Building on unified address planning, IP Address Manager (IPAM) supports address resource management and resource monitoring:
Allocate resources from IPAM pools: Allocate IP addresses that comply with business rules from planned address pools to virtual private clouds (VPCs). Enable centralized address allocation within your organization.
Identify global address resources: Use resource discovery to find resources within the applicable scope and view their IP address usage and overlaps.
Multi-account management: Use resource directory to enable the IPAM trusted service by specifying a delegated administrator for IPAM and centrally manage the IP addresses of member accounts.
Monitor resources: Use the IP address monitoring feature to improve resource planning and allocation, ensuring network stability and security.
Allocate addresses from planned IPAM pools
During address planning, you can allocate a planned CIDR block from a top-level pool to a sub-pool. You can also perform the following operations:
VPC CIDR block allocation: When you allocate a primary or secondary CIDR block to a VPC, IPAM ensures that the allocated CIDR blocks do not overlap. Address conflicts are prevented when you interconnect VPCs.
Hybrid cloud and multi-cloud address reservation: Create a custom allocation to reserve CIDR blocks for services in data centers or on other clouds. This prevents these CIDR blocks from being allocated to cloud resources, avoiding conflicts during network connections.
After a network administrator shares a planned IPAM pool with a business account (a principal), the business account can use the shared address pool to allocate a CIDR block to a VPC or create a custom allocation.
Console
Before you begin, make sure that you have created an IPAM instance and an IPAM pool.
Allocate a CIDR block to a VPC
Create a VPC with IPAM:
Go to the VPC console - Create VPC page.
Select Allocated by IPAM, choose an IPv4 pool, and configure the mask. The system allocates the first available CIDR block that matches the specified mask by default. You can adjust the allocated IPv4 CIDR block within the pool's provisioned CIDR blocks.
To enable IPv6, select Allocated by IPAM, choose an IPv6 address pool, and configure a mask or specify a CIDR block.
Add a secondary CIDR block to an existing VPC:
To add an IPv4 CIDR block, go to the CIDR Block Management tab on the VPC details page and click Add Secondary IPv4 CIDR Block. Then, select Allocated by IPAM,, choose an IPv4 pool, and configure the netmask. The system allocates the first available CIDR block that matches the specified netmask by default.
To add an IPv6 CIDR block, click Enable IPv6 if IPv6 is not enabled for the VPC, or click Add IPv6 CIDR Block if IPv6 is already enabled. Then, select Allocated by IPAM, choose an IPv6 pool, and configure the mask or specify a CIDR block.
Create a custom allocation
Before you create a custom allocation, ensure a CIDR block is provisioned for the target IPAM pool.
Go to the IPAM console - IPAM Pool page. In the top navigation bar, select the region where the target IPAM pool is located.
Click the IPAM pool ID or Manage in the Actions column. On the Allocation tab, click Create Custom Allocation to reserve a CIDR block without allocating it to any cloud resources.
Enter a CIDR block or select an available CIDR block from the provisioned range. You can add multiple CIDR blocks.
Release an allocation
On the details page of the IPAM pool, click the Allocation tab. Find the target allocation and click Release in the Actions column.
You can release allocations of the VPC and custom allocation types.
Releasing a VPC allocation only dissociates the VPC from the IPAM pool. This action does not delete the VPC itself.
API
Create a VPC with IPAM
Allocate an IPv4 CIDR block: When calling the CreateVpc operation, specify
Ipv4IpamPoolIdto use an IPAM pool andIpv4CidrMaskto allocate an IPv4 CIDR block from that IPAM pool to the new VPC. Alternatively, you can specifyCidrBlockto use a specific CIDR block for the VPC.Allocate an IPv6 CIDR block: When allocating the IPv4 CIDR block, specify
Ipv6IpamPoolIdandIpv6CidrMask, which assigns an IPv6 CIDR block from the specified IPv6 IPAM pool to the VPC.
