Cleanup - Amazon Virtual Private Cloud

Step 1: Enable IPAM in your organization

This step is optional. Complete this step to enable IPAM in your organization and conﬁgure your delegated IPAM using the AWS CLI. For more information about the role of the IPAM account, see Integrate IPAM with AWS Organizations (p. 5).

This request must be made from an AWS Organizations management account. When you run the following command, ensure that you’re using a role with an IAM policy that permits the following actions:

• ec2:EnableIpamOrganizationAdminAccount

• organizations:EnableAwsServiceAccess

• organizations:RegisterDelegatedAdministrator

• iam:CreateServiceLinkedRole

aws ec2 enable-ipam-organization-admin-account --region us-east-1 --delegated-admin-account-id 11111111111

You should see the following output, indicating that enabling was successful.

{ "Success": true }

Step 2: Create an IPAM

Follow the steps in this section to create an IPAM and view additional information about the scopes that are created. You will use this IPAM when you create pools and provision IP address ranges for those pools in later steps.

Note

The operating Regions option determines which AWS Regions the IPAM pools can be used for.

For more information about operating Regions, see Create an IPAM (p. 7).

To create an IPAM using the AWS CLI

1. Run the following command to create the IPAM instance.

aws ec2 create-ipam --description my-ipam --region us-east-1 --operating-regions RegionName=us-west-2

When you create an IPAM, AWS automatically does the following:

• Returns a globally unique resource ID (IpamId) for the IPAM.

• Creates a default public scope (PublicDefaultScopeId) and a default private scope (PrivateDefaultScopeId).

{ "Ipam": {

"OwnerId": "123456789012",

"IpamId": "ipam-0de83dba6694560a9",

"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9", "PublicDefaultScopeId": "ipam-scope-02a24107598e982c5",

Step 3: Create an IPv4 address pool

"PrivateDefaultScopeId": "ipam-scope-065e7dfe880df679c", "ScopeCount": 2,

2. Run the following command to view additional information related to the scopes. The public scope is intended for IP addresses that are going to be accessed via public internet. The private scope is intended for IP addresses that are not going to be accessed via public internet.

aws ec2 describe-ipam-scopes --region us-east-1

In the output, you see the available scopes. You'll use the private scope ID in the next step.

{ "IpamScopes": [ {

"OwnerId": "123456789012",

"IpamScopeId": "ipam-scope-02a24107598e982c5",

"IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-02a24107598e982c5",

"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9", "IpamScopeType": "public",

"IpamScopeId": "ipam-scope-065e7dfe880df679c",

"IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",

"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9", "IpamScopeType": "private",

Step 3: Create an IPv4 address pool

Follow the steps in this section to create an IPv4 address pool.

To create an IPv4 address pool for all of your AWS resources using the AWS CLI

1. Run the following command to create an IPv4 address pool. Use the ID of the private scope of the IPAM that you created in the previous step.

aws ec2 create-ipam-pool ipam-scope-id ipam-scope-065e7dfe880df679c --description "top-level-pool" --address-family ipv4

Step 4: Provision a CIDR to the top-level pool

In the output, you'll see a state of create-in-progress for the pool.

{ "IpamPool": {

"OwnerId": "123456789012",

"IpamPoolId": "ipam-pool-0008f25d7187a08d9",

"IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0008f25d7187a08d9",

"IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",

"IpamScopeType": "private",

"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9", "Locale": "None",

"PoolDepth": 1,

"State": "create-in-progress", "Description": "top-level-pool", "AutoImport": false,

"AddressFamily": "ipv4", "Tags": []

} }

2. Run the following command until you see a state of create-complete in the output.

aws ec2 describe-ipam-pools

The following example output shows the correct state.

