
Optimizing Public IPv4 Address Cost in AWS

Starting in February 2024, Amazon Web Services (AWS) will charge for every public IPv4 address in use. While the rate of $0.005 per hour may not seem high, it adds up to $43.80 per address per year, which is close to the price of buying an IPv4 address outright. This can be burdensome because it applies not only to Elastic IPs attached to instances, but also to VPN Gateways (two per VPN), Global Accelerator, public-facing ELBs, and NAT Gateways.

                                 Public IPv4 address pricing takes effect after February 1, 2024

Steps to Prepare:

  1. Identify Your Public IPv4 Addresses: To begin, identify the public IPv4 addresses being used by your AWS resources. AWS offers tools and services that can assist you in efficiently tracking these addresses.
  2. Evaluate the Need for Public IPs: Assess whether you truly require a public IP for each associated resource. In many cases, private IPs or Network Address Translation (NAT) gateways may be sufficient.
  3. Review Your EC2 Instances: Analyze your EC2 instances to determine which ones require public IPs. AWS recommends using private IPs whenever possible to reduce costs.

Identifying Public IPv4 Addresses (Monitoring Public IPs):

This involves creating an IPAM and using its Public IP insights view to visualize all of your public IPs.

  1. Open the IPAM console at https://console.aws.amazon.com/ipam/.
  2. In the navigation pane, choose Public IP insights.
  3. If no IPAM has been created yet, click Create IPAM.
  4. Create the IPAM in the free tier: it offers limited features but still provides insights into all of your public IPv4 addresses.
  5. Provide a name and description, select the region for the IPAM, and click Create IPAM.
  6. (Alternative) If you are familiar with the AWS CLI, you can create the IPAM with a single command. Pass --tier free explicitly; without it the CLI creates an advanced-tier IPAM, which is billed.

     aws ec2 create-ipam --description my-ipam --region us-east-1 \
         --operating-regions RegionName=us-east-1 --tier free

  7. After creating the IPAM, wait some time for the Public IP insights to be populated.
  8. Once they are available, click on a public IP address to view its details.
  9. View the following information about the IP address:

  • Details: The same information is visible in the columns of the main Public IP insights pane, such as the Address type and Service.
  • Inbound security group rules: If this IP address is associated with an EC2 instance, these are the security group rules that control the inbound traffic to the instance.
  • Outbound security group rules: If this IP address is associated with an EC2 instance, these are the security group rules that control the outbound traffic from the instance.
  • Tags: Key and value pairs that act as metadata for organizing your AWS resources.

You can also see, sort, filter, and learn more about each of the public IPv4 addresses that you are using.

This gives you a complete view of all of your public IPv4 addresses, which helps you decide whether each associated resource truly needs one. From it you can build a list of IPs to remove. Any Elastic IP that is not associated with a resource can be released immediately, since it is billed whether or not it is in use.
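As an added example (not code from the original article), the following script classifies the public IPv4 addresses the EC2 API reports into the categories discussed above (unassociated EIPs to release, auto-assigned public IPs to remove, EIPs on instances, addresses owned by AWS services such as NAT gateways) and prices them at the article's rate. The sample records are constructed to mirror the shape of describe_network_interfaces and describe_addresses responses; fetch_live() shows how to obtain real ones with boto3.

```python
# Added example: inventory and price public IPv4 addresses from EC2 API data.
HOURLY_RATE = 0.005        # USD per public IPv4 address per hour (from the article)
HOURS_PER_MONTH = 730

def classify(enis, addresses):
    """Return {category: [public_ip, ...]} for every public IPv4 address in use."""
    result = {"unassociated_eip": [], "auto_assigned": [],
              "eip_on_instance": [], "aws_service": []}
    for addr in addresses:
        # An allocated EIP with no AssociationId is billed but serves nothing.
        if "AssociationId" not in addr:
            result["unassociated_eip"].append(addr["PublicIp"])
    for eni in enis:
        assoc = eni.get("Association")
        if not assoc or "PublicIp" not in assoc:
            continue                         # private-only interface
        ip = assoc["PublicIp"]
        if eni.get("InterfaceType", "interface") != "interface":
            result["aws_service"].append(ip)   # nat_gateway, load_balancer, ...
        elif "AllocationId" in assoc:
            result["eip_on_instance"].append(ip)
        else:
            # No AllocationId: an auto-assigned public IP (candidate for removal)
            result["auto_assigned"].append(ip)
    return result

def monthly_cost(inventory):
    """Monthly charge for every address in the inventory, in USD."""
    n = sum(len(ips) for ips in inventory.values())
    return round(n * HOURLY_RATE * HOURS_PER_MONTH, 2)

def fetch_live(region):
    """Pull real data with boto3 (imported here so the sample runs without it)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_network_interfaces").paginate()
    enis = [e for page in pages for e in page["NetworkInterfaces"]]
    return enis, ec2.describe_addresses()["Addresses"]

# Constructed sample data (documentation-range addresses, not real resources)
SAMPLE_ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0a", "AssociationId": "eipassoc-0a"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0b"},   # unassociated: release
    {"PublicIp": "203.0.113.20", "AllocationId": "eipalloc-0c", "AssociationId": "eipassoc-0c"},
]
SAMPLE_ENIS = [
    {"InterfaceType": "interface", "Association": {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0a"}},
    {"InterfaceType": "interface", "Association": {"PublicIp": "198.51.100.7"}},   # auto-assigned
    {"InterfaceType": "nat_gateway", "Association": {"PublicIp": "203.0.113.20", "AllocationId": "eipalloc-0c"}},
    {"InterfaceType": "interface", "PrivateIpAddress": "10.0.1.5"},                  # private only
]
```

Running classify(SAMPLE_ENIS, SAMPLE_ADDRESSES) yields one address in each category, and monthly_cost() prices the four of them at $14.60/month.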

💡 Tip:

Best practices for Public IPv4 usage optimization:

Here are several ways to reduce or eliminate the number of public IPv4 addresses in your AWS environment.

1. Integrating NAT gateways and Elastic Load Balancers for internet traffic (With Cost Analysis)

Outbound Internet Traffic:

Let’s consider a workload deployed in a default VPC in us-east-1. This workload utilizes an average of 100 Amazon EC2 instances per month and has an aggregated Data Transfer Out to the internet of 100 GB. The following architecture diagram illustrates an example of this deployment, where all EC2 instances are automatically assigned EC2 Public IPv4 addresses.

Using an AWS NAT gateway for the same workload optimizes the use of public IPv4 addresses, as shown in the following architecture.

In this case, the EC2 public IP setup costs $365/month while the NAT gateway approach costs $77.50/month.

Conversely, if we consider a workload with four EC2 instances, deployed across the two AZs in the same setup, with the same total data processing requirements of 100 GB in a month, the public IPv4 charges become:

  • EC2 public IPv4 charges: 4 EC2 Public IPs x $0.005/IP/hour x 730 hours = $14.60/month

In this case, using the EC2 public IP setup costs $14.60/month while the NAT gateway approach costs $77.50/month, as calculated in the previous example.
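The two comparisons above as a small cost model, added here as an example (not from the original article). It uses the us-east-1 prices quoted in this section and adds the break-even instance count, which the article does not state; all prices are assumptions copied from the text.

```python
# Added example: EC2 public IP per instance versus one NAT gateway per AZ.
PUBLIC_IP_HOURLY = 0.005   # USD per public IPv4 address per hour
NAT_GW_HOURLY = 0.045      # USD per NAT gateway per hour
NAT_GW_PER_GB = 0.045      # USD per GB processed by the NAT gateway
HOURS = 730                # billing hours per month used by the article

def public_ip_monthly(instances):
    """Every instance carries its own public IPv4 address."""
    return round(instances * PUBLIC_IP_HOURLY * HOURS, 2)

def nat_gateway_monthly(azs, gb_out):
    """One NAT gateway per AZ; each gateway also needs one public IPv4 address."""
    gateways = azs * (NAT_GW_HOURLY + PUBLIC_IP_HOURLY) * HOURS
    return round(gateways + gb_out * NAT_GW_PER_GB, 2)

def break_even_instances(azs, gb_out):
    """Smallest instance count at which the NAT gateway design becomes cheaper."""
    n = 1
    while public_ip_monthly(n) <= nat_gateway_monthly(azs, gb_out):
        n += 1
    return n

if __name__ == "__main__":
    for n in (4, 100):   # the article's two workloads, 2 AZs, 100 GB out
        print(n, "instances:", public_ip_monthly(n), "vs", nat_gateway_monthly(2, 100))
    print("NAT gateway cheaper from", break_even_instances(2, 100), "instances")
```

Note that the NAT gateway figure grows with data transfer, so the break-even point shifts upward for traffic-heavy workloads.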

NAT Gateway:

The NAT Gateway is a managed service that provides outbound internet access for instances in a private subnet. It scales automatically to handle increased traffic from your instances, with no patching or monitoring on your side.

If you absolutely need IPv4 NAT and reliability is your top priority, there is no better solution. The only drawback is the cost: $0.045 per hour, which amounts to approximately $32 per month, plus $0.045 per GB of traffic processed and the public IPv4 charge for the gateway's own address.

Pricing:

NAT Instance (An alternative to NAT Gateway):

NAT Gateway and NAT Instance are the two options for implementing Network Address Translation (NAT) in a VPC. NAT Gateway is a fully managed service that offers high availability and scalability, but it can be more expensive. A NAT Instance gives you more control over the instance, but you must set it up and maintain it yourself (disable the instance's source/destination check, patch the operating system, and handle failover). The best option depends on your use case, budget, and security requirements.

Deploy an EC2 instance with a public IP in the public subnet. In our case we chose a t4g.small instance, but for low-traffic situations you can opt for a smaller size: with a t4g.micro instance you will only spend about $3.5/month.

For the NAT instance we use a t4g.nano EC2 instance; its cost is as follows:

Inbound internet traffic

Let’s consider an internet-facing web application deployed in a default VPC, which utilizes 100 Amazon EC2 instances per month. This web application processes 10 GB of client traffic per hour, resulting in a total of 1 GB of egress data originating from the VPC and going to the internet. The architecture diagram shown below illustrates the sample setup. All EC2 instances are configured with Elastic IPv4 addresses, and the DNS for the web application endpoint is managed in Amazon Route 53.

To assess the cost of the Elastic IP addresses associated with the web application instances, we can apply the same calculation as above, which again gives $365.00/month.

For this workload, we can assess the integration of both an Application Load Balancer for client traffic and a NAT gateway for egress traffic originating in the VPC. The figure below shows an example architecture of this web application, which utilizes an internet-facing Application Load Balancer and a NAT gateway in each availability zone (AZ).

This yields a total cost of $155.17/month for the NAT gateway plus Application Load Balancer design, while the Elastic IP approach totals $365.00/month. So even without counting the additional benefits of Elastic Load Balancers, adopting a NAT gateway and an Application Load Balancer optimizes public IPv4 address usage and cost.

2. Migration to IPv6:

If you have an existing VPC that only supports IPv4 and resources in your subnet that are configured to use IPv4, you have the option to enable IPv6 support for your VPC and resources. In this case, your VPC can operate in dual-stack mode, allowing your resources to communicate over either IPv4, IPv6, or both. It’s important to note that IPv4 and IPv6 communication are independent of each other.

Dual Stack VPC

Amazon VPC includes built-in support for address assignment via DHCP for both IPv4 and IPv6. The process of address allocation is similar to reserving static addresses in traditional DHCP servers. The IP address assigned to the elastic network interface determines the IP address offered by the VPC DHCP infrastructure to the resource requesting an address.

Migrating from IPv4 to IPv6:

This section assumes that you already have an EC2 instance with properly configured IPv4 settings. Follow the instructions in exactly the order given below to avoid failures.

If you want to launch a new instance with IPv6 instead, read the guide below first; essentially, you need to create the same resources described in the steps below in the VPC section of the AWS console before launching.

  1. To add an IPv6 address to an EC2 instance in the AWS console, locate the instance and click on its VPC ID.
  2. Click Actions >> Edit CIDRs.
  3. Click Add IPv6 CIDR.
  4. On the next screen, click Add new IPv6 CIDR.
  5. Select Amazon-provided IPv6 CIDR block and choose the AWS zone where your EC2 instance resides.
  6. Navigate to your VPC and click the route table.
  7. Click the Routes tab and then Edit routes.
  8. You should already see a local IPv6 route here. Now add a route so that external IPv6 traffic is sent to the internet gateway: click Add route and enter "::/0" under Destination. This is the IPv6 default route in CIDR notation and applies to all IPv6 traffic. For the target, select Internet gateway, the same one used for your IPv4 traffic. Keep in mind that security group and network ACL rules are evaluated per address family: a rule for 0.0.0.0/0 does not match IPv6 traffic, so add matching ::/0 rules only where IPv6 access is actually intended.
  9. Navigate to your EC2 instance, click the Networking tab, and then click the network interface ID. On the Network interfaces page, click the ID again. In the Actions menu, choose Manage IP addresses.
  10. On the Manage IP addresses page, click the arrow next to the ID, and then in the IPv6 section click Assign new IP address. Click Save.

Your instance now has an IPv6 address assigned.

3. Removing Public IP Address Assignment for EC2 Instances if not needed

This section gives clear instructions on how to remove public IPs. The steps include creating an Amazon Machine Image (AMI) and launching new instances with the Auto-assign Public IP option disabled. Follow them to reduce costs with zero downtime.

Creating an AMI from an Existing Server

1. Access the AWS Management Console:

2. Navigate to EC2 Dashboard:

  • Click on Services in the top left corner and select EC2 under the Compute section.

3. Locate the Existing Instance:

  • In the EC2 Dashboard, select Instances from the left-hand navigation pane.
  • Identify and select the instance for which you want to create an AMI.

4. Create an AMI:

  • With the instance selected, click on the Actions button, navigate to Image and templates, and select Create Image.
  • Provide a name and description for the AMI.
  • Make sure No Reboot is enabled (this avoids downtime, but AWS does not guarantee file system consistency of the image in that case).
  • Click on Create Image to initiate the AMI creation process.

5. Monitor the AMI Creation:

  • Go to the AMIs section in the EC2 Dashboard.
  • Monitor the status of the new AMI until it is marked as available.

Launching an Instance from the AMI

Create an EC2 instance named IPV4-POC with a public IPv4 address for demonstration purposes. You can see the setup below.

Removing Auto-Assigned Public IP

1. Create Elastic Network Interface (ENI):

  • In the EC2 Dashboard, go to Network & Security and select Network Interfaces.
  • Click Create Network Interface and specify the same availability zone as the instance.
  • Attach the newly created ENI to the instance.
  • Verify the ENI is attached to the instance.
  • Select the newly allocated Elastic IP.

2. Create Elastic IP (EIP):

  • In the EC2 Dashboard, go to Elastic IPs and click Allocate Elastic IP address.

3. Associate EIP with ENI:

  • In the Elastic IP section, select the new Elastic IP, click Actions, and choose Associate Elastic IP address.
  • Associate it with the ENI.
  • Verify the EIP association with the instance.

4. Disassociate EIP from ENI:

  • To avoid being charged for a public IP, disassociate the Elastic IP from the ENI when it is not needed.
  • In the Elastic IP section, select the Elastic IP, click Actions, and choose Disassociate Elastic IP address.
  • Once the EIP has been disassociated and nothing else depends on it, choose Release Elastic IP addresses; an allocated but unassociated EIP is still billed.

5. Keep Additional ENI:

  • Keep the additional ENI attached to the instance to prevent the auto-assignment of a public IP, even after server restarts.

Verification

1. Verify Public IP Association:

  • In the AWS Management Console, navigate to the EC2 Dashboard.
  • Select Instances from the left-hand navigation pane.
  • Choose the instance that you launched.
  • In the bottom panel, check the Description tab for the Public IP field. It should be blank.

2. Check Network Interfaces:

  • In the EC2 Dashboard, navigate to Network & Security and select Network Interfaces.
  • Identify the ENI that you created and attached to the instance.
  • Ensure that the ENI does not have a public IP associated with it.

3. Server Restart Verification:

  • Connect to your instance using SSH or other appropriate methods.
  • Restart the server.
  • After the server has restarted, reconnect to the instance and verify that it still has no public IP.

4. Removing Public IPs of Autoscaling instances

Steps:

  1. Navigate to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.
  3. Select the Auto Scaling Group (ASG) that you want to examine and click on its launch template/configuration.
  4. Then click Actions and start modifying the template.
  5. Choose the Details tab, then select the Network Interfaces tab to view the configuration of the associated network interface. Check the value in the Auto-assign public IP column to determine whether the resource is configured to assign public IPs at launch. If the value is Enabled, every Amazon EC2 instance launched by the selected ASG gets a public IP address. If the template leaves the setting unspecified, the subnet's own Auto-assign public IPv4 address setting applies instead, so check the subnets in the ASG's network configuration as well.
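An added example (not from the original article) that performs the same check on launch template data as returned by the EC2 API, including the fallback to the subnet's MapPublicIpOnLaunch attribute when the template is silent, and builds the corrected template data. Input shapes follow describe_launch_template_versions and describe_subnets; the sample values are constructed placeholders.

```python
# Added example: audit and harden the Auto-assign public IP setting of a launch template.
import copy

def _any_subnet_public(subnets_by_id):
    return any(s.get("MapPublicIpOnLaunch", False) for s in subnets_by_id.values())

def assigns_public_ip(template_data, subnets_by_id):
    """True if instances launched from template_data get a public IPv4 address.

    subnets_by_id maps each subnet in the ASG's network configuration to its
    describe_subnets record; it decides when the template does not say.
    """
    nics = template_data.get("NetworkInterfaces") or []
    if not nics:
        return _any_subnet_public(subnets_by_id)   # no interface block: subnet decides
    primary = next((n for n in nics if n.get("DeviceIndex", 0) == 0), nics[0])
    if "AssociatePublicIpAddress" in primary:
        return bool(primary["AssociatePublicIpAddress"])
    subnet_id = primary.get("SubnetId")
    if subnet_id is not None:
        return subnets_by_id.get(subnet_id, {}).get("MapPublicIpOnLaunch", False)
    return _any_subnet_public(subnets_by_id)

def hardened(template_data):
    """Copy of template_data whose primary interface never receives a public IPv4."""
    fixed = copy.deepcopy(template_data)
    nics = fixed.get("NetworkInterfaces") or [{"DeviceIndex": 0}]
    for nic in nics:
        if nic.get("DeviceIndex", 0) == 0:
            nic["AssociatePublicIpAddress"] = False
            # EC2 rejects security groups at both the instance level and the
            # interface level, so move them into the interface block.
            if "SecurityGroupIds" in fixed:
                nic.setdefault("Groups", fixed.pop("SecurityGroupIds"))
    fixed["NetworkInterfaces"] = nics
    return fixed

# Constructed sample data (placeholder identifiers, not real resources)
SAMPLE_SUBNETS = {"subnet-PUBLIC": {"MapPublicIpOnLaunch": True},
                  "subnet-PRIVATE": {"MapPublicIpOnLaunch": False}}
SAMPLE_TEMPLATE = {"ImageId": "ami-EXAMPLE", "SecurityGroupIds": ["sg-EXAMPLE"],
                   "NetworkInterfaces": [{"DeviceIndex": 0, "AssociatePublicIpAddress": True,
                                          "SubnetId": "subnet-PUBLIC"}]}
```

The hardened template data is what you would submit as a new launch template version before pointing the ASG at it.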

Conclusion

In this document, we discussed the importance of evaluating the need for public IPs in AWS and provided recommendations for optimizing their usage and cost. We highlighted the benefits of using private IPs or NAT gateways instead of public IPs whenever possible. We also covered the process of monitoring and managing public IPv4 addresses using the IPAM console, including creating IPAMs, viewing IP details, and removing unassociated EIPs. Additionally, we explored best practices for optimizing public IPv4 usage, such as integrating NAT gateways and Elastic Load Balancers for internet traffic and considering migration to IPv6. Lastly, we provided instructions for removing public IP address assignments for EC2 instances and autoscaling instances. By following these recommendations and best practices, organizations can effectively manage and optimize their AWS public IPv4 addresses, resulting in cost savings and improved resource utilization.