` Bring Your Own IP Addresses (BYOIP) to Amazon EC2: InterLIR Marketplace
bgunderlay bgunderlay bgunderlay

Bring your own IP addresses (BYOIP) in Amazon EC2

At INTERLIR Marketplace, you have the option to rent IP addresses that can be utilized as Amazon EC2 BYOIP (Bring Your Own IP) addresses. This allows you to bring a portion or all of your publicly routable IPv4 or IPv6 address range from your on-premises network to your AWS (Amazon Web Services) account. While you retain control over the address range, AWS will advertise it on the internet by default. Once you integrate the address range with AWS, it will be available in your AWS account as an address pool.

Not all Regions and resources support BYOIP (Bring Your Own IP). To find the list of supported Regions and resources, please refer to the BYOIP FAQ.

Contents

Definitions for BYOIP (Bring Your Own IP)

Requirements and limitations for BYOIP

Address Range Registration:

Specific IPv4 and IPv6 Address Ranges:

ROAs and RDAP Records:

Limitations and Integration:

IP Address History and Support:

Update Process for LIRs:

Single ROA and RDAP Record for Large CIDR Blocks:

Prerequisites for onboarding your BYOIP address range

The onboarding process for BYOIP consists of two phases, each requiring three specific steps, as illustrated in the diagram below.

Preparation Phase:

1. Generate an RSA key pair and utilize it to create a self-signed X.509 certificate for authentication purposes

RIR Configuration Phase

2. Upload the self-signed certificate to your RDAP record comments.

3. Create an ROA object in your RIR, specifying the desired address range, allowed Autonomous System Numbers (ASNs) for advertising the range, and an expiration date for registration with the Resource Public Key Infrastructure (RPKI) of your RIR.

Note: An ROA is not necessary for non-publicly advertised IPv6 address space.

To bring on multiple non-contiguous address ranges, you need to repeat this process for each range. However, if splitting a contiguous block across different Regions, the preparation and RIR configuration steps do not need to be repeated.

The onboarding of an address range does not affect any previously brought-on address ranges.

Before proceeding with the address range onboarding, ensure you complete the necessary prerequisites. Some tasks involve running Linux commands, and on Windows, you can utilize the Windows Subsystem for Linux to execute these commands.

1. Create a key pair for AWS authentication

Use the following procedure to create a self-signed X.509 certificate and add it to the RDAP record for your RIR. This key pair is used to authenticate the address range with the RIR. The openssl commands require OpenSSL version 1.0.2 or later.

Copy the following commands and replace only the placeholder values (in colored italic text).

To create a self-signed X.509 certificate and add it to the RDAP record

This procedure follows the best practice of encrypting your private RSA key and requiring a passphrase to access it.

2. Upload the RDAP record to your RIR

Add the certificate that you previously created to the RDAP record for your RIR. Be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings before and after the encoded portion. All of this content must be on a single, long line. The procedure for updating RDAP depends on your RIR:

3. Create an ROA object in your RIR

Create an ROA object to authorize the Amazon ASNs 16509 and 14618 to advertise your address range, as well as the ASNs that are currently authorized to advertise the address range. For the AWS GovCloud (US) Region, authorize ASN 8987. You must set the maximum length to the size of the smallest prefix that you want to bring (for example, /24). It might take up to 24 hours for the ROA to become available to Amazon. For more information, consult your RIR:

Before migrating advertisements from an on-premises workload to AWS, it is crucial to create a Route Origin Authorization (ROA) for your existing Autonomous System Number (ASN) first. Only after creating the ROA for your existing ASN should you proceed to create the ROAs for Amazon’s ASNs. Failing to follow this sequence might result in potential impacts to your existing routing and advertisements.

Note: This step is not required for non-publicly advertised IPv6 address space.

Steps to onboard your BYOIP

The onboarding process for BYOIP has the following tasks depending on your needs: 

Topics

Provision a publicly advertised address range in AWS

When you provision an address range for use with AWS, you are declaring that you have control over the address range and granting Amazon the authorization to advertise it. To verify your ownership of the address range, we require a signed authorization message. This message is signed using the self-signed X.509 key pair that you used to update the RDAP record with the X.509 certificate. AWS mandates a cryptographically signed authorization message, which is then presented to the Regional Internet Registry (RIR). The RIR authenticates the signature against the certificate you added to RDAP and cross-checks the authorization details against the Route Origin Authorization (ROA). This verification process ensures the legitimate ownership and proper handling of the address range.

provision of the address range

  1. Compose message. Compose the plaintext authorization message. The format of the message is as follows, where the date is the expiry date of the message: 1|aws|account|cidr|YYYYMMDD|SHA256|RSAPSSReplace the account number, address range, and expiry date with your own values to create a message resembling the following: text_message="1|aws|0123456789AB|198.51.100.0/24|20211231|SHA256|RSAPSS". This is not to be confused with an ROA message, which has a similar appearance.

  2. Sign message.Sign the plaintext message using the private key that you created previously. The signature returned by this command is a long string that you need to use in the next step.

    Important: We recommend that you copy and paste this command. Except for the message content, do not modify or replace any of the values.signed_message=$( echo -n $text_message | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n").

  3. Provision address. Use the AWS CLI provision-byoip-cidr command to provision the address range. The --cidr-authorization-context option uses the message and signature strings that you created previously.

    Important: You must specify the AWS Region where the BYOIP range should be provisioned if it differs from your AWS CLI configuration Default region name.aws ec2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region us-east-1

    Provisioning an address range is an asynchronous operation, so the call returns immediately, but the address range is not ready to use until its status changes from pending-provision to provisioned.