Add a secondary CIDR block to an existing VPC
To add an IPv4 CIDR block, call the AssociateVpcCidrBlock operation. Specify
IpamPoolIdto use an IPAM pool, andSecondaryCidrMaskorSecondaryCidrBlock.To add an IPv6 CIDR block, call the AssociateVpcCidrBlock operation. Specify the
IpamPoolIdparameter to use an IPAM pool, and either theIpv6CidrMaskorIPv6CidrBlockparameter.
Create a custom allocation
Call the CreateIpamPoolAllocation operation to create a custom allocation from an IPAM pool and reserve a specific CIDR block.
Release an allocation
Call the DeleteIpamPoolAllocation operation to release an allocation from an IPAM pool.
Terraform
Terraform does not support allocating IPv6 CIDR blocks to VPCs from IPAM.
Resources: alicloud_vpc, alicloud_vpc_ipv4_cidr_block, and alicloud_vpc_ipam_ipam_pool_allocation
# Specify the region where the IPAM pool resides.
provider "alicloud" {
region = "cn-hangzhou"
}
# Specify the ID of the IPAM pool.
variable "ipam_pool_id" {
default = "ipam-pool-bp10******" # Replace with the actual ID of the IPAM pool.
}
# Create a VPC and allocate a primary CIDR block to the VPC.
resource "alicloud_vpc" "example_ipam_vpc" {
vpc_name = "example_ipam_vpc_name"
ipv4_ipam_pool_id = var.ipam_pool_id # Specify the ID of the IPAM pool.
ipv4_cidr_mask = 24 # The IPv4 network mask.
}
# Allocate a secondary CIDR block to the VPC.
resource "alicloud_vpc_ipv4_cidr_block" "example_secondary_cidr_block" {
vpc_id = alicloud_vpc.example_ipam_vpc.id # Specify the ID of the VPC.
ipv4_ipam_pool_id = var.ipam_pool_id # Specify the ID of the IPAM pool.
secondary_cidr_mask = 20 # The IPv4 network mask.
}
# Create a custom allocation.
resource "alicloud_vpc_ipam_ipam_pool_allocation" "example_ipam_pool_allocation" {
ipam_pool_allocation_name = "example_ipam_pool_allocation_name"
ipam_pool_id = var.ipam_pool_id # Specify the ID of the IPAM pool.
cidr = "10.0.160.0/22" # Reserve the specified CIDR block.
}Restrict VPC CIDR block allocation
In a multi-account environment, CIDR block conflicts often arise when business accounts independently create VPCs with private CIDR blocks. To restrict arbitrary allocation, you can use a management account to create a control policy and attach it to a folder or member. This policy restricts business accounts to allocating VPC CIDR blocks only from shared IPAM pools. IPAM ensures that the allocated CIDR blocks do not overlap, which prevents address conflicts when you connect VPCs.
Control policies apply to all Resource Access Management (RAM) users and RAM roles of members in a resource directory, but not to the root users of the member accounts. The management account is not a member of a resource directory. Therefore, control policies do not apply to any identities within the management account.
Use resource discovery to view address usage
Allocating addresses from a planned IPAM pool ensures that the CIDR blocks allocated to VPCs comply with business rules. For existing VPCs and vSwitches, and for VPCs created without using IPAM, you can use resource discovery to view all VPC and vSwitch CIDR blocks.
The management status for VPCs created using IPAM is Hosted, while the status for resources created without using IPAM is Not hosted. If a resource meets the specified rules and is imported into an IPAM pool, its status changes to Hosted.
Manage addresses using resource discovery
Resource discovery continuously monitors the IP address usage of VPC and vSwitch CIDR blocks within the Effective Region. After you associate a resource discovery with an IPAM instance, the instance centrally manages the discovered CIDR blocks.
1. The effective region of a default resource discovery is the same as the region of the IPAM instance and cannot be modified.
