IP Address Manager (IPAM) uses scopes and pools to give you a centralized, hierarchical view of your IP address space. Plan your CIDR blocks in IPAM to prevent address conflicts, avoid IP exhaustion, and allocate addresses to VPCs in a controlled way.
An IPAM scope defines an independent IP address space. Create separate scopes to manage distinct address spaces for different entities — scopes can contain overlapping CIDR blocks without conflict.
An IPAM pool holds provisioned CIDR blocks within a scope. Nest pools up to 10 levels deep to represent geographic regions, lines of business, or deployment environments.
Share pools with other Alibaba Cloud accounts so that each account can allocate addresses from a controlled range without modifying the pool itself.
Two terms appear throughout this document. Provision means adding a CIDR block to an IPAM pool. Allocate means associating a CIDR block from a pool with a resource such as a VPC.
Address planning design
CIDR design for IPAM pools
Structure your pools to mirror your organization. A typical hierarchy divides address space from large to small: a top-level pool covers the total planned space, regional pools carve it into geographic segments, line-of-business pools subdivide each region, and environment pools (production, pre-release, testing) sit at the lowest level.
This hierarchy provides two benefits:
Prevents overlap — sub-pools can only provision CIDR blocks from their parent, so address ranges stay non-overlapping within a scope.
Simplifies routing and ACLs — contiguous CIDR blocks at each level make it straightforward to write routing rules and security group policies that summarize entire regions or business units.
The maximum pool depth is 10 levels.
Example: multi-region, multi-environment enterprise
Consider a company deploying core services on Alibaba Cloud with 10.0.0.0/8 as the total address space. The business has three active regions (with five more reserved), six core lines of business per region (with ten more reserved), and three environments per line of business (production, testing, development).
Step 1: Calculate the required mask lengths
| Dimension | Capacity needed | Bits added | Resulting mask |
|---|---|---|---|
| Region | 8 (3 active + 5 reserved) | /8 + 3 | /11 |
| Line of business | 16 (6 active + 10 reserved) | /11 + 4 | /15 |
| Environment | 3 | /15 + 2 | /17 |
Step 2: Assign addresses
Region allocations:
10.0.0.0/11,10.32.0.0/11,10.64.0.0/11(3 active), with five/11blocks reserved for future regions.Under each regional
/11, create/15sub-pools for each line of business.Under each line-of-business
/15, create/17sub-pools for each environment.
Step 3: Implement in IPAM
In the default private scope, create a top-level pool with
10.0.0.0/8.Under the top-level pool, create
/11sub-pools for each region.Under each regional pool, create
/15sub-pools for each line of business.Under each line-of-business pool, create
/17sub-pools for each environment. Share these pools with the business accounts that create VPCs.
Independent business environments
When two environments must stay completely isolated — for example, after a company acquisition where both organizations have overlapping IP ranges — create a separate private scope for each environment. Each scope has its own management policies and permission settings, and overlapping CIDR blocks across scopes don't cause conflicts within IPAM.
Overlapping CIDR blocks across scopes do cause routing conflicts if you later connect those networks. Before creating separate scopes with overlapping ranges, decide whether the environments will ever need to interconnect, and design your routing model accordingly.
In an acquisition scenario, creating one scope per company lets you see each company's full allocation picture independently. With that visibility, you can identify overlaps and design the network connectivity and routing model needed to merge the networks safely.
Hybrid cloud and multi-cloud networking
In a hybrid cloud or multi-cloud architecture, on-premises data centers and other cloud providers already occupy certain CIDR blocks. To prevent those ranges from being accidentally allocated to Alibaba Cloud VPCs, create custom allocations in your IPAM pool to reserve the relevant CIDR blocks. Reserved CIDRs remain visible in IPAM's allocation view but are not available for automatic assignment to cloud resources.
Plan using IPAM scopes and pools
How it works
Create an IPAM. A public scope and a private scope are created automatically and cannot be deleted.
Public scope — allocates default Alibaba Cloud IPv6 CIDR blocks for service planning.
Private scope — allocates IPv4 CIDR blocks. Create additional private scopes to manage separate IPv4 address spaces for entities with overlapping ranges (acquisitions, multi-tenant environments, security isolation).
Create a top-level pool in the appropriate scope and provision the CIDR blocks you want to manage.
Within the same scope, multiple top-level pools can coexist, but their provisioned CIDR blocks cannot overlap.
Pools in different scopes can have overlapping CIDR blocks.
Create sub-pools under the top-level pool, organized by region, department, or service. Each sub-pool inherits its address space from its parent, keeping address ranges non-overlapping within a scope.
Console
Plan independent address spaces using IPAM scopes
Go to the IPAM console. In the top menu bar, select the region where you want to create the IPAM (the managed region).
Click Create IPAM. Add one or more Effective Region values in addition to the managed region. IPAM centrally manages address resources in all effective regions. After creation, you can add or remove effective regions, but the managed region cannot be removed.