  4. Monitor progress. It can take up to one week to complete the provisioning process for publicly advertisable ranges. Use the describe-byoip-cidrs command to monitor progress, as in this example:aws ec2 describe-byoip-cidrs --max-results 5 --region us-east-1

    If there are issues during provisioning and the status goes to failed-provision, you must run the provision-byoip-cidr command again after the issues have been resolved.

Provision an IPv6 address range that’s not publicly advertised

By default, when you provision an address range, it is set to be publicly advertised on the internet. However, for IPv6 address ranges, you have the option to provision them as non-public, meaning they won’t be advertised to the internet. The provisioning process for non-publicly advertisable routes typically completes within a few minutes. When you associate a non-public IPv6 CIDR block with a Virtual Private Cloud (VPC), access to the IPv6 CIDR is only possible through hybrid connectivity options that support IPv6, such as AWS Direct ConnectAWS Site-to-Site VPN, or Amazon VPC Transit Gateways.

For non-public address ranges, there is no requirement to create a Route Origin Authorization (ROA) during the provisioning process.

Important:

You can only specify whether an address range is publicly advertised during provisioning. You cannot change the advertisable status later on.

To provision an IPv6 address range that will not be publicly advertised, use the following provision-byoip-cidr command.

aws ec2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message" --no-publicly-advertisable --region us-east-1


Advertise the address range through AWS

Once the address range is provisioned, it is ready to be advertised. It’s important to note that you must advertise the exact address range that was provisioned and cannot advertise only a portion of it.

If you have provisioned an IPv6 address range that will not be publicly advertised, you can skip this step.

Before advertising the address range through AWS, we recommend stopping its advertisement from other locations. Continuing to advertise the same IP address range from other locations may lead to unreliable support and troubleshooting. To ensure a smooth transition, you can configure your AWS resources to use an address from your address pool before it is advertised, and then simultaneously stop advertising it from the current location and start advertising it through AWS. For detailed guidance on allocating an Elastic IP address from your address pool, refer to the instructions for “Allocate an Elastic IP address.

Limitations

To advertise the address range, use the following advertise-byoip-cidr command.

aws ec2 advertise-byoip-cidr --cidr address-range --region us-east-1

To stop advertising the address range, use the following withdraw-byoip-cidr command.

aws ec2 withdraw-byoip-cidr --cidr address-range --region us-east-1

Deprovision the address range

To stop using your address range with AWS, first release any Elastic IP addresses and disassociate any IPv6 CIDR blocks that are still allocated from the address pool. Then stop advertising the address range, and finally, deprovision the address range.

You cannot deprovision a portion of the address range. If you want to use a more specific address range with AWS, deprovision the entire address range and provision a more specific address range.

(IPv4) To release each Elastic IP address, use the following release-address command.

aws ec2 release-address --allocation-id eipalloc-12345678abcabcabc --region us-east-1

(IPv6) To disassociate an IPv6 CIDR block, use the following disassociate-vpc-cidr-block command.

aws ec2 disassociate-vpc-cidr-block --association-id vpc-cidr-assoc-12345abcd1234abc1 --region us-east-1

To stop advertising the address range, use the following withdraw-byoip-cidr command.

aws ec2 withdraw-byoip-cidr --cidr address-range --region us-east-1

To deprovision the address range, use the following deprovision-byoip-cidr command.

aws ec2 deprovision-byoip-cidr --cidr address-range --region us-east-1

It can take up to a day to deprovision an address range.

Work with your address range

You can view and use the IPv4 and IPv6 address ranges that you’ve provisioned in your account.

IPv4 address ranges

You can create an Elastic IP address from your IPv4 address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers.

To view information about the IPv4 address pools that you’ve provisioned in your account, use the following describe-public-ipv4-pools command.

aws ec2 describe-public-ipv4-pools --region us-east-1

To create an Elastic IP address from your IPv4 address pool, use the allocate-address command. You can use the --public-ipv4-pool option to specify the ID of the address pool returned by describe-byoip-cidrs. Or you can use the --address option to specify an address from the address range that you provisioned.

Evgeny Sevastyanov

Client Support Teamleader

    Ready to get started?




    Articles
    Renting/leasing/purchasing
    Renting/leasing/purchasing

    Having a clear understanding of the different types and purposes of IP addresses

    More
    How to do IP address abuse management in 2024
    How to do IP address abuse management in 2024

    the rights to manage blocks of IP addresses are constantly faced with a dilemma.

    More
    European IPv4 addresses marketplace
    European IPv4 addresses marketplace

    In 2011, RIPE announced the depletion of IPv4 addresses. IPv4 addresses continue

    More
    Digital future and IPv4 address
    Digital future and IPv4 address

    addresses are trite. The allocation from the Primary IPv4 Registry, begun by John

    More
    What is an IPv4 address?
    What is an IPv4 address?

    unique identifier that points to each device on the internet and allows them to communicate

    More
    The great IP space redistribution
    The great IP space redistribution

    One of the possible ways to support the development of the IT sector is the effective

    More
    How to Monetize IP Network
    How to Monetize IP Network

    Even if you don’t plan to sell your IPv4 network, there are still ways to make

    More
    INTERLIR: IPv4 Address Broker and Networks Marketplace
    INTERLIR: IPv4 Address Broker and Networks Marketplace

    InterLIR GmbH is a marketplace solution that aims to solve network availability problems

    More
    Managing IPv4 Scarcity Through IP Lease
    Managing IPv4 Scarcity Through IP Lease

    l IPv4, where is possible only 4,3 billion combination of the numbers.

    More
    Sell IPv4 Addresses
    Sell IPv4 Addresses

    The increasing demand for IP blocks has driven up prices and transformed overused

    More