AWS re:Invent 2021 - {New Launch} Manage your IP addresses at scale on AWS

Join this session to learn about Amazon VPC IP Address Manager (IPAM), a new capability that automates your IP allocations and provides a unified operational view of your IP addresses across AWS. This session introduces IPAM and walks through how easily you can backfill your existing VPCs to IPAM. It also discusses how to create new VPCs using IPAM and shows you IPAM’s IP address monitoring capability.

Content

1.21 -> Hello, everyone.
2.043 -> How are you doing?
3.28 -> Hope you're having a good re:Invent.
6.381 -> (Tom laughs) Yeah.
8.42 -> Yesterday we launched IPAM
11.24 -> and I'm really excited to share more detail about IPAM,
14.49 -> talk more about it.
16.42 -> And I'm Shovan Das.
17.87 -> I'm a Product Manager in EC2-VPC.
20.43 -> With me, Tom, he's a solution architect.
27.64 -> Talking about IP addresses, right?
30.72 -> Has it ever happened to you that you took out
34.24 -> your favorite navigation app,
35.974 -> and entered the address
38.93 -> and somehow you followed all the right directions,
40.98 -> but somehow you ended up in the wrong location?
44.64 -> That has happened to me.
46.29 -> The address was right, but the city was wrong.
48.34 -> It just auto-filled and aligned it up in the wrong place.
52.3 -> So as I was working on IPAM, so I was thinking,
56.457 -> "Could the app have given me an alarm that,
58.257 -> 'Hey, you're going to the wrong place.
60.17 -> Your friend doesn't live there.'"
62.25 -> Or I could have helped the city planners
64.14 -> not to put the same address in two nearby cities
67.26 -> next to each other.
69.01 -> I don't know much about city planners,
71.33 -> but at least for network planning,
73.16 -> this IPAM will help you to put the right address
75.82 -> on your VPCs and your AWS resources.
80.33 -> So jumping right in.
81.6 -> What we are going to cover today is,
84.955 -> we'll talk about why we need IPAM.
87.3 -> Then we'll look at the details of IPAM.
89.54 -> Then we'll walk through some of the use cases.
91.58 -> If you have a greenfield deployment
93.45 -> or if you have brownfield deployment,
94.77 -> how you can use IPAM.
97.01 -> And then we'll go through some advanced use cases
99.63 -> how to detect overlapping CIDRs,
100.96 -> how to create overlapping networks.
103.2 -> And then finally, we'll have a console walkthrough,
106.33 -> sort of a demo for IPAM.
112.04 -> Now when you start on AWS, so your network is small,
116.87 -> the only thing you need is to put
118.2 -> the right IP address on your VPC
119.59 -> because that's what determines
121.22 -> how you'll reach that VPC
123.36 -> and what are the security policies of that VPC.
126.73 -> And you can start with the spreadsheet.
129.26 -> Your developer asks you an IP address,
131.01 -> you look at the spreadsheet, give them an IP address.
134.57 -> But what happens when you grow?
135.96 -> So you add a few more VPCs,
138.65 -> then you add a few more regions.
140.98 -> And now when your developer asks for an IP address,
143.19 -> you are just taking a longer time.
144.85 -> So our customers told us that,
146.657 -> "Hey, can we have IP addresses faster?
149.93 -> Can we assign IP addresses faster?"
152.27 -> So faster, better automation, always good, right?
155.44 -> So we chatted with our customers,
157.58 -> asked them, "Apart from faster, what else do you need?"
160.7 -> So they said that,
161.533 -> "Hey, we need to manage our routing tables
163.29 -> and firewall in a better way."
164.72 -> Why? Because when you start,
167.91 -> what happens is you can put the CIDR on your VPC
172.08 -> and then when you create the next VPC,
173.7 -> you put another CIDR, but they're fragmented.
176.61 -> So at some point in time,
178.17 -> you'll have a big route table
179.98 -> and firewall entries to manage.
181.89 -> It becomes complicated.
183.15 -> And this problem is especially more in IPv6,
186.58 -> where you can quickly fragment the IPv6 space
188.69 -> and then you'll have thousands of entries to manage.
191.45 -> So essentially what our customers told us
193.43 -> that they want to have a big block.
197.56 -> They will configure that big block.
198.88 -> So let's say that aligns with your DEV VPC,
202.53 -> so that CIDR you put on your route tables and firewalls,
206.33 -> configure how to reach your DEV VPCs.
209.49 -> And then whenever you create VPCs
210.9 -> just find out a CIDR from that space.
213.14 -> But now you're not fragmenting,
214.75 -> you have a single entry on your route table and firewalls.
219.32 -> So then we ask, "What else do you need?"
221.34 -> So our customers said that they need to monitor
224.91 -> VPCs across all the accounts across all the regions.
228.06 -> Why? Because overlaps can happen
231.69 -> and you want to take the overlap.
233.89 -> So you will take the overlap after six months
236.58 -> or whenever you connect those VPCs.
239.24 -> And at that time,
240.073 -> it's really expensive to fix.
241.18 -> You have to re-IP or move one VPC.
243.75 -> So customer said that,
245.607 -> "Hey, we need to understand right away
247.96 -> that we created overlapping VPCs."
250.97 -> Then what happens is customers also told
254.02 -> that they need to monitor the utilization statistics
257.32 -> of their IP addresses.
258.63 -> Because before the peak season, they want to know,
262.14 -> do they need more IP addresses
263.64 -> and they can proactively add those IP addresses.
267.37 -> So finally, what happened is we asked,
270.837 -> "Okay, what else do you need?"
272 -> So they said that,
274.177 -> "We need something which helps us to troubleshoot."
276.71 -> Why? Because anytime you have a networking issue
279.54 -> or connectivity issue,
280.5 -> the first thing you would want to know,
282.827 -> "Am I using the IP address at the right place
284.81 -> in the right way?"
286.61 -> After you do the sanity check,
287.84 -> then you go and do other troubleshooting.
291.07 -> Then the other thing our customer told us
293.42 -> that not only that we do
297.68 -> routine compliance checks, audit checks,
301.48 -> whenever we receive a traffic,
302.74 -> we want to know if the IP address belongs to us.
