[donny@scyber ~]$ cat ./blog/aws-vpc-ipam-solution.md

Building Enterprise-Grade AWS VPC IPAM with Terraform

July 26, 2025 8 min read
AWS Infrastructure Terraform

How I built a sophisticated hierarchical IP Address Management solution using AWS VPC IPAM and Terraform, featuring an innovative Streamlit-based "IPAM Configurator" tool that revolutionizes enterprise network planning.

## The Challenge: Enterprise IP Management at Scale

Managing IP address space across large AWS environments is more complex than most organizations anticipate. When you're dealing with multiple AWS accounts, regions, and business units, traditional spreadsheet-based IP management quickly becomes a bottleneck that leads to conflicts, delays, and security gaps.

During my time at AWS, I've seen countless enterprises struggle with IP address allocation, especially when scaling across multiple regions or during cloud migrations. The manual processes, lack of automation, and absence of centralized governance create operational overhead that slows down development teams and increases risk.

That's why I built this comprehensive Amazon VPC IP Address Manager (IPAM) solution—to demonstrate how enterprise-grade network management can be automated, governed, and scaled using Infrastructure as Code.

## Solution Architecture: Four-Tier Hierarchical Design

The solution implements a sophisticated four-tier hierarchical pool structure that mirrors real-world organizational requirements. The diagram below illustrates the complete architecture and data flow from the IPAM Configurator through to deployment:

AWS VPC IPAM Architecture with IPAM Configurator - Complete workflow from Streamlit application to Terraform deployment
Complete AWS VPC IPAM Architecture and Data Flow 
Top-Level Pool (Global CIDR: 10.0.0.0/8)
├── Regional Pools (per AWS region: 10.0.0.0/12, 10.16.0.0/12, …)
│   ├── Business Unit Pools (per BU: 10.0.0.0/14, 10.4.0.0/14, …)
│   │   └── Environment Pools (dev/qa/prod: 10.0.0.0/16, 10.1.0.0/16, …)

This hierarchy provides several key benefits:

  • Organizational Alignment: Matches business unit and environment structure
  • Scalable Governance: Policies applied at appropriate hierarchy levels
  • Conflict Prevention: Automatic CIDR containment validation
  • Multi-Region Consistency: Centralized control with regional allocation

## The Innovation: IPAM Configurator Tool

The standout feature of this solution is the "IPAM Configurator"—a Streamlit-based web application that revolutionizes how organizations plan and deploy their IPAM infrastructure.

Donny's IPAM Configurator Demo - Complete Streamlit application workflow
Donny's IPAM Configurator: Demo

Traditional IPAM planning involves complex subnet math, spreadsheets, and manual validation that's error-prone and time-consuming. The IPAM Configurator eliminates these pain points with an interactive, visual approach to network design.

Key Configurator Features:

  • • Interactive Web Interface with real-time validation
  • • Automated CIDR calculation with containment checking
  • • Visual representation via Sunburst diagrams
  • • Terraform tfvars file generation
  • • Drag-and-drop resource ordering
  • • Flexible reservation strategies
  • • Multi-tab workflow design

The tool is built using modern Python technologies including Streamlit for the web interface, Pandas for data manipulation, Plotly for visualization, and NetworkX for graph operations. The core logic handles complex CIDR validation and hierarchical allocation calculations that would typically require manual verification.

# Live Demo: Complete Workflow

Watch this complete demonstration showing the entire process from cloning the AWS Samples repository to deploying the IPAM solution with Terraform:

Demo covers: Repository setup → IPAM Configurator → Terraform deployment → AWS Console verification

## Technical Implementation Deep Dive

The Terraform implementation follows enterprise-grade patterns with comprehensive validation, modular design, and operational excellence principles:

AWS Resources

  • • Amazon VPC IPAM instance
  • • IPAM scopes for private IP management
  • • Hierarchical IPAM pools (~67 pools)
  • • AWS RAM resource shares
  • • Cross-account principal associations

Terraform Modules

  • • Root orchestration module
  • • Core IPAM hierarchy module
  • • Standardized tags module
  • • Validation logic module
  • • Cross-region compatibility

One of the most challenging aspects was implementing comprehensive validation logic to prevent configuration errors. The solution includes CIDR well-formedness checks, containment validation across hierarchy levels, and automated conflict detection.