{

"IpamPools": [ {

"OwnerId": "123456789012",

"IpamPoolId": "ipam-pool-0008f25d7187a08d9",

"IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0008f25d7187a08d9",

"IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",

"IpamScopeType": "private",

"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9", "Locale": "None",

"PoolDepth": 1,

"State": "create-complete", "Description": "top-level-pool", "AutoImport": false,

"AddressFamily": "ipv4"

} ] }

Step 4: Provision a CIDR to the top-level pool

Follow the steps in this section to provision a CIDR to the top-level pool, and then verify that the CIDR is provisioned. For more information, see Provision CIDRs to a pool (p. 19).

To provision a CIDR block to the pool using the AWS CLI

1. Run the following command to provision the CIDR.

Step 5. Create a Regional pool with CIDR sourced from the top-level pool

aws ec2 provision-pool-cidr --region us-east-1 --pool-id ipam-pool-0008f25d7187a08d9 --cidr 10.0.0.0/8

In the output, you can verify the state of the provisioning.

{ "IpamPoolCidr": { "Cidr": "10.0.0.0/8", "State": "pending-provision"

} }

2. Run the following command until you see a state of provisioned in the output.

aws ec2 get-pool-cidrs --region us-east-1 --pool-id ipam-pool-0008f25d7187a08d9

The following example output shows the correct state.

{ "IpamPoolCidrs": [ { "Cidr": "10.0.0.0/8", "State": "provisioned"

} ] }

Step 5. Create a Regional pool with CIDR sourced from the top-level pool

When you create an IPAM pool, the pool belongs to the AWS Region of the IPAM by default. When you create a VPC, the pool that the VPC draws from must be in the same Region as the VPC. You can use the --locale option when you create a pool to make the pool available to services in a Region other than the Region of the IPAM. Follow the steps in this section to create a Regional pool in another locale.

To create a pool with a CIDR sourced from the previous pool using the AWS CLI

1. Run the following command to create the pool and insert space with a known available CIDR from the previous pool.

aws ec2 create-ipam-pool --description "regional--pool" --region us-east-1 --ipam-scope-id ipam-scope-065e7dfe880df679c --source-ipam-pool-id

ipam-pool-0008f25d7187a08d9 --locale us-west-2 --address-family ipv4

In the output, you'll see the ID of the pool that you created. You'll need this ID in the next step.

{ "IpamPool": {

"OwnerId": "123456789012",

"IpamPoolId": "ipam-pool-0da89c821626f1e4b", "SourceIpamPoolId": "ipam-pool-0008f25d7187a08d9", "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0da89c821626f1e4b",

Step 5. Create a Regional pool with CIDR sourced from the top-level pool

"IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",

"IpamScopeType": "private",

"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9", "Locale": "us-west-2",

"PoolDepth": 2,

"State": "create-in-progress", "Description": "regional--pool", "AutoImport": false,

"AddressFamily": "ipv4", "Tags": []

} }

2. Run the following command until you see a state of create-complete in the output.

aws ec2 describe-ipam-pools

In the output, you see the pools that you have in your IPAM. In this tutorial, we created a top-level and a Regional pool, so you'll see them both.

{ "IpamPools": [ {

"OwnerId": "123456789012",

"IpamPoolId": "ipam-pool-0008f25d7187a08d9",

"IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0008f25d7187a08d9",

"IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",

"IpamScopeType": "private",

"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9", "Locale": "None",

"IpamPoolId": "ipam-pool-0da89c821626f1e4b", "SourceIpamPoolId": "ipam-pool-0008f25d7187a08d9", "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0da89c821626f1e4b",

"IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-065e7dfe880df679c",

"IpamScopeType": "private",

"IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-0de83dba6694560a9", "Locale": "us-west-2",

Step 6: Provision a CIDR to the Regional pool

Follow the steps in this section to assign a CIDR block to the pool, and validate that it’s been successfully provisioned.

To assign a CIDR block to the Regional pool using the AWS CLI

1. Run the following command to provision the CIDR.

aws ec2 provision-pool-cidr --region us-east-1 --pool-id ipam-pool-0da89c821626f1e4b --cidr 10.0.0.0/16

In the output, you see the state of the pool.

