All Products
Search
Document Center

Virtual Private Cloud:Address planning

Last Updated:Apr 01, 2026

IP Address Manager (IPAM) uses scopes and pools to give you a centralized, hierarchical view of your IP address space. Plan your CIDR blocks in IPAM to prevent address conflicts, avoid IP exhaustion, and allocate addresses to VPCs in a controlled way.

  • An IPAM scope defines an independent IP address space. Create separate scopes to manage distinct address spaces for different entities — scopes can contain overlapping CIDR blocks without conflict.

  • An IPAM pool holds provisioned CIDR blocks within a scope. Nest pools up to 10 levels deep to represent geographic regions, lines of business, or deployment environments.

  • Share pools with other Alibaba Cloud accounts so that each account can allocate addresses from a controlled range without modifying the pool itself.

image
Two terms appear throughout this document. Provision means adding a CIDR block to an IPAM pool. Allocate means associating a CIDR block from a pool with a resource such as a VPC.

Address planning design

CIDR design for IPAM pools

Structure your pools to mirror your organization. A typical hierarchy divides address space from large to small: a top-level pool covers the total planned space, regional pools carve it into geographic segments, line-of-business pools subdivide each region, and environment pools (production, pre-release, testing) sit at the lowest level.

This hierarchy provides two benefits:

  • Prevents overlap — sub-pools can only provision CIDR blocks from their parent, so address ranges stay non-overlapping within a scope.

  • Simplifies routing and ACLs — contiguous CIDR blocks at each level make it straightforward to write routing rules and security group policies that summarize entire regions or business units.

The maximum pool depth is 10 levels.

Example: multi-region, multi-environment enterprise

Consider a company deploying core services on Alibaba Cloud with 10.0.0.0/8 as the total address space. The business has three active regions (with five more reserved), six core lines of business per region (with ten more reserved), and three environments per line of business (production, testing, development).

Step 1: Calculate the required mask lengths

DimensionCapacity neededBits addedResulting mask
Region8 (3 active + 5 reserved)/8 + 3/11
Line of business16 (6 active + 10 reserved)/11 + 4/15
Environment3/15 + 2/17

Step 2: Assign addresses

  • Region allocations: 10.0.0.0/11, 10.32.0.0/11, 10.64.0.0/11 (3 active), with five /11 blocks reserved for future regions.

  • Under each regional /11, create /15 sub-pools for each line of business.

  • Under each line-of-business /15, create /17 sub-pools for each environment.

Step 3: Implement in IPAM

  1. In the default private scope, create a top-level pool with 10.0.0.0/8.

  2. Under the top-level pool, create /11 sub-pools for each region.

  3. Under each regional pool, create /15 sub-pools for each line of business.

  4. Under each line-of-business pool, create /17 sub-pools for each environment. Share these pools with the business accounts that create VPCs.

image

Independent business environments

When two environments must stay completely isolated — for example, after a company acquisition where both organizations have overlapping IP ranges — create a separate private scope for each environment. Each scope has its own management policies and permission settings, and overlapping CIDR blocks across scopes don't cause conflicts within IPAM.

Important

Overlapping CIDR blocks across scopes do cause routing conflicts if you later connect those networks. Before creating separate scopes with overlapping ranges, decide whether the environments will ever need to interconnect, and design your routing model accordingly.

In an acquisition scenario, creating one scope per company lets you see each company's full allocation picture independently. With that visibility, you can identify overlaps and design the network connectivity and routing model needed to merge the networks safely.

image

Hybrid cloud and multi-cloud networking

In a hybrid cloud or multi-cloud architecture, on-premises data centers and other cloud providers already occupy certain CIDR blocks. To prevent those ranges from being accidentally allocated to Alibaba Cloud VPCs, create custom allocations in your IPAM pool to reserve the relevant CIDR blocks. Reserved CIDRs remain visible in IPAM's allocation view but are not available for automatic assignment to cloud resources.

image

Plan using IPAM scopes and pools

How it works

  1. Create an IPAM. A public scope and a private scope are created automatically and cannot be deleted.

    • Public scope — allocates default Alibaba Cloud IPv6 CIDR blocks for service planning.

    • Private scope — allocates IPv4 CIDR blocks. Create additional private scopes to manage separate IPv4 address spaces for entities with overlapping ranges (acquisitions, multi-tenant environments, security isolation).

  2. Create a top-level pool in the appropriate scope and provision the CIDR blocks you want to manage.

    • Within the same scope, multiple top-level pools can coexist, but their provisioned CIDR blocks cannot overlap.

    • Pools in different scopes can have overlapping CIDR blocks.

  3. Create sub-pools under the top-level pool, organized by region, department, or service. Each sub-pool inherits its address space from its parent, keeping address ranges non-overlapping within a scope.

Console

Plan independent address spaces using IPAM scopes

  1. Go to the IPAM console. In the top menu bar, select the region where you want to create the IPAM (the managed region).

