EC2-Classic Elastic IP Address Limit

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-009

Determine whether the number of EC2-Classic Elastic IPs (EIPs) allocated per AWS cloud region is close to the limit that AWS sets for accounts that support the EC2-Classic platform, and request a limit increase before that limit is reached, so that your Amazon EC2 instances are not left without public IP addresses. Because public IPv4 addresses are a scarce resource, all AWS cloud accounts are limited by default to 5 (five) Elastic IP addresses per region.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency

Monitoring your EC2-Classic Elastic IP limits helps you avoid public IP resource starvation should you need to expand your Amazon EC2-Classic infrastructure rapidly.


Audit

For AWS cloud accounts that support the EC2-Classic platform, Amazon automatically sets a fixed limit of 5 on the number of Elastic IPs available per region. To determine whether your AWS cloud account has reached the default EIP limit, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, select Elastic IPs.

04 Click inside the Filter Elastic IP addresses box located under the console top menu, choose Scope, and select EC2-Classic.

05 Count the number of EC2-Classic Elastic IP (EIP) addresses returned by the Amazon EC2 console in order to determine if the selected AWS cloud region has already reached the default limit of 5 (five) EIP addresses. If the number of Elastic IPs is equal to 5, you must take action and create a support case to request Amazon Web Services (AWS) to increase the limit for the EC2-Classic Elastic IP addresses in the selected AWS cloud region.

06 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-account-attributes command (OSX/Linux/UNIX) with a custom query filter to return the maximum number of EC2-Classic Elastic IP addresses that you can allocate within the selected AWS cloud region:

aws ec2 describe-account-attributes \
  --region us-east-1 \
  --attribute-names max-elastic-ips \
  --query 'AccountAttributes[*].AttributeValues[*].AttributeValue[]'

02 The command output should return the limit set for the number of allocated Amazon EIPs in the selected AWS region:

[
	"5"
]

03 Run the describe-addresses command (OSX/Linux/UNIX) with custom query filters to list the EC2-Classic Elastic IP addresses allocated in the selected AWS cloud region:

aws ec2 describe-addresses \
  --region us-east-1 \
  --filters "Name=domain,Values=standard" \
  --output table \
  --query 'Addresses[].PublicIp'

04 The command output should return a table with the allocated EIP addresses:

-------------------
|DescribeAddresses|
+-----------------+
|    10.0.0.5     |
|    10.0.0.6     |
|    10.0.0.7     |
|    10.0.0.8     |
|    10.0.0.9     |
+-----------------+

Count the number of EC2-Classic Elastic IP addresses returned by the describe-addresses command output in order to determine if the selected AWS cloud region has already reached the default limit of 5 (five) EIP addresses. If the number of Elastic IPs is equal to 5, as shown in the output example above, you must take action and create a support case to request Amazon Web Services (AWS) to increase the limit for the EC2-Classic Elastic IP addresses in the selected AWS cloud region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
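The audit steps above can be scripted so that every region is checked in one pass and flagged before the limit is actually hit, not only when it equals 5. The script below is an added example, not Conformity's own code: it wraps the same two AWS CLI calls (describe-account-attributes with max-elastic-ips, and describe-addresses filtered on domain=standard) in functions, compares the count with the reported limit, and prints LIMIT_REACHED, NEAR_LIMIT or OK per region. The NEAR_LIMIT_PCT threshold (80% by default) is an assumed value, and the JMESPath expressions use `length()` to count addresses instead of printing a table. The `aws` calls need the CLI and credentials; `eip_status` itself is pure and needs neither. On an account without EC2-Classic support the domain=standard filter simply returns no addresses, and if max-elastic-ips is not reported the region is marked UNKNOWN rather than misreported.

```shell
#!/bin/sh
# Added example (not Conformity's code): audit EC2-Classic EIP usage against the
# per-region limit using the same AWS CLI calls as the audit steps above.

# Percentage of the limit at which to warn; 80 is an assumed threshold.
NEAR_LIMIT_PCT="${NEAR_LIMIT_PCT:-80}"

# eip_status LIMIT COUNT -> prints LIMIT_REACHED, NEAR_LIMIT or OK
eip_status() {
  limit="$1"; count="$2"
  if [ "$count" -ge "$limit" ]; then
    echo "LIMIT_REACHED"
  elif [ $(( count * 100 )) -ge $(( limit * NEAR_LIMIT_PCT )) ]; then
    echo "NEAR_LIMIT"
  else
    echo "OK"
  fi
}

# classic_eip_limit REGION -> value of the max-elastic-ips account attribute (step 01)
classic_eip_limit() {
  aws ec2 describe-account-attributes \
    --region "$1" \
    --attribute-names max-elastic-ips \
    --query 'AccountAttributes[0].AttributeValues[0].AttributeValue' \
    --output text
}

# classic_eip_count REGION -> number of EC2-Classic (domain=standard) EIPs (step 03)
classic_eip_count() {
  aws ec2 describe-addresses \
    --region "$1" \
    --filters "Name=domain,Values=standard" \
    --query 'length(Addresses)' \
    --output text
}

# audit_region REGION -> one line: REGION COUNT/LIMIT STATUS
audit_region() {
  region="$1"
  limit="$(classic_eip_limit "$region")"
  count="$(classic_eip_count "$region")"
  # The CLI prints "None" in text mode when the attribute is absent; do not
  # feed that (or anything non-numeric) into the arithmetic comparison.
  case "$limit" in
    ''|*[!0-9]*)
      printf '%s %s/? UNKNOWN (max-elastic-ips not reported)\n' "$region" "$count"
      return 0 ;;
  esac
  printf '%s %s/%s %s\n' "$region" "$count" "$limit" "$(eip_status "$limit" "$count")"
}

# audit_regions [REGION...] -> audit the regions given (step 05), or every
# region enabled for the account when none are given
audit_regions() {
  if [ "$#" -eq 0 ]; then
    set -- $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)
  fi
  for r in "$@"; do
    audit_region "$r"
  done
}

# Only runs the audit when regions (or "all") are passed on the command line,
# e.g.  sh eip-audit.sh us-east-1 eu-west-1   or   sh eip-audit.sh all
case "${1:-}" in
  "") ;;
  all) audit_regions ;;
  *) audit_regions "$@" ;;
esac
```

Any region reporting NEAR_LIMIT or LIMIT_REACHED is a candidate for the support case described under Remediation / Resolution below; running the script from a scheduled job turns the one-off audit into the continuous check the rule is meant to provide.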

Remediation / Resolution

To request an increase for the EC2-Classic Elastic IP address limit, perform the following operations:

Note: Creating a support case to request a service limit increase using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center console at https://console.aws.amazon.com/support/.

03 In the Open support cases section, choose Create case to initiate the request process.

04 On the Create case page, perform the following actions:

  1. Select the Service limit increase option.
  2. Choose Elastic IPs from the Limit type dropdown list.
  3. In the Request <number> section, perform the following:
    • Select the AWS cloud region where an EIP limit increase is required from the Region dropdown list.
    • Select EC2-Classic Elastic IP Address Limit from the Limit dropdown list.
    • In the New limit value box, enter the new Elastic IP limit to request for the selected AWS region.
  4. If you need to add multiple limit requests (e.g. for other AWS cloud regions), choose Add another request to add as many requests as needed.
  5. For Case Description, provide a concise description of the reason for your service limit increase request. This will help the AWS support team to evaluate your request.
  6. For Contact options, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support team can use to respond to your request from the Contact methods section.
  7. Choose Submit to send your request to Amazon Web Services. A customer support representative should contact you shortly. Once the request is approved by AWS, you should be able to allocate new EC2-Classic Elastic IPs within the specified AWS cloud regions.

Publication date Jun 10, 2016