Amazon Virtual Private Cloud
IP Address Manager
Amazon Virtual Private Cloud: IP Address Manager
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What is IPAM? ... 1
How IPAM works ... 2
Getting started with IPAM ... 4
Access IPAM ... 4
Configure permissions for your IPAM ... 4
Integrate IPAM with AWS Organizations ... 5
Use IPAM with a single account ... 6
Create an IPAM ... 7
Plan for IP address provisioning ... 8
Example IPAM pool plans ... 9
Create a top-level pool ... 10
Create a Regional pool ... 12
Create a development pool ... 13
Allocate CIDRs ... 15
Create a VPC that uses an IPAM pool CIDR ... 15
Manually allocate a CIDR to a pool to reserve IP address space ... 16
Managing IP address space in IPAM ... 17
Restrict pool access ... 17
Share an IPAM pool using AWS RAM ... 18
Provision CIDRs to a pool ... 19
Deprovision CIDRs from a pool ... 20
Edit a pool ... 21
Delete a pool ... 21
Create additional scopes ... 22
Move resource CIDRs between scopes ... 23
Change the monitoring state of resource CIDRs ... 24
Delete a scope ... 25
Release an allocation ... 25
Delete an IPAM ... 27
Tracking IP address usage in IPAM ... 28
Monitor CIDR usage with the IPAM dashboard ... 28
Monitor CIDR usage by resource ... 29
Create alarms with Amazon CloudWatch ... 31
View IP address history ... 31
Tutorials ... 34
Tutorial: Create an IPAM, create pools, and allocate a VPC using the AWS CLI ... 34
Step 1: Enable IPAM in your organization ... 35
Step 2: Create an IPAM ... 35
Step 3: Create an IPv4 address pool ... 36
Step 4: Provision a CIDR to the top-level pool ... 37
Step 5. Create a Regional pool with CIDR sourced from the top-level pool ... 38
Step 6: Provision a CIDR to the Regional pool ... 40
Step 7. Create a RAM share for enabling IP assignments across accounts ... 41
Step 8. Create a VPC ... 41
Step 9. Cleanup ... 42
Tutorial: View IP address history using the AWS CLI ... 42
Overview ... 42
Scenarios ... 43
Tutorial: BYOIP address CIDRs to IPAM ... 48
AWS console and CLI ... 49
AWS CLI only ... 63
Tutorial: Transfer existing BYOIP IPv4 CIDRs to IPAM ... 91
Step 1: Create AWS CLI named profiles ... 91
Step 2: Get your IPAM’s public scope ID ... 92
Step 3: Create an IPAM pool ... 92
Step 4: Transfer an existing BYOIP IPV4 CIDR to IPAM ... 93
Step 5: View the CIDR in IPAM ... 94
Step 6: Cleanup ... 95
Identity and access management in IPAM ... 97
Service-linked roles for IPAM ... 97
Permissions granted to the service-linked role ... 97
Create the service-linked role ... 97
Edit the service-linked role ... 98
Delete the service-linked role ... 98
Managed policies for IPAM ... 98
Updates to the AWS managed policy ... 99
Quotas ... 100
Pricing ... 101
Document history ... 102
What is IPAM?
Amazon VPC IP Address Manager (IPAM) is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. You can use IPAM's automated workflows to more efficiently manage IP addresses.
You can use IPAM to do the following:
• Organize IP address space into routing and security domains
• Monitor IP address space that's in use and monitor resources that are using space against business rules
• View the history of IP address assignments in your organization
• Automatically allocate CIDRs to VPCs using specific business rules
• Troubleshoot network connectivity issues
• Enable cross-region and cross-account sharing of your Bring Your Own IP (BYOIP) addresses
This guide consists of the following sections:
• How IPAM works (p. 2): IPAM concepts and terminology.
• Getting started with IPAM (p. 4): Steps to enable company-wide IP address management with AWS Organizations, create an IPAM, and plan IP address usage.
• Managing IP address space in IPAM (p. 17): Steps to manage your IPAM, scopes, pools, and allocations.
• Tracking IP address usage in IPAM (p. 28): Steps to monitor and track IP address usage with IPAM.
• Tutorials (p. 34): Detailed step-by-step tutorials for creating an IPAM and pools, allocating VPC CIDRs, and bringing your own public IP address CIDRs to IPAM.
How IPAM works
This topic explains some of the key concepts to help you get started with IPAM.
The following diagram shows an IPAM pool hierarchy for multiple AWS Regions within a top-level IPAM pool. Each AWS Regional pool has two IPAM development pools within it, one pool for pre-production resources and one pool for production resources. For more information about IPAM concepts, see the descriptions below the diagram.
To use Amazon VPC IP Address Manager, you first create an IPAM.
When you create the IPAM, you choose which AWS Region to create it in. When you create an IPAM, AWS VPC IPAM automatically creates two scopes for the IPAM. The scopes, together with pools and allocations, are key components of your IPAM.
• A scope is the highest-level container within IPAM. An IPAM contains two default scopes. Each scope represents the IP space for a single network. The private scope is intended for all private space. The public scope is intended for all public space. Scopes enable you to reuse IP addresses across multiple unconnected networks without causing IP address overlap or conflict. Within a scope, you create IPAM pools.
• A pool is a collection of contiguous IP address ranges (or CIDRs). IPAM pools enable you to organize your IP addresses according to your routing and security needs. You can have multiple pools within a top-level pool. For example, if you have separate routing and security needs for development and production applications, you can create a pool for each. Within IPAM pools, you allocate CIDRs to AWS resources.
• An allocation is a CIDR assignment from an IPAM pool to another resource or IPAM pool. When you create a VPC and choose an IPAM pool for the VPC’s CIDR, the CIDR is allocated from the CIDR provisioned to the IPAM pool. You can monitor and manage the allocation with IPAM.
IPAM can manage and monitor private IPv4 CIDRs and public IPv4/IPv6 CIDRs that you own. IPAM can only monitor (not manage) Amazon-owned public IP space.
To get started and create an IPAM, see Getting started with IPAM (p. 4).
Getting started with IPAM
Follow the steps in this section to get started with IPAM. You’ll begin by accessing IPAM and deciding if you want to delegate an IPAM account. By the end of this section, you will have created an IPAM, created multiple pools of IP addresses, and allocated a CIDR in a pool to a VPC.
Contents
• Access IPAM (p. 4)
• Configure permissions for your IPAM (p. 4)
• Create an IPAM (p. 7)
• Plan for IP address provisioning (p. 8)
• Allocate CIDRs (p. 15)
Access IPAM
As with other AWS services, you can create, access, and manage your IPAM using the following methods:
• AWS Management Console: Provides a web interface that you can use to create and manage your IPAM. See https://console.aws.amazon.com/ipam/.
• AWS Command Line Interface (AWS CLI): Provides commands for a broad set of AWS services, including Amazon VPC. The AWS CLI is supported on Windows, macOS, and Linux. To get the AWS CLI, see AWS Command Line Interface.
• AWS SDKs: Provide language-specific APIs. The AWS SDKs take care of many of the connection details, such as calculating signatures, handling request retries, and handling errors. For more information, see AWS SDKs.
• Query API: Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access IPAM. However, it requires your application to handle low-level details such as generating the hash to sign the request, and handling errors. For more information, see Amazon IPAM actions in the Amazon EC2 API Reference.
This guide primarily focuses on using the AWS Management Console to create, access, and manage your IPAM. In each description of how to complete a process in the console, we include links to the AWS CLI documentation that shows you how to do the same thing by using the AWS CLI.
If you are a first-time user of IPAM, review How IPAM works (p. 2) to learn about the role of IPAM in Amazon VPC and then continue with the instructions in Configure permissions for your IPAM (p. 4).
Configure permissions for your IPAM
Before you begin using IPAM, you must choose one of the options in this section to enable IPAM to monitor CIDRs associated with EC2 networking resources and store metrics:
• To integrate IPAM with AWS Organizations so that the Amazon VPC IPAM service can manage and monitor networking resources created by all AWS Organizations member accounts, see Integrate IPAM with AWS Organizations (p. 5).
• To use a single AWS account with IPAM so that the Amazon VPC IPAM service can manage and monitor the networking resources you create with that single account, see Use IPAM with a single account (p. 6).
If you do not choose one of these options, you can still create IPAM resources, such as pools, but you won't see metrics in your dashboard and you will not be able to monitor the status of resources.
Contents
• Integrate IPAM with AWS Organizations (p. 5)
• Use IPAM with a single account (p. 6)
Integrate IPAM with AWS Organizations
Optionally, you can follow the steps in this section to integrate IPAM with AWS Organizations and delegate a member account as the IPAM account.
The IPAM account is responsible for creating an IPAM and using it to manage and monitor IP address usage.
Integrating IPAM with AWS Organizations and delegating an IPAM admin has the following benefits:
• Share your IPAM pools with your organization: When you delegate an IPAM account, IPAM enables other AWS Organizations member accounts in the organization to allocate CIDRs from IPAM pools that are shared using AWS Resource Access Manager (RAM). For more information on setting up an organization, see What is AWS Organizations? in the AWS Organizations User Guide.
• Monitor IP address usage in your organization: When you delegate an IPAM account, you give IPAM permission to monitor IP usage across all of your accounts. As a result, IPAM automatically imports CIDRs that are used by existing VPCs across other AWS Organizations member accounts into IPAM.
If you do not delegate an AWS Organizations member account as an IPAM account, IPAM will monitor resources only in the AWS account that you use to create the IPAM.
Important
• You must enable integration with AWS Organizations by using IPAM in the AWS Management Console or the enable-ipam-organization-admin-account AWS CLI command. This ensures that the AWSServiceRoleForIPAM service-linked role is created. If you enable trusted access with AWS Organizations by using the AWS Organizations console or the register-delegated-administrator AWS CLI command, the AWSServiceRoleForIPAM service-linked role isn't created, and you can't manage or monitor resources within your organization.
Note
When integrating with AWS Organizations:
• You cannot use IPAM to manage IP addresses across multiple AWS Organizations.
• IPAM charges you for each active IP address that it monitors in your organization's member accounts. For more information about pricing, see IPAM pricing.
• You must have an account in AWS Organizations and a management account set up with one or more member accounts. For more information about account types, see Terminology and concepts in the AWS Organizations User Guide. For more information on setting up an organization, see Getting started with AWS Organizations.
• The IPAM account must be an AWS Organizations member account. You cannot use the AWS Organizations management account as the IPAM account.
• The IPAM account must have an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action. When you create the IPAM, you automatically create the AWSServiceRoleForIPAM service-linked role.
• The IAM user account associated with the AWS Organizations management account must have the following IAM policy actions attached:
• ec2:EnableIpamOrganizationAdminAccount
• organizations:EnableAwsServiceAccess
• organizations:RegisterDelegatedAdministrator
• iam:CreateServiceLinkedRole
For more information on managing IAM policies, see Editing IAM policies in the IAM User Guide.
AWS Management Console
To select an IPAM account
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the AWS Management Console, choose the AWS Region in which you want to work with IPAM.
3. In the navigation pane, choose Settings.
4. Enter the AWS account ID for an IPAM account. The IPAM administrator must be an AWS Organizations member account.
5. Choose Delegate.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
• To delegate an IPAM admin account using the AWS CLI, use the following command: enable-ipam-organization-admin-account
When you delegate an Organizations member account as an IPAM account, IPAM automatically creates a service-linked IAM role in all member accounts in your organization. IPAM monitors the IP address usage in these accounts by assuming the service-linked IAM role in each member account, discovering the resources and their CIDRs, and integrating them with IPAM. The resources within all member accounts will be discoverable by IPAM regardless of their Organizational Unit. If there are member accounts that have created a VPC, for example, you’ll see the VPC and its CIDR in the Resources section of the IPAM console.
Important
The role of the AWS Organizations management account that delegated the IPAM admin is now complete. To continue using IPAM, the IPAM admin account must log into Amazon VPC IPAM and create an IPAM.
Use IPAM with a single account
If you choose not to Integrate IPAM with AWS Organizations (p. 5), you can use IPAM with a single AWS account.
When you create an IPAM in the next section, a service-linked role is automatically created for the Amazon VPC IPAM service in AWS Identity and Access Management. IPAM uses the service-linked role to monitor and store metrics for CIDRs associated with EC2 networking resources. For more information on the service-linked role and how IPAM uses it, see Service-linked roles for IPAM (p. 97).
Important
If you use IPAM with a single AWS account, you must ensure that the AWS account you use to create the IPAM has an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action. When you create the IPAM, you automatically create the AWSServiceRoleForIPAM service-linked role. For more information on managing IAM policies, see Editing IAM policies in the IAM User Guide.
Once the single AWS account has permission to create the IPAM service-linked role, go to Create an IPAM (p. 7).
Create an IPAM
Follow the steps in this section to create your IPAM. If you have delegated an IPAM administrator, these steps should be completed by the IPAM account.
Important
When you create an IPAM, you will be asked to allow IPAM to replicate data from source accounts into an IPAM delegate account. To integrate IPAM with AWS Organizations, IPAM needs your permission to replicate resource and IP usage details across accounts (from member accounts to the delegated IPAM member account) and across AWS Regions (from operating Regions to the home Region of your IPAM). For single account IPAM users, IPAM needs your permission to replicate resource and IP usage details across operating Regions to the home Region of your IPAM.
When you create the IPAM, you choose the AWS Regions where the IPAM is allowed to manage IP address CIDRs. These AWS Regions are called operating Regions. IPAM discovers and monitors resources only in the AWS Regions that you select as operating Regions. IPAM doesn't store any data outside of the operating Regions that you select.
The following example hierarchy shows how the AWS Regions that you assign when you create the IPAM will impact the Regions that will be available for pools that you create later.
• IPAM operating in AWS Region 1 and AWS Region 2
• Private scope
• Top-level IPAM pool
• Regional IPAM pool in AWS Region 2
• Development pool
• Allocation for a VPC in AWS Region 2
You can only create one IPAM. For more information about increasing quotas related to IPAM, see Quotas for your IPAM (p. 100).
AWS Management Console
To create an IPAM
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the AWS Management Console, choose the AWS Region in which you want to create the IPAM.
3. On the service home page, choose Create IPAM.
4. Select Allow Amazon VPC IP Address Manager to replicate data from source account(s) into the IPAM delegate account. If you do not select this option, you cannot create an IPAM.
5. Under Operating regions, select the AWS Regions in which this IPAM can manage and discover resources. The AWS Region in which you are creating your IPAM is selected as one of the operating Regions by default. For example, if you’re creating this IPAM in AWS Region us-east-1 but you want to create Regional IPAM pools later that provide CIDRs to VPCs in us-west-2, select us-west-2 here. If you forget an operating Region, you can return at a later time and edit your IPAM settings.
6. Choose Create.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to create, modify, and view details related to your IPAM:
1. Create the IPAM: create-ipam
2. View the IPAM that you've created: describe-ipams
3. View the scopes that are created automatically: describe-ipam-scopes
4. Modify an existing IPAM: modify-ipam
When you have completed these steps, IPAM has done the following:
• Created your IPAM. You can see the IPAM and the currently selected operating Regions by choosing IPAMs in the left navigation pane of the console.
• Created one private and one public scope. You can see the scopes by choosing Scopes in the navigation pane. For more information about scopes, see How IPAM works (p. 2).
Plan for IP address provisioning
Follow the steps in this section to plan for IP address provisioning by using IPAM pools. If you have configured an IPAM account, these steps should be completed by that account.
Important
To use IPAM pools across AWS accounts, you must integrate IPAM with AWS Organizations or some features may not work properly. For more information, see Integrate IPAM with AWS Organizations (p. 5).
In IPAM, a pool is a collection of contiguous IP address ranges (or CIDRs). Pools enable you to organize your IP addresses according to your routing and security needs. You can create pools for AWS Regions outside of your IPAM Region. For example, if you have separate routing and security needs for development and production applications, you can create a pool for each.
In the first step in this section, you’ll create a top-level pool. Then, you’ll create a Regional pool within the top-level pool. Within the Regional pool, you can create additional pools as needed, such as production and development environment pools. By default, you can create pools up to a depth of 10.
For information on IPAM quotas, see Quotas for your IPAM (p. 100).
Note
The terms provision and allocate are used throughout this user guide and the IPAM console. Provision is used when you add a CIDR to an IPAM pool. Allocate is used when you associate a CIDR from an IPAM pool with a resource.
The following is an example hierarchy of the pool structure that you will create by completing the steps in this section:
• IPAM operating in AWS Region 1 and AWS Region 2
• Private scope
• Top-level pool
• Regional pool in AWS Region 1
• Development pool
• Allocation for a VPC
This structure serves as an example of how you might want to use IPAM, but you can use IPAM to suit the needs of your organization. If you are creating a single IPAM pool, complete the steps in Create a top-level pool (p. 10) and then skip to Allocate CIDRs (p. 15).
Contents
• Example IPAM pool plans (p. 9)
• Create a top-level pool (p. 10)
• Create a Regional pool (p. 12)
• Create a development pool (p. 13)
Example IPAM pool plans
You can use IPAM to suit the needs of your organization. This section provides examples of how you might organize your IP addresses.
Pools in multiple AWS Regions
The following example shows an IPAM pool hierarchy for multiple AWS Regions within a top-level pool. Each AWS Regional pool has two IPAM development pools within it, one pool for pre-production resources and one pool for production resources.
Pools for multiple lines of business
The following example shows an IPAM pool hierarchy for multiple lines of business within a top-level pool. Each pool for each line of business contains three AWS Regional pools. Each Regional pool has two IPAM development pools within it, one pool for pre-production resources and one pool for production resources.
Create a top-level pool
Follow the steps in this section to create a top-level IPAM pool. When you create the pool, you provision a CIDR for the pool to use. The pool assigns space within that CIDR to allocations within the pool. An allocation is a CIDR assignment from an IPAM pool to another resource or IPAM pool.
The following example shows the hierarchy of the pool structure that you can create with instructions in this guide. At this step, you are creating the top-level IPAM pool:
• IPAM operating in AWS Region 1 and AWS Region 2
• Private scope
• Top-level pool (10.0.0.0/8)
• Regional pool in AWS Region 2 (10.0.0.0/16)
• Development pool (10.0.0.0/24)
• Allocation for a VPC (10.0.0.0/25)
In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the top-level pool is provisioned with a portion of the top-level CIDR.
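The scope, pool and allocation concepts from How IPAM works, and the provisioning hierarchy shown just above, can be modelled offline with Python's standard `ipaddress` module. The following is an added example written for this guide, not code from AWS or the IPAM API: the `Pool` class, its methods and the `vpc-placeholder-*` identifiers are this example's own inventions, and the CIDRs are the ones from the hierarchy on this page. It shows why a child pool's CIDR must be carved from its parent's provisioned space, why sibling allocations may not overlap inside one scope, and why the same /8 can be reused in a second scope without conflict.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, offline model of the objects this guide describes (scope -> pool
# -> allocation). Class and method names are this example's own and are not
# the IPAM API; CIDRs come from the hierarchy shown on the page.
Net = ipaddress.IPv4Network


@dataclass
class Pool:
    name: str
    scope: str                      # scope the pool lives in ("private", "public", ...)
    parent: Optional["Pool"] = None
    provisioned: List[Net] = field(default_factory=list)
    # CIDRs this pool has handed out, keyed by the child pool or resource holding them
    allocations: Dict[str, Net] = field(default_factory=dict)

    def provision(self, cidr: str) -> Net:
        """Provision a CIDR to this pool. For a child pool this is also an
        allocation from the parent, so the CIDR must sit inside the parent's
        provisioned space and must not overlap the parent's other allocations."""
        net = ipaddress.ip_network(cidr)
        if self.parent is not None:
            self.parent._allocate_exact(self.name, net)
        self.provisioned.append(net)
        return net

    def _allocate_exact(self, owner: str, net: Net) -> None:
        if not any(net.subnet_of(p) for p in self.provisioned):
            raise ValueError(f"{net} is outside pool {self.name}")
        for other, used in self.allocations.items():
            if net.overlaps(used):
                raise ValueError(f"{net} overlaps {used}, already allocated to {other}")
        self.allocations[owner] = net

    def allocate(self, owner: str, prefixlen: int) -> Net:
        """Allocate the first free block of the requested netmask length, which is
        what happens when a VPC is created with a CIDR from this pool."""
        for p in self.provisioned:
            if prefixlen < p.prefixlen:
                continue                # requested block is bigger than this CIDR
            for candidate in p.subnets(new_prefix=prefixlen):
                if not any(candidate.overlaps(u) for u in self.allocations.values()):
                    self.allocations[owner] = candidate
                    return candidate
        raise ValueError(f"pool {self.name} has no free /{prefixlen}")

    def free_addresses(self) -> int:
        total = sum(p.num_addresses for p in self.provisioned)
        return total - sum(a.num_addresses for a in self.allocations.values())


def overlapping_pools(pools: List[Pool]) -> List[Tuple[str, str]]:
    """Top-level pools in the *same* scope whose CIDRs overlap. Pools in different
    scopes never conflict: that is what lets a scope reuse address space that
    another, unconnected network also uses."""
    conflicts = []
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.scope == b.scope and any(
                    x.overlaps(y) for x in a.provisioned for y in b.provisioned):
                conflicts.append((a.name, b.name))
    return conflicts


def build_example_hierarchy() -> Dict[str, Pool]:
    """The page's example: 10.0.0.0/8 -> Regional 10.0.0.0/16 -> development
    10.0.0.0/24 -> a /25 allocated to a VPC (the VPC id is a placeholder)."""
    top = Pool("top-level", scope="private")
    top.provision("10.0.0.0/8")
    regional = Pool("regional-region-2", scope="private", parent=top)
    regional.provision("10.0.0.0/16")
    dev = Pool("development", scope="private", parent=regional)
    dev.provision("10.0.0.0/24")
    dev.allocate("vpc-placeholder-1", 25)
    return {"top": top, "regional": regional, "dev": dev}


if __name__ == "__main__":
    pools = build_example_hierarchy()
    for name, pool in pools.items():
        print(f"{name}: provisioned={pool.provisioned} allocations={pool.allocations}")
    # The same /8 in a different scope is not a conflict.
    lab = Pool("lab-top-level", scope="isolated-lab")
    lab.provision("10.0.0.0/8")
    print("conflicts:", overlapping_pools([pools["top"], lab]))
```

Running the module prints the three pools with their allocations and an empty conflict list for the second scope. The real service enforces the same containment and non-overlap constraints when you provision a child pool or allocate to a VPC; the model only makes the reasoning visible.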
When you create an IPAM pool, you can configure rules for the allocations that are made within the IPAM pool.
Allocation rules enable you to configure the following:
• Whether IPAM should automatically import CIDRs into the IPAM pool if it finds them within this pool's CIDR range
• The required netmask length for allocations within the pool
• The required tags for resources within the pool
• The required locale for resources within the pool. The locale is the AWS Region where an IPAM pool is available for allocations.
Allocation rules determine whether resources are compliant or noncompliant. For additional information about compliance, see Monitor CIDR usage by resource (p. 29).
Important
There is an additional implicit rule that is not displayed in the allocation rules. If the resource is in an IPAM pool that is a shared resource in AWS Resource Access Manager (RAM), the resource owner must be configured as a principal in AWS RAM. For more information about sharing pools with RAM, see Share an IPAM pool using AWS RAM (p. 18).
The following example shows how you might use allocation rules to control access to an IPAM pool:
Example
When you create your pools based on routing and security needs, you might want to allow only certain resources to use a pool. In such cases, you can set an allocation rule stating that any resource that wants a CIDR from this pool must have a tag that matches the allocation rule tag requirements. For example, you could set an allocation rule stating that only VPCs with the tag prod can get CIDRs from an IPAM pool. You could also set a rule stating that CIDRs allocated from this pool can be no larger than /24.
In this case, a resource could still be created using a CIDR larger than /24 from this pool if the space is available, but because doing so violates an allocation rule on the pool, IPAM flags this resource as noncompliant.
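The example above is the key security point about allocation rules: they do not block an allocation, they classify it. The following added example (written for this guide, not AWS code; the `AllocationRules` and `Resource` classes, the `env=prod` tag convention and the `vpc-constructed-*` ids are assumptions of the example) evaluates constructed resources against the rules the page describes: minimum netmask length (the largest block allowed), maximum netmask length (the smallest block allowed), required tags and locale. It reproduces the page's case of a /23 allocated from a pool whose largest permitted block is /24, and generalizes to the other rule types so the same check can be run over a whole Resources view.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AllocationRules:
    """Constructed mirror of the pool allocation rules described in this guide."""
    min_netmask: Optional[int] = None       # largest block allowed, e.g. 24 -> nothing bigger than /24
    max_netmask: Optional[int] = None       # smallest block allowed, e.g. 28 -> nothing smaller than /28
    required_tags: Dict[str, str] = field(default_factory=dict)
    locale: Optional[str] = None            # AWS Region the pool is available in


@dataclass
class Resource:
    resource_id: str
    cidr: str
    region: str
    tags: Dict[str, str] = field(default_factory=dict)


def compliance_findings(res: Resource, rules: AllocationRules) -> List[str]:
    """Return the rule violations for one resource (an empty list means compliant).
    IPAM does not prevent a violating allocation; it marks the resource
    noncompliant, so this is the review you would run, not an enforcement gate."""
    findings = []
    net = ipaddress.ip_network(res.cidr, strict=False)
    if rules.min_netmask is not None and net.prefixlen < rules.min_netmask:
        findings.append(
            f"/{net.prefixlen} is larger than the largest allowed block /{rules.min_netmask}")
    if rules.max_netmask is not None and net.prefixlen > rules.max_netmask:
        findings.append(
            f"/{net.prefixlen} is smaller than the smallest allowed block /{rules.max_netmask}")
    for key, value in rules.required_tags.items():
        if res.tags.get(key) != value:
            findings.append(f"missing required tag {key}={value}")
    if rules.locale is not None and res.region != rules.locale:
        findings.append(f"resource is in {res.region} but the pool locale is {rules.locale}")
    return findings


def noncompliant_resources(resources: List[Resource],
                           rules: AllocationRules) -> Dict[str, List[str]]:
    """Map resource id -> findings for every resource that violates at least one rule."""
    report: Dict[str, List[str]] = {}
    for res in resources:
        findings = compliance_findings(res, rules)
        if findings:
            report[res.resource_id] = findings
    return report


# Rules for the page's scenario: only prod-tagged VPCs, no block bigger than /24,
# nothing smaller than /28, pool available in us-east-1 (the tag key/value and the
# /28 limit are this example's assumptions).
EXAMPLE_RULES = AllocationRules(min_netmask=24, max_netmask=28,
                                required_tags={"env": "prod"}, locale="us-east-1")

# Constructed resources, not real AWS inventory.
EXAMPLE_RESOURCES = [
    Resource("vpc-constructed-a", "10.0.0.0/24", "us-east-1", {"env": "prod"}),  # compliant
    Resource("vpc-constructed-b", "10.0.2.0/23", "us-east-1", {"env": "prod"}),  # too large
    Resource("vpc-constructed-c", "10.0.4.0/24", "us-east-1", {"env": "dev"}),   # wrong tag
    Resource("vpc-constructed-d", "10.0.5.0/26", "us-west-2", {"env": "prod"}),  # wrong locale
]

if __name__ == "__main__":
    for rid, findings in noncompliant_resources(EXAMPLE_RESOURCES, EXAMPLE_RULES).items():
        print(rid)
        for f in findings:
            print("  -", f)
```

Note that tags are evaluated against the resource's current tags: as the page says about tagging requirements, a resource that was compliant when it allocated space becomes noncompliant if its tags or the pool's rules change later, which is why this check belongs in periodic review rather than only at creation time.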
AWS Management Console
To create a pool
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. By default, when you create a pool, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2).
4. Choose Create pool.
5. (Optional) Add a Name tag for the pool and a description for the pool.
6. Choose No source pool.
7. For the Locale, choose None. You will set the locale on the Regional pool.
The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it.
Note
If you are creating a single pool only and not a top-level pool with Regional pools within it, you would want to choose a Locale for this pool so that the pool is available for allocations.
8. Select the Address family for this pool. Choose IPv4 if the IP addresses in this pool will be IPv4 addresses. Choose IPv6 if they will be IPv6 addresses. If the scope you’ve chosen for this pool is the public scope, you’ll have the option of using either IPv4 or IPv6. If the scope you’ve chosen for this pool is private, IPv4 is the only option.
9. (Optional) Choose a CIDR to provision for the pool. You can create a pool without a CIDR, but you won’t be able to use the pool for allocations until you’ve provisioned a CIDR for it.
10. Choose optional allocation rules for this pool:
• Automatically import discovered resources: This option is not available if the Locale is set to None. If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. Note the following:
• The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed.
• IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant.
• If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only.
• If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
• Minimum netmask length: The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant and the largest size CIDR block that can be allocated from the pool. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
• Default netmask length: A default netmask length for allocations added to this pool. For example, if the CIDR that's provisioned to this pool is 10.0.0.0/8 and you enter 16 here, any new allocations in this pool will default to a netmask length of /16.
• Maximum netmask length: The maximum netmask length that will be required for CIDR allocations in this pool. This value dictates the smallest size CIDR block that can be allocated from the pool.
• Tagging requirements: The tags that are required for resources to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging rules are changed on the pool, the resource may be marked as noncompliant.
• Locale: The locale that will be required for resources that use CIDRs from this pool.
Automatically imported resources that do not have this locale will be marked noncompliant.
Resources that are not automatically imported into the pool will not be allowed to allocate space from the pool unless they are in this locale.
11. (Optional) Choose Tags for the pool.
12. Choose Create pool.
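The import behaviour listed under Automatically import discovered resources in step 10 has four cases a practitioner should be able to predict: a discovered CIDR that overlaps an existing allocation is not imported, only the largest of several overlapping discovered CIDRs is imported, only one of several identical CIDRs is imported, and compliance with the pool's allocation rules is not considered at all. The following added example (this guide's own illustration, not AWS code; the `select_imports` function, the `vpc-*` ids and the CIDRs are constructed) applies those rules to a sample set of discovered resources and reports what would be imported and what would be skipped, with the reason.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def select_imports(pool_cidr: str, existing: Dict[str, str],
                   discovered: List[Tuple[str, str]]) -> Tuple[Dict[str, Net], List[str]]:
    """Decide which discovered resource CIDRs an auto-import would bring into the
    pool, following the rules described on this page:
      - only CIDRs inside the pool's provisioned range are candidates
      - a CIDR that overlaps an existing allocation is not imported
      - of several overlapping discovered CIDRs, only the largest is imported
      - of several identical CIDRs, only one is imported (IPAM picks one at
        random; this model keeps the first one seen so the result is repeatable)
    Compliance with allocation rules is deliberately NOT checked: IPAM imports
    regardless and may then mark the resource noncompliant.
    Returns (imported {resource id -> CIDR}, skipped ["id cidr: reason", ...])."""
    pool = ipaddress.ip_network(pool_cidr)
    allocated = [ipaddress.ip_network(c) for c in existing.values()]
    imported: Dict[str, Net] = {}
    skipped: List[str] = []

    # Largest blocks (shortest prefix) first. sorted() is stable, so identical
    # CIDRs keep their discovery order and the first one wins.
    candidates = sorted(((rid, ipaddress.ip_network(c)) for rid, c in discovered),
                        key=lambda rc: rc[1].prefixlen)

    for rid, net in candidates:
        if not net.subnet_of(pool):
            skipped.append(f"{rid} {net}: outside pool range {pool}")
            continue
        clash = next((a for a in allocated if net.overlaps(a)), None)
        if clash is not None:
            skipped.append(f"{rid} {net}: overlaps existing allocation {clash}")
            continue
        # Anything already imported that overlaps this one is at least as large.
        winner = next(((w, n) for w, n in imported.items() if net.overlaps(n)), None)
        if winner is not None:
            w, n = winner
            why = "identical to" if n == net else "inside larger discovered CIDR"
            skipped.append(f"{rid} {net}: {why} {n} ({w})")
            continue
        imported[rid] = net
    return imported, skipped


# Constructed scenario: a Regional pool with one existing allocation and six
# discovered VPC CIDRs (ids and addresses are made up for this example).
EXAMPLE_POOL = "10.0.0.0/16"
EXAMPLE_EXISTING = {"vpc-existing": "10.0.0.0/24"}
EXAMPLE_DISCOVERED = [
    ("vpc-a", "10.0.0.0/25"),   # overlaps the existing allocation -> skipped
    ("vpc-b", "10.0.4.0/22"),   # largest of an overlapping group -> imported
    ("vpc-c", "10.0.5.0/24"),   # inside vpc-b -> skipped
    ("vpc-d", "10.0.9.0/24"),   # imported
    ("vpc-e", "10.0.9.0/24"),   # identical to vpc-d -> only one imported
    ("vpc-f", "10.1.0.0/24"),   # outside the pool -> never a candidate
]

if __name__ == "__main__":
    imported, skipped = select_imports(EXAMPLE_POOL, EXAMPLE_EXISTING, EXAMPLE_DISCOVERED)
    print("imported:", {k: str(v) for k, v in imported.items()})
    for line in skipped:
        print("skipped:", line)
```

The skipped list is the part worth keeping: a CIDR that is silently not imported (because a larger discovered block already covers it, or because it collides with an allocation you made by hand) is exactly the address space whose usage the dashboard will not show.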
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to create or edit a top-level pool in your IPAM:
1. Create a pool: create-ipam-pool.
2. Edit the pool after you create it to modify the allocation rules: modify-ipam-pool.
Create a Regional pool
Follow the steps in this section to create a Regional pool within your top-level pool. If you need only a top-level pool, and don't need additional Regional and development pools, skip to Allocate CIDRs (p. 15).
The following example shows the hierarchy of the pool structure that you create by following the instructions in this guide. At this step, you are creating the Regional IPAM pool:
• IPAM operating in AWS Region 1 and AWS Region 2
• Private scope
• Top-level pool (10.0.0.0/8)
• Regional pool in AWS Region 2 (10.0.0.0/16)
• Development pool (10.0.0.0/24)
• Allocation for a VPC (10.0.0.0/25)
In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the top-level pool is provisioned with a portion of the top-level CIDR.
AWS Management Console
To create a Regional pool within a top-level pool
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. By default, when you create a pool, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2).
4. Choose Create pool.
5. (Optional) Add a Name tag for the pool and a description for the pool.
6. Under Source pool, choose the top-level pool that you created in the previous section.
7. Choose the locale for the pool. Choosing a locale ensures there are no cross-region dependencies between your pool and the resources allocating from it. The available options come from the operating Regions that you chose when you created your IPAM.
The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it.
8. (Optional) Choose a CIDR to provision for the pool. You can create a pool without a CIDR, but you won’t be able to use the pool for allocations until you’ve provisioned a CIDR for it. You can add CIDRs to a pool at any time by editing the pool.
9. You have the same allocation rule options here as you did when you created the top-level pool.
See Create a top-level pool (p. 10) for an explanation of the options that are available when you create pools. The allocation rules for the Regional pool are not inherited from the top-level pool. If you do not apply any rules here, there will be no allocation rules set for the pool.
10. (Optional) Choose Tags for the pool.
11. When you’ve finished configuring your pool, choose Create pool.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to create a Regional pool in your IPAM:
1. Get the ID of the scope that you want to create the pool in: describe-ipam-scopes
2. Get the ID of the pool that you want to create the pool in: describe-ipam-pools
3. Create the pool: create-ipam-pool
4. View the new pool: describe-ipam-pools
Repeat these steps to create additional pools within the top-level pool, as needed.
Create a development pool
Follow the steps in this section to create a development pool within your Regional pool. If you need only a top-level and Regional pool, and don't need development pools, skip to Allocate CIDRs (p. 15).
The following example shows the hierarchy of the pool structure that you can create with the instructions in this guide. At this step, you are creating a development IPAM pool:
• IPAM operating in AWS Region 1 and AWS Region 2
• Private scope
• Top-level pool (10.0.0.0/8)
• Regional pool in AWS Region 1 (10.0.0.0/16)
• Development pool for non-production VPCs (10.0.0.0/24)
• Allocation for a VPC (10.0.0.0/25)
• Development pool for production VPCs (10.0.1.0/24)
• Regional pool in AWS Region 2 (10.1.0.0/16)
In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the top-level pool is provisioned with a portion of the top-level CIDR.
AWS Management Console
To create a development pool within a Regional pool
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. By default, when you create a pool, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2).
4. Choose Create pool.
5. (Optional) Add a Name tag for the pool and a description for the pool.
6. Under Source pool, choose the Regional pool.
7. Choose the locale for the pool. Choosing a locale ensures there are no cross-Region dependencies between your pool and the resources allocating from it. The available options here come from the operating Regions that you chose when you created your IPAM.
The locale is the AWS Region where you want this IPAM pool to be available for allocations. For example, you can only allocate a CIDR for a VPC from an IPAM pool that shares a locale with the VPC’s Region. Note that when you have chosen a locale for a pool, you cannot modify it.
8. (Optional) Choose a CIDR to provision for the pool. You can only provision a CIDR that falls within a CIDR provisioned to the Regional pool you chose as the source pool, and that space must not already be allocated in the Regional pool. You can create a pool without a CIDR, but you won’t be able to use the pool for allocations until you’ve provisioned a CIDR for it. You can add CIDRs to a pool at any time by editing the pool.
9. You have the same allocation rule options here as you did when you created the top-level and Regional pool. See Create a top-level pool (p. 10) for an explanation of the options that are available when you create pools. The allocation rules for the pool are not inherited from the pool above it in the hierarchy. If you do not apply any rules here, no allocation rules will be set for the pool.
10. (Optional) Choose Tags for the pool.
11. When you’ve finished configuring your pool, choose Create pool.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to create a development pool in your IPAM:
1. Get the ID of the scope that you want to create the pool in: describe-ipam-scopes
2. Get the ID of the Regional pool that you want to create the pool in: describe-ipam-pools
3. Create the pool: create-ipam-pool
4. View the new pool: describe-ipam-pools
Repeat these steps to create additional development pools within the Regional pool, as needed.
Allocate CIDRs
Follow the steps in this section to allocate a CIDR from an IPAM pool to a resource.
Note
The terms provision and allocate are used throughout this user guide and the IPAM console. Provision is used when you add a CIDR to an IPAM pool. Allocate is used when you associate a CIDR from an IPAM pool with a resource.
The following example shows the hierarchy of the pool structure that you can create with the instructions in this section:
• IPAM operating in AWS Region 1 and AWS Region 2
• Private scope
• Top-level IPAM pool (10.0.0.0/8)
• Regional IPAM pool in AWS Region 2 (10.0.0.0/16)
• Development pool (10.0.0.0/24)
• Allocation - VPC (10.0.0.0/25)
In the preceding example, the CIDRs that are used are examples only. They illustrate that each pool within the top-level pool is provisioned with a portion of the top-level CIDR.
You can allocate CIDRs from an IPAM pool in the following ways:
• Use an AWS service that's integrated with IPAM, such as Amazon VPC, and select the option to use an IPAM pool for the CIDR. IPAM automatically creates the allocation in the pool for you.
• Manually allocate a CIDR within an IPAM pool to reserve it for later use with an AWS service that's integrated with IPAM, such as Amazon VPC.
This section walks you through both options: how to use an AWS service integrated with IPAM to allocate a CIDR from an IPAM pool, and how to manually reserve IP address space.
Contents
• Create a VPC that uses an IPAM pool CIDR (p. 15)
• Manually allocate a CIDR to a pool to reserve IP address space (p. 16)
Create a VPC that uses an IPAM pool CIDR
Follow the steps in Creating a VPC in the Amazon VPC User Guide. When you reach the step to choose a CIDR for the VPC, you will have an option to use a CIDR from an IPAM pool.
If you choose the option to use an IPAM pool when you create the VPC, AWS allocates a CIDR in the IPAM pool. You can view the allocation in IPAM by choosing a pool in the content pane of the IPAM console and viewing the Resources tab for the pool.
Note
For complete instructions using the AWS CLI, including creating a VPC, see the Tutorials (p. 34) section.
Manually allocate a CIDR to a pool to reserve IP address space
Follow the steps in this section to manually allocate a CIDR to a pool. You might do this in order to reserve a CIDR within an IPAM pool for later use. You can also reserve space in your IPAM pool to represent an on-premises network. IPAM will manage that reservation for you and indicate if any CIDRs overlap with your on-premises IP space.
Important
You cannot manually allocate CIDRs from pools in the public scope.
AWS Management Console
To manually allocate a CIDR
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. By default, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2).
4. In the content pane, choose a pool.
5. Choose Actions > Allocate CIDR.
6. Choose whether to define the exact CIDR to allocate (for example, 10.0.0.0/24), or choose the netmask length only (for example, /24).
7. Choose Allocate.
8. You can view the allocation in IPAM by choosing Pools in the navigation pane, choosing a pool, and viewing the Allocations tab for the pool.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to manually allocate a CIDR to a pool:
1. Get the ID of the IPAM pool that you want to create the allocation in: describe-ipam-pools.
2. Create the allocation: allocate-ipam-pool-cidr.
3. View the allocation: get-ipam-pool-allocations.
To release a manually allocated CIDR, see Release an allocation (p. 25).
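The containment, overlap, locale, and "no CIDR provisioned" rules stated in the Regional pool, development pool, and manual allocation procedures above can be checked offline before any create-ipam-pool, provision-ipam-pool-cidr, or allocate-ipam-pool-cidr call is made. The following Python module is an added example written for this page, not code from the IPAM service or the AWS CLI. It models a pool's provisioned CIDRs and allocations with the standard-library ipaddress module, carves a child pool's CIDR out of its parent as an allocation, and picks the first free block when only a netmask length is given. The Region names us-east-1 and us-west-2 stand in for AWS Region 1 and AWS Region 2 of the example hierarchy and are assumptions, as is the first-fit placement; this guide does not say how IPAM places netmask-length allocations.

```python
"""Offline model of the IPAM pool hierarchy used in this guide (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass
class Pool:
    """One IPAM pool. A pool with a parent is a pool within a pool: its CIDRs are
    carved out of the parent's provisioned space and recorded there as allocations."""
    name: str
    locale: str | None = None            # None for the top-level pool
    parent: Pool | None = None
    cidrs: list[IPv4Network] = field(default_factory=list)        # provisioned
    allocations: list[IPv4Network] = field(default_factory=list)  # allocated

    def provision(self, cidr: str) -> IPv4Network:
        """provision-ipam-pool-cidr: add a CIDR to this pool."""
        net = IPv4Network(cidr)          # strict: rejects e.g. 10.0.0.1/24
        if any(net.overlaps(c) for c in self.cidrs):
            raise ValueError(f"{net} overlaps a CIDR already provisioned to {self.name}")
        if self.parent is not None:
            # Must be available in the parent: inside its provisioned space and
            # clear of its existing allocations (child pools, VPCs, reservations).
            self.parent.allocate(cidr=str(net))
        self.cidrs.append(net)
        return net

    def allocate(self, *, cidr: str | None = None, netmask_length: int | None = None,
                 region: str | None = None) -> IPv4Network:
        """allocate-ipam-pool-cidr, or a VPC taking its CIDR from the pool.
        Pass an exact CIDR or only a netmask length, as the console offers."""
        if region is not None and self.locale is not None and region != self.locale:
            raise ValueError(f"pool {self.name} has locale {self.locale}; cannot serve {region}")
        if not self.cidrs:
            raise ValueError(f"pool {self.name} has no provisioned CIDR")
        if cidr is not None:
            net = IPv4Network(cidr)
            if not any(net.subnet_of(c) for c in self.cidrs):
                raise ValueError(f"{net} is outside the space provisioned to {self.name}")
            if any(net.overlaps(a) for a in self.allocations):
                raise ValueError(f"{net} overlaps an existing allocation in {self.name}")
        elif netmask_length is not None:
            net = self._first_free(netmask_length)   # first fit is an assumption of this model
        else:
            raise ValueError("pass either cidr or netmask_length")
        self.allocations.append(net)
        return net

    def _first_free(self, netmask_length: int) -> IPv4Network:
        for c in self.cidrs:
            if netmask_length < c.prefixlen:
                continue
            candidates = [c] if netmask_length == c.prefixlen else c.subnets(new_prefix=netmask_length)
            for cand in candidates:
                if not any(cand.overlaps(a) for a in self.allocations):
                    return cand
        raise ValueError(f"no free /{netmask_length} left in {self.name}")

    def release(self, cidr: str) -> None:
        """release-ipam-pool-allocation: the space becomes available again."""
        self.allocations.remove(IPv4Network(cidr))

    def deprovision(self, cidr: str) -> None:
        """deprovision-ipam-pool-cidr: refused while allocations remain in the CIDR."""
        net = IPv4Network(cidr)
        if any(a.overlaps(net) for a in self.allocations):
            raise ValueError(f"{net} still has allocations in {self.name}; release them first")
        self.cidrs.remove(net)
        if self.parent is not None:
            self.parent.release(cidr)    # the parent's allocation for this child goes too


def build_guide_hierarchy() -> dict[str, Pool]:
    """The hierarchy shown in this guide. us-east-1 and us-west-2 stand in for
    'AWS Region 1' and 'AWS Region 2' (assumed names)."""
    top = Pool("top-level")
    top.provision("10.0.0.0/8")
    region1 = Pool("region-1", locale="us-east-1", parent=top)
    region1.provision("10.0.0.0/16")
    region2 = Pool("region-2", locale="us-west-2", parent=top)
    region2.provision("10.1.0.0/16")
    nonprod = Pool("dev-nonprod", locale="us-east-1", parent=region1)
    nonprod.provision("10.0.0.0/24")
    prod = Pool("dev-prod", locale="us-east-1", parent=region1)
    prod.provision("10.0.1.0/24")
    return {"top": top, "region-1": region1, "region-2": region2,
            "nonprod": nonprod, "prod": prod}


if __name__ == "__main__":
    pools = build_guide_hierarchy()
    vpc = pools["nonprod"].allocate(netmask_length=25, region="us-east-1")
    print(f"VPC in Region 1 got {vpc} from {pools['nonprod'].name}")
    for pool in pools.values():
        print(f"{pool.name:<12} provisioned={[str(c) for c in pool.cidrs]} "
              f"allocated={[str(a) for a in pool.allocations]}")
```

Run it as a script to see the guide's hierarchy built and a /25 handed to a VPC from the non-production development pool. The deprovision path is the reason Release an allocation (p. 25) has to come before Deprovision CIDRs from a pool (p. 20): a pool CIDR with live allocations is refused, and once the child's CIDR is gone the matching allocation in the Regional pool is returned as well.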
Managing IP address space in IPAM
The tasks in this section are optional. If you want to complete the tasks in this section, and you have delegated an IPAM account, the tasks should be completed by the IPAM administrator.
Follow the steps in this section to manage your IP address space in IPAM.
Contents
• Restrict pool access (p. 17)
• Share an IPAM pool using AWS RAM (p. 18)
• Provision CIDRs to a pool (p. 19)
• Deprovision CIDRs from a pool (p. 20)
• Edit a pool (p. 21)
• Delete a pool (p. 21)
• Create additional scopes (p. 22)
• Move resource CIDRs between scopes (p. 23)
• Change the monitoring state of resource CIDRs (p. 24)
• Delete a scope (p. 25)
• Release an allocation (p. 25)
• Delete an IPAM (p. 27)
Restrict pool access
Note
This section describes how to create a service control policy in AWS Organizations that restricts access to IPAM pools. This section is only applicable to you if you've enabled IPAM to integrate with AWS Organizations. For more information, see Integrate IPAM with AWS Organizations (p. 5).
Service control policies (SCPs) in AWS Organizations are a type of organization policy that enable you to manage permissions in your organization. Follow the steps in this section to create an SCP that restricts users in your AWS Organizations accounts to creating VPCs with CIDRs from a specific IPv4 pool and associating CIDRs from that pool with VPCs. Users in those accounts will not be able to create VPCs with CIDRs from, or associate CIDRs to VPCs from, any pool other than the one you choose.
To create an SCP and restrict user access to a pool
1. Follow the steps in Creating an SCP and enter the following text in the JSON editor:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"],
      "Resource": "arn:aws:ec2:*:*:vpc/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Ipv4IpamPoolId": "ipam-pool-0123456789abcdefg"
        }
      }
    }
  ]
}
2. Change the ipam-pool-0123456789abcdefg example value to the IPv4 pool ID you would like to restrict users to.
3. Optionally, you can also add a condition key for ec2:Ipv6IpamPoolId to restrict access to a specific IPv6 pool. Keys inside a single condition block must all match for the Deny to apply, so a request that names the allowed IPv4 pool passes regardless of its IPv6 pool, and vice versa. If both address families must be enforced independently, put each key in its own Deny statement.
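To see what the SCP above does and does not block before attaching it to an OU, the following Python is an added example written for this page, not code from AWS or this guide. It builds the policy document for a pool ID and evaluates a request context against it using the two IAM evaluation rules that matter here: every key inside one condition block must match, and a negated operator such as StringNotEquals evaluates to true when its key is absent from the request context. The pool ID ipam-pool-0123456789abcdefg is the one from the policy above; the other pool IDs are placeholders, and the evaluator models only the StringNotEquals operator this SCP uses.

```python
"""SCP that pins VPC CIDRs to one IPAM pool, with a small evaluator (added example)."""
from __future__ import annotations

import json

VPC_ACTIONS = ["ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"]
VPC_RESOURCE = "arn:aws:ec2:*:*:vpc/*"


def build_scp(ipv4_pool_id: str, ipv6_pool_id: str | None = None) -> dict:
    """The policy shown in this section. An IPv6 pool ID, if given, is added to the
    same StringNotEquals block, as step 3 describes."""
    keys = {"ec2:Ipv4IpamPoolId": ipv4_pool_id}
    if ipv6_pool_id is not None:
        keys["ec2:Ipv6IpamPoolId"] = ipv6_pool_id
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": VPC_ACTIONS,
            "Resource": VPC_RESOURCE,
            "Condition": {"StringNotEquals": keys},
        }],
    }


def scp_json(ipv4_pool_id: str, ipv6_pool_id: str | None = None) -> str:
    """Text to paste into the Organizations JSON editor."""
    return json.dumps(build_scp(ipv4_pool_id, ipv6_pool_id), indent=2)


def condition_matches(condition: dict, context: dict) -> bool:
    """IAM semantics for the one operator this SCP uses: every key in a block must
    match (AND), and StringNotEquals, being negated, is true when the key is absent."""
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"{operator} is not modelled here")
        for key, allowed in pairs.items():
            actual = context.get(key)
            if actual is not None and actual == allowed:
                return False     # key equals the allowed value, so "not equals" fails
    return True


def is_denied_by_scp(policy: dict, action: str, context: dict) -> bool:
    """A matching Deny statement blocks the call regardless of IAM permissions."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny" or action not in statement["Action"]:
            continue
        if condition_matches(statement.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    allowed = "ipam-pool-0123456789abcdefg"          # the pool ID used in this section
    other = "ipam-pool-0123456789abcdefh"            # placeholder for any other pool
    policy = build_scp(allowed)
    print(scp_json(allowed))
    for ctx in ({"ec2:Ipv4IpamPoolId": allowed},     # VPC CIDR taken from the pinned pool
                {"ec2:Ipv4IpamPoolId": other},       # CIDR from some other pool
                {}):                                 # CIDR typed in manually: no pool key
        verdict = "DENY" if is_denied_by_scp(policy, "ec2:CreateVpc", ctx) else "allowed by SCP"
        print(ctx, "->", verdict)
```

Two results are worth noting. A CreateVpc call that specifies a CIDR directly rather than from an IPAM pool carries no ec2:Ipv4IpamPoolId key, so the negated condition holds and the call is denied; that is what forces every VPC CIDR through the chosen pool. And when ec2:Ipv6IpamPoolId is added to the same block, a call naming either allowed pool passes whatever the other pool is, because the keys are ANDed; a separate Deny statement keyed only on ec2:Ipv6IpamPoolId enforces it independently, but then also denies IPv4-only VPC creation, where that key is absent.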
Share an IPAM pool using AWS RAM
Follow the steps in this section to share an IPAM pool using AWS Resource Access Manager (RAM). When you share an IPAM pool with RAM, “principals” can allocate CIDRs from the pool to AWS resources, such as VPCs, from their respective accounts. A principal is a concept in RAM that means any AWS account, IAM role, IAM user, or organizational unit in AWS Organizations. For more information, see Sharing your AWS resources in the AWS RAM User Guide.
Note
• You can only share an IPAM pool with AWS RAM if you've integrated IPAM with AWS Organizations. For more information, see Integrate IPAM with AWS Organizations (p. 5). You cannot share an IPAM pool with AWS RAM if you are a single-account IPAM user.
• You must enable resource sharing with AWS Organizations in AWS RAM. For more information, see Enable resource sharing within AWS Organizations in the AWS RAM User Guide.
• RAM sharing is only available in your IPAM's home AWS Region. You must create the share in the AWS Region that the IPAM is in, not in the Region of the IPAM pool.
• The account that creates and deletes IPAM pool resource shares must have the following permissions in their IAM policy:
• ec2:PutResourcePolicy
• ec2:DeleteResourcePolicy
• You can add multiple IPAM pools to a RAM share.
AWS Management Console
To share an IPAM pool using RAM
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. By default, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2).
4. In the content pane, choose the pool you want to share and choose Actions > View details.
5. Under Resource sharing, choose Create resource share. As a result, the AWS RAM console opens. You'll create the shared pool in AWS RAM.
6. Choose Create a resource share.
7. Add a Name for the shared resource.
8. Under Select resource type, select IPAM pools and choose one or more IPAM pools.
9. Choose Next.
10. Choose one of the permissions for the resource share:
• AWSRAMDefaultPermissionsIpamPool: Choose this permission to allow principals to view the CIDRs and allocations in the shared IPAM pool and allocate/release CIDRs in the pool.
• AWSRAMPermissionIpamPoolByoipCidrImport: Choose this permission to allow principals to import BYOIP CIDRs into the shared IPAM pool. You will need this permission only if you have existing BYOIP CIDRs and you want to import them to IPAM and share them with principals.
For additional information on BYOIP CIDRs to IPAM, see Tutorial: Transfer existing BYOIP IPv4 CIDRs to IPAM (p. 91).
11. Choose the principals that are allowed to access this resource. If principals will be importing existing BYOIP CIDRs to this shared IPAM pool, add the BYOIP CIDR owner account as principal.
12. Review the resource share options and the principals you’ll be sharing with and choose Create.
Command line
The command(s) in this section link to the AWS CLI Reference documentation. There you’ll find detailed descriptions of the options you can use when you run the command(s).
Use the following AWS CLI commands to share an IPAM pool using RAM:
1. Get the ARN of the IPAM pool that you want to share: describe-ipam-pools
2. Create the resource share: create-resource-share
3. View the resource share: get-resource-shares
As a result of creating the resource share in RAM, other principals can now allocate CIDRs to resources using the IPAM pool. For information on monitoring resources created by principals, see Monitor CIDR usage by resource (p. 29). For more information on how to create a VPC and allocate a CIDR from a shared IPAM pool, see Creating a VPC in the Amazon VPC User Guide.
Provision CIDRs to a pool
Follow the steps in this section to provision CIDRs to a pool. If you already provisioned a CIDR when you created the pool, you might need to provision additional CIDRs if a pool is nearing full allocation. To monitor pool usage, see Monitor CIDR usage with the IPAM dashboard (p. 28).
Note
The terms provision and allocate are used throughout this user guide and the IPAM console. Provision is used when you add a CIDR to an IPAM pool. Allocate is used when you associate a CIDR from an IPAM pool with a resource.
AWS Management Console
To provision CIDRs to a pool
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. By default, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2)
4. In the content pane, choose the pool that you want to add a CIDR to.
5. Choose Actions > Provision CIDRs.
6. Enter the CIDR that you want to add, and then choose Add new CIDR for additional CIDRs.
Note
When you provision CIDRs to a pool:
• The CIDR you want to provision must be available in the scope.
• If you are provisioning CIDRs to a pool within a pool, then the CIDR space you want to provision must be available in the pool.
7. Choose Request provisioning.
8. You can view the CIDR in IPAM by choosing Pools in the navigation pane, choosing a pool, and viewing the CIDRs tab for the pool.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to provision CIDRs to a pool:
1. Get the ID of an IPAM pool: describe-ipam-pools
2. Get the CIDRs that are provisioned to the pool: get-ipam-pool-cidrs
3. Provision a new CIDR to the pool: provision-ipam-pool-cidr
4. Get the CIDRs that are provisioned to the pool and view the new CIDR: get-ipam-pool-cidrs
Deprovision CIDRs from a pool
Follow the steps in this section to deprovision CIDRs from an IPAM pool. When you deprovision all pool CIDRs, the pool can no longer be used for allocations. You must first provision a new CIDR to the pool before you can use the pool for allocations.
Important
You cannot deprovision the CIDR if there are allocations in the pool. To remove allocations, see Release an allocation (p. 25).
AWS Management Console
To deprovision a pool CIDR
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. From the dropdown menu at the top of the content pane, choose the scope that you want to use. For more information about scopes, see How IPAM works (p. 2).
4. In the content pane, choose the pool whose CIDRs you want to deprovision.
5. Choose the CIDRs tab.
6. Select one or more CIDRs and choose Deprovision CIDRs.
7. Choose Deprovision CIDR.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to deprovision a pool CIDR:
1. Get an IPAM pool ID: describe-ipam-pools
2. View your current CIDRs for the pool: get-ipam-pool-cidrs
3. Deprovision CIDRs: deprovision-ipam-pool-cidr
4. View your updated CIDRs: get-ipam-pool-cidrs
To provision a new CIDR to the pool, see Provision CIDRs to a pool (p. 19). If you want to delete the pool, see Delete a pool (p. 21).
Edit a pool
Follow the steps in this section to edit an IPAM pool. You may want to edit a pool to change the allocation rules in the pool. For more information about allocation rules, see Create a top-level pool (p. 10).
AWS Management Console
To edit a pool
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. By default, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2)
4. In the content pane, choose the pool that you want to edit.
5. Choose Actions > Edit.
6. Make any changes you need to the pool. For information about pool configuration options, see Create a top-level pool (p. 10).
7. Choose Update.
Command line
Use the following AWS CLI commands to edit a pool:
1. Get an IPAM pool ID: describe-ipam-pools
2. Modify the pool: modify-ipam-pool
Delete a pool
Follow the steps in this section to delete an IPAM pool.
Important
You cannot delete an IP address pool if there are allocations in it. You must first release the allocations and Deprovision CIDRs from a pool (p. 20) before you can delete the pool.
AWS Management Console
To delete a pool
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. From the dropdown menu at the top of the content pane, choose the scope that you want to use. For more information about scopes, see How IPAM works (p. 2).
4. In the content pane, choose the pool that you want to delete.
5. Choose Actions > Delete pool.
6. Enter delete and then choose Delete.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to delete a pool:
1. View pools and get an IPAM pool ID: describe-ipam-pools
2. Delete a pool: delete-ipam-pool
3. View your pools: describe-ipam-pools
To create a new pool, see Create a top-level pool (p. 10).
Create additional scopes
Follow the steps in this section to create an additional scope.
A scope is the highest-level container within IPAM. When you create an IPAM, IPAM creates two default scopes for you. Each scope represents the IP space for a single network. The private scope is intended for all private space. The public scope is intended for all public space. Scopes enable you to reuse IP addresses across multiple unconnected networks without causing IP address overlap or conflict.
When you create an IPAM, default scopes (one private and one public) are created for you. You can create additional private scopes. You cannot create additional public scopes.
You can create additional private scopes if you require support for multiple disconnected private networks. Additional private scopes allow you to create pools and manage resources that use the same IP space.
Important
If IPAM discovers resources with private IPv4 CIDRs, the resource CIDRs are imported into the default private scope and do not appear in any additional private scopes you create. You can move CIDRs from the default private scope to another private scope. For information, see Move resource CIDRs between scopes (p. 23).
AWS Management Console
To create an additional private scope
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Scopes.
3. Choose Create scope.
4. Choose the IPAM that you want to add the scope to.
5. Add a description for the scope.
6. Choose Create scope.
7. You can view the scope in IPAM by choosing Scopes in the navigation pane.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to create an additional private scope:
1. View your current scopes: describe-ipam-scopes
2. Create a new private scope: create-ipam-scope
3. View your current scopes to view the new scope: describe-ipam-scopes
Move resource CIDRs between scopes
Follow the steps in this section to move a resource CIDR from one scope to another.
Important
• You can only move resource CIDRs from one private scope to another. You cannot move resource CIDRs out of a public scope to a private scope or from a private scope to a public scope.
• You can only move CIDRs for resources that IPAM can manage.
• The same AWS account must own both scopes.
AWS Management Console
To move a single CIDR allocated to a resource
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Resources.
3. From the dropdown menu at the top of the content pane, choose the scope you want to use.
4. In the content pane, choose a resource and view the details of the resource.
5. Under Associated CIDRs, select one of the CIDRs allocated to the resource and choose Actions > Move CIDR to different scope.
6. Select the scope you want to move the resource CIDR to.
7. Choose Change scope.
To move all CIDRs allocated to a resource
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Resources.
3. From the dropdown menu at the top of the content pane, choose the scope you want to use.
4. In the content pane, choose the resource whose CIDRs you want to move.
5. Choose Actions > Move all associated CIDRs to different scope.
6. Select the scope you want to move the resource CIDR to.
7. Choose Move scope.
Command line
Use the following AWS CLI commands to move a resource CIDR to a different scope:
1. Get the IDs of the current scope and the destination scope: describe-ipam-scopes
2. View the resource CIDR in its current scope: get-ipam-resource-cidrs
3. Move the resource CIDR to the destination scope: modify-ipam-resource-cidr
4. View the resource CIDR in the destination scope: get-ipam-resource-cidrs
Change the monitoring state of resource CIDRs
Follow the steps in this section to change the monitoring state of a resource CIDR. You may want to change a resource CIDR from monitored to ignored if you do not want IPAM to manage or monitor the resource and allow the CIDR allocated to the resource to be available for use. You may want to change a resource CIDR from ignored to monitored if you want IPAM to manage and monitor the resource CIDR.
Note
You cannot ignore resources in the public scope.
You can change the monitoring state of a resource CIDR to monitored or ignored:
• Monitored: The resource CIDR has been detected by IPAM and is being monitored for overlap with other CIDRs and Allocation rule compliance.
• Ignored: The resource has been chosen to be exempt from monitoring. Ignored resources are not evaluated for overlap with other CIDRs or Allocation rule compliance. Once a resource is chosen to be ignored, any space allocated to it from an IPAM pool is returned to the pool and the resource will not be imported again via auto-import (if the auto-import Allocation rule is set on the pool).
AWS Management Console
To change the monitoring status of a single CIDR allocated to a resource
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Resources.
3. From the dropdown menu at the top of the content pane, choose the private scope you want to use.
4. In the content pane, choose the resource and view the details of the resource.
5. Under Associated CIDRs, select one of the CIDRs allocated to the resource and choose Actions > Mark as ignored or Unmark as ignored.
6. Choose Mark as ignored or Unmark as ignored.
To change the monitoring status of all CIDRs allocated to a resource
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Resources.
3. From the dropdown menu at the top of the content pane, choose the scope you want to use.
4. In the content pane, choose the resource whose monitoring state you want to change.
5. Choose Actions > Mark all associated CIDRs as ignored or Unmark all associated CIDRs as ignored.
6. Choose Mark as ignored or Unmark as ignored.
Command line
Use the following AWS CLI commands to change the monitoring state of a resource CIDR:
1. Get a scope ID: describe-ipam-scopes
2. View the current monitoring state for the resource: get-ipam-resource-cidrs
3. Change the state of the resource CIDR: modify-ipam-resource-cidr
4. View the new monitoring state for the resource: get-ipam-resource-cidrs
Delete a scope
Follow the steps in this section to delete an IPAM scope.
Important
You can't delete a scope if either of the following is true:
• The scope is a default scope. When you create an IPAM, two default scopes (one public, one private) are created automatically, and cannot be deleted. To see if a scope is a default scope, view the Scope type in the details of the scope.
• There are one or more pools in the scope. You must first Delete a pool (p. 21) before you can delete the scope.
AWS Management Console
To delete a scope
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Scopes.
3. In the content pane, choose the scope that you want to delete.
4. Choose Actions > Delete scope.
5. Enter delete and then choose Delete.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to delete a scope:
1. View scopes: describe-ipam-scopes
2. Delete a scope: delete-ipam-scope
3. View updated scopes: describe-ipam-scopes
To create a new scope, see Create additional scopes (p. 22). To delete the IPAM, see Delete an IPAM (p. 27).
Release an allocation
Follow the steps in this section to release a CIDR allocation from an IPAM pool. An allocation is a CIDR assignment from an IPAM pool to another resource or IPAM pool.
If you are planning to delete a pool, you might need to release a pool allocation. You cannot delete pools if the pools have CIDRs provisioned, and you cannot deprovision CIDRs if the CIDRs are allocated to resources.
Note
• To release a manual allocation, use the steps in this section or call the ReleaseIpamPoolAllocation API.
• To release an allocation in a private scope, you must ignore or delete the resource CIDR. For more information, see Change the monitoring state of resource CIDRs (p. 24). After some time, Amazon VPC IPAM will automatically release the allocation on your behalf.
Example: If you have a VPC CIDR in a private scope, to release the allocation you must either ignore or delete the VPC CIDR. After some time, Amazon VPC IPAM will automatically release the VPC CIDR allocation from the IPAM pool.
• To release an allocation in a public scope, you must delete the resource CIDR. You cannot ignore public resource CIDRs. For more information, see Cleanup in Bring your own public IPv4 CIDR to IPAM using only the AWS CLI (p. 64) or Cleanup in Bring your own IPv6 CIDR to IPAM using only the AWS CLI (p. 78). After some time, Amazon VPC IPAM will automatically release the allocation on your behalf.
For Amazon VPC IPAM to release allocations on your behalf, all account permissions must be properly configured for either single-account use (p. 6) or multi-account use (p. 5).
When you release a CIDR that’s managed by your IPAM, Amazon VPC IPAM recycles the CIDR back into an IPAM pool. It takes a few minutes for the CIDR to become available for future allocations. For more information about pools and allocations, see How IPAM works (p. 2).
AWS Management Console
To release a pool allocation
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Pools.
3. From the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2).
4. In the content pane, choose the pool that the allocation is in.
5. Choose the Allocations tab.
6. Select one or more allocations and choose Deallocate CIDRs.
7. Choose Deallocate CIDR.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to release a pool allocation:
1. Get an IPAM pool ID: describe-ipam-pools
2. View your current allocations in the pool: get-ipam-pool-allocations
3. Release an allocation: release-ipam-pool-allocation
4. View your updated allocations: get-ipam-pool-allocations
To add a new allocation, see Allocate CIDRs (p. 15). To delete the pool after releasing allocations, you must first Deprovision CIDRs from a pool (p. 20).
Delete an IPAM
Follow the steps in this section to delete an IPAM. For information on increasing the default number of IPAMs you can have rather than deleting an existing IPAM, see Quotas for your IPAM (p. 100). Deleting an IPAM removes all monitored data associated with the IPAM including the historical data for CIDRs.
Important
Before you can delete an IPAM, you must do the following:
• Release allocations within the IPAM pools. For more information, see Release an allocation (p. 25).
• Deprovision CIDRs provisioned to pools within the IPAM. For more information, see Deprovision CIDRs from a pool (p. 20).
• Delete your IPAM pools. For more information, see Delete a pool (p. 21).
• Delete any additional non-default scopes. A scope cannot be deleted while it still contains pools, so delete the pools first. For more information, see Delete a scope (p. 25).
AWS Management Console
To delete an IPAM
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose IPAMs.
3. In the content pane, select your IPAM.
4. Choose Actions > Delete IPAM.
5. Enter delete and then choose Delete.
Command line
The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.
Use the following AWS CLI commands to delete an IPAM:
1. View current IPAMs: describe-ipams
2. Delete an IPAM: delete-ipam
3. View your updated IPAMs: describe-ipams
To create a new IPAM, see Create an IPAM (p. 7).
Tracking IP address usage in IPAM
The tasks described in this section are optional. If you want to complete the tasks in this section, and you have delegated an IPAM account, the tasks should be completed by the IPAM account.
Follow the steps in this section to track IP address usage with IPAM.
Contents
• Monitor CIDR usage with the IPAM dashboard (p. 28)
• Monitor CIDR usage by resource (p. 29)
• Create alarms with Amazon CloudWatch (p. 31)
• View IP address history (p. 31)
Monitor CIDR usage with the IPAM dashboard
Follow the steps in this section to access the IPAM dashboard and view the status of all CIDRs within a particular IPAM scope.
AWS Management Console
To monitor CIDR usage using the IPAM dashboard
1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
2. In the navigation pane, choose Dashboard.
3. By default, when you view the dashboard, the default private scope is selected. If you don’t want to use the default private scope, from the dropdown menu at the top of the content pane, choose the scope you want to use. For more information about scopes, see How IPAM works (p. 2).
4. View the monitoring data in the following sections:
• Scope: The details for this scope.
• Scope ID: The ID for this scope.
• Description: An optional description for the scope.
• IPAM ID: The ID of the IPAM that the scope is in.
• Scope type: The type of scope.
• Summary: The number of CIDRs per category.
• Managed CIDRs: The number of resource CIDRs for manageable resources (VPCs or public IPv4 pools) that are allocated from an IPAM pool in the scope.
• Unmanaged CIDRs: The number of resource CIDRs for unmanaged resources in this scope.
• Ignored CIDRs: The number of resource CIDRs that you have chosen to be exempt from monitoring with IPAM in the scope. IPAM does not evaluate ignored resources for overlap or compliance within a scope. When a resource is chosen to be ignored, any space that's allocated to it from an IPAM pool is returned to the pool, and the resource will not be imported again through automatic import (if the automatic import allocation rule is set on the pool).
• Pools: The number of pools in the scope.