
Can someone explain to me how to BYOIP into AWS and use AS prepends? Have been unsuccessful in finding how. Thanks, Hank

how hard did you look? i got this detailed AI answer by just posting your question into google!

-mel beckman

Understanding AWS Bring Your Own IP (BYOIP) and AS Path Prepending

AWS BYOIP allows you to use your own public IPv4 addresses with AWS services like EC2, Global Accelerator, and Elastic IP Addresses (EIPs). This is particularly useful if you want to maintain brand consistency, simplify migration, or improve IP address reputation.

BYOIP Process on AWS

1. Prerequisites:
   * Your IP address range must be registered with a Regional Internet Registry (RIR) like ARIN, RIPE, or APNIC.
   * The address range should be registered to a business or institutional entity.
   * You need to provide proof of ownership and authorize Amazon to advertise the address range.
   * The addresses should have a clean history (not associated with malicious activity).
   * You must stop advertising the IP address range from other locations before advertising it through AWS.
2. Authorization and Provisioning:
   * Create a ROA: Create a Route Origin Authorization (ROA) object with your RIR to authorize Amazon's ASNs (16509 and 14618) to advertise your IP range.
   * Generate an X.509 Certificate: Create a self-signed X.509 certificate and add it to your RIR's RDAP record to link the IP range to your AWS account.
   * Create a Signed Message: Create a signed authorization message that includes your AWS account ID, IP address range, and an expiration date.
   * Provision with AWS CLI: Use the AWS CLI to provision the IP address range within a specific AWS region.
   * Wait for Provisioning: AWS will verify the IP range and approve the provisioning request.
3. Advertising and Allocation:
   * Advertise the Range: Use the AWS CLI to advertise the IP address range through AWS.
   * Create Elastic IP Addresses: Allocate Elastic IP addresses from the provisioned IP address pool and associate them with your AWS resources.

Using AS Path Prepending

AS path prepending is a technique used in BGP (Border Gateway Protocol) to influence the inbound traffic routing to your network. It involves adding your own Autonomous System Number (ASN) multiple times to the AS path in BGP advertisements. This makes the path appear longer and less preferred to other BGP speakers, causing them to choose alternative routes.

How to Use AS Path Prepending with AWS BYOIP:

1. Bring your ASN to IPAM: You can now bring your own ASN to IPAM and associate it with your BYOIP CIDR.
2. Associate with BYOIP CIDR: After provisioning your ASN, associate it with the BYOIP CIDR that you brought to AWS.
3. Advertise with your ASN: When advertising the BYOIP CIDR, choose the ASN you brought to IPAM.

Note: While AS path prepending can be useful for influencing traffic flow, using excessive prepending can have negative consequences, including suboptimal routing and increased risk of route hijacking. It is generally recommended to use BGP communities for traffic engineering when possible.

On Jun 23, 2025, at 2:43 AM, Hank Nussbacher via NANOG <nanog@lists.nanog.org> wrote:

Can someone explain to me how to BYOIP into AWS and use AS prepends?

Mel-

Thank you for providing another object lesson as to why "this is what AI said" is exceptionally unhelpful.

On Mon, Jun 23, 2025 at 6:31 AM Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
how hard did you look? i got this detailed AI answer by just posting your question into google! -mel beckman

Hey Hank,
Can someone explain to me how to BYOIP into AWS and use AS prepends?
are you referring to prepending your AS (once) to AS16509 or prepending your AS / AS16509 a number of times to steer traffic?

The first one can be done through BYOASNs in IPAM - ref: https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-byoasn.html.

The second isn’t strictly possible, but you can control whether your prefixes are advertised or not via:

- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/adver...
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/withd...

If your plan was to use prepending to control whether your traffic goes to AWS or somewhere else for some sort of disaster recovery, you can achieve something very similar with the two commands/APIs above at the cost of a slightly higher convergence time. These two operations can be automated through a range of health checks.

The only config which can’t be easily replicated is where you would use prepend on both sides to steer traffic away from primary location in case it stays up but you lose management/control (2x prepend on primary, 3x prepend on secondary - secondary can attract traffic by flipping to 1x prepend) but I haven’t seen it used in a looong time.

Giorgio
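The health-check automation Giorgio describes could look like the following sketch, which is an added example and not code from the thread or from AWS. The class names, thresholds and probe results are constructed for illustration; `withdraw_byoip_cidr` and `advertise_byoip_cidr` are the boto3 EC2 client methods for the two APIs linked above, and `RecordingClient` stands in for that client so the logic can be replayed without an AWS account.

```python
from dataclasses import dataclass


@dataclass
class ByoipFailover:
    """Withdraws/advertises a BYOIP CIDR from health checks, with hysteresis."""
    ec2: object              # boto3.client("ec2") or any object with the same two methods
    cidr: str                # BYOIP range already provisioned in this region
    fail_threshold: int = 3  # consecutive failed checks before withdrawing (assumed value)
    ok_threshold: int = 5    # consecutive good checks before re-advertising (assumed value)
    advertised: bool = True  # assumed start state; confirm with describe_byoip_cidrs
    _fails: int = 0
    _oks: int = 0

    def observe(self, healthy: bool) -> str:
        """Feed one health-check result and return the action taken."""
        if healthy:
            self._oks += 1
            self._fails = 0
        else:
            self._fails += 1
            self._oks = 0
        if self.advertised and self._fails >= self.fail_threshold:
            self.ec2.withdraw_byoip_cidr(Cidr=self.cidr)
            self.advertised = False
            return "withdraw"
        if not self.advertised and self._oks >= self.ok_threshold:
            self.ec2.advertise_byoip_cidr(Cidr=self.cidr)
            self.advertised = True
            return "advertise"
        return "hold"  # a single blip never changes the announcement


class RecordingClient:
    """Stand-in for the EC2 client: records calls instead of touching AWS."""
    def __init__(self):
        self.calls = []

    def withdraw_byoip_cidr(self, **kw):
        self.calls.append(("withdraw", kw["Cidr"]))

    def advertise_byoip_cidr(self, **kw):
        self.calls.append(("advertise", kw["Cidr"]))


def replay(results, cidr="203.0.113.0/24"):  # documentation prefix, not a real BYOIP range
    client = RecordingClient()
    ctl = ByoipFailover(client, cidr, fail_threshold=3, ok_threshold=2)
    return [ctl.observe(r) for r in results], client.calls


if __name__ == "__main__":
    # Constructed probe results: one blip, a sustained outage, then recovery.
    print(replay([True, False, True, False, False, False, False, True, True]))
```

The consecutive-result thresholds keep a flapping probe from turning into a flapping announcement, which matters given the higher convergence time mentioned above.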

On Mon, Jun 23, 2025 at 2:42 AM Hank Nussbacher via NANOG <nanog@lists.nanog.org> wrote:
Can someone explain to me how to BYOIP into AWS and use AS prepends?
Hi Hank,

I'm a bit confused by your question. Last I heard, the address blocks you bring into AWS are exclusive to AWS. If you try to use the same prefix somewhere else too, you'll end up with some black holes due to the vagaries of network routing. You'd be begging for failure.

With that in mind, what are you trying to accomplish with AS prepends for AWS BYOIP?

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/

Last I looked at this (probably a year ago), any IPs you set up for AWS BYOIP were announced direct from AWS ASNs. There wasn't an option to put your own ASN in there, or modify anything related to the advertisement.

On Mon, Jun 23, 2025 at 5:43 AM Hank Nussbacher via NANOG <nanog@lists.nanog.org> wrote:
Can someone explain to me how to BYOIP into AWS and use AS prepends?
Have been unsuccessful in finding how.
Thanks,
Hank