{ "IpamPoolCidr": { "Cidr": "10.0.0.0/16", "State": "pending-provision"

} }

2. Run the following command until you see the state of provisioned in the output.

aws ec2 get-pool-cidrs --region us-east-1 --pool-id ipam-pool-0da89c821626f1e4b

The following example output shows the correct state.

{

"IpamPoolCidrs": [ { "Cidr": "10.0.0.0/16", "State": "provisioned"

} ] }

3. Run the following command to query the top-level pool to view the allocations. The Regional pool is considered an allocation within the top-level pool.

aws ec2 get-pool-allocations --region us-east-1 --pool-id ipam-pool-041ff84c50166914f

In the output, you see the Regional pool as an allocation in the top-level pool.

{ "IpamPoolAllocations": [ {

"Cidr": "10.0.0.0/16",

"IpamPoolAllocationId": "ipam-pool-alloc-fbd525f6c2bf4e77a75690fc2d93479a", "ResourceId": "ipam-pool-0da89c821626f1e4b",

"ResourceType": "ipam-pool", "ResourceOwner": "123456789012"

} ] }

Step 7. Create a RAM share for enabling IP assignments across accounts

This step is optional. You can complete this step only if you completed Integrate IPAM with AWS Organizations (p. 5).

When you create an IPAM pool AWS RAM share, it enables IP assignments across accounts. RAM sharing is only available in your home AWS Region. Note that you create this share in the same Region as the IPAM, not in the local Region for the pool. All administrative operations on IPAM resources are made through the IPAM's home Region. The example in this tutorial creates a single share for a single pool, but you can add multiple pools to a single share. For more information, including an explanation of the options that you must enter, see Share an IPAM pool using AWS RAM (p. 18).

Run the following command to create a resource share.

aws ram create-resource-share --region us-east-1 --name pool_share --resource-arns arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0dec9695bca83e606 --principals 123456

The output shows that the pool was created.

{

"resourceShare": {

"resourceShareArn": "arn:aws:ram:us-west-2:123456789012:resource-share/3ab63985-99d9-1cd2-7d24-75e93EXAMPLE",

"name": "pool_share",

"owningAccountId": "123456789012", "allowExternalPrincipals": false, "status": "ACTIVE",

"creationTime": 1565295733.282, "lastUpdatedTime": 1565295733.282 }

}

Step 8. Create a VPC

Run the following command to create a VPC and assign a CIDR block to the VPC from the pool in your newly created IPAM.

aws ec2 create-vpc --region us-east-1 --ipv4-ipam-pool-id ipam-pool-04111dca0d960186e --cidr-block 10.0.0.0/24

The output shows that the VPC was created.

{ "Vpc": {

"CidrBlock": "10.0.0.0/24", "DhcpOptionsId": "dopt-19edf471", "State": "pending",

"VpcId": "vpc-0983f3c454f3d8be5", "OwnerId": "123456789012", "InstanceTenancy": "default", "Ipv6CidrBlockAssociationSet": [], "CidrBlockAssociationSet": [ {

"AssociationId": "vpc-cidr-assoc-00b24cc1c2EXAMPLE", "CidrBlock": "10.0.0.0/24",

"CidrBlockState": { "State": "associated"

Step 9. Cleanup

} } ],

"IsDefault": false }

}

Step 9. Cleanup

Follow the steps in this section to delete the IPAM resources you've created in this tutorial.

