In companies, that I used to work, there were different ways to manage CIDRs:
Custom Internal Web portal - a custom web application that has the CIDRs and IPs of all subnets and servers. This was good, but was prone to errors. Wrong copy of a CIDR could lead to overlap. It may lack some advanced features and may require further development.You need to manage the CIDRs at two places - the portal and on the device, that needs to be configured. It is not centralised
Excel spreadsheet - this sounds ugly, but it is good enough small solutions, where you don't have more than 50 VPC CIDRs.You can have a rule for overlapping CIDRs to mark them in red. Again you need two manage everything at two places and is not centralised. You will also need a version control or centralised place to store it.
Confluence - better than excel in many ways.
CMDB - this is by far the best option and can scale easily. It is centralised and is single source of truth. You can use it to create VPCs and at same time it could be used for auditing CIDRs, that are given. There is a catch: the CMDB should not allow overlapping CIDRs in case of mistake like copying and pasting.
A possible solution for managing, tracking and monitoring IP addresses is Amazon VPC IP Address Manager, which lets us allocate CIDRs to VPC using specific business rules. If we have a networking account, the architecture could look like:
- We create Organization pool and divide it into different regions
- For each region we divide further into environments like production, preproduction and development
- A last split is used for the sub pool which is shared with the department or business unit and could be used for VPC creation. Resource Access Management is used for sharing sub pools with accounts or OU within the AWS Organization
This is useful approach for several reasons:
- A centralised view for auditing of IP addresses
- It is automated, so the clients (business units) could use part of the pull to create their footprint in the Cloud
- Monitor IP address space that's in use and monitor resources that are using space against business rules
- Enable cross-region and cross-account sharing of your Bring Your Own IP (BYOIP) addresses
- Organize IP address space into routing and security domains
- Provision Amazon-provided contiguous IPv6 CIDR blocks to pools for VPC creation
- Troubleshoot network connectivity issues
- Scale easily without overlapping CIDRs
- Automatically allocate CIDRs to VPCs using specific business rules
- View the history of IP address assignments in your organization
To illustrate how the picture will look like, we can use following terraform module:
module "ipam" {
source = "aws-ia/ipam/aws"
version = "1.1.6"
top_cidr = ["10.0.0.0/8"]
top_name = "IPAM Company X Inc."
pool_configurations = {
eu-west-1 = {
description = "2nd level, locale eu-west-1 pool"
cidr = ["10.0.0.0/16", "10.1.0.0/16"]
sub_pools = {
integration = {
name = "integration"
cidr = ["10.0.0.0/20"]
allocation_resource_tags = {
env = "integration"
}
sub_pools = {
"machine learning" = {
cidr = ["10.0.0.0/24"]
locale = "eu-west-1"
}
network = {
cidr = ["10.0.1.0/24"]
}
}
}
}
}
}
}
The module supports ram sharing and the pools could be shared with other accounts. The IPAM pools structure will look like:
Sources:
https://registry.terraform.io/modules/aws-ia/ipam/aws/latest
https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html
Top comments (0)