Bring your own IP addresses (BYOIP) & Bring your ASN to AWS IPAM

Introduction to BYOAS and BYOIP on AWS

Aman Ullah Juman
Apr 20, 2024
Bring Your Own AS on AWS

Amazon Web Services (AWS) lets you bring your own Autonomous System Number (BYOASN, called BYOAS below) and your own IP address ranges (BYOIP), so that prefixes you hold from a regional Internet registry (RIR) can be provisioned, advertised and consumed inside AWS. This guide covers the steps to provision your AS and IP subnet using Amazon VPC IP Address Manager (IPAM).

Preparing Your Certificate and ROA

To start, you need a self-signed X.509 certificate and a Route Origin Authorization (ROA). The certificate on its own proves nothing: it becomes proof of control once it is published in the RDAP (WHOIS) record of the IP range and of the ASN at your RIR, which is where AWS looks for it during provisioning. The matching private key is what later signs the provisioning messages, so it is effectively the credential for the whole range: keep it encrypted and limit who can use it.

  1. Generate the Certificate:
  • Using OpenSSL, create a passphrase-protected private key and a self-signed X.509 certificate, then print the certificate so you can paste it into the RDAP record:
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem
openssl req -new -x509 -key private-key.pem -days 365 -out certificate.pem
cat certificate.pem
  • Create a ROA: In your RIR’s RPKI portal, create a Route Origin Authorization (ROA) for the address range that authorizes Amazon’s ASNs 16509 and 14618 to originate it, plus your own ASN if you plan to announce the range from AWS with BYOAS. Set the maximum length so that it covers the most specific prefix you will provision. AWS validates the ROA before it will provision or advertise the CIDR, and a new ROA can take up to 24 hours to become visible to Amazon, so create it before you start in IPAM.

Provisioning Your AS and IP Subnet with AWS IPAM

Once you have your certificate and ROA, you can proceed with AWS IPAM to provision your AS and IP Subnet.

Provisioning Your Autonomous System (AS)

  1. Access AWS IPAM:
  • Open the AWS Console and navigate to Amazon VPC IP Address Manager (IPAM).

2. Create IPAM and Provision BYOASN:

  • Select “Create IPAM” and then go to “BYOASNs” > “Provision BYOASN.”
  • Enter your AS number to initiate provisioning.
  • AWS generates a message for you to sign. Its fields are the format version, the literal aws, your 12-digit account ID, the ASN, an expiry date (YYYYMMDD) after which the signed message is no longer accepted, and the hash and signature scheme:
text_message="1|aws|123456789012|654321|20240630|SHA256|RSAPSS"
  • Sign the message with OpenSSL. The command produces an RSA-PSS signature over SHA-256 (salt length equal to the digest length) and then rewrites the base64 alphabet the way AWS expects (+ to -, = to _, / to ~) on a single line:
signed_message=$( echo -n "$text_message" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
  • Paste the resulting signature into AWS. IPAM verifies it against the certificate published in the ASN’s RDAP record; this completes the AS provisioning process.

Creating IP Pools and Provisioning BYOIP

Next, you’ll create an IP pool and provision your IP subnet:

  1. Create a Pool in IPAM:
  • In the IPAM section, select “Pools” > “Create Pool.”
  • Choose the public scope and select the appropriate IP address family (IPv4 or IPv6). Pick your region and set the service to “EC2/VPC.” For the public IP source, choose “BYOIP.” Enable “Advertisability Allowed.”

2. Add Your CIDR:

  • Enter the CIDR of your IP subnet. IPAM generates a second message in the same format, with the CIDR in place of the ASN (the prefix below is a documentation example):
text_message="1|aws|123456789012|2001:db8:1234::/48|20240630|SHA256|RSAPSS"
  • Sign this message with the same private key and the same OpenSSL command:
signed_message=$( echo -n "$text_message" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
  • Copy the signature into AWS and submit. The CIDR stays in the pending-provision state while AWS validates the signature against the RDAP record and the ROA; if either is missing or has not propagated yet, the CIDR ends up in the failed-provision state and you have to fix the record and provision again.
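The certificate, BYOASN and BYOIP signing steps above, put together as one script. This is an added example, not code from the original post: it generates the same key and certificate, builds both messages in the format IPAM shows, signs them exactly as the console commands do, and then verifies each signature locally with the public key from the certificate before you paste it in, so a wrong key file or a mangled message fails here rather than inside AWS. It assumes OpenSSL 1.1 or newer on PATH; the BYOIP_KEY_PASS and WORKDIR environment variables, the account ID, ASN, prefix and expiry date are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: create the self-signed
# certificate, sign the BYOASN and BYOIP messages the way AWS expects, and
# verify each signature locally before it goes into the IPAM console.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # assumed env var; holds key material
KEY="$WORKDIR/private-key.pem"
CERT="$WORKDIR/certificate.pem"
PUB="$WORKDIR/public-key.pem"
# Passphrase for the encrypted private key, taken from the environment
# (assumed variable) so it does not sit in interactive shell history.
PASS="${BYOIP_KEY_PASS:-example-passphrase-change-me}"

# Same key and certificate the post creates, with passphrase and subject
# supplied non-interactively. The certificate is what goes into the RDAP record.
make_cert() {
    openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -pass "pass:$PASS" -out "$KEY" 2>/dev/null
    openssl req -new -x509 -key "$KEY" -passin "pass:$PASS" -days 365 \
        -subj "/CN=byoip-example" -out "$CERT" 2>/dev/null
    openssl x509 -in "$CERT" -pubkey -noout > "$PUB"
}

# AWS message layout: version|aws|account-id|resource|expiry(YYYYMMDD)|SHA256|RSAPSS
# where resource is the ASN for BYOASN or the CIDR for BYOIP.
build_message() {
    printf '1|aws|%s|%s|%s|SHA256|RSAPSS' "$1" "$2" "$3"
}

# RSA-PSS over SHA-256 with salt length = digest length, then AWS's URL-safe
# base64 alphabet (+ -> -, = -> _, / -> ~) on a single line.
sign_message() {
    printf '%s' "$1" \
        | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
            -sign "$KEY" -passin "pass:$PASS" -keyform PEM \
        | openssl base64 | tr -- '+=/' '-_~' | tr -d '\n'
}

# Reverse the alphabet substitution and verify against the public key taken
# from the certificate. Exit status 0 means the signature matches the message.
verify_message() {
    sigfile="$WORKDIR/sig.bin"
    printf '%s' "$2" | tr -- '-_~' '+=/' | openssl base64 -d -A > "$sigfile"
    printf '%s' "$1" \
        | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
            -verify "$PUB" -signature "$sigfile" >/dev/null 2>&1
}

# Produce both signatures the console asks for; refuse to print one that
# does not verify. All values below are placeholders.
ACCOUNT_ID=123456789012
ASN=654321
CIDR=2001:db8:1234::/48        # documentation prefix
EXPIRY=20240630                # must be a future date when you actually sign

make_cert
for resource in "$ASN" "$CIDR"; do
    msg=$(build_message "$ACCOUNT_ID" "$resource" "$EXPIRY")
    sig=$(sign_message "$msg")
    verify_message "$msg" "$sig" || { echo "self-check failed for $resource" >&2; exit 1; }
    printf '%s\n%s\n\n' "$msg" "$sig"
done
echo "private key and certificate written to $WORKDIR" >&2
```

The verification step is the part worth keeping around: the console only tells you that a signature was rejected, while verify_message tells you whether the problem is the key, the message text (a stray newline from echo is the usual culprit, which is why the script uses printf) or the alphabet substitution.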

Provisioning Your CIDR Block and Associating with BYOASN

A provisioned CIDR is originated by Amazon’s ASNs by default. If you want the prefix announced from your own ASN instead, associate the CIDR with the BYOASN you provisioned earlier:

Manage BYOASN Associations:

  • In AWS IPAM, navigate to the “CIDR” section and select the CIDR block you provisioned.
  • Click on “Action” and select “Manage BYOASN associations.”
  • Choose your AS from the list and click “Associate.”

Advertise the CIDR Block:

  • Provisioning and advertising are separate steps: a provisioned CIDR is not announced to the Internet until you advertise it.
  • Click on “Action” and select “Advertise.” Choose the ASN that should originate the announcement: an Amazon ASN, or your own if you associated it in the previous step.

At this point AWS starts advertising your CIDR block; it may take a few hours for the route to propagate. If the range is still announced from your current provider, plan the cutover: configure the AWS resources that will use the addresses first, then withdraw the old announcement and advertise from AWS at the same time, so the prefix is not originated from two networks at once.

Using Your Provisioned CIDR Block in AWS

After your CIDR block has been successfully advertised, you can use it within your AWS environment. Here’s how to incorporate your BYOIP into Virtual Private Clouds (VPCs) and Elastic IPs:

Add CIDR to a VPC:

  • Select a VPC from your AWS account and click “Edit CIDRs.”
  • Choose to add an IPv4 or IPv6 CIDR and select your IP block from the list managed by IPAM.

Using Your BYOIP in EC2 Instances:

  • Once the CIDR block is associated with a VPC, create subnets in it and launch EC2 instances into them; the instances receive addresses from your range through the subnet.
  • When launching an EC2 instance, select “Network Settings,” choose the VPC and a subnet carved from your BYOIP CIDR, and assign an address from that range.

Assigning Elastic IPs:

  • If you need Elastic IPs, you can allocate them from your IPAM pool.
  • In the “Elastic IP” section, choose “Allocate new address” and select your IP pool from IPAM.
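The console steps from “Provision BYOASN” through “Allocate new address”, done with the AWS CLI so they can be scripted, reviewed and repeated. This is an added example and not code from the original post: it covers provisioning the ASN and the CIDR, waiting for the CIDR to reach the provisioned state (where a missing ROA or RDAP entry shows up as failed-provision), the optional BYOASN association, advertising, and consuming the range as Elastic IPs or as an IPv6 VPC CIDR. The IPAM, pool and VPC IDs, the ASN, the CIDR, and the message/signature pairs are placeholders; the pairs are the output of the signing step. AWS_CLI, AWS_REGION and BYOIP_RUN are assumed environment variables, and setting AWS_CLI to another command (for example echo) prints the calls instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the original post: the IPAM BYOASN/BYOIP
# provisioning, association, advertisement and allocation steps via the AWS CLI.
set -eu

AWS_CLI="${AWS_CLI:-aws}"                # assumed env var; set to "echo" for a dry run
AWS_REGION="${AWS_REGION:-us-east-1}"    # region that hosts the IPAM and the pool

aws_ec2() { "$AWS_CLI" ec2 --region "$AWS_REGION" "$@"; }

# 1. Prove control of the ASN with the signed message from the signing step.
provision_byoasn() {   # ipam_id asn message signature
    aws_ec2 provision-ipam-byoasn --ipam-id "$1" --asn "$2" \
        --asn-authorization-context "Message=$3,Signature=$4"
}

# 2. Provision the CIDR into the public-scope BYOIP pool.
provision_cidr() {     # pool_id cidr message signature
    aws_ec2 provision-ipam-pool-cidr --ipam-pool-id "$1" --cidr "$2" \
        --cidr-authorization-context "Message=$3,Signature=$4"
}

# 3. Poll until the CIDR is "provisioned". A missing or not-yet-propagated
#    ROA or RDAP entry surfaces here as "failed-provision".
wait_provisioned() {   # pool_id cidr
    while :; do
        state=$(aws_ec2 get-ipam-pool-cidrs --ipam-pool-id "$1" \
            --query "IpamPoolCidrs[?Cidr=='$2'].State" --output text)
        case "$state" in
            provisioned)      return 0 ;;
            failed-provision) echo "provisioning of $2 failed" >&2; return 1 ;;
        esac
        sleep 60
    done
}

# 4. Optional: tie the CIDR to your own ASN so it can originate the route.
associate_asn() {      # asn cidr
    aws_ec2 associate-ipam-byoasn --asn "$1" --cidr "$2"
}

# 5. Announce the prefix; --asn picks the origin ASN (omit it for Amazon's).
advertise_cidr() {     # cidr [asn]
    if [ $# -ge 2 ]; then
        aws_ec2 advertise-byoip-cidr --cidr "$1" --asn "$2"
    else
        aws_ec2 advertise-byoip-cidr --cidr "$1"
    fi
}

# 6a. IPv4: consume the range as Elastic IPs allocated from the pool.
allocate_eip() {       # pool_id -> prints the AllocationId
    aws_ec2 allocate-address --ipam-pool-id "$1" --query AllocationId --output text
}

# 6b. IPv6: attach a block from the pool to a VPC as an additional CIDR.
attach_ipv6_cidr() {   # vpc_id pool_id [netmask_length]
    aws_ec2 associate-vpc-cidr-block --vpc-id "$1" \
        --ipv6-ipam-pool-id "$2" --ipv6-netmask-length "${3:-56}"
}

# Placeholder run: export BYOIP_RUN=1 plus ASN_MESSAGE, ASN_SIGNATURE,
# CIDR_MESSAGE and CIDR_SIGNATURE after filling in real IDs.
if [ "${BYOIP_RUN:-0}" = 1 ]; then
    IPAM_ID=ipam-0123456789abcdef0
    POOL_ID=ipam-pool-0123456789abcdef0
    ASN=654321
    CIDR=2001:db8:1234::/48
    provision_byoasn "$IPAM_ID" "$ASN" "$ASN_MESSAGE" "$ASN_SIGNATURE"
    provision_cidr "$POOL_ID" "$CIDR" "$CIDR_MESSAGE" "$CIDR_SIGNATURE"
    wait_provisioned "$POOL_ID" "$CIDR"
    associate_asn "$ASN" "$CIDR"
    advertise_cidr "$CIDR" "$ASN"
    attach_ipv6_cidr vpc-0123456789abcdef0 "$POOL_ID"
fi
```

Because every call goes through aws_ec2, the same script can be pointed at a wrapper that only prints the commands, which is a convenient way to review exactly which ASN a prefix will be advertised from before anything touches the routing table.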

Conclusion

AWS’s BYOAS and BYOIP features offer significant flexibility and control over your network infrastructure. By following these steps, you can integrate your AS and IP subnets with AWS, allowing you to manage and use these resources across the AWS network. With your IPs provisioned and advertised, you’re ready to deploy services on AWS using your custom IP addresses.
