
Bring your own IP addresses (BYOIP) in Amazon EC2

You can use IP addresses rented at the INTERLIR Marketplace as an Amazon EC2 BYOIP range. You can bring part or all of a publicly routable IPv4 or IPv6 address range from your on-premises network to your AWS account. You continue to control the address range, but by default, AWS advertises it on the internet. After you bring the address range to AWS, it appears in your AWS account as an address pool. When the range is rented rather than registered to you, the RDAP and ROA changes described below must be made by the registered holder or their LIR, so allow for that lead time.

BYOIP is not available in all Regions and for all resources. For a list of supported Regions and resources, see the FAQ for Bring Your Own IP.

BYOIP definitions

  • Self-signed X.509 certificate — A public key certificate in the X.509 format, which is widely used to authenticate parties and to protect data in transit. For BYOIP, you publish a self-signed certificate in the RDAP record of your address range, and AWS uses it to check the signed authorization message you later submit, which is how AWS validates control over the IP space. For more information about X.509 certificates, see RFC 3280 (since superseded by RFC 5280).
  • Registry Data Access Protocol (RDAP) — A protocol for querying registration data held by the Regional Internet Registries (RIRs). The records are updated by the resource holder and used by AWS to verify control of an address space.
  • Route Origin Authorization (ROA) — An object that the resource holder creates in the RIR's Resource Public Key Infrastructure (RPKI) to authorize particular autonomous systems to originate routes for a prefix. For an overview, see Route Origin Authorizations (ROAs) on the ARIN website.
  • Local Internet Registry (LIR) — Organizations such as internet service providers that receive a block of IP addresses from an RIR and allocate parts of it to their customers.

Requirements and quotas

  • The address range must be registered with your regional internet registry (RIR), such as the American Registry for Internet Numbers (ARIN), Réseaux IP Européens Network Coordination Centre (RIPE), or Asia-Pacific Network Information Centre (APNIC). It must be registered to a business or institutional entity and cannot be registered to an individual person.
  • The most specific IPv4 address range that you can bring is /24.
  • The most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertised, and /56 for CIDRs that are not publicly advertised.
  • ROAs are not required for CIDR ranges that are not publicly advertised, but the RDAP records still need to be updated. 
  • You can bring each address range to one Region at a time.
  • You can bring a total of five IPv4 and IPv6 address ranges per Region to your AWS account.
  • You cannot share your IP address range with other accounts using AWS RAM unless you use Amazon VPC IP Address Manager (IPAM) and integrate IPAM with AWS Organizations. For more information, see Integrate IPAM with AWS Organizations in the Amazon VPC IPAM User Guide.
  • The addresses in the IP address range must have a clean history. We might investigate the reputation of the IP address range and reserve the right to reject an IP address range if it contains an IP address that has a poor reputation or is associated with malicious behavior.
  • AWS doesn’t support legacy allocations.
  • For LIRs, it is common that they use a manual process to update their records. This can take days to deploy depending on the LIR.
  • A single ROA object and RDAP record are needed for a large CIDR block. You can bring multiple smaller CIDR blocks from that range to AWS, even across multiple Regions, using the single object and record.

Onboarding prerequisites for your BYOIP address range

The onboarding process for BYOIP has two phases, for which you must perform three steps. These steps correspond to the steps depicted in the following diagram.

Preparation phase

1. Create an RSA key pair, and use it to generate a self-signed X.509 certificate for authentication purposes.

RIR configuration phase

2. Upload the self-signed certificate to your RDAP record comments.

3. Create an ROA object in your RIR. The ROA defines the desired address range, the Autonomous System Numbers (ASNs) allowed to advertise the address range, and an expiration date to register with the Resource Public Key Infrastructure (RPKI) of your RIR.

Note: An ROA is not required for non-publicly advertised IPv6 address space.

To bring on multiple non-contiguous address ranges, you must repeat this process with each address range. However, the preparation and RIR configuration steps don’t need to be repeated if splitting a contiguous block across several different Regions.

Bringing on an address range has no effect on any address ranges that you brought on previously.

Before onboarding your address range, complete the following prerequisites. For some tasks, you run Linux commands. On Windows, you can use the Windows Subsystem for Linux to run the Linux commands.

1. Create a key pair for AWS authentication

Use the following procedure to create a self-signed X.509 certificate and add it to the RDAP record for your RIR. The private key signs the authorization message that you later send to AWS, and the certificate published in RDAP is what AWS checks that signature against, so treat the private key as an account credential and keep it off shared systems. The openssl commands require OpenSSL version 1.0.2 or later.

Copy the commands and replace only the placeholder values.

To create a self-signed X.509 certificate and add it to the RDAP record

This procedure follows the best practice of encrypting your private RSA key and requiring a passphrase to access it.

2. Upload the RDAP record to your RIR

Add the certificate that you previously created to the RDAP record for your RIR. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings before and after the encoded portion. All of this content must be on a single, long line. The procedure for updating RDAP depends on your RIR:

  • For ARIN, add the certificate in the “Public Comments” section for your address range. Do not add it to the comments section for your organization.
  • For RIPE, add the certificate as a new “descr” field for your address range. Do not add it to the comments section for your organization.
  • For APNIC, email the certificate to helpdesk@apnic.net to have it manually added to the “remarks” field for your address range. Send the email using the APNIC authorized contact for the IP addresses.

3. Create an ROA object in your RIR

Create an ROA object to authorize the Amazon ASNs 16509 and 14618 to advertise your address range, as well as the ASNs that are currently authorized to advertise the address range. For the AWS GovCloud (US) Region, authorize ASN 8987. You must set the maximum length to the size of the smallest prefix that you want to bring (for example, /24). It might take up to 24 hours for the ROA to become available to Amazon. For more information, consult your RIR.

When you migrate advertisements from an on-premises workload to AWS, you must create an ROA for your existing ASN before creating the ROAs for Amazon’s ASNs. Otherwise, you might see an impact to your existing routing and advertisements.

Note:

This step is not required for non-publicly advertised IPv6 address space.

Onboard your BYOIP

The onboarding process for BYOIP has the following tasks, depending on your needs.

Provision a publicly advertised address range in AWS

When you provision an address range for use with AWS, you are confirming that you control the address range and are authorizing Amazon to advertise it. We also verify that you control the address range through a signed authorization message. This message is signed with the self-signed X.509 key pair that you used when updating the RDAP record with the X.509 certificate. AWS requires a cryptographically signed authorization message that it presents to the RIR. The RIR authenticates the signature against the certificate that you added to RDAP, and checks the authorization details against the ROA.

To provision the address range

  1. Compose message. Compose the plaintext authorization message. The format of the message is as follows, where the date is the expiry date of the message:

     1|aws|account|cidr|YYYYMMDD|SHA256|RSAPSS

     Replace the account number, address range, and expiry date with your own values to create a message resembling the following (choose an expiry date that is still in the future when AWS processes the request):

     text_message="1|aws|0123456789AB|198.51.100.0/24|20211231|SHA256|RSAPSS"

     This is not to be confused with an ROA message, which has a similar appearance.
  2. Sign message. Sign the plaintext message using the private key that you created previously. The signature returned by this command is a long string that you need to use in the next step.

     Important: We recommend that you copy and paste this command. Except for the message content, do not modify or replace any of the values.

     signed_message=$( echo -n $text_message | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")

     Because the private key is passphrase-protected, openssl prompts for the passphrase. The -n flag matters: the signed bytes must be exactly the message with no trailing newline. The two tr calls turn the base64 output into the form AWS expects, with + = / replaced by - _ ~ and everything on a single line.
  3. Provision address. Use the AWS CLI provision-byoip-cidr command to provision the address range. The --cidr-authorization-context option uses the message and signature strings that you created previously.

     Important: You must specify the AWS Region where the BYOIP range should be provisioned if it differs from the Default region name in your AWS CLI configuration.

     aws ec2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region us-east-1

     Provisioning an address range is an asynchronous operation, so the call returns immediately, but the address range is not ready to use until its status changes from pending-provision to provisioned.
  4. Monitor progress. It can take up to one week to complete the provisioning process for publicly advertisable ranges. Use the describe-byoip-cidrs command to monitor progress, as in this example:

     aws ec2 describe-byoip-cidrs --max-results 5 --region us-east-1

     If there are issues during provisioning and the status goes to failed-provision, you must run the provision-byoip-cidr command again after the issues have been resolved.
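The key pair and certificate from step 1 of the prerequisites (whose openssl commands are missing from this page) together with the compose and sign steps above, as one added example script. It is not part of the AWS or INTERLIR documentation. Beyond the documented procedure it checks the message format before signing and verifies the signature locally against the public key, so a wrong passphrase, a stray newline or a mangled paste is caught before anything is sent to AWS. The work directory, the passphrase source (a pass: string here; use file: or an interactive prompt outside a demo) and the certificate subject /CN=byoip-example are placeholders.

```shell
#!/bin/sh
# Added example; not from the AWS or INTERLIR documentation.
# Creates the BYOIP key pair and one-line self-signed certificate,
# builds and signs the authorization message, and verifies the
# signature locally before it is handed to provision-byoip-cidr.
# Needs OpenSSL 1.0.2 or later.
# Hypothetical placeholders: the work directory, the passphrase source
# (pass:... below; prefer file:/path or a prompt outside a demo) and the
# certificate subject /CN=byoip-example.

# Print the plaintext authorization message after checking its parts:
# 1|aws|account|cidr|YYYYMMDD|SHA256|RSAPSS  (no trailing newline).
byoip_message() {
  account=$1; cidr=$2; expiry=$3
  case $account in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account ID must be 12 digits" >&2; return 1 ;;
  esac
  case $cidr in
    */*) ;;
    *) echo "CIDR must carry a prefix length, e.g. 198.51.100.0/24" >&2; return 1 ;;
  esac
  case $expiry in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "expiry must be YYYYMMDD" >&2; return 1 ;;
  esac
  printf '%s' "1|aws|${account}|${cidr}|${expiry}|SHA256|RSAPSS"
}

# Step 1 of the prerequisites: passphrase-protected 2048-bit RSA key,
# its public half, and a self-signed certificate flattened to a single
# line so it can be pasted into the RDAP record as-is.
byoip_keygen() {
  dir=$1; passsrc=$2
  openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -pass "$passsrc" -out "$dir/private-key.pem"
  openssl rsa -in "$dir/private-key.pem" -passin "$passsrc" -pubout \
      -out "$dir/public-key.pem"
  openssl req -new -x509 -key "$dir/private-key.pem" -passin "$passsrc" \
      -days 365 -subj "/CN=byoip-example" | tr -d '\n' > "$dir/certificate.pem"
}

# Step 2 of provisioning: RSA-PSS over SHA-256 with a digest-length
# salt, base64, then + = / swapped for - _ ~ and joined onto one line.
byoip_sign() {
  dir=$1; passsrc=$2; msg=$3
  printf '%s' "$msg" \
    | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -sign "$dir/private-key.pem" -keyform PEM -passin "$passsrc" \
    | openssl base64 | tr -- '+=/' '-_~' | tr -d '\n'
}

# Local check before calling AWS: undo the character swap, decode, and
# verify against the public key. Exit status 0 means the signature
# matches this exact message (a changed byte or trailing newline fails).
byoip_verify() {
  dir=$1; msg=$2; sig=$3
  printf '%s' "$sig" | tr -- '_~-' '=/+' | openssl base64 -d -A > "$dir/signature.bin"
  printf '%s' "$msg" \
    | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -verify "$dir/public-key.pem" -signature "$dir/signature.bin" >/dev/null
}

# Stand-alone run: BYOIP_ACCOUNT, BYOIP_CIDR and BYOIP_EXPIRY select the
# message; files land in ./byoip-work.
if [ -n "${BYOIP_ACCOUNT:-}" ] && [ -n "${BYOIP_CIDR:-}" ] && [ -n "${BYOIP_EXPIRY:-}" ]; then
  mkdir -p byoip-work
  text_message=$(byoip_message "$BYOIP_ACCOUNT" "$BYOIP_CIDR" "$BYOIP_EXPIRY")
  byoip_keygen byoip-work "${BYOIP_PASS:-pass:change-me}"
  signed_message=$(byoip_sign byoip-work "${BYOIP_PASS:-pass:change-me}" "$text_message")
  byoip_verify byoip-work "$text_message" "$signed_message" && echo "signature verified"
  echo "certificate for RDAP:"; cat byoip-work/certificate.pem; echo
  echo "Message=$text_message"
  echo "Signature=$signed_message"
fi
```

The text_message and signed_message values printed at the end are what the provision-byoip-cidr call on this page takes in its --cidr-authorization-context option; the contents of certificate.pem are what goes into the RDAP record, BEGIN and END markers included.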

Provision an IPv6 address range that’s not publicly advertised

By default, an address range is provisioned to be publicly advertised to the internet. You can provision an IPv6 address range that will not be publicly advertised. For routes that are not publicly advertisable, the provisioning process generally completes within minutes. When you associate an IPv6 CIDR block from a non-public address range with a VPC, the IPv6 CIDR can only be accessed through hybrid connectivity options that support IPv6, such as AWS Direct Connect, AWS Site-to-Site VPN, or Amazon VPC Transit Gateways.

An ROA is not required to provision a non-public address range.

Important:

You can only specify whether an address range is publicly advertised during provisioning. You cannot change the advertisable status later on.

To provision an IPv6 address range that will not be publicly advertised, use the following provision-byoip-cidr command.

aws ec2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message" --no-publicly-advertisable --region us-east-1


Advertise the address range through AWS

After the address range is provisioned, it is ready to be advertised. You must advertise the exact address range that you provisioned. You can’t advertise only a portion of the provisioned address range.

If you provisioned an IPv6 address range that will not be publicly advertised, you do not need to complete this step.

We recommend that you stop advertising the address range from other locations before you advertise it through AWS. If you keep advertising your IP address range from other locations, we can’t reliably support it or troubleshoot issues. Specifically, we can’t guarantee that traffic to the address range will enter our network.

To minimize down time, you can configure your AWS resources to use an address from your address pool before it is advertised, and then simultaneously stop advertising it from the current location and start advertising it through AWS. For more information about allocating an Elastic IP address from your address pool, see Allocate an Elastic IP address.

Limitations

  • You can run the advertise-byoip-cidr command at most once every 10 seconds, even if you specify different address ranges each time.
  • You can run the withdraw-byoip-cidr command at most once every 10 seconds, even if you specify different address ranges each time.

To advertise the address range, use the following advertise-byoip-cidr command.

aws ec2 advertise-byoip-cidr --cidr address-range --region us-east-1

To stop advertising the address range, use the following withdraw-byoip-cidr command.

aws ec2 withdraw-byoip-cidr --cidr address-range --region us-east-1

Deprovision the address range

To stop using your address range with AWS, first release any Elastic IP addresses and disassociate any IPv6 CIDR blocks that are still allocated from the address pool. Then stop advertising the address range, and finally, deprovision the address range.

You cannot deprovision a portion of the address range. If you want to use a more specific address range with AWS, deprovision the entire address range and provision a more specific address range.

(IPv4) To release each Elastic IP address, use the following release-address command.

aws ec2 release-address --allocation-id eipalloc-12345678abcabcabc --region us-east-1

(IPv6) To disassociate an IPv6 CIDR block, use the following disassociate-vpc-cidr-block command.

aws ec2 disassociate-vpc-cidr-block --association-id vpc-cidr-assoc-12345abcd1234abc1 --region us-east-1

To stop advertising the address range, use the following withdraw-byoip-cidr command.

aws ec2 withdraw-byoip-cidr --cidr address-range --region us-east-1

To deprovision the address range, use the following deprovision-byoip-cidr command.

aws ec2 deprovision-byoip-cidr --cidr address-range --region us-east-1

It can take up to a day to deprovision an address range.
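An added example script, not from the AWS or INTERLIR documentation, that serves two passages: the "Monitor progress" step of provisioning above, and the release, withdraw, deprovision order that this section requires. It polls describe-byoip-cidrs with a server-side --query filter rather than parsing JSON in the shell, treats any failed-* state as a hard error, and gives up after a bounded number of polls. Assumptions: the AWS CLI is configured for the owning account; Address objects returned by describe-addresses carry the PublicIpv4Pool field used to find allocations from the pool; a withdrawn range reports the state provisioned and a deprovisioned one deprovisioned; BYOIP_STATE_FN is a hook so the polling loop can be exercised without an AWS account.

```shell
#!/bin/sh
# Added example; not from the AWS or INTERLIR documentation.
# Polls describe-byoip-cidrs until a range leaves its pending state, and
# tears down an IPv4 range in the order the page requires: release the
# Elastic IPs allocated from its pool, withdraw, then deprovision.
# Assumptions (hypothetical): the AWS CLI is configured for the owning
# account; after withdraw-byoip-cidr the range reports "provisioned" and
# after deprovision-byoip-cidr "deprovisioned"; BYOIP_STATE_FN is a hook
# so the polling loop can be exercised without an AWS account.
# Run with: sh -e this-script.sh (set -e stops on the first failed call).

# State of one BYOIP CIDR in a Region. The --query filter runs in the
# CLI, so the shell never parses JSON; "None" means the CIDR is unknown.
byoip_state() {
  aws ec2 describe-byoip-cidrs --max-results 100 --region "$2" \
      --query "ByoipCidrs[?Cidr=='$1'].State | [0]" --output text
}
BYOIP_STATE_FN=${BYOIP_STATE_FN:-byoip_state}

# Map a reported state against the one we are waiting for:
# ok (reached it), fail (failed-* or unknown CIDR), wait (anything else).
byoip_classify_state() {
  s=$1; want=$2
  case $s in
    "$want")          echo ok ;;
    failed-*|None|'') echo fail ;;
    *)                echo wait ;;
  esac
}

# Poll every $4 seconds (default 60) for at most $5 polls (default 10080,
# about a week, the upper bound the page gives for public ranges).
# Prints the final state; returns 0 on success, 1 on failure, 2 on timeout.
byoip_wait() {
  cidr=$1; region=$2; want=$3; interval=${4:-60}; max_polls=${5:-10080}
  n=0
  while [ "$n" -lt "$max_polls" ]; do
    st=$("$BYOIP_STATE_FN" "$cidr" "$region")
    case $(byoip_classify_state "$st" "$want") in
      ok)   echo "$st"; return 0 ;;
      fail) echo "$st"; return 1 ;;
    esac
    n=$((n + 1))
    sleep "$interval"
  done
  echo timeout
  return 2
}

# Deprovision an IPv4 range: $1 CIDR, $2 public IPv4 pool ID
# (from describe-public-ipv4-pools), $3 Region. release-address refuses an
# address that is still associated with a resource; that is the intended
# stop, so disassociate it first rather than forcing anything.
byoip_teardown_ipv4() {
  cidr=$1; pool=$2; region=$3
  for alloc in $(aws ec2 describe-addresses --region "$region" \
      --query "Addresses[?PublicIpv4Pool=='$pool'].AllocationId" --output text); do
    aws ec2 release-address --allocation-id "$alloc" --region "$region"
  done
  aws ec2 withdraw-byoip-cidr --cidr "$cidr" --region "$region"
  byoip_wait "$cidr" "$region" provisioned 10 60          # assumed post-withdraw state
  aws ec2 deprovision-byoip-cidr --cidr "$cidr" --region "$region"
  byoip_wait "$cidr" "$region" deprovisioned 300 300      # up to about a day
}

# Stand-alone use: wait for a freshly provisioned range, e.g.
#   BYOIP_CIDR=198.51.100.0/24 AWS_REGION=us-east-1 sh -e this-script.sh
if [ -n "${BYOIP_CIDR:-}" ]; then
  byoip_wait "$BYOIP_CIDR" "${AWS_REGION:-us-east-1}" "${BYOIP_WANT:-provisioned}"
fi
```

The classifier deliberately treats an unknown state as "keep waiting" and only failed-* or a missing CIDR as an error, so a new intermediate state introduced by AWS does not abort a long-running wait; the poll cap is what bounds it.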

Work with your address range

You can view and use the IPv4 and IPv6 address ranges that you’ve provisioned in your account.

IPv4 address ranges

You can create an Elastic IP address from your IPv4 address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers.

To view information about the IPv4 address pools that you’ve provisioned in your account, use the following describe-public-ipv4-pools command.

aws ec2 describe-public-ipv4-pools --region us-east-1

To create an Elastic IP address from your IPv4 address pool, use the allocate-address command. You can use the --public-ipv4-pool option to specify the ID of the address pool returned by describe-public-ipv4-pools. Or you can use the --address option to specify an address from the address range that you provisioned.