  2. Click Create IPAM. Add one or more Effective Region values in addition to the managed region. IPAM centrally manages address resources in all effective regions. After creation, you can add or remove effective regions, but the managed region cannot be removed.

  3. To create additional independent IPv4 address spaces, go to the IPAM Scope page and click Create Scope.

Create an IPAM pool and provision CIDR blocks

Go to the IPAM console - IPAM Pool page. Select the managed region and click Create IPAM Pool.

Configure the following parameters:

ParameterDescription
IPAM ScopeSelect a scope that matches the IP version you need to plan.
CIDR RangeSelect IPAM to create a top-level pool, or select IPAM Pool and specify a Source IPAM Pool to create a sub-pool.
IP VersionDetermined by the scope type. Public scope: IPv6 only (use Assign BGP (Multi-ISP) for the CIDR type). Private scope: IPv4 only.
Effective RegionResources can only be allocated from the pool if their region matches this setting. Required for IPv6 pools. Optional for IPv4 pools — if the source pool has an effective region set, the sub-pool inherits it. Cannot be changed after creation.
Automatically Import Discovered ResourceWhen enabled, IPAM uses resource discovery to find VPCs in the effective region and imports those whose CIDRs fall within the pool's range but are not yet tracked. Requires Effective Region to be set. If multiple overlapping CIDRs are discovered, only the largest is imported; if multiple identical CIDRs are discovered, only one is imported at random.
Provision CIDR BlockAllocations to resources can only be made from pools that have provisioned CIDR blocks. For a top-level IPv6 pool, select an address mask to provision one block. For a top-level IPv4 pool, enter one or more CIDR blocks. For sub-pools, enter CIDR blocks, select an address mask, or use the visualization interface to select from the source pool.
Allocation RuleSets the minimum, default, and maximum network mask lengths for allocations from this pool. Range: 0–128 for IPv6, 0–32 for IPv4. Modify these rules later on the Compliance Rules tab of the pool's details page.

After a pool has provisioned CIDR blocks, create a sub-pool under it or create a VPC using IPAM planning.

Deprovision a CIDR block

Before deprovisioning, make sure the CIDR block has no allocations to VPCs or IPAM pools and no custom allocations. Click the pool ID or Manage in the Actions column. On the CIDR tab, find the target CIDR block and click Deprovision in the Actions column.

Delete an IPAM pool

Deprovision all CIDR blocks in the pool first. Then click Delete in the Actions column or on the pool's details page.

Delete an IPAM scope

The two default scopes cannot be deleted. To delete a custom scope, first delete all IPAM pools within it, then click Delete in the Actions column or on the scope's details page.

Delete an IPAM

Delete all IPAM pools and custom scopes first. Then click Delete in the Actions column for the target IPAM or on its details page.

API

Plan independent address spaces using IPAM scopes

  1. Call OpenVpcIpamService to activate IPAM.

  2. Call CreateIpam to create an IPAM.

  3. Call CreateIpamScope to create a private IPAM scope.

Create an IPAM pool and provision a CIDR block

  1. Call CreateIpamPool to create an IPAM pool.

  2. Call AddIpamPoolCidr to provision a CIDR block to the pool.

Clean up resources

Terraform

Resources: alicloud_vpc_ipam_service, alicloud_vpc_ipam_ipam, alicloud_vpc_ipam_ipam_scope, alicloud_vpc_ipam_ipam_pool, alicloud_vpc_ipam_ipam_pool_cidr
# Specify the region where you want to create the IPAM.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Activate the IPAM service (required on first use).
resource "alicloud_vpc_ipam_service" "example_ipam_service" {
}

# Create an IPAM.
resource "alicloud_vpc_ipam_ipam" "example_ipam" {
  ipam_name             = "example_ipam_name"
  operating_region_list = ["cn-hangzhou"] # Effective regions for this IPAM.
}

# Create a private IPAM scope.
resource "alicloud_vpc_ipam_ipam_scope" "example_ipam_scope" {
  ipam_scope_name = "example_ipam_scope_name"
  ipam_id         = alicloud_vpc_ipam_ipam.example_ipam.id
  ipam_scope_type = "private"
}

# Create a top-level IPAM pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_parentIpamPool" {
  ipam_scope_id  = alicloud_vpc_ipam_ipam_scope.example_ipam_scope.id
  ipam_pool_name = "example_parentIpamPool_name"
  pool_region_id = alicloud_vpc_ipam_ipam.example_ipam.region_id
  ip_version     = "IPv4"
}

# Provision a CIDR block to the top-level pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_ipamPoolCidr" {
  cidr         = "10.0.0.0/16"
  ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id
}

