Bring Your Own IP
(AWS-BYOIP)
by Lee Howard
AWS to Charge for IPv4
On Friday, July 28, 2023, AWS announced they would begin charging for every IPv4 address an account is allocated or using on the platform, starting February 1, 2024. That’s a change from the current scheme, which only charges you for addresses you reserve but aren’t using, or if you reassign the same address over a hundred times a month.
The rate is $0.005 per hour per IP. Assuming 30 ½ days per month, the cost of a single IP is $3.66 per month. If you only have one address, that’s a minor increase to your monthly AWS bill. However, some enterprises and universities have moved hundreds of systems to the cloud. With current IPv4 prices for small blocks in the low $30s per address, buying a /24 (256 addresses) pays for itself in less than a year.
AWS also encouraged users to consider, “accelerating your adoption of IPv6.”
How to Discover Your Use
To see how many IPv4 addresses you’re using on AWS, log into the console, under your name on the top right choose Billing > Cost & usage reports > Create Report, enter a Report name, check Include resource IDs, Next. Choose an S3 bucket or create a new one. You may have to wait up to 24 hours to see your report under “Cost and Usage Reports.”
Warning: scary technical content follows!
How to BYOIP
After you buy your /24, here’s how you get started using it. AWS has a free way to Bring Your Own IP (BYOIP):
- Create a ROA. In ARIN, the easiest way is to log into ARIN Online > Routing Security > RPKI, then next to your OrgID choose Sign up for RPKI, Sign up for Hosted, Hosted Certificate, agree to RPKI Terms, Submit. Then Manage ROAs > Create ROA, and enter the ASN for AWS (16509 and 14618, you need both), your Prefix (IP address block), and Max Length (24, usually). Then Next > Submit.
- Create a key pair for AWS authentication, if you don’t already have one. You will need a Unix-like command line for this (such as a free EC2 instance on AWS):
$ openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem
- Choose a password
$ openssl rsa -in private-key.pem -pubout > public-key.pem
$ openssl req -new -x509 -key private-key.pem -days 365 | tr -d "\n" > certificate.pem
- Add that public certificate to the open text section of Whois. For ARIN, go back to ARIN Online > IP Addresses > Manage Networks, find your block, Actions > Modify
- From the Unix console, run cat certificate.pem
- Copy everything, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Paste that into the Public Comments section, Save.
- Using the AWS Command Line Interface (AWS CLI) – there’s no other way, so install aws-cli if you need to – provision the block:
- Find your AWS account number; from console.aws.amazon.com, click the name at the top right, and record the numbers after “My Account”
- Create an environment variable called text_message to store your authorization message, using your account number and block:
text_message="1|aws|123456789012|192.0.2.0/24|20241201|SHA256|RSAPSS"
- Similarly, create an environment variable to hold that message signed with your private key:
signed_message=$( echo -n "$text_message" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
- Provision the block:
aws ec2 provision-byoip-cidr --cidr 192.0.2.0/24 --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region us-east-1
- Wait for AWS to complete the provisioning. It could take up to a week, but might take as little as a few hours. Run
aws ec2 describe-byoip-cidrs --max-results 5 --region us-east-1
to look for the block.
- Tell AWS to advertise the addresses so the rest of the Internet can reach them:
aws ec2 advertise-byoip-cidr --cidr 192.0.2.0/24 --region us-east-1
The whole process, except waiting for AWS to provision, should take less than 20 minutes. The commands above should be pasted exactly, after replacing the sample values (such as the account number 123456789012 and the block 192.0.2.0/24) with your own.
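The signing pipeline above is easy to get subtly wrong (a stray newline, the wrong padding mode, a mistyped account number), and a bad authorization only surfaces after AWS finishes provisioning, which can take up to a week. The script below is an added example, not part of the original post and not AWS tooling: it builds the text_message string in the format the post uses, sanity-checks the three values you substitute, signs it with the same RSA-PSS/SHA-256 parameters and character mapping, and then verifies the signature locally against public-key.pem before anything is handed to the AWS CLI. It assumes the OpenSSL CLI is on PATH; the account number, block and date are constructed sample values, and the throwaway key is generated without a passphrase so the script runs unattended (the post’s own key is protected with -aes256).

```shell
#!/bin/sh
# Added example (not from the original post): build, sign and locally verify the
# BYOIP authorization message before passing it to `aws ec2 provision-byoip-cidr`.
# Assumes the OpenSSL CLI is on PATH. The account number, block and date used in
# the demo are constructed sample values; the key is generated without a
# passphrase so this runs unattended (the post's own key uses -aes256).
set -eu

# Build the message in the format the post uses:
#   1|aws|<12-digit account>|<CIDR>|<expiry YYYYMMDD>|SHA256|RSAPSS
# and reject the substitutions that are easiest to get wrong.
build_text_message() {
    account="$1"; cidr="$2"; expiry="$3"
    case "$account" in *[!0-9]*|"") echo "account must be digits only" >&2; return 1;; esac
    [ "${#account}" -eq 12 ] || { echo "account must be 12 digits" >&2; return 1; }
    case "$expiry" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "date must be YYYYMMDD" >&2; return 1;;
    esac
    plen="${cidr##*/}"
    case "$plen" in *[!0-9]*|"") echo "block must be written as a.b.c.d/len" >&2; return 1;; esac
    # AWS accepts a /24 or larger as the most specific IPv4 block you can bring.
    [ "$plen" -le 24 ] || { echo "block must be /24 or larger" >&2; return 1; }
    printf '1|aws|%s|%s|%s|SHA256|RSAPSS' "$account" "$cidr" "$expiry"
}

# Sign exactly as the post does: RSA-PSS over SHA-256 with the salt length equal
# to the digest length, base64 with + / = mapped to - _ ~, and no newlines.
# $1 = private key file, $2 = message.
sign_message() {
    printf '%s' "$2" \
        | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
              -sign "$1" -keyform PEM \
        | openssl base64 | tr -- '+=/' '-_~' | tr -d '\n'
}

# Undo the character mapping, then verify against the public key with the same
# PSS parameters. Returns 0 only when the signature matches the message.
# $1 = public key file, $2 = message, $3 = signature as produced by sign_message.
verify_signature() {
    pub="$1"; msg="$2"; sig="$3"
    sigfile=$(mktemp)
    printf '%s' "$sig" | tr -- '-_~' '+=/' | openssl enc -d -base64 -A > "$sigfile"
    if printf '%s' "$msg" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss \
           -sigopt rsa_pss_saltlen:-1 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
        rm -f "$sigfile"; return 0
    fi
    rm -f "$sigfile"; return 1
}

# Demo on a throwaway key: the same steps you would run before the aws command.
workdir=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/private-key.pem" 2>/dev/null
openssl rsa -in "$workdir/private-key.pem" -pubout -out "$workdir/public-key.pem" 2>/dev/null

text_message=$(build_text_message 123456789012 192.0.2.0/24 20241201)   # constructed sample values
signed_message=$(sign_message "$workdir/private-key.pem" "$text_message")
verify_signature "$workdir/public-key.pem" "$text_message" "$signed_message"
echo "message:   $text_message"
echo "signature: $signed_message"
echo "local verification passed; both values are ready for aws ec2 provision-byoip-cidr"
rm -rf "$workdir"
```

To use it against your real key, point sign_message at the passphrase-protected private-key.pem from the post (OpenSSL will prompt for the passphrase) and verify_signature at the public-key.pem you pasted into Whois; if the local check fails, the problem is in the message or the key material, not on the AWS side, and you have saved yourself a week of waiting.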