Logo of Trend Micro

EC2-Classic Elastic IP Address Limit Checkup

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: EC2-009

Determine if the number of EC2-Classic Elastic IPs (EIPs) allocated per region is close to the limit number established by Amazon for accounts that support EC2-Classic platform and request limit increase in order to avoid encountering IP resource limitations on future EC2 provisioning sessions. As the IPv4 public IP addresses are a scarce resource nowadays, by default, all AWS accounts are limited to 5 (five) Elastic IP addresses per region.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Performance
efficiency

Monitoring your EC2-Classic Elastic IP (EIP) limits will help you avoid public IP resources starvation in case you need to expand rapidly your AWS EC2-Classic infrastructure.

Audit

For AWS accounts that support EC2-Classic platform, Amazon sets automatically a fixed limit of 5 for the number of Elastic IPs available per region. To determine if your account has reached the default EIP limit, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Elastic IPs.

04 Click inside the Elastic IP addresses properties box located under the dashboard top menu, choose the Scope option from the dropdown list and select EC2 to return the Elastic IPs allocated for the EC2-Classic platform. This filtering method will help you to identify how many EC2-Classic Elastic IPs are currently allocated within the current AWS region in order to determine if your account has reached the default limit of five (5) EIP addresses. If the number of EIPs returned is equal to 5 and your cloud architecture needs to scale up, we strongly recommend that you open an AWS support case and request a limit increase for Elastic IPs, as specified in the Remediation/Resolution section.

05 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-account-attributes command (OSX/Linux/UNIX) to expose the maximum number of Elastic IP addresses that you can allocate for your EC2-Classic infrastructure within the selected AWS region: 

aws ec2 describe-account-attributes
	--region us-east-1
	--attribute-names max-elastic-ips

02 The command output should return the limit set by AWS for the number of allocated EIPs as the value of the AttributeValue parameter: 

{
    "AccountAttributes": [
        {
            "AttributeName": "max-elastic-ips",
            "AttributeValues": [
                {
                    "AttributeValue": "5"
                }
            ]
        }
    ]
}

03 Run describe-addresses command (OSX/Linux/UNIX) using the AWS region name to determine how many Elastic IPs are currently allocated within the selected region (if the command does not return an output, there are no Elastic IPs currently assigned): 

aws ec2 describe-addresses
	--region us-east-1
	--filters "Name=domain,Values=standard"
	--output table
	--query 'Addresses[].PublicIp'

04 The command output should return all EC2-Classic EIPs assigned in the US East region:

--------------------
| DescribeAddresses|
+------------------+
|  54.32.120.115   |
|  52.121.39.108   |
|  51.44.109.147   |
|  52.235.140.130  |
|  54.104.141.207  |
+------------------+

If the number of EIPs returned is equal to 5 and your architecture needs to scale up, we highly recommend that you open an AWS support case and request a limit increase for Elastic IPs as presented in the Remediation/Resolution section.

05 Repeat steps no. 1 – 4 to perform the CLI audit process for other AWS regions.

Remediation / Resolution

To request an increase for the EC2-Classic Elastic IP limit, perform the following:

Note: Requesting to increase the limit for the number of Elastic IPs per region using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center page at http://aws.amazon.com/contact-us/eip_limit_request/.

03 On the Create Case support page, perform the following:

  1. Under Regarding section, select Service Limit Increase.
  2. Choose Elastic IPs from the Limit Type dropdown list as the type of limit to increase.
  3. In the Request <number> section, perform the following actions:
    • Select the AWS region where an EIP limit increase is required from the Region dropdown list.
    • Select EC2-Classic Elastic IP Address Limit from the Limit dropdown list.
    • In the New limit value box, enter the new EIP limit value to request for the selected region.
  4. If you need to add multiple limit requests (e.g. for different AWS regions), click the Add another request button to add as many requests as needed.
  5. In the Use Case Description textbox, describe your use case(s) so AWS Support can evaluate your request and understand your need for additional EIPs.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request. A customer support representative will contact you shortly. Once the request is approved, you will be able to allocate new EC2-Classic Elastic IPs within the specified AWS regions.

References

Publication date Jun 10, 2016

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

EC2-Classic Elastic IP Address Limit Checkup

Risk level: Medium