Bring Your Own IP

Oracle Cloud Infrastructure allows you to Bring Your Own IP (BYOIP) address space to use with resources in Oracle Cloud Infrastructure, in addition to using Oracle owned addresses. BYOIP lets you manage your IPv4 CIDR blocks to align with your existing security, management, and deployment policies and achieve:

  • Solution continuity and hardcoded dependencies: Your VCN is an extension of your public Internet presence, without needing to reinvent policies and management processes. If you have IP addresses hard-coded in devices or built architectural dependencies on specific IP addresses, using BYOIP you have a smooth migration to Oracle Cloud Infrastructure.
  • IP pool management: Some network administrators require the ability to summarize groups of IP addresses into pools and to create resources for deployment such as load balancers, firewalls, or web servers. IP Pool management provides tools to manage reserved public IP addresses.
  • IP reputation: Some Internet services rely on a contiguous IP address space (such as a full span of IP addresses from 1 through 255) and act as a trusted contact point between services such as major email service providers and mail delivery systems.

Oracle performs a validation process on imported CIDR blocks, and after validation you are notified that the CIDR block is available for advertisement. You can also create one or many public IP pools from this address space by specifying subranges from the BYOIP CIDR block and use IP pools to allocate specific resources. You can start or stop advertisement of the BYOIP routes when needed.

Requirements and Preparation

  • You must have ownership of the public IPv4 CIDR block you want to import into Oracle Cloud Infrastructure, and the ownership must be registered with a supported Regional Internet Registry (RIR). Oracle validates ownership of your addresses. Only the following registries are supported, and the addresses must have a specified type or status:

  • The addresses in the IP address range must have a clean history. We might investigate the reputation of the IP address range and reserve the right to reject an IP address range that contains an IP address that is associated with malicious behavior.

Limits and Quotas

  • Your addresses can only be imported to a specific Oracle region.
  • You can use BYOIP with an IPv4 CIDR block that is a minimum of /24 and a maximum of /8.
  • You can't bring the same address range to more than one compartment at a time.
  • You can bring up to 10 IPv4 address ranges to your Oracle Cloud Infrastructure account.
  • BYOIP is not available with Oracle Cloud Infrastructure Free Tier or Pay As You Go services.

BYOIP Process Overview

The steps needed for BYOIP in Oracle Cloud Infrastructure require significant time, so plan accordingly. The process is shown in the following diagram:

Swimlane diagram showing the BYOIP import process.
  1. You request to import a public IPv4 CIDR block you own.
  2. Oracle issues a verification token.
  3. You modify and add the verification token to the information about that public IPv4 CIDR block kept by your RIR service. The details vary depending on the RIR. It can take up to one day for the update to take effect. If you move to the next step before that update takes effect, a day will be added to the total time to complete the process. See To import a BYOIP CIDR block for details.
  4. Create a Route Origin Authorization (ROA) with your RIR. As part of the ROA, provide the Oracle BGP ASN (31898 for the commercial cloud). This allows Oracle to advertise the BYOIP CIDR block.
  5. Request that Oracle finish the import request, creating a workflow that could take up to 10 days to complete, where Oracle communicates with the RIR and verifies that you own the IP addresses in the CIDR block.
  6. Oracle provisions the BYOIP CIDR block to your VCN.
  7. At this point, the BYOIP CIDR block is yours to manage in your VCN. You can add addresses to an IP pool, and then use them as reserved IP addresses. You can also advertise the IP addresses to the internet.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  to work in.

For administrators: see IAM Policies for Networking.

Limits on IAM Resources

See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.

Managing BYOIP using the console

To import a BYOIP CIDR block
  1. From the BYOIP list page, click Import BYOIP CIDR Block. The Import BYOIP CIDR Block screen appears.
  2. In the Import BYOIP CIDR Block screen, enter a name for the BYOIP CIDR Block, choose the compartment, and enter the CIDR block you intend to bring to your tenancy. Avoid entering confidential information.
  3. Click Save Changes. The details page for that BYOIP import request appears.
  4. In the Next Steps section, make a copy of the validation token. Modify the token slightly, adding the following information as shown. You can use any text editor.

