How do I troubleshoot BYOIP configuration errors in my VPC?
I want to troubleshoot errors that I encounter when I configure Bring Your Own IP (BYOIP) for my Amazon Virtual Private Cloud (Amazon VPC).
Short description
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
The following issues occur when you configure BYOIP in your VPC:
- Your Route Origin Authorization (ROA) isn't valid or doesn't exist for your Classless Inter-Domain Routing (CIDR) block and Amazon Autonomous System Numbers (ASNs).
- An X.509 certificate isn't in the WHOIS remarks.
- Your IP address range doesn't use an accepted allocation type in its associated internet registry.
- AWS can't verify the CidrAuthorizationContext signature with the X.509 certificates in the Regional Internet Registries (RIR) records.
- Your IP address is stuck in the pending-provision state.
For more information, see Bring your own IP addresses (BYOIP) to Amazon Elastic Compute Cloud (Amazon EC2), and the Bring Your Own IP section of Amazon VPC FAQs.
To resolve BYOIP configuration issues, complete the following actions based on the error that you encounter.
Resolution
Troubleshoot a ROA that isn't valid or isn't found for your CIDR block and Amazon ASNs
Create a ROA to authorize Amazon ASNs 16509 and 14618 to advertise your address ranges. For more information, see Create a ROA object in your RIR.
Important: Your ROA must meet the following BYOIP requirements:
- Your ROA must be valid for both ASNs for the whole period in which you use the address range.
- Your ROA must be specific to the address ranges that you bring into AWS.
- For IPv4, the ROA must contain the address range that you want to bring to AWS and you must set the maximum length to /24. For IPv6, the most specific range you can bring is /48 for publicly advertisable CIDR ranges and /60 for non-publicly advertisable CIDR ranges.
Important: If you must create a ROA object for Amazon VPC IP Address Manager (IPAM), then set the maximum IPv4 prefix length to /24. If you must add IPv6 CIDR ranges to an advertisable pool, then set the maximum length of an IP address prefix to /48. For more information about BYOIP addresses to IPAM, see Tutorial: Bring your IP addresses to IPAM.
For more information about creating a ROA request, see the following resources, depending on where you registered your IP address range:
- ARIN: Route Origin Authorization (ROA) Overview
- RIPE: Using the Hosted Certification Authority
- APNIC: Route Management
Important: AWS supports only prefixes that you register with ARIN, RIPE, or APNIC.
It takes up to 24 hours for the ROA to make the ASNs available for Amazon. Wait 24 hours after you create a ROA before you deprovision and re-provision your address range.
Use Routinator, from either your browser or the command line, to confirm that you created your ROA and mapped it to your ASNs. For more information, see Routinator on the official Routinator website.
Enter the following URL into your browser:
https://rpki-validator.ripe.net/json?select-prefix=example-public-IP/example-prefix-length
-or-
From the command line (for example, the shell where you run the AWS CLI), run the following curl command:
curl https://rpki-validator.ripe.net/json?select-prefix=example-public-IP/example-prefix-length
Note: In the previous examples, replace example-public-IP/example-prefix-length with your address range.
The following example output from the curl command is valid for ASN AS13335 and IP address 1.1.1.0/24:
{ "metadata": { "generated": 1770933536, "generatedTime": "2026-02-12T21:58:56Z" }, "roas": [ { "asn": "AS13335", "prefix": "1.1.1.0/24", "maxLength": 24, "ta": "apnic" } ], "routerKeys": [], "aspas": [] }
The following example output is invalid:
{ "metadata": { "generated": 1685008305, "generatedTime": "2023-05-25T09:51:45Z" }, "roas": [] }
If your output is invalid, then check that your ROA meets the previous requirements.
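To apply the previous checks to the validator's JSON without reading it by eye, the following added example (not part of this article) parses the roas list, confirms that a ROA for each Amazon ASN (16509 and 14618) covers your range under RPKI rules (range inside the ROA prefix and not longer than maxLength), and reports each covering ROA's maxLength so you can compare it with the /24 (IPv4) or /48 (IPv6) requirement. The 203.0.113.0/24 range and both JSON documents are constructed samples.

```python
import ipaddress
import json

# Amazon ASNs that the ROA must authorize for BYOIP (from the article).
AMAZON_ASNS = {16509, 14618}


def check_byoip_roa(validator_json: str, cidr: str) -> dict:
    """Check validator JSON (shape: {"roas": [{"asn", "prefix", "maxLength"}]})
    for ROAs that cover `cidr` for both Amazon ASNs.

    Returns {"ok": bool, "missing_asns": [...], "covering": {asn: roa}}.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    covering = {}  # asn -> the ROA that covers the range for that ASN
    for roa in json.loads(validator_json).get("roas", []):
        asn = int(str(roa["asn"]).upper().removeprefix("AS"))
        roa_net = ipaddress.ip_network(roa["prefix"], strict=False)
        max_len = int(roa.get("maxLength", roa_net.prefixlen))
        # RPKI semantics: the ROA covers the range only when the range lies
        # inside the ROA prefix AND its length does not exceed maxLength.
        if (net.version == roa_net.version and net.subnet_of(roa_net)
                and net.prefixlen <= max_len):
            covering[asn] = {"prefix": str(roa_net), "maxLength": max_len}
    missing = sorted(AMAZON_ASNS - set(covering))
    return {"ok": not missing, "missing_asns": missing, "covering": covering}


# Constructed sample: both Amazon ASNs authorized, maxLength set to /24.
SAMPLE_OK = json.dumps({
    "metadata": {"generated": 0, "generatedTime": "1970-01-01T00:00:00Z"},
    "roas": [
        {"asn": "AS16509", "prefix": "203.0.113.0/24", "maxLength": 24, "ta": "arin"},
        {"asn": "AS14618", "prefix": "203.0.113.0/24", "maxLength": 24, "ta": "arin"},
    ],
    "routerKeys": [], "aspas": [],
})
# Constructed sample: the AS14618 ROA exists but its maxLength (/22) is shorter
# than the /24 being brought, so it does not cover the range.
SAMPLE_BAD = json.dumps({
    "metadata": {"generated": 0, "generatedTime": "1970-01-01T00:00:00Z"},
    "roas": [
        {"asn": "AS16509", "prefix": "203.0.113.0/24", "maxLength": 24, "ta": "arin"},
        {"asn": "AS14618", "prefix": "203.0.112.0/22", "maxLength": 22, "ta": "arin"},
    ],
})

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_byoip_roa(sample, "203.0.113.0/24"))
```

Feed it the body returned by the curl command above in place of the samples to check a real range.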
Troubleshoot an X.509 certificate that isn't in the WHOIS remarks
The following issues cause invalid X.509 self-signed certificates:
- There isn't a certificate in the Registration Data Access Protocol (RDAP) record for the RIR.
- There are new line characters in the certificate.
- The certificate isn't valid.
- You didn't generate the certificate from a valid key pair.
Important: When you set up BYOIP, you must correctly create and upload your X.509 certificate.
Verify that your certificate is valid based on the registry that you used to register your certificate, and then troubleshoot the error.
For ARIN, RIPE and APNIC
To verify that a certificate that you registered is valid, run one of the following WHOIS commands:
whois -h whois.example-RIR.net example-public-IP
-or-
whois -h whois.example-RIR.net example-address-range
Note: Replace example-public-IP with your IP address. Replace example-address-range with your address range in CIDR notation. Replace whois.example-RIR.net with the hostname of the RIR that you use.
Perform the following checks in your results based on your RIR:
- For ARIN: Check the Public Comments section for the NetRange (network range) in the command output. Verify that the certificate is in the Public Comments section for your address range.
- For APNIC: Check the remarks section for the inetnum object (network range) in the command output. Verify that the certificate is in the remarks field for your address range.
- For RIPE: Check the descr section for the inetnum object (network range) in the command output. Verify that the certificate is in a descr field for your address range.
Troubleshoot the error
After you complete the check, complete the following steps:
- If there isn't a certificate, then create and upload a new certificate.
-or-
If there's a certificate, then make sure that it doesn't contain any new lines. If there are new lines, then remove the lines. The following example command generates a certificate that doesn't contain any new lines:
openssl req -new -x509 -key private-key.pem -days 365 | tr -d "\n" > certificate.pem
- Copy the certificate content into a new file and run the following command to verify that the certificate is valid:
openssl x509 -in certificate.pem -text -noout
Note: If you receive "unable to load certificate" or "Could not find certificate" errors, then add one new line after BEGIN CERTIFICATE and before END CERTIFICATE.
If you still receive the error, then you used an incorrect key pair to generate the certificate. Create and upload a new X.509 certificate.
Troubleshoot an IP range that isn't an acceptable allocation type in the associated internet registry
The following issues cause this error:
- The RIR allocation type for the address range is wrong.
- AWS doesn't support the registry.
Run one of the following WHOIS commands:
whois -h whois.iana.org example-public-IP
-or-
whois -h whois.iana.org example-public-IP/example-prefix-length
Note: Replace example-public-IP with your IP address. Replace example-public-IP/example-prefix-length with your address range in CIDR notation.
In the output, review the organization section, and check that AWS supports your registry. Make sure that you registered the address range in the inetnum section with your RIR.
Troubleshoot "The CidrAuthorizationContext signature can't be verified with the X509 certificates in the RIR records" errors
When you provision the address ranges, AWS must verify the signature for the API call. AWS uses the public key derived from the certificate to verify the signature in the provision-byoip-cidr API operation. This error indicates that AWS couldn't verify the signature.
The following issues cause this error:
- When you provision, you don't use the correct signature.
- You signed the message with the wrong private key.
- You uploaded the wrong certificate in the RDAP record with the RIR.
To resolve this error, create and upload a new X.509 certificate.
Troubleshoot an IP address that's stuck in the "pending-provision" state
It takes up to one week to complete the provision process for publicly advertisable ranges.
Run the describe-byoip-cidrs AWS CLI command to monitor your progress:
aws ec2 describe-byoip-cidrs --max-items example-value --region example-region
Note: Replace example-value with the total number of items that you must see in the command's output. Replace example-region with your AWS Region.
If the status changes to failed-provision, then verify that you correctly composed and signed your authorization message. Then, run the provision-byoip-cidr command again. For more information, see Provision a publicly advertisable address range in AWS.