Cloudformation support for IPAM?

0

From Cloudformation documentation I understood it would be possible to use IPAM when creating a VPC https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html

Type: AWS::EC2::VPC
Properties: 
  CidrBlock: String
  EnableDnsHostnames: Boolean
  EnableDnsSupport: Boolean
  InstanceTenancy: String
  Ipv4IpamPoolId: String
  Ipv4NetmaskLength: Integer
  Tags: 
    - Tag

However when I did use Ipv4IpamPoolId and Ipv4NetmaskLength I got the error

Properties validation failed for resource VPC with message: #: extraneous key [Ipv4IpamPoolId] is not permitted #: extraneous key [Ipv4NetmaskLength] is not permitted

It also says CidrBlock is a mandatory parameter, but it is not clear how that would work with IPAM. Or should it rather be either CidrBlock or Ipv4IpamPoolId + Ipv4NetmaskLength?

Did anyone else run into the same issue, and was there a fix or workaround for this?

  • FYI: Cloudformation AWS::EC2::VPC does now support IPAM, and the documentation is also updated with CidrBlock being conditional.

EXPERT
Kallu
asked 2 years ago, 1796 views
3 Answers
1

The Ipv4IpamPoolId resource is not yet supported/deployed as a part of CloudFormation (though exists in the documentation). It is part of the roadmap to have this released.

AWS
Phani_L
answered 2 years ago
0
Accepted Answer

The latest aws-cli seems to work as expected, but the example from the AWS documentation fails, as it should, because using an IPAM pool and cidr-block together doesn't make sense :-)

% aws --version
aws-cli/2.0.61 Python/3.7.4 Darwin/21.2.0 exe/x86_64

The example from the documentation doesn't just fail, but also produces a misleading error message. There is nothing wrong with a netmask of /24, as I can later provision a VPC with /24 from the IPAM pool. Instead, it should point out that I'm trying to use a combination of command-line options that doesn't make sense.

% aws ec2 create-vpc --ipv4-ipam-pool-id ipam-pool-xxxxxxxxxxxxxxxxx --cidr-block 10.2.0.0/24
An error occurred (InvalidParameterValue) when calling the CreateVpc operation: The allocation size is too big for the pool.

If I just drop --cidr-block and use the default CIDR of my IPAM pool (/21), it works as expected:

% aws ec2 create-vpc --ipv4-ipam-pool-id ipam-pool-xxxxxxxxxxxxxxxxx
{
    "Vpc": {
        "CidrBlock": "10.2.16.0/21",
        "DhcpOptionsId": "dopt-01234567",
        "State": "pending",
        "VpcId": "vpc-xxxxxxxxxxxxxxxxx",
        "OwnerId": "123456789012",
        "InstanceTenancy": "default",
        "Ipv6CidrBlockAssociationSet": [],
        "CidrBlockAssociationSet": [
            {
                "AssociationId": "vpc-cidr-assoc-xxxxxxxxxxxxxxxxx",
                "CidrBlock": "10.2.16.0/21",
                "CidrBlockState": {
                    "State": "associated"
                }
            }
        ],
        "IsDefault": false
    }
}

I can also specify a CIDR of /24, or any other that is valid for the IPAM pool:

% aws ec2 create-vpc --ipv4-ipam-pool-id ipam-pool-xxxxxxxxxxxxxxxxx --ipv4-netmask-length 24
{
    "Vpc": {
        "CidrBlock": "10.2.24.0/24",
        "DhcpOptionsId": "dopt-700ae019",
        "State": "pending",
        "VpcId": "vpc-xxxxxxxxxxxxxxxxx",
        "OwnerId": "123456789012",
        "InstanceTenancy": "default",
        "Ipv6CidrBlockAssociationSet": [],
        "CidrBlockAssociationSet": [
            {
                "AssociationId": "vpc-cidr-assoc-xxxxxxxxxxxxxxxxx",
                "CidrBlock": "10.2.24.0/24",
                "CidrBlockState": {
                    "State": "associated"
                }
            }
        ],
        "IsDefault": false
    }
}

So, it seems that Cloudformation just isn't up to date with the documentation and the VPC API :-(

EXPERT
Kallu
answered 2 years ago
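The accepted answer shows that CloudFormation and the VPC API reject the CidrBlock + Ipv4IpamPoolId combination with misleading messages. A pre-deployment check that flags that combination before the template is submitted is shown below as an added example; it is not code from this thread or from AWS. It assumes the template is in CloudFormation's JSON form and that a VPC IPv4 CIDR must be between /16 and /28 (the documented VPC limit); the template and the ipam-pool-... id are constructed placeholders.

```python
"""Pre-deployment lint for AWS::EC2::VPC resources in a CloudFormation template.

Added example, not code from the re:Post thread or from AWS. It checks the
CidrBlock / Ipv4IpamPoolId / Ipv4NetmaskLength combination locally, so the
conflict surfaces as a clear message instead of CloudFormation's "extraneous
key" or the VPC API's "allocation size is too big" errors.
"""
import ipaddress
import json

# AWS limits a VPC IPv4 CIDR to sizes between /16 and /28 (assumed from the VPC quotas).
MIN_PREFIX, MAX_PREFIX = 16, 28


def check_vpc_properties(logical_id, props):
    """Return a list of human-readable findings for one AWS::EC2::VPC resource."""
    findings = []
    cidr = props.get("CidrBlock")
    pool = props.get("Ipv4IpamPoolId")
    netmask = props.get("Ipv4NetmaskLength")

    # Exactly one addressing source: a static CidrBlock or an IPAM pool allocation.
    if cidr is None and pool is None:
        findings.append(f"{logical_id}: set either CidrBlock or Ipv4IpamPoolId")
    if cidr is not None and pool is not None:
        findings.append(
            f"{logical_id}: CidrBlock and Ipv4IpamPoolId are mutually exclusive; "
            "drop CidrBlock to let IPAM allocate the range"
        )
    if netmask is not None and pool is None:
        findings.append(f"{logical_id}: Ipv4NetmaskLength only applies together with Ipv4IpamPoolId")

    # Syntactic checks on a literal CidrBlock. A dict means an intrinsic function
    # (!Ref, !Sub, ...) that can only be resolved at deploy time, so it is skipped.
    if isinstance(cidr, str):
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"{logical_id}: CidrBlock {cidr!r} is not a valid IPv4 network")
        else:
            if net.version != 4 or not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
                findings.append(
                    f"{logical_id}: CidrBlock {cidr} must be an IPv4 range between "
                    f"/{MIN_PREFIX} and /{MAX_PREFIX}"
                )

    if netmask is not None and not isinstance(netmask, dict):
        if not isinstance(netmask, int) or not MIN_PREFIX <= netmask <= MAX_PREFIX:
            findings.append(
                f"{logical_id}: Ipv4NetmaskLength {netmask!r} must be an integer between "
                f"{MIN_PREFIX} and {MAX_PREFIX}"
            )
    return findings


def lint_template(template):
    """Run check_vpc_properties over every AWS::EC2::VPC resource in a template dict."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::EC2::VPC":
            findings.extend(check_vpc_properties(logical_id, resource.get("Properties", {})))
    return findings


# Constructed sample: VPC allocated from an IPAM pool, no static CidrBlock (the working shape).
IPAM_TEMPLATE = json.loads("""
{
  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "Ipv4IpamPoolId": "ipam-pool-xxxxxxxxxxxxxxxxx",
        "Ipv4NetmaskLength": 24,
        "EnableDnsSupport": true
      }
    }
  }
}
""")

# Constructed sample: the combination from the documentation example that the API rejects.
CONFLICT_TEMPLATE = json.loads("""
{
  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "Ipv4IpamPoolId": "ipam-pool-xxxxxxxxxxxxxxxxx",
        "CidrBlock": "10.2.0.0/24"
      }
    }
  }
}
""")

if __name__ == "__main__":
    for name, tpl in (("ipam", IPAM_TEMPLATE), ("conflict", CONFLICT_TEMPLATE)):
        print(name, lint_template(tpl) or "OK")
```

Running the module prints `ipam OK` and one finding for the conflicting template; wiring `lint_template` into a CI step before `aws cloudformation deploy` turns the API's vague "allocation size" error into an actionable message at review time.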
0

Good question. You're right.

Try the combination of Ipv4IpamPoolId and CidrBlock. Like you said, CidrBlock shows as a required field today.

From AWS's other (non-CloudFormation) documentation, I see this command:

aws ec2 create-vpc --region us-east-1 --ipv4-ipam-pool-id ipam-pool-04111dca0d960186e --cidr-block 10.0.0.0/24

Which omits the Ipv4NetmaskLength property, but uses both --ipv4-ipam-pool-id and --cidr-block.

Reference: https://docs.aws.amazon.com/vpc/latest/ipam/tutorials-create-vpc-ipam.html

jsonc
answered 2 years ago
  • The example doesn't work. I think this is just a bug in the documentation, as it doesn't make sense to specify both cidr-block and ipv4-ipam-pool-id. If I drop --cidr-block, it creates the VPC using the default mask of the ipam-pool, just like you would expect.
