Logo of Trend Micro

EC2-VPC Elastic IP Address Limit Checkup

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EC2-010

Determine if the number of EC2-VPC Elastic IPs (EIPs) allocated per region is close to the limit number established by AWS for accounts that support Virtual Private Clouds (VPCs) and request limit increase in order to avoid encountering IP resource limitations on future EC2 provisioning sessions. As the IPv4 public IP addresses are a scarce resource nowadays, all AWS accounts are limited to 5 (five) Elastic IP addresses per region.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance
efficiency

Monitoring your Elastic IP (EIP) limits will help you avoid public IP resources starvation in case you need to expand fast your AWS EC2-VPC infrastructure.

Audit

When you create your account, AWS sets automatically a fixed limit of 5 for the number of Elastic IPs available per region. To determine if your account has reached the EIP limit, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Elastic IPs.

04 Click inside the Elastic IP addresses properties box located under the dashboard top menu, choose the Scope option from the dropdown list and select VPC to return the Elastic IPs allocated for the EC2-VPC platform. This filtering technique will help you to identify how many EC2-VPC Elastic IPs are currently allocated inside the current AWS region in order to determine if your account has reached the default limit of five (5) EIP addresses. If the number of EIPs returned is equal to 5 and your cloud architecture needs to scale up, we strongly recommend that you open an AWS support case and request a limit increase for Elastic IPs, as demonstrated step by step in the Remediation/Resolution section.

05 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-account-attributes command (OSX/Linux/UNIX) to expose the maximum number of Elastic IP addresses that you can allocate for your EC2-VPC infrastructure within the selected AWS region: 

aws ec2 describe-account-attributes
	--region us-east-1
	--attribute-names vpc-max-elastic-ips

02 The command output should return the limit set by AWS for the number of allocated EIPs as the value of the AttributeValue parameter: 

{
    "AccountAttributes": [
        {
            "AttributeName": "vpc-max-elastic-ips",
            "AttributeValues": [
                {
                    "AttributeValue": "5"
                }
            ]
        }
    ]
}

03 Run describe-addresses command (OSX/Linux/UNIX) using the AWS region name to determine how many Elastic IPs are currently allocated within the selected region (if the command does not produce an output, there are no Elastic IPs assigned): 

aws ec2 describe-addresses
	--region us-east-1
	--filters "Name=domain,Values=vpc"
	--output table
	--query 'Addresses[].PublicIp'

04 The command output should return all EIPs assigned in the US East region: 

--------------------
| DescribeAddresses|
+------------------+
|  52.204.147.117  |
|  52.21.39.200    |
|  52.204.11.47    |
|  52.204.142.140  |
|  52.204.141.157  |
+------------------+

If the number of EIPs returned is equal to 5 and your architecture needs to scale up, we highly recommend that you open an AWS support case and request a limit increase for Elastic IPs, as explained in the Remediation/Resolution section.

05 Repeat steps no. 1 – 4 to perform the CLI audit process for other AWS regions.

Remediation / Resolution

To request an increase for the EC2-VPC Elastic IP limit, you need to perform the following:

Note: Requesting to increase the limit for the number of Elastic IPs per region using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center page at http://aws.amazon.com/contact-us/eip_limit_request/.

03 On the Create Case support page, perform the following:

  • Under Regarding section, select Service Limit Increase.
  • Choose Elastic IPs from the Limit Type dropdown list as the type of limit to increase.
  • In the Request <number> section, perform the following actions:
    • Select the AWS region where an EIP limit increase is required from the Region dropdown list.
    • Select New VPC Elastic IP Address Limit from the Limit dropdown list.
    • In the New limit value box, enter the new EIP limit value to request for the selected region.
  • If you need to add multiple limit requests (e.g. for other AWS regions), click the Add another request button to add as many requests as needed.
  • In the Use Case Description textbox, describe your use case(s) so AWS Support can evaluate your request and understand your need for additional EIPs.
  • Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  • Click Submit to send the limit request. A customer support representative will contact you shortly. Once the request is approved, you will be able to allocate new EC2-VPC Elastic IPs within the specified AWS regions.

References

Publication date Jun 9, 2016

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

EC2-VPC Elastic IP Address Limit Checkup

Risk level: Medium