Do you manage an AWS environment or build workloads on AWS? If so, you have probably heard that AWS announced charges for public IPv4 usage last year. Addressing this change isn't straightforward: it often requires re-architecting workloads or minimizing public IPv4 use.

Northwestern University attempted to tackle this challenge by bringing their own public IPv4 addresses into AWS. Matthew Rich, Manager of Cloud Systems Engineering at Northwestern, shares his experience in a brief write-up below. Notably, his write-up includes details about technical features and steps that have not yet made their way into the AWS docs.

If you’ve been experimenting with BYOIPv4, reach out and share your findings at tmanik@internet2.edu. We hope you enjoy the read below.

Prepared by Matthew Rich, 6/3/2024

In February 2024, Amazon began charging for all public IPv4 addresses in AWS accounts. From March through May 2024, Northwestern IT ran a project to determine whether Northwestern’s public IPv4 space could be assigned to AWS and used in customer accounts to avoid these charges. The project consisted of choosing a /24 CIDR range of Northwestern’s public IPv4 space, assigning it to AWS to advertise, implementing AWS IP Address Manager (IPAM) to manage the address pool in one AWS account, sharing a portion of the IP address pool to another account, and monitoring the cost of the solution.

Although the project team was able to get the solution to work, the expense, the limited potential savings, and the migration effort required make this solution not viable.

The primary reason is cost. The billing dimension for AWS IPAM, the service that must be used to manage BYOIP, is $0.00027/IP address/hour. If this included only the /24 range (256 addresses) assigned to AWS, that would be roughly $50/month. However, because IPAM was enabled in a “delegated administrator” account for the AWS organization, IPAM automatically discovers and manages all AWS accounts in the organization. The monthly cost for IPAM is therefore roughly $225/month.

In addition, there are limitations on how BYOIP addresses can be used in AWS. Namely, they can only be used for Elastic IP addresses (which are directly attached to individual virtual servers), NAT gateways, and network load balancers. The Northwestern AWS account with the highest monthly charges currently pays roughly $200/month for public IPv4 usage, but only about one quarter of that is for Elastic IPs and NAT gateways. They do not use network load balancers. Transitioning from AWS public IPv4 addresses to BYOIP addresses would mean multiple migrations with downtime, including for services which are no longer actively maintained by that team. The migration itself would entail more work than the cost savings could justify, even if there were cost savings to be realized.

Finally, the implementation of IP pool sharing in the AWS IPAM service necessitates dividing the top-level pool of 256 addresses into sub-pools that are shared to individual accounts. This would mean guessing at the size of the sub-pools to share to other accounts, and necessarily inefficient usage, since sub-pools are CIDR blocks: an account needing e.g. 10 IP addresses would have to be assigned a minimum of 16 (a /28).
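The two findings above (IPAM billing every managed address, and CIDR-sized sub-pools forcing over-allocation) can be checked before committing a /24. The following planner is an added example, not code from the write-up or from AWS: it carves one sub-pool per account from a parent pool, reports how many BYOIP addresses would sit idle, and estimates the IPAM charge using the $0.00027/IP/hour rate quoted above. The parent CIDR, per-account request counts, and the 730-hour month are assumptions.

```python
"""Added example: size IPAM sub-pools for a BYOIP /24 and estimate the
IPAM bill. Rates from the write-up; the account requests are constructed."""
import ipaddress
import math

IPAM_RATE_PER_IP_HOUR = 0.00027   # $/IP/hour, as quoted in the write-up
HOURS_PER_MONTH = 730             # assumption: common AWS billing convention


def minimal_prefix(needed: int, parent_prefix: int = 24) -> int:
    """Smallest CIDR prefix length whose block still holds `needed` addresses.
    Sub-pools are CIDR blocks, so 10 addresses cost a /28 (16 addresses)."""
    if needed < 1:
        raise ValueError("need at least one address")
    prefix = 32 - math.ceil(math.log2(needed))
    if prefix < parent_prefix:
        raise ValueError("request exceeds the parent pool")
    return prefix


def plan_subpools(requests: dict, parent: str = "203.0.113.0/24") -> dict:
    """Carve one sub-pool per account from `parent`, largest request first.
    Allocating in descending power-of-two sizes keeps every block aligned.
    Returns {account: (cidr, requested, allocated)}; raises if it won't fit."""
    net = ipaddress.ip_network(parent)
    base, cursor, plan = int(net.network_address), 0, {}
    for account, needed in sorted(requests.items(), key=lambda kv: -kv[1]):
        prefix = minimal_prefix(needed, net.prefixlen)
        size = 1 << (32 - prefix)
        if cursor + size > net.num_addresses:
            raise ValueError(f"{account}: parent pool exhausted")
        plan[account] = (str(ipaddress.ip_network((base + cursor, prefix))), needed, size)
        cursor += size
    return plan


def utilisation(plan: dict) -> float:
    """Fraction of the allocated BYOIP addresses that accounts actually asked for."""
    return sum(r for _, r, _ in plan.values()) / sum(a for _, _, a in plan.values())


def ipam_monthly_cost(managed_ips: int) -> float:
    """IPAM bills every address it manages, not only the BYOIP range."""
    return round(managed_ips * IPAM_RATE_PER_IP_HOUR * HOURS_PER_MONTH, 2)


if __name__ == "__main__":
    demo = {"prod": 100, "shared-services": 40, "dev": 10}   # constructed requests
    for acct, (cidr, req, alloc) in plan_subpools(demo).items():
        print(f"{acct:16} {cidr:18} requested {req:3} allocated {alloc:3}")
    print(f"utilisation {utilisation(plan_subpools(demo)):.0%}")
    print(f"IPAM for the /24 alone: ${ipam_monthly_cost(256)}/month")
```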

Northwestern IT should remove the assignment of the /24 public IP range from AWS and disable the IPAM service in its AWS organization. The feature set as built today does not offer any cost savings.

The Northwestern IT Cloud Operations team should continue to monitor public IPv4 usage in Northwestern AWS accounts and make customers aware of best practices for minimizing public IPv4 usage. Currently that means minimizing Elastic IP usage and consolidating multiple applications behind a single Application Load Balancer. In addition, as AWS makes service improvements, especially around the availability of IPv6 for its own managed services, the Cloud Operations team should keep the Northwestern public cloud community updated with new guidance and recommendations.