Bring your own IP addresses (BYOIP) in Amazon EC2 with Germany marketplace Interlir
bgunderlay bgunderlay bgunderlay

Bring your own IP addresses (BYOIP) in Amazon EC2

You can use IP rented at INTERLIR Marketplace as Amazon EC2 BYOIP. You can bring part or all of your publicly routable IPv4 or IPv6 address range from your on-premises network to your AWS account. You continue to control the address range, but by default, AWS advertises it on the internet. After you bring the address range to AWS, it appears in your AWS account as an address pool.

BYOIP is not available in all Regions and for all resources. For a list of supported Regions and resources, see the FAQ for Bring Your Own IP.


BYOIP definitions

  • X.509 Self-sign certificate — A certificate standard most commonly used to encrypt and authenticate data within a network. It is a certificate used by AWS to validate control over IP space from an RDAP record. For more information about X.509 certificates, see RFC 3280.
  • Registry Data Access Protocol (RDAP) — A querying resource for registration data. It is updated by customers and used by AWS to verify control of an address space in the Regional Internet Registries (RIR).
  • Route Origin Authorization (ROA) — An object created by RIRs for customers to authenticate IP advertisement in particular autonomous systems. For an overview, see Route Origin Authorizations (ROAs) on the ARIN website.
  • Local Internet Registry (LIR) — Organizations such as internet service providers that allocate a block of IP addresses from a RIR for their customers.

Requirements and quotas

  • The address range must be registered with your regional internet registry (RIR), such as the American Registry for Internet Numbers (ARIN), Réseaux IP Européens Network Coordination Centre (RIPE), or Asia-Pacific Network Information Centre (APNIC). It must be registered to a business or institutional entity and cannot be registered to an individual person.
  • The most specific IPv4 address range that you can bring is /24.
  • The most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertised, and /56 for CIDRs that are not publicly advertised.
  • ROAs are not required for CIDR ranges that are not publicly advertised, but the RDAP records still need to be updated. 
  • You can bring each address range to one Region at a time.
  • You can bring a total of five IPv4 and IPv6 address ranges per Region to your AWS account.
  • You cannot share your IP address range with other accounts using AWS RAM unless you use Amazon VPC IP Address Manager (IPAM) and integrate IPAM with AWS Organizations. For more information, see Integrate IPAM with AWS Organizations in the Amazon VPC IPAM User Guide.
  • The addresses in the IP address range must have a clean history. We might investigate the reputation of the IP address range and reserve the right to reject an IP address range if it contains an IP address that has a poor reputation or is associated with malicious behavior.
  • AWS doesn’t support legacy allocations.
  • For LIRs, it is common that they use a manual process to update their records. This can take days to deploy depending on the LIR.
  • A single ROA object and RDAP record are needed for a large CIDR block. You can bring multiple smaller CIDR blocks from that range to AWS, even across multiple Regions, using the single object and record.

Onboarding prerequisites for your BYOIP address range

The onboarding process for BYOIP has two phases, for which you must perform three steps. These steps correspond to the steps depicted in the following diagram.

Preparation phase

1. Create an RSA key pair, and use it to generate a self-signed X.509 certificate for authentication purposes.

RIR configuration phase

2. Upload the self-signed certificate to your RDAP record comments.

3. Create an ROA object in your RIR. The ROA defines the desired address range, the Autonomous System Numbers (ASNs) allowed to advertise the address range, and an expiration date to register with the Resource Public Key Infrastructure (RPKI) of your RIR.Note

An ROA is not required for non-publicly advertised IPv6 address space.

To bring on multiple non-contiguous address ranges, you must repeat this process with each address range. However, the preparation and RIR configuration steps don’t need to be repeated if splitting a contiguous block across several different Regions.

Bringing on an address range has no effect on any address ranges that you brought on previously.

Before onboarding your address range, complete the following prerequisites. For some tasks, you run Linux commands. On Windows, you can use the Windows Subsystem for Linux to run the Linux commands.

1. Create a key pair for AWS authentication

Use the following procedure to create a self-signed X.509 certificate and add it to the RDAP record for your RIR. This key pair is used to authenticate the address range with the RIR. The openssl commands require OpenSSL version 1.0.2 or later.

Copy the following commands and replace only the placeholder values (in colored italic text). 

To create a self-signed X.509 certificate and add it to the RDAP record

This procedure follows the best practice of encrypting your private RSA key and requiring a passphrase to access it.

2. Upload the RDAP record to your RIR

Add the certificate that you previously created to the RDAP record for your RIR. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings before and after the encoded portion. All of this content must be on a single, long line. The procedure for updating RDAP depends on your RIR:

  • For ARIN, add the certificate in the “Public Comments” section for your address range. Do not add it to the comments section for your organization.
  • For RIPE, add the certificate as a new “descr” field for your address range. Do not add it to the comments section for your organization.
  • For APNIC, email the public key to to manually add it to the “remarks” field for your address range. Send the email using the APNIC authorized contact for the IP addresses.

3. Create an ROA object in your RIR

Create an ROA object to authorize the Amazon ASNs 16509 and 14618 to advertise your address range, as well as the ASNs that are currently authorized to advertise the address range. For the AWS GovCloud (US) Region, authorize ASN 8987. You must set the maximum length to the size of the smallest prefix that you want to bring (for example, /24). It might take up to 24 hours for the ROA to become available to Amazon. For more information, consult your RIR:

When you migrate advertisements from an on-premises workload to AWS, you must create an ROA for your existing ASN before creating the ROAs for Amazon’s ASNs. Otherwise, you might see an impact to your existing routing and advertisements.Note

This step is not required for non-publicly advertised IPv6 address space.

