Manual IP address assignment and management through spreadsheets can be cumbersome and inefficient for network planning. As businesses expand, IP address conflicts may lead to network restructures that would have otherwise been avoided, which inflates costs and disrupts business operations. The IP Address Manager (IPAM) feature in virtual private clouds (VPCs) helps prevent address conflicts and streamline network planning by automating IP address allocation and management.
What is IPAM?
IPAM is a tool that automates IP address assignment and management, thereby simplifying network management and preventing address conflicts. The following features are available in IPAM.
Automated IP address assignment: Automatically allocates IP addresses from the designated pool for VPCs based on rules that are aligned with business scenarios.
CIDR block management for VPCs and vSwitches: Resource discovery is automatically enabled and associated with the IPAM when you create an IPAM, which allows you to manage VPC and vSwitch addresses effectively.
IP address conflict detection: Automatically identifies potential address conflicts and compliance status, which mitigates network failure risks.
IP address usage monitoring: Monitors IP address usage to manage capacity and scale out resources as needed. This helps to ensure network stability and security.
Centralized network planning for multi-account architecture: Corporate network administrators can share IPAM pools with other accounts in the same organization, which centralizes address allocation and management while preventing conflicts.
How IPAM works
IPAM has three key components, scopes, IPAM pools, and CIDR allocations. The system generates two scopes by default upon creating an IPAM.
Scope: the highest-level container within IPAM. Each scope represents an independent IP address space. After an IPAM is created, the system creates a private scope and a public scope by default. The private scope applies to all private spaces, while the public scope applies to all public spaces (the latter is currently unavailable). Scopes enable you to reuse IP addresses across multiple unconnected networks without causing IP address overlaps or conflicts. You can create IPAM pools within a scope.
IPAM pool: a collection of contiguous IP address ranges (CIDR blocks). You can create a top-level pool within a private scope and create multiple subpools within a top-level pool. IPAM pools can assign and manage IP addresses based on network traffic destinations and security policies. For example, development and production environments may require different routing policies and security policies. To isolate network traffic between the two types of environments, you can create a pool for each environment and specify different routing and security policies.
You can specify an IPAM pool to assign IP addresses to a VPC. IPAM automatically checks whether IP address conflicts or overlapping occur.
Allocation: a CIDR assignment from an IPAM pool to another resource or IPAM pool. When you create a VPC, you can specify an IPAM pool to allocate a CIDR block from provisioned CIDR blocks to the VPC.
Figure 1 shows the logical structure of an IPAM pool and Figure 2 illustrates the hierarchy when CIDR blocks are allocated to a VPC.
Figure 1. IPAM pool structure
Figure 2. Hierarchical structure of assigning resources from IPAM pools to VPCs
Scenarios
IPAM supports essential features like automated IP address assignment, resource sharing, and monitoring. It enables efficient IP address resource planning and utilization monitoring across various business scenarios and multi-account architectures.
Scenario 1: Use different pools for different business departments to isolate traffic
By using IPAM, you can flexibly manage pools. IPAM pools support different hierarchical structures for different departments, application environments, and geographical areas. This ensures effective assignment and management of IP addresses.
You can divide a top-level pool into smaller subpools, which can be used for specific departments, applications, or regions. You can perform the following steps to create subpools for different departments in different regions. You can determine the IPAM pool to which a specific CIDR block is allocated based on the pool usage.
Create an IPAM and a private IPAM scope. For more information, see Create and manage an IPAM.
Create a top-level pool, a regional pool, and a development pool in sequence, and provision CIDR blocks to the pools. For more information, see Create and manage an IPAM pool.
View the pool usage of a regional pool and CIDR blocks allocated from the regional pool to other pools. For more information, see View pool usage.
Figure 1 and Figure 2 show the structure of pools in different regions and the structure of pools for different departments.
Figure 1. Hierarchical structure of address pools in different regions
Figure 2. Hierarchical structure of address pools for different business departments
Scenario 2: Allocate a CIDR block from a pool when you create a VPC
After you create different development pools in Scenario 1, you can use these pools to create VPCs to isolate network traffic without the need to worry about IP address conflicts or security policy conflicts.
When you create a VPC, you can allocate a CIDR block to the VPC based on allocation rules so that the CIDR block of the VPC does not overlap with the CIDR blocks of other resources. You can also use the IPAM console to view the VPCs associated with a pool and the management status and compliance status of the VPCs. You can perform the following steps to allocate a CIDR block from a pool when you create a VPC:
Allocate a CIDR block from a pool when you create a VPC. For more information, see Create and manage a VPC.
Check the CIDR block management status and compliance status of VPCs associated with a pool. For more information, see Create and manage an IPAM.
The following figure shows the pool structure of VPCs associated with different development pools.
Scenario 3: Unify allocation and management of IP addresses for multiple accounts
In a multi-account architecture, centralized control of network resources is challenging when IP addresses are configured independently by each business account, leading to increased configuration and maintenance costs. To address this, you can share planned IPAM pools with other accounts through the resource management feature to centrally plan addresses.
As shown in the following figure, the network administrator can share the subpools with accounts A, B, and C through resource sharing. Account C can then allocate resources from the shared IPAM pool when creating VPCs.
Scenario 4: Use IP address monitoring for resource management
Comprehensive monitoring capabilities are available in IPAM to help you effectively plan and allocate resources, enhancing network stability and security.
Monitor the address usage rate of VPCs or vSwitches. You can scale out resources of high usage rates in a timely manner to ensure adequate addresses for new VPCs or vSwitches.
Monitor the address compliance status. You can identify potential issues and resolve them in advance to reduce network failures.
Limits and billing
Billing
IPAM is free of charge during the beta test.
Supported regions
Area | Supported region |
Asia Pacific | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
Middle East | UAE (Dubai) and Saudi Arabia (Riyadh) Important The SAU (Riyadh - Partner Region) region is operated by a partner. |
Quotas
Name/ID | Description | Default value |
ipam_quota_per_region | Maximum number of IPAMs that can be created by each account in each region | 1 |
ipam_scope_quota_per_ipam | Maximum number of IPAM scopes supported in each IPAM | 5 |
ipam_pool_quota_depth | Maximum depth of each pool | 10 |
ipam_cidr_quota_per_ipam_pool | Maximum number of CIDR blocks that can be provisioned to each pool | 50 |
ipam_sub_pool_quota_per_ipam_pool | Maximum number of subpools that can be created from a source pool | 50 |
ipam_pool_quota_per_scope | Maximum number of IPAM pools that can be created by each private scope | 500 |
ipam_resource_discovery_quota_per_region | Maximum number of resource discovery for each account in each region | 1 |
resource_share_quota_per_ipam_pool | Maximum number of resources that can be shared from each IPAM pool | 100 |
shared_ipam_pool_quota_per_user | Maximum number of shared address pools for each user | 100 |