• Step 6: Cleanup (p. 95)
Step 1: Create AWS CLI named profiles
To complete this tutorial as a single AWS user, you can use AWS CLI named profiles to switch from one AWS account to another. Named profiles are collections of IAM access key IDs and secret access keys that you store locally and then refer to using the --profile option when you use the AWS CLI. For more information about how to create or retrieve IAM access keys for AWS accounts, see Managing access keys for IAM users in the AWS Identity and Access Management User Guide.
Complete the steps in Creating named profiles in the AWS Command Line Interface User Guide to create one named profile for each of the AWS accounts you will use in this tutorial:
• A profile called ipam-account for the AWS account that is the IPAM administrator.
• A profile called byoip-owner-account for the AWS account in your organization which owns the BYOIP CIDR.
Once you have created the named profiles, return to this page and go to the next step. You will notice throughout the rest of this tutorial that the sample AWS CLI commands use the --profile option with one of the named profiles to indicate which account must run the command.
Step 2: Get your IPAM’s public scope ID
Follow the steps in this section to get your IPAM’s public scope ID. This step should be performed by the IPAM account.
Run the following command to get your public scope ID.
aws ec2 describe-ipams --region us-east-1 --profile ipam-account
In the output, you'll see your public scope ID. Note the value of PublicDefaultScopeId; you will need it in the next step.
{
    "Ipams": [
        {
            "OwnerId": "123456789012",
            "IpamId": "ipam-090e48e75758de279",
            "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
            "PublicDefaultScopeId": "ipam-scope-0087d83896280b594",
            "PrivateDefaultScopeId": "ipam-scope-08b70b04fbd524f8d",
            "ScopeCount": 2,
            "Description": "my-ipam",
            "OperatingRegions": [
                {
                    "RegionName": "us-east-1"
                },
                {
                    "RegionName": "us-west-2"
                }
            ],
            "Tags": []
        }
    ]
}
Step 3: Create an IPAM pool
Follow the steps in this section to create an IPAM pool. This step should be performed by the IPAM account. The IPAM pool you create must be a top-level pool with the --locale option matching the BYOIP CIDR AWS Region and the pool must be created with the --aws-service ec2 option. You can only transfer a BYOIP to a top-level IPAM pool.
To create an IPv4 address pool for the transferred BYOIP CIDR using the AWS CLI
1. Run the following command to create an IPAM pool. Use the ID of the public scope of the IPAM that you retrieved in the previous step.
aws ec2 create-ipam-pool --region us-east-1 --ipam-scope-id ipam-scope-0087d83896280b594 --description "top-level-pool" --locale us-west-2 --aws-service ec2 --address-family ipv4 --profile ipam-account
In the output, you'll see create-in-progress, which indicates that pool creation is in progress.
{
    "IpamPool": {
        "OwnerId": "123456789012",
        "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
        "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
        "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
        "IpamScopeType": "public",
        "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
        "Locale": "us-west-2",
        "PoolDepth": 1,
        "State": "create-in-progress",
        "Description": "top-level-pool",
        "AutoImport": false
    }
}
2. Run the following command until you see a state of create-complete in the output.
aws ec2 describe-ipam-pools --region us-east-1 --profile ipam-account
The following example output shows the state of the pool. You will need the OwnerId in the next step.
{
    "IpamPools": [
        {
            "OwnerId": "123456789012",
            "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
            "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
            "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
            "IpamScopeType": "public",
            "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
            "Locale": "us-west-2"
        }
    ]
}
Step 4: Transfer an existing BYOIP IPV4 CIDR to IPAM
Follow the steps in this section to transfer an existing BYOIP IPV4 CIDR to IPAM. This step should be performed by the BYOIP CIDR owner account.
To transfer a BYOIP CIDR to the IPAM pool using the AWS CLI
1. Run the following command to transfer the CIDR. Ensure that the --region value is the AWS Region of the BYOIP CIDR.
aws ec2 move-byoip-cidr-to-ipam --region us-west-2 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --ipam-pool-owner 123456789012 --cidr 130.137.249.0/24 --profile byoip-owner-account
In the output, you'll see the CIDR in the pending-transfer state.
{
    "ByoipCidr": {
        "Cidr": "130.137.249.0/24",
        "State": "pending-transfer"
    }
}
2. Ensure that the CIDR has been transferred. Run the following command until you see a state of complete-transfer in the output.
aws ec2 move-byoip-cidr-to-ipam --region us-west-2 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --ipam-pool-owner 123456789012 --cidr 130.137.249.0/24 --profile byoip-owner-account
The following example output shows the state.
{
    "ByoipCidr": {
        "Cidr": "130.137.249.0/24",
        "State": "complete-transfer"
    }
}
Step 5: View the CIDR in IPAM
Follow the steps in this section to view the CIDR in IPAM. This step should be performed by the IPAM account.
To view the transferred BYOIP CIDR in the IPAM pool using the AWS CLI
• Run the following command to view the allocation managed in IPAM. Ensure that the --region value is the AWS Region of the BYOIP CIDR.
aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
The output shows the allocation in IPAM.
{
    "IpamPoolAllocations": [
        {
            "Cidr": "130.137.249.0/24",
            "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc46",
            "ResourceId": "ipv4pool-ec2-0019eed22a684e0b3",
            "ResourceType": "ec2-public-ipv4-pool",
            "ResourceOwner": "470889052924"
        }
    ]
}
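Added example (not AWS's own code) that turns the Step 3 requirements into a pre-flight check before the owner account runs the transfer: it picks the public scope ID out of describe-ipams output, verifies that the pool is a create-complete, top-level, public-scope, --aws-service ec2 pool whose locale matches the CIDR's Region, and only then builds the move-byoip-cidr-to-ipam command. The JSON documents are constructed from this tutorial's IDs; in practice load them from aws ec2 describe-ipams and describe-ipam-pools run with --output json.

```python
import json

def public_scope_id(describe_ipams: dict) -> str:
    """Pick PublicDefaultScopeId from describe-ipams output; refuse ambiguity."""
    ipams = describe_ipams.get("Ipams", [])
    if len(ipams) != 1:
        raise ValueError(f"expected exactly one IPAM, found {len(ipams)}")
    return ipams[0]["PublicDefaultScopeId"]

def transfer_problems(pool: dict, cidr_region: str, scope_id: str) -> list:
    """Every reason this pool cannot receive a BYOIP CIDR; an empty list means go."""
    problems = []
    if pool.get("State") != "create-complete":
        problems.append(f"pool state is {pool.get('State')!r}, not create-complete")
    if pool.get("PoolDepth") != 1:
        problems.append("BYOIP CIDRs can only be moved into a top-level pool (PoolDepth 1)")
    if pool.get("IpamScopeType") != "public":
        problems.append("pool is not in a public scope")
    if not pool.get("IpamScopeArn", "").endswith("/" + scope_id):
        problems.append("pool is not in this IPAM's public default scope")
    if pool.get("Locale") != cidr_region:
        problems.append(f"pool locale {pool.get('Locale')!r} differs from CIDR Region {cidr_region!r}")
    if pool.get("AwsService") != "ec2":
        problems.append("pool was not created with --aws-service ec2")
    return problems

def move_command(pool: dict, cidr: str, profile: str) -> list:
    """argv for move-byoip-cidr-to-ipam; run it as the account that owns the CIDR."""
    return ["aws", "ec2", "move-byoip-cidr-to-ipam", "--region", pool["Locale"],
            "--ipam-pool-id", pool["IpamPoolId"], "--ipam-pool-owner", pool["OwnerId"],
            "--cidr", cidr, "--profile", profile]

# Constructed samples using the IDs from this tutorial (not captured CLI output).
IPAMS = json.loads('{"Ipams": [{"IpamId": "ipam-090e48e75758de279", '
                   '"PublicDefaultScopeId": "ipam-scope-0087d83896280b594"}]}')
POOL = {
    "OwnerId": "123456789012", "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
    "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
    "IpamScopeType": "public", "Locale": "us-west-2", "PoolDepth": 1,
    "State": "create-complete", "AwsService": "ec2", "AddressFamily": "ipv4",
}

if __name__ == "__main__":
    scope = public_scope_id(IPAMS)
    issues = transfer_problems(POOL, "us-west-2", scope)
    print("\n".join(issues) or " ".join(move_command(POOL, "130.137.249.0/24", "byoip-owner-account")))
```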
Step 6: Cleanup
Follow the steps in this section to remove the resources you created in this tutorial. This step should be performed by the IPAM account.
To clean up the resources created in this tutorial using the AWS CLI
1. Run the following command to get the allocation ID for the BYOIP CIDR. Ensure that the --region value matches the AWS Region of the BYOIP CIDR.
aws ec2 get-ipam-pool-allocations --region us-west-2 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
The output shows the allocation in IPAM.
{
    "IpamPoolAllocations": [
        {
            "Cidr": "130.137.249.0/24",
            "IpamPoolAllocationId": "ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc46",
            "ResourceId": "ipv4pool-ec2-0019eed22a684e0b3",
            "ResourceType": "ec2-public-ipv4-pool",
            "ResourceOwner": "470889052924"
        }
    ]
}
2. Run the following command to deallocate the BYOIP CIDR. It can take some time for IPAM to discover that the VPC has been deleted and remove this allocation. Ensure that the --region value is the AWS Region of the BYOIP CIDR.
aws ec2 release-ipam-pool-allocation --region us-west-2 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --cidr 130.137.249.0/24 --ipam-pool-allocation-id ipam-pool-alloc-5dedc8e7937c4261b56dc3e3eb53dc46 --profile ipam-account
The output shows the allocation removed from IPAM.
{
"IpamPoolAllocations": []
}
3. Run the following command to delete the top-level pool.
aws ec2 delete-ipam-pool --region us-east-1 --ipam-pool-id ipam-pool-0a03d430ca3f5c035 --profile ipam-account
In the output, you can see the delete state.
{
    "IpamPool": {
        "OwnerId": "123456789012",
        "IpamPoolId": "ipam-pool-0a03d430ca3f5c035",
        "IpamPoolArn": "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0a03d430ca3f5c035",
        "IpamScopeArn": "arn:aws:ec2::123456789012:ipam-scope/ipam-scope-0087d83896280b594",
        "IpamScopeType": "public",
        "IpamArn": "arn:aws:ec2::123456789012:ipam/ipam-090e48e75758de279",
        "Locale": "us-east-1",
        "PoolDepth": 2,
        "State": "delete-in-progress",
        "Description": "top-level-pool",
        "AutoImport": false,
        "Advertisable": true,
        "AddressFamily": "ipv4",
        "AwsService": "ec2"
    }
}
Identity and access management in IPAM
AWS uses security credentials to identify you and to grant you access to your AWS resources. You can use features of AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your AWS resources fully or in a limited way, without sharing your security credentials.
This section describes the AWS service-linked roles that are created specifically for IPAM and the managed policies attached to the IPAM service-linked roles. For more information about AWS IAM roles and policies, see Roles terms and concepts in the IAM User Guide.
For more information on identity and access management for VPC, see Identity and access management for Amazon VPC in the Amazon VPC User Guide.
Contents
• Service-linked roles for IPAM (p. 97)
• AWS managed policies for IPAM (p. 98)
Service-linked roles for IPAM
Service-linked roles in AWS Identity and Access Management (IAM) enable AWS services to call other AWS services on your behalf. For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.
There is currently only one service-linked role for IPAM: AWSServiceRoleForIPAM.
Permissions granted to the service-linked role
IPAM uses the AWSServiceRoleForIPAM service-linked role to call the actions in the attached AWSIPAMServiceRolePolicy managed policy. For more information on the allowed actions in that policy, see AWS managed policies for IPAM (p. 98).
Also attached to the service-linked role is an IAM trust policy that allows the ipam.amazonaws.com service principal to assume the service-linked role.
Create the service-linked role
IPAM monitors the IP address usage in one or more accounts by assuming the service-linked role in an account, discovering the resources and their CIDRs, and integrating the resources with IPAM.
The service-linked role is created in one of two ways:
• When you integrate with AWS Organizations
If you Integrate IPAM with AWS Organizations (p. 5) using the IPAM console or using the enable-ipam-organization-admin-account AWS CLI command, the AWSServiceRoleForIPAM service-linked role is automatically created in each of your AWS Organizations member accounts. As a result, the resources within all member accounts are discoverable by IPAM.
Important
For IPAM to create the service-linked role on your behalf:
• The AWS Organizations management account that enables IPAM integration with AWS Organizations must have an IAM policy attached to it that permits the following actions:
• ec2:EnableIpamOrganizationAdminAccount
• organizations:EnableAwsServiceAccess
• organizations:RegisterDelegatedAdministrator
• iam:CreateServiceLinkedRole
• The IPAM account must have an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action.
• When you create an IPAM using a single AWS account
If you Use IPAM with a single account (p. 6), the AWSServiceRoleForIPAM service-linked role is automatically created when you create an IPAM as that account.
Important
If you use IPAM with a single AWS account, before you create an IPAM, you must ensure that the AWS account you are using has an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action. When you create the IPAM, you automatically create the AWSServiceRoleForIPAM service-linked role. For more information on managing IAM policies, see Editing IAM policies in the IAM User Guide.
Edit the service-linked role
You cannot edit the AWSServiceRoleForIPAM service-linked role.
Delete the service-linked role
If you no longer need to use IPAM, we recommend that you delete the AWSServiceRoleForIPAM service-linked role.
Note
You can delete the service-linked role only after you delete all IPAM resources in your AWS account. This ensures that you can't inadvertently remove the monitoring capability of IPAM.
Follow these steps to delete the service-linked role via the AWS CLI:
1. Delete your IPAM resources using deprovision-ipam-pool-cidr and delete-ipam. For more information, see Deprovision CIDRs from a pool (p. 20) and Delete an IPAM (p. 27).
2. Disable the IPAM account with disable-ipam-organization-admin-account.
3. Disable the IPAM service with disable-aws-service-access using the --service-principal ipam.amazonaws.com option.
4. Delete the service-linked role: delete-service-linked-role. When you delete the service-linked role, the IPAM managed policy is also deleted. For more information, see Deleting a service-linked role in the IAM User Guide.
AWS managed policies for IPAM
If you are using IPAM with a single AWS account and you create an IPAM, the AWSIPAMServiceRolePolicy managed policy is automatically created in your IAM account and attached to the AWSServiceRoleForIPAM service-linked role.
If you enable IPAM integration with AWS Organizations, the AWSIPAMServiceRolePolicy managed policy is automatically created in your IAM account and in each of your AWS Organizations member accounts, and the managed policy is attached to the AWSServiceRoleForIPAM service-linked role.
This managed policy enables IPAM to do the following:
• Monitor CIDRs associated with EC2 networking resources across all members of your AWS Organization.
• Store metrics related to IPAM in Amazon CloudWatch, such as the IP address space available in your IPAM pools and the number of resource CIDRs that comply with allocation rules.
The following example shows the details of the managed policy that's created.
{ "Version": "2012-10-17", "Statement": [
The first statement in the preceding example enables IPAM to monitor the CIDRs used by your single AWS account or by the members of your AWS Organization.
The second statement in the preceding example uses the cloudwatch:PutMetricData condition key to allow IPAM to store IPAM metrics in your AWS/IPAM Amazon CloudWatch namespace. These metrics are used by the AWS Management Console to display data about the allocations in your IPAM pools and scopes. For more information, see Monitor CIDR usage with the IPAM dashboard (p. 28).
Updates to the AWS managed policy
View details about updates to AWS managed policies for IPAM since this service began tracking these changes.
Change    Description    Date
IPAM started tracking changes    IPAM started tracking changes for its AWS managed policies.    December 2, 2021
Quotas for your IPAM
This section lists the quotas related to IPAM. The Service Quotas console also provides information about IPAM quotas. You can use the Service Quotas console to view default quotas and request quota increases for adjustable quotas. For more information, see Requesting a quota increase in the Service Quotas User Guide.
Name Default Adjustable
IPAM administrators per organization 1 No
IPAMs per Region 1 Yes
Scopes per IPAM 5 Yes
Pools per scope 50 Yes
CIDRs per pool 50 Yes
Pool depth (the number of pools within pools) 10 Yes
Note
You cannot use IPAM to manage IP addresses across multiple AWS Organizations.
Pricing
You are charged hourly for each active IP address that IPAM monitors. An active IP address is defined as an IP address assigned to a resource such as an EC2 instance or an Elastic Network Interface (ENI). For more information, see IPAM pricing.
Document history for IPAM
The following table describes the releases for IPAM.
Feature    Description    Release Date
Initial release    This release introduces Amazon VPC IP Address Manager.    December 2, 2021