# Create a sub-pool under the top-level pool.
resource "alicloud_vpc_ipam_ipam_pool" "example_childIpamPool" {
  ipam_pool_name      = "example_childIpamPool_name"
  ipam_scope_id       = alicloud_vpc_ipam_ipam_scope.example_ipam_scope.id
  pool_region_id      = alicloud_vpc_ipam_ipam.example_ipam.region_id
  source_ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_parentIpamPool.id
  ip_version          = "IPv4"
}

# Provision a CIDR block to the sub-pool.
resource "alicloud_vpc_ipam_ipam_pool_cidr" "example_childIpamPoolCidr" {
  cidr         = "10.0.0.0/24"
  ipam_pool_id = alicloud_vpc_ipam_ipam_pool.example_childIpamPool.id
}

Share planned pools with multiple accounts

A network admin (pool owner) can share an IPAM pool with a business account (principal). The principal can then allocate addresses from the shared pool to VPCs or create custom allocations, but cannot modify the pool's provisioned CIDRs or allocation rules.

Permissions for pool owners and principals

FeatureResource ownerPrincipal
Allocate resources from a pool when creating a VPCSupportedSupported
Allocate a secondary CIDR block for a VPCSupportedSupported
Delete an IPAM poolSupportedNot supported
Modify IPAM pool informationSupportedSupported (name and description only)
Query an IPAM poolSupportedSupported
Query CIDR information of an IPAM poolSupportedSupported
Provision a CIDR block to a poolSupportedNot supported
Deprovision a CIDR blockSupportedNot supported
Create a custom allocationSupportedSupported
Release a custom allocationSupportedSupported (only allocations created by the principal)
Query custom allocationsSupportedSupported
Modify allocation rulesSupportedNot supported
Enable/disable auto importSupportedNot supported
Query resources in a poolSupportedNot supported
image

Console

This section describes sharing a pool with any Alibaba Cloud account. To share within a resource directory instead, see Share resources only within a resource directory.

Share an IPAM pool

Performed by the pool owner:

  1. Log on as the pool owner. Go to the IPAM console - IPAM Pool page and select the region where the pool is located. Click the pool ID or Manage in the Actions column. On the Sharing Management tab, click Create Resource Share.

  2. On the Create Resource Share page:

    1. Set Resources to IPAM Pool and select the pool to share.

    2. The permission for IPAM pool resources is AliyunRSDefaultPermissionIpamPool.

    3. For Principal Scope, select All Accounts. For Method, select Add Manually. Enter the Alibaba Cloud account ID of the principal and click Add.

    4. Verify the configuration and click OK.

Performed by the principal:

  1. Log on with the principal's account. Go to the Resource Sharing - Shared To Me page of the Resource Management console.

  2. In the top-left corner, select the region where the shared resource is located. Click Accept in the Status column of the target resource share.

  3. After accepting, the principal can view the pool on the Pools Shared with Me tab of the IPAM Pool page and use it to plan and create a VPC with IPAM or create a custom allocation.

Stop sharing

Performed by the pool owner:

On the Sharing Management tab of the IPAM Pool details page, click the ID of the resource share to delete. On its details page, select Delete Resource Share.

After stopping sharing:

  • The principal can no longer view the pool, but existing address allocations created from the shared pool are not affected.

  • Allocations are released automatically when the associated VPC is deleted.

  • The pool owner can still manage the pool's allocations, including releasing VPC-type allocations and custom allocations created by the principal.

API

Share an IPAM pool

Method 1: Share with any account

All steps in this method require the identity credentials of the respective account.

  1. As the pool owner, call CreateResourceShare to create a resource share. Set AllowExternalTargets to True.

  2. As the principal, call ListResourceShareInvitations to retrieve the sharing invitation, then call AcceptResourceShareInvitation to accept it.

Method 2: Share within a resource directory

  1. As the management account of the resource directory, call EnableSharingWithResourceDirectory to enable resource sharing for the directory.

  2. As the pool principal, call CreateResourceShare to create the resource share. Set AllowExternalTargets to True.

Stop sharing

As the pool owner, call DeleteResourceShare to delete the resource share.

Terraform

Terraform does not currently support sharing IPAM pools.

More information

Billing

IPAM is in public preview and is free to use during this period.

Quota limits

Quota nameDescriptionDefault limitAdjustable
ipam_quota_per_regionIPAMs per user per region1No
ipam_scope_quota_per_ipamIPAM scopes per IPAM5
ipam_pool_quota_depthMaximum pool hierarchy depth10
ipam_cidr_quota_per_ipam_poolCIDR blocks provisioned per pool50
ipam_sub_pool_quota_per_ipam_poolSub-pools per pool50
ipam_pool_quota_per_scopePools per private IPAM scope500
resource_share_quota_per_ipam_poolResource shares per pool100
shared_ipam_pool_quota_per_userShared pools per user100
ipam_public_ipv6_top_pool_quota_per_region_ispPublic IPv6 top-level pools per ISP type per region1
ipam_cidr_quota_per_public_ipv6_top_poolCIDR blocks per public IPv6 top-level pool per region1