Adam Divall

Walkthrough Guides and Other Useful Information on AWS

Configuring Amazon VPC IP Address Manager (IPAM)

2023-03-19 5 min read Walkthroughs Adam Divall

In many enterprise environments a common challenge is how to handle the allocation of IP CIDR blocks, whether to Data Centers, Offices or Subnets, so as to ensure that resources don’t end up with IP addresses that have already been assigned to other resources on the Network. Duplicate IP Addresses on the Network can cause numerous issues, and AWS has previously written the following blog that discusses several solutions to this challenge, such as the use of NAT Gateways and AWS PrivateLink, or a couple of more manual approaches to work around the issue.

However, none of those solutions addresses the root cause of the issue: organisations allocating IP CIDR blocks manually. At AWS re:Invent 2021, Amazon finally brought their solution to the table in the form of Amazon VPC IP Address Manager (IPAM). In this post, I’ll walk through the steps to configure the service as well as how to make it usable by the entire AWS Organisation through Resource Access Manager.

What is Amazon VPC IP Address Manager?

Amazon VPC IP Address Manager (IPAM) is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads.

Configuring Delegated Administration for Amazon VPC IP Address Manager

  • Log in to the AWS Management Console using an Account with administrative permissions in the Management Account and switch to the AWS Region that you’re going to use as the Home Region, e.g., eu-west-2 (London).
  • Navigate to Amazon VPC IP Address Manager.

  • Click Settings

  • Click Edit

  • In the Delegated administrator account, type the 12-digit AWS Account ID of the Account that you wish to enable as the delegated administrator for VPC IP Address Manager. Typically I would recommend configuring this to be the Network Account.

Create an IPAM

  • Log in to the AWS Management Console using an Account with administrative permissions in the Network Account and switch to the AWS Region that you’re going to use as the Home Region, e.g., eu-west-2 (London).
  • Navigate to Amazon VPC IP Address Manager.
  • Click IPAMs

  • Click Create IPAM.
  • On the Create IPAM page; Under the IPAM settings section, in the Name tag type Global.
  • In the Description, type Global IPAM.
  • In the Operating Regions, select the Regions that you wish to configure. In this example I’m simply going to leave it set to eu-west-2.
  • Click Create IPAM

Create a Global IPAM Pool

  • Click Pools.

  • On the Create Pool page; Under the Pool settings section, in the Name tag type Global Pool.
  • In the Description, type Global Pool.
  • Under the Pool hierarchy section, in the Source pool leave the setting as No source pool.
  • In the Locale, select None

  • Under the CIDRs to provision section, in the CIDR type 10.0.0.0/16.
  • Click Create pool.

Create a Regional IPAM Pool

  • On the Create Pool page; Under the Pool settings section, in the Name tag type Regional Pool.
  • In the Description, type Regional Pool.
  • Under the Pool hierarchy section, in the Source pool select the Global Pool.
  • In the Locale, select eu-west-2

  • Under the CIDRs to provision section, in the CIDR type 10.0.0.0/16.
  • Click Create pool.

Create SDLC IPAM Pools

  • On the Create Pool page; Under the Pool settings section, in the Name tag type Production Pool.
  • In the Description, type Production Pool.
  • Under the Pool hierarchy section, in the Source pool select the Regional Pool.
  • In the Locale, select eu-west-2

  • Under the CIDRs to provision section, Click Add CIDR by Size and then Select /17.
  • Click Create pool.

  • Click on the Production Pool.

  • Click on the Compliancy Tab.

  • Under the Resource tag compliancy section, Click Edit
  • Under the CIDR management section, Select Allow automatic import.
  • Under the Tag compliancy section, Click Add new required tag.
  • In the Key, type Environment and in the Value type Production.

  • On the Create Pool page; Under the Pool settings section, in the Name tag type Development Pool.
  • In the Description, type Development Pool.
  • Under the Pool hierarchy section, in the Source pool select the Regional Pool.
  • In the Locale, select eu-west-2

  • Under the CIDRs to provision section, Click Add CIDR by Size and then Select /17.
  • Click Create pool.

  • Click on the Development Pool.

  • Click on the Compliancy Tab.

  • Under the Resource tag compliancy section, Click Edit
  • Under the CIDR management section, Select Allow automatic import.
  • Under the Tag compliancy section, Click Add new required tag.
  • In the Key, type Environment and in the Value type Development.

Share the IPAM Pools with the AWS Organization

  • Log in to the AWS Management Console using an Account with administrative permissions in the Network Account and switch to the AWS Region where you’ve previously created the IPAM Pools.
  • Navigate to Amazon Resource Access Manager.
  • Click Create resource share.

  • On the Specify resource share details page, Under the Resource share name type IPAM.
  • Under the Resources - optional section; In the Select resource type drop down, select IPAM Pools and then select all the ARNs of the IPAM Pools we’ve previously created.
  • Click Next.

  • On the Associate permissions page, Click Next.

  • On the Grant access to principals page; Under the Principals - optional section, select Organization.
  • In the Organization ID, type the Organization ID.
  • Click Add.
  • Click Next.

  • Click Create resource share.

What’s Next?

All that is left to do is to provision a VPC. This can be done in one of two ways:

Provision a VPC in the AWS Management Console by selecting the IPAM Pool that you want the IP CIDR range to be allocated from, such as the Production Pool or the Development Pool. However, this requires the VPC to be tagged with a Key/Value of Environment and either Production or Development, matching the Pool that you’ve selected.

Alternatively, deploy the VPC via Infrastructure as Code with a tool such as CloudFormation. In the custom-vpc.yaml CloudFormation Template on my GitHub I’ve written a CloudFormation Custom Resource that obtains the VPC IPAM Pool ID based on the AWS Region and the Tags that are applied to the VPC.
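The walkthrough builds a hierarchy of pools (Global 10.0.0.0/16, Regional 10.0.0.0/16 in eu-west-2, then a Production /17 and a Development /17 with a required Environment tag) and the custom resource above then picks a pool by Region and tags. The following Python is an added example, not code from the post or from the author’s GitHub repository, and it makes no AWS API calls: it models those pools locally with the standard ipaddress module so the rules IPAM enforces are visible: a child pool’s CIDR must sit inside its source pool, pools sharing a source must not overlap, an allocation from an SDLC pool is refused when the VPC lacks the required tag, and a new VPC CIDR is never handed out twice. The pool names, CIDRs and tag values are the ones in the post; the Pool class, the functions and the /20 VPC size are assumptions made for the example.

```python
"""Local model of the IPAM pool hierarchy built in this walkthrough.

Constructed example: pools, CIDRs and tags mirror the post. No AWS calls are
made; the functions reproduce the checks IPAM applies so they can be read and
run offline.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Optional


@dataclass
class Pool:
    """One IPAM pool: provisioned CIDRs, optional source pool, locale and tag rules."""
    name: str
    cidrs: list[IPv4Network]
    locale: Optional[str] = None                                  # Region, None for the global pool
    source: Optional["Pool"] = None                               # parent in the hierarchy
    required_tags: dict[str, str] = field(default_factory=dict)   # "Resource tag compliancy"
    allocations: list[IPv4Network] = field(default_factory=list)  # CIDRs already given to VPCs


def build_walkthrough_pools() -> list[Pool]:
    """Pools exactly as the post creates them (constructed data, no AWS calls)."""
    glob = Pool("Global Pool", [IPv4Network("10.0.0.0/16")])
    regional = Pool("Regional Pool", [IPv4Network("10.0.0.0/16")], "eu-west-2", glob)
    prod = Pool("Production Pool", [IPv4Network("10.0.0.0/17")], "eu-west-2", regional,
                {"Environment": "Production"})
    dev = Pool("Development Pool", [IPv4Network("10.0.128.0/17")], "eu-west-2", regional,
               {"Environment": "Development"})
    return [glob, regional, prod, dev]


def validate_hierarchy(pools: list[Pool]) -> list[str]:
    """Checks applied when CIDRs are provisioned: every child CIDR lies inside its
    source pool, and pools that share a source do not overlap. Returns problems."""
    problems = []
    for p in pools:
        if p.source is None:
            continue
        for c in p.cidrs:
            if not any(c.subnet_of(parent) for parent in p.source.cidrs):
                problems.append(f"{p.name}: {c} is not inside source pool {p.source.name}")
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.source is None or a.source is not b.source:
                continue
            for ca in a.cidrs:
                for cb in b.cidrs:
                    if ca.overlaps(cb):
                        problems.append(f"{a.name} {ca} overlaps {b.name} {cb}")
    return problems


def select_pool(pools: list[Pool], region: str, vpc_tags: dict[str, str]) -> Pool:
    """Lookup in the spirit of the custom resource: the single leaf pool whose locale
    is the Region and whose required tags all match the VPC's tags."""
    matches = [p for p in pools
               if p.locale == region and p.required_tags
               and all(vpc_tags.get(k) == v for k, v in p.required_tags.items())]
    if len(matches) != 1:
        raise LookupError(f"expected one pool for {region} {vpc_tags}, found {len(matches)}")
    return matches[0]


def allocate(pool: Pool, netmask_length: int, vpc_tags: dict[str, str]) -> IPv4Network:
    """Hand out the first free /netmask_length that overlaps no existing allocation;
    refuse when the VPC is missing a tag the pool requires."""
    for k, v in pool.required_tags.items():
        if vpc_tags.get(k) != v:
            raise ValueError(f"{pool.name} requires tag {k}={v}; VPC has {vpc_tags}")
    for cidr in pool.cidrs:
        if netmask_length < cidr.prefixlen:
            continue
        for candidate in cidr.subnets(new_prefix=netmask_length):
            if not any(candidate.overlaps(a) for a in pool.allocations):
                pool.allocations.append(candidate)
                return candidate
    raise RuntimeError(f"{pool.name} has no free /{netmask_length} left")


if __name__ == "__main__":
    pools = build_walkthrough_pools()
    print("hierarchy problems:", validate_hierarchy(pools))
    tags = {"Environment": "Production"}
    pool = select_pool(pools, "eu-west-2", tags)
    print(pool.name, allocate(pool, 20, tags), allocate(pool, 20, tags))
```

Running the module allocates two consecutive /20 VPC ranges from the Production Pool. Adding a pool whose CIDR overlaps a sibling, or requesting a CIDR with the wrong Environment tag, is reported rather than silently producing a duplicate range, which is the failure mode the post sets out to remove.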

Also within the GitHub Repo are CloudFormation Templates for walking through the processes described in this post, including Delegating Administration and configuring Multiple IPAM Pools and Regions.

Hope this helps.