APNIC · BGP · ASN · PI Space

Own Your Internet Identity
Public IP Subnet & BGP Routing for Indian Enterprises

Stop renting IP addresses from your ISP. Get your own provider-independent IP block from APNIC, announce it via BGP through multiple ISPs, and achieve true ISP independence with zero-downtime failover.

Learn About IPv4

ISP-Dependent IPs = Vendor Lock-in

Most Indian enterprises use IP addresses assigned by their ISP. These are Provider Aggregated (PA) addresses — they belong to the ISP, not to you. The moment you switch providers, every public IP changes.

That means updating every DNS record, every firewall rule, every VPN endpoint, every partner whitelist, every SPF/DKIM record. Your email sender reputation — built over years — resets to zero because it was tied to the ISP's IP block, not yours.

Worse, a single ISP connection means a single point of failure. When that link goes down, your entire internet presence goes dark — websites, email, VPN, SaaS access, everything.

Zero
Failover with Single ISP
100%
Downtime During ISP Migration
Days
To Update DNS/Firewall After IP Change
Permanent
IP Reputation Loss Risk

What is Provider Independent (PI) IP Space?

The difference between renting someone else's addresses and owning your own.

Provider Independent (PI) IP space is allocated directly to your organisation by a Regional Internet Registry (RIR) — in India's case, APNIC (Asia Pacific Network Information Centre). Unlike PA (Provider Aggregated) addresses that your ISP assigns you, PI addresses belong to you. You can announce them via any ISP using BGP.

The minimum globally routable block size is a /24 (256 IP addresses). This is the smallest prefix that most ISPs and transit providers will accept into their BGP routing tables. Larger allocations — /23, /22, /21 — are available based on justified need.

Once you have PI space and an ASN (Autonomous System Number), you are no longer tied to any ISP. You can peer with multiple providers, switch ISPs without changing a single IP, and control your own routing policy.

Attribute PA (ISP-Assigned) PI (Your Own)
OwnershipISP owns IPsYou own IPs
PortabilityLost on ISP changeStays with you forever
MultihomingNot possibleAnnounce via 2+ ISPs
FailoverManual / DNS-basedAutomatic via BGP
IP ReputationTied to ISPTied to your org
Routing ControlISP decidesYou decide (BGP policy)

BGP: The Protocol That Runs the Internet

Every packet on the internet reaches its destination because of BGP. Here is what it does for your enterprise.

What BGP Does

BGP (Border Gateway Protocol) is how networks on the internet tell each other "I can reach these IP addresses." When you get your own ASN and IP block, you use BGP to announce your addresses to your ISPs. Those ISPs propagate the announcement to the global routing table — and the entire internet now knows how to reach your IPs, through your chosen ISPs.

ASN: Your Routing Identity

An Autonomous System Number (ASN) is your unique identity on the internet's routing plane. It tells other networks "this is who is announcing this IP block." APNIC allocates 32-bit ASNs to Indian organisations. Your ASN appears in every BGP route announcement and is visible in global routing databases — it is your organisation's identity on the internet backbone.

Multihoming

Announce your /24 (or larger) block via two or more ISPs simultaneously. Both ISPs advertise your prefix to the internet. If ISP-A's link goes down, BGP detects the failure (typically within seconds), withdraws the route via ISP-A, and all traffic automatically flows through ISP-B. No DNS changes, no manual intervention, no downtime visible to your users.

Traffic Engineering

BGP gives you granular control over how traffic enters and leaves your network. Use AS path prepending to make one ISP preferred over another. Set local preference to control outbound path selection. Use BGP communities to signal upstream providers. Route specific destination prefixes via specific ISPs — for example, cloud traffic via the ISP with direct peering to AWS/Azure.

5 Key Benefits of Owning Your IP Space

Why enterprises with critical internet-facing infrastructure invest in PI space and BGP.

ISP Independence

Switch ISPs without changing a single IP address, DNS record, firewall rule, or VPN configuration. Your IP space travels with you — the ISP is just a transport pipe.