The simplest, most portable guardrail validates a single variable — it works on every Terraform version because the condition only references the variable it's attached to: 

variable "top_level_cidr" {
  type        = string
  description = "Global CIDR for the top-level IPAM pool (e.g. 10.0.0.0/8)."

  validation {
    # Must be a syntactically valid IPv4 CIDR...
    condition     = can(cidrhost(var.top_level_cidr, 0))
    error_message = "top_level_cidr must be a valid IPv4 CIDR, e.g. 10.0.0.0/8."
  }

  validation {
    # ...and broad enough to carve regional/BU/env pools beneath it.
    condition     = tonumber(split("/", var.top_level_cidr)[1]) <= 12
    error_message = "top_level_cidr prefix must be /12 or larger (smaller number) to leave room for the hierarchy."
  }
}

Validating that one pool actually fits inside another means comparing two variables in a single condition. That cross-variable reference requires Terraform 1.9+ (earlier versions reject a validation block that references anything but its own variable). Note the explicit tonumber()split() returns strings: 

# Terraform >= 1.9: a validation rule may reference other variables.
variable "regional_prefix_length" {
  type        = number
  description = "Prefix length for each regional pool (e.g. 12 for a /12)."

  validation {
    condition = (
      var.regional_prefix_length > tonumber(split("/", var.top_level_cidr)[1])
      && var.regional_prefix_length <= 28
    )
    error_message = "Regional prefix must be longer (more specific) than the top-level CIDR and no longer than /28."
  }
}

🚀 Try It Yourself:

The complete solution is available as an AWS Sample on GitHub. Clone the repository and follow the demo above to deploy your own enterprise IPAM solution: 

git clone https://github.com/aws-samples/sample-amazon-vpc-ipam-terraform

## Enterprise Integration Patterns

This IPAM solution is designed to integrate seamlessly with enterprise AWS environments and existing Infrastructure as Code workflows:

AWS Organizations Integration

The solution leverages AWS Resource Access Manager (RAM) to share IPAM pools across organizational accounts. This enables centralized governance while allowing distributed teams to provision VPCs using organization-managed IP space.

Account Factory for Terraform (AFT) Compatibility

For organizations using AFT, this IPAM solution can be deployed as a global customization, providing immediate IP management capabilities for newly provisioned accounts.

Downstream VPC Provisioning

VPC modules can directly reference IPAM pools using data sources, eliminating manual CIDR specification and ensuring automatic compliance with organizational IP allocation policies. 

# VPC integration example
resource "aws_vpc" "main" {
  ipv4_ipam_pool_id   = data.aws_vpc_ipam_pool.environment.id
  ipv4_netmask_length = 18
  
  tags = {
    Name = "production-vpc"
    Environment = "prod"
  }
}

## Operational Excellence & Governance

Beyond the technical implementation, this solution addresses critical operational requirements for enterprise environments:

Compliance & Governance

  • Auto-import capabilities for existing VPCs and subnets into appropriate pools
  • Policy-based allocation rules preventing overlapping address space
  • Reserved CIDR functionality for infrastructure and future expansion

Monitoring & Observability

  • CloudWatch integration for IPAM utilization metrics
  • Audit trails for all IP allocation and deallocation events
  • Compliance reporting for organizational IP usage patterns

Cost Optimization

The solution includes cost-aware design patterns, utilizing AWS free tier where possible and implementing efficient resource tagging for cost allocation across business units and environments.

## Real-World Impact & Lessons Learned

Building this IPAM solution taught me several important lessons about enterprise infrastructure automation:

The Power of Visual Planning Tools

The IPAM Configurator's visual interface dramatically reduces the time from network design to deployment. What used to take days of spreadsheet work and manual validation can now be accomplished in hours with immediate visual feedback and automated validation.

Validation is Critical

Complex infrastructure solutions require comprehensive validation at multiple levels. The time invested in building robust validation logic pays dividends by preventing costly misconfigurations and deployment failures.

Enterprise Integration Patterns Matter

Solutions that don't integrate well with existing enterprise patterns and workflows will struggle for adoption. This IPAM solution was designed from the ground up to work with AWS Organizations, AFT, and common enterprise Terraform patterns.

## Wrapping Up

This AWS VPC IPAM solution represents the kind of enterprise-grade infrastructure automation that can dramatically improve operational efficiency while reducing risk. The combination of Terraform best practices, comprehensive validation, and innovative tooling creates a solution that scales with organizational growth.

If you want to go deeper, the full pattern is public: the AWS Prescriptive Guidance write-up covers the architecture decisions, and the Terraform is open-sourced on aws-samples so you can read it, fork it, and adapt the hierarchy to your own account and region layout.

Read the pattern and grab the code:

AWS Prescriptive Guidance → aws-samples on GitHub →
DS
author.profile

Donny Schreiber

Cloud and product security engineer at AWS Professional Services, based in Boulder, Colorado. I write about cloud security, DevSecOps, infrastructure-as-code, and the security side of AI — drawn from daily practice.

AWS Expert Infrastructure Terraform
# related_posts.available()
about-me.md

About Me: From Enterprise Security to Cloud & AI Security Engineering

How I went from enterprise cybersecurity to a security engineer at AWS Professional Services — and the self-taught curiosity behind it.

Published July 26, 2025
vibe-coding-security.md

The Security Side of Vibe Coding

What AI-generated code gets wrong — real incidents and practical guardrails.

Published February 13, 2026