How do I set up IPAM with accounts outside my Organizations?


I recently integrated with another AWS Organizations. I want to integrate the IP Address Manager (IPAM) of my organization with AWS accounts in the other Organizations.

Resolution

Note: Review the considerations and limitations of integrating the Amazon Virtual Private Cloud (Amazon VPC) IPAM of your organization with accounts that are external to your AWS Organizations.

Prerequisite

Note: If you already integrated your IPAM with your organization, then proceed to the next section.

Create an IPAM in the delegated admin account of organization A. This account becomes the administrative account for IPAM service functionality for accounts in both organizations. For more information on how to delegate an IPAM account, see Integrate IPAM with accounts in an AWS Organizations.

Identify the AWS accounts for integration

At a minimum, you must have two AWS Organizations for integration. Each has its own IPAM administrator account.

  • The Organizations owner account for organization A.
  • The IPAM admin account for organization A.
  • The Organizations owner account for organization B.
  • The IPAM admin account for organization B.

Integrate your IPAM with the accounts in the new organization

This example integrates the IPAM for organization A with the accounts in organization B. After integration, organization A's IPAM admin account provides IPAM service functionality for accounts in both organizations.

Register the organization B IPAM admin account

Complete the following steps in organization B's management account:

  1. Open the IPAM console.
  2. Register the organization B admin account as the IPAM delegated administrator. For more information, see Integrate IPAM with accounts in an AWS Organizations.

Set up the resource discovery in organization B

Complete the following steps in organization B's IPAM admin account. For more information on resource discoveries, see Work with resource discoveries.

  1. Open the IPAM console.
  2. Create a resource discovery.
  3. Use the Resource Access Manager to share the resource discovery with organization A's IPAM admin account.

Note: The resource discovery must be in the same AWS Region as the IPAM in organization A. In most cases, the resource discovery should also have the same operating Regions as the IPAM. However, to have more control over which accounts and Regions in organization B are monitored, you can select a subset of the IPAM’s operating Regions for the resource discovery.

Accept the resource share in organization A

Complete the remaining steps in organization A's IPAM admin account.

  1. Open the IPAM console.
  2. Accept the resource share invitation in organization A’s IPAM admin account.
  3. Associate the IPAM with the resource discovery.

Note: Repeat the preceding steps to integrate accounts from another AWS Organizations into your IPAM setup.
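The organization B and organization A steps above, as AWS CLI calls; this is an added example, not code from the AWS article. It assumes the AWS CLI is installed, that each function runs with credentials for the account named in its comment, and that the function names, the share name, and the discovery description are this example's own choices. The pre-flight check encodes the Region rules from the note above: the discovery must be in the IPAM's Region, and its operating Regions must be a subset of the IPAM's.

```shell
# Added example (not the article's code). Assumes the AWS CLI is configured and that
# each function below runs with credentials for the account named in its comment.
set -e

# Pre-flight: the discovery must sit in the IPAM's home Region, and every Region it
# monitors must be one of the IPAM's operating Regions (a subset is allowed).
# Args: ipam_region discovery_region "ipam operating Regions" "discovery operating Regions"
check_discovery_regions() {
  ipam_region="$1"; disco_region="$2"; ipam_ops="$3"; disco_ops="$4"
  if [ "$ipam_region" != "$disco_region" ]; then
    echo "discovery Region $disco_region differs from IPAM Region $ipam_region" >&2
    return 1
  fi
  for r in $disco_ops; do
    case " $ipam_ops " in
      *" $r "*) ;;
      *) echo "operating Region $r is not an operating Region of the IPAM" >&2; return 1 ;;
    esac
  done
  return 0
}

# Run in organization B's IPAM admin account: create the discovery and share it with
# organization A's IPAM admin account. Prints the discovery ID, which org A needs next.
# Args: region org_a_ipam_admin_account_id "operating Regions"
org_b_create_and_share() {
  region="$1"; org_a_admin="$2"; ops=""
  for r in $3; do ops="$ops RegionName=$r"; done
  aws ec2 create-ipam-resource-discovery --region "$region" \
    --description "shared-with-org-A" --operating-regions $ops \
    --query 'IpamResourceDiscovery.[IpamResourceDiscoveryId,IpamResourceDiscoveryArn]' \
    --output text | {
      read -r disco_id disco_arn
      aws ram create-resource-share --region "$region" --name "ipam-discovery-for-org-A" \
        --resource-arns "$disco_arn" --principals "$org_a_admin" >/dev/null
      echo "$disco_id"
    }
}

# Run in organization A's IPAM admin account: accept the pending RAM invitation for that
# share, then associate the shared discovery (ID passed along by org B) with org A's IPAM.
# Args: region ipam_id discovery_id
org_a_accept_and_associate() {
  region="$1"; ipam_id="$2"; disco_id="$3"
  inv=$(aws ram get-resource-share-invitations --region "$region" --output text \
    --query "resourceShareInvitations[?status=='PENDING' && resourceShareName=='ipam-discovery-for-org-A'].resourceShareInvitationArn | [0]")
  aws ram accept-resource-share-invitation --region "$region" --resource-share-invitation-arn "$inv"
  aws ec2 associate-ipam-resource-discovery --region "$region" \
    --ipam-id "$ipam_id" --ipam-resource-discovery-id "$disco_id"
}
```

Run the check before `org_b_create_and_share` with the IPAM's Region and operating Regions as reported by `aws ec2 describe-ipams` in organization A, so a misconfigured discovery is caught before it is shared.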

Manage IPAM resources

Stop monitoring accounts in organization B

To stop the IPAM in organization A from monitoring accounts in organization B, take any of the following actions:
