Bring Your Own IP

Oracle Cloud Infrastructure allows you to Bring Your Own IP (BYOIP) address space to use with resources in Oracle Cloud Infrastructure, in addition to using Oracle owned addresses.

BYOIP lets you manage your IPv4 CIDR blocks and IPv6 prefixes to align with your existing security, management, and deployment policies and achieve:

  • Solution continuity and hardcoded dependencies: Your VCN is an extension of your public Internet presence, without needing to reinvent policies and management processes. If you have IP addresses hard-coded in devices or built architectural dependencies on specific IP addresses, using BYOIP you have a smooth migration to Oracle Cloud Infrastructure.
  • IP pool management: Some network administrators require the ability to summarize groups of IPv4 addresses into pools and to create resources for deployment such as load balancers, firewalls, or web servers. IP Pool management provides tools to manage reserved public IPv4 addresses. IPv6 does not use IP Pool management.
  • IP reputation: Some internet services rely on a contiguous IP address space (such as a full span of IP addresses from 1 through 255) and act as a trusted contact point between services such as major email service providers and mail delivery systems.

Oracle performs a validation process on imported IPv4 CIDR blocks or IPv6 prefixes, and after validation you are notified that they are available for advertisement. You can create one or many public IPv4 pools from this address space by specifying subranges from the BYOIP CIDR block and use IP pools to allocate specific resources. You can start or stop advertisement of the BYOIP routes when needed. IPv6 does not use IP pools, but you can similarly assign prefixes to VCNs and subnets.

Requirements and Preparation

  • You must have ownership of the public IPv4 CIDR block or IPv6 prefix you want to import into Oracle Cloud Infrastructure, and the ownership must be registered with a supported Regional Internet Registry (RIR). Oracle validates ownership of your addresses. Only the following registries are supported, and the addresses must have a specified type or status:

  • The addresses in the IP address range must have a clean history. We might investigate the reputation of the IP address range and reserve the right to reject an IP address range that contains an IP address that is associated with malicious behavior.

Limits and Quotas

  • Your addresses can only be imported to a specific Oracle region.
  • You can use BYOIP with an IPv4 CIDR block that is a minimum of /24 and a maximum of /8.
  • An imported IPv6 prefix must be /48 or larger.
  • You can't bring the same address range to more than one compartment at a time.
  • You can bring up to 20 IPv4 CIDR blocks or IPv6 prefixes (or combination) to your Oracle Cloud Infrastructure account.
  • You can assign up to five total IPv6 prefixes per VCN and up to three per subnet. You may assign IPv6 addresses from multiple prefixes to a VNIC if its subnet has multiple IPv6 prefixes assigned.
  • BYOIP is not available with Oracle Cloud Infrastructure Free Tier, and must be requested for Pay As You Go services.

See IP Management Limits and Requesting a Service Limit Increase for other limits-related information.

BYOIP Process Overview

The steps needed for BYOIP in Oracle Cloud Infrastructure require significant time, so plan accordingly. The process is shown in the following diagram:

Swimlane diagram showing the BYOIP import process.
  1. Within a compartment in your tenancy, you request to import a public IPv4 CIDR block or IPv6 prefix you own.
  2. Oracle issues a verification token. (API users have to modify their token. Console users get a completed token.)
  3. You add the verification token to the information about that public IPv4 CIDR block or IPv6 prefix kept by your RIR service. The details vary depending on the RIR. It can take up to one day for the update to take effect. If you move to the next step before that update takes effect, a day will be added to the total time to complete the process. See To import a BYOIP IPv4 CIDR block or IPv6 prefix for details.
  4. Create a Route Origin Authorization (ROA) with your RIR. As part of the ROA, provide the Oracle BGP ASN. Oracle's BGP ASN for the commercial cloud is 31898, except the Serbia Central (Jovanovac) region which is 14544. The ROA allows Oracle to advertise the BYOIP CIDR block.
  5. Request that Oracle finish the import request. This workflow takes up to 10 business days to complete, while Oracle communicates with the RIR and verifies that you own the IP addresses.
  6. Oracle provisions the BYOIP addresses to your compartment within your tenancy.
  7. At this point, the BYOIP IPv4 CIDR block or IPv6 prefix is yours to manage in your compartment. You can add IPv4 addresses to an IP pool, and then use them as reserved IP addresses. IPv6 prefixes do not use pools, and you can directly assign subdivisions to VCNs or the assign the entire IPv6 prefix to a VCN. You can also advertise the BYOIP CIDR Block or BYOIPv6 Prefix to the internet.

Required IAM Policy

To use Oracle Cloud Infrastructure, an administrator must be a member of a group granted security access in a policy  by a tenancy administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with the tenancy administrator what type of access you have and which compartment  your access works in.

For administrators: see IAM Policies for Networking.

Limits on IAM Resources

For a list of applicable limits and instructions for requesting a limit increase, see Service Limits. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.

Managing BYOIP

Using the console

Using the API

For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.

To manage the ByoipRange object, use these operations:

The following operations are specific to BYOIPv6:

After creating a ByoipRange object

After you have created a ByoipRange object, make a copy of its validationToken and either the ipv6CidrBlock or the ipv6CidrBlock of the ByoipRange. Using any text editor, create a token string in one of the following formats.

To import an IPv4 CIDR block:

OCITOKEN::<cidrBlock>:<validationToken>

To import an IPv6 prefix:

OCITOKEN::<ipv6CidrBlock>:<validationToken>

Present this modified validation token to your Regional Internet Registry (RIR) before you request validation.

Was this article helpful?