IP Allocation Discipline
IPAM.
Use an IPAM tool
AWS IPAM, NetBox, Infoblox, or equivalent. The IPAM tool is the single source of truth for every CIDR the org has ever allocated, across every account, region, and VPC. The alternative is the shared spreadsheet that nobody updates and the route table that ends up fighting itself.
- Collision detection before write. Every allocation request is checked against every CIDR already on record, across all accounts and regions, and rejected on overlap. A block that never gets written cannot conflict later.
- Pre-allocation diff per VPC. Diff the proposed CIDR against the route tables of every VPC it will peer or transit with, on-prem and VPN prefixes included. Catches overlap before peering breaks.
- Single source of truth. One IPAM of record for the org. Replaces the shared spreadsheet that nobody trusts.
- API-first integration. Programmatic client for Terraform and CI. Manual CIDR picks disappear from the workflow.
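The two checks above (collision against the IPAM's records, diff against a peer's route table), as an added example that is not the page's code or any IPAM product's API. The existing allocations and the peer route table are constructed in-memory samples standing in for what an IPAM of record and the cloud API would return; account ids, VPC names and route targets are placeholders.

```python
"""Added example: gate an allocation request on collision and route-table checks.

Constructed data throughout; nothing here queries a real IPAM or account.
"""
import ipaddress

# Constructed sample: existing allocations as the IPAM of record returns them.
EXISTING_ALLOCATIONS = [
    {"cidr": "10.16.0.0/16", "account": "111111111111", "region": "eu-west-1", "vpc": "vpc-prod-a"},
    {"cidr": "10.17.0.0/16", "account": "111111111111", "region": "eu-west-1", "vpc": "vpc-prod-b"},
    {"cidr": "10.32.0.0/16", "account": "222222222222", "region": "us-east-1", "vpc": "vpc-data"},
]

# Constructed sample: the route table of a VPC the new VPC will peer with.
PEER_ROUTES = [
    {"destination": "10.17.0.0/16", "target": "local"},
    {"destination": "10.32.0.0/16", "target": "pcx-0abc"},
    {"destination": "10.200.0.0/24", "target": "vgw-0def"},   # on-prem prefix via VPN
    {"destination": "0.0.0.0/0", "target": "igw-0123"},
]


def find_collisions(proposed, allocations):
    """Return every existing allocation that overlaps the proposed CIDR.

    overlaps() is symmetric, so it catches a proposed block that sits inside,
    around, or partially across an existing one. strict=True rejects a CIDR
    with host bits set (10.17.1.0/16) instead of silently normalising it.
    """
    new = ipaddress.ip_network(proposed, strict=True)
    return [a for a in allocations if new.overlaps(ipaddress.ip_network(a["cidr"]))]


def route_diff(proposed, routes):
    """Return the peer's routes that the new CIDR would conflict with.

    A default route legitimately covers everything and is skipped; any other
    overlapping destination (another VPC, a VPN or on-prem prefix) means the
    peering route for the new VPC would be ambiguous or shadowed.
    """
    new = ipaddress.ip_network(proposed, strict=True)
    hits = []
    for r in routes:
        dest = ipaddress.ip_network(r["destination"])
        if dest.prefixlen == 0:
            continue
        if new.overlaps(dest):
            hits.append(r)
    return hits


def check_allocation(proposed, allocations=EXISTING_ALLOCATIONS, routes=PEER_ROUTES):
    """The write gate: the request is ok only when both checks come back empty."""
    collisions = find_collisions(proposed, allocations)
    conflicts = route_diff(proposed, routes)
    return {"ok": not collisions and not conflicts,
            "collisions": collisions, "route_conflicts": conflicts}


if __name__ == "__main__":
    for cidr in ("10.18.0.0/16", "10.17.128.0/17", "10.200.0.0/16"):
        result = check_allocation(cidr)
        print(cidr, "OK" if result["ok"] else "REJECT", result)
```

The third request in the usage loop is the case the spreadsheet never catches: 10.200.0.0/16 collides with nothing the IPAM has allocated, but it swallows the on-prem /24 the peer routes over its VPN, so it is rejected on the route diff alone.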
Allocation policy
The allocation policy fixes the address-space waste that comes from ad-hoc requests. The right policy compounds across years and surfaces the wrong one in the form of stranded /16s and impossible peering arrangements.
- 10.0.0.0/8 reserved for VPCs. Org-wide private space. Single global pool, carved by region. The other RFC 1918 ranges (172.16.0.0/12, 192.168.0.0/16) stay outside the pool for on-prem, partner and overlay ranges, so those never collide with a VPC.
- Per-region /12 plus per-VPC /16 default. Each region gets a dedicated /12; each VPC defaults to a /16 within its region's block, which is also the largest CIDR AWS allows for a VPC. A /8 holds sixteen /12s and a /12 holds sixteen /16s, so the plan caps at sixteen regions and sixteen full-size VPCs per region before the expansion reserve is taken out. Cross-region peering stays clean.
- Right-size for actual workload. Smaller block where the service is small. Address space stays available for growth.
- Reserve half of each block for expansion. Initial allocation uses half the planned space; the other half is recorded in the IPAM as held, so it stays adjacent and can be added later as a secondary CIDR. Future expansion does not require re-IP. With /16 VPCs that leaves eight per region.
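The policy above carried through as an allocator, as an added example that is not the page's code (it is also the shape of thing the automation section later expects Terraform and CI to call). The region list, the region-to-/12 ordering and the starting inventories are constructed assumptions; the rules are the page's: one /12 per region out of 10.0.0.0/8, a /16 per VPC by default, and the adjacent block of the same size held back so expansion never needs a re-IP.

```python
"""Added example: policy-conformant first-fit allocation out of 10.0.0.0/8.

REGION_ORDER and the sample inventories are constructed; the carving rules
follow the allocation policy on this page.
"""
import ipaddress

ORG_POOL = ipaddress.ip_network("10.0.0.0/8")
REGION_PREFIX = 12          # one /12 per region
DEFAULT_VPC_PREFIX = 16     # default VPC size, also the AWS maximum

# Constructed: position in this list fixes which /12 a region owns.
# A /8 holds only sixteen /12s, so the list can never exceed 16 entries.
REGION_ORDER = ["eu-west-1", "us-east-1", "ap-southeast-2"]


def region_block(region):
    """The /12 carved for this region: 10.0/12 for the first entry, 10.16/12 for the second, ..."""
    idx = REGION_ORDER.index(region)
    return list(ORG_POOL.subnets(new_prefix=REGION_PREFIX))[idx]


def allocate(region, allocated, prefix=DEFAULT_VPC_PREFIX):
    """First-fit allocation of a /prefix inside the region's /12.

    'allocated' is every CIDR the IPAM already holds for the region, the
    reserved halves included. Returns (cidr, reserved): cidr becomes the
    VPC's primary CIDR, reserved is the adjacent block of the same size that
    the IPAM records as held for a future secondary CIDR. Together they take
    a /(prefix-1), which is the "half of each block for expansion" rule.
    """
    block = region_block(region)
    taken = [ipaddress.ip_network(c) for c in allocated]
    # Walk the region block in /(prefix-1) pairs; a pair is free only when
    # nothing on record overlaps any part of it.
    for pair in block.subnets(new_prefix=prefix - 1):
        if any(pair.overlaps(t) for t in taken):
            continue
        first, second = pair.subnets(new_prefix=prefix)
        return str(first), str(second)
    raise RuntimeError(f"{region} block {block} exhausted at /{prefix}")


def capacity(prefix=DEFAULT_VPC_PREFIX):
    """VPCs a region can hold at this prefix once half of each is held back."""
    return 2 ** ((prefix - 1) - REGION_PREFIX)


if __name__ == "__main__":
    # Constructed inventory: us-east-1 already has one VPC plus its reserve.
    held = ["10.16.0.0/16", "10.17.0.0/16"]
    cidr, reserve = allocate("us-east-1", held)
    print("us-east-1 next VPC:", cidr, "reserve:", reserve)
    print("capacity per region at /16:", capacity(), "at /20:", capacity(20))
```

capacity() makes the policy's cost visible: eight /16 VPCs per region, or 128 at /20, which is the number to put in front of a team asking for a /16 "just in case".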
Quarterly review
Quarterly review keeps the IPAM honest. Without it the allocation policy drifts into "we always do it that way," unused VPCs squat on /16s nobody can reclaim, and the address space leaks until a peering negotiation surfaces the mess.
- Reclaim unused allocations. Quarterly sweep of VPCs with no ENIs and no flow-log traffic over the review window. Address space returns to the pool.
- Right-size over-allocated VPCs. Identify /16s carrying /24-sized workloads. A VPC's primary CIDR cannot be shrunk in place, so downsizing means a new, smaller VPC and a migration; schedule it where peering and dependencies allow.
- Flag VPCs approaching capacity. High-utilisation review surfaces expansion candidates before they hit the wall.
- Per-team allocation ownership. Each block has a named owner. Operational reviews actually have someone to ask.
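The four review checks above run over a VPC inventory, as an added example that is not the page's code. The inventory is constructed; in practice the ENI count comes from the cloud API and the traffic figure from flow-log volume over the window. The utilisation and headroom thresholds, and the rule that a block at least two prefix lengths smaller is worth a migration, are assumptions to tune per org.

```python
"""Added example: classify each VPC into reclaim / right-size / expand / assign-owner.

INVENTORY, NEAR_CAPACITY and HEADROOM are constructed assumptions.
"""
import ipaddress

# Constructed inventory: one row per VPC, IPAM record joined with telemetry.
INVENTORY = [
    {"vpc": "vpc-prod-a", "cidr": "10.0.0.0/16", "owner": "payments",
     "enis": 52000, "bytes_90d": 9.1e12},
    {"vpc": "vpc-lab",    "cidr": "10.2.0.0/16", "owner": "platform",
     "enis": 0, "bytes_90d": 0},
    {"vpc": "vpc-tools",  "cidr": "10.4.0.0/16", "owner": "sre",
     "enis": 140, "bytes_90d": 2.3e10},
    {"vpc": "vpc-orphan", "cidr": "10.6.0.0/16", "owner": None,
     "enis": 3, "bytes_90d": 1.2e6},
]

NEAR_CAPACITY = 0.75            # utilisation above which a VPC is an expansion candidate
HEADROOM = 4                    # a right-sized block must still hold 4x the current ENIs
MIN_PREFIX, MAX_PREFIX = 16, 28  # AWS VPC size limits


def fitting_prefix(enis):
    """Longest prefix (smallest block) whose address count still covers enis * HEADROOM.

    Per-subnet reserved addresses are ignored: this is a review heuristic,
    not a capacity plan.
    """
    need = max(enis, 1) * HEADROOM
    prefix = MAX_PREFIX
    while 2 ** (32 - prefix) < need and prefix > MIN_PREFIX:
        prefix -= 1
    return prefix


def classify(row):
    """Actions the review should raise for one VPC, in priority order."""
    net = ipaddress.ip_network(row["cidr"])
    actions = []
    if row["enis"] == 0 and row["bytes_90d"] == 0:
        actions.append("reclaim")
    # Two prefix lengths smaller is a quarter of the space: enough to justify a migration.
    elif fitting_prefix(row["enis"]) >= net.prefixlen + 2:
        actions.append("right-size")
    if row["enis"] / net.num_addresses >= NEAR_CAPACITY:
        actions.append("expand")
    if not row["owner"]:
        actions.append("assign-owner")
    return actions


def review(inventory=INVENTORY):
    """Map each VPC to its actions; VPCs with nothing to do are omitted."""
    out = {}
    for row in inventory:
        acts = classify(row)
        if acts:
            out[row["vpc"]] = acts
    return out


if __name__ == "__main__":
    for vpc, acts in review().items():
        print(f"{vpc}: {', '.join(acts)}")
```

An idle VPC gets "reclaim" and not "right-size": migrating a workload that does not exist is wasted effort, and the address space comes back either way. The ownerless VPC is flagged separately because every other action needs someone to ask.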
Automation
Automation is what makes the policy actually stick. Manual CIDR picks are how the spreadsheet of doom returns by Q3.
- IaC integration. Terraform modules pull allocations from the IPAM. Manual CIDR picks disappear from PRs.
- Auto-allocation for new VPCs. New VPC requests get a policy-conformant CIDR automatically. Drift between intent and reality stops at write time.
- Per-allocation audit log. Every request captures requester, reason, ticket. Operational reviews and security audits have the data they need.
- Quarterly drift detection. Reconcile the IPAM's records against the VPC CIDRs actually present in each account and region, secondary CIDRs included. Surfaces unmanaged CIDRs before they become legacy, and stale records before they block a valid allocation.
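The reconciliation step above for one region, as an added example that is not the page's code. Both inputs are constructed: the first list stands in for the IPAM export, the second for what the cloud API reports per account (primary and secondary CIDRs per VPC). Account and VPC ids are placeholders.

```python
"""Added example: IPAM-vs-reality reconciliation for one region.

IPAM_RECORDS and DESCRIBED are constructed samples; nothing is queried.
"""

# Constructed: what the IPAM of record believes is allocated in eu-west-1.
IPAM_RECORDS = [
    {"account": "111111111111", "vpc": "vpc-aaa", "cidr": "10.0.0.0/16"},
    {"account": "111111111111", "vpc": "vpc-bbb", "cidr": "10.2.0.0/16"},
    {"account": "222222222222", "vpc": "vpc-ccc", "cidr": "10.4.0.0/16"},
    # Deleted last quarter, record never closed.
    {"account": "222222222222", "vpc": "vpc-ddd", "cidr": "10.6.0.0/16"},
]

# Constructed: the VPCs actually present, as the API reports them.
DESCRIBED = [
    # Secondary CIDR attached by hand, never recorded.
    {"account": "111111111111", "vpc": "vpc-aaa", "cidrs": ["10.0.0.0/16", "10.1.0.0/16"]},
    {"account": "111111111111", "vpc": "vpc-bbb", "cidrs": ["10.2.0.0/16"]},
    # vpc-ccc was torn down and recreated with the same CIDR under a new id.
    {"account": "222222222222", "vpc": "vpc-eee", "cidrs": ["10.4.0.0/16"]},
    # Created outside the workflow with a CIDR from outside the pool.
    {"account": "222222222222", "vpc": "vpc-fff", "cidrs": ["192.168.50.0/24"]},
]


def reconcile(ipam, described):
    """Three kinds of drift, each a sorted list of (account, cidr) keys.

    unmanaged:  a CIDR in use that the IPAM has no record of
    stale:      an IPAM record for a CIDR no longer in use
    mismatched: the same CIDR on both sides, bound to a different VPC id
    """
    recorded = {(r["account"], r["cidr"]): r["vpc"] for r in ipam}
    live = {(v["account"], c): v["vpc"] for v in described for c in v["cidrs"]}

    unmanaged = sorted(k for k in live if k not in recorded)
    stale = sorted(k for k in recorded if k not in live)
    mismatched = sorted(k for k in recorded.keys() & live.keys()
                        if recorded[k] != live[k])
    return {"unmanaged": unmanaged, "stale": stale, "mismatched": mismatched}


if __name__ == "__main__":
    for kind, keys in reconcile(IPAM_RECORDS, DESCRIBED).items():
        for account, cidr in keys:
            print(f"{kind:<10} {account} {cidr}")
```

The mismatched bucket is the one a plain set difference misses: the CIDR is where the IPAM says it is, but the VPC behind it is not the one the audit log attributes the allocation to, so the record's requester, reason and ticket no longer describe reality.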