1. Delete the VPC.

aws ec2 delete-vpc --vpc-id vpc-0983f3c454f3d8be5 2. Delete the IPAM pool RAM share.

aws ram delete-resource-share --resource-share-arn arn:aws:ram:us-west-2:123456789012:resource-share/3ab63985-99d9-1cd2-7d24-75e93EXAMPLE 3. Deprovision pool CIDR from the Regional pool.

aws ec2 deprovision-ipam-pool-cidr ipam-pool-id ipam-pool-0da89c821626f1e4b --region us-east-1

4. Deprovision pool CIDR from the top-level pool.

aws ec2 deprovision-ipam-pool-cidr --ipam-pool-id ipam-pool-0008f25d7187a08d9 --region us-east-1

5. Disable IPAM integration with AWS Organizations

aws ec2 get-address-history --region us-east-1 --scope-id ipam-scope-0e2a31e8866c27cbb --cidr 10.0.0.0/24 --max-results 10

6. Delete the IPAM

aws ec2 delete-ipam --region us-east-1

Tutorial: View IP address history using the AWS CLI

The scenarios in this section show you how to analyze and audit IP address usage using the AWS CLI. For general information about using the AWS CLI, see Using the AWS CLI in the AWS Command Line Interface User Guide.

Contents

• Overview (p. 42)

• Scenarios (p. 43)

Overview

IPAM automatically retains your IP address monitoring data for up to three years. You can use the historical data to analyze and audit your network security and routing policies. You can search for historical insights for the following types of resources:

Scenarios

• VPCs

• VPC subnets

• Elastic IP addresses

• EC2 instances that are running

• EC2 network interfaces attached to instances

Important

Although IPAM doesn't monitor Amazon EC2 instances or EC2 network interfaces attached to instances, you can use the IP historical insights feature to search for historical data on EC2 instance and network interface CIDRs.

Note

• The commands in this tutorial must be run using the account that owns the IPAM and the AWS Region that hosts the IPAM.

• Records of changes to CIDRs are picked up in periodic snapshots, which means that it can take some time for records to appear or be updated, and the values for SampledStartTime and SampledEndTime can diﬀer from the actual times they occurred.

Scenarios

The scenarios in this section show you how to analyze and audit IP address usage using the AWS CLI. For more information about the values mentioned in this tutorial like sampled end time and start time, see View IP address history (p. 31).

Scenario 1: Which resources were associated with 10.2.1.155/32 between 1:00 AM and 9:00 PM on December 27, 2021 (UTC)?

1. Run the following command:

aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.2.1.155/32 --ipam-scope-id ipam-scope-05b579a1909c5fc7a --start-time 2021-12-20T01:00:00.000Z --end-time 2021-12-27T21:00:00.000Z

2. View the results of the analysis. In the example below, the CIDR was allocated to a network interface and EC2 instance over the course of the time period. Note that no SampledEndTime value means the record is still active. For more information about the values shown in the following output, see View IP address history (p. 31).

{ "HistoryRecords": [

{

"ResourceOwnerId": "123456789012", "ResourceRegion": "us-east-1", "ResourceType": "network-interface", "ResourceId": "eni-0b4e53eb1733aba16", "ResourceCidr": "10.2.1.155/32", "VpcId": "vpc-0f5ee7e1ba908a378",

"SampledStartTime": "2021-12-27T20:08:46.672000+00:00"

}, {

"ResourceOwnerId": "123456789012", "ResourceRegion": "us-east-1", "ResourceType": "instance",

"ResourceId": "i-064da1f79baed14f3", "ResourceCidr": "10.2.1.155/32", "VpcId": "vpc-0f5ee7e1ba908a378",

Scenarios

"SampledStartTime": "2021-12-27T20:08:46.672000+00:00"

} ] }

If the owner ID of the instance to which a network interface is attached diﬀers from the owner ID of the network interface (as is the case for NAT gateways, Lambda network interfaces in VPCs, and other AWS services), the ResourceOwnerId is amazon-aws rather than the account ID of the owner of the network interface. The following example shows the record for a CIDR associated with a NAT gateway:

"SampledStartTime": "2021-12-27T20:08:46.672000+00:00"

} ] }

Scenario 2: Which resources were associated with 10.2.1.0/24 from December 1, 2021 to December 27, 2021 (UTC)?

