Networking & Content Delivery

Build scalable IPv4 addressing with AWS NAT gateway in regional availability mode, Amazon VPC IPAM policies and Prefix Lists

Today, AWS announced two new features that work together to simplify how you manage public IPv4 addresses at scale: AWS NAT gateway in regional availability mode and Amazon VPC IP Address Manager (IPAM) policies that define a public IPv4 allocation strategy. NAT gateway in regional availability mode automatically expands and contracts across availability zones following your workload footprint, while IPAM policies allow you to centrally define and enforce rules for public IPv4 address allocation on AWS regions across your organization. In addition, by leveraging the recently launched IPAM integration with AWS prefix lists, you can simplify client and partner IPv4 allowlisting workflows.

In this post, we show how NAT gateway in regional availability mode and IPAM policies with prefix lists integration simplify public IPv4 address management at scale. These features eliminate the operational overhead of managing NAT infrastructure across multiple availability zones, provide centralized control over IP allocation strategies, and automate partner allowlisting through IPAM prefix list integration.

Whether you’re looking to streamline operations for large-scale deployments with Amazon-provided contiguous IPv4 blocks or Bring Your Own IPv4 (BYOIPv4), or simplify security management with clients and third-party providers, this post demonstrates how these capabilities streamline operations, simplify configuration, and reduce manual coordination.

Prerequisites

We assume you’re familiar with networking constructs on AWS, including Amazon VPC, NAT gateway, Elastic IP addresses, AWS prefix lists and AWS Resource Access Manager (RAM). We do not focus on defining these services in detail, but we do outline their capabilities and how they work together to enable scalable public IPv4 addressing. We also assume you have a basic understanding of IPAM concepts, including IPAM pools and public IP management. For additional background on IPAM, we recommend reviewing the IPAM documentation. If you plan to use AWS Organizations to enforce IPAM policies across multiple accounts, familiarity with Organizations policies and organizational units will be helpful.

How it works

Managing public IPv4 addresses across a large AWS deployment presents several operational challenges. As workloads expand to new availability zones, you need to provision additional NAT gateways, create public subnets, and update route tables. Historically, when working with clients or third-party providers that require IP allowlisting, you had to manually track and share IP address ranges, then coordinate updates whenever addresses change. For organizations using Amazon-assigned public IPv4 addresses or BYOIPv4 to facilitate contiguous IP assignments, ensuring that all resources consistently use addresses from the correct pools required ongoing coordination with application teams.

NAT gateway in regional availability mode addresses the infrastructure management challenge by automatically scaling across availability zones as your workload footprint changes. You create a single NAT gateway in regional availability mode for your VPC, and it handles the complexity of multi-AZ expansion without requiring public subnets or additional route table management. IPAM policies for public IPv4 allocation provide centralized control over which IP addresses your resources use. You can define allocation strategies that ensure resources always draw from specific IPAM pools, whether those contain Amazon-provided contiguous IPv4 blocks or BYOIPv4 addresses. This eliminates the need to rely on individual application teams to follow best practices. IPAM prefix list automation tracks contiguous address blocks allocated from your IPAM pool and automatically maintains a managed prefix list with those CIDRs, which you can share with partners via AWS Resource Access Manager. As your NAT gateway in regional availability mode scales and uses additional addresses, the prefix list updates automatically, and partner security constructs reflect the changes without manual coordination.

You start by creating a public-scoped IPAM pool containing either Amazon-provided public IPv4 blocks or BYOIPv4 CIDRs. For partner allowlisting scenarios, provision contiguous address blocks to minimize prefix list entries. Next, create an IPAM policy that maps NAT gateway in regional mode public IPv4 address allocation to your designated pool, with optional Amazon address overflow for capacity safety. Attach this policy to your AWS organization, organizational unit, or specific accounts to enforce it across your desired scope. When you create a NAT gateway in regional availability mode, it automatically requests public IPv4 addresses based on your IPAM policy, drawing from the designated pool. As the NAT gateway expands to new availability zones following your workload footprint, it continues allocating addresses from the same pool. You configure IPAM prefix list automation to track the contiguous blocks used in your pool, and IPAM automatically updates a managed prefix list with those CIDRs. Then, you can share the prefix list with partners or end clients via AWS RAM. They can reference this list in their security group rules or AWS Web Application Firewall (WAF) configurations, eliminating the need for manual coordination.
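To make the chain above concrete, here is an added Python model of it; this is illustration only, not the IPAM service, the NAT gateway, or any AWS API. The pool ID, the CIDRs (TEST-NET documentation ranges) and the assumption that each expansion of the NAT gateway consumes one public IPv4 address are constructed for the example. It implements the three pieces the section describes: a policy rule that maps RNAT requests in a locale to a contiguous pool, Amazon-provided overflow once that pool is exhausted, and a resolver rule that exposes only the pool's CIDRs in the prefix list that partners allowlist.

```python
"""Model of the allocation chain: IPAM policy rule -> pool (with overflow) -> prefix list.

Added illustration only: not the IPAM service, the NAT gateway, or any AWS API.
Pool ID, CIDRs and the one-address-per-expansion assumption are constructed.
"""
import ipaddress
import itertools
from dataclasses import dataclass, field


@dataclass
class IpamPool:
    """A public-scope pool holding contiguous blocks (Step 1 of the walkthrough)."""
    pool_id: str
    cidrs: list[str]
    assigned: set = field(default_factory=set)

    def capacity(self) -> int:
        # Assumption: every address of a public /29 block is allocatable.
        return sum(ipaddress.ip_network(c).num_addresses for c in self.cidrs)

    def percent_assigned(self) -> float:
        # Same meaning as the PercentAssigned pool metric discussed later in the post.
        return 100.0 * len(self.assigned) / self.capacity()

    def allocate(self):
        """Hand out the lowest free address, or None when the pool is exhausted."""
        for cidr in self.cidrs:
            for addr in ipaddress.ip_network(cidr):
                if addr not in self.assigned:
                    self.assigned.add(addr)
                    return addr
        return None


@dataclass
class PolicyRule:
    """One IPAM policy rule: (locale, resource type) -> pool, with optional overflow."""
    locale: str
    resource_type: str
    pool: IpamPool
    amazon_overflow: bool = True


class IpamPolicy:
    """Rules are evaluated in order; the first rule matching the request wins."""

    def __init__(self, rules, amazon_provided):
        self.rules = rules
        self.amazon_provided = amazon_provided  # iterator of fallback addresses (constructed)

    def allocate(self, resource_type, locale):
        for rule in self.rules:
            if rule.resource_type == resource_type and rule.locale == locale:
                addr = rule.pool.allocate()
                if addr is not None:
                    return addr, "pool"
                if rule.amazon_overflow:
                    return next(self.amazon_provided), "amazon-overflow"
                raise RuntimeError(f"pool {rule.pool.pool_id} exhausted and overflow disabled")
        # No rule matched: behaves as if no policy existed.
        return next(self.amazon_provided), "no-rule"


def resolve_prefix_list(pools, pool_id, max_entries):
    """Resolver rule 'IPAM pool CIDR' with condition 'IPAM pool ID equals pool_id'."""
    entries = [c for p in pools if p.pool_id == pool_id for c in p.cidrs]
    if len(entries) > max_entries:
        raise ValueError("prefix list Max entries is too small for the pool's blocks")
    return entries


def is_allowlisted(addr, entries):
    """The check a partner's security group rule referencing the shared list performs."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in ipaddress.ip_network(e) for e in entries)


def simulate(expansions):
    """Expand a regional NAT gateway `expansions` times, one address per expansion (assumption)."""
    pool = IpamPool("ipam-pool-EXAMPLE", ["198.51.100.8/29"])  # constructed ID, TEST-NET-2 block
    fallback = (ipaddress.ip_address("203.0.113.0") + i for i in itertools.count(1))
    policy = IpamPolicy([PolicyRule("us-east-1", "RNAT", pool)], fallback)
    allocations = [policy.allocate("RNAT", "us-east-1") for _ in range(expansions)]
    entries = resolve_prefix_list([pool], pool.pool_id, max_entries=10)
    return {
        "from_pool": sum(1 for _, src in allocations if src == "pool"),
        "from_overflow": sum(1 for _, src in allocations if src == "amazon-overflow"),
        "percent_assigned": pool.percent_assigned(),
        "prefix_list": entries,
        "not_allowlisted": [str(a) for a, _ in allocations if not is_allowlisted(a, entries)],
    }


if __name__ == "__main__":
    print(simulate(10))
```

Running `simulate(10)` against an 8-address /29 shows the caveat a practitioner wants to see: the two overflow addresses keep the NAT gateway working, but they are Amazon-provided addresses outside the pool, so the resolver never adds them to the prefix list and the partner-side check rejects them. Overflow is a safety net for availability, not for allowlisting, which is why pool utilization needs an alarm well before it reaches 100 percent.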

Addressing centralized and distributed egress architectures

Distributed egress

Each application VPC has its own NAT gateway in regional availability mode. All NAT gateways use addresses from the same contiguous IPAM pool through IPAM policy enforcement. You create an IPAM policy that maps Elastic IP address allocation to your contiguous IPAM pool and attach it to your AWS Organization. When application teams create NAT gateways in their VPCs, those gateways automatically use addresses from the designated pool without requiring coordination with the network team. The IPAM-managed prefix list reflects all contiguous blocks used across your organization, which you share with partners who can allowlist your entire organization’s egress traffic through one security construct. This provides distributed egress for scale and performance while maintaining centralized control over addressing and client or partner relationships.

Centralized egress

You can deploy a centralized egress VPC with a NAT gateway in regional availability mode that serves multiple application VPCs. Application VPCs connect to the egress VPC via AWS Transit Gateway or AWS Cloud WAN. Outbound traffic flows through the transit gateway to the egress VPC, where the NAT gateway performs network address translation using Elastic IP addresses from your IPAM pool. The NAT gateway uses addresses from a contiguous IPAM pool, and those addresses are automatically reflected in a managed prefix list that you share with partners. This architecture provides centralized control over egress traffic, simplified client and partner allowlisting through automation, and cost optimization when using BYOIPv4 addresses.

Walkthrough

In this walkthrough, we create a NAT gateway in regional availability mode that uses addresses from a contiguous IPAM pool, configure IPAM policies to enforce this allocation strategy, and set up automated prefix list updates for partner allowlisting.

Before you begin, you need:

  • An AWS account with appropriate AWS Identity and Access Management (IAM) permissions for VPC, IPAM, and AWS RAM.
  • A VPC where you will deploy the NAT gateway in regional availability mode.
  • An IPAM in Advanced Tier mode.
  • (Optional) AWS Organizations configured if you want to enforce policies across multiple accounts.

Step 1: Create an IPAM pool with contiguous addresses

First, create a public-scoped IPAM pool that will provide addresses for your NAT gateway in regional availability mode. Navigate to the VPC console and choose your existing IPAM or create a new IPAM. Create a new pool with the following settings:

  • Scope: Public
  • Address family: IPv4
  • Provision an IPv4 CIDR to the pool: We chose Amazon-provided CIDR with a /29 network mask. You can also use BYOIPv4. If you need a larger contiguous IPv4 block, you can request a service quota increase.

Figure 1: IPAM public scope pool for NAT gateway in regional availability mode public IPv4 addresses

Step 2: Create an IPAM policy

Next, create an IPAM policy that defines how public IPv4 addresses should be allocated to your NAT gateway in regional availability mode. The policy supports multiple rules evaluated in order. You can create sophisticated allocation strategies with different pools for different resource types or tags. The following screenshot shows the IPAM policy creation steps. Configure:

  • Policy name (e.g., RNAT-Policy)
  • IPAM ID: your IPAM ID

Figure 2: IPAM policy for public IPv4 addresses allocation to NAT gateways in regional availability

Step 3: Add an IPv4 allocation rule to the IPAM policy

Within the IPAM policy, create an IP allocation rule for NAT gateway in regional availability mode. Choose:

  • Locale: Region where the policy should apply
  • Resource type: RNAT (Regional Network Address Translation)
  • Rule: Choose the pool to be used by IPAM for IP allocations

Figure 3: IPAM policy rule for public IPv4 address allocation to NAT gateways in regional availability mode

Step 4: Configure IPAM prefix list automation

Configure IPAM to automatically maintain a prefix list with the contiguous blocks from your pool. In the IPAM console, enable prefix list automation for your pool and specify the prefix list to manage. IPAM automatically adds entries to the prefix list as addresses from contiguous blocks are allocated.

4.1. Create an AWS prefix list

Navigate to the VPC console and choose Managed prefix lists. Choose Create prefix list and configure:

  • Name: a name for your prefix list (e.g., Prefix-list-for-allowlisting-RNAT)
  • Max entries: the maximum number of prefix list entries, sized for how many Amazon-assigned contiguous IPv4 blocks you have or plan to have in your IPAM pool
  • Address family: IPv4

Figure 4: AWS prefix list creation

Choose Create prefix list.

4.2. Create prefix list resolver

Navigate in the VPC IPAM Console to Prefix list resolvers and choose Create prefix list resolver. Configure:

  • Address family: IPv4
  • Name: A name for your IPAM managed prefix list (e.g., RNAT-EIPs-prefix-list)
  • (Optional) Description: Add a relevant description

Figure 5: IPAM prefix list resolver

Choose Next to configure the rule by which IPAM populates the prefix list. Configure:

  • Rule type: IPAM pool CIDR
  • IPAM scope: Your IPAM public scope ID

Then choose Add new condition and configure:

  • Property: IPAM pool ID
  • Operation: Equals
  • Value: Your IPAM pool ID for NAT in regional availability mode created in Step 1

Figure 6: IPAM prefix list resolver rule configuration

Review and validate your configuration:

Figure 7: IPAM prefix list resolver rule configuration validation

Then choose Validate and create.

4.3. Associate the IPAM prefix list resolver with the prefix list

Check that the prefix list resolver creation is complete, as shown in the following screenshot, and observe that no Targets are configured:

Figure 8: IPAM prefix list resolver rule details

Choose Create target and configure:

  • Region: the region of your prefix list and IPAM policy
  • Prefix list: Choose the prefix list ID you created at Step 4.1.
  • Version tracking method: Keep the default Always track latest version

Figure 9: IPAM prefix list resolver rule target

Step 5: Create a NAT gateway in regional availability mode

Navigate to the VPC console and create a NAT gateway with the following settings:

  • Availability mode: Regional
  • VPC: Choose your VPC
  • IP address allocation: Automatic (the NAT gateway will use your IPAM policy)

The NAT gateway in regional availability mode automatically expands to availability zones where you have active workloads, and requests Elastic IP addresses based on your IPAM policy, drawing from the designated pool.

Figure 10: Create NAT gateway in regional availability mode

Next, update the route tables of your private subnets to direct internet-bound traffic to the NAT gateway in regional availability mode. In each route table, create a route for destination 0.0.0.0/0 with the target set to the ID of the NAT gateway in regional availability mode.

Step 6: Verify configuration

After you create the target, verify the prefix list sync is complete, as shown in the following screenshot:

Figure 11: Verify AWS prefix list automatic updates via the IPAM prefix list resolver

Select the prefix list ID to view the IPAM pool CIDRs automatically populated in the prefix list:

Figure 12: AWS prefix list automatic updates via the IPAM prefix list resolver

Step 7: Share the prefix list using AWS RAM

Use AWS Resource Access Manager to share the managed prefix list with your partner’s AWS account. Your partner can then reference this prefix list in their security group rules or AWS WAF configurations. As your NAT gateway in regional availability mode scales and uses additional addresses, the prefix list updates automatically. Navigate to the AWS RAM console and choose Create resource share. Choose the prefix list to share and the accounts, AWS Organizations, or organizational units you want to share the prefix list with. The recipient accounts need to accept the share unless it is accepted automatically because sharing with AWS Organizations is enabled in AWS RAM.

Monitoring and operations

  • Monitoring IPAM pool utilization: IPAM provides Amazon CloudWatch metrics for pool utilization, including the `PercentAssigned` metric that shows how much of your pool capacity is in use. Set up CloudWatch alarms to notify you when pools approach capacity, allowing you to provision additional CIDRs before the pool is depleted. When you enable Amazon address overflow in your IPAM policy, resources automatically fall back to Amazon-provided addresses when your pool is full, ensuring service continuity while you expand capacity.
  • Tracking NAT gateway in regional availability mode expansion: NAT gateway in regional availability mode emits CloudWatch metrics for each availability zone where it operates. You can monitor metrics like `ActiveConnectionCount`, `BytesInFromDestination`, and `BytesOutToDestination` per AZ to understand your traffic patterns.
  • Viewing public IP usage with Public IP Insights: IPAM Public IP Insights provides visibility into your public IPv4 address usage across AWS services. With IPAM policies, you gain additional capability to view resources using addresses from specific IPAM pools or specific CIDRs within pools.
  • Managing prefix list updates: IPAM automatically updates your managed prefix lists as addresses are allocated from or released to contiguous blocks in your pools. You can view prefix list entries in the VPC console and track changes through AWS CloudTrail.
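The operational question behind these bullets is whether the addresses your NAT gateway actually uses match what the shared prefix list says. The following added Python example (not from this post or from any AWS tooling) shows the partner-side audit: it parses VPC Flow Log records in the default format and classifies inbound flows to the allowlisted port by whether the source falls inside the shared prefix list. The flow log lines, the prefix list entry and all addresses are constructed (TEST-NET ranges); the ENI and account IDs are placeholders.

```python
"""Partner-side audit of a shared prefix list against VPC Flow Logs.

Added example, not part of this post or of any AWS tooling. Records are
constructed in the default flow log format (version 2 fields); all addresses
are TEST-NET documentation ranges, and IDs are placeholders.
"""
import ipaddress
from collections import Counter

# Entries the customer's IPAM prefix list resolver populated (constructed).
SHARED_PREFIX_LIST = ["198.51.100.8/29"]

# Constructed flow log records from the partner's endpoint ENI. Fields follow
# the default format: version account-id interface-id srcaddr dstaddr srcport
# dstport protocol packets bytes start end action log-status.
FLOW_LOG_LINES = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.5 51234 443 6 12 3090 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.14 10.0.1.5 51235 443 6 9 2210 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.1 10.0.1.5 51236 443 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 192.0.2.77 10.0.1.5 40000 443 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()


def parse_flow_log(text):
    """Yield one dict per record, skipping NODATA/SKIPDATA records that carry no addresses."""
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("log-status") != "OK":
            continue
        yield rec


def in_prefix_list(addr, entries):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e) for e in entries)


def audit(text, entries, expected_port=443):
    """Count inbound flows to the allowlisted port by (in prefix list, action).

    The cell to watch is (False, "REJECT"): a source that is not covered by the
    shared list. It may be the customer's NAT gateway using an Amazon-provided
    overflow address, a prefix list version not yet picked up, or unrelated
    traffic; the distinct sources are the starting point for that follow-up.
    """
    counts = Counter()
    for rec in parse_flow_log(text):
        if rec["dstport"] != str(expected_port):
            continue
        counts[(in_prefix_list(rec["srcaddr"], entries), rec["action"])] += 1
    return counts


def uncovered_sources(text, entries, expected_port=443):
    """Distinct rejected sources outside the prefix list, sorted for reporting."""
    return sorted({rec["srcaddr"] for rec in parse_flow_log(text)
                   if rec["dstport"] == str(expected_port)
                   and rec["action"] == "REJECT"
                   and not in_prefix_list(rec["srcaddr"], entries)})


if __name__ == "__main__":
    print(audit(FLOW_LOG_LINES, SHARED_PREFIX_LIST))
    print(uncovered_sources(FLOW_LOG_LINES, SHARED_PREFIX_LIST))
```

The audit cannot tell an overflow address from unrelated traffic on its own; the customer correlates the uncovered sources with the addresses shown for their NAT gateway and with the pool's `PercentAssigned` metric. A non-empty uncovered list that includes the customer's own addresses is the signal that the pool is full and the allowlist is silently dropping legitimate egress.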

Benefits

NAT gateway in regional availability mode with IPAM policies creates an automated workflow for managing public IPv4 addresses at scale. This delivers the following benefits:

  • Automated client and partner IPv4 allowlisting end-to-end: When you combine NAT gateway in regional availability mode with IPAM policies and IPAM prefix list automation, you create a fully automated allowlisting workflow. Your NAT gateway in regional availability mode automatically uses contiguous IP blocks from your designated IPAM pool, those blocks are reflected in managed prefix lists, and partners can reference those lists in their security constructs. As your infrastructure scales across availability zones, the entire chain updates automatically without manual intervention.
  • Consistent addressing across dynamic infrastructure: NAT gateway in regional availability mode automatically expands and contracts across availability zones following your workload footprint. By enforcing IPAM policies, you ensure that all IP addresses used by the NAT gateway come from your designated contiguous IPAM pool, regardless of which availability zones are active. This consistency simplifies partner relationships and security management as your infrastructure changes.
  • Simplified operational model: The integration eliminates multiple layers of manual coordination. You no longer need to provision NAT gateways per availability zone, track which IP addresses are in use, manually update prefix lists, or notify partners when addresses change. IPAM policies ensure the right addresses are used, NAT gateway in regional availability mode handles the infrastructure scaling, and prefix list automation keeps security constructs current.
  • Cost optimization with automated BYOIPv4 enforcement: For organizations using BYOIPv4 to reduce AWS public IPv4 charges, IPAM policies ensure NAT gateways in regional availability mode consistently use addresses from BYOIPv4 pools as they scale. The Amazon-provided address overflow option provides a safety net if your pool approaches capacity, allowing operations to continue while you provision additional addresses.
  • Reduced security management complexity: Instead of managing individual IP addresses or large CIDR blocks in partner allowlists, the integration allows you to share a single managed prefix list that automatically reflects your contiguous address blocks. Partners configure their security groups or AWS WAF rules once, using the prefix lists you share with them, and updates propagate automatically as your NAT gateway in regional availability mode scales.

Cleanup

To avoid incurring ongoing charges, delete the NAT gateway in regional availability mode from the VPC console, remove the IPAM policy attachment from your AWS Organizations policy, and delete the IPAM pool (if no longer needed), the test IPAM, and any AWS RAM shares associated with the managed prefix list.

Best practices and considerations

  • Plan for expansion time: NAT gateway in regional availability mode takes 15-20 minutes on average to expand to new availability zones. Plan your workload deployments accordingly, or manually provision availability zones in advance if you need immediate coverage.
  • Service integration: At launch, IPAM policies support Elastic IP addresses and NAT gateway in regional availability mode. We’re adding additional service integrations over time.
  • Existing resource migration: Resources that already have Amazon-provided public IPv4 addresses can migrate to using addresses from IPAM pools. For Elastic IP addresses and most services offering static addresses, this is an opt-in operation to avoid disrupting existing allowlist configurations.

Conclusion

NAT gateway in regional availability mode and IPAM policies for public IPv4 allocation work together to simplify how you manage public addressing at scale. NAT gateway in regional availability mode eliminates the operational complexity of multi-AZ NAT infrastructure by automatically expanding and contracting with your workload footprint. IPAM policies provide centralized control over IP allocation strategies, ensuring resources consistently use addresses from designated pools without requiring coordination with application teams. The integration with IPAM prefix list automation creates an end-to-end solution for partner allowlisting. Your NAT gateway in regional availability mode automatically uses contiguous blocks from your IPAM pool, those blocks are reflected in managed prefix lists, and partners can reference those lists in their security constructs. As your infrastructure scales, the entire chain updates automatically. To get started, visit the Amazon VPC documentation for NAT gateway in regional availability mode and IPAM policies. If you have questions about this post, start a new thread on AWS re:Post or contact AWS Support.

About the authors

Alexandra Huides

Alexandra Huides is a Principal Networking Specialist Solutions Architect in the AWS Networking Services product team at Amazon Web Services. She focuses on helping customers build and develop networking architectures for highly scalable and resilient AWS environments. Alex is also a public speaker for AWS, and is helping customers adopt IPv6. Outside work, she loves sailing, especially catamarans, traveling, discovering new cultures, running and reading.

Adi Santhanam

Aditya Santhanam is a Principal Product Manager at AWS in the AWS Networking Services product team. He is passionate about improving the AWS cloud networking experience and accelerating IPv6 adoption across various customer verticals. Before joining AWS, he spent over a decade working in the areas of Telco Cloud, Content Delivery Networks and Cybersecurity. In his spare time, he likes to spend time with his family and enjoys outdoor activities.