2. Resource discovery is updated every 5 minutes.
When you create an IPAM instance, the system creates a default resource discovery and associates it with the IPAM instance. VPC CIDR blocks that meet the following rules are automatically imported into the corresponding address pool for unified management:
Only unallocated CIDR blocks that are within the provisioned CIDR block of the address pool are imported.
CIDR blocks are imported only into address pools in the default scope where Automatically Import Discovered Resource is enabled.
If multiple discovered CIDR blocks overlap, IPAM imports only the largest CIDR block.
If multiple identical CIDR blocks are discovered, IPAM randomly imports one of them.
If no IPAM instance is created, you can create a custom resource discovery to track the IP address usage of VPC and vSwitch CIDR blocks. If an IPAM instance is later created in the managed region, the custom resource discovery is automatically converted into a default resource discovery.
Console
Create a resource discovery
When you create an IPAM instance, the system creates a default resource discovery and associates it with the IPAM instance.
If no IPAM instance is created, you can create a custom resource discovery.
Go to the IPAM console - Resource Discovery page and select the region where you want to create the resource discovery. The region you select becomes the managed region. Then, click Create Resource Discovery.
In addition to the managed region, you can add other Effective Region. Resource discovery continuously discovers VPCs and vSwitch CIDR blocks within all Effective Region.
After the resource discovery is created, you can add or remove applicable regions. However, the managed region cannot be removed.
After a resource discovery is created, the Discovered Resources tab on the resource discovery details page displays the IP address usage for VPC and vSwitch CIDR blocks in the Effective Region.
Delete a resource discovery
Default resource discovery: You can delete a default resource discovery only by deleting the IPAM instance.
Custom resource discovery: Find the custom resource discovery, and in the Actions column, click Delete.
API
If no IPAM instance is created:
Call the CreateIpamResourceDiscovery operation to create a custom resource discovery.
Call the DeleteIpamResourceDiscovery operation to delete a custom resource discovery.
Terraform
If no IPAM instance is created, you can create a custom resource discovery.
Resource: alicloud_vpc_ipam_ipam_resource_discovery
# Specify a region where no IPAM instance is created and a custom resource discovery can be created.
provider "alicloud" {
region = "cn-shanghai"
}
resource "alicloud_vpc_ipam_ipam_resource_discovery" "example_ipam_resource_discovery" {
operating_region_list = ["cn-shanghai"] # Specify the applicable region of the IPAM resource discovery.
ipam_resource_discovery_name = "example_ipam_resource_discovery_name"
}Use shared resource discovery for unified address management
If business accounts use unplanned CIDR blocks to create resources, address conflicts can occur. A network administrator can associate an IPAM instance with a resource discovery shared by a business account to centrally manage resources across multiple accounts and resolve address conflicts.
Both default and custom resource discoveries can be shared.
The applicable region of a shared resource discovery and the applicable region of the network administrator's IPAM instance can be different, but their managed regions must be the same. If the applicable regions are different:
The resource owner (business account in this example) and the network administrator can manage and view all resources within the applicable region of the resource discovery.
After the network administrator associates the resource discovery with an IPAM instance, the administrator can manage only the resources within the applicable region of the IPAM instance.
Console
This section describes how to share a vSwitch with any account. To share resources only within a resource directory, see Share resources only within a resource directory.
Share a resource discovery
A business account shares a created resource discovery with a network administrator:
Go to the IPAM console - Resource Discovery page. In the top navigation bar, select the region where the resource discovery is located. Click the resource discovery instance ID or click Manage in the Actions column. On the Sharing Management tab, click Create Resource Share.
On the Create Resource Share page, follow the steps to configure the resource share.
Set Resources to IPAM Resource Discovery and select the IPAM resource discovery to share.
The permission associated with an IPAM resource discovery is AliyunRSDefaultPermissionIpamResourceDiscovery.
Set Principals to All Accounts and Method to Add Manually. In the Principal ID field, enter the Alibaba Cloud account ID of the address pool principal, and then click Add.
After reviewing the information, click Confirm at the bottom of the page.