1. Run the following command:

aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.2.1.0/24 --ipam-scope-id ipam-scope-05b579a1909c5fc7a --start-time 2021-12-01T00:00:00.000Z --end-time 2021-12-27T23:59:59.000Z

2. View the results of the analysis. In the example below, the CIDR was allocated to a subnet and VPC over the course of the time period. Note that no SampledEndTime value means the record is still active. For more information about the values shown in the following output, see View IP address history (p. 31).

"SampledStartTime": "2021-12-27T20:08:46.672000+00:00"

}, {

"ResourceOwnerId": "123456789012",

Scenarios "ResourceOverlapStatus": "nonoverlapping", "VpcId": "vpc-0f5ee7e1ba908a378",

"SampledStartTime": "2021-12-27T20:08:46.672000+00:00"

} ] }

Scenario 3: Which resources were associated with 2605:9cc0:409::/56 from December 1, 2021 to December 27, 2021 (UTC)?

1. Run the following command, where --region is the IPAM home Region:

aws ec2 get-ipam-address-history --region us-east-1 --cidr 2605:9cc0:409::/56 --ipam-scope-id ipam-scope-07cb485c8b4a4d7cc --start-time 2021-12-01T01:00:00.000Z --end-time 2021-12-27T23:59:59.000Z

2. View the results of the analysis. In the example below, the CIDR was allocated to two diﬀerent VPCs over the course of the time period in a Region outside the IPAM home Region. Note that no SampledEndTime value means the record is still active. For more information about the values shown in the following output, see View IP address history (p. 31).

{ "HistoryRecords": [ "ResourceOverlapStatus": "nonoverlapping", "VpcId": "vpc-01d967bf3b923f72c",

"SampledStartTime": "2021-12-23T20:02:00.701000+00:00", "SampledEndTime": "2021-12-23T20:12:59.848000+00:00"

}, "ResourceOverlapStatus": "nonoverlapping", "VpcId": "vpc-03e62c7eca81cb652",

"SampledStartTime": "2021-12-27T15:11:00.046000+00:00"

} ] }

Scenario 4: Which resources were associated with 10.0.0.0/24 in the last 24 hours (assuming the current time is midnight on December 27, 2021 (UTC))?

1. Run the following command:

Scenarios

aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.0.0.0/24 --ipam-scope-id ipam-scope-05b579a1909c5fc7a --start-time 2021-12-27T00:00:00.000Z

2. View the results of the analysis. In the example below, the CIDR has been allocated to numerous subnets and VPCs over the time period. Note that no SampledEndTime value means the record is still active. For more information about the values shown in the following output, see View IP address history (p. 31).

"SampledStartTime": "2021-12-11T16:35:59.074000+00:00", "SampledEndTime": "2021-12-28T15:34:00.017000+00:00"

"SampledStartTime": "2021-12-27T20:07:59.947000+00:00", "SampledEndTime": "2021-12-28T15:34:00.017000+00:00"

"SampledStartTime": "2021-12-11T16:35:59.318000+00:00"

"SampledStartTime": "2021-12-14T21:07:22.357000+00:00"

} ] }

Scenarios

Scenario 5: Which resources are currently associated with 10.2.1.155/32?

1. Run the following command:

aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.2.1.155/32 --ipam-scope-id ipam-scope-05b579a1909c5fc7a

2. View the results of the analysis. In the example below, the CIDR was allocated to a network interface and EC2 instance over the time period. Note that no SampledEndTime value means the record is still active. For more information about the values shown in the following output, see View IP address history (p. 31).

"SampledStartTime": "2021-12-27T20:08:46.672000+00:00"

} ] }

Scenario 6: Which resources are currently associated with 10.2.1.0/24?

1. Run the following command:

aws ec2 get-ipam-address-history --region us-east-1 --cidr 10.2.1.0/24 --ipam-scope-id ipam-scope-05b579a1909c5fc7a

2. View the results of the analysis. In the example below, the CIDR was allocated to a VPC and subnet over the time period. Only the results that match this exact /24 CIDR are returned, not all /32 within the /24 CIDR. Note that no SampledEndTime value means the record is still active. For more information about the values shown in the following output, see View IP address history (p. 31).

