At INTERLIR Marketplace, you have the option to rent IP addresses that can be utilized as Amazon EC2 BYOIP (Bring Your Own IP) addresses. This allows you to bring a portion or all of your publicly routable IPv4 or IPv6 address range from your on-premises network to your AWS (Amazon Web Services) account. While you retain control over the address range, AWS will advertise it on the internet by default. Once you integrate the address range with AWS, it will be available in your AWS account as an address pool.
Not all Regions and resources support BYOIP (Bring Your Own IP). To find the list of supported Regions and resources, please refer to the BYOIP FAQ.
Contents
Address Range Registration
Specific IPv4 and IPv6 Address Ranges
ROAs and RDAP Records
Limitations and Integration
IP Address History and Support
Update Process for LIRs
Single ROA and RDAP Record for Large CIDR Blocks
The onboarding process for BYOIP consists of two phases, which together require three steps, as illustrated in the diagram below.
Preparation Phase
1. Create a key pair and use it to generate a self-signed X.509 certificate.
RIR Configuration Phase
2. Upload the self-signed certificate to your RDAP record comments.
3. Create an ROA object in your RIR, specifying the desired address range, allowed Autonomous System Numbers (ASNs) for advertising the range, and an expiration date for registration with the Resource Public Key Infrastructure (RPKI) of your RIR.
Note: An ROA is not necessary for non-publicly advertised IPv6 address space.
To bring on multiple non-contiguous address ranges, you need to repeat this process for each range. However, if splitting a contiguous block across different Regions, the preparation and RIR configuration steps do not need to be repeated.
The onboarding of an address range does not affect any previously brought-on address ranges.
Before proceeding with the address range onboarding, ensure you complete the necessary prerequisites. Some tasks involve running Linux commands, and on Windows, you can utilize the Windows Subsystem for Linux to execute these commands.
Use the following procedure to create a self-signed X.509 certificate and add it to the RDAP record for your RIR. This key pair is what the RIR later uses to authenticate your authorization for the address range, so protect the private key accordingly. The openssl commands require OpenSSL version 1.0.2 or later.
When running the commands, replace only the placeholder values (file names, subject fields and validity period) and leave everything else as shown.
To create a self-signed X.509 certificate and add it to the RDAP record
This procedure follows the best practice of encrypting your private RSA key and requiring a passphrase to access it.
Add the certificate that you previously created to the RDAP record for your RIR. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings before and after the encoded portion, and keep all of this content on a single, long line. The procedure for updating RDAP depends on your RIR.
Create an ROA object to authorize the Amazon ASNs 16509 and 14618 to advertise your address range, in addition to the ASNs that are currently authorized to advertise it. For the AWS GovCloud (US) Region, authorize ASN 8987. You must set the maximum length to the size of the smallest prefix that you want to bring (for example, /24); a maximum length shorter than a prefix you later advertise makes that announcement RPKI-invalid even though the ASN is authorized. It might take up to 24 hours for the ROA to become available to Amazon. For more information, consult your RIR.
Before migrating advertisements from an on-premises workload to AWS, create the Route Origin Authorization (ROA) for your existing Autonomous System Number (ASN) first. Only after that ROA exists should you create the ROAs for Amazon's ASNs. Failing to follow this sequence can disrupt your existing routing and advertisements.
Note: This step is not required for non-publicly advertised IPv6 address space.
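To see what the ROA requirements above mean for route origin validation, here is an added example (not code from the page or from AWS) that applies the RFC 6811 validation rule to a constructed ROA table: an announcement is valid only if some ROA covers the prefix, names the origin ASN, and has a maxLength no shorter than the announced prefix. It assumes 198.51.100.0/22 as the sample range and AS64496 (a documentation ASN) as the stand-in for the existing on-premises ASN; 16509 and 14618 are the Amazon ASNs named above.

```bash
#!/bin/sh
# Added example, not from the page or AWS: RFC 6811-style route origin validation
# against a constructed ROA table, to show why the ROAs must name the existing ASN
# and the Amazon ASNs, and why maxLength must equal the smallest prefix you bring.

# Constructed ROA table for the sample range: "prefix maxLength originASN" per line.
# AS64496 stands in for the on-premises ASN (assumption); 16509/14618 are Amazon's.
ROA_TABLE='198.51.100.0/22 24 64496
198.51.100.0/22 24 16509
198.51.100.0/22 24 14618'

# Dotted-quad IPv4 address -> 32-bit integer.
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network part of an IPv4 address truncated to the given prefix length.
masked() {
  local ip mask
  ip=$(ip4_to_int "$1")
  if [ "$2" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - $2)) & 4294967295 )); fi
  echo $(( ip & mask ))
}

# rpki_state ANNOUNCED_PREFIX ORIGIN_ASN -> valid | invalid | not-found
#   valid:     a covering ROA names this ASN and its maxLength >= announced length
#   invalid:   ROAs cover the prefix but none of them matches
#   not-found: no ROA covers the announced prefix at all
rpki_state() {
  local ann_ip ann_len asn state roa_prefix roa_maxlen roa_asn roa_len
  ann_ip=${1%/*}; ann_len=${1#*/}; asn=$2; state=not-found
  while read -r roa_prefix roa_maxlen roa_asn; do
    [ -n "$roa_prefix" ] || continue
    roa_len=${roa_prefix#*/}
    # A ROA covers the announcement when the announced prefix is no shorter than
    # the ROA prefix and shares its first roa_len bits.
    [ "$ann_len" -ge "$roa_len" ] || continue
    [ "$(masked "$ann_ip" "$roa_len")" -eq "$(masked "${roa_prefix%/*}" "$roa_len")" ] || continue
    if [ "$asn" -eq "$roa_asn" ] && [ "$ann_len" -le "$roa_maxlen" ]; then
      state=valid
      break
    fi
    state=invalid
  done <<EOF
$ROA_TABLE
EOF
  echo "$state"
}

# Demonstration over a few constructed announcements.
for p in 198.51.100.0/24 198.51.100.0/25 198.51.100.0/22 203.0.113.0/24; do
  echo "$p from AS16509: $(rpki_state "$p" 16509)"
done
echo "198.51.100.0/24 from AS64500: $(rpki_state 198.51.100.0/24 64500)"
```

The /25 case is the one the maxLength rule guards against: a ROA whose maxLength is 22 for a /22 that you intend to bring as /24s makes every /24 announcement invalid even though the ASN is authorized. Real validators consult the ROAs published under each RIR's trust anchor rather than a local table, but the rule they apply is the same.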
The remaining onboarding tasks depend on your needs: provisioning the address range, advertising it, and eventually deprovisioning it.
When you provision an address range for use with AWS, you are declaring that you control the address range and authorizing Amazon to advertise it. To verify that control, AWS requires a signed authorization message. The message is signed with the self-signed X.509 key pair whose certificate you placed in the RDAP record, and AWS presents it to the Regional Internet Registry (RIR). The RIR authenticates the signature against the certificate in RDAP and cross-checks the authorization details against the Route Origin Authorization (ROA). This is what ties the provisioning request to the holder of the address range.
To provision the address range
1. Compose the plaintext authorization message. Its format is as follows, where the date is the expiry date of the message:
1|aws|account|cidr|YYYYMMDD|SHA256|RSAPSS
Replace the account number, address range, and expiry date with your own values to create a message resembling the following:
text_message="1|aws|0123456789AB|198.51.100.0/24|20211231|SHA256|RSAPSS"
This is not to be confused with an ROA message, which has a similar appearance.
2. Sign the plaintext message with the private key that you created previously. The command signs with RSA-PSS over SHA-256, base64-encodes the signature, replaces the characters +, = and / with -, _ and ~, and removes line breaks. The resulting long string is used in the next step.
signed_message=$( echo -n "$text_message" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
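The key-pair and certificate creation described earlier and the message signing just shown, as one added example (this is not the page's or AWS's own script): it generates the encrypted key and self-signed certificate, flattens the certificate into the single line the RDAP comment needs, builds and signs the authorization message in the form provision-byoip-cidr expects, and then verifies the signature locally against the certificate's public key, which is the same check the RIR performs with the certificate from your RDAP record. Assumed and constructed: the passphrase is read from KEY_PASS instead of being prompted for, the subject /CN=byoip-authorization, and the sample account ID, CIDR and expiry date used in the usage line.

```bash
#!/bin/sh
# Added example, not the page's or AWS's own commands: encrypted RSA key, self-signed
# X.509 certificate, single-line RDAP form of the certificate, then the BYOIP
# authorization message signed and verified locally before it goes to AWS.
# Assumptions: KEY_PASS supplies the passphrase so this runs non-interactively
# (openssl normally prompts); subject and sample values below are constructed.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}
PRIVATE_KEY=$WORKDIR/private-key.pem
CERT_FILE=$WORKDIR/certificate.pem        # multi-line PEM, kept for local use
RDAP_LINE=$WORKDIR/certificate-rdap.txt   # the single line to paste into the RDAP record
PUB_KEY=$WORKDIR/public-key.pem
KEY_PASS=${KEY_PASS:-correct-horse-battery-staple}

# Step 1: AES-256-encrypted 2048-bit RSA key and a one-year self-signed certificate.
make_key_and_cert() {
  openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -pass "pass:$KEY_PASS" -out "$PRIVATE_KEY" 2>/dev/null
  chmod 600 "$PRIVATE_KEY"
  openssl req -new -x509 -key "$PRIVATE_KEY" -passin "pass:$KEY_PASS" \
    -days 365 -subj "/CN=byoip-authorization" -out "$CERT_FILE" 2>/dev/null
  # The RDAP comment must hold the whole certificate, markers included, on one line.
  tr -d '\n' < "$CERT_FILE" > "$RDAP_LINE"
  openssl x509 -in "$CERT_FILE" -pubkey -noout > "$PUB_KEY"
}

# Checks worth running before touching the RIR.
key_is_encrypted() { grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$PRIVATE_KEY"; }
rdap_line_ok() {
  [ "$(wc -l < "$RDAP_LINE")" -eq 0 ] &&
  grep -q -- '^-----BEGIN CERTIFICATE-----' "$RDAP_LINE" &&
  grep -q -- '-----END CERTIFICATE-----$' "$RDAP_LINE"
}

# Step 2: plaintext message, 1|aws|account|cidr|YYYYMMDD|SHA256|RSAPSS
build_message() { printf '1|aws|%s|%s|%s|SHA256|RSAPSS' "$1" "$2" "$3"; }

# Step 3: RSA-PSS/SHA-256 signature, base64 with + = / swapped for - _ ~ and no
# newlines, which is the form --cidr-authorization-context expects.
sign_message() {
  printf '%s' "$1" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -sign "$PRIVATE_KEY" -passin "pass:$KEY_PASS" -keyform PEM \
    | openssl base64 | tr -- '+=/' '-_~' | tr -d '\n'
}

# Local check: undo the character substitution and verify with the certificate's
# public key, as the RIR does with the certificate in your RDAP record.
verify_message() {
  sig=$(mktemp)
  printf '%s' "$2" | tr -- '-_~' '+=/' | openssl base64 -d -A > "$sig"
  if printf '%s' "$1" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
       -verify "$PUB_KEY" -signature "$sig" > /dev/null 2>&1; then
    rm -f "$sig"; return 0
  fi
  rm -f "$sig"; return 1
}

# Usage: KEY_PASS=... sh byoip-auth.sh 123456789012 198.51.100.0/24 20301231
if [ "$#" -eq 3 ]; then
  make_key_and_cert
  key_is_encrypted && rdap_line_ok
  msg=$(build_message "$1" "$2" "$3")
  sig=$(sign_message "$msg")
  verify_message "$msg" "$sig" && echo "signature verifies locally"
  echo "text_message=\"$msg\""
  echo "signed_message=\"$sig\""
  echo "RDAP line: $RDAP_LINE"
fi
```

A signature that fails the local check will also fail at the RIR, so catching it here saves a provisioning round trip. Keep rsa_pss_saltlen:-1 (salt length equal to the digest length) identical on the signing and verifying side; the message itself must be reproduced byte for byte, which is why both commands use printf '%s' rather than echo.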
3. Provision the address range with the AWS CLI provision-byoip-cidr command. The --cidr-authorization-context option uses the message and signature strings that you created previously.
aws ec2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region us-east-1
Provisioning is asynchronous: the call returns immediately, but the address range is not ready to use until its status changes from pending-provision to provisioned.
4. Monitor progress with the describe-byoip-cidrs command, for example:
aws ec2 describe-byoip-cidrs --max-results 5 --region us-east-1
If there are issues during provisioning and the status changes to failed-provision, you must run the provision-byoip-cidr command again after the issues have been resolved.
By default, when you provision an address range, it is set to be publicly advertised on the internet. However, for IPv6 address ranges, you have the option to provision them as non-public, meaning they won’t be advertised to the internet. The provisioning process for non-publicly advertisable ranges typically completes within a few minutes. When you associate a non-public IPv6 CIDR block with a Virtual Private Cloud (VPC), access to the IPv6 CIDR is only possible through hybrid connectivity options that support IPv6, such as AWS Direct Connect, AWS Site-to-Site VPN, or Amazon VPC Transit Gateways.
For non-public address ranges, there is no requirement to create a Route Origin Authorization (ROA) during the provisioning process.
Important:
You can only specify whether an address range is publicly advertised during provisioning. You cannot change the advertisable status later on.
To provision an IPv6 address range that will not be publicly advertised, use the following provision-byoip-cidr command.
aws ec2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message" --no-publicly-advertisable --region us-east-1
Once the address range is provisioned, it is ready to be advertised. You must advertise the exact address range that was provisioned; you cannot advertise only a portion of it.
If you have provisioned an IPv6 address range that will not be publicly advertised, you can skip this step.
Before advertising the address range through AWS, stop advertising it from other locations. AWS cannot reliably support or troubleshoot a range that is still being advertised from elsewhere. To ensure a smooth transition, configure your AWS resources to use an address from your address pool before it is advertised, then stop advertising it from the current location and start advertising it through AWS at the same time. For detailed guidance on allocating an Elastic IP address from your address pool, refer to the instructions for “Allocate an Elastic IP address.”
To advertise the address range, use the following advertise-byoip-cidr command.
aws ec2 advertise-byoip-cidr --cidr address-range --region us-east-1
To stop advertising the address range, use the following withdraw-byoip-cidr command.
aws ec2 withdraw-byoip-cidr --cidr address-range --region us-east-1
To stop using your address range with AWS, first release any Elastic IP addresses and disassociate any IPv6 CIDR blocks that are still allocated from the address pool. Then stop advertising the address range, and finally, deprovision the address range.
You cannot deprovision a portion of the address range. If you want to use a more specific address range with AWS, deprovision the entire address range and provision a more specific address range.
(IPv4) To release each Elastic IP address, use the following release-address command.
aws ec2 release-address --allocation-id eipalloc-12345678abcabcabc --region us-east-1
(IPv6) To disassociate an IPv6 CIDR block, use the following disassociate-vpc-cidr-block command.
aws ec2 disassociate-vpc-cidr-block --association-id vpc-cidr-assoc-12345abcd1234abc1 --region us-east-1
To stop advertising the address range, use the following withdraw-byoip-cidr command.
aws ec2 withdraw-byoip-cidr --cidr address-range --region us-east-1
To deprovision the address range, use the following deprovision-byoip-cidr command.
aws ec2 deprovision-byoip-cidr --cidr address-range --region us-east-1
It can take up to a day to deprovision an address range.
You can view and use the IPv4 and IPv6 address ranges that you’ve provisioned in your account.
You can create an Elastic IP address from your IPv4 address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers.
To view information about the IPv4 address pools that you’ve provisioned in your account, use the following describe-public-ipv4-pools command.
aws ec2 describe-public-ipv4-pools --region us-east-1
To create an Elastic IP address from your IPv4 address pool, use the allocate-address command. You can use the --public-ipv4-pool option to specify the ID of the address pool (as listed by describe-public-ipv4-pools), or you can use the --address option to specify a particular address from the address range that you provisioned.
Evgeny Sevastyanov
Client Support Teamleader