To create additional independent IPv4 address spaces, go to the IPAM Scope page and click Create Scope.
Create an IPAM pool and provision CIDR blocks
Go to the IPAM console - IPAM Pool page. Select the managed region and click Create IPAM Pool.
Configure the following parameters:
| Parameter | Description |
|---|---|
| IPAM Scope | Select a scope that matches the IP version you need to plan. |
| CIDR Range | Select IPAM to create a top-level pool, or select IPAM Pool and specify a Source IPAM Pool to create a sub-pool. |
| IP Version | Determined by the scope type. Public scope: IPv6 only (use Assign BGP (Multi-ISP) for the CIDR type). Private scope: IPv4 only. |
| Effective Region | Resources can only be allocated from the pool if their region matches this setting. Required for IPv6 pools. Optional for IPv4 pools — if the source pool has an effective region set, the sub-pool inherits it. Cannot be changed after creation. |
| Automatically Import Discovered Resource | When enabled, IPAM uses resource discovery to find VPCs in the effective region and imports those whose CIDRs fall within the pool's range but are not yet tracked. Requires Effective Region to be set. If multiple overlapping CIDRs are discovered, only the largest is imported; if multiple identical CIDRs are discovered, only one is imported at random. |
| Provision CIDR Block | Allocations to resources can only be made from pools that have provisioned CIDR blocks. For a top-level IPv6 pool, select an address mask to provision one block. For a top-level IPv4 pool, enter one or more CIDR blocks. For sub-pools, enter CIDR blocks, select an address mask, or use the visualization interface to select from the source pool. |
| Allocation Rule | Sets the minimum, default, and maximum network mask lengths for allocations from this pool. Range: 0–128 for IPv6, 0–32 for IPv4. Modify these rules later on the Compliance Rules tab of the pool's details page. |
After a pool has provisioned CIDR blocks, create a sub-pool under it or create a VPC using IPAM planning.
Deprovision a CIDR block
Before deprovisioning, make sure the CIDR block has no allocations to VPCs or IPAM pools and no custom allocations. Click the pool ID or Manage in the Actions column. On the CIDR tab, find the target CIDR block and click Deprovision in the Actions column.
Delete an IPAM pool
Deprovision all CIDR blocks in the pool first. Then click Delete in the Actions column or on the pool's details page.
Delete an IPAM scope
The two default scopes cannot be deleted. To delete a custom scope, first delete all IPAM pools within it, then click Delete in the Actions column or on the scope's details page.
Delete an IPAM
Delete all IPAM pools and custom scopes first. Then click Delete in the Actions column for the target IPAM or on its details page.
API
Plan independent address spaces using IPAM scopes
Call OpenVpcIpamService to activate IPAM.
Call CreateIpam to create an IPAM.
Call CreateIpamScope to create a private IPAM scope.
Create an IPAM pool and provision a CIDR block
Call CreateIpamPool to create an IPAM pool.
Call AddIpamPoolCidr to provision a CIDR block to the pool.
Clean up resources
Call DeleteIpamPoolCidr to deprovision a CIDR block from a pool.
Call DeleteIpamPool to delete a pool.
Call DeleteIpamScope to delete a custom scope.
Call DeleteIpam to delete the IPAM.
Terraform
Resources: alicloud_vpc_ipam_service, alicloud_vpc_ipam_ipam, alicloud_vpc_ipam_ipam_scope, alicloud_vpc_ipam_ipam_pool, alicloud_vpc_ipam_ipam_pool_cidr
# Specify the region where you want to create the IPAM.
provider "alicloud" {
region = "cn-hangzhou"
}
# Activate the IPAM service (required on first use).
resource "alicloud_vpc_ipam_service" "example_ipam_service" {
}
# Create an IPAM.
resource "alicloud_vpc_ipam_ipam" "example_ipam" {
ipam_name = "example_ipam_name"
operating_region_list = ["cn-hangzhou"] # Effective regions for this IPAM.
}
# Create a private IPAM scope.
resource "alicloud_vpc_ipam_ipam_scope" "example_ipam_scope" {
ipam_scope_name = "example_ipam_scope_name"
ipam_id = alicloud_vpc_ipam_ipam.example_ipam.id
ipam_scope_type = "private"
}
# Create a top-level IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_parentIpamPool" {
ipam_scope_id = alicloud_vpc_ipam_ipam_scope.example_ipam_scope.id
ipam_pool_name = "example_parentIpamPool_name"
pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id
ip_version = "IPv4"
}
# Provision a CIDR block to the top-level pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_ipamPoolCidr" {
cidr = "10.0.0.0/16"
ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id
}
# Create a sub-pool under the top-level pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_childIpamPool" {
ipam_pool_name = "example_childIpamPool_name"
ipam_scope_id = alicloud_vpc_ipam_ipam_scope.example_ipam_scope.id
pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id
source_ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id
ip_version = "IPv4"
}
# Provision a CIDR block to the sub-pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_childIpamPoolCidr" {
cidr = "10.0.0.0/24"
ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_childIpamPool.id
}Share planned pools with multiple accounts
A network admin (pool owner) can share an IPAM pool with a business account (principal). The principal can then allocate addresses from the shared pool to VPCs or create custom allocations, but cannot modify the pool's provisioned CIDRs or allocation rules.