305.14 -> So some kind of auditing capability.
307.68 -> So they said that,
308.513 -> "Hey, can I go back in time
309.73 -> and look what happened to that IP address,
311.7 -> how it came to my network
312.98 -> and does it still belong to my network?"
315.07 -> So they gave us that feedback.
317.12 -> Then finally, does any of you use Bring your own IP?
323.52 -> Yes, we released this feature two years back.
326.89 -> So great feature.
328.14 -> It allows you to bring your own IP addresses.
330.44 -> If you have use cases where you have
332.8 -> a hard affinity to your IP addresses,
334.74 -> you want to retain your reputation.
336.13 -> So you use Bring your own IP,
337.78 -> but our customers told that,
339.767 -> "We want to share it across accounts."
341.73 -> We want to improve the utilization, right?
345.112 -> You needed that one?
346.99 -> Okay, so we've got it here now. (laughs)
350.53 -> But we took all this feedback
352.05 -> and essentially built IPAM.
354.1 -> And essentially what IPAM does is three things.
359.68 -> First, it allows you to automate IP address assignments.
364.15 -> So now your developers can go to IPAM
367.54 -> and ask for IP address and they will get it in seconds.
369.77 -> So no longer cutting tickets
371.12 -> or asking IP addresses through emails.
374.13 -> Second thing IPAM does is that it helps you monitor.
378.01 -> So it will monitor all your IP addresses
379.98 -> across all your regions, across all your accounts.
382.14 -> You can come to IPAM, figure out, "Is there any overlap?
386.43 -> Am I using the IP in the right way to my intentions?"
390.53 -> And you can also detect the statistics
392.43 -> for capacity planning.
394.71 -> The third thing it does is that it helps you
396.36 -> to do retrospective analysis.
397.86 -> It stores IP address information.
399.97 -> And then you can go back
401.25 -> and look what happened to an IP address.
403.11 -> Use it for audit or troubleshooting or compliance reviews.
409.268 -> So now we'll see, we'll start with greenfield deployment.
412.92 -> And I know like most of you have VPC,
415.37 -> so you are more interested in the brownfield deployment,
417.81 -> but greenfield deployment will help us
419.36 -> to understand the features
420.43 -> and the basic building blocks of IPAM.
422.32 -> And then we'll go into the brownfield deployment.
425.58 -> So how to use IPAM is actually quite simple.
429.61 -> You just have to do three things to use IPAM.
432.17 -> The first thing is you create an IPAM.
435.3 -> So you will just create one single IPAM
437.36 -> in one single region,
438.93 -> but it will help you to manage your IPs
440.68 -> across all the regions.
443.03 -> One big benefit of IPAM is that you can
445.79 -> actually choose which region you want to host IPAM.
450.15 -> So it's a global service,
451.5 -> but you can decide where you want to host IPAM.
453.49 -> And most of our customers said that they want to host IPAM
457.02 -> in the region where they have the maximum workloads,
460.07 -> but other regions are also covered.
461.58 -> So just one single IPAM for all accounts and all regions.
466.4 -> Then what to do is you arrange your IP addresses
469.2 -> based on your routing and security needs.
471.84 -> Essentially you create the hierarchical structure.
475.3 -> And then final thing is that you put your business rules,
478.67 -> because you want allocations to happen
481.33 -> based on your intentions.
483.16 -> You want DEV accounts to get DEV CIDRs,
486.36 -> PROD accounts to get PROD CIDRs
487.77 -> So you can set those rules here.
489.65 -> You can decide which region gets what IP addresses,
491.96 -> and we will get into that more in detail.
493.77 -> But you set these three things,
495.55 -> and then you're ready to go.
498.22 -> What you can do IPAM is that you can assign CIDRs,
500.88 -> your developers can go and get CIDRs.
503.15 -> Then you can monitor, go to the IPAM central dashboard.
507.27 -> And in that central dashboard you will have all your VPCs,
509.77 -> all your EIPs, all your IP addresses,
512.33 -> and you can use it to monitor, do usage statistics,
517.11 -> do capacity planning there.
518.89 -> And then finally IPAM has IP address information
522.96 -> for three years.
523.793 -> So it is tracking every movement of your IPAM,
526.089 -> how it went from one EC2 instance to another EC2 instance.
528.69 -> And you can go there, ask IPAM,
531.037 -> "I want to know what happened with my IP address."
532.507 -> And IPAM will tell you all the information.
534.44 -> So use it whenever you do quarterly reviews
537.61 -> or compliance audits.
542.32 -> So now let's get into the detail, right?
544.61 -> So the first thing is that,
546.01 -> how do you arrange your IP address
547.43 -> into routing and security domains?
550.19 -> And here, one important concept
552.71 -> that you have to understand is pool.
554.73 -> So pool is a collection of CIDRs.
557.78 -> One CIDR or multiple CIDR.
559.97 -> But the benefit of pool is
561.13 -> that when you're automating your assignment,
565.17 -> so your scripts are pointing to the pool,
566.93 -> and when the pool is empty, so you add more CIDRs.
569.31 -> So the pool ID is not changing.
570.86 -> So that always remains the same.
573.45 -> You can add more CIDRs
574.47 -> but the pool will remain the same.
576.09 -> So your scripts are not changing.
578.69 -> How it helps you in arranging IPs
580.77 -> based on your routing and security domain
582.45 -> is that you can split the pools into two halves
585.15 -> or multiple halves.
586.75 -> So by splitting it,
587.583 -> you will create the hierarchical structure
589.42 -> because you take a big CIDR, then you can,
593.09 -> half of it, you can allocate it for one region,
595.31 -> half of it, you can allocate it for another region, right?
598.49 -> Let's see.
599.323 -> Let's go through some examples how it happens.
602.67 -> So this is first example.
604.7 -> And you took a big aggregate.
606.62 -> So that is our AWS-wide CIDR.
609.34 -> Now you divided it based on regions
611.7 -> because now you can, one single CIDR represents
615.087 -> the routing to that region.
616.47 -> So TGW configuration or DX configuration is very simple.
620.6 -> Then you divide it into DEV and PROD accounts
624.05 -> in each region.