Onboard your BYOIP

The onboarding process for BYOIP has the following tasks depending on your needs: 


Provision a publicly advertised address range in AWS

When you provision an address range for use with AWS, you are confirming that you control the address range and are authorizing Amazon to advertise it. We also verify that you control the address range through a signed authorization message. This message is signed with the self-signed X.509 key pair that you used when updating the RDAP record with the X.509 certificate. AWS requires a cryptographically signed authorization message that it presents to the RIR. The RIR authenticates the signature against the certificate that you added to RDAP, and checks the authorization details against the ROA.

To provision the address range

  1. Compose messageCompose the plaintext authorization message. The format of the message is as follows, where the date is the expiry date of the message: 1|aws|account|cidr|YYYYMMDD|SHA256|RSAPSSReplace the account number, address range, and expiry date with your own values to create a message resembling the following:text_message="1|aws|0123456789AB||20211231|SHA256|RSAPSS"This is not to be confused with an ROA message, which has a similar appearance.
  2. Sign messageSign the plaintext message using the private key that you created previously. The signature returned by this command is a long string that you need to use in the next step.ImportantWe recommend that you copy and paste this command. Except for the message content, do not modify or replace any of the values.signed_message=$( echo -n $text_message | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
  3. Provision addressUse the AWS CLI provision-byoip-cidr command to provision the address range. The --cidr-authorization-context option uses the message and signature strings that you created previously.ImportantYou must specify the AWS Region where the BYOIP range should be provisioned if it differs from your AWS CLI configuration Default region ec2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region us-east-1Provisioning an address range is an asynchronous operation, so the call returns immediately, but the address range is not ready to use until its status changes from pending-provision to provisioned.
  4. Monitor progressIt can take up to one week to complete the provisioning process for publicly advertisable ranges. Use the describe-byoip-cidrs command to monitor progress, as in this example:aws ec2 describe-byoip-cidrs --max-results 5 --region us-east-1If there are issues during provisioning and the status goes to failed-provision, you must run the provision-byoip-cidr command again after the issues have been resolved.

Provision an IPv6 address range that’s not publicly advertised

By default, an address range is provisioned to be publicly advertised to the internet. You can provision an IPv6 address range that will not be publicly advertised. For routes that are not publicly advertisable, the provisioning process generally completes within minutes. When you associate an IPv6 CIDR block from a non-public address range with a VPC, the IPv6 CIDR can only be accessed through hybrid connectivity options that support IPv6, such as AWS Direct ConnectAWS Site-to-Site VPN, or Amazon VPC Transit Gateways.

An ROA is not required to provision a non-public address range.Important

You can only specify whether an address range is publicly advertised during provisioning. You cannot change the advertisable status later on.

To provision an IPv6 address range that will not be publicly advertised, use the following provision-byoip-cidr command.

aws ec2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message" --no-publicly-advertisable --region us-east-1

Advertise the address range through AWS

After the address range is provisioned, it is ready to be advertised. You must advertise the exact address range that you provisioned. You can’t advertise only a portion of the provisioned address range.

If you provisioned an IPv6 address range that will not be publicly advertised, you do not need to complete this step.

We recommend that you stop advertising the address range from other locations before you advertise it through AWS. If you keep advertising your IP address range from other locations, we can’t reliably support it or troubleshoot issues. Specifically, we can’t guarantee that traffic to the address range will enter our network.

To minimize down time, you can configure your AWS resources to use an address from your address pool before it is advertised, and then simultaneously stop advertising it from the current location and start advertising it through AWS. For more information about allocating an Elastic IP address from your address pool, see Allocate an Elastic IP address.


  • You can run the advertise-byoip-cidr command at most once every 10 seconds, even if you specify different address ranges each time.
  • You can run the withdraw-byoip-cidr command at most once every 10 seconds, even if you specify different address ranges each time.

To advertise the address range, use the following advertise-byoip-cidr command.

aws ec2 advertise-byoip-cidr --cidr address-range --region us-east-1

To stop advertising the address range, use the following withdraw-byoip-cidr command.

aws ec2 withdraw-byoip-cidr --cidr address-range --region us-east-1

Deprovision the address range

To stop using your address range with AWS, first release any Elastic IP addresses and disassociate any IPv6 CIDR blocks that are still allocated from the address pool. Then stop advertising the address range, and finally, deprovision the address range.

You cannot deprovision a portion of the address range. If you want to use a more specific address range with AWS, deprovision the entire address range and provision a more specific address range.

(IPv4) To release each Elastic IP address, use the following release-address command.

aws ec2 release-address --allocation-id eipalloc-12345678abcabcabc --region us-east-1

(IPv6) To disassociate an IPv6 CIDR block, use the following disassociate-vpc-cidr-blockcommand.

aws ec2 disassociate-vpc-cidr-block --association-id vpc-cidr-assoc-12345abcd1234abc1 --region us-east-1

To stop advertising the address range, use the following withdraw-byoip-cidr command.

aws ec2 withdraw-byoip-cidr --cidr address-range --region us-east-1

To deprovision the address range, use the following deprovision-byoip-cidr command.

aws ec2 deprovision-byoip-cidr --cidr address-range --region us-east-1

It can take up to a day to deprovision an address range.

Work with your address range

You can view and use the IPv4 and IPv6 address ranges that you’ve provisioned in your account.

IPv4 address ranges

You can create an Elastic IP address from your IPv4 address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers.

To view information about the IPv4 address pools that you’ve provisioned in your account, use the following describe-public-ipv4-pools command.

aws ec2 describe-public-ipv4-pools --region us-east-1

To create an Elastic IP address from your IPv4 address pool, use the allocate-address command. You can use the --public-ipv4-pool option to specify the ID of the address pool returned by describe-byoip-cidrs. Or you can use the --address option to specify an address from the address range that you provisioned.