Permissions for pool owners and principals
| Feature | Resource owner | Principal |
|---|---|---|
| Allocate resources from a pool when creating a VPC | Supported | Supported |
| Allocate a secondary CIDR block for a VPC | Supported | Supported |
| Delete an IPAM pool | Supported | Not supported |
| Modify IPAM pool information | Supported | Supported (name and description only) |
| Query an IPAM pool | Supported | Supported |
| Query CIDR information of an IPAM pool | Supported | Supported |
| Provision a CIDR block to a pool | Supported | Not supported |
| Deprovision a CIDR block | Supported | Not supported |
| Create a custom allocation | Supported | Supported |
| Release a custom allocation | Supported | Supported (only allocations created by the principal) |
| Query custom allocations | Supported | Supported |
| Modify allocation rules | Supported | Not supported |
| Enable/disable auto import | Supported | Not supported |
| Query resources in a pool | Supported | Not supported |
Console
This section describes sharing a pool with any Alibaba Cloud account. To share within a resource directory instead, see Share resources only within a resource directory.
Share an IPAM pool
Performed by the pool owner:
Log on as the pool owner. Go to the IPAM console - IPAM Pool page and select the region where the pool is located. Click the pool ID or Manage in the Actions column. On the Sharing Management tab, click Create Resource Share.
On the Create Resource Share page:
Set Resources to IPAM Pool and select the pool to share.
The permission for IPAM pool resources is
AliyunRSDefaultPermissionIpamPool.For Principal Scope, select All Accounts. For Method, select Add Manually. Enter the Alibaba Cloud account ID of the principal and click Add.
Verify the configuration and click OK.
Performed by the principal:
Log on with the principal's account. Go to the Resource Sharing - Shared To Me page of the Resource Management console.
In the top-left corner, select the region where the shared resource is located. Click Accept in the Status column of the target resource share.
After accepting, the principal can view the pool on the Pools Shared with Me tab of the IPAM Pool page and use it to plan and create a VPC with IPAM or create a custom allocation.
Stop sharing
Performed by the pool owner:
On the Sharing Management tab of the IPAM Pool details page, click the ID of the resource share to delete. On its details page, select Delete Resource Share.
After stopping sharing:
The principal can no longer view the pool, but existing address allocations created from the shared pool are not affected.
Allocations are released automatically when the associated VPC is deleted.
The pool owner can still manage the pool's allocations, including releasing VPC-type allocations and custom allocations created by the principal.
API
Share an IPAM pool
Method 1: Share with any account
All steps in this method require the identity credentials of the respective account.
As the pool owner, call CreateResourceShare to create a resource share. Set
AllowExternalTargetstoTrue.As the principal, call ListResourceShareInvitations to retrieve the sharing invitation, then call AcceptResourceShareInvitation to accept it.
Method 2: Share within a resource directory
As the management account of the resource directory, call EnableSharingWithResourceDirectory to enable resource sharing for the directory.
As the pool principal, call CreateResourceShare to create the resource share. Set
AllowExternalTargetstoTrue.
Stop sharing
As the pool owner, call DeleteResourceShare to delete the resource share.
Terraform
Terraform does not currently support sharing IPAM pools.
More information
Billing
IPAM is in public preview and is free to use during this period.
Quota limits
| Quota name | Description | Default limit | Adjustable |
|---|---|---|---|
| ipam_quota_per_region | IPAMs per user per region | 1 | No |
| ipam_scope_quota_per_ipam | IPAM scopes per IPAM | 5 | — |
| ipam_pool_quota_depth | Maximum pool hierarchy depth | 10 | — |
| ipam_cidr_quota_per_ipam_pool | CIDR blocks provisioned per pool | 50 | — |
| ipam_sub_pool_quota_per_ipam_pool | Sub-pools per pool | 50 | — |
| ipam_pool_quota_per_scope | Pools per private IPAM scope | 500 | — |
| resource_share_quota_per_ipam_pool | Resource shares per pool | 100 | — |
| shared_ipam_pool_quota_per_user | Shared pools per user | 100 | — |
| ipam_public_ipv6_top_pool_quota_per_region_isp | Public IPv6 top-level pools per ISP type per region | 1 | — |
| ipam_cidr_quota_per_public_ipv6_top_pool | CIDR blocks per public IPv6 top-level pool per region | 1 | — |