625.23 -> And now you can set up firewall or security group rules
627.95 -> for DEV CIDRs and PROD CIDRs.
629.97 -> They can be different.
632.19 -> Another example is that you can take the same CIDR
636.785 -> that AWS-wide pool.
638.45 -> Then you can first divide it based on your security domains,
641.24 -> DEV and PROD, and then divide it across regions.
644.83 -> And the third one is,
647.02 -> let's say you have a big organization
648.89 -> and you have multiple business units
650.98 -> and you have a requirement that one business unit
652.81 -> shouldn't talk to another business unit.
655.03 -> So in that case, you divide first across business units,
658.49 -> set up your routing and security policies
660.75 -> such that one view, one IP address from one business unit
664.15 -> cannot talk to IP addresses from other business units.
666.67 -> And then you either follow example one or two.
668.84 -> Divide it across regions
669.99 -> and then divide it across DEV and PROD.
672.23 -> And here I have shown three or four layers of hierarchy,
674.47 -> but you can create as many layers of hierarchy as you want.
677.45 -> So essentially the point is that IPAM is flexible,
679.94 -> and based on your needs,
681.23 -> you can decide to structure how you want.
683.02 -> So here are some templates, some examples
685.5 -> where it's up to you.
688.27 -> So once you do that,
689.47 -> the next thing you will do is set business rules
692.37 -> because now your developers can come to IPAM
697.59 -> and ask for IP addresses,
698.95 -> but still you want some rules.
700.5 -> Which IP is going to which region?
702.88 -> Which CIDR is being used for DEV?
704.733 -> Which CIDR is being used for PROD?
705.85 -> So you want those rules.
707.78 -> So you can set those rules.
710.01 -> Before giving IP addresses,
712.1 -> IPAM will consult your rule.
713.63 -> If all the rule matches, IPAM will give it.
715.71 -> If it doesn't match, then IPAM will fail the call.
720.25 -> So let's look at the rules, right?
723.31 -> Now, for this launch we came up with four rules,
727.8 -> and based on your feedback, we'll add more rules.
730.58 -> To begin with, these four rules are.
732.72 -> First, region.
733.553 -> So you can say that this CIDR is for this region
736.81 -> and only VPCs and resources in that region
739.37 -> can use that CIDR.
741.14 -> So it keeps your route table simple.
743.67 -> Then you can say that,
745.247 -> "Hey, this CIDR is for these particular principals
748.92 -> or accounts or organization units."
752.6 -> So if you have a structure
754.38 -> you can say that DEV accounts
755.47 -> can only have DEV pools.
756.81 -> PROD accounts can only have PROD pools.
758.96 -> So that way you know that your IPs
761.06 -> are not being misused.
764.157 -> The third thing is that you can have
766.75 -> tag-based allocation policy.
768.71 -> So only resources with certain tags
770.517 -> can get IP addresses from a pool.
773.36 -> That's because normally you will arrange your resources
777 -> based on some tags.
778.01 -> So this will ensure that your tags and allocation policies
782.58 -> have one-to-one matching.
784.87 -> And the final thing is size
786.4 -> because you want to standardize HIP.
788.77 -> The smallest VPCs should be this much.
790.56 -> The largest VPCs should be this much.
792.84 -> It will take care of over-provisioning or underprovisioning.
795.24 -> So you can set up a size-based route
798.34 -> that minimum size of VPC should be what,
800.45 -> maximum size should be what,
801.51 -> and what should be the default size.
803.56 -> So that will help you to manage the size of your VPCs.
809.7 -> And that's it.
811.1 -> So those are the four rules.
812.96 -> If all those four will match, IPAM will give CIDRs.
815.98 -> Now one of the typical question here is that,
818.777 -> "Hey, does IPAM work only for VPC?"
822.64 -> It's integrated with the VPC flow.
824.24 -> So you can create VPC API
827.33 -> and IPAM will directly give IP addresses
830.04 -> to that created VPC API.
832.33 -> But in case you want to build container overlay networks
836.84 -> or you want to get CIDRs for your VPNs
840.29 -> for any other use cases apart from VPC.
843.45 -> So what you can do is that you can call IPAM
847.3 -> and there's allocate CIDR API.
849.87 -> So you can say that allocate CIDR is 24.
852.44 -> So it will give you a /24 CIDR.
855.31 -> And then you can take that /24 CIDR
857.21 -> and use it wherever you want.
858.41 -> For example, you can build a container overlay network.
860.99 -> You can give it to your VPNs.
866.02 -> Now we are coming to the other use case of IPAM.
869.51 -> We talked about automating IP addresses.
871.74 -> So we are now talking about how you can monitor your VPCs.
875.27 -> So the moment you turn on IPAM,
876.58 -> what happens is IPAM is actually monitoring
880.42 -> and creating inventory of all your VPCs,
882.87 -> whether they were created by IPAM
884.33 -> or whether they were created by you before.
888.79 -> So both VPCs and EIPs,
891.29 -> both public IPs.
892.21 -> So it comes here.
893.36 -> Then that's the list of all the inventories.
896.67 -> Then IPAM will say that,
897.777 -> "Hey, there is some overlap."
900.06 -> If you use IPAM to create VPCs,
902.94 -> IPAM won't create overlapping VPCs.
904.67 -> But in case you acquired a VPC from an M&A,
907.93 -> or you created a VPC outside of IPAM,
910.41 -> or you had a prior VPC.
911.77 -> So IPAM will tell you that it is overlapping.
914.29 -> And it will also set compliance.
916.36 -> So what does compliance mean?
917.22 -> We talked about the four rules.
919.74 -> If those four rules match,
921.89 -> so then we'll say that the VPC is compliant.
923.76 -> If one of the rules is not matching,
925.29 -> for example, the VPC is in the wrong region,
927.47 -> so we'll say IPAM is out of compliance.
930.06 -> Not IPAM, the VPC is out of compliance.
932.96 -> And then you can go and check why it is out of compliance.
937.54 -> This one will come...
938.74 -> This one will be handy when you go
940.08 -> to brownfield deployments,
941.97 -> when you have private VPCs,
943.47 -> and then you want to know whether they're compliant or not
946.16 -> based on your routing and security policies.
