Networking & Content Delivery
Deploying Amazon VPC IP Address Manager (IPAM) using AWS Service Catalog
Planning, tracking, and monitoring IP addresses for large-scale networks can be challenging. Network administrators often use a combination of spreadsheets, Confluence pages, and home-grown tools to track IP address assignments across Amazon Virtual Private Clouds (Amazon VPCs), AWS Regions, and AWS accounts. However, these methods are largely manual and error-prone, and even a minor mistake can cause IP address conflicts that cause issues when establishing bidirectional connectivity.
This problem is amplified in large enterprise networks, where the AWS environment spans multiple AWS Organizational Units (OUs), AWS accounts, or even AWS Organizations. This is where Amazon VPC IP Address Manager (IPAM) comes in. IPAM simplifies IP address planning, tracking, and monitoring for your enterprise. With IPAM, you can release applications more quickly because developers don’t have to wait for the networking team to manage IP addresses. You can find overlapping IP addresses and fix them before issues arise with network connectivity. IPAM can notify you if your IP address pools are nearing exhaustion—it lets you quickly and efficiently perform routine IP address management activities.
If you combine IPAM with the power of Infrastructure-as-Code (IaC), then you can deploy IPAM across your environment quickly and in compliance with best practices. In this post, we describe a solution to turn on IPAM using AWS Service Catalog, and we walk you through it step-by-step. AWS Service Catalog uses AWS CloudFormation to abstract the underlying complexity and provides standardized deployments.
Solution overview
The solution described in this post uses AWS Service Catalog to provision VPC IPAM pools across multiple accounts. We create two AWS Service Catalog Portfolios: (1) IPAM Main Portfolio, which comprises three Service Catalog products, and (2) IPAM Spoke Portfolio, which comprises one Service Catalog product. A Service Catalog product is an IT service or application that you want to make available for deployment on AWS. Using AWS Resource Access Manager (AWS RAM), we share these products with specific AWS accounts, or with the entire Organization. This makes the products available to both existing and future accounts in your organization. Users with access to the AWS Service Catalog can provision these products in a self-service manner. This solution uses CloudFormation to create the Service Catalog portfolios and their products, as shown in the following diagram (figure 1).
Portfolios and products overview
IPAM Main Portfolio: This portfolio comprises three Service Catalog products and is shared with the NetworkHub/Networking account where the IPAM pools are to be provisioned.
- Delegate IPAM Product: This product delegates the NetworkHub account as the IPAM Delegated Administrator account.
- IPAM CloudFormation Macro Product: This product deploys a CloudFormation Macro and the underlying AWS Lambda function which is used to perform the template processing for the macro. The Lambda function accepts the provided IPAM template (ipam-product.yml) and returns the processed template as a response. This CloudFormation Macro processes the ipam-product.yml base template to dynamically render a CloudFormation template for creating multiple IPAM resources from a single resource definition. It is primarily used to replicate the IPAM resource block for all provided AWS Regions in the pOperatingRegionList parameter value in the source template. It dynamically creates multiple IPAM Pool resources from the defined CIDR blocks in the template, for all provided pOperatingEnvironmentsList (Prod,NonProd).
- IPAM Product: This product is used to provision the IPAM Scope and IPAM Pools, as well as share the created IPAM Pools across multiple AWS accounts. The input is a base CloudFormation template with IPAM Scope, IPAM Pool, and AWS RAM resources. The previous CloudFormation Macro processes this template, and the processed template contains the resource blocks for each Regional and environment-specific pool described in the input parameters. It also creates resources blocks for sharing the IPAM pools across multiple AWS accounts.
IPAM Spoke Portfolio: This portfolio comprises one Service Catalog product and is shared across all spoke accounts.
- IPAM Spoke Product: This product creates a VPC and its subnets in the spoke account using the provisioned IPAM pool to get the CIDRs for the VPC.
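The IPAM CloudFormation Macro Product described above is the part of the solution that is easiest to get wrong, so here is an added example of the technique: a minimal macro handler that replicates one AWS::EC2::IPAMPool definition per hierarchy level for every Region in pOperatingRegionList and every environment in pOperatingEnvironmentsList. This is not the post's ipam-macro.yml Lambda; the parameter names are the post's, but the "IpamMacro" metadata key, the IpamMacro::ListItem marker, the %REGION%, %REGIONID% and %ENV% placeholders, the logical IDs and the IpamScope reference are assumptions made for this example. The handler refuses to run when a per-Region CIDR list does not have one entry per Region, because a misaligned list would otherwise assign the wrong CIDR to a Region without any error.

```python
# Added example (not the post's ipam-macro.yml): a CloudFormation macro that
# replicates IPAM pool resources per Region and per environment.
import copy
import re

REGION_PARAM = "pOperatingRegionList"          # parameter names from the post
ENV_PARAM = "pOperatingEnvironmentsList"
LIST_ITEM_KEY = "IpamMacro::ListItem"          # assumed marker: "this Region's list entry"


def _as_list(value):
    """CommaDelimitedList parameters arrive as lists; plain strings are split."""
    if isinstance(value, list):
        return [str(v).strip() for v in value]
    return [v.strip() for v in str(value).split(",") if v.strip()]


def logical_suffix(text):
    """'us-east-1' -> 'UsEast1'; CloudFormation logical IDs must be alphanumeric."""
    return "".join(p.capitalize() for p in re.split(r"[^A-Za-z0-9]+", text) if p)


def _substitute(node, params, ctx):
    """Recursively resolve placeholders inside one resource definition."""
    if isinstance(node, dict):
        if LIST_ITEM_KEY in node:
            name = node[LIST_ITEM_KEY].replace("%ENV%", ctx["env"])
            items = _as_list(params[name])
            if len(items) != ctx["region_count"]:
                raise ValueError(f"{name} must have one entry per Region in {REGION_PARAM}")
            return items[ctx["region_index"]]
        return {k: _substitute(v, params, ctx) for k, v in node.items()}
    if isinstance(node, list):
        return [_substitute(v, params, ctx) for v in node]
    if isinstance(node, str):
        return (node.replace("%REGIONID%", logical_suffix(ctx["region"]))
                    .replace("%REGION%", ctx["region"])
                    .replace("%ENV%", ctx["env"]))
    return node


def expand_template(fragment, params):
    """Return a new template whose marked resources are replicated; input is untouched."""
    regions = _as_list(params[REGION_PARAM])
    envs = _as_list(params[ENV_PARAM])
    out = copy.deepcopy(fragment)
    expanded = {}
    for logical_id, res in out.get("Resources", {}).items():
        mode = res.get("Metadata", {}).pop("IpamMacro", {}).get("Replicate")
        if "Metadata" in res and not res["Metadata"]:
            del res["Metadata"]
        if mode is None:                       # unmarked resource (top-level pool): copied once
            expanded[logical_id] = res
            continue
        env_list = envs if mode == "RegionAndEnvironment" else [""]
        for i, region in enumerate(regions):
            for env in env_list:
                ctx = {"region": region, "region_index": i, "region_count": len(regions), "env": env}
                new_id = logical_id + logical_suffix(region) + re.sub(r"[^A-Za-z0-9]", "", env)
                expanded[new_id] = _substitute(res, params, ctx)
    out["Resources"] = expanded
    return out


def handler(event, context):
    """Lambda entry point following the CloudFormation macro request/response contract."""
    try:
        fragment = expand_template(event["fragment"], event["templateParameterValues"])
        return {"requestId": event["requestId"], "status": "success", "fragment": fragment}
    except (KeyError, ValueError) as exc:
        return {"requestId": event["requestId"], "status": "failure", "errorMessage": str(exc)}


def _pool(**props):
    """Constructed AWS::EC2::IPAMPool skeleton (the IpamScope resource itself is omitted)."""
    return {"Type": "AWS::EC2::IPAMPool",
            "Properties": {"IpamScopeId": {"Ref": "IpamScope"}, "AddressFamily": "ipv4", **props}}


# Constructed base template: one resource per level of the pool hierarchy.
BASE_FRAGMENT = {"Resources": {
    "TopLevelPool": _pool(ProvisionedCidrs=[{"Cidr": "10.0.0.0/8"}]),
    "RegionalPool": dict(_pool(Locale="%REGION%", SourceIpamPoolId={"Ref": "TopLevelPool"},
                               ProvisionedCidrs=[{"Cidr": {LIST_ITEM_KEY: "pRegionalPool1CIDRIPv4List"}}]),
                         Metadata={"IpamMacro": {"Replicate": "Region"}}),
    "EnvPool": dict(_pool(Locale="%REGION%", SourceIpamPoolId={"Ref": "RegionalPool%REGIONID%"},
                          ProvisionedCidrs=[{"Cidr": {LIST_ITEM_KEY: "pPoolCIDRIPv4List%ENV%"}}]),
                    Metadata={"IpamMacro": {"Replicate": "RegionAndEnvironment"}}),
}}

# Constructed parameter values, using the post's example inputs.
SAMPLE_PARAMS = {
    "pOperatingRegionList": "us-east-1,us-east-2",
    "pOperatingEnvironmentsList": "Prod,NonProd",
    "pRegionalPool1CIDRIPv4List": "10.0.0.0/16,10.1.0.0/16",
    "pPoolCIDRIPv4ListProd": "10.0.1.0/24,10.1.1.0/24",
    "pPoolCIDRIPv4ListNonProd": "10.0.2.0/24,10.1.2.0/24",
}
```

With the sample parameters, expand_template turns the three resource definitions into seven: the top-level pool, one Regional pool per Region, and one environment pool per Region and environment, each pointing at the Regional pool of its own Region through SourceIpamPoolId.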
Prerequisites
The following prerequisites are required before continuing:
- We assume that you have the following AWS accounts and OU structure in your environment:
  - Management Account – the root user for this account and the AWS Identity and Access Management (IAM) user or IAM administrator user for this account have full access to all resources within your organization.
  - A Network Hub Account – the account which is to be used as the IPAM Delegated Administrator account. Note that to follow along with this post, create a Network Hub Account if you don’t have one already.
- Resource sharing with Organizations is turned on.
- We assume you are familiar with the most common IPAM constructs.
An example walkthrough
In this section, we consider a top-level pool (e.g., 10.0.0.0/8) that we use as an input for our IPAM solution. Two Regional pools are created from the CIDRs sourced from the top-level pool. A Production IPv4 pool and a Non-Production IPv4 pool are then created from the Regional pool. The following diagram (figure 2) shows an example of the IPAM pool hierarchy for IPv4 across multiple Regions within a top-level IPAM pool for the Organization. We do not discuss IPv6 in this post, but it follows the same pattern as IPv4.
Deployment instructions
The deployment of IPAM has two phases:
Phase 1: Deploy the AWS Service Catalog Portfolio in the Management Account
Step 1 – Create an S3 bucket to hold the Service Catalog Portfolio CloudFormation templates
- Download the s3Bucket.yml CloudFormation template to create an Amazon Simple Storage Service (Amazon S3) bucket. This template creates two S3 buckets. One bucket named control-tower-storage-{AccountId}-{Region} to hold the Service Catalog Product template files. And the second S3 bucket named control-tower-uploadbuckets3accesslogs-{AccountId}-{Region} to log the Amazon S3 server access logs of the control-tower-storage-{AccountId}-{Region} bucket. Server access logging provides detailed records for the requests that are made to the bucket. This access log information can be useful in security and access audits.
- Navigate to the CloudFormation console in the Management Account, and in the left pane select Stacks. Create a stack using the downloaded s3Bucket.yml template and provide your organization ID in the template parameters section.
- Once the stack is deployed, navigate to the Amazon S3 console and select the control-tower-storage-{AccountId}-{Region} bucket that you just created using the CloudFormation template. Upload the four Service Catalog product template files (ipam-delegate.yml, ipam-macro.yml, ipam-product.yml, ipam-spoke-product.yml) to this S3 bucket. The following diagram (figure 3) shows the CloudFormation templates uploaded to the S3 bucket.
Step 2 – Enable trusted access for AWS Service Catalog in Organizations
- Sign in to the AWS Organizations console of the Management Account. You must sign in as an IAM user, assume an IAM Role with admin privileges, or sign in as the root user (not recommended) in the Organization’s management account.
- On the Services page, find the row for the Service Catalog service that you want to enable trusted access.
- Choose Enable trusted access.
- In the confirmation dialog box, check the box to Show the option to enable trusted access, enter enable in the box, and then choose Enable trusted access. The following diagram (figure 4) shows the trusted access enabled for AWS Service Catalog.
Step 3 – Deploy the Service Catalog Portfolios using CloudFormation
- Download the ipamportfolio.yml template and navigate to the CloudFormation console to create a stack using this template.
- Update the appropriate Amazon S3 URLs of the above four templates in the parameters section of the ipamportfolio.yml template, and provide the organization ID. This template creates the Service Catalog portfolios (IPAM Main Portfolio and IPAM Spoke Portfolio), creates the Service Catalog products for IPAM automation (it does not provision the products yet – follow Phase 2 for provisioning the products), and shares the portfolios with the provided Organization.
- Validate the successful deployment of the resources via the CloudFormation console (as shown in the following diagram (figure 5)) and Portfolios tab on the AWS Service Catalog console (as shown in the following diagram (figure 6)).
Phase 2: Setup user access and provision the above created IPAM products using AWS Service Catalog
The IPAM Service Catalog product comprises four main deployment steps:
Step 1 – Delegate an IPAM Administrator Account using the Delegate IPAM Product in your Management Account
- Sign in to your AWS Management Console of the Management Account.
- Navigate to the AWS Service Catalog console, and select Portfolios on the left navigation pane.
- Select the Local tab on the top and choose IPAM Main Portfolio that was created in Phase 1.
- On the portfolio details page, choose the Access tab.
- Choose Grant Access. Add the IAM Role, user, or group that you want the end users to use to launch the product. Select Grant Access.
- Log back in to the Management Account using the IAM role, user, or group granted access above, if you are not already signed in that way. In the left navigation pane, choose Products.
- Select Delegate IPAM Product and select Launch Product.
- On the Launch Product page, enter a name for your provisioned product and provide the product parameters.
- Select Launch Product. This product delegates the NetworkHub account as the IPAM delegated administrator account.
Step 2 – Deploy the CloudFormation Macro definition using the IPAM CloudFormation Macro Product in your NetworkHub Account
- Sign in to your AWS Management Console of the NetworkHub Account via the AWS role that has Administrator access.
- Navigate to the AWS Service Catalog console, and select Portfolios on the left navigation pane.
- On the Imported tab, choose IPAM Main Portfolio that was shared by the Management Account.
- On the portfolio details page, choose the Access tab.
- Choose Grant Access. Add the IAM Role, user, or group that you want the end users to use to launch the product. Select Grant Access.
- Log back in to the NetworkHub Account using the IAM role, user, or group granted access above, if you are not already signed in that way. In the left navigation pane, choose Products.
- Select IPAM CloudFormation Macro Product, and select Launch Product.
- On the Launch Product page, enter a name for your provisioned product and provide the product parameters.
- Select Launch Product.
Note that this product does not take in any input parameters; it deploys the macro that is used to process the IPAM template provided in the next step.
Step 3 – Deploy the AWS Service Catalog IPAM Product in your NetworkHub Account
- Sign in to your AWS Management Console of the NetworkHub Account via the AWS role that was granted access to the portfolios in the previous step.
- Navigate to the AWS Service Catalog console, and choose Portfolios.
- In the left navigation pane, choose Products.
- Select IPAM Product and select Launch Product.
- On the Launch Product page, enter a name for your provisioned product and provide the following product parameters:
  - pOrgId: ID of the Organization.
  - pOperatingRegionList: A list of Regions where the IPAM is allowed to manage IP address CIDRs. Example: “us-east-1,us-east-2”
  - pMainPoolCIDRIPv4List: IPv4 CIDR provisioned to the main IPAM pool (TOP-LEVEL-POOL). Example: “10.0.0.0/8”
  - pRegionalPool1CIDRIPv4List: The list of CIDRs for Regional pools (one per Region) provisioned from the main IPAM pool, given in the same order as pOperatingRegionList. Example: “10.0.0.0/16,10.1.0.0/16”
  - pOperatingEnvironmentsList: A list of environments where the IPAM is allowed to manage IP address CIDRs. Example: “Prod,NonProd”
  - pPoolCIDRIPv4ListProd: The list of production pool CIDRs (one per Region) provisioned from the respective Regional IPAM pool, given in the same order as pOperatingRegionList. Example: “10.0.1.0/24,10.1.1.0/24”
  - pPoolCIDRIPv4ListNonProd: The list of non-production pool CIDRs (one per Region) provisioned from the respective Regional IPAM pool, given in the same order as pOperatingRegionList. Example: “10.0.2.0/24,10.1.2.0/24”
- Select Launch Product.
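Because the per-Region lists above are matched to pOperatingRegionList by position, and each pool must sit inside its parent, a mistake in these parameters surfaces only as a failed launch or, worse, as overlapping pools. The following added example (not code from the post or its ipam-product.yml) checks the parameter set before launching the product: every Regional CIDR is inside the main pool, every environment CIDR is inside the Regional pool of the same Region, every list has one entry per Region, and no two pools at the same level overlap. Parameter names are the post's; the sample values are the post's own examples, so they pass.

```python
# Added example (not from the post): consistency check for the IPAM Product parameters.
import ipaddress
from itertools import combinations


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _parse_cidrs(params, key, errors):
    """Parse a comma-separated CIDR list; strict=True rejects CIDRs with host bits set."""
    nets = []
    for text in _split(params.get(key, "")):
        try:
            nets.append(ipaddress.ip_network(text, strict=True))
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    return nets


def _check_overlaps(label, nets, errors):
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            errors.append(f"{label}: {a} overlaps {b}")


def validate_ipam_params(params):
    """Return a list of problems; an empty list means the pool hierarchy is consistent."""
    errors = []
    regions = _split(params.get("pOperatingRegionList", ""))
    envs = _split(params.get("pOperatingEnvironmentsList", ""))
    main = _parse_cidrs(params, "pMainPoolCIDRIPv4List", errors)
    regional = _parse_cidrs(params, "pRegionalPool1CIDRIPv4List", errors)

    # Regional pools: one per Region, inside the main pool, mutually disjoint.
    if len(regional) != len(regions):
        errors.append(f"pRegionalPool1CIDRIPv4List has {len(regional)} entries for {len(regions)} Regions")
    for region, cidr in zip(regions, regional):
        if not any(cidr.subnet_of(m) for m in main):
            errors.append(f"{region}: Regional pool {cidr} is not inside the main pool")
    _check_overlaps("Regional pools", regional, errors)

    # Environment pools: one per Region per environment, inside that Region's pool.
    per_region = {r: [] for r in regions}
    for env in envs:
        key = f"pPoolCIDRIPv4List{env}"
        if key not in params:
            errors.append(f"missing parameter {key} for environment {env}")
            continue
        pools = _parse_cidrs(params, key, errors)
        if len(pools) != len(regions):
            errors.append(f"{key} has {len(pools)} entries for {len(regions)} Regions")
        for region, rcidr, pcidr in zip(regions, regional, pools):
            if not pcidr.subnet_of(rcidr):
                errors.append(f"{region}/{env}: {pcidr} is not inside Regional pool {rcidr}")
            per_region[region].append(pcidr)
    for region, pools in per_region.items():
        _check_overlaps(f"{region} environment pools", pools, errors)
    return errors


# Constructed parameter set using the post's example values.
EXAMPLE_PARAMS = {
    "pOrgId": "o-placeholder",   # placeholder Organization ID, not a real value
    "pOperatingRegionList": "us-east-1,us-east-2",
    "pMainPoolCIDRIPv4List": "10.0.0.0/8",
    "pRegionalPool1CIDRIPv4List": "10.0.0.0/16,10.1.0.0/16",
    "pOperatingEnvironmentsList": "Prod,NonProd",
    "pPoolCIDRIPv4ListProd": "10.0.1.0/24,10.1.1.0/24",
    "pPoolCIDRIPv4ListNonProd": "10.0.2.0/24,10.1.2.0/24",
}

if __name__ == "__main__":
    for problem in validate_ipam_params(EXAMPLE_PARAMS) or ["parameters are consistent"]:
        print(problem)
```

Run it against your own parameter values before choosing Launch Product; a non-empty result means the macro-generated template would either fail to provision or create a hierarchy that IPAM itself would later report as overlapping.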
Step 4 – Deploy the Spoke VPC Product using the IPAM Spoke Product in your Spoke Account
- Sign in to your AWS Management Console of the Spoke Account.
- Navigate to the AWS Service Catalog console, and choose Portfolios.
- On the Imported tab, choose IPAM Spoke Portfolio.
- On the portfolio details page, choose the Access tab.
- Choose Grant Access. Add the IAM Role, user, or group that you want the end users to use to launch the product. Select Grant Access.
- Note that if you have a common IAM Role deployed across all your spoke accounts, the previous five steps can be eliminated by updating the IPAMSpokeProductLaunchConstraintRole parameter in the ipamportfolio.yml template, with the local IAM Role name. Then, un-comment the IPAMSpokeProductLaunchRoleConstraint resource and update your ipamportfolio.yml stack.
- Log back in to the Spoke Account using the IAM role, user, or group granted access previously, if you are not already signed in that way. In the left navigation pane, choose Products.
- Select IPAM Spoke Product and select Launch Product.
- On the Launch Product page, enter a name for your provisioned product and provide the following product parameters:
  - pVpcSize: Size for the VPC. Either small (supports 256 IP addresses), medium (supports 512 IP addresses), or large (supports 1024 IP addresses).
  - pNumberOfAZs: Number of Availability Zones (AZs). The value must lie between two and four.
  - IPAMRegion: Region of the IPAM Scope. Default: “us-east-1”
- Select Launch Product.
- Validate the VPC creation. The VPCs are created based on the size that you provide (small, medium, or large) and the CIDRs in the IPAM pool provisioned for this Organization.
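To see what the spoke parameters mean in address terms, here is an added example that is not the post's ipam-spoke-product.yml. It maps pVpcSize to a prefix length (256 addresses is a /24, 512 a /23, 1024 a /22), picks the first free VPC CIDR of that size from the environment pool, and carves one subnet per AZ (the one-subnet-per-AZ layout is an assumption for this example). It also shows the exhaustion case a practitioner should expect: with the /24 production pools from the example parameters above, a single small VPC uses the whole pool, and a medium or large VPC cannot be allocated at all.

```python
# Added example (not from the post): VPC sizing and pool fit for the IPAM Spoke Product.
import ipaddress
import math

VPC_SIZES = {"small": 256, "medium": 512, "large": 1024}   # address counts from the post


def vpc_prefix_len(size):
    """256 addresses -> /24, 512 -> /23, 1024 -> /22."""
    return 32 - int(math.log2(VPC_SIZES[size]))


def plan_spoke_vpc(pool_cidr, size, number_of_azs, already_allocated=()):
    """Choose the first free VPC CIDR of the requested size in the pool and carve one
    subnet per AZ. Raises ValueError when the request cannot be satisfied."""
    if not 2 <= number_of_azs <= 4:
        raise ValueError("pNumberOfAZs must lie between two and four")
    pool = ipaddress.ip_network(pool_cidr)
    prefix = vpc_prefix_len(size)
    if prefix < pool.prefixlen:
        raise ValueError(f"a {size} VPC (/{prefix}) is larger than pool {pool}")
    taken = [ipaddress.ip_network(c) for c in already_allocated]
    vpc = next((c for c in pool.subnets(new_prefix=prefix)
                if not any(c.overlaps(t) for t in taken)), None)
    if vpc is None:
        raise ValueError(f"pool {pool} has no free /{prefix} left")
    # One subnet per AZ; an AZ count that is not a power of two leaves a spare subnet.
    subnet_prefix = prefix + math.ceil(math.log2(number_of_azs))
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))[:number_of_azs]
    return {"vpc": str(vpc), "subnets": [str(s) for s in subnets]}


def can_allocate(pool_cidr, size, number_of_azs, already_allocated=()):
    """True when plan_spoke_vpc would succeed with these inputs."""
    try:
        plan_spoke_vpc(pool_cidr, size, number_of_azs, already_allocated)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the post's us-east-1 production pool and a larger /22 pool.
    print(plan_spoke_vpc("10.0.1.0/24", "small", 2))
    print(can_allocate("10.0.1.0/24", "large", 2))
    print(plan_spoke_vpc("10.0.0.0/22", "medium", 3, already_allocated=["10.0.0.0/23"]))
```

When sizing the environment pools in Step 3, work backwards from the number and size of spoke VPCs each Region needs, since the spoke product can only draw CIDRs that the pool still has free.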
Cleanup steps
All the resources deployed through CloudFormation templates should be deleted after successful testing and validation to avoid any unwanted costs.
- Go to the Service Catalog console, identify the Provisioned Products from the left navigation pane, and terminate the product. This terminates the corresponding CloudFormation stacks on your behalf.
- Go to the CloudFormation console, identify the stack used to deploy the Service Catalog Portfolio, and delete it.
- In spoke accounts, you can shut down the provisioned AWS Service Catalog product(s), which would terminate the corresponding CloudFormation stacks on your behalf.
Note that in a multi-account setup, you must navigate across account boundaries and follow the previous steps in every account where products were deployed.
Conclusion
In this blog post, we demonstrated how to deploy AWS VPC IPAM programmatically using AWS Service Catalog. The AWS Service Catalog includes the IPAM portfolios and products, which can be created using the provided CloudFormation templates. We also demonstrated how to create IPAM pools for different Regions from a single resource definition using CloudFormation Macros, thereby eliminating the need to duplicate resources manually in the CloudFormation templates.