    The completed token string might look something like: OCITOKEN::

  5. Create a Route Origin Authorization (ROA) object that authorizes Oracle to advertise the BYOIP CIDR block. The Oracle BGP ASN is 31898 for the commercial cloud. For the US Government Cloud, see Oracle's BGP ASN. Set an expiry date at least 6 months in the future. Follow the instructions appropriate for your RIR.

    If you do not create an ROA, Oracle can't advertise the BYOIP CIDR block. Without being able to advertise the routes, there may be little point in importing them.
  6. Now add the modified validation token to the RIR account information associated with your address range. Each RIR uses a slightly different method:
    • ARIN: Add the modified token string in the "Public Comments" section associated with your address range.
    • RIPE NCC: Add the modified token string as a new "descr" field associated with your address range.
    • APNIC: Add the modified token string to the "remarks" field for your address range by emailing it to The email must be sent from the APNIC authorized contact account for the IP address range.

    The modified validation string must be associated with the address range information. Do not add it to the information for the organization that owns the address range.
  7. Wait until both the ROA and the token registration is complete (up to a day) before you click the Finish Import button. Otherwise, the process can be delayed up to one day.
  8. Return to the details page for the BYOIP request and click Finish Import. A confirmation screen appears.
  9. Click Finish Import, confirming that you would like to validate the BYOIP request: . Allow up to 10 days for Oracle to contact your RIR, validate the import, and provision the CIDR block. View the work requests to see the status.
To view your BYOIP CIDR blocks
  1. Confirm you are viewing the region and compartment you're interested in.
  2. Open the navigation menu and click Networking. Under IP Management, click BYOIP.
To rename a BYOIP CIDR block
  1. In the details page for that BYOIP CIDR block, click Rename. A window appears.
  2. In the window, enter the new name. Avoid entering confidential information.
  3. Click Save Changes.
To remove a BYOIP CIDR block from a pool

To successfully remove a BYOIP CIDR block from a pool, there must be no reserved public IP addresses in that address range. You may have to terminate one or more reserved public IP addresses.
  1. In the details page for your BYOIP CIDR block, click on the Action Icon corresponding to the subrange you want to remove from a public IP pool, and then click on Remove from Public IP Pool . A confirmation window appears.
  2. If you are sure you want to delete the BYOIP CIDR block, click on Remove CIDR Block.
To delete a BYOIP CIDR block

To successfully delete a BYOIP CIDR block, it must be in the CREATING, PROVISIONED, ACTIVE, or FAILED state, and it must not have any subranges added to public IP pools.


If you delete a BYOIP CIDR block, you need to repeat the import process to undo your action.
  1. In the details page for your BYOIP CIDR block, click Delete . A confirmation window appears.
  2. If you are sure you want to delete the BYOIP CIDR block, click Delete BYOIP CIDR block.
To withdraw a BYOIP CIDR block
  1. In the details page for a BYOIP CIDR block currently being advertised, click Withdraw. A confirmation window appears.
  2. In the confirmation window, click on Withdraw.
To divide a BYOIP CIDR block and assign subranges to a public IP pool
  1. From a BYOIP detail page, scroll down to the BYOIP CIDR Block Subranges section and click Manage BYOIP CIDR Block. The Manage BYOIP CIDR Blocks screen appears.
  2. Either by entering a number for the CIDR suffix or using the up/down arrows next to the suffix, change the suffix number (often a /24). New rows in the table appear, representing possible subranges within the entire CIDR block.
  3. For each of the newly created subranges of the BYOIP CIDR block, check the box in the first column of the table and click Add BYOIP CIDR Blocks to Public IP Pools.
    1. Choose whether to Select an Existing Public IP Pool or Create New Public IP Pool.
      • Select an Existing Public IP Pool: Choose an existing IP pool using the selection list.
      • Create New Public IP Pool: Assign the new pool a name and choose a compartment. You can move the public IP pool to another compartment later. Avoid entering confidential information.
    2. Click Add BYOIP CIDR Blocks to Public IP Pools
  4. Repeat the previous step until all subranges of the BYOIP CIDR block are assigned to a public IP pool, then click Submit.

If a subrange of a BYOIP CIDR block is left unassigned to a pool, the table may look different after you click Submit.