950.57 -> And IPAM is integrated with CloudWatch.
953.69 -> So all the pool statistics and information
956.47 -> is going to CloudWatch and you can create CloudWatch alarms.
959.85 -> So you can set up a threshold that,
961.207 -> "Hey, if my US-east pool is at 80% threshold, for example,
965.35 -> I want an alarm."
966.183 -> And at that point you add more CIDRs to that US-east pool.
971.92 -> Then let's chat about historical audit.
973.8 -> This was one of the features which is hard to build
977.17 -> because when you are tracking IP addresses,
979.8 -> all your IP addresses,
980.747 -> I assume you will have thousands of IP addresses.
983.44 -> Some customers will have even more.
985.52 -> So when you have those much IP addresses
987.62 -> tracking each and every movement,
989.19 -> each and every assignment of that IP address at scale,
992.06 -> is a difficult task.
992.98 -> So we solved it.
994.36 -> And what happens here is that...
997.1 -> Let's take an example.
999.07 -> If you have a public EIP,
1000.55 -> so you are reviewing your firewall policies
1003.15 -> and you saw that, "Hey, this EIP is allow-listed."
1006.287 -> And you want to see that whether it is valid or not.
1008.61 -> So you go to IPAM and it says that yeah,
1010.37 -> that IP was allocated to your account,
1013.53 -> but then it moved account boundaries
1016.63 -> and at some point it got deallocated from your account.
1018.94 -> So it no longer belongs to you.
1020.28 -> It went back to Amazon pool.
1022.396 -> So that means your allowed list firewall rule is still,
1025.44 -> so you might want to clean up that,
1026.97 -> but you can use IPAM for these kinds of scenarios.
1030.14 -> The other is that let's say for private IP address,
1033.82 -> one of your developer complains that,
1035.807 -> "Hey, last night my database server was down
1038.86 -> for two hours.
1039.693 -> It is up now, but what happened in those two hours?"
1042.08 -> So you can go to IPAM and IPAM will tell you that,
1044.48 -> yeah, in the last two hours actually there was an overlap.
1047.78 -> Another VPC was created.
1049.53 -> There was an overlap,
1050.37 -> but now that VPC got deleted.
1052.64 -> So now it's fine.
1053.473 -> But you know that, "Okay, what was the root cause?"
1055.03 -> And then you can build some process to fix it.
1060.16 -> Now, yeah.
1060.993 -> This is interesting one.
1061.826 -> So I assume you already have tons of VPCs.
1065.19 -> So how you can use IPAM?
1066.89 -> Actually, the first thing is that IPAM monitors
1071.94 -> all your VPCs, right?
1072.85 -> So you create an IPAM.
1074.19 -> The moment you create an IPAM,
1076.4 -> it starts monitoring all your VPCs
1078.17 -> without you doing any actions.
1080.55 -> It discovers all your VPCs
1082.88 -> and then creates the inventory view.
1084.94 -> Then what you do is that you create your pools
1086.91 -> and allocation policies.
1088.77 -> So the moment you create your pools and allocation policies,
1091.2 -> IPAM starts backfilling all the VPCs into those pools
1095.69 -> with the allocation policies.
1097.7 -> If IPAM doesn't find a pool,
1099.85 -> so then IPAM will say that it's an unmanaged VPC.
1102.54 -> I couldn't find an IP address.
1105.8 -> If it finds a pool,
1107.1 -> but if all the pool rules don't match,
1108.86 -> so it will say that, yeah, I found it,
1110.21 -> but it is out of compliance.
1111.33 -> Looks like in the past you created a VPC in the wrong region
1114.9 -> or wrong account is using the wrong CIDR.
1116.9 -> So you can get those kind of insights.
1123.1 -> So the other question is that,
1125.027 -> "Okay, now I know I can use it for my brownfield deployment,
1127.85 -> but then how do I start?
1128.9 -> How do I migrate to IPAM?"
1130.44 -> So, first thing is that you don't
1131.313 -> have to change your workflow.
1133.02 -> So you create your VPCs as you're creating,
1135.54 -> start using IPAM for monitoring.
1137.43 -> So IPAM is just monitoring.
1139.45 -> Then application, or region by region,
1141.76 -> you move to IPAM-based assignment.
1144.55 -> So you automate those site assignments
1146.68 -> for a particular application or for a particular region,
1150.09 -> and then migrate towards IPAM.
1152.52 -> Once you are complete, then actually IPAM has a SCP policy.
1156.38 -> You can lock down.
1157.83 -> You can say that from now onwards all my VPC
1160.28 -> in my AWS organization needs to be created using IPAM.
1164.31 -> So without IPAM, if I'm not using IPAM,
1167.32 -> then no VPCs should be created in my organization.
1169.95 -> So you can create that rule as well.
1171.86 -> So you can go that far and enforce it.
1177.125 -> So here's the summary of all the workflows possible.
1181.01 -> This is the first one.
1182.24 -> So in the first workflow what happens is,
1184.27 -> this is what happens today.
1186.17 -> Most likely, your developer will ask you
1188.11 -> for an IP address.
1189.29 -> You will go into your homegrown tool or spreadsheet,
1192.09 -> look for an IP address, give back to the developer.
1194.48 -> Developer will then take it and use that string or CIDR
1198.63 -> in the Terraform script or in the CloudFormation script
1202.31 -> and they will create the VPC.
1204.36 -> So the first step here is that you just insert IPAM.
1207.51 -> So you'll get the monitoring advantage of IPAM.
1210.43 -> IPAM will give you automated CIDRs, so less errors,
1213.28 -> all the benefits of IPAM.
1215.11 -> Then later on, you can take yourself out.
1218.11 -> Then the developers can directly use IPAM
1220.83 -> as a self-servicing tool.
1222.12 -> So you get more time and you can work
1223.76 -> on more strategic projects and work on other things.
1227.04 -> But once that is done,
1228.25 -> then you can have final integration.
1229.69 -> So we just released Terraform last night.
1233 -> So Terraform is integrated.
1234.57 -> CloudFormation is integrated.