Log on to the network administrator account and accept the sharing invitation:
Go to the Resource Sharing - Shared To Me page in the Resource Management console.
In the top-left corner of the top menu bar, select the region that contains the shared resource, and then click Accept in the Status column for the target resource share.
After the resource is shared, the network administrator can view information about the resources and IP address usage of each business account.
The network administrator associates the shared resource discovery with an IPAM instance in the same managed region:
Go to the IPAM console - IPAM page and select the region where the target IPAM instance is located. Click the target IPAM instance ID or Manage in the Actions column. On the Associated Resource Discovery tab, click Associated Resource Discovery and select the resource discovery shared by the business account.
After the association is complete, the network administrator can centrally manage resources in the associated region. On the Resource Management, they can view information such as address overlaps and utilization.
Dissociate an IPAM instance from a resource discovery
Only actively established associations can be canceled. A default resource discovery that is created and associated when an IPAM instance is created cannot be dissociated.
On the Associated Resource Discovery tab of the target IPAM, click Disassociate in the Actions column for the resource discovery. After the resource discovery is dissociated, IPAM can no longer manage its discovered address resources.
Cancel sharing a resource discovery
Use a business account. On the Resource Discovery details page, click the Sharing Management tab, click the target Resource Share to open its details page, and then click Delete Resource Share.
Even if the network administrator has associated the resource discovery with an IPAM instance, the business account can cancel the sharing. After the cancellation, the association is automatically deleted.
API
Shared resource discovery
Share a resource discovery with any account
Use the identity credentials of the business account to call the CreateResourceShare operation to create a resource share. Make sure that the
AllowExternalTargetsparameter is set toTrue.Use the identity credentials of the network administrator to call ListResourceShareInvitations to query the received resource sharing invitations, and then call AcceptResourceShareInvitation to accept the invitation.
Share a resource discovery only within a resource directory
Use the identity credentials of the management account of your resource directory to call the EnableSharingWithResourceDirectory operation to enable sharing across your organization.
Use the identity credentials of the business account to call the CreateResourceShare operation to create a resource share. Make sure that the
AllowExternalTargetsparameter is set toTrue.
Use the identity credentials of the business account to call the DeleteResourceShare operation to delete a resource share and cancel sharing the resource discovery.
Associate a resource discovery with an IPAM instance
Call the AssociateIpamResourceDiscovery operation to associate a resource discovery with an IPAM instance.
Call the DissociateIpamResourceDiscovery operation to dissociate a resource discovery from an IPAM instance.
Terraform
Terraform does not support sharing resource discoveries.
Multi-account IP address resource management
If your enterprise uses a resource directory to manage multiple accounts, the management account of the resource directory can set a delegated administrator for IP Address Manager (IPAM). The IPAM delegated administrator can then centrally view IP address resource usage across all accounts in the enterprise.
Scope
The IPAM trusted service only supports operations by the IPAM delegated administrator of the resource directory. The organization administrator or other members cannot perform these operations.
Delegating an administrator: A resource directory supports only one delegated administrator for the IPAM trusted service. The delegated administrator account must be a member of the resource directory and cannot be the management account of the organization.
Managing members:
When the IPAM delegated administrator adds a member, the IPAM trusted service is enabled for the resource directory. When all members are removed, the IPAM trusted service is disabled.
An IPAM delegated administrator can use an IPAM instance in only one region to manage resource directory members. To use an IPAM instance in a different region, you must first remove all members from the current IPAM instance. Then, you must add the members to the IPAM instance in the new region.
The IPAM delegated administrator cannot manage the root node or the root folder of the resource directory as a member.
Member accounts managed by IPAM cannot share their own resource discoveries with the IPAM delegated administrator.
If the number of member accounts managed by the IPAM trusted service reaches the quota and you add more member accounts to a managed folder in the resource directory, the new accounts that exceed the quota are not managed by the IPAM trusted service.
Revoking delegation: When the IPAM delegated administrator removes all managed members, the delegated administrator account can be deleted or the delegation can be revoked.
