You can use IP Address Manager (IPAM) scopes and IPAM pools to plan and allocate usable address segments. This helps you avoid CIDR overlaps and reduces the risk of IP address exhaustion.
An IPAM scope represents an independent IP address space. You can create different scopes to manage separate IP address spaces for different entities. Different scopes can contain overlapping CIDR blocks.
After you create an IPAM pool and provision a CIDR block within an IPAM scope, you can divide the usable address segments hierarchically based on factors such as region, department, or line-of-business.
You can share planned IPAM pools with multiple business accounts. These accounts can then allocate address resources from the shared pools.
Address planning design
CIDR design for IPAM pools
The CIDR design for IPAM pools allows for flexible and efficient management by dividing IP address segments into multiple levels based on factors such as region, department, or line-of-business.
Hierarchical planning: First, create large regional CIDR blocks. Then, you can subdivide them for different departments or lines-of-business to avoid IP address conflicts. This method allows network administrators to easily aggregate and allocate CIDR blocks, which simplifies network management and routing configuration.
Division logic: The hierarchical deployment design of IPAM pools is flexible. You can build multi-level, multi-region address planning solutions based on various factors such as region, department, line-of-business, or product. You can also configure corresponding security groups, network ACLs, and firewalls. The hierarchy depth cannot exceed 10 levels.
For example, a company plans to deploy multiple core services on Alibaba Cloud and use 10.0.0.0/8 as the total planned address space for its cloud network. The business architecture has the following characteristics: multi-region deployment, multi-environment deployment (each service has independent production, pre-release, and testing environments that are strictly isolated), and some services that require network connectivity. You can follow the CIDR design principles for IPAM pools to divide and allocate address segments hierarchically.
Network planning and design:
Confirm planning dimensions: Based on the business architecture, determine the planning levels, which are region, line-of-business, and business environment.
Reserve space for expansion: For regions, plan for three active regions and reserve space for five more. For lines-of-business, plan for six core lines-of-business within each region and reserve space for 10 more. For business environments, each line-of-business includes production, testing, and development environments.
Plan CIDRs hierarchically:
Divide the address space by region: To support eight regions, you must divide the space into eight address segments (2³ = 8). Therefore, the network mask for each regional address segment is /11 (/8 + 3). Example allocation: Allocate 10.0.0.0/11, 10.32.0.0/11, and 10.64.0.0/11 to the three active regions and reserve the remaining five address segments.
Divide by line-of-business and business environment: Following the same logic, the network mask for each line-of-business address segment is /15 (supports 16 lines-of-business, /11 + 4), and the network mask for each business environment address segment is /17 (supports three business environments, /15 + 2).
Implement address planning using IPAM:
Create a top-level pool: In the default private scope, create a top-level pool with the CIDR block 10.0.0.0/8.
Create regional pools: Under the 10.0.0.0/8 pool, create /11 sub-pools to represent each region.
Create line-of-business pools: Under each regional pool, create /15 sub-pools to represent each line-of-business.
Create business environment pools: Under each line-of-business pool, create /17 sub-pools for allocation. These pools can be shared with business accounts for creating VPCs or custom allocations.
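The carving rule used above (child mask = parent mask + ceil(log2(segments needed))) can be checked mechanically. The following Python script is an added example, not Alibaba Cloud code: it derives the /11, /15 and /17 masks from the segment counts in the walkthrough, carves 10.0.0.0/8 into regional, line-of-business and environment pools, leaves the reserved slots unassigned, and verifies that no two leaf pools overlap. The function names and the layout of the returned dictionary are assumptions for illustration; only the standard library is used.

```python
# Added example (not Alibaba Cloud code): carve a top-level CIDR into
# region / line-of-business / environment sub-pools as described in the
# walkthrough, then verify that the leaf pools are mutually disjoint.
import math
from ipaddress import IPv4Network, ip_network


def mask_for(parent_prefix: int, segments_needed: int) -> int:
    """Child prefix length that yields at least `segments_needed` equal
    subnets of a parent with prefix `parent_prefix`: parent + ceil(log2(n))."""
    if segments_needed < 1:
        raise ValueError("need at least one segment")
    return parent_prefix + math.ceil(math.log2(segments_needed))


def carve(parent: IPv4Network, segments_needed: int) -> list:
    """Split `parent` into equal subnets large enough to hold `segments_needed`."""
    prefix = mask_for(parent.prefixlen, segments_needed)
    if prefix > parent.max_prefixlen:
        raise ValueError(f"{parent} cannot be split into {segments_needed} segments")
    return list(parent.subnets(new_prefix=prefix))


def assert_disjoint(nets: list) -> None:
    """Raise if any two networks overlap; checking sorted neighbours suffices,
    because any overlapping pair implies an overlapping adjacent pair."""
    ordered = sorted(nets)
    for a, b in zip(ordered, ordered[1:]):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}")


def plan(top: str, active_regions: int, reserved_regions: int,
         lobs_per_region: int, reserved_lobs: int, envs_per_lob: int) -> dict:
    """Three-level plan: top pool -> regional pools -> line-of-business pools
    -> environment pools. Reserved slots are carved but left unassigned."""
    top_net = ip_network(top)
    regions = carve(top_net, active_regions + reserved_regions)
    pools, lob_prefix, env_prefix = {}, None, None
    for region in regions[:active_regions]:
        lobs = carve(region, lobs_per_region + reserved_lobs)
        lob_prefix = lobs[0].prefixlen
        pools[str(region)] = {}
        for lob in lobs[:lobs_per_region]:          # reserved LOB slots stay unused
            envs = carve(lob, envs_per_lob)
            env_prefix = envs[0].prefixlen
            # a /15 + 2 split yields four /17 blocks; only the first three are used
            pools[str(region)][str(lob)] = [str(e) for e in envs[:envs_per_lob]]
    leaves = [ip_network(e) for r in pools.values() for l in r.values() for e in l]
    assert_disjoint(leaves)
    return {
        "region_prefix": regions[0].prefixlen,
        "active_regions": [str(r) for r in regions[:active_regions]],
        "reserved_regions": [str(r) for r in regions[active_regions:]],
        "lob_prefix": lob_prefix,
        "env_prefix": env_prefix,
        "pools": pools,
        "leaf_pool_count": len(leaves),
    }


if __name__ == "__main__":
    import json
    # The walkthrough's numbers: 3 active + 5 reserved regions, 6 + 10 LOBs, 3 environments.
    print(json.dumps(plan("10.0.0.0/8", 3, 5, 6, 10, 3), indent=2))
```

Running the script with the walkthrough's numbers prints the /11 regional blocks, the /15 line-of-business blocks and the /17 environment blocks; changing the reserve counts shows immediately when a level no longer fits in its parent, which is the moment to revisit the plan rather than after pools have been provisioned.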
Independent business environments
Business environments, such as those for acquired companies or multi-tenant services, require independent management or a higher level of isolation. You can create multiple private scopes to manage different environments. Different scopes can have independent management policies and permission settings, and can contain overlapping CIDR blocks. However, you must evaluate whether network interconnection is required between these environments. Overlapping CIDR blocks can cause network conflicts during interconnection and require careful planning.
For example, consider a company acquisition scenario where Company A acquires Company B. The two companies may have overlapping IP address ranges. You can create separate scopes for each company to prevent conflicts in IPAM, even if their addresses overlap. You can also use each scope to understand the IP address allocation of each company. With this information, you can design appropriate network connectivity and routing models to ensure the network operates effectively after the acquisition and to avoid IP address conflicts.
Hybrid cloud and multi-cloud networking design
If you have a network architecture with hybrid cloud networking and multi-cloud deployments, you can create custom CIDR allocations in an IPAM pool. This reserves CIDR blocks for data centers and other cloud providers. This practice ensures that the reserved CIDR blocks are not allocated to other cloud resources, which prevents IP address conflicts between your cloud VPCs and the CIDR blocks of your data centers or other cloud providers.
Plan using IPAM scopes and pools
You can use IPAM scopes and IPAM pools to plan usable CIDR blocks.
After you create an IPAM, a public scope and a private scope are created by default. These scopes cannot be deleted.
Public scope: Supports the allocation of default Alibaba Cloud IPv6 address segments for service planning and resource allocation.
Private scope: Supports the allocation and use of IPv4 address segments. You can create different private scopes to independently manage different address spaces.
You can create different private scopes to independently manage separate IP address spaces for different entities with overlapping address ranges. This is suitable for scenarios such as company acquisitions, multi-tenant environments, or security isolation.
Create IPAM pools and divide address segments hierarchically based on region, department, or service:
Provision the CIDR blocks that you plan to manage and use in a top-level pool.
The CIDR blocks provisioned to pools in different IPAM scopes can overlap. Therefore, you must evaluate whether network interconnection is required between different environments. When networks are interconnected, overlapping CIDR blocks can cause access conflicts and require careful planning.
Within the same IPAM scope, you can create multiple top-level pools, but the CIDR blocks provisioned to these top-level pools cannot overlap.
Based on region or service, divide the planned CIDR blocks of the top-level pool to create multiple levels of IPAM sub-pools. This ensures that different environments use non-overlapping address ranges to avoid conflicts.
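To see what these rules mean in practice, the following Python model, added here and not Alibaba Cloud code, encodes them: top-level pools in one scope may not overlap each other, a sub-pool's CIDR must come from its source pool and may not overlap sibling sub-pools, and the same CIDR may be provisioned in two different scopes. A helper lists the cross-scope overlaps that would have to be resolved before interconnecting the two environments. The class and function names are assumptions; the two scopes model the Company A / Company B acquisition case described above.

```python
# Added example (not Alibaba Cloud code): a small model of the provisioning
# rules for scopes, top-level pools and sub-pools. Names are assumptions.
from ipaddress import ip_network


class IpamError(ValueError):
    """Raised when a provisioning request breaks one of the rules."""


class Scope:
    """An independent address space; CIDRs may overlap across scopes."""
    def __init__(self, name: str):
        self.name = name
        self.top_pools = []

    def all_cidrs(self):
        """Every CIDR provisioned to a top-level pool in this scope."""
        return [c for p in self.top_pools for c in p.cidrs]


class Pool:
    def __init__(self, name: str, scope: Scope, source=None):
        self.name, self.scope, self.source = name, scope, source
        self.cidrs = []        # provisioned CIDR blocks
        self.children = []     # sub-pools
        if source is None:
            scope.top_pools.append(self)
        else:
            source.children.append(self)


def provision(pool: Pool, cidr: str):
    """Provision `cidr` to `pool`, enforcing the same-scope and source-pool rules."""
    net = ip_network(cidr)
    if pool.source is None:
        # Top-level pools within one scope must not overlap each other.
        for other in pool.scope.top_pools:
            for existing in other.cidrs:
                if net.overlaps(existing):
                    raise IpamError(f"{net} overlaps {existing} in top-level pool {other.name}")
    else:
        # A sub-pool CIDR must be taken from its source pool ...
        if not any(net.subnet_of(src) for src in pool.source.cidrs):
            raise IpamError(f"{net} is not within source pool {pool.source.name}")
        # ... and must not overlap what sibling sub-pools already hold.
        for sibling in pool.source.children:
            if sibling is pool:
                continue
            for existing in sibling.cidrs:
                if net.overlaps(existing):
                    raise IpamError(f"{net} overlaps {existing} in sibling pool {sibling.name}")
    pool.cidrs.append(net)
    return str(net)


def is_rejected(pool: Pool, cidr: str) -> bool:
    """True if `provision` refuses the request."""
    try:
        provision(pool, cidr)
    except IpamError:
        return True
    return False


def interconnect_conflicts(a: Scope, b: Scope):
    """CIDR pairs that overlap between two scopes: fine while the scopes stay
    isolated, a routing conflict as soon as the environments are connected."""
    return [(str(x), str(y)) for x in a.all_cidrs() for y in b.all_cidrs() if x.overlaps(y)]
```

The `interconnect_conflicts` output is the list to work through before designing connectivity between the two companies' networks: every pair it returns is a range that cannot be routed between the scopes without renumbering or address translation.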
Console
Plan independent address spaces using IPAM scopes
Go to the IPAM console. In the top menu bar, select the region where you want to create the IPAM. This is the managed region of the IPAM.
Click Create IPAM. In addition to the managed region, you can add other regions under Effective Region. IPAM centrally manages address resources within all applicable regions. After an IPAM is created, you can add or remove applicable regions. However, the managed region cannot be removed.
By default, a public scope and a private scope are created. To create additional independent IPv4 address spaces, go to the IPAM Scope page and click Create Scope.
Create an IPAM pool to plan address segments
Go to the IPAM console - IPAM Pool page. At the top of the page, select the managed region for the IPAM and click Create IPAM Pool.
IPAM Scope: Select a scope based on the IP version of the address segment that you need to plan.
CIDR Range:
IPAM: Creates a top-level pool in the IPAM scope. Select this option when you first plan address segments for a service.
IPAM Pool: Creates a sub-pool using another IPAM pool as the Source IPAM Pool. You can select a CIDR block from the source pool to provision for the new sub-pool. Select this option to further subdivide an existing address space.
IP Version: The IP version for address segments in the IPAM Scope.
If you select a public scope, only IPv6 is supported. Select Assign BGP (Multi-ISP) for the IPv6 CIDR block type.
If you select a private scope, only IPv4 is supported.
Effective Region: A resource can be allocated an address from the pool only if the region of the resource is the same as the applicable region.
The applicable region must be within the scope of the IPAM's applicable regions and cannot be modified after it is set.
This parameter is required when you plan IPv6 address segments. A sub-pool inherits the applicable region from its source pool.
This parameter is optional when you plan IPv4 address segments. If the source pool has an applicable region set, the sub-pool inherits it. If the source pool does not have an applicable region set, the applicable region that you set for the sub-pool must be within the scope of the IPAM's applicable regions.
Automatically Import Discovered Resource: If you enable this feature, IPAM continuously uses resource discovery to find VPCs in the applicable region. It then imports resources whose CIDR blocks are within the current pool's range and are not yet allocated in IPAM for address management.
This parameter is effective only after you set an Effective Region. If an Effective Region is not set for the pool, you cannot enable Automatically Import Discovered Resource.
If IPAM discovers multiple overlapping CIDR blocks, it automatically imports only the largest one.
If IPAM discovers multiple identical CIDR blocks, it randomly imports only one of them.
After you create an IPAM pool instance, you can enable or disable auto import on the Details tab of its details page or on its Edit page.
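The three auto-import rules above (in range and not yet allocated, only the largest of overlapping blocks, only one of identical blocks) as an added Python example, not Alibaba Cloud code, run over a constructed list of discovered VPCs. The pool range, VPC IDs and CIDRs are made up for illustration. Where IPAM picks one of several identical blocks at random, the example keeps the first one discovered so the result is reproducible, and "already allocated" is treated as an exact CIDR match; both are assumptions.

```python
# Added example (not Alibaba Cloud code): which discovered VPCs auto import
# would take into a pool, with the reason for every VPC it leaves out.
from ipaddress import ip_network

# Constructed sample: (vpc_id, cidr) pairs as resource discovery might report them.
SAMPLE_DISCOVERED = [
    ("vpc-a", "10.0.0.0/20"),      # largest block in the pool range
    ("vpc-b", "10.0.0.0/24"),      # inside vpc-a's block -> only the largest is imported
    ("vpc-c", "10.0.16.0/24"),     # identical to vpc-d -> only one is imported
    ("vpc-d", "10.0.16.0/24"),
    ("vpc-e", "192.168.0.0/24"),   # outside the pool range
    ("vpc-f", "10.0.32.0/24"),     # already allocated in IPAM
]


def select_for_import(pool_cidrs, discovered_vpcs, already_allocated):
    """Return {'import': [(vpc_id, cidr)], 'skipped': [(vpc_id, cidr, reason)]}."""
    pool = [ip_network(c) for c in pool_cidrs]
    allocated = {ip_network(c) for c in already_allocated}
    candidates, skipped = [], []
    for vpc_id, cidr in discovered_vpcs:
        net = ip_network(cidr)
        if not any(net.subnet_of(p) for p in pool):
            skipped.append((vpc_id, cidr, "outside the pool's provisioned range"))
        elif net in allocated:      # assumption: exact match means already allocated
            skipped.append((vpc_id, cidr, "already allocated in IPAM"))
        else:
            candidates.append((vpc_id, net))
    # Largest blocks first (shortest prefix); the stable sort keeps discovery
    # order for identical blocks, so the first one discovered wins the tie.
    candidates.sort(key=lambda item: (item[1].prefixlen, item[1].network_address))
    kept = []
    for vpc_id, net in candidates:
        clash = next((k for k in kept if k[1].overlaps(net)), None)
        if clash is None:
            kept.append((vpc_id, net))
        elif clash[1] == net:
            skipped.append((vpc_id, str(net), f"identical to {clash[0]}; only one imported"))
        else:
            skipped.append((vpc_id, str(net), f"overlaps larger block {clash[1]} of {clash[0]}"))
    return {"import": [(v, str(n)) for v, n in kept], "skipped": skipped}


if __name__ == "__main__":
    result = select_for_import(["10.0.0.0/16"], SAMPLE_DISCOVERED, ["10.0.32.0/24"])
    for vpc_id, cidr in result["import"]:
        print("import ", vpc_id, cidr)
    for vpc_id, cidr, reason in result["skipped"]:
        print("skip   ", vpc_id, cidr, "-", reason)
```

The "skipped" list is the part worth reviewing after enabling auto import: a VPC dropped because a larger overlapping block was imported, or because it duplicated another VPC's CIDR, is exactly the kind of pre-existing conflict the pool was created to surface.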
Provision CIDR Block: You can allocate CIDRs to resources only from an IPAM pool that has a provisioned CIDR block.
For an IPv6 top-level pool, you can only select an address mask to provision one CIDR block. For an IPv4 top-level pool, you can only enter address segments to provision multiple CIDR blocks.
For a sub-pool, you can provision multiple CIDR blocks by entering address segments, selecting an address mask, or selecting an allocatable portion of the source pool in the visualization interface.
After you create an IPAM pool, you can provision CIDR blocks on the CIDR tab of the IPAM pool instance details page.
Allocate Rule: When you allocate a CIDR block to a resource from the pool, the mask length must be between the minimum and maximum network mask lengths. If no mask length is specified, the default network mask length is used.
The value range for the minimum, default, and maximum network mask lengths for an IPv6 address pool is 0 to 128. For an IPv4 address pool, it is 0 to 32.
You can modify these rules on the Compliance Rules tab of the IPAM pool instance details page.
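As an added Python example (not Alibaba Cloud code) of how the allocation rule and custom allocations interact: the pool enforces the minimum, default and maximum mask lengths, uses the default length when no mask is requested, hands out the first free block of the requested size, and treats custom allocations, such as the data-center or other-cloud reservation described in the hybrid cloud section above, as occupied space that VPC allocations may not overlap. The class and method names, the /17 pool and the 20/24/28 rule are assumptions for illustration.

```python
# Added example (not Alibaba Cloud code): allocation from a provisioned pool
# under a min/default/max mask rule, with custom allocations reserving space.
from ipaddress import ip_network


class AllocationError(ValueError):
    """Raised when an allocation request violates the pool's rules."""


class AllocationRule:
    """Minimum, default and maximum mask lengths; 0-32 for IPv4, 0-128 for IPv6."""
    def __init__(self, min_len: int, default_len: int, max_len: int, ip_version: int = 4):
        limit = 32 if ip_version == 4 else 128
        if not 0 <= min_len <= default_len <= max_len <= limit:
            raise ValueError(f"mask lengths must satisfy 0 <= min <= default <= max <= {limit}")
        self.min_len, self.default_len, self.max_len = min_len, default_len, max_len

    def check(self, prefix_len: int) -> None:
        if not self.min_len <= prefix_len <= self.max_len:
            raise AllocationError(f"/{prefix_len} is outside /{self.min_len}-/{self.max_len}")


class AllocationPool:
    def __init__(self, provisioned_cidrs, rule: AllocationRule):
        self.cidrs = [ip_network(c) for c in provisioned_cidrs]
        self.rule = rule
        self.allocations = []   # (kind, owner, network); kind is "vpc" or "custom"

    def _free(self, net) -> bool:
        return not any(net.overlaps(a) for _, _, a in self.allocations)

    def _first_free(self, prefix_len: int):
        for block in self.cidrs:
            if prefix_len < block.prefixlen:
                continue            # requested block is larger than this provisioned CIDR
            for cand in block.subnets(new_prefix=prefix_len):
                if self._free(cand):
                    return cand
        raise AllocationError(f"no free /{prefix_len} left in the pool")

    def allocate(self, kind: str, owner: str, prefix_len=None, cidr=None) -> str:
        """Allocate by explicit CIDR, or by mask length (default length if none given)."""
        if cidr is not None:
            net = ip_network(cidr)
            self.rule.check(net.prefixlen)
            if not any(net.subnet_of(c) for c in self.cidrs):
                raise AllocationError(f"{net} is not within the pool")
            if not self._free(net):
                raise AllocationError(f"{net} overlaps an existing allocation")
        else:
            prefix_len = self.rule.default_len if prefix_len is None else prefix_len
            self.rule.check(prefix_len)
            net = self._first_free(prefix_len)
        self.allocations.append((kind, owner, net))
        return str(net)

    def release(self, owner: str) -> int:
        """Release every allocation held by `owner`, e.g. when its VPC is deleted."""
        before = len(self.allocations)
        self.allocations = [a for a in self.allocations if a[1] != owner]
        return before - len(self.allocations)

    def rejects(self, **request) -> bool:
        """True if `allocate(**request)` would be refused."""
        try:
            self.allocate(**request)
        except AllocationError:
            return True
        return False


if __name__ == "__main__":
    pool = AllocationPool(["10.0.0.0/17"], AllocationRule(20, 24, 28))
    print(pool.allocate("custom", "dc-onprem", cidr="10.0.0.0/20"))   # reserve for the data center
    print(pool.allocate("vpc", "vpc-prod"))                           # default /24 -> 10.0.16.0/24
    print(pool.allocate("vpc", "vpc-test", prefix_len=22))            # first free /22 -> 10.0.20.0/22
```

A request that falls outside the rule (a /30 or a /16 against the 20/24/28 rule) is refused before any space is searched, and a VPC request for a block inside the reserved data-center range is refused because the custom allocation occupies it; releasing that reservation makes the range allocatable again.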
For a pool with a provisioned CIDR block, you can create a sub-pool or create a VPC with IPAM planning.
Deprovision a CIDR block
Before you deprovision a CIDR block, make sure that it has no addresses allocated to VPCs or IPAM pools and that no custom allocations exist. Click the ID of the target pool instance or click Manage in the Actions column. On the CIDR tab, find the target CIDR block and click Deprovision in the Actions column.
Delete an IPAM pool
Before you delete a pool, make sure all its provisioned CIDR blocks have been deprovisioned. In the Actions column for the pool or on its details page, click Delete.
Delete an IPAM scope
The two default scopes cannot be deleted. To delete a custom scope, you must first delete all IPAM pools within it, and then click Delete in the Actions column or on the scope's details page.
Delete an IPAM
Before deleting an IPAM, ensure that all its IPAM pools and custom scopes have been deleted. In the Actions column for the target IPAM or on its details page, click Delete.
API
Plan independent address spaces using IPAM scopes
Call OpenVpcIpamService to activate IPAM.
Call CreateIpam to create an IPAM.
Call CreateIpamScope to create a private IPAM scope.
Create an IPAM pool and provision a CIDR block
Call CreateIpamPool to create an IPAM pool.
Call AddIpamPoolCidr to provision a CIDR block to the IPAM pool.
Clean up resources
Call DeleteIpamPoolCidr to delete a CIDR block that is provisioned to an IPAM pool.
Call DeleteIpamPool to delete an IPAM pool.
Call DeleteIpamScope to delete a custom IPAM scope.
Call DeleteIpam to delete an IPAM.
Terraform
Resources: alicloud_vpc_ipam_service, alicloud_vpc_ipam_ipam, alicloud_vpc_ipam_ipam_scope, alicloud_vpc_ipam_ipam_pool, alicloud_vpc_ipam_ipam_pool_cidr
# Specify the region where you want to create the IPAM.
provider "alicloud" {
  region = "cn-hangzhou"
}

# If you are using IPAM for the first time, you must activate the IPAM service.
resource "alicloud_vpc_ipam_service" "example_ipam_service" {
}

# Create an IPAM.
resource "alicloud_vpc_ipam_ipam" "example_ipam" {
  ipam_name             = "example_ipam_name"
  operating_region_list = ["cn-hangzhou"] # Specify the applicable region of the IPAM.
}

# Create an IPAM scope.
resource "alicloud_vpc_ipam_ipam_scope" "example_ipam_scope" {
  ipam_scope_name = "example_ipam_scope_name"
  ipam_id         = alicloud_vpc_ipam_ipam.example_ipam.id
  ipam_scope_type = "private" # A private scope.
}

# Create an IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_parentIpamPool" {
  ipam_scope_id  = alicloud_vpc_ipam_ipam_scope.example_ipam_scope.id # Specify the scope of the IPAM pool.
  ipam_pool_name = "example_parentIpamPool_name"
  pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id # Specify the applicable region of the IPAM pool.
  ip_version     = "IPv4" # Specify the IP version of the IPAM pool.
}

# Allocate a CIDR block to the IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_ipamPoolCidr" {
  cidr         = "10.0.0.0/16" # Specify the CIDR block.
  ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the IPAM pool.
}

# Create an IPAM sub-pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_childIpamPool" {
  ipam_pool_name      = "example_childIpamPool_name"
  ipam_scope_id       = alicloud_vpc_ipam_ipam_scope.example_ipam_scope.id # Specify the scope of the IPAM pool.
  pool_region_id      = alicloud_vpc_ipam_ipam.example_ipam.region_id # Specify the applicable region of the IPAM pool.
  source_ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id # Specify the ID of the source IPAM pool.
  ip_version          = "IPv4" # Specify the IP version of the IPAM pool.
}

# Allocate a CIDR block to the IPAM sub-pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_childIpamPoolCidr" {
  cidr         = "10.0.0.0/24" # Specify the CIDR block.
  ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_childIpamPool.id # Specify the ID of the IPAM pool.
}

Share planned pools with multiple accounts
A network administrator can share an address pool with a business account (the principal). The business account can then use the shared pool to allocate addresses to VPCs or create custom allocations.
Share resources with any Alibaba Cloud account: The principal must accept the resource sharing invitation.
Share within a resource directory: The principal does not need to confirm the invitation and accepts it by default.
Console
This section describes how to share an IPAM pool with any account. For more information about sharing within a resource directory, see Share resources only within a resource directory.
Share an IPAM pool
Log on as the pool owner and go to the IPAM console - IPAM Pool page. At the top of the page, select the region where the target pool is located. Click the ID of the target pool instance or click Manage in the Actions column. On the Sharing Management tab, click Create Resource Share.
On the Create Resource Share page, follow the steps to configure resource sharing.
Set Resources to IPAM Pool and select the IPAM pool to share.
The permission for IPAM pool resources is AliyunRSDefaultPermissionIpamPool.
For Principal Scope, select All Accounts. For Method, select Add Manually. In the Principal ID field, enter the Alibaba Cloud account ID of the pool's principal, and then click Add.
After you verify the configuration, click OK at the bottom of the page.
Log on using the pool principal's account to accept the sharing invitation:
Go to the Resource Sharing - Shared To Me page of the Resource Management console.
In the top-left corner of the top menu bar, select the region where the shared resource is located. Then, click Accept in the Status column of the target resource share.
After the resource is shared, the principal can view it on the Pools Shared with Me tab of the IPAM Pool page. The principal can use this pool to plan and create a VPC with IPAM or to create custom allocations.
Stop sharing
Log on with the pool owner's account. On the Sharing Management tab of the IPAM Pool details page, click the ID of the target Resource Share that you want to delete. On its details page, select Delete Resource Share.
After you stop sharing, the pool principal can no longer view the pool, but address allocations created using the shared pool are not affected. When the created VPC is deleted, the corresponding pool allocation is released.
The pool owner can manage the pool's allocations, including releasing VPC-type allocations and custom allocations created by the pool principal.
API
Share an IPAM pool
Method 1: Share with any account
Using the identity credentials of the pool owner, call CreateResourceShare to create a resource share, and make sure to set the AllowExternalTargets parameter to True.
Using the identity credentials of the pool principal, first call ListResourceShareInvitations to query the received resource sharing invitations, and then call AcceptResourceShareInvitation to accept the invitation.
Method 2: Share only within a resource directory
Using the identity credentials of the management account of the resource directory, call EnableSharingWithResourceDirectory to enable resource sharing for the resource directory.
Using the identity credentials of the pool principal, call CreateResourceShare to create a resource share, and make sure to set the AllowExternalTargets parameter to True.
Stop sharing
Using the identity credentials of the pool owner, call DeleteResourceShare to delete the resource share.
Terraform
Terraform does not currently support sharing IPAM pools.
More information
Billing
The IP Address Manager (IPAM) feature is in public preview and is free to use during this period.
Quota limits
| Quota name | Description | Default limit | Increase quota |
| --- | --- | --- | --- |
| ipam_quota_per_region | The number of IPAMs that a user can create in each region. | 1 | Cannot be increased |
| ipam_scope_quota_per_ipam | The number of IPAM scopes that can be created in each IPAM. | 5 | |
| ipam_pool_quota_depth | The maximum depth of each address pool. | 10 | |
| ipam_cidr_quota_per_ipam_pool | The number of CIDR blocks that can be provisioned in each address pool. | 50 | |
| ipam_sub_pool_quota_per_ipam_pool | The number of sub-pools that can be created in each address pool. | 50 | |
| ipam_pool_quota_per_scope | The number of address pools that can be created in each private IPAM scope. | 500 | |
| resource_share_quota_per_ipam_pool | The number of resource shares that can be created for each IPAM pool. | 100 | |
| shared_ipam_pool_quota_per_user | The number of shared address pools that each user can have. | 100 | |
| ipam_public_ipv6_top_pool_quota_per_region_isp | The number of public IPv6 IPAM top-level pools of each ISP type that a user can create in each region. | 1 | |
| ipam_cidr_quota_per_public_ipv6_top_pool | The number of CIDR blocks that a user can provision for a public IPv6 IPAM top-level pool in each region. | 1 | |