1236.23 -> So you just use IPAM.
1238.46 -> Developer calls the script, and the Terraform calls IPAM,
1243.04 -> gets the CIDR, creates the VPC.
1245.003 -> So in this one, actually developer doesn't even know
1247.9 -> what his IP address is.
1252.24 -> And one of the common question here is that,
1254.827 -> "Okay, now, that's good.
1258.08 -> I can take care of my existing VPCs,
1260.9 -> but how do I take care of what happens
1263.15 -> if I have a hybrid network?"
1264.91 -> So here what happens today is that you're on prem,
1270.03 -> you might have an on-prem IPAM.
1271.57 -> So you are getting CIDRs from on-prem IPAM,
1273.59 -> and then essentially handing over that CIDR
1276.026 -> to a spreadsheet.
1276.859 -> And that's how you are managing in AWS
1278.52 -> or your homegrown tool for that matter.
1280.92 -> So in this case do the same thing,
1282.19 -> but give it to AWS IPAM.
1283.74 -> And then AWS IPAM will automate across all your regions,
1286.89 -> VPCs, do the monitoring in AWS.
1290.5 -> You can even create a static pool for on-prem,
1292.74 -> which represents what you're using in on-prem.
1295 -> IPAM won't use it to allocate VPCs out of it,
1298.33 -> but if a VPC was created
1300.66 -> and it is conflicting with this on-prem static pool,
1302.91 -> so then IPAM will give you an alert that,
1304.63 -> "Hey, I found a VPC,
1306.05 -> which is not conflicting with any other VPC,
1307.617 -> but it is actually conflicting with one
1310.06 -> of your on-prem deployments."
1311.92 -> So it will help you to troubleshoot routing issues,
1315.66 -> if you have.
1318.84 -> Then yeah, I'll hand it over to Tom.
1321.17 -> He will cover some of the advanced topics.
1324.262 -> Thanks, Shovan.
1325.095 -> Thanks, Tom.
1326.05 -> Awesome. We still have a walkthrough for you guys
1329.35 -> at the very end that will cover every single feature
1332.113 -> that Shovan has mentioned.
1334.25 -> But before that, I want to talk a little bit
1336.45 -> about Bring Your Own IP space,
1338.64 -> about high availability of IPAM,
1340.78 -> about overlapping address space and a bit of pricing.
1344.72 -> So Bring your own IP is a feature we launched in 2018.
1349.14 -> Actually Shovan was part of the team that has launched it.
1352.37 -> And it allows you to bring your own IPv4
1355.387 -> and IPv6 public space into AWS
1358.72 -> and assign it to resources you run in AWS,
1361.95 -> and then have AWS advertise those IP address blocks
1365.61 -> on your behalf.
1367.7 -> And this is very relevant,
1368.83 -> especially if you build up some reputation
1372.53 -> in your address space,
1373.59 -> or if you have some allow-lists
1374.97 -> that you would have to update
1375.95 -> if you change your IP addressing.
1377.7 -> So it's very handy feature.
1379.88 -> With the launch of IPAM,
1382 -> we've actually added a number of improvements
1384.63 -> to Bring your own IP space,
1386.31 -> from improving how you can bring
1387.96 -> this space into your environment,
1389.64 -> how you can segment it
1390.87 -> across different accounts and regions,
1394.72 -> as well as how you can bring in
1396.45 -> your existing IP space into AWS.
1401.14 -> Let's dive into each one.
1403.05 -> So prior to IPAM,
1405.42 -> when you were bringing IP space into AWS,
1409.25 -> you could bring a block into each respective AWS account.
1413.6 -> And the smallest block on the IPv4 side
1416.09 -> would be a /24, which is 256 IP addresses, 255, sorry.
1421.82 -> And then each account would get that /24 255 addresses,
1425.61 -> even if you only needed to use 10 addresses per account.
1429.29 -> So there will be a lot of IP address space wasted
1431.82 -> if you went in with that approach.
1433.35 -> With IPAM, you can bring that address space once
1437.21 -> into the IPAM account
1438.93 -> and then subdivide it across your additional accounts.
1442.16 -> So you can improve the efficiency
1443.97 -> of how you're using your address space.
1447.4 -> Now, if you already have
1449.2 -> Bring your own address space on AWS
1451.7 -> already deployed in your accounts,
1454.41 -> it's actually very easy to bring that addressing into IPAM.
1460.009 -> All you need to do is allow IPAM
1461.24 -> to discover those IP addresses, take management,
1464.6 -> and it can then be used to reallocate that address space
1467.57 -> in a more efficient way.
1469.78 -> And all that happens on the control plane side.
1472.51 -> So there's no impact to your data plane.
1474.42 -> So if you have resources already using
1476.82 -> that public address space, there's no change.
1479.02 -> They still continue working as they were.
1481.07 -> Just the management has changed.
1486.03 -> The other improvement is the simplified onboarding.
1490.09 -> So when you bring an address space,
1492.26 -> you actually have to prove to us, to AWS, that you own it.
1495.77 -> So there's a whole process of what you need to do
1498 -> to do that, update ROAs.
1500.28 -> And we'll talk about it in a second.
1502.973 -> And create private and private keys.
1504.84 -> So I have an example to show you how that looks like,
1507.36 -> but it was a cumbersome process
1508.57 -> that you'd have to go through each time
1509.93 -> you were bringing in another address block.
1512.01 -> With IPAM, you do it once,
1514.47 -> bring it into a centralized account,
1517 -> prove that you own it once
1518.81 -> and then you can start subdividing.
1522.27 -> The final option is the ability for you to, in IPAM,
1525.62 -> define that you want to advertise
1528.74 -> a particular Bring your own IPv6 space
1531.89 -> out to the internet,
1533.31 -> or decide that you only want to use it
1535.69 -> internally within your VPCs.
1537.89 -> So in this example,
1539.36 -> I'm showing you first a range that's publicly advertisable.
1542.96 -> So you define it in your configuration.
1545.2 -> So that /33 would be your top-level pool.
1548.42 -> You subdivide it into regions
1550.28 -> and then subdivide it into environments.
