The need for a next-generation IP Address Management (IPAM) solution has become critical. Today’s leading platforms were architected in a different era—built on centralized, appliance-based systems designed for static, on-premises networks. These legacy solutions are expensive to license, cumbersome to upgrade, and tightly controlled by vendors that make migration intentionally difficult. Integrations are often customized and brittle, forcing organizations to retain large engineering teams or pay for premium support just to maintain operational continuity. This white paper proposes a modern, cloud-native alternative designed around the real-world needs customers have voiced for years. It offers an open, scalable, and SaaS-ready approach to IPAM—one that simplifies DNS and DHCP management, reduces reliance on vendor professional services, and empowers customers to retain full ownership of their data. If the solution no longer fits, you can export your configuration and move on—no penalties, no friction. It’s time to replace complexity and cost with clarity and control. I want to emphasize that this solution does not exist today, but is a vision of what customers want and need based on years of feedback. It is by no means complete and is a work in progress with welcome input from the community.

This white paper outlines a modern, SaaS-based, microservices-driven IPAM system designed for multi-cloud environments and built with AI-powered automation, migration, and discovery capabilities.
1. Key Features
– Cloud-native SaaS architecture with microservices
– Support for overlapping IP spaces and multi-tenancy
– Distributed, fault-tolerant database (e.g., CockroachDB, YugabyteDB)
– Integration with AWS, Azure, GCP for DNS/DHCP and discovery
– Use of AI agents for configuration migration and automated discovery
– REST API and modern Web UI for automation and control
– SNMP discovery and integration with open source DNS (BIND, CoreDNS) and DHCP (ISC Kea)
2. AI Use Cases
– Parsing and migrating legacy DDI systems into new schemas
– Automated discovery of IP space and assets across hybrid environments
– Intent-based commands to simplify network management
3. Security & Automation
– OAuth2 and LDAP for authentication and RBAC
– TLS and rate-limited APIs for secure automation
– Event-driven webhooks for CI/CD integration
4. Architecture Overview

5. Cost Efficiency
– Reduced infrastructure via cloud-native scaling
– Elimination of vendor lock-in using open source DNS/DHCP
– AI automation reduces manual overhead
6. Extended DNS/DHCP Integration
– Native integration with Microsoft DNS and DHCP servers for hybrid environments.
– DNS record deployment across both cloud-native services (Route 53, Azure DNS, GCP DNS) and traditional DNS servers (BIND, PowerDNS, CoreDNS, Microsoft DNS).
– DHCP option templates to configure multiple servers simultaneously without manual replication.
– DNS templates for standardized deployment of zone files and configurations across fleets of servers.
– Support for Response Policy Zones (RPZ) to apply content filtering or threat intelligence policies.
– Redundant primary DNS setups supported, with scalable secondary DNS across on-prem and cloud environments.
– Where cloud DNS does not support secondary servers, the system can ingest cloud DNS data and deploy copies to on-prem redundant servers.
7. Recommended Open Source DNS
For scalability, ease of integration, and cloud compatibility, the most effective open source DNS servers include:
– **CoreDNS**: Highly modular, supports service discovery, metrics, and dynamic configuration; ideal for Kubernetes/cloud environments.
– **PowerDNS**: Scalable and feature-rich with built-in support for APIs, DNSSEC, RPZ, and SQL/NoSQL backends.
– **BIND 9**: Highly compatible and widely supported, with mature RPZ and DNSSEC support, though less modern in management interface.
Among these, **CoreDNS** is generally the most scalable and lightweight for modern cloud-native infrastructure, while **PowerDNS** offers the richest feature set and better integration capabilities.
8. Security Architecture and Encryption Standards
– All database content is encrypted at rest using AES-256 or equivalent encryption, ensuring compliance with modern data protection standards.
– All communication between microservices, including internal APIs and database queries, is encrypted using mTLS (mutual TLS).
– The public-facing web service and API endpoints are only available over HTTPS with TLS 1.3 support and automatic certificate renewal (e.g., via Let’s Encrypt or cloud-native solutions).
– All API calls require authentication via OAuth 2.0, and token scopes control access levels.
– Logs and audit trails are securely transmitted and stored with encryption and tamper detection.
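The scope and tenant checks described above, as an added example (not code from the white paper or from any existing product). The scope names, endpoint paths and the `org_id` claim are assumptions; the paper only states that OAuth 2.0 token scopes control access levels. The example also shows the multi-tenant isolation rule from section 1: a valid scope is not enough, the token's tenant must own the resource.

```python
import time
from dataclasses import dataclass

# Constructed scope map for the IPAM REST API. The scope names and paths are
# hypothetical: the white paper only states that OAuth 2.0 token scopes
# control access levels, not what the scopes are called.
ENDPOINT_SCOPES = {
    ("GET", "/subnets"): {"ipam:read"},
    ("POST", "/subnets"): {"ipam:write"},
    ("POST", "/dns/records"): {"dns:write"},
    ("POST", "/terminal/sessions"): {"terminal:admin"},
}


@dataclass(frozen=True)
class TokenClaims:
    subject: str       # "sub" claim: the calling user or service
    org_id: str        # tenant the token was issued for (assumed claim name)
    scopes: frozenset  # granted scopes, parsed from the space-separated "scope" claim


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int        # HTTP status the gateway would return
    reason: str


def claims_from_payload(payload, now=None):
    """Turn an already signature-verified token payload into TokenClaims.

    Signature verification is assumed to happen upstream (in the API Gateway);
    this function only checks the claims the authorization decision relies on.
    """
    now = time.time() if now is None else now
    for claim in ("sub", "org_id", "scope", "exp"):
        if claim not in payload:
            raise ValueError(f"token is missing required claim: {claim}")
    if payload["exp"] <= now:
        raise ValueError("token has expired")
    # RFC 6749 scope values are space-delimited strings.
    return TokenClaims(payload["sub"], payload["org_id"], frozenset(payload["scope"].split()))


def authorize(claims, method, path, resource_org_id):
    """Decide whether `claims` may call `method path` on a resource owned by `resource_org_id`.

    Two independent checks: the token must carry every scope the endpoint
    requires, and the token's tenant must own the resource. The tenant
    mismatch is reported as 404 rather than 403 so a caller cannot use the
    status code to confirm that another tenant's object exists.
    """
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return Decision(False, 404, "unknown endpoint")
    missing = required - claims.scopes
    if missing:
        return Decision(False, 403, "missing scope(s): " + ", ".join(sorted(missing)))
    if claims.org_id != resource_org_id:
        return Decision(False, 404, "resource not found in this tenant")
    return Decision(True, 200, "ok")


if __name__ == "__main__":
    # Constructed sample payload (what a verified access token might decode to).
    payload = {"sub": "alice", "org_id": "org-a", "scope": "ipam:read dns:write", "exp": time.time() + 600}
    claims = claims_from_payload(payload)
    print(authorize(claims, "GET", "/subnets", "org-a"))
    print(authorize(claims, "POST", "/subnets", "org-a"))
    print(authorize(claims, "GET", "/subnets", "org-b"))
```

The scope check and the tenant check are deliberately separate so that a token with broad scopes in one organization still cannot reach objects of another organization; that is the property a multi-tenant IPAM has to hold regardless of how scopes are named.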
9. Remote Server Terminal Access Feature
– The system includes an optional secure web-based terminal feature that allows administrators to initiate terminal sessions directly to DNS or DHCP servers (excluding cloud-native services like Route 53 or Azure DNS).
– These sessions are initiated via a browser-based terminal emulator embedded in the web UI.
– Connections are authenticated using pre-stored SSH keys with strict RBAC controls to prevent unauthorized access.
– Session logging is available to ensure auditability, and timeout policies can be enforced for inactive sessions.
– Terminal access is restricted to users with elevated privileges and can be disabled per policy or tenant configuration.
10. Recommended Encrypted Database for Scalability and Redundancy
Based on the need for built-in encryption, strong consistency, and multi-cloud support, CockroachDB is the top recommendation for the IPAM platform.
– AES-256 encryption at rest (native)
– TLS and mTLS encryption for all internal traffic
– Multi-node write support using Raft consensus
– Self-healing and automatic replication
– Fully SQL-compatible with PostgreSQL wire protocol
– Natively supported on AWS, Azure, and GCP, as well as Kubernetes
11. IPAM Microservices Architecture Breakdown
The following microservices are proposed for the next-generation IPAM system, each deployable as an independent container/service for scalability and fault isolation:
– **API Gateway**: Handles external REST API traffic, enforces rate limiting, authentication, and API versioning.
– **Authentication Service**: Manages OAuth2, LDAP integration, token issuance, and user sessions.
– **UI Frontend**: Single-page application (SPA) served over HTTPS, interacts exclusively with the REST API.
– **IP Management Service**: Handles IP allocation, reservation, subnet management, and tracking.
– **DNS Management Service**: Manages DNS zones, records, templates, and deploys configurations to on-prem or cloud DNS.
– **DHCP Management Service**: Handles pools, options, templates, and syncs with DHCP servers like ISC Kea or Microsoft.
– **Discovery Service**: Cloud-native discovery (AWS, Azure, GCP), SNMP-based device discovery, and resource inventory.
– **Migration/Import Service**: Parses and imports from legacy systems like Infoblox, BlueCat, phpIPAM.
– **Config Deployment Service**: Pushes validated configuration templates to remote DNS/DHCP servers asynchronously.
– **Terminal Proxy Service**: Secure web terminal proxy to access remote servers via SSH with stored keys.
– **Monitoring & Telemetry**: Collects metrics, health checks, system logs, and exports to Prometheus/Grafana.
– **Audit Logging Service**: Tracks all API usage, configuration changes, terminal sessions, and writes to tamper-evident logs.
– **Webhook/Event Bus**: Triggers external systems or pipelines based on defined event conditions.
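One way to give the Audit Logging Service the "tamper-evident" property that sections 8 and 11 call for, as an added example (not code from the white paper): each entry carries an HMAC over its own fields plus the MAC of the previous entry, so editing, reordering or deleting an entry in the middle breaks the chain. The field names and the idea of keeping the audit key in a vault rather than next to the entries are assumptions of this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first entry in a chain


def _canonical(body):
    # Stable serialisation so the same entry always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only audit log where each entry is HMAC-bound to its predecessor.

    `key` is the audit service's own secret (assumed to live in a KMS or
    vault, never in the database alongside the entries).
    """

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, actor, action, target, details=None, ts=None):
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "details": details or {},
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, mac=mac)
        self.entries.append(entry)
        return entry


def verify_chain(entries, key, expected_last_mac=None):
    """Return (ok, bad_seq); bad_seq is the first entry that fails, or None.

    Recomputing each MAC catches edits to any field; checking `prev` and `seq`
    catches reordering or deletion in the middle. Deleting entries from the
    *end* is invisible to the chain itself, so the caller should also pass the
    last MAC it recorded out-of-band (e.g. the value last shipped to the SIEM).
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i
        prev = entry["mac"]
    if expected_last_mac is not None and prev != expected_last_mac:
        return False, len(entries)
    return True, None


if __name__ == "__main__":
    # Constructed sample events, not real audit data.
    log = AuditLog(b"constructed-demo-key")
    log.append("alice", "dns.record.create", "zone:example.test", {"type": "A"})
    log.append("bob", "subnet.update", "subnet:10.0.5.0/24", {"utilization": "91%"})
    print(verify_chain(log.entries, b"constructed-demo-key"))
```

When the log is exported monthly (section 12), ship the last MAC with the export; the archive can then be verified independently of the live database, and a truncated live log is caught by comparing against the exported anchor.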
12. Logging, Audit, and Upgrade Management
– All system components (DNS, DHCP, IPAM, API services) support user-configurable logging using the Syslog standard format.
– Logs can be directed to external destinations (e.g., SIEM, syslog collectors, or cloud-native logging platforms) via user-defined policies.
– The IPAM platform integrates a built-in AI log analysis engine that continuously monitors logs, detects anomalies, parses error/warning messages, and provides recommended actions or links to knowledge base articles.
– A dedicated audit service tracks every change to configuration, users, and system settings. Each entry is stored in a secure, queryable audit database with the following characteristics:
  – Exportable monthly
  – Automatically purged after a retention period
  – Archived logs remain searchable in separate audit archives
– The main application supports full export/import of system and configuration data to enable seamless upgrades or migrations.
– As a SaaS platform, upgrades are performed in place using blue-green or canary deployment patterns to minimize downtime.
– A rollback mechanism is embedded into the system, allowing administrators to revert the database schema and configuration to a known good state if necessary.
13. Recommended User Interface Design for Scalability
To effectively manage and configure large-scale DNS/DHCP/IP infrastructure, the UI must emphasize usability, performance, and data clarity.
Recommended design principles include:
– Use a modular dashboard with collapsible panels for navigation and filtering large datasets.
– Implement dynamic tables with virtual scrolling, infinite load, and server-side filtering.
– Allow customizable views and saved searches for different operational roles.
– Use tag-based filtering, advanced sorting, and quick search boxes for rapid access.
– Provide multi-tab or split-view interfaces to enable managing multiple contexts (e.g., different subnets or DNS zones) simultaneously.
– Offer in-line editing for records and templated wizards for complex configurations.
– Use color-coded alerts, hover tooltips, and badges to highlight audit changes or system warnings.
– Incorporate real-time charts and counters (via WebSockets) for DHCP leases, DNS updates, and system load.
– Integrate breadcrumb navigation, a global search bar, and keyboard shortcuts for power users.
14. Displaying Overlapping and Distributed Network Address Space
The IPAM platform includes a dynamic interface to visualize all allocated network space across clouds and on-premises environments. Each subnet is represented in context-specific views, allowing users to clearly understand deployment status and potential conflicts.
Overlapping subnets are grouped by ‘deployment context’ such as cloud provider, site, or purpose (e.g., Dev, Prod, Test). The interface provides visual indicators for overlap, conflict detection in deployable platforms, and real-time utilization metrics.
Below is an example chart showing simulated utilization data across different contexts and deployment platforms:

Key display features:
– Color-coded bars for utilization levels (green: unique, red: overlapping)
– Hover-over tooltips and click-through details for each CIDR block
– Per-platform and per-region filters to isolate deployable subnets
– Conflict warnings when overlapping subnets are assigned to the same on-prem platform
– Breadcrumb navigation from high-level global map down to specific subnet details
– Subnet inspector pane showing context, usage, history, and deployment target
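The overlap and conflict logic behind the display described above, as an added example (not code from the white paper). It follows the paper's distinction: overlapping address space across different deployable platforms is permitted and merely flagged, while an overlap within the same platform is a conflict. The `Subnet` fields, the platform naming and the sample inventory are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Subnet:
    cidr: str
    context: str   # deployment context: cloud provider, site, or purpose
    platform: str  # concrete deployable target the subnet is assigned to

    @property
    def network(self):
        return ipaddress.ip_network(self.cidr, strict=True)


def group_by_context(subnets):
    """Group subnets the way the UI does, by deployment context."""
    groups = {}
    for s in subnets:
        groups.setdefault(s.context, []).append(s)
    return groups


def find_overlaps(subnets):
    """All pairs whose address ranges intersect, regardless of context."""
    return [(a, b) for a, b in combinations(subnets, 2) if a.network.overlaps(b.network)]


def classify(subnets):
    """Map each subnet to 'unique', 'overlapping' or 'conflict'.

    Overlap across different deployable platforms is allowed (the platform
    supports overlapping IP space) and is only flagged for display; overlap
    within the same platform is a real conflict, because both subnets would
    land in one routing domain.
    """
    status = {s: "unique" for s in subnets}
    conflicts = []
    for a, b in find_overlaps(subnets):
        if a.platform == b.platform:
            status[a] = status[b] = "conflict"
            conflicts.append((a, b))
        else:
            for s in (a, b):
                if status[s] == "unique":  # never downgrade a conflict
                    status[s] = "overlapping"
    return status, conflicts


def summarize(subnets):
    """Counts per status, as a dashboard widget might show them."""
    status, _ = classify(subnets)
    counts = {"unique": 0, "overlapping": 0, "conflict": 0}
    for value in status.values():
        counts[value] += 1
    return counts


# Constructed sample inventory (not real data).
SAMPLE_SUBNETS = [
    Subnet("10.0.0.0/24", "aws/Dev", "aws:us-east-1"),
    Subnet("10.0.0.0/24", "gcp/Dev", "gcp:us-central1"),     # same space, other cloud: allowed
    Subnet("10.0.1.0/24", "onprem/site-A", "onprem:dc1"),
    Subnet("10.0.1.128/25", "onprem/site-A", "onprem:dc1"),  # nested in the previous one: conflict
    Subnet("192.168.10.0/24", "azure/Prod", "azure:eastus"),
]

if __name__ == "__main__":
    status, conflicts = classify(SAMPLE_SUBNETS)
    for context, members in group_by_context(SAMPLE_SUBNETS).items():
        for s in members:
            print(f"{context:14} {s.cidr:18} {s.platform:16} {status[s]}")
    for a, b in conflicts:
        print(f"CONFLICT on {a.platform}: {a.cidr} overlaps {b.cidr}")
```

The pairwise scan is fine for the few thousand subnets a tenant typically holds; for very large inventories the same classification can be done with an interval sweep over sorted network addresses, which is an optimisation, not a change in the rule.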
15. Progressive Configuration Flow and Menu Structure
To enable a clean and scalable user onboarding experience, the IPAM interface is designed with a progressive setup flow. This guides users from organization creation, through cloud/on-prem integrations, down to DNS/DHCP deployments and IP assignments. The interface supports complete abstraction of cloud-specific structures like ‘projects’ (GCP), ‘resource groups’ (Azure), and ‘accounts’ (AWS).
The setup hierarchy and recommended menu structure are outlined below:

Each level in this hierarchy maps directly to a menu section in the IPAM interface. The onboarding flow enforces dependency order (e.g., DNS records cannot be created before IPs and subnets are assigned), while enabling bulk imports and templates to streamline mass configuration.
Recommended Menu Structure
– **System**: Global settings, user and role definitions, access policies, API tokens.
– **Organizations**: Define and manage organizations, map admins, assign regions.
– **Infrastructure**: Connect cloud providers and define on-prem discovery agents.
– **Network Design**: Create and import virtual networks, assign subnets to environments.
– **IP Resources**: Assign, track, or deploy IPs as static or DHCP-managed.
– **DNS Records**: Create DNS records and zones, and deploy them to chosen cloud/on-prem platforms.
– **Servers**: Register DNS and DHCP servers, assign pools/zones, push configuration.
– **Discovery**: Auto-discover IPs, DNS zones, and on-prem devices via SNMP/cloud APIs.
– **Audit & Logs**: Review system activity, track user changes, manage and export logs.
16. Database Schema and Storage Model
The IPAM platform uses a distributed, encrypted relational database system to ensure high availability, consistency, and scalability. All core data objects (users, organizations, IP addresses, DNS zones, DHCP scopes, cloud integrations, etc.) are designed with multi-tenant isolation and can support overlapping address space within logical contexts.
Below is a high-level diagram showing the core entities and their relationships:
Each major component of the system has its own dedicated schema including:
– Organizations and Role-Based Access Control (RBAC)
– Cloud and On-Premise Resource Tracking
– Subnets, IP Pools, Static and DHCP IP Records
– DNS Zones, Records, and Templates
– DHCP Servers, Scopes, and Option Sets
– Audit Logs and AI-Powered Log Insights
– SSH Terminal Sessions and Deployment Jobs
17. AI Recommendation Engine for Network Optimization
The IPAM platform includes a built-in AI Recommendation Engine that provides real-time suggestions for optimizing network design, based on observed configurations across cloud and on-premises infrastructure. This engine analyzes network topology, utilization, server placement, user access patterns, and configuration history to guide admins toward best practices.
Input Factors Considered
– Cloud subnet and DNS/DHCP server deployments
– User and server geographic locations
– On-prem network accessibility via SNMP and topology data
– DNS query volumes and latency distribution
– DHCP lease churn and subnet utilization metrics
– Admin activity patterns and roles
– Address conflicts or fragmentation
– Zone distribution and server proximity
Examples of AI Recommendations
– ‘You are using overlapping 10.0.0.0/24 in AWS and GCP. Consider restructuring by cloud region to avoid deployable conflicts.’
– ‘DNS response latency to European clients can be improved by deploying secondary nodes in Azure EU.’
– ‘Subnet 10.0.5.0/24 is over 90% utilized. Consider allocating an additional /24 for future growth.’
– ‘Multiple DHCP servers are assigned to low-churn pools. Pool size may be reduced by 25%.’
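A deterministic core for two of the recommendation types above (utilization and fragmentation), as an added example rather than code from the white paper; the language-model explanation layer the paper describes would sit on top of output like this. The 90% high-water mark comes from the paper's example; the severity levels, categories, UI link paths and sample data are assumptions. The example also does something the paper's message only implies: it checks whether a free block of the right size actually exists in the parent range before suggesting one.

```python
import ipaddress
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "warning": 1, "info": 2}  # panel sort order


@dataclass(frozen=True)
class SubnetUsage:
    cidr: str
    context: str
    used: int      # addresses currently assigned or leased


@dataclass(frozen=True)
class Recommendation:
    severity: str
    category: str  # conflict | optimization | usage (the panel's categories)
    message: str
    link: str      # deep link into the relevant UI section (constructed path)


def utilization(s):
    net = ipaddress.ip_network(s.cidr)
    # Network and broadcast addresses are not assignable below /31.
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return s.used / usable


def free_blocks(parent, allocated):
    """Free CIDR blocks left in `parent` after carving out `allocated` (sorted)."""
    free = [ipaddress.ip_network(parent)]
    for cidr in allocated:
        net = ipaddress.ip_network(cidr)
        remaining = []
        for blk in free:
            if net.subnet_of(blk):
                remaining.extend(blk.address_exclude(net))  # punch a hole
            elif not blk.subnet_of(net):
                remaining.append(blk)                       # untouched
            # else: blk lies entirely inside net and is consumed
        free = remaining
    return sorted(free)


def recommend(parent, subnets, high_water=0.90):
    recs = []
    free = free_blocks(parent, [s.cidr for s in subnets])
    for s in subnets:
        u = utilization(s)
        if u < high_water:
            continue
        prefix = ipaddress.ip_network(s.cidr).prefixlen
        fit = next((b for b in free if b.prefixlen <= prefix), None)
        if fit is None:
            recs.append(Recommendation("critical", "usage",
                f"Subnet {s.cidr} is {u:.0%} utilized and no free /{prefix} remains in {parent}. "
                f"Consider allocating a larger parent block.",
                f"/network-design/subnets/{s.cidr}"))
        else:
            candidate = fit if fit.prefixlen == prefix else next(fit.subnets(new_prefix=prefix))
            recs.append(Recommendation("warning", "usage",
                f"Subnet {s.cidr} is {u:.0%} utilized. Consider allocating an additional /{prefix} "
                f"for future growth ({candidate} is free in {parent}).",
                f"/network-design/subnets/{s.cidr}"))
    if len(free) > 1:
        largest = min(free, key=lambda b: b.prefixlen)
        recs.append(Recommendation("info", "optimization",
            f"Free space in {parent} is fragmented into {len(free)} blocks "
            f"({', '.join(map(str, free))}); largest contiguous free block is /{largest.prefixlen}.",
            f"/network-design/blocks/{parent}"))
    return sorted(recs, key=lambda r: SEVERITY_RANK[r.severity])


# Constructed sample data (not real utilization figures).
SAMPLE_PARENT = "10.0.0.0/22"
SAMPLE_USAGE = [
    SubnetUsage("10.0.0.0/24", "aws/Dev", 60),
    SubnetUsage("10.0.1.0/25", "aws/Dev", 10),
    SubnetUsage("10.0.2.0/24", "aws/Prod", 240),
]

if __name__ == "__main__":
    for r in recommend(SAMPLE_PARENT, SAMPLE_USAGE):
        print(f"[{r.severity}] {r.category}: {r.message}  -> {r.link}")
```

Keeping the numeric rules separate from the natural-language layer matters for a security-relevant control plane: an operator can audit exactly why a suggestion appeared, and the "deploy as draft config" action can be gated on the deterministic result rather than on generated text.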
Recommendation Panel Interface
Recommendations are presented in a dedicated UI panel that supports sorting by severity, category (conflict, optimization, usage), and the ability to take action (e.g., acknowledge, dismiss, deploy as a draft config). Each suggestion includes a natural language explanation powered by a language model, along with a link to the relevant part of the system for rapid response.

Conclusion
This white paper outlines a vision for a next-generation, customer-centric IPAM solution that is cloud-native, open, and scalable. It addresses the limitations of legacy systems by offering a modern approach grounded in automation, extensibility, and user freedom. However, building such a solution requires more than a vision—it demands industry support, collaboration, and investment. As this document continues to evolve based on real-world feedback and technological advances, we invite forward-looking organizations to engage, contribute, and help bring this platform to life. The time for a better IPAM solution is now—and the opportunity for those willing to build it is significant.
Basic preliminary table creation
The DDL below is written in the PostgreSQL dialect that CockroachDB (the database recommended in section 10) understands; STRING is CockroachDB's alias for TEXT. The statements are ordered so the script runs top to bottom: referenced tables are created before the tables that reference them, and the two template foreign keys are added in section 6 once the template tables exist.
1. IP Address and Device Metadata
Stores all assigned IP addresses, associated devices, metadata, and relationships.
```sql
-- Assumed minimal subnets table: the draft references subnets(subnet_id) but never
-- defines it. It is added here only so the REFERENCES below resolve; the full subnet
-- schema from section 16 is still to be written.
CREATE TABLE subnets (
    subnet_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    cidr INET NOT NULL,
    created_at TIMESTAMPTZ DEFAULT now()
);

-- devices is created before ip_addresses because ip_addresses references it.
CREATE TABLE devices (
    device_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    name VARCHAR(255),
    type VARCHAR(100), -- router, VM, switch, etc.
    manufacturer VARCHAR(100),
    os_version VARCHAR(100),
    location VARCHAR(255),
    cloud_provider VARCHAR(50), -- aws, azure, gcp, onprem
    created_at TIMESTAMPTZ DEFAULT now()
);

CREATE TABLE ip_addresses (
    ip_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    ip_address INET NOT NULL,
    subnet_id UUID REFERENCES subnets(subnet_id),
    mac_address MACADDR, -- PostgreSQL type; CockroachDB has no MACADDR, use STRING there
    hostname VARCHAR(255),
    device_id UUID REFERENCES devices(device_id),
    assigned_at TIMESTAMPTZ DEFAULT now(),
    status VARCHAR(20) DEFAULT 'active'
);
```
2. DNS Zones and Parameters
Stores forward and reverse zones, zone templates, and DNS records.
```sql
CREATE TABLE dns_zones (
    zone_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    name VARCHAR(255) NOT NULL,
    zone_type VARCHAR(20), -- 'forward' or 'reverse'
    dns_template UUID,     -- FK to dns_config_templates is added in section 6, once that table exists
    description TEXT,
    created_at TIMESTAMPTZ DEFAULT now()
);

CREATE TABLE dns_records (
    record_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    zone_id UUID NOT NULL REFERENCES dns_zones(zone_id),
    record_type VARCHAR(10), -- A, AAAA, PTR, CNAME, etc.
    name VARCHAR(255),
    value VARCHAR(255),
    ttl INT DEFAULT 3600,
    created_at TIMESTAMPTZ DEFAULT now()
);
```
3. DHCP Configuration
Stores DHCP scopes, leases, and associated templates.
```sql
CREATE TABLE dhcp_scopes (
    scope_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    subnet_id UUID REFERENCES subnets(subnet_id),
    lease_time INT,
    options JSONB,
    dhcp_template UUID,    -- FK to dhcp_config_templates is added in section 6, once that table exists
    created_at TIMESTAMPTZ DEFAULT now()
);

CREATE TABLE dhcp_leases (
    lease_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    ip_id UUID NOT NULL REFERENCES ip_addresses(ip_id),
    device_id UUID REFERENCES devices(device_id),
    lease_start TIMESTAMPTZ,
    lease_end TIMESTAMPTZ,
    mac_address MACADDR, -- see note on ip_addresses.mac_address
    status VARCHAR(20) DEFAULT 'active'
);
```
4. Application Settings and Preferences
Stores application-level and user-specific customization options.
```sql
CREATE TABLE app_settings (
    setting_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    key STRING NOT NULL,
    value JSONB NOT NULL,
    scope STRING NOT NULL DEFAULT 'global' -- 'global' or 'user'
);

CREATE TABLE user_preferences (
    preference_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id UUID NOT NULL,
    key STRING NOT NULL,
    value JSONB NOT NULL,
    updated_at TIMESTAMPTZ DEFAULT now()
);
```
5. Credential and Key Management
Stores credential references for SSH, cloud APIs, and DNS providers. Only a reference to the secret is stored; the secret material itself stays in the external secret store.
```sql
CREATE TABLE credentials (
    cred_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    name STRING NOT NULL,
    type STRING NOT NULL, -- 'ssh', 'cloud_api', 'dns_api'
    provider STRING,
    secret_ref STRING NOT NULL, -- pointer into the vault/KMS, never the secret itself
    usage_scope STRING,
    created_by UUID,
    created_at TIMESTAMPTZ DEFAULT now()
);
```
6. DNS and DHCP Templates
Stores reusable configuration templates for DNS and DHCP.
```sql
CREATE TABLE dns_config_templates (
    template_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    name STRING NOT NULL,
    config_type STRING NOT NULL,
    content JSONB NOT NULL,
    version INT DEFAULT 1,
    created_at TIMESTAMPTZ DEFAULT now()
);

CREATE TABLE dhcp_config_templates (
    template_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    name STRING NOT NULL,
    config_type STRING NOT NULL,
    content JSONB NOT NULL,
    version INT DEFAULT 1,
    created_at TIMESTAMPTZ DEFAULT now()
);

-- Foreign keys deferred from sections 2 and 3 so that the script runs top to bottom.
ALTER TABLE dns_zones
    ADD CONSTRAINT dns_zones_template_fk FOREIGN KEY (dns_template) REFERENCES dns_config_templates(template_id);
ALTER TABLE dhcp_scopes
    ADD CONSTRAINT dhcp_scopes_template_fk FOREIGN KEY (dhcp_template) REFERENCES dhcp_config_templates(template_id);

CREATE TABLE server_config_assignments (
    assignment_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    server_type STRING NOT NULL, -- selects which template table template_id points into
    server_id UUID NOT NULL,
    template_id UUID NOT NULL,
    assigned_at TIMESTAMPTZ DEFAULT now()
);
```
7. Monitoring and Alerts
Stores alert thresholds and generated system alerts.
```sql
CREATE TABLE system_alerts (
    alert_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    type STRING NOT NULL,
    severity STRING NOT NULL,
    message STRING NOT NULL,
    component STRING,
    component_id UUID,
    resolved BOOL DEFAULT false,
    created_at TIMESTAMPTZ DEFAULT now(),
    resolved_at TIMESTAMPTZ
);

CREATE TABLE alert_thresholds (
    threshold_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    metric STRING NOT NULL,
    "limit" INT NOT NULL, -- quoted: LIMIT is a reserved word in PostgreSQL and CockroachDB
    alert_level STRING NOT NULL
);
```
8. Import and Export History
Tracks data import and export operations for migration and backup.
```sql
CREATE TABLE import_sessions (
    import_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    source_type STRING NOT NULL,
    status STRING DEFAULT 'pending',
    summary JSONB,
    started_at TIMESTAMPTZ,
    completed_at TIMESTAMPTZ
);

CREATE TABLE export_snapshots (
    snapshot_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id UUID NOT NULL,
    export_type STRING NOT NULL,
    location STRING NOT NULL,
    created_by UUID,
    created_at TIMESTAMPTZ DEFAULT now()
);
```