{ "HistoryRecords": [

"SampledStartTime": "2021-12-27T20:08:46.672000+00:00"

}, {

"ResourceOwnerId": "123456789012",

Tutorial: BYOIP address CIDRs to IPAM

"ResourceRegion": "us-east-1", "ResourceType": "vpc",

"ResourceId": "vpc-0f5ee7e1ba908a378", "ResourceCidr": "10.2.1.0/24",

"ResourceComplianceStatus": "compliant", "ResourceOverlapStatus": "nonoverlapping", "VpcId": "vpc-0f5ee7e1ba908a378",

"SampledStartTime": "2021-12-27T20:08:46.672000+00:00"

} ] }

Scenario 7: Which resources are currently associated with 54.0.0.9/32?

In this example, 54.0.0.9/32 is assigned to an Elastic IP address that is not part of the AWS Organization integrated with your IPAM.

1. Run the following command:

aws ec2 get-ipam-address-history --region us-east-1 --cidr 54.0.0.9/32 --ipam-scope-id ipam-scope-05b579a1909c5fc7a

2. Since 54.0.0.9/32 is assigned to an Elastic IP address that is not part of the AWS Organization integrated with the IPAM in this example, no records are returned.

{ "HistoryRecords": []

}

Tutorial: BYOIP address CIDRs to IPAM

The tutorials in this section walk you through the process of bringing public IP address space to AWS and managing the space with IPAM.

Managing public IP address space with IPAM has the following beneﬁts:

• Improves public IP addresses utilization across your organization: You can use IPAM to share IP address space across AWS accounts. Without using IPAM, you cannot share your public IP space across AWS Organizations accounts.

• Simpliﬁes the process of bringing public IP space to AWS: You can use IPAM to onboard public IP address space once, and then use IPAM to distribute your public IPs across Regions. Without IPAM, you have to onboard your public IPs for each AWS Region.

Important

To complete the steps in this tutorial, you ﬁrst need to complete the following steps using the Amazon EC2 User Guide for Linux Instances for the CIDR range you want to bring to AWS and IPAM. Once you complete these steps, continue with this tutorial:

1. Create a key pair and certiﬁcate.

2. Create an ROA object in your RIR.

When you create the ROAs, for IPv4 CIDRs you must set the maximum length of an IP address preﬁx to /24. For IPv6 CIDRs, if you are adding them to an advertisable pool, the maximum length of an IP address preﬁx must be /48. This ensures that you have full ﬂexibility to divide your public IP address across AWS Regions. IPAM enforces the maximum

AWS console and CLI

length you set. The maximum length is the smallest preﬁx length announcement you will allow for this route. For example, if you bring a /20 CIDR block to AWS, by setting the maximum length to /24, you can divide the larger block anyway you like (such as with /21, /22, or /24) and distribute those smaller CIDR blocks to any Region. If you were to set the maximum length to /23,you would not be able to divide and advertise a /24 from the larger block. Also, note that /24 is the smallest IPv4 block and /48 is the smallest IPv6 block you can advertise from a Region to the internet.

3. Update the RDAP record in your RIR.

Contents

• Bring your own public IPv4 CIDR to IPAM using both the AWS Management Console and the AWS CLI (p. 49)

• Bring your own public IPv4 CIDR to IPAM using only the AWS CLI (p. 63)

Bring your own public IPv4 CIDR to IPAM using both the AWS Management Console and the AWS CLI

Follow these steps to bring an IPv4 or IPv6 CIDR to IPAM using both the AWS Management Console and the AWS CLI.

Important

To complete the steps in this tutorial, you ﬁrst need to complete the following steps using the Amazon EC2 User Guide for Linux Instances for the CIDR range you want to bring to AWS and

在文檔中 Amazon Virtual Private Cloud (頁 38-54)