1552.7 -> And with saying it's publicly advertisable,
1555.77 -> you are asking AWS to advertise that address space
1559.26 -> to the internet.
1562.14 -> If you set up the no-publicly-advertisable flag,
1565.21 -> you're effectively saying that,
1566.377 -> "I still want to use this globally routable address space,
1568.96 -> but I don't want AWS to advertise it for me."
1572.47 -> It would only be relevant to specific VPCs.
1575.52 -> And to be able to communicate with that environment,
1577.63 -> you would have to use things
1578.463 -> like AWS Direct Connect or AWS VPN.
1581.76 -> And you can have both ranges operating in parallel
1584.87 -> and maybe use them for different environments.
1590.92 -> Another interesting feature for IPAM
1593.45 -> is how it deals with overlapping address space.
1596.26 -> When you design your networks,
1597.51 -> obviously you want to avoid overlapping address space.
1600.59 -> It's actually pretty complicated to fix,
1603.78 -> so if you can do it in advance,
1605.09 -> make sure you're not overlapping.
1606.25 -> But there are scenarios where you might have
1608.78 -> clashing address space,
1609.74 -> and IPAM can help you figure out what to do.
1613.94 -> One example where you might have overlapping address space
1617.24 -> is if you have VPCs that are not connected,
1619.3 -> and you don't plan to connect them in the future.
1621.33 -> Maybe the sandbox environments,
1622.84 -> all of them have the same IP block.
1625.41 -> Or another example could be where you have VPCs
1628.74 -> with one address range that's non-overlapping
1632.09 -> and a much larger address space that is overlapping
1634.76 -> that might be used for other purposes.
1637.05 -> This is a common scenario with the container environments
1639.33 -> where customers want to give IP addresses
1642.06 -> that are non-routable to the containers
1644.43 -> and then when those containers need
1645.64 -> to leave that environment,
1646.79 -> they would use the routable space.
1649.23 -> So in those scenarios,
1650.14 -> when IPAM discovers those VPCs,
1652.35 -> it will flag that they're actually overlapping.
1654.78 -> So you can tell IPAM,
1655.877 -> "Hey, I am okay with this overlap.
1658.1 -> I'm aware that this is overlapping.
1659.43 -> This is on purpose."
1662.05 -> Another scenario that you might see overlapping
1665.06 -> is more related to acquisitions,
1667.6 -> or if you're running multiple independent networks
1671.21 -> that would run the same address space.
1674.62 -> To solve that, you can create separate scopes.
1677.31 -> So IPAM allows you to create these containers called scopes
1680.91 -> and within each scope,
1682.356 -> IP addresses have to be unique and non-overlapping.
1685.77 -> But think about each scope as an independent environment
1688.27 -> that you manage separately.
1689.32 -> So you can overlap address space in each additional scope.
1695.82 -> So what about high availability?
1698.377 -> Shovan mentioned earlier that when you decide
1701.27 -> on the IPAM hosted region,
1703.86 -> that's where your control plane for your IPAM will live.
1707.43 -> So usually that would be the region and account
1710.78 -> where you have the most resources.
1713.5 -> And if you start subdividing your top-level pool,
1717.04 -> each region would get an allocation
1718.98 -> of whatever pool you give to it.
1722.09 -> And then when VPCs are created,
1723.88 -> those VPCs pull IP addresses from the regional pool.
1727.73 -> For those VPCs, or the creation of those VPCs,
1730.07 -> there's no need to connect to the IPAM hosted region.
1733.67 -> So all the API calls happen within the same region.
1737.73 -> And that has some implications towards
1739.45 -> how high availability works here.
1741.74 -> So in the unlikely scenario
1743.86 -> that the IPAM hosted region becomes unavailable,
1747.9 -> you no longer can add additional CIDR ranges
1750.82 -> to your top-level pool,
1752.24 -> but you can continue creating VPCs in all the other regions
1755.42 -> as long as you still have available address space.
1758.11 -> So they're completely independent.
1760.75 -> Now, a similar scenario:
1761.85 -> another region where you have your regional pool
1764.86 -> might have an issue at that point.
1767.45 -> Just that region is affected.
1768.81 -> You can continue adding additional CIDRs
1770.85 -> to the top-level pool,
1772.36 -> and you can continue assigning addresses to VPCs
1775.82 -> in all of the other regions.
1780.72 -> From a pricing point of view, we're keeping it very simple.
1784.42 -> So the pricing is based on what you use,
1786.74 -> not on your planning.
1788.41 -> So you can create ranges.
1790.416 -> You can subdivide them.
1792.48 -> You can even create VPCs using those ranges.
1796.07 -> We will only charge you when you start
1797.97 -> allocating IP addresses from the bottom line.
1801.83 -> So if there are ENIs, network interfaces inside your VPC,
1805.38 -> actually using IP addresses from each pool.
1808.88 -> So example here, we have a /16 VPC.
1812.62 -> That's 65,000 IP addresses.
1815.78 -> The CIDR was assigned by IPAM.
1817.67 -> And if that VPC only has 2,000 network interfaces,
1820.78 -> maybe 2,000 EC2 instances,
1822.8 -> IPAM will charge only for those 2,000 instances.
1826.76 -> And for the specifics for the pricing,
1828.84 -> you can check out our public documentation.
1832.95 -> All right, let's get to the walkthrough.
1837.4 -> So first thing you need to do when you get into IPAM
1842.05 -> and it's under the VPC section,
1843.85 -> is to just create IPAM.
1845.43 -> When you start, nothing's gonna be there,
1848.09 -> so you create IPAM.
1849.01 -> And I'm showing you the console.
1851.3 -> But as Shovan mentioned, you can use Terraform,
1853.34 -> you can use CloudFormation, you can use APIs.
1855.65 -> It's up to you.
1857.07 -> The simplest for the demonstration is the console.
1861.155 -> So then the next thing you need to do
1862.53 -> is effectively allow IPAM to allocate addresses
1866.55 -> and communicate with other accounts and regions.
1870.03 -> So you have to enable those permissions
1872.05 -> and then select which regions you want IPAM
1875.1 -> to be able to deploy addresses into.
1878.04 -> And when that's completed, you'll get two scopes.
