How do I troubleshoot common BYOIP configuration errors in my VPC?


I want to configure Bring Your Own IP (BYOIP) for my Amazon Virtual Private Cloud (Amazon VPC).

Short description

The following are common errors that occur when you configure BYOIP in your VPC:

  • The Route Origin Authorization (ROA) isn't valid or isn't found for the CIDR and Amazon Autonomous System Numbers (ASNs).
  • An X509 certificate wasn't found in the WHOIS remarks.
  • The IP range isn't an acceptable allocation type in the associated internet registry.
  • The CidrAuthorizationContext signature can't be verified with the X509 certificates in the Regional Internet Registries (RIR) records.
  • Your IP address is stuck in the pending-provision state.

Resolution

Error: The ROA isn't valid or isn't found for the CIDR and Amazon ASNs

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent version of the AWS CLI.

Create an ROA to authorize Amazon ASNs 16509 and 14618 to advertise your address ranges. It takes up to 24 hours for the ROA to make the ASNs available for Amazon.

To confirm ROA creation and ASN mapping, use rpki-validator from RIPE. You can run the query either in a browser or with curl from the command line.

Browser example

https://rpki-validator.ripe.net/json?select-prefix=X.X.X.X/{prefix-length}

Note: In the previous example, replace X.X.X.X/{prefix-length} with your address range.

Command line example

curl "https://rpki-validator.ripe.net/json?select-prefix=X.X.X.X/{prefix-length}"

Note: In the previous example, replace X.X.X.X/{prefix-length} with your address range.

Example of valid output:

{
  "metadata": {
    "generated": 1685008213,
    "generatedTime": "2023-05-25T09:50:13Z"
  },
  "roas": [
    { "asn": "AS14618", "prefix": "X.X.X.X/{prefix-length}", "maxLength": X, "ta": "arin" },
    { "asn": "AS16509", "prefix": "X.X.X.X/{prefix-length}", "maxLength": X, "ta": "arin" }
  ]
}

Example of non-valid output:

{
  "metadata": {
    "generated": 1685008305,
    "generatedTime": "2023-05-25T09:51:45Z"
  },
  "roas": [

  ]
}

To avoid this error, complete the following tasks:

  • The ROA must be valid for both ASNs for the period in use. It also must be specific to the address ranges that you bring into AWS. For more information, see the "Preparing your IP address range" section in Introducing Bring Your Own IP (BYOIP).
  • Wait 24 hours after you create an ROA before you re-provision.
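The following added example (not part of the original article) parses the validator output shown above and reports, for each Amazon ASN, whether a ROA covers the range you plan to provision. The function name, the sample prefixes (documentation range 203.0.113.0/24), and the status strings are assumptions made for illustration.

```python
import ipaddress
import json

AMAZON_ASNS = ("AS16509", "AS14618")  # the two ASNs named in this article

def check_roas(validator_json: str, cidr: str) -> dict:
    """Map each Amazon ASN to 'ok', 'missing' or 'maxLength too short'."""
    route = ipaddress.ip_network(cidr)
    roas = json.loads(validator_json).get("roas", [])
    result = {}
    for asn in AMAZON_ASNS:
        status = "missing"
        for roa in roas:
            if str(roa.get("asn", "")).upper() != asn:
                continue
            roa_net = ipaddress.ip_network(roa["prefix"])
            # The ROA prefix must cover the range being provisioned.
            if roa_net.version != route.version or not route.subnet_of(roa_net):
                continue
            # A covering ROA only validates routes up to its maxLength.
            if int(roa["maxLength"]) >= route.prefixlen:
                status = "ok"
                break
            status = "maxLength too short"
        result[asn] = status
    return result

# Constructed sample responses in the format shown above (not real records).
VALID_SAMPLE = json.dumps({"roas": [
    {"asn": "AS14618", "prefix": "203.0.113.0/24", "maxLength": 24, "ta": "arin"},
    {"asn": "AS16509", "prefix": "203.0.113.0/24", "maxLength": 24, "ta": "arin"},
]})
EMPTY_SAMPLE = json.dumps({"roas": []})
SHORT_SAMPLE = json.dumps({"roas": [
    {"asn": "AS16509", "prefix": "203.0.112.0/23", "maxLength": 23, "ta": "arin"},
]})

if __name__ == "__main__":
    for name, sample in (("valid", VALID_SAMPLE), ("empty", EMPTY_SAMPLE),
                         ("short", SHORT_SAMPLE)):
        print(name, check_roas(sample, "203.0.113.0/24"))
```

Any status other than ok for either ASN means the ROA must be corrected before you provision again.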

Error: No X509 certificate could be found in the WHOIS remarks

Common reasons for this error include the following:

  • There isn't a certificate in the RDAP record for the RIR.
  • There are new line characters in the certificate.
  • The certificate isn't valid.
  • The certificate isn't generated from the valid key pair.

Make sure to create and upload the certificate correctly. For more information, see Create a key pair for AWS authentication.

To troubleshoot this error, verify that the uploaded certificate is valid. Use WHOIS to check the record for the network range in the RIR.

For ARIN:

whois -a <Public IP>

Check the Comments section for the NetRange (network range). Add the certificate to the Public Comments section for your address range.

For RIPE:

whois -r <Public IP>

Check the descr section for the inetnum object (network range) in the WHOIS display. Add the certificate to the descr field for your address range.

For APNIC:

whois -A <Public IP>

Check the remarks section for the inetnum object (network range) in the WHOIS display. Make sure that the certificate is in the remarks field for your address range.

After you complete the check, complete the following tasks:

  1. If there isn't a certificate, then create a new certificate. Then, follow the steps that are outlined in the Resolution section of this article to upload it.
    If there's a certificate, then make sure that there are no new lines. If there are any new lines, then remove the lines as shown in the following example:

    openssl req -new -x509 -key private.key -days 365 | tr -d "\n" > publickey.cer
  2. Verify that the certificate is valid. To do this, copy the certificate content into a new file and run the following command:

    openssl x509 -in example.crt -text -noout

    If you receive an unable to load certificate error, then add a new line after BEGIN CERTIFICATE and another new line before END CERTIFICATE.

  3. If none of the above apply, then an incorrect key pair was used to generate the certificate.
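The following added example (not part of the original article) automates the checks in steps 1 and 2: it finds the certificate in saved WHOIS output, flags new line characters, and writes the body in standard PEM layout so that openssl x509 can load it. The function name, the field labels it strips (remarks, descr, Comment), and the sample record are assumptions; the sample bytes are constructed and aren't a real certificate.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def cert_from_whois(whois_text: str):
    """Return (pem, problems) for the first certificate found in WHOIS text."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), whois_text, re.S)
    if not m:
        return None, ["no certificate markers found"]
    raw = m.group(1)
    problems = []
    if "\n" in raw or "\r" in raw:
        problems.append("certificate contains new line characters")
    # Strip field labels that a multi-line record repeats on every line
    # (assumed label names), then all remaining whitespace.
    body = re.sub(r"(?m)^\s*(remarks|descr|Comment):", "", raw)
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return None, problems + ["certificate body is not valid base64"]
    if not der.startswith(b"\x30"):
        problems.append("decoded data does not start with a DER SEQUENCE")
    # Markers on their own lines, body wrapped at 64 characters.
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n", problems

# Constructed placeholder bytes and records for demonstration only.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
ONE_LINE = f"remarks:        {BEGIN}{SAMPLE_B64}{END}\n"
WRAPPED = "\n".join("remarks:        " + part for part in
                    (BEGIN, SAMPLE_B64[:60], SAMPLE_B64[60:], END)) + "\n"

if __name__ == "__main__":
    pem, problems = cert_from_whois(WRAPPED)
    print(problems)
    print(pem)
```

Save the returned PEM text to a file and pass it to the openssl x509 command from step 2. The script only prepares the file and doesn't validate the certificate itself.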

Error: The IP range isn't an acceptable allocation type in the associated internet registry

The following are reasons for this error:

  • The RIR allocation type for the address range is wrong.
  • The registry isn't supported.

There are five regional internet registries (RIR): AFRINIC, ARIN, APNIC, LACNIC, and RIPE. AWS supports ARIN, RIPE, and APNIC registered prefixes.

To verify the RIR, use WHOIS:

whois <public ip>

For RIPE: Verify that the Status is ALLOCATED PA, LEGACY, or ASSIGNED PI.

For ARIN: Verify that the NetType is Direct Allocation or Direct Assignment.

For APNIC: Verify that the Status is ALLOCATED PORTABLE or ASSIGNED PORTABLE.

Note: Some comments might state "Addresses within this block are non-portable". This comment is an additional confirmation that the RIR can't provision that address range.

The preceding error occurs for the following reasons:

  • The Status (for RIPE and APNIC) or NetType (for ARIN) is none of the statuses listed in the preceding section.
  • The registry isn't supported.

Error: The CidrAuthorizationContext signature can't be verified with the X509 certificates in the RIR records

When you provision the address ranges, AWS must verify the signature for the API call. AWS uses the public key derived from the certificate to verify the signature in the aws ec2 provision-byoip-cidr API call. This error indicates a failure to cryptographically verify the signature.

The following are common reasons for this error:

  • When you provision, you aren't using the correct signature.
  • You signed the message with the wrong private key.
  • You uploaded the wrong certificate in the RDAP record with the RIR.

Error: Your IP address is stuck in the "pending-provision" state

It takes up to one week to complete the provisioning process for publicly advertisable ranges. Use the describe-byoip-cidrs command to monitor progress, as shown in the following example:

aws ec2 describe-byoip-cidrs --max-results 5 --region us-east-1

If the status changes to failed-provision, then run the provision-byoip-cidr command again after you resolve the issues.

For more information, see Provision a publicly advertised address range in AWS.

Related information

Bring your own IP addresses (BYOIP) in Amazon Elastic Compute Cloud (Amazon EC2)

Bring your own IP

AWS OFFICIAL
Updated 10 months ago