Bring your own IP to CloudFront using IPAM (supports IPv4 and IPv6) - Amazon Virtual Private Cloud

IPAM's BYOIP for global services lets you use your own IPv4 and IPv6 addresses with AWS global services like CloudFront. Unlike regional BYOIP, your IP addresses are advertised from multiple edge locations simultaneously through anycast routing.

This tutorial covers:

  • Creating global IPAM pools for IPv4 (/24) and/or IPv6 (/48) address ranges

  • Provisioning Anycast Static IP lists with your own IP addresses

  • Advertising your CIDRs globally through CloudFront edge locations

  • Dual-stack configurations using separate IPv4 and IPv6 IPAM pools

Why use this feature?

  • Maintain IP allowlisting – Use existing approved IP addresses instead of updating firewall configurations

  • Simplify migrations – Migrate from other CDNs without changing IP infrastructure

  • Consistent branding – Keep your existing IP address space when moving to AWS

  • IPv6 readiness – Support modern dual-stack architectures with both IPv4 and IPv6

Who should use this feature?

Organizations that need their own IP addresses with global content delivery:

  • Large enterprises with IP allowlisting requirements

  • Companies migrating from other CDNs with existing IP addresses

  • Organizations with strict security policies requiring specific IP ranges

  • Enterprises requiring dual-stack (IPv4/IPv6) configurations for global reach

When to use this feature?

Use BYOIP for global services when you need to:

  • Maintain existing IP allowlisting with partners/clients

  • Migrate from another CDN using your IP addresses

  • Meet compliance requirements for specific IP ranges

  • Deploy dual-stack architectures supporting both IPv4 and IPv6 clients

Note

Requires /24 CIDR blocks for IPv4. Dual-stack (IPv4 and IPv6) requires /24 IPv4 and /48 IPv6 CIDR blocks. Currently available for CloudFront only.

Prerequisites

Complete these steps before starting:

Global service configuration steps

The following steps differ from the standard regional BYOIP process and establish the pattern for global services. For dual-stack deployments, you'll create separate pools for IPv4 and IPv6, then provision both to CloudFront.

Step 1: Create global pool(s) for anycast services

Instead of creating a regional pool, create a global pool for anycast services:

Console

To create a global pool using the console:

  1. Open the IPAM console at https://console.aws.amazon.com/ipam/.

  2. In the navigation pane, choose Pools

  3. Choose Create pool

  4. Source: Choose your top-level BYOIP pool

  5. Locale: Choose Global

  6. Service: Choose Global services (appears when Global is selected)

  7. Public IP source: Choose BYOIP

  8. CIDRs to provision: Specify your /24 CIDR range (for IPv4) or /48 CIDR range (for IPv6)

  9. Choose Create pool

CLI

For IPv4:

aws ec2 create-ipam-pool \
    --ipam-scope-id scope-id \
    --locale None \
    --address-family ipv4 \
    --source-ipam-pool-id top-level-pool-id

aws ec2 provision-ipam-pool-cidr \
    --ipam-pool-id global-pool-id \
    --cidr your-ipv4-/24

For IPv6:

aws ec2 create-ipam-pool \
    --ipam-scope-id scope-id \
    --locale None \
    --address-family ipv6 \
    --source-ipam-pool-id top-level-pool-id

aws ec2 provision-ipam-pool-cidr \
    --ipam-pool-id global-pool-id \
    --cidr your-ipv6-/48

Important

  • For IPv4: You must allocate the full /24 block to this pool. You can provision more specific ranges within this block for different uses.

  • For IPv6: You must allocate the full /48 block to this pool. You can provision more specific ranges within this block for different uses.

Step 2: Create service-specific resources

For CloudFront, create an anycast IP list that uses your IPAM pool. For detailed instructions, see Bring your own IP to CloudFront using IPAM in the Amazon CloudFront Developer Guide.

Key parameters for IPAM integration:

  • IP address type – Choose BYOIP

  • IPAM pool – Select your global pool from Step 1 (IPv4 or IPv6)

  • IP count – Enter 3 (required for CloudFront)

Step 3: Associate with service resources

Associate your Anycast Static IP list with a CloudFront distribution. For detailed instructions, see Bring your own IP to CloudFront using IPAM in the Amazon CloudFront Developer Guide.

Key configuration:

  • In distribution settings, select your Anycast IP List from Step 2

Step 4: Prepare for migration

  • Lower DNS TTL – Set DNS TTL for your records to 60 seconds or lower

  • Wait for propagation – Allow time for the new TTL to take effect across the internet

Step 5: Advertise CIDR globally

Use the IPAM global advertisement command:

Console

To advertise the CIDR using the console:

  1. Open the IPAM console at https://console.aws.amazon.com/ipam/.

  2. In the navigation pane, choose Pools

  3. Select your global pool

  4. Choose the CIDRs tab

  5. Select your CIDR and choose Actions > Advertise CIDR

  6. Confirm the advertisement

CLI

For IPv4:

aws ec2 advertise-byoip-cidr \
    --cidr your-ipv4-/24

For IPv6:

aws ec2 advertise-byoip-cidr \
    --cidr your-ipv6-/48

Important

  • Withdraw advertisement from your previous provider before running this command

  • Update DNS records to point to CloudFront to complete the migration (A records for IPv4, AAAA records for IPv6)
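
Added example (not part of the AWS documentation): a pre-flight check to run before advertising in Step 5. It verifies the /24 and /48 size requirements, the 60-second TTL from Step 4, and that A/AAAA records point inside your BYOIP CIDRs. The CIDRs and record names are constructed, and it assumes your records point directly at the anycast static IPs.

```python
import ipaddress

# Requirements taken from the tutorial text.
REQUIRED_PREFIX = {4: 24, 6: 48}   # /24 for IPv4, /48 for IPv6
RECORD_TYPE = {4: "A", 6: "AAAA"}  # DNS record type per address family
MAX_TTL = 60                       # Step 4: 60 seconds or lower

# Constructed sample input (documentation ranges, hypothetical zone export).
CIDRS = ["203.0.113.0/24", "2001:db8:1234::/48"]
RECORDS = [  # (name, type, ttl, value)
    ("www.example.com", "A", 60, "203.0.113.10"),
    ("www.example.com", "AAAA", 300, "2001:db8:1234::10"),
    ("api.example.com", "A", 60, "198.51.100.7"),
]


def check_cidr(cidr):
    """Return (network, problems) for one BYOIP CIDR."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
    except ValueError as exc:
        return None, [f"{cidr}: not a valid network ({exc})"]
    want = REQUIRED_PREFIX[net.version]
    if net.prefixlen != want:
        return net, [f"{cidr}: IPv{net.version} must be a /{want}"]
    return net, []


def preflight(cidrs, records):
    """Check CIDR sizes, DNS TTLs and record targets before advertising."""
    problems, nets = [], []
    for cidr in cidrs:
        net, errs = check_cidr(cidr)
        problems += errs
        if net is not None and not errs:
            nets.append(net)
    for name, rtype, ttl, value in records:
        addr = ipaddress.ip_address(value)
        if ttl > MAX_TTL:
            problems.append(f"{name} {rtype}: TTL {ttl}s exceeds {MAX_TTL}s")
        if rtype != RECORD_TYPE[addr.version]:
            problems.append(f"{name} {rtype}: {value} is an IPv{addr.version} address")
        if not any(addr in net for net in nets):
            problems.append(f"{name} {rtype}: {value} is outside the BYOIP CIDRs")
    return problems


if __name__ == "__main__":
    for line in preflight(CIDRS, RECORDS):
        print(line)
```

An empty result means the inputs meet the requirements listed in this tutorial; any record flagged as outside the BYOIP CIDRs would also fall outside partner allowlists built on those ranges.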

Cleanup

To clean up resources created in this tutorial:

Important

Delete CloudFront resources first, then proceed with IPAM cleanup to avoid service disruptions.