1880.91 -> These are two default scopes, private and public,
1884.07 -> that get created as soon as you create your IPAM deployment.
1889.69 -> So once you have IPAM ready,
1891.07 -> you can start creating your pools.
1893.36 -> So let's start with creating a private pool.
1896.03 -> And we need to make sure that we are in the private scope
1899.26 -> because we will be creating a private pool.
1901.62 -> So make sure you select the right scope from the dropdown
1904.73 -> and then Create a pool.
1907.61 -> Because this is our top-level pool, our first pool,
1910.17 -> we don't have any other pool to select from,
1913.77 -> we just specify what address space we're interested in.
1916.65 -> In this case, it's private,
1917.71 -> so it will be IPv4.
1919.47 -> We don't have a region that we're assigning it to.
1921.91 -> And then we decide on what address block we want
1924.44 -> to allocate to our top-level pool.
1927.54 -> And in the future,
1928.373 -> we can keep expanding those ranges.
1929.81 -> In the example, I'm just gonna use a single /14.
1934.38 -> So we have that /14 popping up in our private scope.
1938.95 -> So next, we can continue creating our pool hierarchy.
1943.12 -> So we go in again, create a pool.
1946.12 -> And then now, because we have the top-level pool,
1949.25 -> we can select that as our Source pool for creation.
1954.21 -> Then we select the region we want to deploy
1957.33 -> that new pool into.
1959.7 -> And then finally we figure out what IP address block
1963.4 -> we want to allocate.
1964.36 -> And there's two options.
1965.29 -> You can manually specify,
1966.787 -> "Hey, I want this particular range."
1969.06 -> Or you can just say,
1970.747 -> "Give me the next available /16,"
1972.587 -> and IPAM will just give it to you.
1974.87 -> So in this case, that's what I did.
1976.09 -> I said, give me an additional CIDR based on a /16.
1979.41 -> It's gonna go to US-east-1,
1981.41 -> and I have the range available there.
1984.05 -> Because I will be using this pool for creating VPCs,
1987.24 -> I can configure some of the business requirements
1990.81 -> or allocation rules settings here.
1992.69 -> So I can tell IPAM what size of VPCs
1996.38 -> I want to allow.
1997.83 -> And the biggest is gonna be a /21,
2000.17 -> the smallest, a /25.
2002.23 -> And if I don't provide any input,
2004.09 -> my default VPC is gonna be a /24, or 256 IP addresses.
2010.19 -> And then if I also want,
2011.13 -> I can add tags as additional requirements,
2013.7 -> but I'm skipping that for the demo.
2016.94 -> And then I repeat that multiple times.
2018.65 -> So now I have a pool in each region.
2021.57 -> In a normal environment,
2024.03 -> you will continue the hierarchy further, right?
2026.62 -> So for the sake of an example,
2028.64 -> I'm stopping the hierarchy at the regional level,
2031.21 -> but you would continue subdividing it however you want,
2033.97 -> maybe based on environments or business units,
2037.4 -> whatever you want.
2039.77 -> So once we have those pools created,
2041.21 -> we can start creating VPCs from the relevant pools.
2044.87 -> So all we need is the ID of the pool we created
2048.01 -> in a particular region.
2050.2 -> And then we can use that in the VPC creation call.
2055.68 -> And I'm gonna show you here the CLI.
2057.32 -> Again, you can do the same thing in the console.
2059.13 -> You can do the same thing
2060.06 -> through APIs, CloudFormation, Terraform.
2062.66 -> But in the CLI, if you're creating the VPC,
2066.19 -> I'm specifying, I want a VPC in US-east-1
2069.15 -> and I just need to provide the ID of the IPv4 pool.
2073.12 -> I don't provide any other information.
2075.37 -> So at this point, the rules I created earlier will kick in
2080.32 -> and I'll get a default size VPC of a /24
2083.76 -> with the next available IPv4 block.
2091.11 -> So now once I created a bunch of VPCs,
2093.99 -> I can start looking at, "Are they compliant?
2096.9 -> Is there any overlap?
2099.11 -> What is the utilization of each one of my VPCs
2102.51 -> that I've just created?"
2104.21 -> And if I want to zoom in into the utilization section,
2108.5 -> I can look at resources.
2110.37 -> And here I'm showing you two different resources.
2112.38 -> The top one is a subnet.
2114.35 -> The bottom one is a VPC.
2116.68 -> And in the context of a VPC,
2118.84 -> that IP Usage percentage is showing you
2121.1 -> how many subnets you have allocated.
2123.31 -> So if you created a VPC
2125.19 -> and then created subnets out of the whole VPC size,
2127.6 -> that would be 100%.
2130.03 -> But in the case of the subnet,
2131.76 -> we're telling you how many actual IP addresses are utilized
2134.77 -> out of a particular subnet you created.
2136.69 -> So it's a slightly different metric.
2138.56 -> So just be aware.
2140.24 -> And then as Shovan mentioned,
2142.24 -> you can start monitoring your pool,
2144.14 -> see what the utilization is.
2145.5 -> And if you're running hot,
2147.49 -> maybe 60, 70, 80% utilization,
2150.29 -> you can set up a CloudWatch alarm
2151.9 -> and then you go in and expand your pools,
2153.7 -> whether the top-level pool or regional pools.
2158.606 -> Shovan also mentioned that you can set up
2160.17 -> security control policies across your whole organization
2163.21 -> and say nobody can create VPCs unless they come from IPAM.
2167.31 -> So that would prevent anybody
2168.49 -> from accidentally creating VPCs with overlap.
2171.87 -> But say you haven't configured that,
2174.69 -> you still allow your users to create VPCs however they want,
2178.96 -> so there could be a scenario when someone creates a VPC
2182.2 -> and the IP address block they use will overlap
2184.48 -> with something you already use in IPAM.
2187.5 -> IPAM would detect that and will tell you,
2189.48 -> "Hey, you have two VPCs now.
2193.14 -> Both have ranges with another VPC
2195.08 -> that someone created somewhere else."
2197.22 -> You can take action and remediate.
2200.77 -> Another very cool feature is the ability
2202.57 -> to track historical usage of your IPs.