Console
Ensure that you have enabled Resource Directory and created a multi-account system.
Log on with the management account of your resource directory and go to the Trusted Services page of Resource Management. Find IP Address Manager and click Manage in the Actions column. In the Delegated Administrator Account section, click Add and select a member of the resource directory to designate as the IPAM delegated administrator.
Log on with the IPAM delegated administrator account and create an IPAM instance. Then, go to the Multi-account Management page in the IPAM console and Add member . After adding the members, the delegated administrator can use resource discovery to view the IP address usage of all managed member accounts in the active region of the IPAM instance.
Resource discovery is updated every 5 minutes.
When an IPAM delegated administrator manages members, IPAM creates a service-linked role for each included member account and attaches the following access policy.
API
Call EnableResourceDirectory to enable Resource Directory. Then, call CreateFolder and CreateResourceAccount to create a multi-account system.
Use the management account of the resource directory to call RegisterDelegatedAdministrator to set the IPAM delegated administrator.
The IPAM delegated administrator calls OpenVpcIpamService to enable IPAM and then calls CreateIpam to create an IPAM instance.
The IPAM delegated administrator calls AddIpamMembers to add members. This allows the administrator to centrally view the IP address resource usage of all managed member accounts in the region where the IPAM instance is active.
Resource monitoring
Monitor address utilization
Monitor address utilization to promptly scale out resources that have high utilization.
To monitor the address utilization of an IPAM pool, go to the IPAM console - IPAM Pools page and click the ID of the target IPAM pool.
On the Details tab, you can view the number of available IP addresses in the IPAM pool and the number of IP addresses that are allocated to resources and sub-pools. If the IPAM pool is a sub-pool, you can also view the address utilization of both the sub-pool and its source pool.
On the IP Usage and Allocation tabs, you can view the allocation details of the IPAM pool.
Monitor the address utilization of VPCs and vSwitches:
Go to the IPAM console - Resource Discovery page. Click the ID of the target resource discovery to view the CIDR blocks and IP address usage of all VPCs and vSwitches within the applicable scope.
Go to the IPAM console - IPAM Scopes page and click the ID of the target scope.
On the Resource Management tab, you can view the CIDR blocks and IP address usage of VPCs and vSwitches within this scope. Click the ID of a VPC or vSwitch to view its IP address usage.
On the Monitoring Chart tab, you can use line charts to monitor the address utilization of VPCs and vSwitches within this scope over time.
Monitor address overlaps
Monitor address overlaps to proactively identify and resolve address conflicts in your network. This prevents access conflicts during network interconnection.
Go to the IPAM console - IPAM Scopes page and click the ID of the target scope.
On the Resource Management tab, you can view the overlap status of VPC and vSwitch CIDR blocks within the current scope. If any CIDR blocks overlap, click View in the Overlap Status column to view the details of the conflicting instances.
On the Monitoring Chart tab, the line charts allow you to monitor the number of overlapping CIDR blocks in this scope over time.
Monitor the management status and compliance of CIDR blocks
Go to the IPAM console - IPAM Scopes page and click the ID of the target scope. On the Overview, Resource Management, and Monitoring Chart tabs, check whether a resource's CIDR block is managed by an IPAM pool and complies with the pool's allocation rules.
More information
Billing
IPAM is in public preview. It is free of charge during the public preview period.
Quotas
Quota name | Description | Default limits | Increase quota |
ustom_ipam_resource_discovery_quota_per_region | The number of custom resource discoveries that can be created by an Alibaba Cloud account in a region. | 1 | Cannot be increased |
resource_share_quota_per_ipam_resource_discovery | The number of resource shares that can be created for each resource discovery. | 100 | |
shared_ipam_resource_discovery_quota_per_user | The number of shared resource discoveries that a user can have. | 100 | |
ipam_resource_directory_member_detail_quota | The maximum number of member accounts that can be managed by the IPAM trusted service. | 1000 |