Learn2Skills for AWS Community Builders

Bring Your Own IP Address to the Cloud

Bring your own IP
Easily migrate to AWS with your public IPv4 addresses
Keep your IP address reputation. Avoid changes to IP address whitelists. Move legacy applications with no need to change IP addresses.

Migration
Avoid IP address changes to applications when you migrate to the AWS Cloud.

Prerequisite

  1. The address range must be registered with your regional internet registry (RIR).
  2. Supported RIRs include the American Registry for Internet Numbers (ARIN) and RIPE.

Preparing your IP range
Authorization- Create an ROA to authorize Amazon ASNs 16509 and 14618 to advertise your address range.

ROA- An ROA (Route Origin Authorization) is a cryptographically signed object that states which autonomous system (AS) is authorized to originate a particular IP address prefix or set of prefixes. ROAs may only be generated for Internet number resources covered by your resource certificate.

To get an ROA
ARIN:
https://www.arin.net/resources/rpki/roarequest.html

RIPE:
https://www.ripe.net/manage-ips-and-asns/resourcemanagement/certification/resource-certification-roamanagement

Authentication- Generate an RSA 2048-bit key pair
openssl genrsa -out private.key 2048

Create a signed message.
Example:
1|aws|account|cidr|YYYYMMDD|SHA256|RSAPSS

The following command signs the message using the key pair you created and saves the result as base64_urlsafe_signature:

echo "1|aws|123456789012|198.51.100.0/24|20191201|SHA256|RSAPSS" | tr -d "\n" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private.key -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n" > base64_urlsafe_signature

Update the RDAP record for your RIR with the X.509 certificate.
Be sure to copy the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from the certificate.

To view your certificate, run the following command:
cat publickey.cer

For ARIN, add the certificate in the "public comments" section for your address range.

For RIPE, add the certificate as a new "descr" field for your address range.
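
A local round-trip check of the signing step above, as an added example that is not part of the original post: it signs the post's sample message the same way, then reverses the URL-safe encoding and verifies the signature with the matching public key. The function names and the throwaway demo key pair are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# account ID, CIDR and date are the post's sample values.

# Print the URL-safe signature of message $1 made with PEM private key $2.
byoip_sign() {
  # printf '%s' emits no trailing newline, like `echo ... | tr -d "\n"` in the post.
  printf '%s' "$1" |
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
      -sign "$2" -keyform PEM |
    openssl base64 -A | tr -- '+=/' '-_~'
}

# Return 0 if signature $2 over message $1 verifies under PEM public key $3.
byoip_verify() (
  sig_file=$(mktemp) || exit 2
  # Undo the character substitution, then decode back to the raw signature.
  printf '%s' "$2" | tr -- '-_~' '+=/' | openssl base64 -d -A > "$sig_file"
  printf '%s' "$1" |
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
      -verify "$3" -signature "$sig_file" >/dev/null 2>&1
  rc=$?
  rm -f "$sig_file"
  exit "$rc"
)

byoip_demo() (
  dir=$(mktemp -d) || exit 2
  # Throwaway key pair for the demo; use your real private.key in practice.
  openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
  openssl rsa -in "$dir/private.key" -pubout -out "$dir/public.pem" 2>/dev/null
  msg='1|aws|123456789012|198.51.100.0/24|20191201|SHA256|RSAPSS'
  sig=$(byoip_sign "$msg" "$dir/private.key")
  byoip_verify "$msg" "$sig" "$dir/public.pem" && echo "signature verifies"
  # A stray trailing newline changes the signed bytes, so verification fails.
  nl='
'
  byoip_verify "$msg$nl" "$sig" "$dir/public.pem" || echo "newline variant rejected"
  rm -rf "$dir"
)
byoip_demo
```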

More details- (BYOIP guide)

BYOIP Reference Architecture-1

BYOIP Reference Architecture-2

Refer- Reference Architecture