2205.76 -> And the example I'm showing here is a private IP address,
2208.32 -> 10.0.0.12 from a private scope.
2211.93 -> And what we can see here is,
2213.84 -> first, it was assigned to a particular instance
2216.14 -> and a network interface.
2217.72 -> At some point that instance disappeared
2220.29 -> and the IP address was assigned to another instance
2223.28 -> in another network interface and continues to do so
2226.36 -> because there's no end time.
2230.32 -> Okay, let's talk about bringing your own address space.
2233.79 -> So say you have an IPv6 range
2236.35 -> that you want to bring into AWS
2238.46 -> and use it in IPAM.
2239.57 -> What would you need to do?
2241.54 -> So the first thing you need to do,
2242.75 -> and that is done outside of IPAM,
2244.75 -> you have to do it on your own infrastructure,
2247.01 -> create a public and private key pair
2249.51 -> and then create a certificate.
2252.6 -> Then you go into your regional internet registrar.
2256.33 -> So for US, that would be ARIN,
2258.04 -> for Europe, it would be RIPE.
2259.32 -> It's basically a body that manages the public address space.
2263.33 -> And then if you want AWS to advertise
2265.77 -> that address space on your behalf,
2267.82 -> you have to update a Route Origin Authorization record.
2271.83 -> So you can see here,
2273.16 -> the range we want to bring in is a /48.
2275.99 -> And we're saying we're allowing
2277.58 -> AWS autonomous system numbers, the ones you see there,
2281.73 -> 16509 and 14618 to advertise that IP address block
2287.08 -> on your behalf.
2288.44 -> And the other thing you need to do
2289.77 -> is you upload the certificate you just created
2292.37 -> also to the registrar information.
2294.75 -> So if anybody does a whois on your records,
2298.31 -> they can see that certificate.
2299.73 -> That's exactly what we will do to validate
2301.74 -> that you own the range.
2304.04 -> And then finally provision the range in IPAM.
2307.348 -> So let's see how that's done.
2309.18 -> So we're creating another pool.
2312.08 -> This time we're creating a pool in the public scope.
2315.03 -> Bring your own IP address space
2317.06 -> is using globally routable ranges.
2318.9 -> So it will be in the public scope.
2320.82 -> It would be the same if you are bringing
2322.67 -> a public IPv4 range.
2327.7 -> We're configuring it here to say that the pool
2330.03 -> that we're bringing we want AWS to publicly advertise.
2333.37 -> There is an option to not publicly advertise it
2335.46 -> and then keep it completely private.
2338.19 -> And then we decide, "What is the prefix gonna be
2341.28 -> that we are adding here?"
2342.98 -> And we're selecting a /32.
2345.47 -> And straightaway below, we will generate a message
2349.2 -> from the prefix you're trying to add.
2351.5 -> And it will include information like the prefix,
2353.5 -> your account, the date.
2356.29 -> And then what we require you to do is copy that message
2359.61 -> and sign it with the private key you generated earlier.
2363.42 -> So now we have a signed message with your private key
2367.08 -> that can be decrypted with the public key
2370.17 -> that's stored on your certificate in the RIR.
2373.41 -> So we have the connection between your account,
2375.56 -> your range and the ownership.
2378.64 -> So after that, the range will be approved
2380.36 -> and you can start subdividing it
2381.87 -> without any additional hurdles.
2384.84 -> So in this case, what we will do is
2387.44 -> we will create a regional pool from that original range.
2391.62 -> So you can see here, the Source pool is the address block
2394.61 -> that we allocated earlier.
2396.51 -> We're specifying that this will go into US-east-1.
2399.62 -> And because in this example
2401.27 -> my hierarchy only has two levels,
2403.04 -> I will be using that range to allocate it to VPCs.
2405.78 -> So I have to tick or select the option
2408.66 -> that this will be used by EC2 or VPC.
2413.15 -> Then again, I can either select the specific range I want,
2416.42 -> or you can say, "Give me the next available one."
2419.28 -> And configure some rules here as well.
2422.58 -> For IPv6, all of the VPCs really are /56,
2426.62 -> so the rules become very simple here.
2428.68 -> So that's the only size we support today.
2432.54 -> So when I'm creating a VPC, that will have IPv6.
2436.95 -> You'll notice that I also need an IPv4 call.
2440.21 -> So each VPC today requires both IPv4 and IPv6.
2444.34 -> We have launched earlier, maybe this week
2447.22 -> or a couple of weeks ago,
2448.41 -> the ability for you to have IPv6-only subnets,
2451.9 -> but the whole VPC still needs to have v4 and v6 addressing
2454.61 -> as the main CIDRs.
2456.26 -> So that's why in this request I need to do two calls.
2460.4 -> I'm asking for a v4 pool,
2462.56 -> address from a v4 pool,
2463.78 -> as well as an address from a v6 pool.
2467.01 -> And from that point onwards, I get my VPC created.
2470.49 -> It will have both IPv6 range as well as an IPv4 range.
2474.79 -> So we'll actually have presence in both scopes.
2477.13 -> I'm showing you just the public scope
2478.68 -> and the fact that the VPC of a size /56 was created.
2485.92 -> Okay, that's it for the walkthrough.
2488.45 -> If you're interested in kind of reviewing
2491.23 -> networking fundamentals,
2492.41 -> you want to learn more about VPC components and the basics,
2495.69 -> there was a NET201 session that already happened,
2498.01 -> but it's available on demand.
2500.211 -> If you want to go more into the advanced
2502.31 -> VPC design constructs
2504.19 -> and learn about what launches happened in the last year
2507.32 -> and during re:Invent, there's a session NET206
2510.17 -> that's still available tomorrow morning
2512.7 -> if you're still here.
2515.807 -> With that, I want to thank you very much for coming.
2517.63 -> Hopefully that was useful.
2519.27 -> Please provide us feedback.
2520.951 -> Shovan and I will actually read
2522.36 -> every single (chuckles) line of feedback,
2524.38 -> so we learn and we update our sessions.
2526.68 -> Cool, thank you.

Source: https://www.youtube.com/watch?v=xtLJgJfhPLg