Migrating Your Own IPv4 Address to AWS (BYOIP)

Introduction

IPv4 addresses are a scarce and valuable resource in today’s internet landscape. Many organizations already own public IPv4 address blocks allocated by a Regional Internet Registry (RIR) such as APNIC, ARIN, RIPE, or AFRINIC.

AWS allows you to bring your own IP addresses (BYOIP) and use them with AWS resources like Elastic IPs, Amazon CloudFront, Amazon Global Accelerator, and Amazon EC2, giving you control over your IP reputation, easing migration from on-premises to cloud, and avoiding costly DNS changes.

In this blog, we will walk you through migrating your IPv4 addresses to AWS.

Why Bring Your Own IPv4 to AWS?

• Preserve IP Reputation – Avoid deliverability and blacklist issues.
• Minimize Downtime – Customers and partners can continue using the same IPs.
• Simplify Migration – No need to update firewall rules or allowlists.
• Maintain Brand Trust – Consistent IP addressing for services and applications.

Prerequisites

Before you begin:

1. You own the IPv4 range (registered in your RIR WHOIS record).
2. IPv4 block size is /24 or larger (minimum requirement for AWS BYOIP).
3. AWS CLI installed and configured with admin-level IAM permissions.
4. Planned AWS Region for deploying your IPs.
5. Access your RIR portal to create a Route Origin Authorization (ROA).

Step-by-Step BYOIP Process

Step 1: Create Route Origin Authorization (ROA)

Before AWS can advertise your IP range, your RIR must authorize AWS ASN (usually AS16509) to announce it.

Log in to your RIR portal (APNIC, ARIN, RIPE, AFRINIC).

Create a ROA record:

1. Prefix: Your IPv4 block (e.g., 203.0.113.0/24)
2. Max Length: Same as your prefix size (e.g., /24)
3. Origin ASN: 16509 (AWS public ASN)

Save and publish the ROA.

Wait for RPKI propagation (can take 1–24 hours).

Step 2: Verify IP Ownership

Confirm WHOIS details for your IP block:

Bash

Make sure:

1. Your organization is listed as the owner.
2. The block matches the prefix size AWS requires.
3. No conflicting advertisements exist.

Step 3: Provision BYOIP in AWS

Once ROA is active, provision your CIDR in AWS:

Bash

Check provisioning status:

Bash

The status will move from pending-provision → provisioned.

Step 4: Advertise Your Range

After AWS finishes provisioning:

Bash

Verify:

Bash

Status should now be advertised.

Step 5: Allocate Elastic IPs from Your BYOIP Pool

Find your BYOIP pool ID:

Bash

Allocate an EIP:

Bash

Associate it with an EC2 instance:

Bash

Step 6: Withdraw & Deprovision (If Needed)

Withdraw advertisement:

Bash

Deprovision:

Bash

Best Practices

1. Always create ROA first, AWS will reject provisioning if ROA is missing.
2. Use Amazon Global Accelerator for multi-region workloads.
3. Monitor using Amazon CloudWatch and Amazon VPC Flow Logs.
4. Keep RIR contact details and ROA up to date.
5. Test IP reachability before production cutover.

Conclusion

By bringing your IPv4 address range to AWS, you maintain control over your IP identity, preserve your reputation, and simplify cloud migration.

Drop a query if you have any questions regarding IPv4 address and we will get back to you quickly.

About CloudThat