EC2-VPC Elastic IP Address Limit

Risk Level: Medium (should be achieved)

Rule ID: EC2-010

Determine if the number of EC2-VPC Elastic IPs allocated per AWS region is close to the limit number established by AWS for cloud accounts that support Virtual Private Clouds (VPCs) and request limit increase in order to avoid reaching IP resource limitations during Amazon EC2 instance provisioning. Because the IPv4 public IP addresses are a scarce resource nowadays, all the AWS accounts are limited to 5 (five) Elastic IP addresses per region.

This rule can help you with the following compliance standards:

APRA
MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance
efficiency

Monitoring your Elastic IP (EIP) limits will help you avoid public IP resources starvation in case you need to expand fast your Amazon EC2-VPC infrastructure.

Audit

When you create your cloud account, AWS sets automatically a fixed limit of 5 for the number of Elastic IPs available per region. To determine if your AWS account has reached the EIP limit, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, select Elastic IPs.

04 Click inside the Filter Elastic IP addresses box located under the console top menu, choose Scope, and select VPC.

05 Count the number of Elastic IP (EIP) addresses returned by the Amazon EC2 console in order to determine if the selected AWS cloud region has already reached the default limit of 5 (five) EIP addresses. If the number of Elastic IPs is equal to 5, you must take action and create a support case to request Amazon Web Services (AWS) to increase the limit for the Elastic IP addresses in the selected AWS cloud region.

06 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-account-attributes command (OSX/Linux/UNIX) with custom query filters to describe the maximum number of EC2-VPC Elastic IP addresses that you can allocate within the selected AWS cloud region:

aws ec2 describe-account-attributes
  --region us-east-1
  --attribute-names vpc-max-elastic-ips
  --query 'AccountAttributes[*].AttributeValues[*].AttributeValue[]'

02 The command output should return the limit set for the number of allocated Amazon EIPs in the selected AWS region:

[
	"5"
]

03 Run describe-addresses command (OSX/Linux/UNIX) with custom query filters to list the EC2-VPC Elastic IP addresses available in the selected AWS cloud region:

aws ec2 describe-addresses
  --region us-east-1
  --filters "Name=domain,Values=vpc"
  --output table
  --query 'Addresses[].PublicIp'

04 The command output should return a table with the allocated EIP addresses:

-------------------
|DescribeAddresses|
+-----------------+
|    10.0.0.5     |
|    10.0.0.8     |
|    10.0.0.3     |
|    10.0.0.9     |
|    10.0.0.6     |
+-----------------+

Count the number of Elastic IP (EIP) addresses returned by the describe-addresses command output in order to determine if the selected AWS cloud region has already reached the default limit of 5 (five) EIP addresses. If the number of Elastic IPs is equal to 5, you must take action and create a support case to request Amazon Web Services (AWS) to increase the limit for the Elastic IP addresses in the selected AWS cloud region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To request an increase for the Elastic IP (EIP) address limit, perform the following operations:

Note: Creating a support case to request a service limit increase using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center console at https://console.aws.amazon.com/support/.

03 In the Open support cases section, choose Create case to initiate the request process.

04 On the Create case page, perform the following actions:

Select the Service limit increase option.
Choose Elastic IPs from the Limit type dropdown list.
In the Request <number> section, perform the following:
- Select the AWS cloud region where an EIP limit increase is required from the Region dropdown list.
- Select New VPC Elastic IP Address Limit from the Limit dropdown list.
- In the New limit value box, enter the new Elastic IP limit to request for the selected AWS region.
If you need to add multiple limit requests (i.e. for other AWS cloud regions), choose Add another request to add as many requests as needed.
For Case Description, provide a concise description where you provide the reason for your service limit increase request. This will help the AWS support team to evaluate your request.
For Contact options, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support team can use to respond to your request from the Contact methods section.
Choose Submit to send your request to Amazon Web Services. A customer support representative should contact you shortly. Once the request is approved by AWS, you should be able to allocate new EC2-VPC Elastic IPs within the specified AWS cloud regions.

References

AWS Command Line Interface (CLI) Documentation
ec2
describe-account-attributes
describe-addresses

Publication date Jun 9, 2016

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

References

Related EC2 rules