a CIDR from this pool will be limited to /24 based on what we set here.

   1. Under **Tag compliance**, enter **environment/pre-prod**. This tag will be required for VPCs to allocate space from the pool. We will demonstrate later how this works.  
![\[View of all pool settings when creating a pool in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-D2Yr4efRG3X7MeME2urYJA.png)

1. Choose **Create pool**.

1. The pool hierarchy now includes an additional subpool under **Regional pool us-west-1**:  
![\[Pool view with four pools in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-DrNlvRjI9cFmNfq7Xa4x0w_update.png)

 Now you’re ready to share the IPAM pool with another member account in your organization and enable that account to allocate a CIDR from the pool to create a VPC. 
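The allocation rules set in Step 5 are what later limit the developer account's VPC to a /24 and require the environment/pre-prod tag. The following added example (not from the AWS documentation) models those rules locally so a planned VPC request can be checked before it is submitted; the `key=value` tag form and the rule arguments are this example's own representation, not an AWS CLI syntax.

```shell
#!/bin/sh
# allocation_complies MIN DEFAULT MAX REQUIRED_TAG NETMASK TAG...
#   MIN/DEFAULT/MAX  netmask-length rules of the pool (24 24 24 for the pre-prod pool)
#   REQUIRED_TAG     key=value the VPC must carry (environment=pre-prod), "" for none
#   NETMASK          requested netmask length, or "" to take the pool's default
#   TAG...           key=value tags on the planned VPC request
# Prints the effective netmask and returns 0 when the request complies; otherwise
# prints the reason to stderr and returns 1.
allocation_complies() {
  min=$1; default=$2; max=$3; required=$4; netmask=$5; shift 5
  # An omitted netmask takes the pool's default allocation netmask.
  if [ -z "$netmask" ]; then
    netmask=$default
  fi
  if [ "$netmask" -lt "$min" ] || [ "$netmask" -gt "$max" ]; then
    echo "netmask /$netmask is outside the pool's allowed range /$min to /$max" >&2
    return 1
  fi
  if [ -n "$required" ]; then
    found=0
    for tag in "$@"; do
      if [ "$tag" = "$required" ]; then
        found=1
      fi
    done
    if [ "$found" -eq 0 ]; then
      echo "required tag $required is missing from the request" >&2
      return 1
    fi
  fi
  echo "$netmask"
  return 0
}

# Usage with the pre-prod pool's rules from Step 5:
#   allocation_complies 24 24 24 environment=pre-prod 24 environment=pre-prod Name=app-vpc
#   allocation_complies 24 24 24 environment=pre-prod 26 environment=pre-prod   # rejected: /26
#   allocation_complies 24 24 24 environment=pre-prod 24 Name=app-vpc           # rejected: no tag
```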

## Step 6: Share the IPAM pool
<a name="6-share-the-ipam-pool"></a>

 Follow the steps in this section to share the pre-production IPAM pool using AWS Resource Access Manager (RAM). 

 This section consists of two subsections: 
+ [Step 6.1. Enable resource sharing in AWS RAM](#61-enable-resource-sharing-in-aws-ram): This step must be done by the AWS Organizations management account.
+ [Step 6.2. Share an IPAM pool using AWS RAM](#62-share-an-ipam-pool-using-aws-ram): This step must be done by the IPAM admin.

### Step 6.1. Enable resource sharing in AWS RAM
<a name="61-enable-resource-sharing-in-aws-ram"></a>

 After you create your IPAM, you’ll want to share IP address pools with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. 

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.  
![\[Enabling organization sharing in the AWS RAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-Jv8YJhg2J82EFdJrgsXA5w.png)

 You can now share an IPAM pool with other members of the organization. 

### Step 6.2. Share an IPAM pool using AWS RAM
<a name="62-share-an-ipam-pool-using-aws-ram"></a>

 In this section you’ll share the pre-production development pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope, choose the pre-production IPAM pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens. You'll share the pool using AWS RAM.

1. Choose **Create a resource share**.  
![\[Creating a resource share in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-6_1.png)

   The AWS RAM console opens.

1. In the AWS RAM console, choose **Create a resource share** again.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools**, and then choose the ARN of the pre-production development pool.  
![\[Creating a resource share in the AWS RAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-El4fIIE4FoenE75KV43GtQ.png)

1. Choose **Next**.

1. Leave the default **AWSRAMDefaultPermissionsIpamPool** permission selected. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).  
![\[Associating permissions on a resource share in the AWS RAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-lNweqIyKpC9LFvxpwrkmiw.png)

1. Choose **Next**.

1. Under **Principals**, choose **Allow sharing only within your organization**. Enter your AWS Organizations organizational unit ID (as mentioned in [How AWS Organizations integrates with IPAM](#how-aws-organizations-integrates-with-ipam)), and then choose **Add**.  
![\[Granting access to a resource share in the AWS RAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-dvLWZpvLDwh-grXeuUwPFQ.png)

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

Now that the pool has been shared, go to the next step to create a VPC with a CIDR allocated from an IPAM pool.

## Step 7: Create a VPC with a CIDR allocated from an IPAM pool
<a name="7-create-a-vpc-with-a-cidr-allocated-from-an-ipam-pool"></a>

 Follow the steps in this section to create a VPC with a CIDR allocated from the pre-production pool. This step should be completed by the member account in the OU that the IPAM pool was shared with in the previous section (called **example-member-account-2** in [How AWS Organizations integrates with IPAM](#how-aws-organizations-integrates-with-ipam)). For more information about the IAM permissions that are required to create VPCs, see [Amazon VPC policy examples](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html) in the *Amazon VPC User Guide*.

**To create a VPC with a CIDR allocated from an IPAM pool**

1. Using the member account that you'll use as the developer account, open the VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Choose **Create VPC**.

1. Do the following:

   1. Enter a name, such as **Example VPC.**

   1. Choose **IPAM-allocated IPv4 CIDR block.**

   1. Under **IPv4 IPAM pool**, choose the ID of the pre-production pool.

   1. Choose a **Netmask** length. Because you limited the available netmask length for this pool to /24 (in [Step 5: Create a pre-production development pool](#5-create-a-preproduction-development-pool)), the only netmask option available is /24.  
![\[Creating a VPC in the Amazon VPC console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-jP9gQ6vF0cRtH2b-7CGNAA.png)

1. For demonstration purposes, under **Tags**, don't add any tags yet. When you created the pre-prod pool (in [Step 5: Create a pre-production development pool](#5-create-a-preproduction-development-pool)), you added an allocation rule that requires any VPC created with a CIDR from this pool to carry an environment/pre-prod tag. Leave the tag off for now so that you can see the rule enforced.

1. Choose **Create VPC**.

1. An error appears telling you that a required tag was not added, and the VPC is not created. The allocation rule that you set on the pre-prod pool (in [Step 5: Create a pre-production development pool](#5-create-a-preproduction-development-pool)) requires the environment/pre-prod tag on any VPC that takes a CIDR from this pool, and IPAM rejects the request rather than allowing a noncompliant allocation.  
![\[Creating a VPC error in the Amazon VPC console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-wxP7WfFbl-2ThufLus_Usw.png)

1. Now, under **Tags**, add the tag **environment/pre-prod** and choose **Create VPC** again.  
![\[Adding tags to a VPC in the Amazon VPC console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-w8R8_7bmW-Bp-CPSImwmEA.png)

1. The VPC is created successfully, and the VPC complies with the tag rule on the pre-production pool:  
![\[Successfully creating a VPC in the Amazon VPC console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-D3roKYnuSRCdzlFfGT7-pg.png)

In the **Resources** pane of the IPAM console, the IPAM admin will be able to see and manage the VPC and its allocated CIDR. Note that it takes some time for the VPC to appear in the **Resources** pane.
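The tag rule you just saw enforced is one of a pool's allocation rules; the others are the minimum, maximum and default netmask lengths, and all of them are stored on the pool and returned by `describe-ipam-pools`. The following Python is an added example, not part of the AWS documentation or the IPAM service: it models those rules offline so that a VPC request can be checked before it ever reaches `create-vpc` (for example in a CI job that provisions VPCs). The pool dict is constructed to mirror the relevant fields of `describe-ipam-pools` output; its locale is an assumption, since this tutorial doesn't state one, and the requests in the usage block are made up.

```python
# Added example, not AWS code: offline model of IPAM pool allocation rules.
# PRE_PROD_POOL mirrors the fields describe-ipam-pools returns for a pool;
# the values reflect the pre-prod pool built in this tutorial (/24 only, required
# environment/pre-prod tag). The locale is assumed.
import ipaddress

PRE_PROD_POOL = {
    "Locale": "us-west-2",                 # assumed; the tutorial doesn't state the pool's locale
    "AddressFamily": "ipv4",
    "AllocationMinNetmaskLength": 24,      # /24 only, as configured in Step 5
    "AllocationMaxNetmaskLength": 24,
    "AllocationDefaultNetmaskLength": 24,
    "AllocationResourceTags": [{"Key": "environment", "Value": "pre-prod"}],
}


def evaluate_request(pool, region, tags, cidr=None, netmask_length=None):
    """Return the allocation-rule violations for a VPC request (empty list = allowed).

    The request is either an explicit CIDR (create-vpc --cidr-block) or only a
    netmask length (create-vpc --ipv4-netmask-length); with neither, the pool's
    AllocationDefaultNetmaskLength applies, as it does in IPAM. `tags` is the
    dict of tags the VPC will be created with."""
    violations = []
    if pool["Locale"] != region:
        violations.append(f"pool locale {pool['Locale']} does not match VPC Region {region}")
    if cidr is not None:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits set is an error
        except ValueError as exc:
            return violations + [f"invalid CIDR {cidr}: {exc}"]
        if net.version != (4 if pool["AddressFamily"] == "ipv4" else 6):
            violations.append(f"{cidr} is not an {pool['AddressFamily']} CIDR")
        prefixlen = net.prefixlen
    else:
        prefixlen = netmask_length if netmask_length is not None else pool["AllocationDefaultNetmaskLength"]
    lo, hi = pool["AllocationMinNetmaskLength"], pool["AllocationMaxNetmaskLength"]
    if not lo <= prefixlen <= hi:
        violations.append(f"netmask /{prefixlen} is outside the allowed range /{lo} to /{hi}")
    for rule in pool["AllocationResourceTags"]:
        # a required tag must be present with exactly the configured value
        if tags.get(rule["Key"]) != rule["Value"]:
            violations.append(f"required tag {rule['Key']}={rule['Value']} is missing or has a different value")
    return violations


if __name__ == "__main__":
    # constructed requests: the untagged one reproduces the error shown in Step 7
    print(evaluate_request(PRE_PROD_POOL, "us-west-2", {}, cidr="10.0.0.0/24"))
    print(evaluate_request(PRE_PROD_POOL, "us-west-2", {"environment": "pre-prod"}, cidr="10.0.0.0/24"))
    print(evaluate_request(PRE_PROD_POOL, "us-east-1", {"environment": "pre-prod"}, netmask_length=25))
```

The check is deliberately a pre-flight: IPAM still evaluates the same rules at allocation time, so this code is a way to fail fast in automation, not a replacement for the service-side enforcement.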

## Step 8: Cleanup
<a name="8-cleanup"></a>

 In this tutorial, you created an IPAM with a delegated admin, created multiple pools, and enabled a member account in your organization to allocate a VPC CIDR from a pool. 

 Follow the steps in this section to clean up the resources that you created in this tutorial. 

**To clean up the resources created in this tutorial**

1. Using the member account that created the example VPC, delete the VPC. For detailed instructions, see [Delete your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/delete-vpc.html) in the *Amazon Virtual Private Cloud User Guide*.

1. Using the IPAM admin account, delete the example resource share in the AWS RAM console. For detailed instructions, see [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) in the *AWS Resource Access Manager User Guide*.

1. Using the AWS Organizations management account (the account that enabled sharing in [Step 6.1. Enable resource sharing in AWS RAM](#61-enable-resource-sharing-in-aws-ram)), open the AWS RAM console and disable sharing with AWS Organizations.

1. Using the IPAM admin account, delete the example IPAM by selecting the IPAM in the IPAM console and then choosing **Actions** > **Delete**. For detailed instructions, see [Delete an IPAM](delete-ipam.md).

1. When you’re prompted to delete the IPAM, choose **Cascade delete**. This will delete all scopes and pools within the IPAM before deleting the IPAM.  
![\[Deleting an IPAM in the IPAM console.\]](http://docs.aws.amazon.com/vpc/latest/ipam/images/tutorials-get-started-console-wzlnq9726bqxf3M_F71QUQ.png)

1. Enter **delete** and then choose **Delete**.

1. Using the AWS Organizations management account, log into the IPAM console, choose **Settings**, and remove the delegated administrator account.

1. (Optional) When you integrate IPAM with AWS Organizations, [IPAM automatically creates a service-linked role in each member account](iam-ipam-slr.md). Using each AWS Organizations member account, sign in to IAM and delete the **AWSServiceRoleForIPAM** service-linked role.

1. Cleanup is complete.

# Tutorial: Create an IPAM and pools using the AWS CLI
<a name="tutorials-create-vpc-ipam"></a>

Follow the steps in this tutorial to use the AWS CLI to create an IPAM, create IP address pools, and allocate a VPC with a CIDR from an IPAM pool.

The following is an example hierarchy of the pool structure that you will create by following the steps in this section:
+ IPAM operating in AWS Region 1, AWS Region 2
  + Private scope
    + Top-level pool
      + Regional pool in AWS Region 2
        + Development pool
          + Allocation for a VPC

**Note**  
In this section, you'll create an IPAM. By default, you can only create one IPAM. For more information, see [Quotas for your IPAM](quotas-ipam.md). If you have already delegated an IPAM account and created an IPAM, you can skip steps 1 and 2.

**Topics**
+ [Step 1: Enable IPAM in your organization](#cli-tut-enable-org-ipam)
+ [Step 2: Create an IPAM](#cli-tut-create-ipam)
+ [Step 3: Create an IPv4 address pool](#cli-tut-create-top-ipam)
+ [Step 4: Provision a CIDR to the top-level pool](#cli-tut-provision-cidr-ipam)
+ [Step 5. Create a Regional pool with CIDR sourced from the top-level pool](#cli-tut-create-reg-ipam)
+ [Step 6: Provision a CIDR to the Regional pool](#cli-tut-assign-cidr-reg-pool)
+ [Step 7. Create a RAM share for enabling IP assignments across accounts](#cli-tut-create-ram-share-ipam)
+ [Step 8. Create a VPC](#cli-tut-create-vpc-ipam)
+ [Step 9. Cleanup](#cli-tut-cleanup-ipam)

## Step 1: Enable IPAM in your organization
<a name="cli-tut-enable-org-ipam"></a>

This step is optional. Complete it to enable IPAM in your organization and to register your delegated IPAM account using the AWS CLI. For more information about the role of the IPAM account, see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).

This request must be made from an AWS Organizations management account. When you run the following command, ensure that you’re using a role with an IAM policy that permits the following actions:
+ `ec2:EnableIpamOrganizationAdminAccount`
+ `organizations:EnableAwsServiceAccess`
+ `organizations:RegisterDelegatedAdministrator`
+ `iam:CreateServiceLinkedRole`

```
aws ec2 enable-ipam-organization-admin-account --region us-east-1 --delegated-admin-account-id 111111111111
```

You should see the following output, indicating that enabling was successful. 

```
{
    "Success": true
}
```

## Step 2: Create an IPAM
<a name="cli-tut-create-ipam"></a>

Follow the steps in this section to create an IPAM and view additional information about the scopes that are created. You will use this IPAM when you create pools and provision IP address ranges for those pools in later steps. 

**Note**  
The operating Regions option determines which AWS Regions the IPAM pools can be used for. For more information about operating Regions, see [Create an IPAM](create-ipam.md). 

**To create an IPAM using the AWS CLI**

1. Run the following command to create the IPAM instance.

   ```
   aws ec2 create-ipam --description my-ipam --region us-east-1 --operating-regions RegionName=us-west-2
   ```

   When you create an IPAM, AWS automatically does the following:
   + Returns a globally unique resource ID (`IpamId`) for the IPAM.
   + Creates a default public scope (`PublicDefaultScopeId`) and a default private scope (`PrivateDefaultScopeId`).

   ```
   {                                                                                      
       "Ipam": {
           "OwnerId": "123456789012",
           "IpamId": "ipam-0de83dba6694560a9",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9",
           "PublicDefaultScopeId": "ipam-scope-02a24107598e982c5",
           "PrivateDefaultScopeId": "ipam-scope-065e7dfe880df679c",
           "ScopeCount": 2,
           "Description": "my-ipam",
           "OperatingRegions": [
               {
                   "RegionName": "us-west-2"
               },
               {
                   "RegionName": "us-east-1"
               }
           ],
           "Tags": []
       }
   }
   ```

1. Run the following command to view additional information related to the scopes. The public scope is intended for IP addresses that are going to be accessed through the public internet. The private scope is intended for IP addresses that are not going to be accessed through the public internet.

   ```
   aws ec2 describe-ipam-scopes --region us-east-1
   ```

   In the output, you see the available scopes. You'll use the private scope ID in the next step.

   ```
   {
       "IpamScopes": [
           {
               "OwnerId": "123456789012",
               "IpamScopeId": "ipam-scope-02a24107598e982c5",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-02a24107598e982c5",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9",
               "IpamScopeType": "public",
               "IsDefault": true,
               "PoolCount": 0
           },
           {
               "OwnerId": "123456789012",
               "IpamScopeId": "ipam-scope-065e7dfe880df679c",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9",
               "IpamScopeType": "private",
               "IsDefault": true,
               "PoolCount": 0
           }
       ]
   }
   ```

## Step 3: Create an IPv4 address pool
<a name="cli-tut-create-top-ipam"></a>

Follow the steps in this section to create an IPv4 address pool.

**Important**  
You won't use the `--locale` option on this top-level pool. You will set the locale option later on the Regional pool. The locale is the AWS Region where you want a pool to be available for CIDR allocations. As a result of not setting the locale on the top-level pool, the locale will default to `None`. If a pool has a locale of `None`, the pool won't be available to VPC resources in any AWS Region. You can only manually allocate IP address space in the pool to reserve space.

**To create an IPv4 address pool for all of your AWS resources using the AWS CLI**

1. Run the following command to create an IPv4 address pool. Use the ID of the private scope of the IPAM that you created in the previous step.

   ```
   aws ec2 create-ipam-pool --ipam-scope-id ipam-scope-065e7dfe880df679c --description "top-level-pool" --address-family ipv4
   ```

   In the output, you'll see a state of `create-in-progress` for the pool.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0008f25d7187a08d9",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0008f25d7187a08d9",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",
           "IpamScopeType": "private",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9",
           "Locale": "None",
           "PoolDepth": 1,
           "State": "create-in-progress",
           "Description": "top-level-pool",
           "AutoImport": false,
           "AddressFamily": "ipv4",
           "Tags": []
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools
   ```

   The following example output shows the correct state.

   ```
   {
       "IpamPools": [
           {
               "OwnerId": "123456789012",
               "IpamPoolId": "ipam-pool-0008f25d7187a08d9",
               "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0008f25d7187a08d9",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",
               "IpamScopeType": "private",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9",
               "Locale": "None",
               "PoolDepth": 1,
               "State": "create-complete",
               "Description": "top-level-pool",
               "AutoImport": false,
               "AddressFamily": "ipv4"
           }
       ]
   }
   ```

## Step 4: Provision a CIDR to the top-level pool
<a name="cli-tut-provision-cidr-ipam"></a>

Follow the steps in this section to provision a CIDR to the top-level pool, and then verify that the CIDR is provisioned. For more information, see [Provision CIDRs to a pool](prov-cidr-ipam.md).

**To provision a CIDR block to the pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0008f25d7187a08d9 --cidr 10.0.0.0/8
   ```

   In the output, you can verify the state of the provisioning.

   ```
   {
       "IpamPoolCidr": {                     
           "Cidr": "10.0.0.0/8",        
           "State": "pending-provision"      
       }                                     
   }
   ```

1. Run the following command until you see a state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0008f25d7187a08d9
   ```

   The following example output shows the correct state.

   ```
   {
       "IpamPoolCidrs": [                     
           {                                  
               "Cidr": "10.0.0.0/8",     
               "State": "provisioned"         
           }                                  
       ]                                      
   }
   ```

## Step 5. Create a Regional pool with CIDR sourced from the top-level pool
<a name="cli-tut-create-reg-ipam"></a>

A pool created without the `--locale` option has a locale of `None` (as the top-level pool from Step 3 does) and can't be used for VPC allocations in any Region. When you create a VPC, the pool that the VPC draws from must have a locale that matches the VPC's Region. Use the `--locale` option when you create a pool to make it available to services in a Region, including a Region other than the IPAM home Region. Follow the steps in this section to create a Regional pool with the locale `us-west-2`.

**To create a pool with a CIDR sourced from the previous pool using the AWS CLI**

1. Run the following command to create the Regional pool, with its address space sourced from the top-level pool. You provision a specific CIDR from that space in the next step.

   ```
   aws ec2 create-ipam-pool --description "regional--pool" --region us-east-1 --ipam-scope-id ipam-scope-065e7dfe880df679c --source-ipam-pool-id ipam-pool-0008f25d7187a08d9 --locale us-west-2 --address-family ipv4
   ```

   In the output, you'll see the ID of the pool that you created. You'll need this ID in the next step.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0da89c821626f1e4b",
           "SourceIpamPoolId": "ipam-pool-0008f25d7187a08d9",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0da89c821626f1e4b",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",
           "IpamScopeType": "private",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9",
           "Locale": "us-west-2",
           "PoolDepth": 2,
           "State": "create-in-progress",
           "Description": "regional--pool",
           "AutoImport": false,
           "AddressFamily": "ipv4",
           "Tags": []
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools
   ```

   In the output, you see the pools that you have in your IPAM. In this tutorial, we created a top-level and a Regional pool, so you'll see them both.

   ```
   {
       "IpamPools": [
           {
               "OwnerId": "123456789012",
               "IpamPoolId": "ipam-pool-0008f25d7187a08d9",
               "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0008f25d7187a08d9",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",
               "IpamScopeType": "private",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9",
               "Locale": "None",
               "PoolDepth": 1,
               "State": "create-complete",
               "Description": "top-level-pool",
               "AutoImport": false,
               "AddressFamily": "ipv4"
           },
           {
               "OwnerId": "123456789012",
               "IpamPoolId": "ipam-pool-0da89c821626f1e4b",
               "SourceIpamPoolId": "ipam-pool-0008f25d7187a08d9",
               "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0da89c821626f1e4b",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",
               "IpamScopeType": "private",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9",
               "Locale": "us-west-2",
               "PoolDepth": 2,
               "State": "create-complete",
               "Description": "regional--pool",
               "AutoImport": false,
               "AddressFamily": "ipv4"
           }
       ]
   }
   ```

## Step 6: Provision a CIDR to the Regional pool
<a name="cli-tut-assign-cidr-reg-pool"></a>

Follow the steps in this section to assign a CIDR block to the pool, and validate that it’s been successfully provisioned.

**To assign a CIDR block to the Regional pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0da89c821626f1e4b --cidr 10.0.0.0/16
   ```

   In the output, you see the state of the pool.

   ```
   {
       "IpamPoolCidr": {                     
           "Cidr": "10.0.0.0/16",       
           "State": "pending-provision"      
       }                                     
   }
   ```

1. Run the following command until you see the state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0da89c821626f1e4b
   ```

   The following example output shows the correct state.

   ```
   {
       "IpamPoolCidrs": [                     
           {                                  
               "Cidr": "10.0.0.0/16",     
               "State": "provisioned"         
           }                                  
       ]                                      
   }
   ```

1. Run the following command to query the top-level pool to view the allocations. The Regional pool is considered an allocation within the top-level pool.

   ```
   aws ec2 get-ipam-pool-allocations --region us-east-1 --ipam-pool-id ipam-pool-0008f25d7187a08d9
   ```

   In the output, you see the Regional pool as an allocation in the top-level pool.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "10.0.0.0/16",
               "IpamPoolAllocationId": "ipam-pool-alloc-fbd525f6c2bf4e77a75690fc2d93479a",
               "ResourceId": "ipam-pool-0da89c821626f1e4b",
               "ResourceType": "ipam-pool",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```
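The allocation listing above is the data you need to verify the hierarchy from the outside: the Regional pool's CIDR must sit inside the top-level pool, the top-level pool must record it as an allocation, and the Regional pool's own allocations must not overlap one another. The following Python is an added example, not AWS code: it reproduces those checks offline and also computes which /24 blocks are still free in the Regional pool, which is what you'd want to know before handing out more VPC CIDRs. The two pool dicts are constructed from the IDs and CIDRs used in this tutorial, in the shape of the `get-ipam-pool-cidrs` and `get-ipam-pool-allocations` output; the VPC allocation in the Regional pool stands in for one like the VPC created in Step 8.

```python
# Added example: offline checks over the pool hierarchy built in Steps 3 to 6.
# Not AWS code. The two dicts are constructed from the IDs and CIDRs used in
# this tutorial, in the shape of get-ipam-pool-cidrs / get-ipam-pool-allocations
# output; the VPC allocation in the Regional pool stands in for the one Step 8 makes.
import ipaddress

TOP_LEVEL_POOL = {
    "IpamPoolId": "ipam-pool-0008f25d7187a08d9",
    "Cidrs": ["10.0.0.0/8"],
    "Allocations": [
        {"Cidr": "10.0.0.0/16", "ResourceId": "ipam-pool-0da89c821626f1e4b",
         "ResourceType": "ipam-pool"},
    ],
}
REGIONAL_POOL = {
    "IpamPoolId": "ipam-pool-0da89c821626f1e4b",
    "SourceIpamPoolId": "ipam-pool-0008f25d7187a08d9",
    "Cidrs": ["10.0.0.0/16"],
    "Allocations": [
        {"Cidr": "10.0.0.0/24", "ResourceId": "vpc-0983f3c454f3d8be5",
         "ResourceType": "vpc"},
    ],
}


def _nets(cidrs):
    # strict=True rejects CIDRs with host bits set, which IPAM would also reject
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check_hierarchy(parent, child):
    """Return the problems with child-in-parent containment (empty list = consistent).

    Every CIDR provisioned to the child must lie inside a CIDR of the parent, and
    the parent must carry an allocation for the child covering exactly that CIDR
    (IPAM records one automatically for pools created with --source-ipam-pool-id;
    the check exists to catch drift, such as a CIDR provisioned from outside)."""
    problems = []
    parent_nets = _nets(parent["Cidrs"])
    recorded = {(a["ResourceId"], a["Cidr"]) for a in parent["Allocations"]
                if a["ResourceType"] == "ipam-pool"}
    for net in _nets(child["Cidrs"]):
        if not any(net.subnet_of(p) for p in parent_nets):
            problems.append(f"{net} is not inside any CIDR of {parent['IpamPoolId']}")
        if (child["IpamPoolId"], str(net)) not in recorded:
            problems.append(f"{net} has no matching allocation in {parent['IpamPoolId']}")
    return problems


def check_no_overlap(pool):
    """Return (resource_a, resource_b) pairs whose allocations in the pool overlap."""
    allocs = [(a["ResourceId"], ipaddress.ip_network(a["Cidr"])) for a in pool["Allocations"]]
    clashes = []
    for i, (rid_a, net_a) in enumerate(allocs):
        for rid_b, net_b in allocs[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((rid_a, rid_b))
    return clashes


def free_blocks(pool, prefixlen):
    """Unallocated blocks of the given prefix length, in address order."""
    taken = [ipaddress.ip_network(a["Cidr"]) for a in pool["Allocations"]]
    free = []
    for net in _nets(pool["Cidrs"]):
        if prefixlen < net.prefixlen:
            continue  # a block larger than the provisioned CIDR can't come from it
        for candidate in net.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(t) for t in taken):
                free.append(candidate)
    return free


def next_free(pool, prefixlen):
    """The lowest free block of the given prefix length, or None when the pool is full."""
    blocks = free_blocks(pool, prefixlen)
    return str(blocks[0]) if blocks else None


if __name__ == "__main__":
    print("hierarchy problems:", check_hierarchy(TOP_LEVEL_POOL, REGIONAL_POOL))
    print("overlaps:", check_no_overlap(REGIONAL_POOL))
    print("next free /24:", next_free(REGIONAL_POOL, 24),
          "of", len(free_blocks(REGIONAL_POOL, 24)), "remaining")
```

To run this against a live IPAM, replace the two dicts with the `Cidrs` and `Allocations` you read from `get-ipam-pool-cidrs` and `get-ipam-pool-allocations` for each pool; the checks themselves don't change. Note that `free_blocks` enumerates every candidate block, which is fine for a /16 but is worth narrowing (for example to one provisioned CIDR) before running it over an entire /8 at /24 granularity.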

## Step 7. Create a RAM share for enabling IP assignments across accounts
<a name="cli-tut-create-ram-share-ipam"></a>

This step is optional. You can complete this step only if you completed [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).

When you create an IPAM pool AWS RAM share, it enables IP assignments across accounts. RAM sharing is only available in your home AWS Region. Note that you create this share in the same Region as the IPAM, not in the local Region for the pool. All administrative operations on IPAM resources are made through the home Region of your IPAM. The example in this tutorial creates a single share for a single pool, but you can add multiple pools to a single share. For more information, including an explanation of the options that you must enter, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

Run the following command to create a resource share. The resource ARN is the Regional pool's ARN from Step 5. The principal `111122223333` is a placeholder for the 12-digit ID of the AWS account that you're sharing with; you can also pass the ARN of an organizational unit or of your organization.

```
aws ram create-resource-share --region us-east-1 --name pool_share --resource-arns arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0da89c821626f1e4b --principals 111122223333
```

The output shows that the resource share was created. `allowExternalPrincipals` is `false`, so the share can't be extended to accounts outside your organization.

```
{
    "resourceShare": {
        "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/3ab63985-99d9-1cd2-7d24-75e93EXAMPLE",
        "name": "pool_share",
        "owningAccountId": "123456789012",
        "allowExternalPrincipals": false,
        "status": "ACTIVE",
        "creationTime": 1565295733.282,
        "lastUpdatedTime": 1565295733.282
    }
}
```
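Sharing a pool is the point at which an IP plan can reach accounts you didn't intend, so it's worth auditing shares periodically rather than only at creation. The following Python is an added example, not AWS code, that audits resource shares offline for the two conditions that matter here: `allowExternalPrincipals` must be `false`, and every principal must be an account, OU or organization of your own. It applies equally to the share created in this step and to the one created in the console in Step 6.2 of the previous tutorial. The inputs are constructed to mirror the shape of `aws ram get-resource-shares` and `aws ram list-principals` output; the organization ID, the set of member accounts and the second, deliberately misconfigured share are assumptions.

```python
# Added example, not AWS code: offline audit of IPAM pool resource shares.
# SHARES mirrors `aws ram get-resource-shares --resource-owner SELF` output and
# PRINCIPALS mirrors `aws ram list-principals --resource-owner SELF` output, both
# constructed here. ORG_ID, ORG_ACCOUNTS and the second share are assumed.
ORG_ID = "o-exampleorgid"                            # assumed organization ID
ORG_ACCOUNTS = {"123456789012", "111122223333"}     # assumed member accounts

SHARES = [
    {"resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/3ab63985-99d9-1cd2-7d24-75e93EXAMPLE",
     "name": "pool_share", "owningAccountId": "123456789012",
     "allowExternalPrincipals": False, "status": "ACTIVE"},
    {"resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/aaaaaaaa-bbbb-cccc-dddd-eeeeeEXAMPLE",
     "name": "leaky_share", "owningAccountId": "123456789012",   # assumed bad share
     "allowExternalPrincipals": True, "status": "ACTIVE"},
]
PRINCIPALS = [  # one entry per (share, principal) association
    {"resourceShareArn": SHARES[0]["resourceShareArn"], "id": "111122223333", "external": False},
    {"resourceShareArn": SHARES[1]["resourceShareArn"], "id": "999999999999", "external": True},
    {"resourceShareArn": SHARES[1]["resourceShareArn"],
     "id": "arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-abcd-11111111", "external": False},
]


def principal_in_org(principal_id, org_id, org_accounts):
    """True if the principal is a member account, or an OU/organization ARN of org_id."""
    if principal_id.isdigit():                       # bare account ID
        return principal_id in org_accounts
    if principal_id.startswith("arn:aws:organizations::"):
        # OU ARNs embed the org ID as a path segment; the org ARN ends with it
        return f"/{org_id}/" in principal_id or principal_id.endswith(f":organization/{org_id}")
    return False                                     # IAM roles, users, anything else


def audit_shares(shares, principals, org_id, org_accounts):
    """Return {share name: [findings]} for every share that breaks the in-org policy."""
    by_share = {}
    for p in principals:
        by_share.setdefault(p["resourceShareArn"], []).append(p)
    findings = {}
    for s in shares:
        issues = []
        if s["allowExternalPrincipals"]:
            issues.append("allowExternalPrincipals is true")
        for p in by_share.get(s["resourceShareArn"], []):
            # RAM's own `external` flag is authoritative; the org check catches
            # principals RAM considers internal but that you don't recognise
            if p.get("external") or not principal_in_org(p["id"], org_id, org_accounts):
                issues.append(f"principal {p['id']} is outside the organization")
        if issues:
            findings[s["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_shares(SHARES, PRINCIPALS, ORG_ID, ORG_ACCOUNTS).items():
        print(name, "->", "; ".join(issues))
```

Run it from the IPAM account in the IPAM home Region, since that is where the shares live (see the note at the start of this step). A share that has `allowExternalPrincipals` set to `true` but no external principal yet is still reported, because the setting is what lets one be added later.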

## Step 8. Create a VPC
<a name="cli-tut-create-vpc-ipam"></a>

Run the following command to create a VPC with a CIDR allocated from the Regional pool. The VPC must be created in the pool's locale (`us-west-2`, set in Step 5), not in the IPAM home Region, and the CIDR that you request must fall inside the pool's provisioned `10.0.0.0/16`. If you'd rather let IPAM choose the block, replace `--cidr-block` with `--ipv4-netmask-length 24`.

```
aws ec2 create-vpc --region us-west-2 --ipv4-ipam-pool-id ipam-pool-0da89c821626f1e4b --cidr-block 10.0.0.0/24
```

The output shows that the VPC was created.

```
{
    "Vpc": {
        "CidrBlock": "10.0.0.0/24",
        "DhcpOptionsId": "dopt-19edf471",
        "State": "pending",
        "VpcId": "vpc-0983f3c454f3d8be5",
        "OwnerId": "123456789012",   
        "InstanceTenancy": "default",
        "Ipv6CidrBlockAssociationSet": [],
        "CidrBlockAssociationSet": [
            {
                "AssociationId": "vpc-cidr-assoc-00b24cc1c2EXAMPLE",
                "CidrBlock": "10.0.0.0/24",
                "CidrBlockState": {
                    "State": "associated"
                }
            }
        ],
        "IsDefault": false
    }
}
```

## Step 9. Cleanup
<a name="cli-tut-cleanup-ipam"></a>

Follow the steps in this section to delete the IPAM resources you've created in this tutorial.

1. Delete the VPC, in the Region where you created it.

   ```
   aws ec2 delete-vpc --region us-west-2 --vpc-id vpc-0983f3c454f3d8be5
   ```

1. Delete the IPAM pool RAM share, in the IPAM home Region where it was created.

   ```
   aws ram delete-resource-share --region us-east-1 --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/3ab63985-99d9-1cd2-7d24-75e93EXAMPLE
   ```

1. Deprovision the CIDR from the Regional pool. This returns the `/16` to the top-level pool, which is why it must happen before the next step.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0da89c821626f1e4b --cidr 10.0.0.0/16
   ```

1. Deprovision the CIDR from the top-level pool.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0008f25d7187a08d9 --cidr 10.0.0.0/8
   ```

1. Delete the IPAM. `--ipam-id` is required. The pools from Steps 3 and 5 still exist at this point, so pass `--cascade` to delete the private scope's pools (and any CIDRs or allocations left in them) together with the IPAM; this is the CLI equivalent of **Cascade delete** in the console.

   ```
   aws ec2 delete-ipam --region us-east-1 --ipam-id ipam-0de83dba6694560a9 --cascade
   ```

# Tutorial: View IP address history using the AWS CLI
<a name="tutorials-historical-insights"></a>

The scenarios in this section show you how to analyze and audit IP address usage using the AWS CLI. For general information about using the AWS CLI, see [Using the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-using.html) in the *AWS Command Line Interface User Guide*.

**Topics**
+ [Overview](#cli-tut-view-hist-ipam-overview)
+ [Scenarios](#cli-tut-view-hist-ipam-analyze)

## Overview
<a name="cli-tut-view-hist-ipam-overview"></a>

IPAM automatically retains your IP address monitoring data for up to three years. You can use the historical data to analyze and audit your network security and routing policies. You can search for historical insights for the following types of resources:
+ VPCs
+ VPC subnets
+ Elastic IP addresses
+ EC2 instances that are running
+ EC2 network interfaces attached to instances

**Important**  
Although IPAM doesn't monitor Amazon EC2 instances or EC2 network interfaces attached to instances, you can use the Search IP history feature to search for historical data on EC2 instance and network interface CIDRs.

**Note**  
The commands in this tutorial must be run using the account that owns the IPAM and the AWS Region that hosts the IPAM.
Records of changes to CIDRs are picked up in periodic snapshots, which means that it can take some time for records to appear or be updated, and the values for SampledStartTime and SampledEndTime can differ from the actual times they occurred.

## Scenarios
<a name="cli-tut-view-hist-ipam-analyze"></a>

The scenarios in this section show you how to analyze and audit IP address usage using the AWS CLI. For more information about the values mentioned in this tutorial like sampled end time and start time, see [View IP address history](view-history-cidr-ipam.md).

**Scenario 1: Which resources were associated with `10.2.1.155/32` between 1:00 AM and 9:00 PM on December 27, 2021 (UTC)?**

1. Run the following command:

   ```
   aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.2.1.155/32 --ipam-scope-id ipam-scope-05b579a1909c5fc7a --start-time 2021-12-27T01:00:00.000Z --end-time 2021-12-27T21:00:00.000Z
   ```

1. View the results of the analysis. In the example below, the CIDR was allocated to a network interface and EC2 instance over the course of the time period. Note that no **SampledEndTime** value means the record is still active. For more information about the values shown in the following output, see [View IP address history](view-history-cidr-ipam.md).

   ```
   {                                                     
       "HistoryRecords": [
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "network-interface",
               "ResourceId": "eni-0b4e53eb1733aba16",
               "ResourceCidr": "10.2.1.155/32",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           },
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "instance",
               "ResourceId": "i-064da1f79baed14f3",
               "ResourceCidr": "10.2.1.155/32",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           }
       ]
   }
   ```

   If the owner ID of the instance to which a network interface is attached differs from the owner ID of the network interface (as is the case for NAT gateways, Lambda network interfaces in VPCs, and other AWS services), the `ResourceOwnerId` is `amazon-aws` rather than the account ID of the owner of the network interface. The following example shows the record for a CIDR associated with a NAT gateway:

   ```
   {                                                     
       "HistoryRecords": [
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "network-interface",
               "ResourceId": "eni-0b4e53eb1733aba16",
               "ResourceCidr": "10.0.0.176/32",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           },
           {
               "ResourceOwnerId": "amazon-aws",
               "ResourceRegion": "us-east-1",
               "ResourceType": "instance",
               "ResourceCidr": "10.0.0.176/32",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           }
       ]
   }
   ```

**Scenario 2: Which resources were associated with `10.2.1.0/24` from December 1, 2021 to December 27, 2021 (UTC)?**

1. Run the following command:

   ```
   aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.2.1.0/24 --ipam-scope-id ipam-scope-05b579a1909c5fc7a --start-time 2021-12-01T00:00:00.000Z --end-time 2021-12-27T23:59:59.000Z
   ```

1. View the results of the analysis. In the example below, the CIDR was allocated to a subnet and VPC over the course of the time period. Note that no **SampledEndTime** value means the record is still active. For more information about the values shown in the following output, see [View IP address history](view-history-cidr-ipam.md).

   ```
   {
       "HistoryRecords": [
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "subnet",
               "ResourceId": "subnet-0864c82a42f5bffed",
               "ResourceCidr": "10.2.1.0/24",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           },
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "vpc",
               "ResourceId": "vpc-0f5ee7e1ba908a378",
               "ResourceCidr": "10.2.1.0/24",
               "ResourceComplianceStatus": "compliant",
               "ResourceOverlapStatus": "nonoverlapping",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           }
       ]
   }
   ```

**Scenario 3: Which resources were associated with `2605:9cc0:409::/56` from December 1, 2021 to December 27, 2021 (UTC)?**

1. Run the following command, where --region is the IPAM home Region:

   ```
   aws ec2 get-ipam-address-history --region us-east-1 --cidr 2605:9cc0:409::/56 --ipam-scope-id ipam-scope-07cb485c8b4a4d7cc --start-time 2021-12-01T01:00:00.000Z --end-time 2021-12-27T23:59:59.000Z
   ```

1. View the results of the analysis. In the example below, the CIDR was allocated to two different VPCs over the course of the time period in a Region outside the IPAM home Region. Note that no **SampledEndTime** value means the record is still active. For more information about the values shown in the following output, see [View IP address history](view-history-cidr-ipam.md). 

   ```
   {
       "HistoryRecords": [
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-2",
               "ResourceType": "vpc",
               "ResourceId": "vpc-01d967bf3b923f72c",
               "ResourceCidr": "2605:9cc0:409::/56",
               "ResourceName": "First example VPC",
               "ResourceComplianceStatus": "compliant",
               "ResourceOverlapStatus": "nonoverlapping",
               "VpcId": "vpc-01d967bf3b923f72c",
               "SampledStartTime": "2021-12-23T20:02:00.701000+00:00",
               "SampledEndTime": "2021-12-23T20:12:59.848000+00:00"
           },
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-2",
               "ResourceType": "vpc",
               "ResourceId": "vpc-03e62c7eca81cb652",
               "ResourceCidr": "2605:9cc0:409::/56",
               "ResourceName": "Second example VPC",
               "ResourceComplianceStatus": "compliant",
               "ResourceOverlapStatus": "nonoverlapping",
               "VpcId": "vpc-03e62c7eca81cb652",
               "SampledStartTime": "2021-12-27T15:11:00.046000+00:00"
           }
       ]
   }
   ```

**Scenario 4: Which resources were associated with `10.0.0.0/24` in the last 24 hours (assuming the current time is midnight on December 27, 2021 (UTC))?**

1. Run the following command:

   ```
   aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.0.0.0/24 --ipam-scope-id ipam-scope-05b579a1909c5fc7a --start-time 2021-12-27T00:00:00.000Z
   ```

1. View the results of the analysis. In the example below, the CIDR has been allocated to numerous subnets and VPCs over the time period. Note that no **SampledEndTime** value means the record is still active. For more information about the values shown in the following output, see [View IP address history](view-history-cidr-ipam.md). 

   ```
   {
       "HistoryRecords": [
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-2",
               "ResourceType": "subnet",
               "ResourceId": "subnet-0d1b8f899725aa72d",
               "ResourceCidr": "10.0.0.0/24",
               "ResourceName": "Example name",
               "VpcId": "vpc-042b8a44f64267d67",
               "SampledStartTime": "2021-12-11T16:35:59.074000+00:00",
               "SampledEndTime": "2021-12-28T15:34:00.017000+00:00"
           },
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-2",
               "ResourceType": "vpc",
               "ResourceId": "vpc-09754dfd85911abec",
               "ResourceCidr": "10.0.0.0/24",
               "ResourceName": "Example name",
               "ResourceComplianceStatus": "unmanaged",
               "ResourceOverlapStatus": "overlapping",
               "VpcId": "vpc-09754dfd85911abec",
               "SampledStartTime": "2021-12-27T20:07:59.947000+00:00",
               "SampledEndTime": "2021-12-28T15:34:00.017000+00:00"
           },
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-west-2",
               "ResourceType": "vpc",
               "ResourceId": "vpc-0a8347f594bea5901",
               "ResourceCidr": "10.0.0.0/24",
               "ResourceName": "Example name",
               "ResourceComplianceStatus": "unmanaged",
               "ResourceOverlapStatus": "overlapping",
               "VpcId": "vpc-0a8347f594bea5901",
               "SampledStartTime": "2021-12-11T16:35:59.318000+00:00"
           },
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "subnet",
               "ResourceId": "subnet-0af7eadb0798e9148",
               "ResourceCidr": "10.0.0.0/24",
               "ResourceName": "Example name",
               "VpcId": "vpc-03298ba16756a8736",
               "SampledStartTime": "2021-12-14T21:07:22.357000+00:00"
           }
       ]
   }
   ```

**Scenario 5: Which resources are currently associated with `10.2.1.155/32`?**

1. Run the following command:

   ```
   aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.2.1.155/32 --ipam-scope-id ipam-scope-05b579a1909c5fc7a
   ```

1. View the results of the analysis. In the example below, the CIDR was allocated to a network interface and EC2 instance over the time period. Note that no **SampledEndTime** value means the record is still active. For more information about the values shown in the following output, see [View IP address history](view-history-cidr-ipam.md).

   ```
   {
       "HistoryRecords": [
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "network-interface",
               "ResourceId": "eni-0b4e53eb1733aba16",
               "ResourceCidr": "10.2.1.155/32",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           },
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "instance",
               "ResourceId": "i-064da1f79baed14f3",
               "ResourceCidr": "10.2.1.155/32",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           }
       ]
   }
   ```

**Scenario 6: Which resources are currently associated with `10.2.1.0/24`?**

1. Run the following command:

   ```
   aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.2.1.0/24 --ipam-scope-id ipam-scope-05b579a1909c5fc7a
   ```

1. View the results of the analysis. In the example below, the CIDR was allocated to a VPC and subnet over the time period. Only the results that match this exact `/24` CIDR are returned, not every `/32` within the `/24` CIDR. Note that no **SampledEndTime** value means the record is still active. For more information about the values shown in the following output, see [View IP address history](view-history-cidr-ipam.md).

   ```
   {
       "HistoryRecords": [
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "subnet",
               "ResourceId": "subnet-0864c82a42f5bffed",
               "ResourceCidr": "10.2.1.0/24",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           },
           {
               "ResourceOwnerId": "123456789012",
               "ResourceRegion": "us-east-1",
               "ResourceType": "vpc",
               "ResourceId": "vpc-0f5ee7e1ba908a378",
               "ResourceCidr": "10.2.1.0/24",
               "ResourceComplianceStatus": "compliant",
               "ResourceOverlapStatus": "nonoverlapping",
               "VpcId": "vpc-0f5ee7e1ba908a378",
               "SampledStartTime": "2021-12-27T20:08:46.672000+00:00"
           }
       ]
   }
   ```

**Scenario 7: Which resources are currently associated with `54.0.0.9/32`?**

In this example, `54.0.0.9/32` is assigned to an Elastic IP address that is not part of the AWS Organization integrated with your IPAM.

1. Run the following command:

   ```
   aws ec2 get-ipam-address-history --region us-east-1 --cidr 54.0.0.9/32 --ipam-scope-id ipam-scope-05b579a1909c5fc7a
   ```

1. Since `54.0.0.9/32` is assigned to an Elastic IP address that is not part of the AWS Organization integrated with the IPAM in this example, no records are returned.

   ```
   {
       "HistoryRecords": []
   }
   ```
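All seven scenarios above return the same `HistoryRecords` shape, and the checks a reviewer applies to them are the same: which records are still active (no **SampledEndTime**), which resource held the CIDR at a given instant, and which VPC records carry a **ResourceComplianceStatus** other than `compliant` or a **ResourceOverlapStatus** of `overlapping`. The following Python is an added example, not code from the AWS documentation; the sample input is constructed inline from the Scenario 4 output shown above (trimmed to the fields the checks use), and `datetime.fromisoformat` parses the `+00:00` timestamps the API returns.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the HistoryRecords from the Scenario 4 output above,
# trimmed to the fields the checks below use.
SAMPLE_HISTORY = json.loads("""
{
    "HistoryRecords": [
        {"ResourceRegion": "us-east-2", "ResourceType": "subnet",
         "ResourceId": "subnet-0d1b8f899725aa72d", "ResourceCidr": "10.0.0.0/24",
         "VpcId": "vpc-042b8a44f64267d67",
         "SampledStartTime": "2021-12-11T16:35:59.074000+00:00",
         "SampledEndTime": "2021-12-28T15:34:00.017000+00:00"},
        {"ResourceRegion": "us-east-2", "ResourceType": "vpc",
         "ResourceId": "vpc-09754dfd85911abec", "ResourceCidr": "10.0.0.0/24",
         "ResourceComplianceStatus": "unmanaged", "ResourceOverlapStatus": "overlapping",
         "VpcId": "vpc-09754dfd85911abec",
         "SampledStartTime": "2021-12-27T20:07:59.947000+00:00",
         "SampledEndTime": "2021-12-28T15:34:00.017000+00:00"},
        {"ResourceRegion": "us-west-2", "ResourceType": "vpc",
         "ResourceId": "vpc-0a8347f594bea5901", "ResourceCidr": "10.0.0.0/24",
         "ResourceComplianceStatus": "unmanaged", "ResourceOverlapStatus": "overlapping",
         "VpcId": "vpc-0a8347f594bea5901",
         "SampledStartTime": "2021-12-11T16:35:59.318000+00:00"},
        {"ResourceRegion": "us-east-1", "ResourceType": "subnet",
         "ResourceId": "subnet-0af7eadb0798e9148", "ResourceCidr": "10.0.0.0/24",
         "VpcId": "vpc-03298ba16756a8736",
         "SampledStartTime": "2021-12-14T21:07:22.357000+00:00"}
    ]
}
""")


def _ts(value):
    """Parse the ISO-8601 timestamps in the output (None stays None)."""
    return datetime.fromisoformat(value) if value else None


def active_records(history):
    """Records with no SampledEndTime: the resource still holds the CIDR."""
    return [r for r in history["HistoryRecords"] if "SampledEndTime" not in r]


def holders_at(history, instant):
    """Resource IDs that held the CIDR at `instant` (a tz-aware datetime)."""
    held = []
    for r in history["HistoryRecords"]:
        start, end = _ts(r["SampledStartTime"]), _ts(r.get("SampledEndTime"))
        if start <= instant and (end is None or end > instant):
            held.append(r["ResourceId"])
    return held


def flag_records(history):
    """One finding per record whose status fields say the CIDR was not allocated
    through IPAM (compliance other than 'compliant') or collides with another
    resource ('overlapping'). Subnet records carry no status fields and are skipped."""
    findings = []
    for r in history["HistoryRecords"]:
        reasons = []
        if r.get("ResourceComplianceStatus") not in (None, "compliant"):
            reasons.append(f"compliance={r['ResourceComplianceStatus']}")
        if r.get("ResourceOverlapStatus") == "overlapping":
            reasons.append("overlapping")
        if reasons:
            findings.append(f"{r['ResourceId']} ({r['ResourceRegion']}): " + ", ".join(reasons))
    return findings


if __name__ == "__main__":
    print("still active:", [r["ResourceId"] for r in active_records(SAMPLE_HISTORY)])
    midnight = datetime(2021, 12, 27, tzinfo=timezone.utc)
    print("held at", midnight.isoformat(), holders_at(SAMPLE_HISTORY, midnight))
    for line in flag_records(SAMPLE_HISTORY):
        print("review:", line)
```

To run it against live data, replace `SAMPLE_HISTORY` with `json.load()` of the `get-ipam-address-history` output; `holders_at` with the current time answers the "currently associated" question of Scenarios 5 to 7 without a start or end time.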

# Tutorial: Bring your ASN to IPAM
<a name="tutorials-byoasn"></a>

If your applications are using trusted IP addresses and Autonomous System Numbers (ASNs) that your partners or customers have allow listed in their network, you can run these applications in AWS without requiring your partners or customers to change their allow lists. 

An Autonomous System Number (ASN) is a globally unique number that identifies a group of networks on the internet and lets them exchange routing data dynamically with other networks using [Border Gateway Protocol](https://aws.amazon.com/what-is/border-gateway-protocol/). Internet service providers (ISPs), for example, use ASNs to identify the source of network traffic. Not all organizations purchase their own ASNs, but organizations that do can bring their ASN to AWS.

Bring your own autonomous system number (BYOASN) enables you to advertise the IPv4 or IPv6 addresses that you bring to AWS with your own public ASN instead of the AWS ASN. When you use BYOASN, the traffic originating from your IP address carries your ASN instead of the AWS ASN, and your workloads are reachable by customers or partners that have allow listed traffic based on your IP address and ASN.

**Important**  
Complete this tutorial using the IPAM admin account in your IPAM’s home Region.
This tutorial assumes you own the public ASN you'd like to bring to IPAM and that you've already brought a BYOIP CIDR to AWS and provisioned it to a pool in your public scope. You can bring an ASN to IPAM at any time, but to use it, you have to associate it with a CIDR that you've brought to your AWS account. This tutorial assumes that you have already done that. For more information, see [Tutorial: Bring your IP addresses to IPAM](tutorials-byoip-ipam.md).
You can switch between advertising your own ASN and an AWS ASN without delay, but you are limited to changing from an AWS ASN to your own ASN once per hour.
If your BYOIP CIDR is currently advertised, you do not have to withdraw it from advertising to associate with your ASN.

## Onboarding prerequisites for your ASN
<a name="tutorials-byoasn-prereqs"></a>

You will need the following to complete this tutorial:
+ Your public 2-byte or 4-byte ASN.
+ If you've already brought an IP address range to AWS with [Tutorial: Bring your IP addresses to IPAM](tutorials-byoip-ipam.md), you need the IP address CIDR range. You'll also need a private key. You can use the private key that you created when you brought the IP address CIDR range to AWS or you can create a new private key as described in [Create a private key and generate an X.509 certificate](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/prepare-for-byoip.html#byoip-certificate) in the *Amazon EC2 User Guide*.
+ When you bring an IPv4 or IPv6 address range to AWS with [Tutorial: Bring your IP addresses to IPAM](tutorials-byoip-ipam.md), you [create an X.509 certificate](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-add-certificate) and [upload the X.509 certificate to the RDAP record in your RIR](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-add-certificate). You must upload the same certificate you created to the RDAP record in your RIR for the ASN. Be sure to include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` strings before and after the encoded portion. All of this content must be on a single, long line. The procedure for updating RDAP depends on your RIR:
  + For ARIN, use the [Account Manager portal](https://account.arin.net/public/secure/dashboard) to add the certificate in the "Public Comments" section for the "Network Information" object representing your ASN by using the "Modify ASN" option. Do not add it to the comments section for your organization.
  + For RIPE, add the certificate as a new "descr" field to the "aut-num" object representing your ASN. These can usually be found in the "My Resources" section of the [RIPE Database portal](https://apps.db.ripe.net/db-web-ui/myresources/overview). Do not add it to the comments section for your organization or the "remarks" field of the "aut-num" object.
  + For APNIC, email the certificate to [helpdesk@apnic.net](mailto:helpdesk@apnic.net) to manually add it to the "remarks" field for your ASN. Send the email using the APNIC authorized contact for the ASN.
+ When you bring an IP address range to IPAM, you create a ROA to verify that you control the IP address space that you are bringing to IPAM. In addition to that ROA, you must have a second ROA in your RIR with the ASN that you are bringing to IPAM. If you don’t have this second ROA for the ASN in your RIR, complete [3. Create a ROA object](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/prepare-for-byoip.html#byoip-create-roa-object) in your RIR. Ignore the other steps.

## Tutorial steps
<a name="tutorials-byoasn-process"></a>

Complete the steps below using the AWS console or the AWS CLI.

------
#### [ AWS Management Console ]

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the left navigation pane, choose **IPAMs**.

1. Choose your IPAM.

1. Choose the **BYOASNs** tab and choose **Provision BYOASNs**.

1. Enter the **ASN**. As a result, the **Message** field is automatically populated with the message you will need to sign in the next step.
   + The format of the message is as follows, where ACCOUNT is your AWS account number, ASN is the ASN you are bringing to IPAM, and YYYYMMDD is the expiry date of the message (which defaults to the last day of the next month). Example:

     ```
     text_message="1|aws|ACCOUNT|ASN|YYYYMMDD|SHA256|RSAPSS"
     ```

1. Copy the message and replace the expiry date with your own value if you want to.

1. Sign the message using the private key. Example:

   ```
   signed_message=$( echo -n $text_message | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
   ```

1. Under **Signature**, enter the signature.

1. (Optional) To provision another ASN, choose **Provision another ASN**. You can provision up to 5 ASNs. To increase this quota, see [Quotas for your IPAM](quotas-ipam.md).

1. Choose **Provision**.

1. View the provisioning process in the **BYOASNs** tab. Wait for the **State** to change from *Pending-provision* to *Provisioned*. BYOASNs in a *Failed-provision* state are automatically removed after 7 days. Once the ASN is successfully provisioned, you can associate it with a BYOIP CIDR.

1. In the left navigation pane, choose **Pools**.

1. Choose your public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose a regional pool that has a BYOIP CIDR provisioned to it. The pool must have **Service** set to **EC2** and must have a locale chosen.

1. Choose the **CIDRs** tab and select a BYOIP CIDR.

1. Choose **Actions** > **Manage BYOASN associations**.

1. Under **Associated BYOASNs**, choose the ASN you brought to AWS. If you have multiple ASNs, you can associate multiple ASNs with the BYOIP CIDR. You can associate as many ASNs as you can bring to IPAM. Note that you can bring up to 5 ASNs to IPAM by default. For more information, see [Quotas for your IPAM](quotas-ipam.md).

1. Choose **Associate**.

1. Wait for the ASN association to complete. Once the ASN is successfully associated with the BYOIP CIDR, you can advertise the BYOIP CIDR again.

1. Choose the pool **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Advertise**. As a result, your ASN options are displayed: the Amazon ASN and any ASNs you’ve brought to IPAM.

1. Select the ASN you brought to IPAM and choose **Advertise CIDR**. As a result, the BYOIP CIDR is advertised and the value in the **Advertising** column changes from Withdrawn to Advertised. The **Autonomous System Number** column displays the ASN associated with the CIDR. 

1. (optional) If you decide that you want to change the ASN association back to the Amazon ASN, select the BYOIP CIDR and choose **Actions** > **Advertise** again. This time, choose the Amazon ASN. You can swap back to the Amazon ASN at any time, but you can only change to a custom ASN once every hour.

The tutorial is complete.
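The message and signature steps above can be reproduced outside the console. The following Python is an added example, not code from the AWS documentation: it builds `text_message` in the format shown (the default expiry of the last day of the next month is the rule stated above), checks a message's fixed fields before it is signed, and applies the same encoding as the `openssl ... | tr -- '+=/' '-_~'` pipeline to a raw signature. The RSA-PSS signing itself is still done with the openssl command above; the signature bytes used here are constructed placeholders, and the 12-digit account ID check is the author of this example's assumption.

```python
import base64
import calendar
from datetime import date

# Same substitution as the page's `tr -- '+=/' '-_~'` step.
_ENCODE = str.maketrans("+=/", "-_~")
_DECODE = str.maketrans("-_~", "+=/")


def default_expiry(year, month):
    """Console default for YYYYMMDD: the last day of the month after (year, month)."""
    year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return date(year, month, calendar.monthrange(year, month)[1]).strftime("%Y%m%d")


def authorization_message(account_id, asn, expiry):
    """The text_message in the format shown above: 1|aws|ACCOUNT|ASN|YYYYMMDD|SHA256|RSAPSS."""
    return f"1|aws|{account_id}|{asn}|{expiry}|SHA256|RSAPSS"


def parse_authorization_message(message):
    """Split a message into its fields and check the fixed parts before signing it.
    Raises ValueError on anything IPAM would not accept as constructed here."""
    parts = message.split("|")
    if len(parts) != 7 or parts[:2] != ["1", "aws"] or parts[5:] != ["SHA256", "RSAPSS"]:
        raise ValueError("unexpected message layout")
    account, asn, expiry = parts[2:5]
    if not (account.isdigit() and len(account) == 12):   # assumption: 12-digit account ID
        raise ValueError("account ID must be 12 digits")
    if not asn.isdigit():
        raise ValueError("ASN must be numeric")
    if not (expiry.isdigit() and len(expiry) == 8):
        raise ValueError("expiry must be YYYYMMDD")
    expiry_date = date(int(expiry[:4]), int(expiry[4:6]), int(expiry[6:]))  # rejects impossible dates
    return {"account": account, "asn": int(asn), "expiry": expiry_date}


def encode_signature(raw_signature):
    """Encode a raw RSA-PSS signature exactly as the openssl pipeline does:
    standard base64, then '+'->'-', '='->'_', '/'->'~' so it is safe as a CLI argument."""
    return base64.b64encode(raw_signature).decode("ascii").translate(_ENCODE)


def decode_signature(encoded):
    """Invert encode_signature, e.g. to re-verify a stored signature with openssl."""
    return base64.b64decode(encoded.translate(_DECODE))


if __name__ == "__main__":
    msg = authorization_message("123456789012", 12345, default_expiry(2021, 12))
    print(msg)                                  # 1|aws|123456789012|12345|20220131|SHA256|RSAPSS
    print(parse_authorization_message(msg))
    print(encode_signature(b"\xfb\xff\xbf"))   # constructed bytes, not a real signature
```

`encode_signature` takes the raw bytes `openssl dgst -sign` writes; feeding it the already base64-encoded text would double-encode the signature, which is the usual reason a provisioning call is rejected for a bad signature.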

**Cleanup**

1. Disassociate the ASN from the BYOIP CIDR
   + To withdraw the BYOIP CIDR from advertising, in your pool in the public scope, choose the BYOIP CIDR and choose **Actions** > **Withdraw from advertising**.
   + To disassociate the ASN from the CIDR, choose **Actions** > **Manage BYOASN associations**.

1. Deprovision the ASN
   + To deprovision the ASN, in the BYOASNs tab, choose the ASN and choose **Deprovision ASN**. As a result, the ASN is deprovisioned. BYOASNs in a *Deprovisioned* state are automatically removed after 7 days.

Cleanup is complete.

------
#### [ Command line ]

1. Provision your ASN by including your ASN and authorization message. The signature is the message signed with your private key.

   ```
   aws ec2 provision-ipam-byoasn --ipam-id $ipam_id --asn 12345 --asn-authorization-context Message="$text_message",Signature="$signed_message"
   ```

1. Describe your ASN to track the provisioning process. If the request succeeds, you should see the *ProvisionStatus* set to *provisioned* after a few minutes.

   ```
   aws ec2 describe-ipam-byoasn 
   ```

1. Associate your ASN with your BYOIP CIDR. Any custom ASN you wish to advertise from must first be associated with your CIDR.

   ```
   aws ec2 associate-ipam-byoasn --asn 12345 --cidr xxx.xxx.xxx.xxx/n
   ```

1. Describe your CIDR to track the association process.

   ```
   aws ec2 describe-byoip-cidrs --max-results 10
   ```

1. Advertise your CIDR with your ASN. If the CIDR is already advertised, this will swap the origin ASN from Amazon’s to yours.

   ```
   aws ec2 advertise-byoip-cidr --asn 12345 --cidr xxx.xxx.xxx.xxx/n
   ```

1. Describe your CIDR to see the ASN state change from *associated* to *advertised*.

   ```
   aws ec2 describe-byoip-cidrs --max-results 10
   ```

The tutorial is complete.

**Cleanup**

1. Do one of the following:
   + To withdraw just your ASN advertisement and go back to using the Amazon ASNs while keeping the CIDR advertised, you must call advertise-byoip-cidr with the special `AWS` value for the asn parameter. You can swap back to the Amazon ASN at any time, but you can only change to a custom ASN once every hour.

     ```
     aws ec2 advertise-byoip-cidr --asn AWS --cidr xxx.xxx.xxx.xxx/n 
     ```
   + To withdraw your CIDR and ASN advertisement simultaneously, you can call withdraw-byoip-cidr.

     ```
     aws ec2 withdraw-byoip-cidr --cidr xxx.xxx.xxx.xxx/n
     ```

1. To clean up your ASN, you must first disassociate it from your BYOIP CIDR.

   ```
   aws ec2 disassociate-ipam-byoasn --asn 12345 --cidr xxx.xxx.xxx.xxx/n
   ```

1. Once your ASN is disassociated from all the BYOIP CIDRs with which you associated it, you can deprovision it.

   ```
   aws ec2 deprovision-ipam-byoasn --ipam-id $ipam_id --asn 12345 
   ```

1. The BYOIP CIDR can also be deprovisioned once all ASN associations are removed.

   ```
   aws ec2 deprovision-ipam-pool-cidr --ipam-pool-id ipam-pool-1234567890abcdef0 --cidr xxx.xxx.xxx.xxx/n
   ```

1. Confirm the deprovisioning.

   ```
   aws ec2 get-ipam-pool-cidrs --ipam-pool-id ipam-pool-1234567890abcdef0
   ```

Cleanup is complete.

------

# Tutorial: Bring your IP addresses to IPAM
<a name="tutorials-byoip-ipam"></a>

The tutorials in this section walk you through the process of bringing public IP address space to AWS and managing the space with IPAM.

Managing public IP address space with IPAM has the following benefits:
+ **Improves public IP address utilization across your organization**: You can use IPAM to share IP address space across AWS accounts. Without using IPAM, you cannot share your public IP space across AWS Organizations accounts.
+ **Simplifies the process of bringing public IP space to AWS**: You can use IPAM to onboard public IP address space once, and then use IPAM to distribute your public IPs across Regions to resources like EC2 instances and [application load balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-ip-pools.html). Without IPAM, you have to onboard your public IPs for each AWS Region.

**Topics**
+ [Verify domain control](tutorials-byoip-ipam-domain-verification-methods.md)
+ [Bring your own IP to IPAM using both the AWS Management Console and the AWS CLI](tutorials-byoip-ipam-console-intro.md)
+ [Bring your own IP CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-cli-only-intro.md)
+ [Bring your own IP to CloudFront using IPAM (supports IPv4 and IPv6)](tutorials-byoip-cloudfront.md)

# Verify domain control
<a name="tutorials-byoip-ipam-domain-verification-methods"></a>

Before you bring an IP address range to AWS, you have to use one of the options described in this section to verify that you control the IP address space. This applies to both IPv4 and IPv6 address ranges. Later, when you bring the IP address range to AWS, AWS validates that you control the IP address range. This validation ensures that customers cannot use IP ranges belonging to others, preventing routing and security issues.

There are two methods that you can use to verify that you control the range:
+ **X.509 certificate**: If your IP address range is registered with an Internet Registry that supports RDAP (such as ARIN, RIPE and APNIC), you can use an X.509 certificate to verify ownership of your domain.
+ **DNS TXT record**: Regardless of whether your Internet Registry supports RDAP, you can use a verification token and a DNS TXT record to verify ownership of your domain.

**Topics**
+ [Verify your domain with an X.509 certificate](#tutorials-byoip-ipam-domain-verification-cert)
+ [Verify your domain with a DNS TXT record](#tutorials-byoip-ipam-domain-verification-dns-txt)

## Verify your domain with an X.509 certificate
<a name="tutorials-byoip-ipam-domain-verification-cert"></a>

This section describes how to verify your domain with an X.509 certificate before you bring your IP address range to IPAM. 

**To verify your domain with an X.509 certificate**

1. Complete the three steps in [Prerequisites for BYOIP in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/prepare-for-byoip.html) in the *Amazon EC2 User Guide*.
**Note**  
When you create the ROAs, for IPv4 CIDRs you must set the maximum length of an IP address prefix to `/24`. For IPv6 CIDRs, if you are adding them to an advertisable pool, the maximum length of an IP address prefix must be `/48`. This ensures that you have full flexibility to divide your public IP address across AWS Regions. IPAM enforces the maximum length you set. The maximum length is the smallest prefix length announcement you will allow for this route. For example, if you bring a `/20` CIDR block to AWS, by setting the maximum length to `/24`, you can divide the larger block any way you like (such as with `/21`, `/22`, or `/24`) and distribute those smaller CIDR blocks to any Region. If you were to set the maximum length to `/23`, you would not be able to divide and advertise a `/24` from the larger block. Also, note that `/24` is the smallest IPv4 block and `/48` is the smallest IPv6 block you can advertise from a Region to the internet.

1. Complete steps 1 and 2 only under [Provision a publicly advertisable address range in AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-provision) in the *Amazon EC2 User Guide*, **and don't provision the address range (step 3) yet**. Save the `text_message` and `signed_message`. You'll need them later in this process.

When you've completed these steps, continue with [Bring your own IP to IPAM using both the AWS Management Console and the AWS CLI](tutorials-byoip-ipam-console-intro.md) or [Bring your own IP CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-cli-only-intro.md).

## Verify your domain with a DNS TXT record
<a name="tutorials-byoip-ipam-domain-verification-dns-txt"></a>

Complete the steps in this section to verify your domain with a DNS TXT record before you bring your IP address range to IPAM.

You can use DNS TXT records to validate that you control a public IP address range. DNS TXT records are a type of DNS record that contain information about your domain name. This feature enables you to bring IP addresses registered with any internet registry (such as JPNIC, LACNIC, and AFRINIC), not just those that support RDAP (Registration Data Access Protocol) record-based validations (such as ARIN, RIPE and APNIC).

**Important**  
Before you can continue, you must have already created an IPAM in the Free or Advanced Tier. If you don’t have an IPAM, complete [Create an IPAM](create-ipam.md) first.

**Topics**
+ [Step 1: Create a ROA if you don't have one](#tutorials-byoip-ipam-domain-verification-dns-txt-roa)
+ [Step 2. Create a verification token](#tutorials-byoip-ipam-domain-verification-dns-txt-token)
+ [Step 3. Set up the DNS zone and TXT record](#tutorials-byoip-ipam-domain-verification-dns-txt-dns)

### Step 1: Create a ROA if you don't have one
<a name="tutorials-byoip-ipam-domain-verification-dns-txt-roa"></a>

You must have a Route Origin Authorization (ROA) in your Regional Internet Registry (RIR) for IP address ranges you wish to advertise. If you don’t have a ROA in your RIR, complete [3. Create a ROA object in your RIR](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-create-roa-object) in the *Amazon EC2 User Guide*. Ignore the other steps. 

The most specific IPv4 address range that you can bring is /24. The most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.

### Step 2. Create a verification token
<a name="tutorials-byoip-ipam-domain-verification-dns-txt-token"></a>

A verification token is an AWS-generated random value that you can use to prove control of an external resource. For example, you can use a verification token to validate that you control a public IP address range when you bring an IP address range to AWS (BYOIP). 

Complete the steps in this section to create a verification token which you'll need in a later step in this tutorial to bring your IP address range to IPAM. Use the instructions below for either the AWS console or the AWS CLI.

------
#### [ AWS Management Console ]

**To create a verification token**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the AWS Management Console, choose the AWS Region where you created your IPAM.

1. In the left navigation pane, choose **IPAMs**.

1. Choose your IPAM and then choose the **Verification tokens tab**.

1. Select **Create verification token**.

1. After you create the token, leave this browser tab open. You’ll need the **Token value**, **Token name** in the next step and the **Token ID** in a later step.

Note the following:
+ Once you create a verification token, you can reuse the token for multiple BYOIP CIDRs that you provision from your IPAM within 72 hours. If you want to provision more CIDRs after 72 hours, you need a new token.
+ You can create up to 100 tokens. If you reach the limit, delete expired tokens.

------
#### [ Command line ]
+ Request that IPAM creates a verification token that you will use for the DNS configuration with [create-ipam-external-resource-verification-token](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-ipam-external-resource-verification-token.html):

  ```
  aws ec2 create-ipam-external-resource-verification-token --ipam-id ipam-id
  ```

  This returns the `IpamExternalResourceVerificationTokenId`, the token's `TokenName` and `TokenValue`, and the expiration time (`NotAfter`) of the token.

  ```
  {
      "IpamExternalResourceVerificationToken": {
          "IpamExternalResourceVerificationTokenId": "ipam-ext-res-ver-token-0309ce7f67a768cf0",
          "IpamId": "ipam-0f9e8725ac3ae5754",
          "TokenValue": "a34597c3-5317-4238-9ce7-50da5b6e6dc8",
          "TokenName": "86950620",
          "NotAfter": "2024-05-19T14:28:15.927000+00:00",
          "Status": "valid",
          "Tags": [],
          "State": "create-in-progress"
      }
  }
  ```

Note the following:
+ Once you create a verification token, you can reuse the token for multiple BYOIP CIDRs that you provision from your IPAM within 72 hours. If you want to provision more CIDRs after 72 hours, you need a new token.
+ You can view your tokens using [describe-ipam-external-resource-verification-tokens](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-ipam-external-resource-verification-tokens.html).
+ You can create up to 100 tokens. If you reach the limit, you can delete expired tokens using [delete-ipam-external-resource-verification-token](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-ipam-external-resource-verification-token.html).

------

### Step 3. Set up the DNS zone and TXT record
<a name="tutorials-byoip-ipam-domain-verification-dns-txt-dns"></a>

Complete the steps in this section to set up the DNS zone and TXT record. If you are not using Route53 as your DNS, then follow the documentation provided by your DNS provider to set up a DNS Zone and add a TXT record.

If you are using Route53, note the following:
+ To create a Reverse Lookup Zone in the AWS console, see [Creating a public hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html) in the *Amazon Route 53 Developer Guide* or use the AWS CLI command [create-hosted-zone](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-hosted-zone.html). 
+ To create a record in the Reverse Lookup Zone in the AWS console, see [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) in the *Amazon Route 53 Developer Guide* or use the AWS CLI command [change-resource-record-sets](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/change-resource-record-sets.html). 
+ After you are done creating your hosted zone, delegate the hosted zone from your RIR to the name servers provided by Route53 (such as for [LACNIC](https://www.lacnic.net/1017/2/lacnic/reverse-dns-resolution) or [APNIC](https://www.apnic.net/manage-ip/manage-resources/reverse-dns/)).

Whether you are using another DNS provider or Route53, when you set up the TXT record, note the following:
+ Record name should be your token name.
+ Record type should be TXT.
+ ResourceRecord Value should be the token value.

Example:
+ **Name**: `86950620.113.0.203.in-addr.arpa`
+ **Type**: `TXT`
+ **ResourceRecords Value**: `a34597c3-5317-4238-9ce7-50da5b6e6dc8`

Where:
+ `86950620` is the verification token name.
+ `113.0.203.in-addr.arpa` is the Reverse Lookup Zone name.
+ `TXT` is the record type.
+ `a34597c3-5317-4238-9ce7-50da5b6e6dc8` is the verification token value.
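The record above covers one octet-aligned IPv4 range. The following Python is an added example, not code from the AWS documentation, and goes beyond the single record shown: it takes any IPv4 or IPv6 prefix, splits it into the octet-aligned (IPv4) or nibble-aligned (IPv6) sub-prefixes that cover it, and emits the TXT record name under `in-addr.arpa` or `ip6.arpa` for each, in the `token-name.<reverse zone>. IN TXT "token-value"` form, so the record set can be built and reviewed before delegating the zone. The most-specific limits (`/24` for IPv4, `/60` for IPv6) are the ones stated in Step 1; `token-name` and `token-value` are placeholders for the values from Step 2.

```python
import ipaddress

# Most specific ranges the tutorial accepts (Step 1): /24 for IPv4, /60 for IPv6
# (/48 if the CIDR is to be publicly advertised).
MAX_PREFIXLEN = {4: 24, 6: 60}


def aligned_prefixlen(network):
    """Round the prefix length up to the next octet (IPv4) or nibble (IPv6) boundary."""
    step = 8 if network.version == 4 else 4
    return -(-network.prefixlen // step) * step


def reverse_zone(network):
    """Reverse DNS name of an octet- or nibble-aligned network, without the trailing dot."""
    plen = network.prefixlen
    if network.version == 4:
        labels = str(network.network_address).split(".")[: plen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    nibbles = network.network_address.exploded.replace(":", "")[: plen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def byoip_txt_records(prefix, token_name, token_value):
    """TXT records that must exist for IPAM to verify control of `prefix`.

    An unaligned prefix is split into the aligned sub-prefixes that cover it,
    and one record is emitted per sub-prefix; an aligned prefix yields one record.
    """
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set in the prefix
    if net.prefixlen > MAX_PREFIXLEN[net.version]:
        raise ValueError(f"{prefix} is more specific than IPAM accepts")
    return [
        f'{token_name}.{reverse_zone(sub)}. IN TXT "{token_value}"'
        for sub in net.subnets(new_prefix=aligned_prefixlen(net))
    ]


if __name__ == "__main__":
    for prefix in ("198.18.123.0/24", "198.18.12.0/22", "2001:db8:80::/42", "2001:db8:0:1000::/54"):
        print(prefix)
        for record in byoip_txt_records(prefix, "token-name", "token-value"):
            print("  ", record)
```

The reverse zone a record lands in is the aligned sub-prefix's zone, so a `/22` produces four records in four `/24` reverse zones; all of them must be delegated from your RIR to the name servers that host the TXT records before IPAM can look them up.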

**Note**  
Depending on the size of the prefix to be brought to IPAM with BYOIP, one or more authentication records must be created in the DNS. These authentication records are of the record type TXT and must be placed into the reverse zone of the prefix itself or its parent prefix.  
For IPv4, authentication records need to align to ranges at an octet boundary that make up the prefix.  
**Examples**
For 198.18.123.0/24, which is already aligned at an octet boundary, you would need to create a single authentication record at:  
`token-name.123.18.198.in-addr.arpa. IN TXT "token-value"`
For 198.18.12.0/22, which itself is not aligned to an octet boundary, you would need to create four authentication records. These records must cover the subnets 198.18.12.0/24, 198.18.13.0/24, 198.18.14.0/24, and 198.18.15.0/24, which are aligned at an octet boundary. The corresponding DNS entries must be:  
`token-name.12.18.198.in-addr.arpa. IN TXT "token-value"`
`token-name.13.18.198.in-addr.arpa. IN TXT "token-value"`
`token-name.14.18.198.in-addr.arpa. IN TXT "token-value"`
`token-name.15.18.198.in-addr.arpa. IN TXT "token-value"`
For 198.18.0.0/16, which is already aligned at an octet boundary, you need to create a single authentication record:  
`token-name.18.198.in-addr.arpa. IN TXT "token-value"`
For IPv6, authentication records need to align to ranges at a nibble boundary that make up the prefix. Nibble-aligned prefix lengths are multiples of four, for example 32, 36, 40, 44, 48, 52, 56, and 60.  
**Examples**  
For 2001:0db8::/40, which is already aligned at a nibble boundary, you need to create a single authentication record:  
`token-name.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
For 2001:0db8:80::/42, which is itself not aligned at a nibble boundary, you need to create four authentication records. These records must cover the subnets 2001:db8:80::/44, 2001:db8:90::/44, 2001:db8:a0::/44, and 2001:db8:b0::/44, which are aligned at a nibble boundary. The corresponding DNS entries must be:  
`token-name.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
`token-name.9.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
`token-name.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
`token-name.b.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
For the non-advertised range 2001:db8:0:1000::/54, which is itself not aligned at a nibble boundary, you need to create four authentication records. These records must cover the subnets 2001:db8:0:1000::/56, 2001:db8:0:1100::/56, 2001:db8:0:1200::/56, and 2001:db8:0:1300::/56, which are aligned at a nibble boundary. The corresponding DNS entries must be:  
`token-name.0.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
`token-name.1.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
`token-name.2.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
`token-name.3.1.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN TXT "token-value"`
To validate the correct number of hexadecimal digits between the *token-name* and the "ip6.arpa" string, multiply the number of digits by four. The result should match the prefix length. For example, for a /56 prefix you should have 14 hexadecimal digits.
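As an added example (not part of the AWS documentation), the following POSIX shell script derives the owner names shown above from a CIDR and a token name. It applies the octet and nibble alignment rules for both address families and, for a prefix that is not aligned, prints one name per aligned sub-prefix that covers it. The script name, `token-name`, and the CIDRs are inputs you supply.

```shell
#!/bin/sh
# Added example (not from the AWS docs): derive the owner names of the BYOIP verification
# TXT records for a prefix. Prefixes not aligned to an octet (IPv4) or nibble (IPv6)
# boundary are expanded into the aligned sub-prefixes that cover them, one record each.
set -eu

# Expand an IPv6 address to its 32 hex nibbles with no separators (handles a single "::").
expand_ipv6() {
  printf '%s\n' "$1" | awk -F'::' '
    function pad(g) { while (length(g) < 4) g = "0" g; return g }
    {
      out = ""
      nl = split($1, L, ":")
      nr = (NF > 1) ? split($2, R, ":") : 0
      for (i = 1; i <= nl; i++) out = out pad(L[i])
      if (NF > 1) for (i = 0; i < 8 - nl - nr; i++) out = out "0000"
      for (i = 1; i <= nr; i++) out = out pad(R[i])
      print tolower(out)
    }'
}

# Print one TXT owner name per aligned sub-prefix: <token-name>.<reversed groups>.<arpa suffix>
# Usage: txt_record_names <cidr> <token-name>
txt_record_names() {
  cidr=$1; token=$2
  addr=${cidr%/*}; plen=${cidr#*/}
  case $addr in
    *:*)                       # IPv6: the groups are hex nibbles
      unit=4; suffix=ip6.arpa; fmt='%x'; groups=""
      s=$(expand_ipv6 "$addr")
      while [ -n "$s" ]; do c=${s%"${s#?}"}; s=${s#?}; groups="$groups $((0x$c))"; done ;;
    *)                         # IPv4: the groups are decimal octets
      unit=8; suffix=in-addr.arpa; fmt='%d'
      groups=$(printf '%s' "$addr" | tr '.' ' ') ;;
  esac
  aligned=$(( (plen + unit - 1) / unit * unit ))   # next octet/nibble boundary at or after plen
  ngroups=$(( aligned / unit ))                    # groups that appear in the record name
  free=$(( aligned - plen ))                       # low bits of the last group left open by the prefix
  set -- $groups
  rev=""; i=1
  while [ "$i" -lt "$ngroups" ]; do                # reverse all but the last group
    rev="$(printf "$fmt" "$1").$rev"; shift; i=$((i + 1))
  done
  base=$(( $1 & ~((1 << free) - 1) ))             # last group with its open low bits cleared
  k=0
  while [ "$k" -lt $((1 << free)) ]; do            # one record per value of the open bits
    printf "%s.$fmt.%s%s\n" "$token" $((base | k)) "$rev" "$suffix"
    k=$((k + 1))
  done
}

if [ $# -eq 2 ]; then txt_record_names "$1" "$2"; fi
```

Run it as `sh txt-names.sh 198.18.12.0/22 token-name` (the file name is an assumption) to print one owner name per line; each becomes the record name of a TXT record whose value is the token value. Dividing the number of hex digits in an IPv6 name by four recovers the aligned prefix length, which is the check described above.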

When you've completed these steps, continue with [Bring your own IP to IPAM using both the AWS Management Console and the AWS CLI](tutorials-byoip-ipam-console-intro.md) or [Bring your own IP CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-cli-only-intro.md).

# Bring your own IP to IPAM using both the AWS Management Console and the AWS CLI
<a name="tutorials-byoip-ipam-console-intro"></a>

Bringing Your Own IP (BYOIP) to IPAM allows you to use your organization's existing IPv4 and IPv6 address ranges in AWS. This enables you to maintain consistent branding, improve network performance, enhance security, and simplify management by unifying on-premises and cloud environments under your own IP address space.

Follow these steps to bring an IPv4 or IPv6 CIDR to IPAM using both the AWS Management Console and the AWS CLI.

**Note**  
Before you begin, you must have first [verified domain control](tutorials-byoip-ipam-domain-verification-methods.md).

Once you bring an IPv4 address range to AWS, you can use all of the IP addresses in the range, including the first address (the network address) and the last address (the broadcast address).

**Topics**
+ [Bring your own IPv4 CIDR to IPAM using both the AWS Management Console and the AWS CLI](tutorials-byoip-ipam-console-ipv4.md)
+ [Bring your own IPv6 CIDR to IPAM using the AWS Management Console](tutorials-byoip-ipam-console-ipv6.md)

# Bring your own IPv4 CIDR to IPAM using both the AWS Management Console and the AWS CLI
<a name="tutorials-byoip-ipam-console-ipv4"></a>

Follow these steps to bring an IPv4 CIDR to IPAM and allocate an Elastic IP address (EIP) using both the AWS Management Console and the AWS CLI.

**Important**  
This tutorial assumes you have already completed the steps in the following sections:  
[Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
[Create an IPAM](create-ipam.md).
Each step of this tutorial must be done by one of three AWS Organizations accounts:  
The management account.
The member account configured to be your IPAM administrator in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md). In this tutorial, this account will be called the IPAM account.
The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.

**Topics**
+ [Step 1: Create AWS CLI named profiles and IAM roles](#tutorials-create-profiles)
+ [Step 2: Create a top-level IPAM pool](#tutorials-byoip-ipam-ipv4-console-create-top)
+ [Step 3: Create a Regional pool within the top-level pool](#tutorials-byoip-ipam-ipv4-console-create-reg)
+ [Step 4: Advertise the CIDR](#tutorials-byoip-ipam-ipv4-console-adv)
+ [Step 5: Share the Regional pool](#tutorials-byoip-ipam-ipv4-console-share-reg)
+ [Step 6: Allocate an Elastic IP address from the pool](#tutorials-byoip-ipam-ipv4-console-all-eip)
+ [Step 7: Associate the Elastic IP address with an EC2 instance](#tutorials-byoip-ipam-ipv4-console-assoc-eip)
+ [Step 8: Cleanup](#tutorials-byoip-ipam-ipv4-console-cleanup)
+ [Alternative to Step 6](#tutorials-byoip-ipam-ipv4-alt)

## Step 1: Create AWS CLI named profiles and IAM roles
<a name="tutorials-create-profiles"></a>

To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch from one IAM role to another. [Named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles) are collections of settings and credentials that you refer to when using the `--profile` option with the AWS CLI. For more information about how to create IAM roles and named profiles for AWS accounts, see [Using an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).

Create one role and one named profile for each of the three AWS accounts you will use in this tutorial:
+ A profile called `management-account` for the AWS Organizations management account.
+ A profile called `ipam-account` for the AWS Organizations member account that is configured to be your IPAM administrator.
+ A profile called `member-account` for the AWS Organizations member account in your organization which will allocate CIDRs from an IPAM pool.

After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the `--profile` option with one of the named profiles to indicate which account must run the command.
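An added example (not from the AWS documentation) of creating the three named profiles from the command line with `aws configure set`, and of checking that each profile really resolves to the account it is meant for before running any tutorial command. The account IDs, the role name `IpamTutorialRole`, and the `default` source profile are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the AWS docs): create the three named profiles used in this
# tutorial with "aws configure set", each assuming an IAM role in its account.
# Account IDs and the role name are placeholders; replace them with your own values.
set -eu

MGMT_ACCOUNT_ID=${MGMT_ACCOUNT_ID:-111111111111}      # placeholder
IPAM_ACCOUNT_ID=${IPAM_ACCOUNT_ID:-222222222222}      # placeholder
MEMBER_ACCOUNT_ID=${MEMBER_ACCOUNT_ID:-333333333333}  # placeholder
ROLE_NAME=${ROLE_NAME:-IpamTutorialRole}              # placeholder: the role created in each account
SOURCE_PROFILE=${SOURCE_PROFILE:-default}             # profile whose credentials may assume the roles

# Write a named profile that assumes role $3 in account $2 using the SOURCE_PROFILE credentials.
make_role_profile() {
  profile=$1; account=$2; role=$3
  aws configure set role_arn "arn:aws:iam::${account}:role/${role}" --profile "$profile"
  aws configure set source_profile "$SOURCE_PROFILE" --profile "$profile"
}

# Confirm that a profile resolves to the intended account (returns non-zero otherwise).
check_profile_account() {
  profile=$1; expected=$2
  actual=$(aws sts get-caller-identity --profile "$profile" --query Account --output text)
  [ "$actual" = "$expected" ]
}

setup_profiles() {
  make_role_profile management-account "$MGMT_ACCOUNT_ID"   "$ROLE_NAME"
  make_role_profile ipam-account       "$IPAM_ACCOUNT_ID"   "$ROLE_NAME"
  make_role_profile member-account     "$MEMBER_ACCOUNT_ID" "$ROLE_NAME"
  check_profile_account management-account "$MGMT_ACCOUNT_ID"
  check_profile_account ipam-account       "$IPAM_ACCOUNT_ID"
  check_profile_account member-account     "$MEMBER_ACCOUNT_ID"
}

# Only write to ~/.aws/config when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then setup_profiles; fi
```

The identity check matters because every later command in this tutorial is scoped by `--profile`; a profile that silently falls back to the source credentials would run IPAM changes in the wrong account.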

## Step 2: Create a top-level IPAM pool
<a name="tutorials-byoip-ipam-ipv4-console-create-top"></a>

Complete the steps in this section to create a top-level IPAM pool.

This step must be done by the IPAM account.

**To create a pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a **Description** for the pool.

1. Under **Source**, choose **IPAM scope**.

1. Under **Address family**, choose **IPv4**.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Under **Locale**, choose **None**.

   The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR. Since we are going to create a top-level IPAM pool with a Regional pool within it, and we’re going to allocate space to an Elastic IP address from the Regional pool, you will set the locale on the Regional pool and not the top-level pool. You’ll add the locale to the Regional pool when you create the Regional pool in a later step.
**Note**  
If you are creating a single pool only and not a top-level pool with Regional pools within it, you would want to choose a Locale for this pool so that the pool is available for allocations.

1. Under **Public IP source**, choose **BYOIP**.

1. Under **CIDRs to provision**, do one of the following:
   + If you [verified your domain control with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert), you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space. 
   + If you [verified your domain control with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt), you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.

   Note that when provisioning an IPv4 CIDR to a pool within the top-level pool, the minimum IPv4 CIDR you can provision is `/24`; more specific CIDRs (such as `/25`) are not permitted.
**Important**  
While most provisioning will be completed within two hours, it may take up to one week to complete the provisioning process for publicly advertisable ranges.

1. Leave **Configure this pool's allocation rule settings** unselected.

1. (Optional) Choose **Tags** for the pool.

1. Choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.

## Step 3: Create a Regional pool within the top-level pool
<a name="tutorials-byoip-ipam-ipv4-console-create-reg"></a>

Create a Regional pool within the top-level pool. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR. You’ll add the locale to the Regional pool when you create the Regional pool in this section. The `Locale` must be part of one of the operating Regions you configured when you created the IPAM. For example, a locale of *us-east-1* means that *us-east-1* must be an operating Region for the IPAM. A locale of *us-east-1-scl-1* (a network border group used for Local Zones) means that the IPAM must have an operating Region of *us-east-1*.

This step must be done by the IPAM account.

**To create a Regional pool within a top-level pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a **Description** for the pool.

1. Under **Source**, choose the top-level pool that you created in the previous section.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Under **Locale**, choose the locale for the pool. In this tutorial, we'll use `us-east-2` as the locale for the Regional pool. The available options come from the operating Regions that you chose when you created your IPAM.

   The locale for the pool should be one of the following:
   + An AWS Region where you want this IPAM pool to be available for allocations.
   + The network border group for an AWS Local Zone where you want this IPAM pool to be available for allocations ([supported Local Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-zone-avail)). This option is only available for IPAM IPv4 pools in the public scope.
   + An [AWS Dedicated Local Zone](https://aws.amazon.com/dedicatedlocalzones/). To create a pool within an AWS Dedicated Local Zone, enter the AWS Dedicated Local Zone in the selector input.
   + `Global` when you want to use IP addresses globally across all AWS Regions, such as CloudFront locations. The `Global` locale is only available for public IPv4 pools.

   For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.

   Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it.

1. Under **Service**, choose **EC2 (EIP/VPC)**. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is **EC2 (EIP/VPC)**, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs).

1. Under **CIDRs to provision**, choose a CIDR to provision for the pool. 
**Note**  
When provisioning a CIDR to a Regional pool within the top-level pool, the most specific IPv4 CIDR you can provision is `/24`; more specific CIDRs (such as `/25`) are not permitted. After you create the Regional pool, you can create smaller pools (such as `/25`) within the same Regional pool. Note that if you share the Regional pool or pools within it, these pools can only be used in the locale set on the same Regional pool.

1. Enable **Configure this pool's allocation rule settings**. You have the same allocation rule options here as you did when you created the top-level pool. See [Create a top-level IPv4 pool](create-top-ipam.md) for an explanation of the options that are available when you create pools. The allocation rules for the Regional pool are not inherited from the top-level pool. If you do not apply any rules here, there will be no allocation rules set for the pool.

1. (Optional) Choose **Tags** for the pool.

1. When you’ve finished configuring your pool, choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.

## Step 4: Advertise the CIDR
<a name="tutorials-byoip-ipam-ipv4-console-adv"></a>

The steps in this section must be done by the IPAM account. Once you associate the Elastic IP address (EIP) with an instance or Elastic Load Balancer, you can then start advertising the CIDR you brought to AWS that is in the pool that has the **Service EC2 (EIP/VPC)** configured. In this tutorial, that's your Regional pool. By default the CIDR is not advertised, which means it's not publicly accessible over the internet.

**Note**  
The advertisement status doesn't restrict your ability to allocate Elastic IP addresses. Even if your BYOIPv4 CIDR is not advertised, you can still create EIPs from the IPAM pool.

**To advertise the CIDR**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose the Regional pool you created in this tutorial.

1. Choose the **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Advertise**.

1. Choose **Advertise CIDR**.

As a result, the BYOIP CIDR is advertised and the value in the **Advertising** column changes from **Withdrawn** to **Advertised**.

## Step 5: Share the Regional pool
<a name="tutorials-byoip-ipam-ipv4-console-share-reg"></a>

Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM).

### Enable resource sharing in AWS RAM
<a name="61-enable-resource-sharing-in-aws-ram-deux"></a>

After you create your IPAM, you’ll want to share the regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to enable resource sharing, use the `--profile management-account` option.

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.

You can now share an IPAM pool with other members of the organization.

### Share an IPAM pool using AWS RAM
<a name="62-share-an-ipam-pool-using-aws-ram-deux"></a>

In this section you’ll share the regional pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you are using the AWS CLI to share the pool, use the `--profile ipam-account` option.

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope, choose the IPAM pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens. You share the pool using AWS RAM.

1. Choose **Create a resource share**.

1. In the AWS RAM console, choose **Create a resource share** again.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools**, and then choose the ARN of the pool you want to share.

1. Choose **Next**.

1. Choose the **AWSRAMPermissionIpamPoolByoipCidrImport** permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

1. Choose **Next**.

1. Under **Principals** > **Select principal type**, choose **AWS account**, enter the account ID of the account that will be bringing an IP address range to IPAM, and choose **Add**.

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

1. To allow the **member-account** account to allocate IP address CIDRS from the IPAM pool, create a second resource share with `AWSRAMDefaultPermissionsIpamPool`. The value for `--resource-arns` is the ARN of the IPAM pool that you created in the previous section. The value for `--principals` is the account ID of the **member-account**. The value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.
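The CLI form of this step, as an added example that is not from the AWS documentation: it creates both resource shares described above from the `ipam-account` profile, using the `--resource-arns`, `--principals`, and `--permission-arns` options named in the last step, and then confirms from the member account that the pool is visible to it. The pool ARN and the member account ID are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS docs): share the Regional pool from the IPAM account with
# AWS RAM, creating the two resource shares this step describes.
# The pool ARN and member account ID are placeholders; replace them with your own.
set -eu

POOL_ARN=${POOL_ARN:-arn:aws:ec2::222222222222:ipam-pool/ipam-pool-PLACEHOLDER}  # placeholder
MEMBER_ACCOUNT_ID=${MEMBER_ACCOUNT_ID:-333333333333}                               # placeholder

# AWS managed RAM permissions are addressed as arn:aws:ram::aws:permission/<Name>.
permission_arn() { printf 'arn:aws:ram::aws:permission/%s\n' "$1"; }

# Create one resource share for the pool carrying a single managed permission,
# and print the ARN of the new share (needed later to delete it during cleanup).
share_pool() {
  name=$1; permission=$2
  aws ram create-resource-share --profile ipam-account \
    --name "$name" \
    --resource-arns "$POOL_ARN" \
    --principals "$MEMBER_ACCOUNT_ID" \
    --permission-arns "$(permission_arn "$permission")" \
    --query 'resourceShare.resourceShareArn' --output text
}

share_regional_pool() {
  # The permission chosen in the console steps above.
  share_pool ipam-pool-byoip-cidr-import AWSRAMPermissionIpamPoolByoipCidrImport
  # The second share, so the member account can allocate CIDRs from the pool.
  share_pool ipam-pool-default AWSRAMDefaultPermissionsIpamPool
}

# From the member account, confirm that the shared pool is now visible to it.
verify_share() {
  aws ram list-resources --profile member-account --resource-owner OTHER-ACCOUNTS \
    --resource-arns "$POOL_ARN" --query 'resources[].arn' --output text
}

if [ "${1:-}" = "--apply" ]; then share_regional_pool; verify_share; fi
```

Because sharing with AWS Organizations was enabled in the previous section, the member account does not have to accept an invitation; if `verify_share` prints nothing, check that the organization sharing setting was saved by the management account.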

## Step 6: Allocate an Elastic IP address from the pool
<a name="tutorials-byoip-ipam-ipv4-console-all-eip"></a>

Complete the steps in this section to allocate an Elastic IP address from the pool. Note that if you are using public IPv4 pools to allocate Elastic IP addresses, you can use the alternative steps in [Alternative to Step 6](#tutorials-byoip-ipam-ipv4-alt) rather than the steps in this section.

**Important**  
If you see an error related to not having permissions to call ec2:AllocateAddress, the managed permission currently assigned to the IPAM pool that was shared with you needs to be updated. Contact the person who created the resource share and ask them to update the managed permission `AWSRAMPermissionIpamResourceDiscovery` to the default version. For more information, see [Update a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-update.html) in the *AWS RAM User Guide*.

------
#### [ AWS Management Console ]

Follow the steps in [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide* to allocate the address, but note the following:
+ This step must be done by the member account.
+ Ensure that the AWS Region you are in within the EC2 console matches the Locale option you chose when you created the Regional pool.
+ When you choose the address pool, choose the option to **Allocate using an IPv4 IPAM pool** and choose the Regional pool you created.

------
#### [ Command line ]

Allocate an address from the pool with the [allocate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/allocate-address.html) command. The `--region` you use must match the `--locale` option you chose when you created the pool in Step 2. Include the ID of the IPAM pool you created in Step 2 in `--ipam-pool-id`. Optionally, you can also choose a specific `/32` in your IPAM pool by using the `--address` option.

```
aws ec2 allocate-address --region us-east-1 --ipam-pool-id ipam-pool-07ccc86aa41bef7ce
```

Example response:

```
{                                                    
    "PublicIp": "18.97.0.41",                        
    "AllocationId": "eipalloc-056cdd6019c0f4b46",    
    "PublicIpv4Pool": "ipam-pool-07ccc86aa41bef7ce", 
    "NetworkBorderGroup": "us-east-1",               
    "Domain": "vpc"                                  
}
```

For more information, see [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide*.

------

## Step 7: Associate the Elastic IP address with an EC2 instance
<a name="tutorials-byoip-ipam-ipv4-console-assoc-eip"></a>

Complete the steps in this section to associate the Elastic IP address with an EC2 instance.

------
#### [ AWS Management Console ]

Follow the steps in [Associate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide* to associate the Elastic IP address you allocated from the IPAM pool, but note the following: when you use the AWS Management Console option, the AWS Region you associate the Elastic IP address in must match the Locale option you chose when you created the Regional pool.

This step must be done by the member account.

------
#### [ Command line ]

This step must be done by the member account. Use the `--profile member-account` option.

Associate the Elastic IP address with an instance with the [associate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/allocate-address.html) command. The `--region` you associate the Elastic IP address in must match the `--locale` option you chose when you created the Regional pool.

```
aws ec2 associate-address --region us-east-1 --instance-id i-07459a6fca5b35823 --public-ip 18.97.0.41
```

Example response:

```
{                                                
    "AssociationId": "eipassoc-06aa85073d3936e0e"
}
```

For more information, see [Associate an Elastic IP address with an instance or network interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide*.

------

## Step 8: Cleanup
<a name="tutorials-byoip-ipam-ipv4-console-cleanup"></a>

Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial.

**Step 1: Withdraw the CIDR from advertising**

This step must be done by the IPAM account.

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope.

1. Choose the Regional pool you created in this tutorial.

1. Choose the **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Withdraw from advertising**.

1. Choose **Withdraw CIDR**.

As a result, the BYOIP CIDR is no longer advertised and the value in the **Advertising** column changes from **Advertised** to **Withdrawn**.

**Step 2: Disassociate the Elastic IP address**

This step must be done by the member account. If you are using the AWS CLI, use the `--profile member-account` option.
+ Complete the steps in [Disassociate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating-different) in the *Amazon EC2 User Guide* to disassociate the EIP. When you open EC2 in the AWS Management console, the AWS Region you disassociate the EIP in must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR. In this tutorial, that pool is the Regional pool.

**Step 3: Release the Elastic IP address**

This step must be done by the member account. If you are using the AWS CLI, use the `--profile member-account` option.
+ Complete the steps in [Release an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-releasing) in the *Amazon EC2 User Guide* to release an Elastic IP address (EIP) from the public IPv4 pool. When you open EC2 in the AWS Management console, the AWS Region you allocate the EIP in must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR.

**Step 4: Delete any RAM shares and disable RAM integration with AWS Organizations**

This step must be done by the IPAM account and management account respectively. If you are using the AWS CLI to delete the RAM shares and disable RAM integration, use the `--profile ipam-account` and `--profile management-account` options.
+ Complete the steps in [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) and [Disabling resource sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/security-disable-sharing-with-orgs.html) in the *AWS RAM User Guide*, in that order, to delete the RAM shares and disable RAM integration with AWS Organizations.

**Step 5: Deprovision the CIDRs from the Regional pool and top-level pool**

This step must be done by the IPAM account. If you are using the AWS CLI to deprovision the CIDRs, use the `--profile ipam-account` option.
+ Complete the steps in [Deprovision CIDRs from a pool](depro-pool-cidr-ipam.md) to deprovision the CIDRs from the Regional pool and then the top-level pool, in that order.

**Step 6: Delete the Regional pool and top-level pool**

This step must be done by the IPAM account. If you are using the AWS CLI to delete the pools, use the `--profile ipam-account` option.
+ Complete the steps in [Delete a pool](delete-pool-ipam.md) to delete the Regional pool and then the top-level pool, in that order.
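As an added example (not from the AWS documentation), the six cleanup steps above expressed as AWS CLI commands, run in the required order and each under the profile that step requires. All IDs, ARNs, and the CIDR are placeholders. `LOCALE` is the Regional pool's locale; `IPAM_HOME_REGION` is assumed to be the IPAM's home Region, where the IPAM pool calls are made and where the resource shares are assumed to have been created.

```shell
#!/bin/sh
# Added example (not from the AWS docs): the cleanup steps of this section as CLI commands,
# in the required order, under the account each step requires. All values are placeholders.
set -eu

BYOIP_CIDR=${BYOIP_CIDR:-203.0.113.0/24}                   # placeholder (documentation range)
LOCALE=${LOCALE:-us-east-2}                                # the Regional pool's locale
IPAM_HOME_REGION=${IPAM_HOME_REGION:-us-east-1}            # placeholder: the IPAM's home Region
ASSOCIATION_ID=${ASSOCIATION_ID:-eipassoc-PLACEHOLDER}     # placeholder
ALLOCATION_ID=${ALLOCATION_ID:-eipalloc-PLACEHOLDER}       # placeholder
RESOURCE_SHARE_ARNS=${RESOURCE_SHARE_ARNS:-arn:aws:ram:us-east-1:222222222222:resource-share/PLACEHOLDER}
REGIONAL_POOL_ID=${REGIONAL_POOL_ID:-ipam-pool-REGIONAL-PLACEHOLDER}
TOP_POOL_ID=${TOP_POOL_ID:-ipam-pool-TOP-PLACEHOLDER}

# Step 1 (IPAM account): stop announcing the prefix before anything else is torn down.
withdraw_cidr() {
  aws ec2 withdraw-byoip-cidr --profile ipam-account --region "$LOCALE" --cidr "$BYOIP_CIDR"
}

# Steps 2-3 (member account): the EIP must be disassociated before it can be released.
release_eip() {
  aws ec2 disassociate-address --profile member-account --region "$LOCALE" --association-id "$ASSOCIATION_ID"
  aws ec2 release-address --profile member-account --region "$LOCALE" --allocation-id "$ALLOCATION_ID"
}

# Step 4: delete the shares from the IPAM account, then disable org sharing from the management account.
remove_ram_sharing() {
  for arn in $RESOURCE_SHARE_ARNS; do
    aws ram delete-resource-share --profile ipam-account --region "$IPAM_HOME_REGION" --resource-share-arn "$arn"
  done
  aws ram disable-sharing-with-aws-organization --profile management-account
}

# Deprovisioning is asynchronous; poll until the CIDR leaves the pending-deprovision state.
wait_deprovisioned() {
  pool=$1
  while [ "$(aws ec2 describe-ipam-pool-cidrs --profile ipam-account --region "$IPAM_HOME_REGION" \
      --ipam-pool-id "$pool" --query "IpamPoolCidrs[?Cidr=='$BYOIP_CIDR'].State" --output text)" = "pending-deprovision" ]; do
    sleep 10
  done
}

# Steps 5-6 (IPAM account): deprovision child before parent, then delete child before parent.
deprovision_and_delete_pools() {
  aws ec2 deprovision-ipam-pool-cidr --profile ipam-account --region "$IPAM_HOME_REGION" --ipam-pool-id "$REGIONAL_POOL_ID" --cidr "$BYOIP_CIDR"
  wait_deprovisioned "$REGIONAL_POOL_ID"
  aws ec2 deprovision-ipam-pool-cidr --profile ipam-account --region "$IPAM_HOME_REGION" --ipam-pool-id "$TOP_POOL_ID" --cidr "$BYOIP_CIDR"
  wait_deprovisioned "$TOP_POOL_ID"
  aws ec2 delete-ipam-pool --profile ipam-account --region "$IPAM_HOME_REGION" --ipam-pool-id "$REGIONAL_POOL_ID"
  aws ec2 delete-ipam-pool --profile ipam-account --region "$IPAM_HOME_REGION" --ipam-pool-id "$TOP_POOL_ID"
}

cleanup() { withdraw_cidr; release_eip; remove_ram_sharing; deprovision_and_delete_pools; }

if [ "${1:-}" = "--apply" ]; then cleanup; fi
```

The order is not cosmetic: a CIDR cannot be deprovisioned while it is still advertised or while an Elastic IP address is allocated from it, and a pool cannot be deleted while it still holds a provisioned CIDR, so each failure stops the script at the step that still has a dependency.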

## Alternative to Step 6
<a name="tutorials-byoip-ipam-ipv4-alt"></a>

If you are using public IPv4 pools to allocate Elastic IP addresses, you can use the steps in this section rather than the steps in [Step 6: Allocate an Elastic IP address from the pool](#tutorials-byoip-ipam-ipv4-console-all-eip).

**Topics**
+ [Step 1: Create a public IPv4 pool](#tutorials-byoip-ipam-ipv4-console-alt-pool)
+ [Step 2: Provision the public IPv4 CIDR to your public IPv4 pool](#tutorials-byoip-ipam-ipv4-console-alt-cidr)
+ [Step 3: Allocate an Elastic IP address from the public IPv4 pool](#tutorials-byoip-ipam-ipv4-console-alt-eip)
+ [Alternative to Step 6 cleanup](#tutorials-byoip-ipam-ipv4-console-alt-cleanup)

### Step 1: Create a public IPv4 pool
<a name="tutorials-byoip-ipam-ipv4-console-alt-pool"></a>

This step should be done by the member account that will provision an Elastic IP address.

**Note**  
This step must be done by the member account using the AWS CLI.
Public IPv4 pools and IPAM pools are managed by distinct resources in AWS. Public IPv4 pools are single account resources that enable you to convert your publicly-owned CIDRs to Elastic IP addresses. IPAM pools can be used to allocate your public space to public IPv4 pools.

**To create a public IPv4 pool using the AWS CLI**
+ Run the following command to provision the CIDR. When you run the command in this section, the value for `--region` must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR.

  ```
  aws ec2 create-public-ipv4-pool --region us-east-2 --profile member-account
  ```

  In the output, you'll see the public IPv4 pool ID. You will need this ID in the next step.

  ```
  {
      "PoolId": "ipv4pool-ec2-09037ce61cf068f9a"
  }
  ```

### Step 2: Provision the public IPv4 CIDR to your public IPv4 pool
<a name="tutorials-byoip-ipam-ipv4-console-alt-cidr"></a>

Provision the public IPv4 CIDR to your public IPv4 pool. The value for `--region` must match the `Locale` value you chose when you created the pool that will be used for the BYOIP CIDR. The `--netmask-length` is the amount of space out of the IPAM pool that you want to bring to your public pool. The value cannot be larger than the netmask length of the IPAM pool. The least specific `--netmask-length` you can define is `24`.

**Note**  
If you are bringing a `/24` CIDR range to IPAM to share across an AWS Organization, you can provision smaller prefixes to multiple IPAM pools, say `/27` (using `--netmask-length 27`), rather than provisioning the entire `/24` CIDR (using `--netmask-length 24`) as is shown in this tutorial.
This step must be done by the member account using the AWS CLI.

**To provision a CIDR to a public IPv4 pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-public-ipv4-pool-cidr --region us-east-2 --ipam-pool-id ipam-pool-04d8e2d9670eeab21 --pool-id ipv4pool-ec2-09037ce61cf068f9a --netmask-length 24 --profile member-account
   ```

   In the output, you'll see the provisioned CIDR.

   ```
   {                                      
       "PoolId": "ipv4pool-ec2-09037ce61cf068f9a", 
       "PoolAddressRange": {                       
           "FirstAddress": "130.137.245.0",        
           "LastAddress": "130.137.245.255",       
           "AddressCount": 256,                    
           "AvailableAddressCount": 256            
       }                                           
   }
   ```

1. Run the following command to view the CIDR provisioned in the public IPv4 pool.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-2 --max-results 10 --profile member-account
   ```

   In the output, you'll see the provisioned CIDR. By default the CIDR is not advertised, which means it's not publicly accessible over the internet. You will have the chance to set this CIDR to advertised in the last step of this tutorial.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
               "Description": "",
               "PoolAddressRanges": [
                   {
                       "FirstAddress": "130.137.245.0",
                       "LastAddress": "130.137.245.255",
                       "AddressCount": 256,
                       "AvailableAddressCount": 255
                   }
               ],
               "TotalAddressCount": 256,
               "TotalAvailableAddressCount": 255,
               "NetworkBorderGroup": "us-east-2",
               "Tags": []
           }
       ]
   }
   ```

Once you create the public IPv4 pool, to view the public IPv4 pool allocated in the IPAM Regional pool, open the IPAM console and view the allocation in the Regional pool under **Allocations** or **Resources**.
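
The Note above points out that a `/24` can be provisioned to several public IPv4 pools in smaller pieces. As an added example that is not part of this guide or of the AWS CLI, the following Python script checks such a plan against the two limits the tutorial states (nothing less specific than `/24`, and nothing larger than the IPAM pool CIDR) and shows which sub-prefixes the plan consumes and what stays free. The function names, the sample `/24` and the ascending first-fit assignment are this example's own assumptions; IPAM picks the actual addresses when you run `provision-public-ipv4-pool-cidr`, so treat the result as a capacity check rather than a prediction of the ranges you will get.

```python
import ipaddress

# From the tutorial: the least specific --netmask-length a public IPv4 pool accepts is /24.
LEAST_SPECIFIC_PUBLIC_POOL_NETMASK = 24


def plan_public_pool_prefixes(ipam_pool_cidr, netmask_lengths):
    """Check that a series of provision-public-ipv4-pool-cidr calls, one per value in
    netmask_lengths, fits inside the IPAM pool CIDR, and return the sub-prefixes that an
    ascending first-fit assignment would consume (assumption: IPAM may choose different
    addresses, so this is a capacity check, not a prediction).
    """
    pool = ipaddress.ip_network(ipam_pool_cidr, strict=True)
    if pool.version != 4:
        raise ValueError("public IPv4 pools are provisioned from IPv4 IPAM pools only")
    if pool.prefixlen > LEAST_SPECIFIC_PUBLIC_POOL_NETMASK:
        raise ValueError(f"{pool} is more specific than /{LEAST_SPECIFIC_PUBLIC_POOL_NETMASK}; "
                         "nothing can be provisioned from it")

    planned = []
    cursor = int(pool.network_address)      # next free address of the pool, as an integer
    end = int(pool.broadcast_address) + 1   # one past the last address of the pool
    for length in netmask_lengths:
        if length < LEAST_SPECIFIC_PUBLIC_POOL_NETMASK:
            raise ValueError(f"--netmask-length {length} is less specific than the "
                             f"/{LEAST_SPECIFIC_PUBLIC_POOL_NETMASK} floor")
        if length < pool.prefixlen:
            raise ValueError(f"--netmask-length {length} asks for more space than the "
                             f"/{pool.prefixlen} IPAM pool holds")
        size = 1 << (32 - length)
        start = -(-cursor // size) * size   # round the cursor up to a /length boundary
        if start + size > end:
            raise ValueError(f"no room left in {pool} for a /{length} after "
                             f"{[str(n) for n in planned]}")
        planned.append(ipaddress.IPv4Network((start, length)))
        cursor = start + size
    return planned


def unused_prefixes(ipam_pool_cidr, planned):
    """Return the parts of the IPAM pool CIDR that the plan leaves free, as sorted CIDR blocks."""
    remaining = [ipaddress.ip_network(ipam_pool_cidr, strict=True)]
    for block in planned:
        kept = []
        for free in remaining:
            if block.subnet_of(free):
                kept.extend(free.address_exclude(block))   # yields nothing when block == free
            else:
                kept.append(free)
        remaining = kept
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed example: split the tutorial's /24 into two /27 pools and one /25 pool.
    plan = plan_public_pool_prefixes("130.137.245.0/24", [27, 27, 25])
    for block in plan:
        print(f"--netmask-length {block.prefixlen}  (first-fit estimate: {block})")
    print("left free:", [str(n) for n in unused_prefixes("130.137.245.0/24", plan)])
```

Each returned block corresponds to one `provision-public-ipv4-pool-cidr` call with that `--netmask-length`; run `unused_prefixes` on the plan to see how much of the Regional pool's CIDR stays available for other accounts.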

### Step 3: Allocate an Elastic IP address from the public IPv4 pool
<a name="tutorials-byoip-ipam-ipv4-console-alt-eip"></a>

Complete the steps in [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide* to allocate an EIP from the public IPv4 pool. When you open EC2 in the AWS Management Console, the AWS Region you allocate the EIP in must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR.

This step must be done by the member account. If you are using the AWS CLI, use the `--profile member-account` option.

Once you've completed these three steps, return to [Step 7: Associate the Elastic IP address with an EC2 instance](#tutorials-byoip-ipam-ipv4-console-assoc-eip) and continue until you complete the tutorial.

### Alternative to Step 6 cleanup
<a name="tutorials-byoip-ipam-ipv4-console-alt-cleanup"></a>

Complete these steps to clean up public IPv4 pools created with the alternative to Step 9. You should complete these steps after you release the Elastic IP address during the standard cleanup process in [Step 8: Cleanup](#tutorials-byoip-ipam-ipv4-console-cleanup).

**Step 1: Deprovision the public IPv4 CIDR from your public IPv4 pool**

**Important**  
This step must be done by the member account using the AWS CLI.

1. View your BYOIP CIDRs.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-2 --profile member-account
   ```

   In the output, you'll see the IP addresses in your BYOIP CIDR.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
               "Description": "",
               "PoolAddressRanges": [
                   {
                       "FirstAddress": "130.137.245.0",
                       "LastAddress": "130.137.245.255",
                       "AddressCount": 256,
                       "AvailableAddressCount": 256
                   }
               ],
               "TotalAddressCount": 256,
               "TotalAvailableAddressCount": 256,
               "NetworkBorderGroup": "us-east-2",
               "Tags": []
           }
       ]
   }
   ```

1. Run the following command to release the CIDR from the public IPv4 pool. 

   ```
   aws ec2 deprovision-public-ipv4-pool-cidr --region us-east-2 --pool-id ipv4pool-ec2-09037ce61cf068f9a --cidr 130.137.245.0/24 --profile member-account
   ```

1. View your BYOIP CIDRs again and ensure there are no more provisioned addresses. When you run the command in this section, the value for `--region` must match the Region of your IPAM.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-2 --profile member-account
   ```

   In the output, you'll see the address count in your public IPv4 pool.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
               "Description": "",
               "PoolAddressRanges": [],
               "TotalAddressCount": 0,
               "TotalAvailableAddressCount": 0,
               "NetworkBorderGroup": "us-east-2",
               "Tags": []
           }
       ]
   }
   ```

**Note**  
It can take some time for IPAM to discover that public IPv4 pool allocations have been removed. You cannot continue to clean up and deprovision the IPAM pool CIDR until you see that the allocation has been removed from IPAM.
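
Before running `deprovision-public-ipv4-pool-cidr` and `delete-public-ipv4-pool`, it helps to check the `describe-public-ipv4-pools` output programmatically rather than by eye. The Python below is an added example, not part of this guide or of the AWS CLI: it reads the JSON the CLI prints (the two samples embedded here are copied from the outputs shown on this page, one taken while an Elastic IP address is still allocated from the pool and one taken after the CIDR was deprovisioned), reports why a CIDR is not yet safe to deprovision, and tells you whether the pool is empty enough to delete. The function names and message text are this example's own; the rule that every address must be available first follows from the tutorial's requirement to release the Elastic IP address before this cleanup.

```python
import ipaddress
import json

# Constructed samples, copied from the describe-public-ipv4-pools outputs shown on this page.
OUTPUT_EIP_STILL_ALLOCATED = json.loads("""
{
    "PublicIpv4Pools": [
        {
            "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
            "Description": "",
            "PoolAddressRanges": [
                {
                    "FirstAddress": "130.137.245.0",
                    "LastAddress": "130.137.245.255",
                    "AddressCount": 256,
                    "AvailableAddressCount": 255
                }
            ],
            "TotalAddressCount": 256,
            "TotalAvailableAddressCount": 255,
            "NetworkBorderGroup": "us-east-2",
            "Tags": []
        }
    ]
}
""")

OUTPUT_DEPROVISIONED = json.loads("""
{
    "PublicIpv4Pools": [
        {
            "PoolId": "ipv4pool-ec2-09037ce61cf068f9a",
            "Description": "",
            "PoolAddressRanges": [],
            "TotalAddressCount": 0,
            "TotalAvailableAddressCount": 0,
            "NetworkBorderGroup": "us-east-2",
            "Tags": []
        }
    ]
}
""")


def find_pool(describe_output, pool_id):
    """Return the record for pool_id from a describe-public-ipv4-pools result, or None."""
    for pool in describe_output.get("PublicIpv4Pools", []):
        if pool["PoolId"] == pool_id:
            return pool
    return None


def range_for_cidr(pool, cidr):
    """Return the PoolAddressRanges entry whose first and last address match cidr, or None."""
    net = ipaddress.ip_network(cidr, strict=True)
    for entry in pool["PoolAddressRanges"]:
        if (ipaddress.ip_address(entry["FirstAddress"]) == net.network_address
                and ipaddress.ip_address(entry["LastAddress"]) == net.broadcast_address):
            return entry
    return None


def deprovision_blockers(pool, cidr):
    """List why deprovision-public-ipv4-pool-cidr for cidr should not be run yet.

    An empty list means the CIDR is provisioned and every address in it is available,
    i.e. the Elastic IP addresses drawn from it have already been released.
    """
    entry = range_for_cidr(pool, cidr)
    if entry is None:
        return [f"{cidr} is not provisioned in {pool['PoolId']}"]
    in_use = entry["AddressCount"] - entry["AvailableAddressCount"]
    if in_use > 0:
        return [f"{in_use} address(es) in {cidr} still allocated; "
                "release the Elastic IP address(es) first"]
    return []


def ready_to_delete(pool):
    """True once no address range remains, the state delete-public-ipv4-pool expects."""
    return not pool["PoolAddressRanges"] and pool["TotalAddressCount"] == 0


if __name__ == "__main__":
    pool_id = "ipv4pool-ec2-09037ce61cf068f9a"
    for label, output in (("before release", OUTPUT_EIP_STILL_ALLOCATED),
                          ("after deprovision", OUTPUT_DEPROVISIONED)):
        pool = find_pool(output, pool_id)
        print(label, "blockers:", deprovision_blockers(pool, "130.137.245.0/24"),
              "ready to delete:", ready_to_delete(pool))
```

To use it on live output, pipe `aws ec2 describe-public-ipv4-pools --region us-east-2 --profile member-account --output json` into `json.load` and pass the result to `find_pool`; an empty list from `deprovision_blockers` followed by `True` from `ready_to_delete` on the next run is the signal to move on to Step 2.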

**Step 2: Delete the public IPv4 pool**

This step must be done by the member account.
+ Run the following command to delete the public IPv4 pool. When you run the command in this section, the value for `--region` must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR. In this tutorial, that pool is the Regional pool. This step must be done using the AWS CLI.

  ```
  aws ec2 delete-public-ipv4-pool --region us-east-2 --pool-id ipv4pool-ec2-09037ce61cf068f9a --profile member-account
  ```

  In the output, you'll see the return value **true**.

  ```
  {
      "ReturnValue": true
  }
  ```

  Once you delete the pool, to view the allocation unmanaged by IPAM, open the IPAM console and view the details of the Regional pool under **Allocations**.

# Bring your own IPv6 CIDR to IPAM using the AWS Management Console
<a name="tutorials-byoip-ipam-console-ipv6"></a>

Follow the steps in this tutorial to bring an IPv6 CIDR to IPAM and allocate a VPC with the CIDR using both the AWS Management Console and the AWS CLI.

If you do not need to advertise your IPv6 addresses over the Internet, you can provision a private GUA IPv6 address to an IPAM. For more information, see [Enable provisioning private IPv6 GUA CIDRs](enable-prov-ipv6-gua.md).

**Important**  
This tutorial assumes you have already completed the steps in the following sections:  
[Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
[Create an IPAM](create-ipam.md).
Each step of this tutorial must be done by one of three AWS Organizations accounts:  
The management account.
The member account configured to be your IPAM administrator in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md). In this tutorial, this account will be called the IPAM account.
The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.

**Topics**
+ [Step 1: Create a top-level IPAM pool](#tutorials-byoip-ipam-ipv6-console-1)
+ [Step 2. Create a Regional pool within the top-level pool](#tutorials-byoip-ipam-ipv6-console-2)
+ [Step 3. Share the Regional pool](#tutorials-byoip-ipam-ipv4-console-4-deux)
+ [Step 4: Create a VPC](#tutorials-byoip-ipam-ipv6-console-4)
+ [Step 5: Advertise the CIDR](#tutorials-byoip-ipam-ipv6-console-5)
+ [Step 6: Cleanup](#tutorials-byoip-ipam-ipv6-console-cleanup)

## Step 1: Create a top-level IPAM pool
<a name="tutorials-byoip-ipam-ipv6-console-1"></a>

Since you are going to create a top-level IPAM pool with a Regional pool within it, and we’re going to allocate space to a resource from the Regional pool, you will set the locale on the Regional pool and not the top-level pool. You’ll add the locale to the Regional pool when you create the Regional pool in a later step. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

**To create a pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a **Description** for the pool.

1. Under **Source**, choose **IPAM scope**.

1. Under **Address family**, choose **IPv6**.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Under **Locale**, choose **None**. You will set the locale on the Regional pool.

   The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.
**Note**  
If you are creating a single pool only and not a top-level pool with Regional pools within it, you would want to choose a Locale for this pool so that the pool is available for allocations.

1. Under **Public IP source**, **BYOIP** is selected by default.

1. Under **CIDRs to provision**, do one of the following:
   + If you [verified your domain control with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert), you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space. 
   + If you [verified your domain control with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt), you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.

   Note that when provisioning an IPv6 CIDR to a pool within the top-level pool, the most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.
**Important**  
While most provisioning will be completed within two hours, it may take up to one week to complete the provisioning process for publicly advertisable ranges.

1. Leave **Configure this pool's allocation rule settings** unselected.

1. (Optional) Choose **Tags** for the pool.

1. Choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.

## Step 2. Create a Regional pool within the top-level pool
<a name="tutorials-byoip-ipam-ipv6-console-2"></a>

Create a Regional pool within the top-level pool. A Locale is required on the pool and it must be one of the operating Regions you configured when you created the IPAM.

This step must be done by the IPAM account.

**To create a Regional pool within a top-level pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a description for the pool.

1. Under **Source**, choose the top-level pool that you created in the previous section.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. For more information about using this option to plan for subnet IP space within a VPC, see [Tutorial: Plan VPC IP address space for subnet IP allocations](tutorials-subnet-planning.md).

1. Choose the locale for the pool. Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it. The available options come from the operating Regions that you chose when you created your IPAM. In this tutorial, we'll use `us-east-2` as the locale for the Regional pool.

   The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different than the home Region of the IPAM, the pool can still be used to allocate IP addresses.

1. Under **Service**, choose **EC2 (EIP/VPC)**. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is **EC2 (EIP/VPC)**, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service and the Amazon VPC service (for CIDRs associated with VPCs).

1. Under **CIDRs to provision**, choose a CIDR to provision for the pool. Note that when provisioning an IPv6 CIDR to a pool within the top-level pool, the most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.

1. Enable **Configure this pool's allocation rule settings** and choose optional allocation rules for this pool:
   + **Automatically import discovered resources**: This option is not available if the **Locale** is set to **None**. If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. Note the following:
     + The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed.
     + IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant.
     + If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only.
     + If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
   + **Minimum netmask length**: The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant and the largest size CIDR block that can be allocated from the pool. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are `0` - `32`. Possible netmask lengths for IPv6 addresses are `0` - `128`.
   + **Default netmask length**: A default netmask length for allocations added to this pool.
   + **Maximum netmask length**: The maximum netmask length that will be required for CIDR allocations in this pool. This value dictates the smallest size CIDR block that can be allocated from the pool. Ensure that this value is minimum **/48**.
   + **Tagging requirements**: The tags that are required for resources to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging rules are changed on the pool, the resource may be marked as noncompliant.
   + **Locale**: The locale that will be required for resources that use CIDRs from this pool. Automatically imported resources that do not have this locale will be marked noncompliant. Resources that are not automatically imported into the pool will not be allowed to allocate space from the pool unless they are in this locale.

1. (Optional) Choose **Tags** for the pool.

1. When you’ve finished configuring your pool, choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.
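
Steps 1 and 2 both state limits on what can be provisioned to a pool within the top-level pool (an IPv6 CIDR no more specific than `/48` if publicly advertisable, `/60` if not) and Step 2 lists ordering rules for the allocation rule settings. As an added example that is not part of this guide or of the IPAM service, the Python below checks a CIDR and a set of allocation rules against those statements before you type them into the console. The function names, the `2001:db8::` sample prefixes, the IPv4 `/24` limit (taken from the IPv4 tutorial on this page) and the rule that the default netmask length must lie between the minimum and maximum are this example's own assumptions.

```python
import ipaddress

# Most specific CIDR that may be provisioned to a pool within the top-level pool, per this guide.
MOST_SPECIFIC_IPV6 = {"advertisable": 48, "non-advertisable": 60}
MOST_SPECIFIC_IPV4 = 24   # from the IPv4 tutorial on this page
# Netmask lengths the allocation rule settings accept, per address family.
NETMASK_RANGE = {"ipv4": (0, 32), "ipv6": (0, 128)}


def check_byoip_cidr(cidr, publicly_advertisable=True):
    """Return a list of problems with provisioning cidr (empty list: within the limits)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 6:
        kind = "advertisable" if publicly_advertisable else "non-advertisable"
        limit = MOST_SPECIFIC_IPV6[kind]
    else:
        kind = "IPv4"
        limit = MOST_SPECIFIC_IPV4
    if net.prefixlen > limit:
        return [f"{net} is more specific than the /{limit} limit for {kind} CIDRs"]
    return []


def check_allocation_rules(address_family, minimum, default, maximum):
    """Validate minimum/default/maximum netmask lengths for a pool's allocation rules.

    The range per address family, minimum < maximum, and the /48 floor for an IPv6
    pool's maximum come from the guide; that the default must lie between minimum and
    maximum is this example's assumption.
    """
    low, high = NETMASK_RANGE[address_family]
    problems = []
    for name, value in (("minimum", minimum), ("default", default), ("maximum", maximum)):
        if not low <= value <= high:
            problems.append(f"{name} netmask length /{value} is outside /{low}-/{high} for {address_family}")
    if minimum >= maximum:
        problems.append(f"minimum /{minimum} must be less than maximum /{maximum}")
    if not minimum <= default <= maximum:
        problems.append(f"default /{default} should lie between /{minimum} and /{maximum}")
    if address_family == "ipv6" and maximum < 48:
        problems.append(f"maximum /{maximum} is less specific than the /48 the guide calls for")
    return problems


if __name__ == "__main__":
    # Constructed samples: a /56 is too specific to advertise but fine as a private range.
    print(check_byoip_cidr("2001:db8::/56"))
    print(check_byoip_cidr("2001:db8::/56", publicly_advertisable=False))
    print(check_allocation_rules("ipv6", 48, 56, 64))
```

Run `check_byoip_cidr` on the CIDR you plan to enter under **CIDRs to provision**, and `check_allocation_rules` on the three netmask values before enabling **Configure this pool's allocation rule settings**; an empty list in both cases means the values fit the limits the steps describe.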

## Step 3. Share the Regional pool
<a name="tutorials-byoip-ipam-ipv4-console-4-deux"></a>

 Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM). 

### Enable resource sharing in AWS RAM
<a name="61-enable-resource-sharing-in-aws-ram-deux"></a>

 After you create your IPAM, you’ll want to share the regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to enable resource sharing, use the `--profile management-account` option.

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.

 You can now share an IPAM pool with other members of the organization.

### Share an IPAM pool using AWS RAM
<a name="62-share-an-ipam-pool-using-aws-ram-deux"></a>

 In this section you’ll share the regional pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you are using the AWS CLI to enable resource sharing, use the `--profile ipam-account` option.

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope, choose the IPAM pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens. You share the pool using AWS RAM.

1. Choose **Create a resource share**.

1. In the AWS RAM console, choose **Create a resource share** again.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools,** and then choose the ARN of the pool you want to share.

1. Choose **Next**.

1. Choose the **AWSRAMPermissionIpamPoolByoipCidrImport** permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

1. Choose **Next**.

1. Under **Principals** > **Select principal type**, choose **AWS account**, enter the account ID of the account that will be bringing an IP address range to IPAM, and choose **Add**.

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

1. To allow the **member-account** account to allocate IP address CIDRs from the IPAM pool, create a second resource share with `AWSRAMDefaultPermissionsIpamPool`. The value for `--resource-arns` is the ARN of the IPAM pool that you created in the previous section. The value for `--principals` is the account ID of the **member-account**. The value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.

## Step 4: Create a VPC
<a name="tutorials-byoip-ipam-ipv6-console-4"></a>

Complete the steps in [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the *Amazon VPC User Guide*.

This step must be done by the member account.

**Note**  
When you open VPC in the AWS Management console, the AWS Region you create the VPC in must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR.
When you reach the step to choose a CIDR for the VPC, you will have an option to use a CIDR from an IPAM pool. Choose the Regional pool you created in this tutorial.

When you create the VPC, AWS allocates a CIDR in the IPAM pool to the VPC. You can view the allocation in IPAM by choosing a pool in the content pane of the IPAM console and viewing the **Allocations** tab for the pool.

## Step 5: Advertise the CIDR
<a name="tutorials-byoip-ipam-ipv6-console-5"></a>

Once you create the VPC, you can start advertising the CIDR you brought to AWS that is in the pool that has the **Service EC2 (EIP/VPC)** configured. In this tutorial, that's your Regional pool. By default the CIDR is not advertised, which means it's not publicly accessible over the internet.

This step must be done by the IPAM account.

**To advertise the CIDR**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose the Regional pool you created in this tutorial.

1. Choose the **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Advertise**.

1. Choose **Advertise CIDR**.

As a result, the BYOIP CIDR is advertised and the value in the **Advertising** column changes from **Withdrawn** to **Advertised**.

## Step 6: Cleanup
<a name="tutorials-byoip-ipam-ipv6-console-cleanup"></a>

Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial.

**Step 1: Withdraw the CIDR from advertising**

This step must be done by the IPAM account.

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. By default, when you create a pool, the default private scope is selected. Choose the public scope.

1. Choose the Regional pool you created in this tutorial.

1. Choose the **CIDRs** tab.

1. Select the BYOIP CIDR and choose **Actions** > **Withdraw from advertising**.

1. Choose **Withdraw CIDR**.

As a result, the BYOIP CIDR is no longer advertised and the value in the **Advertising** column changes from **Advertised** to **Withdrawn**.

**Step 2: Delete the VPC**

This step must be done by the member account.
+ Complete the steps in [Delete a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/delete-vpc.html) in the *Amazon VPC User Guide* to delete the VPC. When you open VPC in the AWS Management Console, the AWS Region you delete the VPC from must match the `Locale` option you chose when you created the pool that will be used for the BYOIP CIDR. In this tutorial, that pool is the Regional pool.

  When you delete the VPC, it takes time for IPAM to discover that the resource has been deleted and to deallocate the CIDR allocated to the VPC. You cannot continue to the next step in the cleanup until you see that IPAM has removed the allocation from the pool in the pool details **Allocations** tab.

**Step 3: Delete the RAM shares and disable RAM integration with AWS Organizations**

This step must be done by the IPAM account and management account respectively.
+ Complete the steps in [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) and [Disabling resource sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/security-disable-sharing-with-orgs.html) in the *AWS RAM User Guide*, in that order, to delete the RAM shares and disable RAM integration with AWS Organizations.

**Step 4: Deprovision the CIDRs from the Regional pool and top-level pool**

This step must be done by the IPAM account.
+ Complete the steps in [Deprovision CIDRs from a pool](depro-pool-cidr-ipam.md) to deprovision the CIDRs from the Regional pool and then the top-level pool, in that order.

**Step 5: Delete the Regional pool and top-level pool**

This step must be done by the IPAM account.
+ Complete the steps in [Delete a pool](delete-pool-ipam.md) to delete the Regional pool and then the top-level pool, in that order.

# Bring your own IP CIDR to IPAM using only the AWS CLI
<a name="tutorials-byoip-ipam-cli-only-intro"></a>

Bringing Your Own IP (BYOIP) to IPAM allows you to use your organization's existing IPv4 and IPv6 address ranges in AWS. This enables you to maintain consistent branding, improve network performance, enhance security, and simplify management by unifying on-premises and cloud environments under your own IP address space.

Follow these steps to bring an IPv4 or IPv6 CIDR to IPAM using only the AWS CLI.

**Note**  
Before you begin, you must have first [verified domain control](tutorials-byoip-ipam-domain-verification-methods.md).

Once you bring an IPv4 address range to AWS, you can use all of the IP addresses in the range, including the first address (the network address) and the last address (the broadcast address).

**Topics**
+ [Bring your own public IPv4 CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-ipv4.md)
+ [Bring your own IPv6 CIDR to IPAM using only the AWS CLI](tutorials-byoip-ipam-ipv6.md)

# Bring your own public IPv4 CIDR to IPAM using only the AWS CLI
<a name="tutorials-byoip-ipam-ipv4"></a>

Follow these steps to bring an IPv4 CIDR to IPAM and allocate an Elastic IP address (EIP) with the CIDR using only the AWS CLI.

**Important**  
This tutorial assumes you have already completed the steps in the following sections:  
[Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
[Create an IPAM](create-ipam.md).
Each step of this tutorial must be done by one of three AWS Organizations accounts:  
The management account.
The member account configured to be your IPAM administrator in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md). In this tutorial, this account will be called the IPAM account.
The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.

**Topics**
+ [Step 1: Create AWS CLI named profiles and IAM roles](#tutorials-create-profiles)
+ [Step 2: Create an IPAM](#tutorials-byoip-ipam-ipv4-2)
+ [Step 3: Create a top-level IPAM pool](#tutorials-byoip-ipam-ipv4-3)
+ [Step 4: Provision a CIDR to the top-level pool](#tutorials-byoip-ipam-ipv4-4)
+ [Step 5: Create a Regional pool within the top-level pool](#tutorials-byoip-ipam-ipv4-5)
+ [Step 6: Provision a CIDR to the Regional pool](#tutorials-byoip-ipam-ipv4-6)
+ [Step 7: Advertise the CIDR](#tutorials-byoip-ipam-ipv4-11)
+ [Step 8: Share the Regional pool](#tutorials-byoip-ipam-ipv4-console-4-deux)
+ [Step 9: Allocate an Elastic IP address from the pool](#tutorials-byoip-ipam-ipv4-console-cli-all-eip)
+ [Step 10: Associate the Elastic IP address with an EC2 instance](#tutorials-byoip-ipam-ipv4-console-cli-assoc-eip)
+ [Step 11: Cleanup](#tutorials-byoip-ipam-ipv4-cli-cleanup)
+ [Alternative to Step 9](#tutorials-byoip-ipam-ipv4-cli-alt)

## Step 1: Create AWS CLI named profiles and IAM roles
<a name="tutorials-create-profiles"></a>

To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch from one IAM role to another. [Named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles) are collections of settings and credentials that you refer to when using the `--profile` option with the AWS CLI. For more information about how to create IAM roles and named profiles for AWS accounts, see [Using an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).

Create one role and one named profile for each of the three AWS accounts you will use in this tutorial:
+ A profile called `management-account` for the AWS Organizations management account.
+ A profile called `ipam-account` for the AWS Organizations member account that is configured to be your IPAM administrator.
+ A profile called `member-account` for the AWS Organizations member account in your organization which will allocate CIDRs from an IPAM pool.

After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the `--profile` option with one of the named profiles to indicate which account must run the command.

## Step 2: Create an IPAM
<a name="tutorials-byoip-ipam-ipv4-2"></a>

This step is optional. If you already have an IPAM with operating Regions of `us-east-1` and `us-west-2`, you can skip this step. Otherwise, create an IPAM and specify `us-east-1` and `us-west-2` as its operating Regions. You must select an operating Region so that you can use the locale option when you create your IPAM pool. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

Run the following command:

```
aws ec2 create-ipam --description my-ipam --region us-east-1 --operating-regions RegionName=us-west-2 --profile ipam-account
```

In the output, you'll see the IPAM you've created. Note the value for `PublicDefaultScopeId`. You will need your public scope ID in the next step. You are using the public scope because BYOIP CIDRs are public IP addresses, which is what the public scope is meant for.

```
{
    "Ipam": {
        "OwnerId": "123456789012",
        "IpamId": "ipam-090e48e75758de279",
        "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
        "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
        "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
        "ScopeCount": 2,
        "Description": "my-ipam",
        "OperatingRegions": [
            {
                "RegionName": "us-east-1"
            },
            {
                "RegionName": "us-west-2"
            }
        ],
        "Tags": []
    }
}
```

## Step 3: Create a top-level IPAM pool
<a name="tutorials-byoip-ipam-ipv4-3"></a>

Complete the steps in this section to create a top-level IPAM pool.

This step must be done by the IPAM account.

**To create an IPv4 address pool for all of your AWS resources using the AWS CLI**

1. Run the following command to create an IPAM pool. Use the ID of the public scope of the IPAM that you created in the previous step.

   This step must be done by the IPAM account.

   ```
   aws ec2 create-ipam-pool --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --description "top-level-IPv4-pool" --address-family ipv4 --profile ipam-account
   ```

   In the output, you'll see `create-in-progress`, which indicates that pool creation is in progress.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "None",
           "PoolDepth": 1,
           "State": "create-in-progress",
           "Description": "top-level-pool",
           "AutoImport": false,
           "AddressFamily": "ipv4",
           "Tags": []
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   The following example output shows the state of the pool.

   ```
   {
       "IpamPools": [
           {
               "OwnerId": "123456789012",
               "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
               "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
               "IpamScopeType": "public",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
               "Locale": "None",
               "PoolDepth": 1,
               "State": "create-complete",
               "Description": "top-level-IPv4-pool",
               "AutoImport": false,
               "AddressFamily": "ipv4",
               "Tags": []
           }
       ]
   }
   ```

## Step 4: Provision a CIDR to the top-level pool
<a name="tutorials-byoip-ipam-ipv4-4"></a>

Provision a CIDR block to the top-level pool. The most specific IPv4 CIDR you can provision is `/24`; more specific CIDRs (such as `/25`) are not permitted.

**Note**  
If you [verified your domain control with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert), you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space. 
If you [verified your domain control with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt), you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.

This step must be done by the IPAM account.

**Important**  
You only need to verify domain control when you provision the BYOIP CIDR to the top-level pool. For the Regional pool within the top-level pool, you can omit the verification option. Once you onboard your BYOIP to IPAM, you are not required to perform ownership validation again when you divide the BYOIP across Regions and accounts.

**To provision a CIDR block to the pool using the AWS CLI**

1. To provision the CIDR with certificate information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace `Message` and `Signature` values with the `text_message` and `signed_message` values that you got in [Verify your domain with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --cidr 130.137.245.0/24 --verification-method remarks-x509 --cidr-authorization-context Message="1|aws|123456789012|130.137.245.0/24|20250101|SHA256|RSAPSS",Signature="W3gdQ9PZHLjPmrnGM~cvGx~KCIsMaU0P7ENO7VRnfSuf9NuJU5RUveQzus~QmF~Nx42j3z7d65uyZZiDRX7KMdW4KadaLiClyRXN6ps9ArwiUWSp9yHM~U-hApR89Kt6GxRYOdRaNx8yt-uoZWzxct2yIhWngy-du9pnEHBOX6WhoGYjWszPw0iV4cmaAX9DuMs8ASR83K127VvcBcRXElT5URr3gWEB1CQe3rmuyQk~gAdbXiDN-94-oS9AZlafBbrFxRjFWRCTJhc7Cg3ASbRO-VWNci-C~bWAPczbX3wPQSjtWGV3k1bGuD26ohUc02o8oJZQyYXRpgqcWGVJdQ__" --profile ipam-account
   ```

   To provision the CIDR with verification token information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace `ipam-ext-res-ver-token-0309ce7f67a768cf0` with the `IpamExternalResourceVerificationTokenId` token ID that you got in [Verify your domain with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --cidr 130.137.245.0/24 --verification-method dns-token --ipam-external-resource-verification-token-id ipam-ext-res-ver-token-0309ce7f67a768cf0 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending provision.

   ```
   {
       "IpamPoolCidr": {                                                                                         
           "Cidr": "130.137.245.0/24",                                                                      
           "State": "pending-provision"                                                                          
       }                                                                                                         
   }
   ```

1. Ensure that this CIDR has been provisioned before you continue.

   **Important**  
   While most provisioning completes within two hours, it can take up to one week to complete the provisioning process for publicly advertisable ranges.

   Run the following command until you see a state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
   ```

   The following example output shows the state.

   ```
   {
       "IpamPoolCidrs": [                     
           {                                  
               "Cidr": "130.137.245.0/24",     
               "State": "provisioned"         
           }                                  
       ]                                      
   }
   ```

## Step 5: Create a Regional pool within the top-level pool
<a name="tutorials-byoip-ipam-ipv4-5"></a>

Create a Regional pool within the top-level pool.

The locale for the pool must be one of the following:
+ An AWS Region where you want this IPAM pool to be available for allocations.
+ The network border group for an AWS Local Zone where you want this IPAM pool to be available for allocations ([supported Local Zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#byoip-zone-avail)). This option is only available for IPAM IPv4 pools in the public scope.
+ An [AWS Dedicated Local Zone](https://aws.amazon.com/dedicatedlocalzones/). To create a pool within an AWS Dedicated Local Zone, specify that Dedicated Local Zone as the locale.
+ `Global` when you want to use IP addresses globally across all AWS Regions, such as CloudFront locations. The `Global` locale is only available for public IPv4 pools.

The locale determines where the pool's space can be used: for example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Once you have chosen a locale for a pool, you cannot change it. If the home Region of the IPAM is unavailable due to an outage and the pool has a locale different from the home Region of the IPAM, the pool can still be used to allocate IP addresses.

The `--region` for `create-ipam-pool` is the home Region of your IPAM (`us-east-1` in this tutorial), whatever `--locale` you give the pool. The locale matters later, when you advertise the CIDR and allocate addresses from the pool: for those commands, `--region` must be the Region that manages the locale. For example, if you created the BYOIP pool with a locale of *us-east-1*, use `--region us-east-1`; if you created it with a locale of *us-east-1-scl-1* (a network border group used for Local Zones), also use `--region us-east-1`, because that Region manages the locale *us-east-1-scl-1*.

This step must be done by the IPAM account.

Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it. The available options come from the operating Regions that you chose when you created your IPAM. In this tutorial, we'll use `us-west-2` as the locale for the Regional pool.

**Important**  
When you create the pool, you must include `--aws-service ec2`. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is `ec2`, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs). 

**To create a Regional pool using the AWS CLI**

1. Run the following command to create the pool.

   ```
   aws ec2 create-ipam-pool --description "Regional-IPv4-pool" --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --source-ipam-pool-id ipam-pool-0a03d430ca3f5c035 --locale us-west-2 --address-family ipv4 --aws-service ec2 --profile ipam-account
   ```

   In the output, you'll see IPAM creating the pool.

   ```
   {
        "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0d8f3646b61ca5987",
           "SourceIpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0d8f3646b61ca5987",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-west-2",
           "PoolDepth": 2,
           "State": "create-in-progress",
           "Description": "Regional-IPv4-pool",
           "AutoImport": false,
           "AddressFamily": "ipv4",
           "Tags": [],
           "ServiceType": "ec2"
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   In the output, you see the pools that you have in your IPAM. In this tutorial, we created a top-level and a Regional pool, so you'll see them both.

## Step 6: Provision a CIDR to the Regional pool
<a name="tutorials-byoip-ipam-ipv4-6"></a>

Provision a CIDR block to the Regional pool.

**Note**  
When provisioning a CIDR to a Regional pool within the top-level pool, the most specific IPv4 CIDR you can provision is `/24`; more specific CIDRs (such as `/25`) are not permitted. After you create the Regional pool, you can create smaller pools (such as `/25`) within the same Regional pool. Note that if you share the Regional pool or pools within it, these pools can only be used in the locale set on the same Regional pool.

This step must be done by the IPAM account.

**To assign a CIDR block to the Regional pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --cidr 130.137.245.0/24 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending provision.

   ```
   {
       "IpamPoolCidr": {                                                                                         
           "Cidr": "130.137.245.0/24",                                                                      
           "State": "pending-provision"                                                                          
       }                                                                                                         
   }
   ```

1. Run the following command until you see the state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   The following example output shows the correct state.

   ```
   {
       "IpamPoolCidrs": [
           {
               "Cidr": "130.137.245.0/24",
               "State": "provisioned"
           }
       ]
   }
   ```
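Step 3, Step 4, Step 5, this step and the deprovisioning steps in the cleanup all say to re-run a `describe` or `get` command until a state appears. The following script is an added example, not part of the AWS documentation or of the `aws` CLI; it wraps the same two commands in a polling loop with a timeout and stops early on a `failed-*` state instead of retrying forever. It assumes the `aws` CLI and the `ipam-account` profile from this tutorial are configured; the function names (`ipam_pool_state`, `ipam_cidr_state`, `wait_for_state`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): poll IPAM until a pool or a
# pool CIDR reaches the expected state, instead of re-running describe/get by hand.
set -eu

# ipam_pool_state REGION PROFILE POOL_ID
# Prints the pool state (create-in-progress, create-complete, delete-in-progress, ...).
ipam_pool_state() {
  aws ec2 describe-ipam-pools --region "$1" --profile "$2" --ipam-pool-ids "$3" \
    --query 'IpamPools[0].State' --output text
}

# ipam_cidr_state REGION PROFILE POOL_ID CIDR
# Prints the state of one CIDR in the pool (pending-provision, provisioned,
# pending-deprovision, deprovisioned, failed-provision, ...).
ipam_cidr_state() {
  aws ec2 get-ipam-pool-cidrs --region "$1" --profile "$2" --ipam-pool-id "$3" \
    --query "IpamPoolCidrs[?Cidr=='$4'].State | [0]" --output text
}

# wait_for_state READER WANT TIMEOUT_SEC INTERVAL_SEC READER_ARGS...
# Calls READER with READER_ARGS every INTERVAL_SEC seconds until it prints WANT.
# Exit status: 0 = reached WANT, 1 = timed out, 2 = a failed-* / *-failed state
# was reported (polling again cannot fix that; inspect the pool or CIDR instead).
wait_for_state() {
  reader=$1 want=$2 timeout=$3 interval=$4
  shift 4
  elapsed=0
  while :; do
    state=$("$reader" "$@")
    case "$state" in
      "$want") return 0 ;;
      failed-*|*-failed)
        echo "wait_for_state: got $state while waiting for $want" >&2
        return 2 ;;
    esac
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "wait_for_state: timed out after ${elapsed}s (last state: $state)" >&2
      return 1
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
}

# Usage with this tutorial's example IDs (top-level pool, IPAM home Region):
#   wait_for_state ipam_pool_state create-complete 600 15 \
#       us-east-1 ipam-account ipam-pool-0a03d430ca3f5c035
#   wait_for_state ipam_cidr_state provisioned 604800 300 \
#       us-east-1 ipam-account ipam-pool-0a03d430ca3f5c035 130.137.245.0/24
```

Under `set -e`, a CLI call that fails outright (bad credentials, a wrong `--region`, throttling) aborts the script rather than being retried, which is what you want for an authorization error. A `failed-provision` state is likewise reported and not retried, since repeating the call cannot fix a rejected provisioning request. The week-long timeout in the second usage line reflects the Important note in Step 4.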

## Step 7: Advertise the CIDR
<a name="tutorials-byoip-ipam-ipv4-11"></a>

The steps in this section must be done by the IPAM account. Advertising makes the CIDR you brought to AWS reachable from the internet; by default it is not advertised. You advertise the CIDR from the pool that has `--aws-service ec2` defined, which in this tutorial is your Regional pool, and you can do so now or after you have associated the Elastic IP addresses (EIPs) with instances or Elastic Load Balancers. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool (`us-west-2` in this tutorial).

**Note**  
The advertisement status doesn't restrict your ability to allocate Elastic IP addresses. Even if your BYOIPv4 CIDR is not advertised, you can still create EIPs from the IPAM pool.

**Start advertising the CIDR using the AWS CLI**
+ Run the following command to advertise the CIDR.

  ```
  aws ec2 advertise-byoip-cidr --region us-west-2 --cidr 130.137.245.0/24 --profile ipam-account
  ```

  In the output, you'll see the CIDR is advertised.

  ```
  {
      "ByoipCidr": {
          "Cidr": "130.137.245.0/24",
          "State": "advertised"
      }
  }
  ```

## Step 8: Share the Regional pool
<a name="tutorials-byoip-ipam-ipv4-console-4-deux"></a>

 Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM). 

### Enable resource sharing in AWS RAM
<a name="61-enable-resource-sharing-in-aws-ram-deux"></a>

 After you create your IPAM, you’ll want to share the regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to enable resource sharing, use the `--profile management-account` option.

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.

 You can now share an IPAM pool with other members of the organization.

### Share an IPAM pool using AWS RAM
<a name="62-share-an-ipam-pool-using-aws-ram-deux"></a>

 In this section you’ll share the regional pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you are using the AWS CLI to share the pool, use the `--profile ipam-account` option.

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the public scope, choose the Regional pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens; you share the pool using AWS RAM.

1. In the AWS RAM console, choose **Create a resource share**.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools**, and then choose the ARN of the pool you want to share.

1. Choose **Next**.

1. Choose the **AWSRAMPermissionIpamPoolByoipCidrImport** permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

1. Choose **Next**.

1. Under **Principals** > **Select principal type**, choose **AWS account**, enter the account ID of the account that will be bringing an IP address range to IPAM, and choose **Add**.

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

1. To allow the **member-account** to allocate CIDRs from the IPAM pool, create a second resource share for the same pool with the `AWSRAMDefaultPermissionsIpamPool` managed permission and the same principal. If you do this with the AWS CLI (`aws ram create-resource-share`), the value for `--resource-arns` is the ARN of the Regional pool you created in Step 5, the value for `--principals` is the account ID of the **member-account**, and the value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.
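The same two resource shares, created from the CLI instead of the console. This is an added example, not code from the AWS documentation; it assumes the `management-account` and `ipam-account` profiles from this tutorial, uses the Regional pool ARN from Step 5, and `111122223333` stands in for the member account ID. The function names are this example's own; the permission ARNs are the two AWS-managed RAM permissions named in this section.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): the Step 8 resource shares
# created from the CLI rather than the console.
set -eu

RAM_PERMISSION_PREFIX='arn:aws:ram::aws:permission'

# Run once, as the AWS Organizations management account (the console's
# "Enable sharing with AWS Organizations" setting).
enable_org_sharing() {
  aws ram enable-sharing-with-aws-organization --profile "${1:-management-account}"
}

# share_pool NAME POOL_ARN PRINCIPAL PERMISSION_NAME PROFILE
# Creates one resource share for the pool and prints the share's ARN.
share_pool() {
  aws ram create-resource-share --profile "$5" --name "$1" \
    --resource-arns "$2" --principals "$3" \
    --permission-arns "$RAM_PERMISSION_PREFIX/$4" \
    --query 'resourceShare.resourceShareArn' --output text
}

# share_byoip_pool POOL_ARN MEMBER_ACCOUNT_ID [PROFILE]
# The pool needs two shares in this tutorial: one that lets the member account
# import the BYOIP CIDR into its own public IPv4 pool (Alternative to Step 9),
# and one with the default pool permission so that allocate-address works
# (Step 9). Leaving out the second share is what produces the
# ec2:AllocateAddress permission error mentioned in Step 9.
share_byoip_pool() {
  pool_arn=$1 member=$2 profile=${3:-ipam-account}
  share_pool ipam-byoip-import "$pool_arn" "$member" \
    AWSRAMPermissionIpamPoolByoipCidrImport "$profile"
  share_pool ipam-pool-allocate "$pool_arn" "$member" \
    AWSRAMDefaultPermissionsIpamPool "$profile"
}

# Usage with this tutorial's values (111122223333 is a placeholder member account):
#   enable_org_sharing management-account
#   share_byoip_pool arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0d8f3646b61ca5987 111122223333
```

Share with explicit account IDs, as here, rather than with an OU or the whole organization unless every account in that scope should be able to draw addresses from your public range: the RAM share is what grants a member account access to your BYOIP space, so its principal list is the place to keep narrow.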

## Step 9: Allocate an Elastic IP address from the pool
<a name="tutorials-byoip-ipam-ipv4-console-cli-all-eip"></a>

Complete the steps in this section to allocate an Elastic IP address from the pool. Note that if you are using public IPv4 pools to allocate Elastic IP addresses, you can use the alternative steps in [Alternative to Step 9](#tutorials-byoip-ipam-ipv4-cli-alt) rather than the steps in this section.

**Important**  
If you see an error related to not having permissions to call `ec2:AllocateAddress`, the managed permission currently assigned to the IPAM pool that was shared with you needs to be updated. Contact the person who created the resource share and ask them to update the managed permission `AWSRAMDefaultPermissionsIpamPool` to the default version. For more information, see [Update a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-update.html) in the *AWS RAM User Guide*.

------
#### [ AWS Management Console ]

Follow the steps in [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide* to allocate the address, but note the following:
+ This step must be done by the member account.
+ Ensure that the AWS Region you are in in the EC2 console matches the Locale option you chose when you created the Regional pool (`us-west-2` in this tutorial).
+ When you choose the address pool, choose the option to **Allocate using an IPv4 IPAM pool** and choose the Regional pool you created.

------
#### [ Command line ]

Allocate an address from the pool with the [allocate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/allocate-address.html) command. This step must be done by the member account, so use the `--profile member-account` option. The `--region` you use must match the `--locale` option you chose when you created the Regional pool in Step 5 (`us-west-2` in this tutorial). Include the ID of the Regional pool in `--ipam-pool-id`. Optionally, you can also choose a specific `/32` in your IPAM pool by using the `--address` option.

```
aws ec2 allocate-address --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile member-account
```

Example response:

```
{
    "PublicIp": "130.137.245.41",
    "AllocationId": "eipalloc-056cdd6019c0f4b46",
    "PublicIpv4Pool": "ipam-pool-0d8f3646b61ca5987",
    "NetworkBorderGroup": "us-west-2",
    "Domain": "vpc"
}
```
```

For more information, see [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide*.

------

## Step 10: Associate the Elastic IP address with an EC2 instance
<a name="tutorials-byoip-ipam-ipv4-console-cli-assoc-eip"></a>

Complete the steps in this section to associate the Elastic IP address with an EC2 instance.

------
#### [ AWS Management Console ]

Follow the steps in [Associate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide* to associate the Elastic IP address you allocated from the IPAM pool, but note the following: when you use the AWS Management Console, the AWS Region you associate the Elastic IP address in must match the Locale option you chose when you created the Regional pool.

This step must be done by the member account.

------
#### [ Command line ]

This step must be done by the member account. Use the `--profile member-account` option.

Associate the Elastic IP address with an instance with the [associate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/associate-address.html) command. The `--region` you associate the Elastic IP address in must match the `--locale` option you chose when you created the Regional pool.

```
aws ec2 associate-address --region us-west-2 --instance-id i-07459a6fca5b35823 --public-ip 130.137.245.41 --profile member-account
```

Example response:

```
{                                                
    "AssociationId": "eipassoc-06aa85073d3936e0e"
}
```

For more information, see [Associate an Elastic IP address with an instance or network interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide*.

------
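Steps 9 and 10 from the CLI, with the check a practitioner wants before handing the address to an instance: that the allocation really came from the Regional pool and lies inside the BYOIP CIDR, and that the address is released again if it did not (a `--region` that does not match the pool's locale is the usual reason). This is an added example, not part of the AWS documentation; it assumes the `member-account` profile, the Regional pool ID and CIDR from Step 5 and Step 6, and the instance ID from this step, and it associates by allocation ID rather than by public IP. The helper names (`ipv4_to_int`, `ip_in_cidr`, `allocate_byoip_eip`, `associate_eip`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): allocate an Elastic IP address
# from the shared Regional pool, check that it really comes from the BYOIP range,
# then associate it with an instance.
set -eu

# ipv4_to_int A.B.C.D -> prints the address as a 32-bit integer.
ipv4_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_cidr ADDRESS NETWORK/PREFIX -> exit 0 if ADDRESS is inside the block.
ip_in_cidr() {
  prefix=${2#*/}
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( $(ipv4_to_int "$1") & mask )) -eq $(( $(ipv4_to_int "${2%/*}") & mask )) ]
}

# allocate_byoip_eip REGION PROFILE POOL_ID CIDR [ADDRESS]
# Allocates an EIP from POOL_ID (a specific /32 if ADDRESS is given) and prints
# "ALLOCATION_ID PUBLIC_IP". If EC2 reports a different pool or an address outside
# CIDR, the allocation is released again and the function returns 1, so a
# mis-targeted request never leaves a stray address behind.
allocate_byoip_eip() {
  region=$1 profile=$2 pool_id=$3 cidr=$4
  if [ $# -ge 5 ]; then extra="--address $5"; else extra=""; fi
  out=$(aws ec2 allocate-address --region "$region" --profile "$profile" \
        --ipam-pool-id "$pool_id" $extra \
        --query '[AllocationId,PublicIp,PublicIpv4Pool]' --output text)
  set -- $out
  alloc_id=$1 public_ip=$2 served_from=$3
  if [ "$served_from" != "$pool_id" ] || ! ip_in_cidr "$public_ip" "$cidr"; then
    echo "allocate_byoip_eip: $public_ip (pool $served_from) is not from $pool_id $cidr; releasing" >&2
    aws ec2 release-address --region "$region" --profile "$profile" \
      --allocation-id "$alloc_id" >/dev/null
    return 1
  fi
  echo "$alloc_id $public_ip"
}

# associate_eip REGION PROFILE INSTANCE_ID ALLOCATION_ID -> prints the association ID.
associate_eip() {
  aws ec2 associate-address --region "$1" --profile "$2" \
    --instance-id "$3" --allocation-id "$4" \
    --query AssociationId --output text
}

# Usage with this tutorial's values:
#   set -- $(allocate_byoip_eip us-west-2 member-account ipam-pool-0d8f3646b61ca5987 130.137.245.0/24)
#   associate_eip us-west-2 member-account i-07459a6fca5b35823 "$1"
```

The `PublicIpv4Pool` field in the `allocate-address` response is the authoritative answer to "which pool served this address"; the CIDR check is a second, independent guard that also catches a pool that was provisioned with the wrong range.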

## Step 11: Cleanup
<a name="tutorials-byoip-ipam-ipv4-cli-cleanup"></a>

Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial. Unless a step says otherwise, the value for `--region` is the Region that manages the locale of the Regional pool (`us-west-2` in this tutorial); the steps that deprovision or delete pools run in the home Region of your IPAM (`us-east-1`).

**Clean up using the AWS CLI**

1. View the EIP allocation managed in IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   The output shows the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "130.137.245.0/24",
               "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc45",
               "ResourceId": "ipv4pool-ec2-0019eed22a684e0b2",
               "ResourceType": "ec2-public-ipv4-pool",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```

1. Stop advertising the IPv4 CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 withdraw-byoip-cidr --region us-west-2 --cidr 130.137.245.0/24 --profile ipam-account
   ```

   In the output, you'll see the CIDR State has changed from **advertised** to **provisioned**.

   ```
   {
       "ByoipCidr": {
           "Cidr": "130.137.245.0/24",
           "State": "provisioned"
       }
   }
   ```

1. Release the Elastic IP address.

   This step must be done by the member account.

   ```
   aws ec2 release-address --region us-west-2 --allocation-id eipalloc-056cdd6019c0f4b46 --profile member-account
   ```

   You will not see any output when you run this command.

1. Verify that the EIP allocation is no longer managed in IPAM. It can take some time for IPAM to discover that the Elastic IP address has been released. You cannot continue to clean up and deprovision the IPAM pool CIDR until you see that the allocation has been removed from IPAM. When you run the command in this step, the value for `--region` must match the `--locale` option you entered when you created the Regional pool.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   The output shows that no allocations remain in the pool.

   ```
   {
       "IpamPoolAllocations": []
   }
   ```

1. Deprovision the Regional pool CIDR. When you run the commands in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --cidr 130.137.245.0/24 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending deprovision.

   ```
   {
       "IpamPoolCidr": {                                                                                            
           "Cidr": "130.137.245.0/24",                                                                         
           "State": "pending-deprovision"                                                                           
       }                                                                                                            
   }
   ```

   Deprovisioning takes time to complete. Check the status of deprovisioning.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   Wait until you see **deprovisioned** before you continue to the next step.

   ```
   {
       "IpamPoolCidrs": [
           {
               "Cidr": "130.137.245.0/24",
               "State": "deprovisioned"
           }
       ]
   }
   ```

1. Delete the RAM shares and disable RAM integration with AWS Organizations. Complete the steps in [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) and [Disabling resource sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/security-disable-sharing-with-orgs.html) in the *AWS RAM User Guide*, in that order, to delete the RAM shares and disable RAM integration with AWS Organizations.

   This step must be done by the IPAM account and the management account, respectively. If you are using the AWS CLI to delete the RAM shares and disable RAM integration, use the `--profile ipam-account` and `--profile management-account` options.

1. Delete the Regional pool. When you run the command in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   In the output, you can see the delete state.

   ```
   {
      "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0d8f3646b61ca5987",
           "SourceIpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0d8f3646b61ca5987",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-west-2",
           "PoolDepth": 2,
           "State": "delete-in-progress",
           "Description": "Regional-IPv4-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv4"
       }
   }
   ```

1. Deprovision the top-level pool CIDR. When you run the commands in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --cidr 130.137.245.0/24 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending deprovision.

   ```
   {
       "IpamPoolCidr": {                                                                                            
           "Cidr": "130.137.245.0/24",                                                                         
           "State": "pending-deprovision"                                                                           
       }                                                                                                            
   }
   ```

   Deprovisioning takes time to complete. Run the following command to check the status of deprovisioning.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
   ```

   Wait until you see **deprovisioned** before you continue to the next step.

   ```
   {
       "IpamPoolCidrs": [
           {
               "Cidr": "130.137.245.0/24",
               "State": "deprovisioned"
           }
       ]
   }
   ```

1. Delete the top-level pool. When you run the command in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
   ```

   In the output, you can see the delete state.

   ```
   {
     "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "None",
           "PoolDepth": 1,
           "State": "delete-in-progress",
           "Description": "top-level-IPv4-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv4"
       }
   }
   ```

1. Delete the IPAM. When you run the command in this step, the value for `--region` must match the Region of your IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam --region us-east-1 --ipam-id ipam-090e48e75758de279 --profile ipam-account
   ```

   The output shows the IPAM that was deleted.

   ```
   {
       "Ipam": {
           "OwnerId": "123456789012",
           "IpamId": "ipam-090e48e75758de279",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
           "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
           "ScopeCount": 2,
           "OperatingRegions": [
               {
                   "RegionName": "us-east-1"
               },
               {
                   "RegionName": "us-west-2"
               }
           ]
       }
   }
   ```

## Alternative to Step 9
<a name="tutorials-byoip-ipam-ipv4-cli-alt"></a>

If you are using public IPv4 pools to allocate Elastic IP addresses, you can use the steps in this section rather than the steps in [Step 9: Allocate an Elastic IP address from the pool](#tutorials-byoip-ipam-ipv4-console-cli-all-eip).

**Topics**
+ [Step 1: Create a public IPv4 pool](#tutorials-byoip-ipam-ipv4-9)
+ [Step 2: Provision the public IPv4 CIDR to your public IPv4 pool](#tutorials-byoip-ipam-ipv4-9)
+ [Step 3: Create an Elastic IP address from the public IPv4 pool](#tutorials-byoip-ipam-ipv4-10)
+ [Alternative to Step 9 cleanup](#tutorials-byoip-ipam-ipv4-cli-alt-cleanup)

### Step 1: Create a public IPv4 pool
<a name="tutorials-byoip-ipam-ipv4-9"></a>

This step is typically done by a different AWS account that wants to provision an Elastic IP address, such as the member account.

**Important**  
Public IPv4 pools and IPAM pools are managed by distinct resources in AWS. Public IPv4 pools are single account resources that enable you to convert your publicly-owned CIDRs to Elastic IP addresses. IPAM pools can be used to allocate your public space to public IPv4 pools.

**To create a public IPv4 pool using the AWS CLI**
+ Run the following command to create the public IPv4 pool. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the pool that will be used for the BYOIP CIDR.

  ```
  aws ec2 create-public-ipv4-pool --region us-west-2 --profile member-account
  ```

  In the output, you'll see the public IPv4 pool ID. You will need this ID in the next step.

  ```
  {
      "PoolId": "ipv4pool-ec2-0019eed22a684e0b2"
  }
  ```

### Step 2: Provision the public IPv4 CIDR to your public IPv4 pool
<a name="tutorials-byoip-ipam-ipv4-9"></a>

Provision the public IPv4 CIDR to your public IPv4 pool. The value for `--region` must match the `--locale` value you entered when you created the pool that will be used for the BYOIP CIDR. The least specific `--netmask-length` you can define is `24`.

This step must be done by the member account.

**To provision the CIDR to the public IPv4 pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-public-ipv4-pool-cidr --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --pool-id ipv4pool-ec2-0019eed22a684e0b2 --netmask-length 24 --profile member-account
   ```

   In the output, you'll see the provisioned CIDR.

   ```
   {
       "PoolId": "ipv4pool-ec2-0019eed22a684e0b2",
       "PoolAddressRange": {
           "FirstAddress": "130.137.245.0",
           "LastAddress": "130.137.245.255",
           "AddressCount": 256,
           "AvailableAddressCount": 256
       }
   }
   ```

1. Run the following command to view the CIDR provisioned in the public IPv4 pool.

   ```
   aws ec2 describe-byoip-cidrs --region us-west-2 --max-results 10 --profile member-account
   ```

   In the output, you'll see the provisioned CIDR. By default, the CIDR is not advertised, which means it's not reachable over the internet. You will have the chance to set this CIDR to advertised in the last step of this tutorial.

   ```
   {
       "ByoipCidrs": [
           {
               "Cidr": "130.137.245.0/24",
               "StatusMessage": "Cidr successfully provisioned",
               "State": "provisioned"
           }
       ]
   }
   ```

### Step 3: Create an Elastic IP address from the public IPv4 pool
<a name="tutorials-byoip-ipam-ipv4-10"></a>

Create an Elastic IP address (EIP) from the public IPv4 pool. When you run the commands in this section, the value for `--region` must match the `--locale` option you entered when you created the pool that will be used for the BYOIP CIDR.

This step must be done by the member account.

**To create an EIP from the public IPv4 pool using the AWS CLI**

1. Run the following command to create the EIP.

   ```
   aws ec2 allocate-address --region us-west-2 --public-ipv4-pool ipv4pool-ec2-0019eed22a684e0b2 --profile member-account
   ```

   In the output, you'll see the allocation.

   ```
   {
       "PublicIp": "130.137.245.100",
       "AllocationId": "eipalloc-0db3405026756dbf6",
       "PublicIpv4Pool": "ipv4pool-ec2-0019eed22a684e0b2",
       "NetworkBorderGroup": "us-east-1",
       "Domain": "vpc"
   }
   ```

1. Run the following command to view the EIP allocation managed in IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0d8f3646b61ca5987 --profile ipam-account
   ```

   The output shows the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "130.137.245.0/24",
               "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc45",
               "ResourceId": "ipv4pool-ec2-0019eed22a684e0b2",
               "ResourceType": "ec2-public-ipv4-pool",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```

### Alternative to Step 9 cleanup
<a name="tutorials-byoip-ipam-ipv4-cli-alt-cleanup"></a>

Complete these steps to clean up public IPv4 pools created with the alternative to Step 9. You should complete these steps after you release the Elastic IP address during the standard cleanup process in [Step 10: Cleanup](tutorials-byoip-ipam-ipv6.md#tutorials-byoip-ipam-ipv4-cleanup).

1. View your public IPv4 pool and the BYOIP addresses provisioned to it.

   This step must be done by the member account.

   ```
   aws ec2 describe-public-ipv4-pools --region us-west-2 --profile member-account
   ```

   In the output, you'll see the address range from your BYOIP CIDR that is provisioned to the public IPv4 pool.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-0019eed22a684e0b2",
               "Description": "",
               "PoolAddressRanges": [
                   {
                       "FirstAddress": "130.137.245.0",
                       "LastAddress": "130.137.245.255",
                       "AddressCount": 256,
                       "AvailableAddressCount": 256
                   }
               ],
               "TotalAddressCount": 256,
               "TotalAvailableAddressCount": 256,
               "NetworkBorderGroup": "us-east-1",
               "Tags": []
           }
       ]
   }
   ```

1. Release the CIDR from the public IPv4 pool. When you run the command in this section, the value for `--region` must match the Region of your IPAM.

   This step must be done by the member account.

   ```
   aws ec2 deprovision-public-ipv4-pool-cidr --region us-east-1 --pool-id ipv4pool-ec2-0019eed22a684e0b2 --cidr 130.137.245.0/24 --profile member-account
   ```

1. View your BYOIP CIDRs again and ensure there are no more provisioned addresses. When you run the command in this section, the value for `--region` must match the Region of your IPAM.

   This step must be done by the member account.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-1 --profile member-account
   ```

   In the output, you'll see that the address counts for your public IPv4 pool are now zero.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-0019eed22a684e0b2",
               "Description": "",
               "PoolAddressRanges": [],
               "TotalAddressCount": 0,
               "TotalAvailableAddressCount": 0,
               "NetworkBorderGroup": "us-east-1",
               "Tags": []
           }
       ]
   }
   ```
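The two JSON documents used in the alternative flow above, `get-ipam-pool-allocations` (IPAM account, Step 3) and `describe-public-ipv4-pools` (member account, cleanup), can be cross-checked before anything is released. This added example, which is not AWS's code, confirms that the public IPv4 pool holds exactly the CIDR IPAM allocated to it, refuses deprovisioning while any Elastic IP is still allocated, and verifies that the final describe output is empty; the sample documents are constructed from the tutorial's example output.

```python
"""Reconcile a public IPv4 pool with its IPAM allocation and gate its cleanup.

Added example, not part of the AWS tutorial. It works on the JSON printed by
`aws ec2 get-ipam-pool-allocations` and `aws ec2 describe-public-ipv4-pools`;
the sample documents below are constructed from the tutorial's output.
"""
import ipaddress

# Least specific --netmask-length the tutorial allows for a public IPv4 pool.
MIN_PUBLIC_POOL_NETMASK = 24


def find_pool(pools_doc, pool_id):
    """Select one pool from describe-public-ipv4-pools output."""
    for pool in pools_doc.get("PublicIpv4Pools", []):
        if pool["PoolId"] == pool_id:
            return pool
    raise KeyError(f"public IPv4 pool {pool_id} not found")


def pool_ranges_as_cidrs(pool):
    """Turn the pool's FirstAddress/LastAddress ranges into CIDR networks."""
    cidrs = []
    for rng in pool.get("PoolAddressRanges", []):
        first = ipaddress.ip_address(rng["FirstAddress"])
        last = ipaddress.ip_address(rng["LastAddress"])
        cidrs.extend(ipaddress.summarize_address_range(first, last))
    return cidrs


def reconcile(allocations_doc, pools_doc, public_pool_id):
    """Compare IPAM's record of the allocation with what the pool holds.
    Returns a list of findings; an empty list means the two views agree."""
    findings = []
    allocs = [a for a in allocations_doc.get("IpamPoolAllocations", [])
              if a.get("ResourceType") == "ec2-public-ipv4-pool"
              and a.get("ResourceId") == public_pool_id]
    if not allocs:
        findings.append(f"IPAM has no allocation for {public_pool_id}")
        return findings
    ipam_cidrs = {ipaddress.ip_network(a["Cidr"]) for a in allocs}
    for net in sorted(ipam_cidrs):
        if net.prefixlen < MIN_PUBLIC_POOL_NETMASK:
            findings.append(f"{net} is less specific than /{MIN_PUBLIC_POOL_NETMASK}")
    pool_cidrs = set(pool_ranges_as_cidrs(find_pool(pools_doc, public_pool_id)))
    for net in sorted(pool_cidrs - ipam_cidrs):
        findings.append(f"pool holds {net}, which IPAM did not allocate to it")
    for net in sorted(ipam_cidrs - pool_cidrs):
        findings.append(f"IPAM allocated {net}, but the pool does not hold it")
    return findings


def addresses_in_use(pool):
    """Addresses handed out as Elastic IPs; any in use blocks deprovisioning."""
    return sum(r["AddressCount"] - r["AvailableAddressCount"]
               for r in pool.get("PoolAddressRanges", []))


def safe_to_deprovision(pools_doc, public_pool_id):
    """True once every Elastic IP allocated from the pool has been released."""
    return addresses_in_use(find_pool(pools_doc, public_pool_id)) == 0


def deprovision_complete(pools_doc, public_pool_id):
    """True when the pool holds no addresses at all (the final describe output)."""
    pool = find_pool(pools_doc, public_pool_id)
    return not pool.get("PoolAddressRanges") and pool.get("TotalAddressCount", 0) == 0


# Sample documents, constructed from the tutorial's example output.
PUBLIC_POOL_ID = "ipv4pool-ec2-0019eed22a684e0b2"
ALLOCATIONS = {"IpamPoolAllocations": [{
    "Cidr": "130.137.245.0/24", "ResourceId": PUBLIC_POOL_ID,
    "ResourceType": "ec2-public-ipv4-pool", "ResourceOwner": "123456789012"}]}
RANGE = {"FirstAddress": "130.137.245.0", "LastAddress": "130.137.245.255",
         "AddressCount": 256, "AvailableAddressCount": 256}


def _pools(ranges, total, available):
    return {"PublicIpv4Pools": [{
        "PoolId": PUBLIC_POOL_ID, "PoolAddressRanges": ranges,
        "TotalAddressCount": total, "TotalAvailableAddressCount": available,
        "NetworkBorderGroup": "us-east-1", "Tags": []}]}


POOLS_PROVISIONED = _pools([RANGE], 256, 256)
POOLS_WITH_EIP = _pools([dict(RANGE, AvailableAddressCount=255)], 256, 255)
POOLS_DEPROVISIONED = _pools([], 0, 0)

if __name__ == "__main__":
    print("reconcile:", reconcile(ALLOCATIONS, POOLS_PROVISIONED, PUBLIC_POOL_ID) or "consistent")
    for label, doc in (("all EIPs released", POOLS_PROVISIONED),
                       ("one EIP still allocated", POOLS_WITH_EIP)):
        print(label, "-> safe to deprovision:", safe_to_deprovision(doc, PUBLIC_POOL_ID))
    print("deprovision complete:", deprovision_complete(POOLS_DEPROVISIONED, PUBLIC_POOL_ID))
```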

# Bring your own IPv6 CIDR to IPAM using only the AWS CLI
<a name="tutorials-byoip-ipam-ipv6"></a>

Follow these steps to bring an IPv6 CIDR to IPAM and allocate it to a VPC using only the AWS CLI.

If you do not need to advertise your IPv6 addresses over the internet, you can provision a private IPv6 GUA CIDR to IPAM instead. For more information, see [Enable provisioning private IPv6 GUA CIDRs](enable-prov-ipv6-gua.md).

**Important**  
This tutorial assumes you have already completed the steps in the following sections:  
+ [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md)
+ [Create an IPAM](create-ipam.md)

Each step of this tutorial must be done by one of three AWS Organizations accounts:  
+ The management account.
+ The member account configured to be your IPAM administrator in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md). In this tutorial, this account will be called the IPAM account.
+ The member account in your organization which will allocate CIDRs from an IPAM pool. In this tutorial, this account will be called the member account.

**Topics**
+ [Step 1: Create AWS CLI named profiles and IAM roles](#tutorials-create-profiles)
+ [Step 2: Create an IPAM](#tutorials-byoip-ipam-ipv6-2)
+ [Step 3: Create an IPAM pool](#tutorials-byoip-ipam-ipv6-3)
+ [Step 4: Provision a CIDR to the top-level pool](#tutorials-byoip-ipam-ipv6-4)
+ [Step 5: Create a Regional pool within the top-level pool](#tutorials-byoip-ipam-ipv6-5)
+ [Step 6: Provision a CIDR to the Regional pool](#tutorials-byoip-ipam-ipv6-6)
+ [Step 7: Share the Regional pool](#tutorials-byoip-ipam-ipv4-console-4-deux)
+ [Step 8: Create a VPC using the IPv6 CIDR](#tutorials-byoip-ipam-ipv6-8)
+ [Step 9: Advertise the CIDR](#tutorials-byoip-ipam-ipv6-9)
+ [Step 10: Cleanup](#tutorials-byoip-ipam-ipv4-cleanup)

## Step 1: Create AWS CLI named profiles and IAM roles
<a name="tutorials-create-profiles"></a>

To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch from one IAM role to another. [Named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles) are collections of settings and credentials that you refer to when using the `--profile` option with the AWS CLI. For more information about how to create IAM roles and named profiles for AWS accounts, see [Using an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).

Create one role and one named profile for each of the three AWS accounts you will use in this tutorial:
+ A profile called `management-account` for the AWS Organizations management account.
+ A profile called `ipam-account` for the AWS Organizations member account that is configured to be your IPAM administrator.
+ A profile called `member-account` for the AWS Organizations member account in your organization which will allocate CIDRs from an IPAM pool.

After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the `--profile` option with one of the named profiles to indicate which account must run the command.

## Step 2: Create an IPAM
<a name="tutorials-byoip-ipam-ipv6-2"></a>

This step is optional. If you already have an IPAM with operating Regions of `us-east-1` and `us-west-2`, you can skip it. Otherwise, create an IPAM and specify `us-east-1` and `us-west-2` as its operating Regions. You must select an operating Region so that you can use the locale option when you create your IPAM pool. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

Run the following command:

```
aws ec2 create-ipam --description my-ipam --region us-east-1 --operating-regions RegionName=us-west-2 --profile ipam-account
```

In the output, you'll see the IPAM you've created. Note the value for `PublicDefaultScopeId`. You will need your public scope ID in the next step.

```
{
    "Ipam": {
        "OwnerId": "123456789012",
        "IpamId": "ipam-090e48e75758de279",
        "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
        "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
        "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
        "ScopeCount": 2,
        "Description": "my-ipam",
        "OperatingRegions": [
            {
                "RegionName": "us-east-1"
            },
            {
                "RegionName": "us-west-2"
            }
        ],
        "Tags": []
    }
}
```

## Step 3: Create an IPAM pool
<a name="tutorials-byoip-ipam-ipv6-3"></a>

Because you are going to create a top-level IPAM pool with a Regional pool within it, and allocate space to a resource (a VPC) from the Regional pool, you set the locale on the Regional pool and not on the top-level pool. You'll add the locale to the Regional pool when you create it in a later step. The IPAM integration with BYOIP requires that the locale is set on whichever pool will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

Choose whether you want this IPAM pool CIDR to be advertisable by AWS over the public internet (`--publicly-advertisable` or `--no-publicly-advertisable`).

**Note**  
The scope ID must be the ID of the public scope, and the address family must be `ipv6`.

**To create an IPv6 address pool for all of your AWS resources using the AWS CLI**

1. Run the following command to create an IPAM pool. Use the ID of the public scope of the IPAM that you created in the previous step.

   ```
   aws ec2 create-ipam-pool --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --description "top-level-IPv6-pool" --address-family ipv6 --publicly-advertisable --profile ipam-account
   ```

   In the output, you'll see `create-in-progress`, which indicates that pool creation is in progress.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-07f2466c7158b50c4",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "None",
           "PoolDepth": 1,
           "State": "create-in-progress",
           "Description": "top-level-IPv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6",
           "Tags": []
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   The following example output shows the state of the pool. `describe-ipam-pools` returns a list, so the pool appears as an entry under `IpamPools`.

   ```
   {
       "IpamPools": [
           {
               "OwnerId": "123456789012",
               "IpamPoolId": "ipam-pool-07f2466c7158b50c4",
               "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-07f2466c7158b50c4",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
               "IpamScopeType": "public",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
               "Locale": "None",
               "PoolDepth": 1,
               "State": "create-complete",
               "Description": "top-level-IPv6-pool",
               "AutoImport": false,
               "Advertisable": true,
               "AddressFamily": "ipv6",
               "Tags": []
           }
       ]
   }
   ```

## Step 4: Provision a CIDR to the top-level pool
<a name="tutorials-byoip-ipam-ipv6-4"></a>

Provision a CIDR block to the top-level pool. Note that when provisioning an IPv6 CIDR to a pool within the top-level pool, the most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable. 

**Note**  
If you [verified your domain control with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert), you must include the CIDR and the BYOIP message and certificate signature that you created in that step so we can verify that you control the public space. 
If you [verified your domain control with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt), you must include the CIDR and IPAM verification token that you created in that step so we can verify that you control the public space.

You only need to verify domain control when you provision the BYOIP CIDR to the top-level pool. For the Regional pool within the top-level pool, you can omit the domain ownership option.

This step must be done by the IPAM account.

**To provision a CIDR block to the pool using the AWS CLI**

1. To provision the CIDR with certificate information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace `Message` and `Signature` values with the `text_message` and `signed_message` values that you got in [Verify your domain with an X.509 certificate](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-cert).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --cidr 2605:9cc0:409::/48 --verification-method remarks-x509 --cidr-authorization-context Message="1|aws|470889052444|2605:9cc0:409::/48|20250101|SHA256|RSAPSS",Signature="FU26~vRG~NUGXa~akxd6dvdcCfvL88g8d~YAuai-CR7HqMwzcgdS9RlpBGtfIdsRGyr77LmWyWqU9Xp1g2R1kSkfD00NiLKLcv9F63k6wdEkyFxNp7RAJDvF1mBwxmSgH~Crt-Vp6LON3yOOXMp4JENB9uM7sMlu6oeoutGyyhXFeYPzlGSRdcdfKNKaimvPCqVsxGN5AwSilKQ8byNqoa~G3dvs8ueSaDcT~tW4CnILura70nyK4f2XzgPKKevAD1g8bpKmOFMbHS30CxduYknnDl75lvEJs1J91u3-wispI~r69fq515UR19TA~fmmxBDh1huQ8DkM1rqcwveWow__" --profile ipam-account
   ```

   To provision the CIDR with verification token information, use the following command example. In addition to replacing the values as needed in the example, ensure that you replace `ipam-ext-res-ver-token-0309ce7f67a768cf0` with the `IpamExternalResourceVerificationTokenId` token ID that you got in [Verify your domain with a DNS TXT record](tutorials-byoip-ipam-domain-verification-methods.md#tutorials-byoip-ipam-domain-verification-dns-txt).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --cidr 2605:9cc0:409::/48 --verification-method dns-token --ipam-external-resource-verification-token-id ipam-ext-res-ver-token-0309ce7f67a768cf0 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending provision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "pending-provision"
       }
   }
   ```

1. Ensure that this CIDR has been provisioned before you continue.

   **Important**  
   While most provisioning will be completed within two hours, it may take up to one week to complete the provisioning process for publicly advertisable ranges.

   Run the following command until you see a state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --profile ipam-account
   ```

   The following example output shows the state.

   ```
   {
       "IpamPoolCidrs": [
           {
               "Cidr": "2605:9cc0:409::/48",
               "State": "provisioned"
           }
       ]
   }
   ```

## Step 5: Create a Regional pool within the top-level pool
<a name="tutorials-byoip-ipam-ipv6-5"></a>

Create a Regional pool within the top-level pool. `--locale` is required on the pool and it must be one of the operating Regions you configured when you created the IPAM.

This step must be done by the IPAM account.

**Important**  
When you create the pool, you must include `--aws-service ec2`. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is `ec2`, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service and the Amazon VPC service (for CIDRs associated with VPCs). 

**To create a Regional pool using the AWS CLI**

1. Run the following command to create the pool.

   ```
   aws ec2 create-ipam-pool --description "Regional-IPv6-pool" --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --source-ipam-pool-id ipam-pool-07f2466c7158b50c4 --locale us-west-2 --address-family ipv6 --aws-service ec2 --profile ipam-account
   ```

   In the output, you'll see IPAM creating the pool.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0053b7d2b4fc3f730",
           "SourceIpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0053b7d2b4fc3f730",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-west-2",
           "PoolDepth": 2,
           "State": "create-in-progress",
           "Description": "reg-ipv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6",
           "Tags": [],
           "ServiceType": "ec2"
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   In the output, you see the pools that you have in your IPAM. In this tutorial, we created a top-level and a Regional pool, so you'll see them both.

## Step 6: Provision a CIDR to the Regional pool
<a name="tutorials-byoip-ipam-ipv6-6"></a>

Provision a CIDR block to the Regional pool. Note that when provisioning the CIDR to a pool within the top-level pool, the most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /60 for CIDRs that are not publicly advertisable.

This step must be done by the IPAM account.

**To assign a CIDR block to the Regional pool using the AWS CLI**

1. Run the following command to provision the CIDR.

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending provision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "pending-provision"
       }
   }
   ```

1. Run the following command until you see the state of `provisioned` in the output.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   The following example output shows the correct state.

   ```
   {
       "IpamPoolCidrs": [
           {
               "Cidr": "2605:9cc0:409::/48",
               "State": "provisioned"
           }
       ]
   }
   ```

## Step 7: Share the Regional pool
<a name="tutorials-byoip-ipam-ipv4-console-4-deux"></a>

Follow the steps in this section to share the IPAM pool using AWS Resource Access Manager (RAM).

### Enable resource sharing in AWS RAM
<a name="61-enable-resource-sharing-in-aws-ram-deux"></a>

After you create your IPAM, you’ll want to share the Regional pool with other accounts in your organization. Before you share an IPAM pool, complete the steps in this section to enable resource sharing with AWS RAM. If you are using the AWS CLI to enable resource sharing, use the `--profile management-account` option.

**To enable resource sharing**

1. Using the AWS Organizations management account, open the AWS RAM console at [https://console.aws.amazon.com/ram/](https://console.aws.amazon.com/ram/).

1. In the left navigation pane, choose **Settings**, choose **Enable sharing with AWS Organizations**, and then choose **Save settings**.

You can now share an IPAM pool with other members of the organization.

### Share an IPAM pool using AWS RAM
<a name="62-share-an-ipam-pool-using-aws-ram-deux"></a>

In this section you’ll share the Regional pool with another AWS Organizations member account. For complete instructions on sharing IPAM pools, including information on the required IAM permissions, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you are using the AWS CLI to share the pool, use the `--profile ipam-account` option.

**To share an IPAM pool using AWS RAM**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the public scope (the scope in which you created the pools in this tutorial), choose the IPAM pool, and choose **Actions** > **View details**.

1. Under **Resource sharing**, choose **Create resource share**. The AWS RAM console opens. You share the pool using AWS RAM.

1. Choose **Create a resource share**.

1. In the AWS RAM console, choose **Create a resource share** again.

1. Add a **Name** for the shared pool.

1. Under **Select resource type**, choose **IPAM pools,** and then choose the ARN of the pool you want to share.

1. Choose **Next**.

1. Choose the **AWSRAMPermissionIpamPoolByoipCidrImport** permission. The details of the permission options are out of scope for this tutorial, but you can find out more about these options in [Share an IPAM pool using AWS RAM](share-pool-ipam.md).

1. Choose **Next**.

1. Under **Principals** > **Select principal type**, choose **AWS account**, enter the account ID of the account that will be bringing an IP address range to IPAM, and choose **Add**.

1. Choose **Next**.

1. Review the resource share options and the principals that you’ll be sharing with, and then choose **Create**.

1. To allow the **member-account** account to allocate IP address CIDRs from the IPAM pool, create a second resource share with `AWSRAMDefaultPermissionsIpamPool`. The value for `--resource-arns` is the ARN of the IPAM pool that you created in the previous section. The value for `--principals` is the account ID of the **member-account**. The value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.

## Step 8: Create a VPC using the IPv6 CIDR
<a name="tutorials-byoip-ipam-ipv6-8"></a>

Create a VPC using the IPAM pool ID. You must also associate an IPv4 CIDR block with the VPC using the `--cidr-block` option, or the request will fail. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the pool that will be used for the BYOIP CIDR.

This step must be done by the member account.

**To create a VPC with the IPv6 CIDR using the AWS CLI**

1. Run the following command to create the VPC with an IPv6 CIDR allocated from the Regional pool.

   ```
   aws ec2 create-vpc --region us-west-2 --ipv6-ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --cidr-block 10.0.0.0/16 --ipv6-netmask-length 56 --profile member-account
   ```

   In the output, you'll see the VPC being created.

   ```
   {
       "Vpc": {
           "CidrBlock": "10.0.0.0/16",
           "DhcpOptionsId": "dopt-2afccf50",
           "State": "pending",
           "VpcId": "vpc-00b5573ffc3b31a29",
           "OwnerId": "123456789012",
           "InstanceTenancy": "default",
           "Ipv6CidrBlockAssociationSet": [
               {
                   "AssociationId": "vpc-cidr-assoc-01b5703d6cc695b5b",
                   "Ipv6CidrBlock": "2605:9cc0:409::/56",
                   "Ipv6CidrBlockState": {
                       "State": "associating"
                   },
                   "NetworkBorderGroup": "us-east-1",
                   "Ipv6Pool": "ipam-pool-0053b7d2b4fc3f730"
               }
           ],
           "CidrBlockAssociationSet": [
               {
                   "AssociationId": "vpc-cidr-assoc-09cccb07d4e9a0e0e",
                   "CidrBlock": "10.0.0.0/16",
                   "CidrBlockState": {
                       "State": "associated"
                   }
               }
           ],
           "IsDefault": false
       }
   }
   ```

1. View the VPC allocation in IPAM.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   In the output, you'll see the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "2605:9cc0:409::/56",
               "IpamPoolAllocationId": "ipam-pool-alloc-5f8db726fb9e4ff0a33836e649283a52",
               "ResourceId": "vpc-00b5573ffc3b31a29",
               "ResourceType": "vpc",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```

## Step 9: Advertise the CIDR
<a name="tutorials-byoip-ipam-ipv6-9"></a>

Once you create the VPC with a CIDR allocated from IPAM, you can start advertising the CIDR you brought to AWS that is in the pool that has `--aws-service ec2` defined. In this tutorial, that's your Regional pool. By default, the CIDR is not advertised, which means it's not reachable over the internet. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

This step must be done by the IPAM account.

**Start advertising the CIDR using the AWS CLI**
+ Run the following command to advertise the CIDR.

  ```
  aws ec2 advertise-byoip-cidr --region us-west-2 --cidr 2605:9cc0:409::/48 --profile ipam-account
  ```

  In the output, you'll see the CIDR is advertised.

  ```
  {
      "ByoipCidr": {
          "Cidr": "2605:9cc0:409::/48",
          "State": "advertised"
      }
  }
  ```
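Steps 3 to 9 impose constraints that only surface as API errors, or, worse, as an unintended route announcement, when `advertise-byoip-cidr` is run: `--region` must equal the Regional pool's locale, the pool needs `--aws-service ec2` and must be advertisable, a BYOIP IPv6 CIDR can be no more specific than /48 (advertisable) or /60 (not advertisable), the CIDR must be in the `provisioned` state, and the VPC allocation should already exist. This added example, which is not AWS's code, checks all of that from the JSON the tutorial's own commands print, and also lists the resources that still block deprovisioning during cleanup; the sample documents are constructed from the tutorial's example output.

```python
"""Pre-flight checks for advertise-byoip-cidr and for the cleanup that follows.

Added example, not part of the AWS tutorial. It reads the JSON printed by
describe-ipam-pools, get-ipam-pool-cidrs and get-ipam-pool-allocations and
returns findings; the sample documents below are constructed from the
tutorial's example output.
"""
import ipaddress

# Most specific IPv6 prefix IPAM accepts for a BYOIP CIDR (tutorial, Step 4).
MAX_PREFIX_ADVERTISABLE = 48
MAX_PREFIX_NOT_ADVERTISABLE = 60


def allocations_within(allocations_doc, net):
    """Allocations from get-ipam-pool-allocations that fall inside `net`."""
    hits = []
    for alloc in allocations_doc.get("IpamPoolAllocations", []):
        sub = ipaddress.ip_network(alloc["Cidr"])
        if sub.version == net.version and sub.subnet_of(net):
            hits.append(alloc)
    return hits


def preflight_advertise(region, cidr, pool, pool_cidrs_doc, allocations_doc):
    """Return a list of findings; an empty list means it is safe to advertise.

    region           value you intend to pass as --region
    cidr             value you intend to pass as --cidr
    pool             the Regional pool's entry from describe-ipam-pools
    pool_cidrs_doc   get-ipam-pool-cidrs output for that pool
    allocations_doc  get-ipam-pool-allocations output for that pool
    """
    findings = []
    net = ipaddress.ip_network(cidr, strict=True)

    # The BYOIP integration ties the pool to one Region through --locale; the
    # advertise call has to be made in that same Region.
    if pool.get("Locale") != region:
        findings.append(f"--region {region} does not match pool locale "
                        f"{pool.get('Locale')}")
    if not pool.get("Advertisable"):
        findings.append("pool was created with --no-publicly-advertisable")
    if pool.get("ServiceType") != "ec2":
        findings.append("pool lacks --aws-service ec2, so its CIDRs cannot "
                        "be advertised")
    if net.version == 6:
        limit = (MAX_PREFIX_ADVERTISABLE if pool.get("Advertisable")
                 else MAX_PREFIX_NOT_ADVERTISABLE)
        if net.prefixlen > limit:
            findings.append(f"/{net.prefixlen} is more specific than the "
                            f"/{limit} limit for this pool")

    states = {c["Cidr"]: c["State"]
              for c in pool_cidrs_doc.get("IpamPoolCidrs", [])}
    if states.get(cidr) != "provisioned":
        findings.append(f"CIDR state is {states.get(cidr, 'absent')!r}, "
                        "expected 'provisioned'")

    # The tutorial advertises only after the VPC exists: announcing a prefix
    # that nothing uses yet makes it reachable for no reason.
    if not allocations_within(allocations_doc, net):
        findings.append("no allocation from this CIDR yet; create the VPC first")
    return findings


def blocking_resources(allocations_doc, cidr):
    """Resource IDs still allocated from `cidr`. The list must be empty before
    the CIDR can be deprovisioned from the Regional pool during cleanup."""
    net = ipaddress.ip_network(cidr)
    return [a["ResourceId"] for a in allocations_within(allocations_doc, net)]


# Sample documents, constructed from the tutorial's output (Steps 5, 6 and 8).
REGIONAL_POOL = {
    "IpamPoolId": "ipam-pool-0053b7d2b4fc3f730", "Locale": "us-west-2",
    "AddressFamily": "ipv6", "Advertisable": True, "ServiceType": "ec2",
    "State": "create-complete",
}
POOL_CIDRS = {"IpamPoolCidrs": [
    {"Cidr": "2605:9cc0:409::/48", "State": "provisioned"}]}
ALLOCATIONS = {"IpamPoolAllocations": [
    {"Cidr": "2605:9cc0:409::/56", "ResourceId": "vpc-00b5573ffc3b31a29",
     "ResourceType": "vpc", "ResourceOwner": "123456789012"}]}
NO_ALLOCATIONS = {"IpamPoolAllocations": []}

if __name__ == "__main__":
    for label, region in (("pool locale", "us-west-2"),
                          ("IPAM home Region", "us-east-1")):
        problems = preflight_advertise(region, "2605:9cc0:409::/48",
                                       REGIONAL_POOL, POOL_CIDRS, ALLOCATIONS)
        print(f"--region {region} ({label}):", problems or "ok to advertise")
    print("blocking cleanup:",
          blocking_resources(ALLOCATIONS, "2605:9cc0:409::/48"))
```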

## Step 10: Cleanup
<a name="tutorials-byoip-ipam-ipv4-cleanup"></a>

Follow the steps in this section to clean up the resources you've provisioned and created in this tutorial. When you run the commands in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

**Clean up using the AWS CLI**

1. Run the following command to view the VPC allocation managed in IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   The output shows the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "2605:9cc0:409::/56",
               "IpamPoolAllocationId": "ipam-pool-alloc-5f8db726fb9e4ff0a33836e649283a52",
               "ResourceId": "vpc-00b5573ffc3b31a29",
               "ResourceType": "vpc",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```

1. Run the following command to stop advertising the CIDR. When you run the command in this step, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 withdraw-byoip-cidr --region us-west-2 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR State has changed from **advertised** to **provisioned**.

   ```
   {
       "ByoipCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "provisioned"
       }
   }
   ```

1. Run the following command to delete the VPC. When you run the command in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

   This step must be done by the member account.

   ```
   aws ec2 delete-vpc --region us-west-2 --vpc-id vpc-00b5573ffc3b31a29 --profile member-account
   ```

   You will not see any output when you run this command.

1. Run the following command to view the VPC allocation in IPAM. It can take some time for IPAM to discover that the VPC has been deleted and remove this allocation. When you run the commands in this section, the value for `--region` must match the `--locale` option you entered when you created the Regional pool that will be used for the BYOIP CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   The output shows the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "2605:9cc0:409::/56",
               "IpamPoolAllocationId": "ipam-pool-alloc-5f8db726fb9e4ff0a33836e649283a52",
               "ResourceId": "vpc-00b5573ffc3b31a29",
               "ResourceType": "vpc",
               "ResourceOwner": "123456789012"
           }
       ]
   }
   ```

   Rerun the command and look for the allocation to be removed. You cannot continue to clean up and deprovision the IPAM pool CIDR until you see that the allocation has been removed from IPAM.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   The output shows the allocation removed from IPAM.

   ```
   {
       "IpamPoolAllocations": []
   }
   ```

1. Delete the RAM shares and disable RAM integration with AWS Organizations. Complete the steps in [Deleting a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) and [Disabling resource sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/security-disable-sharing-with-orgs.html) in the *AWS RAM User Guide*, in that order, to delete the RAM shares and disable RAM integration with AWS Organizations.

   This step must be done by the IPAM account and the management account, respectively. If you are using the AWS CLI to delete the RAM shares and disable RAM integration, use the `--profile ipam-account` and `--profile management-account` options.

1. Run the following command to deprovision the Regional pool CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending deprovision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "pending-deprovision"
       }
   }
   ```

   Deprovisioning takes time to complete. Continue to run the command until you see the CIDR state **deprovisioned**.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   Once deprovisioning has completed, the output shows the CIDR state **deprovisioned**.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "deprovisioned"
       }
   }
   ```

1. Run the following command to delete the Regional pool.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-0053b7d2b4fc3f730 --profile ipam-account
   ```

   In the output, you can see the delete state.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0053b7d2b4fc3f730",
           "SourceIpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0053b7d2b4fc3f730",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-east-1",
           "PoolDepth": 2,
           "State": "delete-in-progress",
           "Description": "reg-ipv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6"
       }
   }
   ```

1. Run the following command to deprovision the top-level pool CIDR.

   This step must be done by the IPAM account.

   ```
   aws ec2 deprovision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --cidr 2605:9cc0:409::/48 --profile ipam-account
   ```

   In the output, you'll see the CIDR pending deprovision.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "pending-deprovision"
       }
   }
   ```

   Deprovisioning takes time to complete. Run the following command to check the status of deprovisioning.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --profile ipam-account
   ```

   Wait until you see **deprovisioned** before you continue to the next step.

   ```
   {
       "IpamPoolCidr": {
           "Cidr": "2605:9cc0:409::/48",
           "State": "deprovisioned"
       }
   }
   ```

1. Run the following command to delete the top-level pool.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-07f2466c7158b50c4 --profile ipam-account
   ```

   In the output, you can see the delete state.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0053b7d2b4fc3f730",
           "SourceIpamPoolId": "ipam-pool-07f2466c7158b50c4",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0053b7d2b4fc3f730",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-east-1",
           "PoolDepth": 2,
           "State": "delete-in-progress",
           "Description": "reg-ipv6-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv6"
       }
   }
   ```

1. Run the following command to delete the IPAM.

   This step must be done by the IPAM account.

   ```
   aws ec2 delete-ipam --region us-east-1 --ipam-id ipam-090e48e75758de279 --profile ipam-account
   ```

   In the output, you'll see the IPAM response. This means that the IPAM was deleted.

   ```
   {
       "Ipam": {
           "OwnerId": "123456789012",
           "IpamId": "ipam-090e48e75758de279",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
           "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
           "ScopeCount": 2,
           "OperatingRegions": [
               {
                   "RegionName": "us-east-1"
               },
               {
                   "RegionName": "us-west-2"
               }
           ]
       }
   }
   ```
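The cleanup steps above form a dependency chain: the Regional pool CIDR cannot be deprovisioned while the CIDR is still advertised or while IPAM still holds the VPC allocation, and the top-level pool CIDR cannot go until the Regional pool is gone. The following Python is an added example, not part of the AWS documentation: it encodes that order for the IPAM-account steps, with the EC2 client injected so it runs offline against the constructed `FakeEc2` below (with boto3 you would pass `boto3.Session(profile_name="ipam-account").client("ec2", region_name="us-west-2")` instead). The fake's state rules and polling counts are assumptions; the pool IDs and CIDR are the tutorial's sample values, and the member account's VPC deletion and the RAM share removal are left to the operator.

```python
"""Ordered IPAM cleanup for a BYOIP CIDR (added example; not AWS documentation code)."""
import time


class CleanupError(RuntimeError):
    """Raised when IPAM does not reach the expected state in time."""


def wait_until(check, timeout_s=900, interval_s=10, sleep=time.sleep):
    """Poll check() until it returns True; raise CleanupError on timeout."""
    deadline = time.monotonic() + timeout_s
    while not check():
        if time.monotonic() >= deadline:
            raise CleanupError("timed out waiting for IPAM state change")
        sleep(interval_s)


def pool_cidr_state(ec2, pool_id, cidr):
    """State of one CIDR in a pool; a CIDR that is no longer listed is gone."""
    for entry in ec2.get_ipam_pool_cidrs(IpamPoolId=pool_id)["IpamPoolCidrs"]:
        if entry["Cidr"] == cidr:
            return entry["State"]
    return "deprovisioned"


def deprovision_and_delete_pool(ec2, pool_id, cidr, sleep=time.sleep):
    """Deprovision the pool CIDR, poll until 'deprovisioned', then delete the pool."""
    state = ec2.deprovision_ipam_pool_cidr(IpamPoolId=pool_id, Cidr=cidr)["IpamPoolCidr"]["State"]
    if state not in ("pending-deprovision", "deprovisioned"):
        raise CleanupError(f"unexpected state {state!r} for {cidr} in {pool_id}")
    wait_until(lambda: pool_cidr_state(ec2, pool_id, cidr) == "deprovisioned", sleep=sleep)
    return ec2.delete_ipam_pool(IpamPoolId=pool_id)["IpamPool"]["State"]


def release_byoip_cidr(ec2, regional_pool_id, top_pool_id, cidr, sleep=time.sleep):
    """Run the IPAM-account cleanup steps in dependency order; return a log of states."""
    log = [("withdraw", ec2.withdraw_byoip_cidr(Cidr=cidr)["ByoipCidr"]["State"])]
    # A VPC allocation blocks deprovisioning. The member account deletes the VPC and
    # IPAM drops the allocation some time later, so poll instead of assuming it is gone.
    wait_until(lambda: not ec2.get_ipam_pool_allocations(IpamPoolId=regional_pool_id)["IpamPoolAllocations"], sleep=sleep)
    log.append(("allocations", "empty"))
    log.append(("regional-pool", deprovision_and_delete_pool(ec2, regional_pool_id, cidr, sleep)))
    log.append(("top-level-pool", deprovision_and_delete_pool(ec2, top_pool_id, cidr, sleep)))
    return log


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client that enforces IPAM's ordering rules."""

    def __init__(self, regional_pool_id, top_pool_id, cidr, allocation_polls=2):
        self.cidr, self.advertised = cidr, True
        self.pools = {regional_pool_id: "provisioned", top_pool_id: "provisioned"}
        self.children = {top_pool_id: {regional_pool_id}, regional_pool_id: set()}
        self.regional_pool_id = regional_pool_id
        self.allocation_polls = allocation_polls  # polls before IPAM drops the VPC allocation

    def withdraw_byoip_cidr(self, Cidr):
        self.advertised = False
        return {"ByoipCidr": {"Cidr": Cidr, "State": "provisioned"}}

    def get_ipam_pool_allocations(self, IpamPoolId):
        if self.allocation_polls > 0:
            self.allocation_polls -= 1
            return {"IpamPoolAllocations": [{"Cidr": "2605:9cc0:409::/56", "ResourceType": "vpc"}]}
        return {"IpamPoolAllocations": []}

    def deprovision_ipam_pool_cidr(self, IpamPoolId, Cidr):
        if self.advertised:
            raise RuntimeError("withdraw the CIDR before deprovisioning it")
        if IpamPoolId == self.regional_pool_id and self.allocation_polls > 0:
            raise RuntimeError("pool still has a VPC allocation")
        if self.children[IpamPoolId]:
            raise RuntimeError("delete child pools first")
        self.pools[IpamPoolId] = "pending-deprovision"
        return {"IpamPoolCidr": {"Cidr": Cidr, "State": "pending-deprovision"}}

    def get_ipam_pool_cidrs(self, IpamPoolId):
        state = self.pools[IpamPoolId]
        if state == "pending-deprovision":  # first poll reports pending, the next deprovisioned
            self.pools[IpamPoolId] = "deprovisioned"
        return {"IpamPoolCidrs": [{"Cidr": self.cidr, "State": state}]}

    def delete_ipam_pool(self, IpamPoolId):
        if self.pools[IpamPoolId] != "deprovisioned":
            raise RuntimeError("pool CIDR must be deprovisioned before deletion")
        del self.pools[IpamPoolId]
        for kids in self.children.values():
            kids.discard(IpamPoolId)
        return {"IpamPool": {"IpamPoolId": IpamPoolId, "State": "delete-in-progress"}}


if __name__ == "__main__":
    # Pool IDs and CIDR are the sample values used in the tutorial above.
    fake = FakeEc2("ipam-pool-0053b7d2b4fc3f730", "ipam-pool-07f2466c7158b50c4", "2605:9cc0:409::/48")
    for step, state in release_byoip_cidr(fake, "ipam-pool-0053b7d2b4fc3f730", "ipam-pool-07f2466c7158b50c4",
                                          "2605:9cc0:409::/48", sleep=lambda s: None):
        print(f"{step:15} {state}")
```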

# Bring your own IP to CloudFront using IPAM (supports IPv4 and IPv6)
<a name="tutorials-byoip-cloudfront"></a>

IPAM's BYOIP for global services lets you use your own IPv4 and IPv6 addresses with AWS global services like CloudFront. Unlike regional BYOIP, your IP addresses are advertised from multiple edge locations simultaneously through anycast routing.

This tutorial covers:
+ Creating global IPAM pools for IPv4 (/24) and/or IPv6 (/48) address ranges
+ Provisioning Anycast Static IP lists with your own IP addresses
+ Advertising your CIDRs globally through CloudFront edge locations
+ Dual-stack configurations using separate IPv4 and IPv6 IPAM pools

## Why use this feature?
<a name="why-use-this-feature"></a>
+ **Maintain IP allowlisting** – Use existing approved IP addresses instead of updating firewall configurations
+ **Simplify migrations** – Migrate from other CDNs without changing IP infrastructure
+ **Consistent branding** – Keep your existing IP address space when moving to AWS
+ **IPv6 readiness** – Support modern dual-stack architectures with both IPv4 and IPv6

## Who should use this feature?
<a name="who-should-use-this-feature"></a>

Organizations that need their own IP addresses with global content delivery:
+ Large enterprises with IP allowlisting requirements
+ Companies migrating from other CDNs with existing IP addresses
+ Organizations with strict security policies requiring specific IP ranges
+ Enterprises requiring dual-stack (IPv4/IPv6) configurations for global reach

## When to use this feature?
<a name="when-to-use-this-feature"></a>

Use BYOIP for global services when you need to:
+ Maintain existing IP allowlisting with partners/clients
+ Migrate from another CDN using your IP addresses
+ Meet compliance requirements for specific IP ranges
+ Deploy dual-stack architectures supporting both IPv4 and IPv6 clients

**Note**  
Requires /24 CIDR blocks for IPv4. Dual-stack (IPv4 and IPv6) requires /24 IPv4 and /48 IPv6 CIDR blocks. Currently available for CloudFront only.

## Prerequisites
<a name="prerequisites"></a>

Complete these steps before starting:
+ **IPAM setup** – [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md) and [Create an IPAM](create-ipam.md)
+ **Domain verification** – [Verify domain control](tutorials-byoip-ipam-domain-verification-methods.md)
+ **Create top-level pool(s)** – Follow steps 1-2 in [Bring your own IPv4 CIDR to IPAM](tutorials-byoip-ipam-console-ipv4.md) and/or [Bring your own IPv6 CIDR to IPAM](tutorials-byoip-ipam-console-ipv6.md)
+ **ROA (Route Origin Authorization)** – Ensure ROAs are configured for both IPv4 (/24) and IPv6 (/48) prefixes if deploying dual-stack

## Global service configuration steps
<a name="global-service-configuration-steps"></a>

The following steps differ from the standard regional BYOIP process and establish the pattern for global services. For dual-stack deployments, you'll create separate pools for IPv4 and IPv6, then provision both to CloudFront.

### Step 1: Create global pool(s) for anycast services
<a name="step-1-create-global-pool"></a>

Instead of creating a regional pool, create a global pool for anycast services:

**Console**  
To create a global pool using the console:

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. Choose **Create pool**.

1. **Source**: Choose your top-level BYOIP pool.

1. **Locale**: Choose **Global**.

1. **Service**: Choose **Global services** (appears when Global is selected).

1. **Public IP source**: Choose **BYOIP**.

1. **CIDRs to provision**: Specify your /24 CIDR range (for IPv4) or /48 CIDR range (for IPv6).

1. Choose **Create pool**.

**CLI**  
For IPv4:

```
aws ec2 create-ipam-pool \
  --ipam-scope-id scope-id \
  --locale None \
  --address-family ipv4 \
  --source-ipam-pool-id top-level-pool-id

aws ec2 provision-ipam-pool-cidr \
  --ipam-pool-id global-pool-id \
  --cidr your-ipv4-/24
```

For IPv6:

```
aws ec2 create-ipam-pool \
  --ipam-scope-id scope-id \
  --locale None \
  --address-family ipv6 \
  --source-ipam-pool-id top-level-pool-id

aws ec2 provision-ipam-pool-cidr \
  --ipam-pool-id global-pool-id \
  --cidr your-ipv6-/48
```

**Important**  
For IPv4: You must allocate the full /24 block to this pool. You can provision more specific ranges within this block for different uses.
For IPv6: You must allocate the full /48 block to this pool. You can provision more specific ranges within this block for different uses.

### Step 2: Create service-specific resources
<a name="step-2-create-service-specific-resources"></a>

For CloudFront, create an anycast IP list that uses your IPAM pool. For detailed instructions, see [Bring your own IP to CloudFront using IPAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/bring-your-own-ip-address-using-ipam.html) in the *Amazon CloudFront Developer Guide*.

**Key parameters for IPAM integration:**
+ **IP address type** – Choose **BYOIP**
+ **IPAM pool** – Select your global pool from Step 1 (IPv4 or IPv6)
+ **IP count** – Enter **3** (required for CloudFront)

### Step 3: Associate with service resources
<a name="step-3-associate-with-service-resources"></a>

Associate your Anycast Static IP list with a CloudFront distribution. For detailed instructions, see [Bring your own IP to CloudFront using IPAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/bring-your-own-ip-address-using-ipam.html) in the *Amazon CloudFront Developer Guide*.

**Key configuration:**
+ In distribution settings, select your Anycast IP List from Step 2

### Step 4: Prepare for migration
<a name="step-4-prepare-for-migration"></a>
+ **Lower DNS TTL** – Set DNS TTL for your records to 60 seconds or lower
+ **Wait for propagation** – Allow time for the new TTL to take effect across the internet

### Step 5: Advertise CIDR globally
<a name="step-5-advertise-cidr-globally"></a>

Use the IPAM global advertisement command:

**Console**  
To advertise the CIDR using the console:

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. Select your global pool.

1. Choose the **CIDRs** tab.

1. Select your CIDR and choose **Actions** > **Advertise CIDR**.

1. Confirm the advertisement.

**CLI**  
For IPv4:

```
aws ec2 advertise-byoip-cidr \
  --cidr your-ipv4-/24
```

For IPv6:

```
aws ec2 advertise-byoip-cidr \
  --cidr your-ipv6-/48
```

**Important**  
Withdraw the advertisement from your previous provider before running this command.  
Update DNS records to point to CloudFront to complete the migration (A records for IPv4, AAAA records for IPv6).

## Cleanup
<a name="cleanup"></a>

To clean up resources created in this tutorial:
+ **Delete CloudFront resources** – Follow the cleanup instructions in [Bring your own IP to CloudFront using IPAM](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/bring-your-own-ip-address-using-ipam.html) in the *Amazon CloudFront Developer Guide*
+ **Withdraw CIDR and delete IPAM pools** – Follow the standard cleanup process in [Step 8: Cleanup](tutorials-byoip-ipam-console-ipv4.md#tutorials-byoip-ipam-ipv4-console-cleanup)

**Important**  
Delete CloudFront resources first, then proceed with IPAM cleanup to avoid service disruptions.

# Tutorial: Transfer a BYOIP IPv4 CIDR to IPAM
<a name="tutorials-byoip-ipam-transfer-ipv4"></a>

Follow these steps to transfer an existing IPv4 CIDR to IPAM. If you already have an IPv4 BYOIP CIDR with AWS, you can move the CIDR to IPAM from a public IPv4 pool. You cannot move an IPv6 CIDR to IPAM.

This tutorial assumes you have already successfully brought an IP address range to AWS using the process described in [Bring your own IP addresses (BYOIP) in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) and now you want to transfer that IP address range to IPAM. If you are bringing a new IP address to AWS for the first time, complete the steps in [Tutorial: Bring your IP addresses to IPAM](tutorials-byoip-ipam.md). 

If you transfer a public IPv4 pool to IPAM, there is no impact on existing allocations. Once you transfer a public IPv4 pool to IPAM, depending on the resource type, you may be able to monitor the existing allocations. For more information, see [Monitor CIDR usage by resource](monitor-cidr-compliance-ipam.md).

**Note**  
This tutorial assumes you have already completed the steps in [Create an IPAM](create-ipam.md).
Each step of this tutorial must be done by one of two AWS accounts:  
The account for the IPAM administrator. In this tutorial, this account will be called the IPAM account.
The account in your organization which owns the BYOIP CIDR. In this tutorial, this account will be called the BYOIP CIDR owner account.

**Topics**
+ [Step 1: Create AWS CLI named profiles and IAM roles](#tutorials-byoip-ipam-ipv4-console-1)
+ [Step 2: Get your IPAM’s public scope ID](#tutorials-byoip-ipam-transfer-ipv4-2)
+ [Step 3: Create an IPAM pool](#tutorials-byoip-ipam-transfer-ipv4-3)
+ [Step 4: Share the IPAM pool using AWS RAM](#tutorials-byoip-ipam-transfer-ipv4-4)
+ [Step 5: Transfer an existing BYOIP IPV4 CIDR to IPAM](#tutorials-byoip-ipam-transfer-ipv4-5)
+ [Step 6: View the CIDR in IPAM](#tutorials-byoip-ipam-transfer-ipv4-6)
+ [Step 7: Cleanup](#tutorials-byoip-ipam-transfer-ipv4-7)

## Step 1: Create AWS CLI named profiles and IAM roles
<a name="tutorials-byoip-ipam-ipv4-console-1"></a>

To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch from one IAM role to another. [Named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles) are collections of settings and credentials that you refer to when using the `--profile` option with the AWS CLI. For more information about how to create IAM roles and named profiles for AWS accounts, see [Using an IAM role in the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html).

Create one role and one named profile for each of the two AWS accounts you will use in this tutorial:
+ A profile called `ipam-account` for the AWS account that is the IPAM administrator.
+ A profile called `byoip-owner-account` for the AWS account in your organization which owns the BYOIP CIDR.

After you have created the IAM roles and named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the `--profile` option with one of the named profiles to indicate which account must run the command.

## Step 2: Get your IPAM’s public scope ID
<a name="tutorials-byoip-ipam-transfer-ipv4-2"></a>

Follow the steps in this section to get your IPAM’s public scope ID. This step should be performed by the **ipam-account** account.

Run the following command to get your public scope ID.

```
aws ec2 describe-ipams --region us-east-1 --profile ipam-account
```

In the output, you'll see your public scope ID. Note the value of `PublicDefaultScopeId`. You will need it in the next step.

```
{
    "Ipams": [
        {
            "OwnerId": "123456789012",
            "IpamId": "ipam-090e48e75758de279",
            "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
            "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
            "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
            "ScopeCount": 2,
            "Description": "my-ipam",
            "OperatingRegions": [
                {
                    "RegionName": "us-east-1"
                },
                {
                    "RegionName": "us-west-2"
                }
            ],
            "Tags": []
        }
    ]
}
```

## Step 3: Create an IPAM pool
<a name="tutorials-byoip-ipam-transfer-ipv4-3"></a>

Follow the steps in this section to create an IPAM pool. This step should be performed by the **ipam-account** account. The IPAM pool you create must be a top-level pool with the `--locale` option matching the BYOIP CIDR AWS Region. You can only transfer a BYOIP to a top-level IPAM pool.

**Important**  
When you create the pool, you must include `--aws-service ec2`. The service you select determines the AWS service where the CIDR will be advertisable. Currently, the only option is `ec2`, which means that the CIDRs allocated from this pool will be advertisable for the Amazon EC2 service (for Elastic IP addresses) and the Amazon VPC service (for CIDRs associated with VPCs). 

**To create an IPv4 address pool for the transferred BYOIP CIDR using the AWS CLI**

1. Run the following command to create an IPAM pool. Use the ID of the public scope of the IPAM that you retrieved in the previous step.

   ```
   aws ec2 create-ipam-pool --region us-east-1 --profile ipam-account --ipam-scope-id ipam-scope-0087d83896280b594 --description "top-level-pool" --locale us-west-2 --aws-service ec2 --address-family ipv4
   ```

   In the output, you'll see `create-in-progress`, which indicates that pool creation is in progress.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-west-2",
           "PoolDepth": 1,
           "State": "create-in-progress",
           "Description": "top-level-pool",
           "AutoImport": false,
           "AddressFamily": "ipv4",
           "Tags": [],
           "AwsService": "ec2"
       }
   }
   ```

1. Run the following command until you see a state of `create-complete` in the output.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
   ```

   The following example output shows the state of the pool. You will need the **OwnerId** in the next step.

   ```
   {
       "IpamPools": [
           {
               "OwnerId": "123456789012",
               "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
               "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
               "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
               "IpamScopeType": "public",
               "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
               "Locale": "us-west-2",
               "PoolDepth": 1,
               "State": "create-complete",
               "Description": "top-level-pool",
               "AutoImport": false,
               "AddressFamily": "ipv4",
               "Tags": [],
               "AwsService": "ec2"
           }
       ]
   }
   ```

## Step 4: Share the IPAM pool using AWS RAM
<a name="tutorials-byoip-ipam-transfer-ipv4-4"></a>

Follow the steps in this section to share an IPAM pool using AWS RAM so that another AWS account can transfer an existing BYOIP IPV4 CIDR to the IPAM pool and use the IPAM pool. This step should be performed by the **ipam-account** account.

**To share an IPv4 address pool using the AWS CLI**

1. View the AWS RAM permissions available for IPAM pools. You need both ARNs to complete the steps in this section.

   ```
   aws ram list-permissions --region us-east-1 --profile ipam-account --resource-type ec2:IpamPool
   ```

   ```
   {
       "permissions": [
           {
              "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsIpamPool",
              "version": "1",
              "defaultVersion": true,
              "name": "AWSRAMDefaultPermissionsIpamPool",
              "resourceType": "ec2:IpamPool",
              "status": "ATTACHABLE",
              "creationTime": "2022-06-30T13:04:29.335000-07:00",
              "lastUpdatedTime": "2022-06-30T13:04:29.335000-07:00",
              "isResourceTypeDefault": true
           },
           {
               "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionIpamPoolByoipCidrImport",
               "version": "1",
               "defaultVersion": true,
               "name": "AWSRAMPermissionIpamPoolByoipCidrImport",
               "resourceType": "ec2:IpamPool",
               "status": "ATTACHABLE",
               "creationTime": "2022-06-30T13:03:55.032000-07:00",
               "lastUpdatedTime": "2022-06-30T13:03:55.032000-07:00",
               "isResourceTypeDefault": false
           }
       ]
   }
   ```

1. Create a resource share to enable the **byoip-owner-account** account to import BYOIP CIDRs to IPAM. The value for `--resource-arns` is the ARN of the IPAM pool that you created in the previous section. The value for `--principals` is the account ID of the BYOIP CIDR owner account. The value for `--permission-arns` is the ARN of the `AWSRAMPermissionIpamPoolByoipCidrImport` permission.

   ```
   aws ram create-resource-share --region us-east-1 --profile ipam-account --name PoolShare2 --resource-arns arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035 --principals 111122223333 --permission-arns arn:aws:ram::aws:permission/AWSRAMPermissionIpamPoolByoipCidrImport
   ```

   ```
   {
       "resourceShare": {
           "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/7993758c-a4ea-43ad-be12-b3abaffe361a",
           "name": "PoolShare2",
           "owningAccountId": "123456789012",
           "allowExternalPrincipals": true,
           "status": "ACTIVE",
           "creationTime": "2023-04-28T07:32:25.536000-07:00",
           "lastUpdatedTime": "2023-04-28T07:32:25.536000-07:00"
       }
   }
   ```

1. (Optional) If you want to allow the **byoip-owner-account** account to allocate IP address CIDRS from the IPAM pool to public IPv4 pools after the transfer is complete, copy the ARN for `AWSRAMDefaultPermissionsIpamPool` and create a second resource share. The value for `--resource-arns` is the ARN of the IPAM pool that you created in the previous section. The value for `--principals` is the account ID of the BYOIP CIDR owner account. The value for `--permission-arns` is the ARN of the `AWSRAMDefaultPermissionsIpamPool` permission.

   ```
   aws ram create-resource-share --region us-east-1 --profile ipam-account --name PoolShare1 --resource-arns arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035 --principals 111122223333 --permission-arns arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsIpamPool
   ```

   ```
   {
       "resourceShare": {
           "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/8d1e229b-2830-4cf4-8b10-19c889235a2f",
           "name": "PoolShare1",
           "owningAccountId": "123456789012",
           "allowExternalPrincipals": true,
           "status": "ACTIVE",
           "creationTime": "2023-04-28T07:31:25.536000-07:00",
           "lastUpdatedTime": "2023-04-28T07:31:25.536000-07:00"
       }
   }
   ```

As a result of creating the resource share in RAM, the byoip-owner-account account can now move CIDRs to IPAM.

## Step 5: Transfer an existing BYOIP IPV4 CIDR to IPAM
<a name="tutorials-byoip-ipam-transfer-ipv4-5"></a>

Follow the steps in this section to transfer an existing BYOIP IPV4 CIDR to IPAM. This step should be performed by the **byoip-owner-account** account.

**Important**  
Once you bring an IPv4 address range to AWS, you can use all of the IP addresses in the range, including the first address (the network address) and the last address (the broadcast address).

To transfer the BYOIP CIDR to IPAM, the BYOIP CIDR owner must have these permissions in their IAM policy:
+ `ec2:MoveByoipCidrToIpam`
+ `ec2:ImportByoipCidrToIpam`

**Note**  
You can use either the AWS Management Console or the AWS CLI for this step.

------
#### [ AWS Management Console ]

**To transfer a BYOIP CIDR to the IPAM pool:**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/) as the **byoip-owner-account** account.

1. In the navigation pane, choose **Pools**.

1. Choose the top-level pool created and shared in this tutorial.

1. Choose **Actions** > **Transfer BYOIP CIDR**.

1. Choose **Transfer BYOIP CIDR**.

1. Choose your BYOIP CIDR.

1. Choose **Provision**.

------
#### [ Command line ]

Use the following AWS CLI commands to transfer a BYOIP CIDR to the IPAM pool:

1. Run the following command to transfer the CIDR. Ensure that the `--region` value is the AWS Region of the BYOIP CIDR.

   ```
   aws ec2 move-byoip-cidr-to-ipam --region us-west-2 --profile byoip-owner-account --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --ipam-pool-owner 123456789012 --cidr 130.137.249.0/24
   ```

   In the output, the CIDR is in the `pending-transfer` state: the transfer has started but is not yet complete.

   ```
   {
       "ByoipCidr": {                                                                 
           "Cidr": "130.137.249.0/24",                                              
           "State": "pending-transfer"                                                      
       }                                                                              
   }
   ```

1. Ensure that the CIDR has been transferred. Run the following command until you see a state of `complete-transfer` in the output.

   ```
   aws ec2 move-byoip-cidr-to-ipam --region us-west-2  --profile byoip-owner-account --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --ipam-pool-owner 123456789012 --cidr 130.137.249.0/24
   ```

   The following example output shows the state.

   ```
   {
       "ByoipCidr": {                                                                 
           "Cidr": "130.137.249.0/24",                                              
           "State": "complete-transfer"                                                      
       }                                                                              
   }
   ```

------
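
The second command above has to be repeated until the state changes, which is easy to get wrong under time pressure (a forgotten window, or a loop with no upper bound). The following added shell script is not part of the AWS tutorial; it wraps that check in a bounded polling loop that stops early if the CIDR lands in a failure state. It assumes the state is read with the tutorial's own `move-byoip-cidr-to-ipam` call (the `byoip_transfer_state` function and its IDs are the tutorial's values), that the CLI prints its default JSON output, and that failure states begin with `failed-` (an assumption; compare against the states your account reports). The state-reporting command is passed in by name so the loop can be exercised offline with a stub.

```shell
#!/bin/sh
# Added example (not AWS's own code): poll a BYOIP CIDR transfer until it
# reaches the wanted state, with a bounded number of attempts, instead of
# re-running the CLI command by hand. The state-reporting command is passed in
# by name so the loop can be tested offline with a stub function.

# Pull the "State" value out of the aws CLI's default JSON output.
extract_state() {
    sed -n 's/.*"State": *"\([^"]*\)".*/\1/p' | head -n 1
}

# wait_for_state <state_cmd> <wanted_state> <max_attempts> <sleep_seconds>
# Returns 0 once <state_cmd> reports <wanted_state>, 1 on a terminal failure
# state (assumption: failure states begin with "failed-"), 2 on timeout.
wait_for_state() {
    state_cmd=$1; wanted=$2; max_attempts=$3; delay=$4
    attempt=0; state=
    while [ "$attempt" -lt "$max_attempts" ]; do
        attempt=$(( attempt + 1 ))
        state=$("$state_cmd" | extract_state)
        case "$state" in
            "$wanted")
                echo "state is '$state' after $attempt attempt(s)" >&2
                return 0 ;;
            failed-*)
                echo "transfer ended in state '$state'" >&2
                return 1 ;;
        esac
        sleep "$delay"
    done
    echo "gave up after $max_attempts attempts; last state was '${state:-unknown}'" >&2
    return 2
}

# State command for the tutorial's CIDR, using the tutorial's own IDs and
# the same command the tutorial tells you to repeat.
byoip_transfer_state() {
    aws ec2 move-byoip-cidr-to-ipam --region us-west-2 --profile byoip-owner-account \
        --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --ipam-pool-owner 123456789012 \
        --cidr 130.137.249.0/24 --output json
}

# Poll every 30 seconds for up to 20 attempts (10 minutes):
#   sh this_script.sh --wait
if [ "${1:-}" = "--wait" ]; then
    wait_for_state byoip_transfer_state complete-transfer 20 30
fi
```

The exit code distinguishes "done" (0), "failed" (1) and "still pending when the budget ran out" (2), so a wrapper script can decide whether to continue to Step 6 or to stop and investigate.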

## Step 6: View the CIDR in IPAM
<a name="tutorials-byoip-ipam-transfer-ipv4-6"></a>

Follow the steps in this section to view the CIDR in IPAM. This step should be performed by the **ipam-account** account.

**To view the transferred BYOIP CIDR in IPAM pool using the AWS CLI**
+ Run the following command to view the allocation managed in IPAM. Ensure that the `--region` value is the AWS Region of the BYOIP CIDR.

  ```
  aws ec2 get-ipam-pool-allocations --region us-west-2  --profile ipam-account --ipam-pool-id ipam-pool-0d8f3646b61ca5987
  ```

  The output shows the allocation in IPAM.

  ```
  {
      "IpamPoolAllocations": [
          {
              "Cidr": "130.137.249.0/24",
              "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc46",
              "ResourceId": "ipv4pool-ec2-0019eed22a684e0b3",
              "ResourceType": "ec2-public-ipv4-pool",
              "ResourceOwner": "111122223333"
          }
      ]
  }
  ```

## Step 7: Cleanup
<a name="tutorials-byoip-ipam-transfer-ipv4-7"></a>

Follow the steps in this section to remove the resources you created in this tutorial. This step should be performed by the **ipam-account** account.

**To clean up the resources created in this tutorial using the AWS CLI**

1. To delete the IPAM pool shared resource, run the following command to get the first resource share ARN:

   ```
   aws ram get-resource-shares --region us-east-1 --profile ipam-account --name PoolShare1 --resource-owner SELF
   ```

   ```
   {
       "resourceShares": [
           {
               "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/8d1e229b-2830-4cf4-8b10-19c889235a2f",
               "name": "PoolShare1",
               "owningAccountId": "123456789012",
               "allowExternalPrincipals": true,
               "status": "ACTIVE",
               "creationTime": "2023-04-28T07:31:25.536000-07:00",
               "lastUpdatedTime": "2023-04-28T07:31:25.536000-07:00",
               "featureSet": "STANDARD"
           }
       ]
   }
   ```

1. Copy the resource share ARN and use it to delete the IPAM pool resource share. 

   ```
   aws ram delete-resource-share --region us-east-1 --profile ipam-account --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/8d1e229b-2830-4cf4-8b10-19c889235a2f
   ```

   ```
   {                      
       "returnValue": true
   }
   ```

1. If you created an additional resource share in [Step 4: Share the IPAM pool using AWS RAM](#tutorials-byoip-ipam-transfer-ipv4-4), repeat the previous two steps to get the second resource share ARN for `PoolShare2` and delete the second resource share.

1. Run the following command to get the allocation ID for the BYOIP CIDR. Ensure that the `--region` value matches the AWS Region of the BYOIP CIDR.

   ```
   aws ec2 get-ipam-pool-allocations --region us-west-2  --profile ipam-account --ipam-pool-id ipam-pool-0d8f3646b61ca5987
   ```

   The output shows the allocation in IPAM.

   ```
   {
       "IpamPoolAllocations": [
           {
               "Cidr": "130.137.249.0/24",
               "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc46",
               "ResourceId": "ipv4pool-ec2-0019eed22a684e0b3",
               "ResourceType": "ec2-public-ipv4-pool",
               "ResourceOwner": "111122223333"
           }
       ]
   }
   ```

1. Release the CIDR from the public IPv4 pool. When you run the command in this section, the value for `--region` must match the Region of your IPAM.

   This step must be done by the **byoip-owner-account** account.

   ```
   aws ec2 deprovision-public-ipv4-pool-cidr --region us-east-1  --profile byoip-owner-account --pool-id ipv4pool-ec2-0019eed22a684e0b3 --cidr 130.137.249.0/24
   ```

1. View your BYOIP CIDRs again and ensure there are no more provisioned addresses. When you run the command in this section, the value for `--region` must match the Region of your IPAM.

   This step must be done by the **byoip-owner-account** account.

   ```
   aws ec2 describe-public-ipv4-pools --region us-east-1 --profile byoip-owner-account
   ```

   In the output, the public IPv4 pool has no address ranges left and both address counts are zero.

   ```
   {
       "PublicIpv4Pools": [
           {
               "PoolId": "ipv4pool-ec2-0019eed22a684e0b3",
               "Description": "",
               "PoolAddressRanges": [],
               "TotalAddressCount": 0,
               "TotalAvailableAddressCount": 0,
               "NetworkBorderGroup": "us-east-1",
               "Tags": []
           }
       ]
   }
   ```

1. Run the following command to delete the top-level pool.

   ```
   aws ec2 delete-ipam-pool --region us-east-1  --profile ipam-account --ipam-pool-id ipam-pool-0a03d430ca3f5c035
   ```

   In the output, you can see the delete state.

   ```
   {
       "IpamPool": {
           "OwnerId": "123456789012",
           "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
           "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
           "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
           "IpamScopeType": "public",
           "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
           "Locale": "us-east-1",
           "PoolDepth": 2,
           "State": "delete-in-progress",
           "Description": "top-level-pool",
           "AutoImport": false,
           "Advertisable": true,
           "AddressFamily": "ipv4",
           "AwsService": "ec2"
       }
   }
   ```

# Tutorial: Plan VPC IP address space for subnet IP allocations
<a name="tutorials-subnet-planning"></a>

Complete this tutorial to plan the VPC IP address space for allocating IP addresses to VPC subnets and monitor IP address-related metrics at the subnet and VPC level.

**Note**  
This tutorial covers allocating private IPv4 address space in a private IPAM scope to VPCs and subnets. You can also complete this tutorial using an IPv6 CIDR range by creating the VPC with an Amazon-provided IPv6 CIDR block option on the VPC console.

Planning VPC IP address space for subnets enables you to do the following:
+ **Plan and organize your VPC’s IP addresses for allocation to subnets**: You can divide VPC IP address space into smaller CIDR blocks and provision those CIDR blocks to subnets with different business needs, such as if you're running workloads in development or production subnets.
+ **Simplify IP address allocations for VPC subnets**: Once your VPC’s address space is planned and organized, you can choose a netmask length rather than manually inputting a CIDR. For example, if a developer is creating a subnet for hosting development workloads, they need to choose a pool and a netmask length for the subnet and IPAM will automatically allocate the CIDR block to your subnet.

The following example shows the hierarchy of the pool and resource structure that you will create with this tutorial:
+ Private scope
  + Resource planning pool (10.0.0.0/20)
    + Dev subnet pool (10.0.0.0/24)
      + Dev subnet (10.0.0.0/28)
    + Prod subnet pool (10.0.1.0/24)
      + Prod subnet (10.0.1.0/28)

**Important**  
The resource planning pool can be used to allocate CIDRs to subnets or it can be used as a source pool in which you can create other pools. In this tutorial, we use the resource planning pool as a source pool for subnet pools.
You can create multiple resource planning pools using the same VPC if the VPC has more than one CIDR provisioned to it; if a VPC has two CIDRs assigned to it, for example, you can create two resource planning pools, one from each CIDR. Each CIDR can be assigned to one pool at a time.
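
A plan like the one above is easy to get wrong by hand: a CIDR written with host bits set (10.0.0.1/24, say) is really 10.0.0.0/24 and would collide with the dev pool, and IPAM does not allow overlapping CIDRs within one scope. The following shell script is an added example, not part of the AWS tutorial. It checks a plan before you create any pools: each pool CIDR must be a proper network address, must lie inside the VPC CIDR, and the sibling pools must not overlap. It runs entirely offline on the tutorial's CIDRs and makes no AWS calls; the function names are my own.

```shell
#!/bin/sh
# Added example (not AWS's own code): validate a VPC -> subnet-pool plan before
# creating it in IPAM. Pure POSIX sh, no AWS calls; the CIDRs at the bottom are
# the tutorial's plan.

# ip_to_int 10.0.1.0 -> 167772416. Runs in a subshell so the IFS change stays local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_range 10.0.0.0/20 -> "first last" as integers, with host bits cleared.
cidr_range() {
    ip=${1%/*}; len=${1#*/}
    base=$(ip_to_int "$ip")
    size=$(( 1 << (32 - len) ))
    first=$(( base & ~(size - 1) ))
    echo "$first $(( first + size - 1 ))"
}

# cidr_is_aligned <cidr>: true if the address given is the network address.
cidr_is_aligned() {
    ip=${1%/*}
    set -- $(cidr_range "$1")
    [ "$1" -eq "$(ip_to_int "$ip")" ]
}

# cidr_contains <parent> <child>: true if child lies entirely inside parent.
cidr_contains() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

# cidr_overlaps <a> <b>: true if the two ranges share at least one address.
cidr_overlaps() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$3" -le "$2" ] && [ "$1" -le "$4" ]
}

# check_plan <parent_cidr> <pool_cidr>...: every pool must be aligned and inside
# the parent, and no two pools may overlap. Prints each problem; returns 1 if any.
check_plan() {
    parent=$1; shift
    rc=0
    for pool in "$@"; do
        cidr_is_aligned "$pool" || { echo "$pool: host bits are set, not a network address"; rc=1; }
        cidr_contains "$parent" "$pool" || { echo "$pool: not inside $parent"; rc=1; }
    done
    while [ $# -gt 1 ]; do
        pool=$1; shift
        for other in "$@"; do
            if cidr_overlaps "$pool" "$other"; then echo "$pool overlaps $other"; rc=1; fi
        done
    done
    return $rc
}

# The tutorial's plan: VPC /20 -> two /24 subnet pools -> one /28 subnet each.
check_plan 10.0.0.0/20 10.0.0.0/24 10.0.1.0/24 && echo "subnet pools OK"
check_plan 10.0.0.0/24 10.0.0.0/28 && echo "dev subnet OK"
check_plan 10.0.1.0/24 10.0.1.0/28 && echo "prod subnet OK"
```

Run the same `check_plan` against a mistaken plan such as `10.0.0.0/20 10.0.0.0/24 10.0.0.1/24` and it reports both the misaligned address and the overlap before anything reaches IPAM.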

## Step 1: Create a VPC
<a name="tutorials-subnet-planning-1"></a>

Complete the steps in this section to create a VPC to be used for subnet IP address planning. For more information about the IAM permissions that are required to create VPCs, see [Amazon VPC policy examples](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html) in the *Amazon VPC User Guide*.

**Note**  
You can use an existing VPC rather than creating a new one, but this tutorial focuses on the scenario where the VPC's CIDR block was entered manually, not allocated automatically from an IPAM pool.

**To create a VPC**

1. Using the IPAM admin account, open the VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Choose **Create VPC**.

1. Enter a name for the VPC, such as tutorial-vpc.

1. Choose **IPv4 CIDR manual input** and enter an IPv4 CIDR block. In this tutorial, we use 10.0.0.0/20.

1. Skip the option to add an IPv6 CIDR block.

1. Choose **Create VPC**.

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. Choose **Resources** in the left navigation pane.

1. Wait for the VPC that you created to appear. This takes some time to happen and you may need to refresh the window to see it appear. The VPC must be discovered by IPAM before you continue to the next step.

## Step 2: Create a resource planning pool
<a name="tutorials-subnet-planning-2"></a>

Complete the steps in this section to create a resource planning pool.

**To create a resource planning pool**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope.

1. Choose **Create pool**.

1. Under **IPAM scope**, leave the private scope selected.

1. (Optional) Add a **Name tag** for the pool, such as “Resource-planning-pool”.

1. Under **Source**, choose **IPAM scope**. 

1. Under **Resource planning**, choose **Plan IP space within a VPC** and choose the VPC you created in the previous step. The VPC is the resource used to provision CIDRs to the resource planning pool.

1. Under **CIDRs to provision**, choose the VPC CIDR to provision for the resource pool. The CIDR you provision to the resource planning pool must match the CIDR provisioned to the VPC. In this tutorial, we use 10.0.0.0/20.

1. Choose **Create pool**.

1. Once the pool is created, choose the **CIDR** tab to see the state of the provisioned CIDR. Refresh the page and wait for the CIDR state to change from *Pending-provision* to *Provisioned* before you go to the next step.

## Step 3: Create subnet pools
<a name="tutorials-subnet-planning-3"></a>

Complete the steps in this section to create two subnet pools that will be used for allocating IP space to subnets.

**To create subnet pools**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope.

1. Choose **Create pool**.

1. Under **IPAM scope**, leave the private scope selected.

1. (Optional) Add a **Name tag** for the pool, such as “dev-subnet-pool”.

1. Under **Source**, choose **IPAM pool** and select the resource planning pool you created in Step 2. The address family, Resource planning configuration, and Locale are automatically inherited from the source pool.

1. Under **CIDRs to provision**, choose the CIDR to provision for the subnet pool. In this tutorial, we use 10.0.0.0/24.

1. Choose **Create pool**.

1. Once the pool is created, choose the **CIDR** tab to see the state of the provisioned CIDR. Refresh the page and wait for the CIDR state to change from *Pending-provision* to *Provisioned* before you go to the next step.

1. Repeat this process to create another subnet pool named “prod-subnet-pool”. Provision it from the resource planning pool with a CIDR that does not overlap the dev pool; in this tutorial, we use 10.0.1.0/24.

At this point, if you want to make this subnet pool available to other AWS accounts, you can share the subnet pool. For instructions on how to do that, see [Share an IPAM pool using AWS RAM](share-pool-ipam.md). Then return here to complete the tutorial.

## Step 4: Create subnets
<a name="tutorials-subnet-planning-4"></a>

Complete these steps to create two subnets.

**To create subnets**

1. Using the appropriate account, open the VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Choose **Subnets** > **Create subnet**.

1. Choose the VPC you created at the start of this tutorial.

1. Enter a name for the subnet, such as "tutorial-subnet".

1. (optional) Choose an **Availability Zone**.

1. Under **IPv4 CIDR block**, choose **IPAM-allocated IPV4 CIDR block** and choose the dev subnet pool and a /28 netmask.

1. Choose **Create subnet**.

1. Repeat this process to create another subnet. This time choose the prod subnet pool and a /28 netmask.

1. Return to the IPAM console and choose **Resources** in the left navigation pane.

1. Look for the subnet pools you created and wait for the subnets that you created to appear beneath them. This takes some time, and you may need to refresh the window to see them.

The tutorial is complete. You can create additional subnet pools as needed, or you can launch an EC2 instance into one of the subnets.

IPAM publishes metrics related to IP address usage in subnets. You can set CloudWatch alarms on the SubnetIPUsage metric, thereby allowing you to take action when IP utilization thresholds are breached. If, for example, you have a /24 CIDR (256 IP addresses) assigned to a subnet and you want to be notified when 80% of the IPs have been utilized, you can set up a CloudWatch alarm to alert you when this threshold is reached. For more information on creating an alarm for subnet IP usage, see [Quick tip for creating alarms](cloudwatch-ipam-res-util.md#cloudwatch-ipam-res-util-tip).

## Step 5: Cleanup
<a name="tutorials-subnet-planning-5"></a>

Complete these steps to delete the resources you created with this tutorial.

**To clean up the resources**

1. Using the IPAM admin account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the navigation pane, choose **Pools**.

1. Choose the private scope.

1. Choose the resource planning pool and choose **Action** > **Delete**.

1. Select **Cascade delete**. The resource planning pool and the subnet pools will be deleted. This will not delete the subnets themselves. They will stay with CIDRs provisioned to them, though the CIDRs will no longer be from an IPAM pool.

1. Choose **Delete**.

1. [Delete the subnets](https://docs.aws.amazon.com/vpc/latest/userguide/subnet-deleting.html).

1. [Delete the VPC](https://docs.aws.amazon.com/vpc/latest/userguide/delete-vpc.html).

Cleanup is complete.

# Allocate sequential Elastic IP addresses from an IPAM pool
<a name="tutorials-eip-pool"></a>

IPAM enables you to provision Amazon-owned public IPv4 blocks to IPAM pools and allocate sequential [Elastic IP addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) from those pools to AWS resources. 

Contiguously-allocated Elastic IP addresses are public IPv4 addresses that are allocated sequentially. For example, if Amazon provides you a public IPv4 CIDR block of `192.0.2.0/30` and you allocate the four available public IPv4 addresses from that CIDR block, an example of four sequential Elastic IP addresses is `192.0.2.0`, `192.0.2.1`, `192.0.2.2`, and `192.0.2.3`.

Contiguously-allocated Elastic IP addresses enable you to simplify your security and networking rules in the following ways:
+ **Security administration**: Using sequential IPv4 addresses reduces your firewall management overhead. You can allow an entire prefix with a single rule and associate IPs from the same prefix as you scale, saving time and effort. Because the whole Amazon-provided block is provisioned to your pool, a rule for that prefix admits only addresses you control, as long as the block stays provisioned to the pool.
+ **Enterprise access**: You can simplify the address space shared with your clients by using an entire CIDR block instead of a long list of individual public IPv4 addresses. This avoids the need to constantly communicate IP changes as your application scales on AWS.
+ **Simplified IP management**: Using sequential IPv4 addresses simplifies public IP management for your central networking team, as it reduces the need to track individual public IPs and instead allows them to focus on a limited number of IP prefixes.

In this tutorial, you'll go through the steps required to allocate sequential Elastic IP addresses from an IPAM pool. You'll create an IPAM pool with an Amazon-provided contiguous public IPv4 CIDR block, allocate Elastic IP addresses from the pool, and learn how to monitor IPAM pool allocations.

**Note**  
There are charges associated with provisioning Amazon-owned public IPv4 CIDR blocks. For more information, see the **Amazon-provided contiguous IPv4 block** tab on the [Amazon VPC pricing page](https://aws.amazon.com//vpc/pricing/).
This tutorial assumes you are [using IPAM with a single account](enable-single-user-ipam.md). If you want to share Amazon-owned contiguous public IPv4 blocks across accounts, first [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md) and then [Share an IPAM pool using AWS RAM](share-pool-ipam.md). If you integrate with AWS Organizations, you can also create a [service control policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) that denies deprovisioning of the contiguous IPv4 blocks assigned to the pool, so that a prefix your firewall rules and clients depend on cannot be removed by a member account.
You cannot [transfer](https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithEIPs.html#transfer-EIPs-intro) sequential Elastic IP addresses allocated from an IPAM pool to other AWS accounts. Instead, IPAM allows you to share IPAM pools across AWS accounts by integrating IPAM with AWS Organizations (as mentioned above).
There are limits on the number of Amazon-owned public IPv4 CIDR blocks you can provision and their size. For more information, see [Quotas for your IPAM](quotas-ipam.md).

**Topics**
+ [Step 1: Create an IPAM](#tutorials-eip-pool-1)
+ [Step 2: Create an IPAM pool and provision a CIDR](#tutorials-eip-pool-2)
+ [Step 3: Allocate an Elastic IP address from the pool](#tutorials-eip-pool-3)
+ [Step 4: Associate the Elastic IP address with an EC2 instance](#tutorials-eip-pool-4)
+ [Step 5: Track and monitor pool usage](#track-monitor-eips-ipam)
+ [Cleanup](#tutorials-eip-pool-cleanup)

## Step 1: Create an IPAM
<a name="tutorials-eip-pool-1"></a>

Complete the steps in this section to create an IPAM.

------
#### [ AWS Management Console ]

**To create an IPAM**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the AWS Management Console, choose the AWS Region in which you want to create the IPAM. Create the IPAM in your main Region of operations.

1. On the service home page, choose **Create IPAM**.

1. Select **Allow Amazon VPC IP Address Manager to replicate data from source account(s) into the IPAM delegate account**. If you do not select this option, you cannot create an IPAM.

1. Choose an **IPAM tier**. For more information about the features available in each tier and the costs associated with the tiers, see the IPAM tab on the [Amazon VPC pricing page](https://aws.amazon.com//vpc/pricing/).

1. Under **Operating regions**, select the AWS Regions in which this IPAM can manage and discover resources. The AWS Region in which you are creating your IPAM is selected as one of the operating Regions by default. For example, if you’re creating this IPAM in AWS Region `us-east-1` but you want to create Regional IPAM pools later that provide CIDRs to VPCs in `us-west-2`, select `us-west-2` here. If you forget an operating Region, you can return at a later time and edit your IPAM settings.
**Note**  
If you are creating an IPAM in the Free Tier, you can select multiple operating Regions for your IPAM, but the only IPAM feature that will be available across operating Regions is [Public IP insights](view-public-ip-insights.md). You cannot use other features in the Free Tier, like BYOIP, across the IPAM's operating Regions. You can only use them in the IPAM's home Region. To use all IPAM features across operating Regions, [create an IPAM in the Advanced Tier](mod-ipam-tier.md).

1. Choose **Create IPAM**.

------
#### [ Command line ]

The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.

Create the IPAM with the [create-ipam](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-ipam.html) command:

```
aws ec2 create-ipam --region us-east-1
```

Example response:

```
{
    "Ipam": {
        "OwnerId": "320805250157",
        "IpamId": "ipam-0755477df834ea06b",
        "IpamArn": "arn:aws:ec2::320805250157:ipam/ipam-0755477df834ea06b",
        "IpamRegion": "us-east-1",
        "PublicDefaultScopeId": "ipam-scope-01bc7290e4a9202f9",
        "PrivateDefaultScopeId": "ipam-scope-0a50983b97a7a583a",
        "ScopeCount": 2,
        "OperatingRegions": [
            {
                "RegionName": "us-east-1"
            }
        ],
        "State": "create-in-progress",
        "Tags": [],
        "DefaultResourceDiscoveryId": "ipam-res-disco-02cc5b34cc3f04f09",
        "DefaultResourceDiscoveryAssociationId": "ipam-res-disco-assoc-06b3a4dccfc81f7c1",
        "ResourceDiscoveryAssociationCount": 1,
        "Tier": "advanced"
    }
}
```

You'll need the PublicDefaultScopeId in the next step. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

------

## Step 2: Create an IPAM pool and provision a CIDR
<a name="tutorials-eip-pool-2"></a>

Complete the steps in this section to create an IPAM pool from which you'll allocate the Elastic IP addresses.

------
#### [ AWS Management Console ]

**To create a pool**

1. Open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/). 

1. In the navigation pane, choose **Pools**.

1. Choose the public scope. For more information about scopes, see [How IPAM works](how-it-works-ipam.md).

1. Choose **Create pool**.

1. (Optional) Add a **Name tag** for the pool and a **Description** for the pool.

1. Under **Source**, choose **IPAM scope**.

1. Under **Address family**, choose **IPv4**.

1. Under **Resource planning**, leave **Plan IP space within the scope** selected. 

1. Under **Locale**, choose the locale for the pool. The locale is the AWS Region where you want this IPAM pool to be available for allocations. The available options come from the operating Regions that you chose when you created your IPAM.

1. Under **Service**, choose **EC2 (EIP/VPC)**. The service you select determines the AWS service where the CIDR will be advertised. Currently, the only option is **EC2 (EIP/VPC)**, which means that CIDRs allocated from this pool are advertised for the Amazon EC2 service (for Elastic IP addresses).

1. Under **Public IP source**, choose **Amazon-owned**.

1. Under **CIDR to provision**, choose **Add Amazon-owned public CIDR**. Choose a **Netmask** length between `/29` (8 IP addresses) and `/30` (4 IP addresses). You can add up to 2 CIDRs by default. For information about increasing the limits on Amazon-provided contiguous public IPv4 CIDRs, see [Quotas for your IPAM](quotas-ipam.md).

1. Leave **Configure this pool's allocation rule settings** unselected.

1. (Optional) Choose **Tags** for the pool.

1. Choose **Create pool**.

Ensure that this CIDR has been provisioned before you continue. You can see the state of provisioning in the **CIDRs** tab in the pool details page.

------
#### [ Command line ]

**To create a pool**

1. Create an IPAM pool with the [create-ipam-pool](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-ipam-pool.html) command. The locale is the AWS Region where you want this IPAM pool to be available for allocations. The available options come from the operating Regions that you chose when you created your IPAM.

   ```
   aws ec2 create-ipam-pool --region us-east-1 --ipam-scope-id ipam-scope-01bc7290e4a9202f9 --address-family ipv4 --locale us-east-1 --aws-service ec2 --public-ip-source amazon
   ```

   Example response with state `create-in-progress`:

   ```
   {                                                                                               
       "IpamPool": {                                                                           
           "OwnerId": "320805250157",                                                          
           "IpamPoolId": "ipam-pool-07ccc86aa41bef7ce",                                        
           "IpamPoolArn": "arn:aws:ec2::320805250157:ipam-pool/ipam-pool-07ccc86aa41bef7ce",   
           "IpamScopeArn": "arn:aws:ec2::320805250157:ipam-scope/ipam-scope-01bc7290e4a9202f9",
           "IpamScopeType": "public",                                                          
           "IpamArn": "arn:aws:ec2::320805250157:ipam/ipam-0755477df834ea06b",                 
           "IpamRegion": "us-east-1",                                                          
           "Locale": "us-east-1",                                                              
           "PoolDepth": 1,                                                                     
           "State": "create-in-progress",                                                      
           "AutoImport": false,                                                                
           "AddressFamily": "ipv4",                                                            
           "Tags": [],                                                                         
           "AwsService": "ec2",                                                                
           "PublicIpSource": "amazon"                                                          
       }                                                                                       
   }
   ```

1. Check that the pool was created successfully with the [describe-ipam-pools](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-ipam-pools.html) command.

   ```
   aws ec2 describe-ipam-pools --region us-east-1 --ipam-pool-ids ipam-pool-07ccc86aa41bef7ce
   ```

   Example response with state `create-complete`:

   ```
   {                                                                                               
       "IpamPools": [
           {
               "OwnerId": "320805250157",
               "IpamPoolId": "ipam-pool-07ccc86aa41bef7ce",
               "IpamPoolArn": "arn:aws:ec2::320805250157:ipam-pool/ipam-pool-07ccc86aa41bef7ce",
               "IpamScopeArn": "arn:aws:ec2::320805250157:ipam-scope/ipam-scope-01bc7290e4a9202f9",
               "IpamScopeType": "public",
               "IpamArn": "arn:aws:ec2::320805250157:ipam/ipam-0755477df834ea06b",
               "IpamRegion": "us-east-1",
               "Locale": "us-east-1",
               "PoolDepth": 1,
               "State": "create-complete",
               "AutoImport": false,
               "AddressFamily": "ipv4",
               "Tags": [],
               "AwsService": "ec2",
               "PublicIpSource": "amazon"
           }
       ]
   }
   ```

1. Provision a CIDR to the pool with the [provision-ipam-pool-cidr](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/provision-ipam-pool-cidr.html) command. Choose a `--netmask-length` between `/29` (8 IP addresses) and `/30` (4 IP addresses). You can add up to 2 CIDRs by default. For information about increasing the limits on Amazon-provided contiguous public IPv4 CIDRs, see [Quotas for your IPAM](quotas-ipam.md).

   ```
   aws ec2 provision-ipam-pool-cidr --region us-east-1 --ipam-pool-id ipam-pool-07ccc86aa41bef7ce --netmask-length 29
   ```

   Example response with state `pending-provision`:

   ```
   {                                                                                               
       "IpamPoolCidr": {
           "State": "pending-provision",
           "IpamPoolCidrId": "ipam-pool-cidr-01856e43994df4913b7bc6aac47adf983",
           "NetmaskLength": 29
       }
   }
   ```

1. Ensure that this CIDR has been provisioned before you continue. You can view the state of provisioning using the [get-ipam-pool-cidrs](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ipam-pool-cidrs.html) command.

   ```
   aws ec2 get-ipam-pool-cidrs --region us-east-1 --ipam-pool-id ipam-pool-07ccc86aa41bef7ce
   ```

   Example response with state `provisioned`:

   ```
   {                                                                                               
       "IpamPoolCidrs": [
           {
               "Cidr": "18.97.0.40/29",
               "State": "provisioned",
               "IpamPoolCidrId": "ipam-pool-cidr-01856e43994df4913b7bc6aac47adf983",
               "NetmaskLength": 29
           }
       ]
   }
   ```

------

## Step 3: Allocate an Elastic IP address from the pool
<a name="tutorials-eip-pool-3"></a>

Complete the steps in this section to allocate an Elastic IP address from the pool.

------
#### [ AWS Management Console ]

Follow the steps in [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide* to allocate the address, but note the following:
+ Ensure that the AWS Region you are in in the EC2 console matches the Locale option you chose when you created the pool in Step 2.
+ When you choose the address pool, choose the option to **Allocate using an IPv4 IPAM pool** and choose the pool you created in Step 2.

------
#### [ Command line ]

Allocate an address from the pool with the [allocate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/allocate-address.html) command. The `--region` you use must match the `--locale` option you chose when you created the pool in Step 2. Include the ID of the IPAM pool you created in Step 2 in `--ipam-pool-id`.

```
aws ec2 allocate-address --region us-east-1 --ipam-pool-id ipam-pool-07ccc86aa41bef7ce
```

Example response:

```
{                                                    
    "PublicIp": "18.97.0.41",                        
    "AllocationId": "eipalloc-056cdd6019c0f4b46",    
    "PublicIpv4Pool": "ipam-pool-07ccc86aa41bef7ce", 
    "NetworkBorderGroup": "us-east-1",               
    "Domain": "vpc"                                  
}
```

Optionally, you can choose a specific `/32` from the pool's provisioned CIDR by using the `--address` option. The address must lie within a CIDR provisioned to the pool and must not already be allocated.

```
aws ec2 allocate-address --region us-east-1 --ipam-pool-id ipam-pool-07ccc86aa41bef7ce --address 18.97.0.41
```

Example response:

```
{                                                    
    "PublicIp": "18.97.0.41",                        
    "AllocationId": "eipalloc-056cdd6019c0f4b46",    
    "PublicIpv4Pool": "ipam-pool-07ccc86aa41bef7ce", 
    "NetworkBorderGroup": "us-east-1",               
    "Domain": "vpc"                                  
}
```

For more information, see [Allocate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-allocating) in the *Amazon EC2 User Guide*.

------

## Step 4: Associate the Elastic IP address with an EC2 instance
<a name="tutorials-eip-pool-4"></a>

Complete the steps in this section to associate the Elastic IP address with an EC2 instance.

------
#### [ AWS Management Console ]

Follow the steps in [Associate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide* to associate the Elastic IP address with an instance, but note the following: When you use the AWS Management Console option, the AWS Region you associate the Elastic IP address in must match the Locale option you chose when you created the pool in Step 2.

------
#### [ Command line ]

Associate the Elastic IP address with an instance with the [associate-address](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/associate-address.html) command. The `--region` you associate the Elastic IP address in must match the `--locale` option you chose when you created the pool in Step 2. The example below identifies the address with `--public-ip`; you can instead pass the `AllocationId` returned in Step 3 with `--allocation-id`, which avoids any ambiguity about which allocation you mean.

```
aws ec2 associate-address --region us-east-1 --instance-id i-07459a6fca5b35823 --public-ip 18.97.0.41
```

Example response:

```
{                                                
    "AssociationId": "eipassoc-06aa85073d3936e0e"
}
```

For more information, see [Associate an Elastic IP address with an instance or network interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating) in the *Amazon EC2 User Guide*.

------

## Step 5: Track and monitor pool usage
<a name="track-monitor-eips-ipam"></a>

Once you've allocated Elastic IP addresses from the IPAM pool, you can track and monitor IPAM pool allocations.

------
#### [ AWS Management Console ]
+ On the IPAM pool details page in the IPAM console, view the **Allocations** tab. Any Elastic IP addresses allocated from the IPAM pool have a **Resource Type** of **EIP**.
+ Use [Public IP insights](view-public-ip-insights.md):
  + Under **Public IP types**, filter by **Amazon-owned EIPs**. This shows the total number of public IPv4 addresses allocated to Amazon-owned Elastic IP addresses. If you filter by this measure and scroll to **Public IP addresses** at the bottom of the page, you'll see the Elastic IP addresses you've allocated.
  + Under **EIP usage**, filter by **Associated Amazon-owned EIPs** or **Unassociated Amazon-owned EIPs**. This shows the total number of Elastic IP addresses that you have allocated in your AWS account and that you have or have not associated with an EC2 instance, network interface, or AWS resource. If you filter by this measure and scroll to **Public IP addresses** at the bottom of the page, you'll see details about the filtered resources.
  + Under **Amazon-owned IPv4 contiguous IPs usage**, monitor sequential public IPv4 address usage over time and related Amazon-owned IPv4 IPAM pools.
+ Use Amazon CloudWatch to track and monitor metrics related to Amazon-provided contiguous public IPv4 blocks that have been provisioned to IPAM pools. For the available metrics specific to contiguous IPv4 blocks, see **Public IP Metrics** under [IPAM metrics](cloudwatch-ipam-ip-address-usage.md). In addition to viewing metrics, you can create alarms in Amazon CloudWatch to notify you when thresholds are reached. Creating alarms and setting up notifications with Amazon CloudWatch is outside the scope of this tutorial. For more information, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.

------
#### [ Command line ]
+ View the IPAM pool allocations with the [get-ipam-pool-allocations](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-ipam-pool-allocations.html) command. Any Elastic IP addresses allocated from the IPAM pool have a `ResourceType` of `eip`.

  ```
  aws ec2 get-ipam-pool-allocations --region us-east-1 --ipam-pool-id ipam-pool-07ccc86aa41bef7ce
  ```

  Example response:

  ```
  {
       "IpamPoolAllocations": [
          {
              "Cidr": "18.97.0.40/32",
              "IpamPoolAllocationId": "ipam-pool-alloc-0bd07df786e8148aba2763e2b6c1c44bd",
              "ResourceId": "eipalloc-0c9decaa541d89aa9",
              "ResourceType": "eip",
              "ResourceRegion": "us-east-1",
              "ResourceOwner": "320805250157"
          }
      ]
  }
  ```
+ Use Amazon CloudWatch to track and monitor metrics related to Amazon-provided contiguous public IPv4 blocks that have been provisioned to IPAM pools. For the available metrics specific to contiguous IPv4 blocks, see **Public IP Metrics** under [IPAM metrics](cloudwatch-ipam-ip-address-usage.md). In addition to viewing metrics, you can create alarms in Amazon CloudWatch to notify you when thresholds are reached. Creating alarms and setting up notifications with Amazon CloudWatch is outside the scope of this tutorial. For more information, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.

------
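The commands in Steps 3 through 5 are easy to run by hand once, but in practice you want to check that what IPAM reports actually matches the pool: every allocation falls inside the provisioned CIDR, every resource lives in the pool's locale Region, and you know which addresses in the block are still free before you pin the next one with `--address`. The following script, added as an example for this tutorial and not part of the AWS documentation or the AWS CLI, does that bookkeeping offline on parsed copies of the `get-ipam-pool-cidrs` and `get-ipam-pool-allocations` responses shown above. The pool ID and locale are the ones used in this tutorial; the second allocation entry (for `18.97.0.41`) and its allocation ID are constructed, and the file-argument handling is an assumption about how you would feed it real output.

```python
"""Reconcile an IPAM public IPv4 pool against its Elastic IP allocations.

Added example for this tutorial; it is not part of the AWS documentation,
the AWS CLI, or IPAM itself.  It works on parsed JSON shaped like the
get-ipam-pool-cidrs and get-ipam-pool-allocations responses shown above.
Run it with no arguments to use the constructed sample data below, or pass
two files saved from:

    aws ec2 get-ipam-pool-cidrs       --region <locale> --ipam-pool-id <pool>
    aws ec2 get-ipam-pool-allocations --region <locale> --ipam-pool-id <pool>
"""
import ipaddress
import json
import sys

POOL_ID = "ipam-pool-07ccc86aa41bef7ce"   # pool used in this tutorial
POOL_LOCALE = "us-east-1"                  # --locale chosen when the pool was created

# Constructed sample input: the provisioned /29 from Step 2 and the EIP
# allocation from Step 5, plus a second (hypothetical) allocation entry for
# the address allocated in Step 3.
POOL_CIDRS = {"IpamPoolCidrs": [
    {"Cidr": "18.97.0.40/29", "State": "provisioned",
     "IpamPoolCidrId": "ipam-pool-cidr-01856e43994df4913b7bc6aac47adf983",
     "NetmaskLength": 29},
]}
ALLOCATIONS = {"IpamPoolAllocations": [
    {"Cidr": "18.97.0.40/32", "ResourceType": "eip", "ResourceRegion": "us-east-1",
     "IpamPoolAllocationId": "ipam-pool-alloc-0bd07df786e8148aba2763e2b6c1c44bd",
     "ResourceId": "eipalloc-0c9decaa541d89aa9", "ResourceOwner": "320805250157"},
    {"Cidr": "18.97.0.41/32", "ResourceType": "eip", "ResourceRegion": "us-east-1",
     "IpamPoolAllocationId": "ipam-pool-alloc-hypothetical",   # not a real ID
     "ResourceId": "eipalloc-056cdd6019c0f4b46", "ResourceOwner": "320805250157"},
]}


def provisioned_networks(pool_cidrs):
    """CIDRs in the 'provisioned' state, as ip_network objects."""
    return [ipaddress.ip_network(c["Cidr"])
            for c in pool_cidrs["IpamPoolCidrs"] if c["State"] == "provisioned"]


def reconcile(pool_cidrs, allocations, locale):
    """Check each allocation against the pool and list free addresses.

    Returns {"used": [...], "free": [...], "problems": [...]} where used/free
    are sorted IPv4Address lists and problems are findings worth a look: an
    allocation outside the provisioned CIDRs, a resource in a Region other
    than the pool's locale, or a resource type that is not an EIP.
    """
    networks = provisioned_networks(pool_cidrs)
    used, problems = set(), []
    for a in allocations["IpamPoolAllocations"]:
        net = ipaddress.ip_network(a["Cidr"])
        aid = a["IpamPoolAllocationId"]
        if not any(net.subnet_of(p) for p in networks):
            problems.append(f"{aid}: {net} is outside the provisioned CIDRs")
            continue
        if a.get("ResourceRegion") != locale:
            problems.append(f"{aid}: ResourceRegion {a.get('ResourceRegion')} "
                            f"does not match pool locale {locale}")
        if a.get("ResourceType") != "eip":
            problems.append(f"{aid}: unexpected ResourceType {a.get('ResourceType')}")
        used.update(net)          # every address covered by the allocation
    pool_addrs = {addr for p in networks for addr in p}
    return {"used": sorted(used), "free": sorted(pool_addrs - used),
            "problems": problems}


def next_allocate_command(pool_id, region, free):
    """argv for allocate-address that pins the lowest free address with
    --address, so allocations stay sequential instead of taking whatever
    address IPAM happens to pick."""
    if not free:
        raise ValueError("pool is fully allocated")
    return ["aws", "ec2", "allocate-address", "--region", region,
            "--ipam-pool-id", pool_id, "--address", str(free[0])]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            cidrs = json.load(f)
        with open(sys.argv[2]) as f:
            allocs = json.load(f)
    else:
        cidrs, allocs = POOL_CIDRS, ALLOCATIONS
    report = reconcile(cidrs, allocs, POOL_LOCALE)
    for finding in report["problems"]:
        print("PROBLEM:", finding)
    print("used:", ", ".join(map(str, report["used"])))
    print("free:", ", ".join(map(str, report["free"])))
    if report["free"]:
        print("next:", " ".join(next_allocate_command(POOL_ID, POOL_LOCALE, report["free"])))
```

With the sample data the script reports no problems, `18.97.0.40` and `18.97.0.41` as used, `18.97.0.42` through `18.97.0.47` as free, and prints an `allocate-address` command pinned to `18.97.0.42`. Note that the whole `/29` is usable for Elastic IP addresses, including `18.97.0.40` (the network address of the block), which is why the script iterates every address in the CIDR rather than only the host range.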

The tutorial is now complete. You've created an IPAM pool with an Amazon-provided contiguous public IPv4 CIDR block, allocated Elastic IP addresses from the pool, and learned how to monitor IPAM pool allocations. Continue to the next section to delete the resources you've created in this tutorial.

## Cleanup
<a name="tutorials-eip-pool-cleanup"></a>

Follow the steps in this section to clean up the resources you've created in this tutorial.

**Step 1: Disassociate the Elastic IP address**

Complete the steps in [Disassociate an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-eips.html#using-instance-addressing-eips-associating-different) in the *Amazon EC2 User Guide* to disassociate the Elastic IP address.

**Step 2: Release the Elastic IP address**

Complete the steps in [Release an Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing-eips-releasing.html) in the *Amazon EC2 User Guide* to release an Elastic IP address from the public IPv4 pool.

**Step 3: Deprovision the CIDR from the IPAM pool**

Complete the steps in [Deprovision CIDRs from a pool](depro-pool-cidr-ipam.md) to deprovision the Amazon-owned public CIDR from the IPAM pool. This step is required for pool deletion. You will be billed for the Amazon-provided contiguous IPv4 block until this step is complete. 

**Step 4: Delete the IPAM pool**

Complete the steps in [Delete a pool](delete-pool-ipam.md) to delete the IPAM pool.

**Step 5: Delete the IPAM**

Complete the steps in [Delete an IPAM](delete-ipam.md) to delete the IPAM.

The tutorial cleanup is complete.