Automatic Failover

BGP detects link failure and reroutes traffic to the surviving ISP within seconds. No manual DNS failover, no TTL wait times, no operator intervention required.

Traffic Engineering

Control inbound and outbound traffic paths with AS path prepending, local preference, MED, and BGP communities. Route cloud traffic via peered ISPs for lower latency.

IP Reputation Control

Your email deliverability, DNS reputation, and security posture are tied to your own IP block — not shared with or dependent on your ISP's address space.

DDoS Mitigation

During a volumetric DDoS attack, swing your prefix announcement to a scrubbing centre or DDoS mitigation provider. Clean traffic returns to you — without changing any infrastructure.

Who Needs Their Own IP Subnet & BGP?

Any organisation where internet downtime or IP address change has serious business consequences.

Universities

10,000+ concurrent users, eduroam federation, research network peering (NKN/ERNET), multiple campus links. Universities are natural BGP multihoming candidates — many already have APNIC allocations through NKN.

BFSI

RBI mandates business continuity and disaster recovery for banking infrastructure. BGP multihoming with automatic failover is the standard approach for ensuring uninterrupted access to internet banking, payment gateways, and SWIFT connectivity.

Hospitals & Healthcare

Patient portals, telemedicine platforms, ABHA/ABDM health data exchange, lab integration systems. Internet downtime in healthcare directly impacts patient care. BGP failover ensures continuous availability of critical health IT systems.

SaaS & Hosting

Customer-facing SaaS applications, web hosting, and managed service providers cannot tolerate ISP dependency. Own your IP block, maintain consistent reverse DNS, and guarantee uptime SLAs with BGP multihoming.

Manufacturing & OT

SCADA and ICS systems often have hardcoded IP dependencies in PLC configurations, HMI systems, and historian databases. Changing public IPs in an OT environment is a plant shutdown event. PI space eliminates that risk entirely.

Government

GeM procurement portals, e-governance platforms, and citizen-facing services require sovereign network control. Government entities can obtain PI space through NIC/NKN or directly from APNIC for complete routing independence.

APNIC Process for Indian Enterprises

Getting your own IP block and ASN from APNIC is a structured process. Here is exactly what it involves.

1

Apply to APNIC

Apply for APNIC membership directly or through a sponsoring LIR (Local Internet Registry). Direct membership gives you full control over your allocations and WHOIS records. Sponsoring LIR route is simpler for organisations that only need a single /24.

2

Get ASN Allocated

APNIC allocates a 32-bit ASN to your organisation. You need to demonstrate that you will peer with at least two upstream ISPs (multihoming justification). The ASN is your permanent routing identity.

3

Get IP Space Allocated

Apply for a /24 (256 IPs) at minimum — this is the smallest prefix accepted in the global BGP table. Justify your addressing plan based on current and projected need. Larger blocks (/23, /22) are available with documented justification.

4

Create Route Objects in APNIC WHOIS (IRR)

Register route objects in the Internet Routing Registry (IRR) database. These objects tell the world which ASN is authorized to originate your IP prefix — critical for ISPs that filter routes based on IRR data.

5

Configure BGP Peering with Your ISPs

Establish eBGP sessions with each upstream ISP. Announce your /24 prefix with your ASN as origin. Configure inbound and outbound route policies — prefix filters, AS path prepending, local preference — to control traffic flow.

6

Sign Up for RPKI (Route Origin Validation)

Create ROA (Route Origin Authorization) records in APNIC's RPKI system. This cryptographically signs your route announcements, preventing BGP hijacking — where someone else announces your prefix. RPKI is now considered mandatory for any serious BGP deployment.

~₹1.2L/yr
APNIC Membership Fee
2–4 Weeks
Typical Allocation Timeline
3 Documents
Company registration, network diagram, addressing plan

Implementation Requirements

What you need to deploy BGP multihoming in your network.

BGP-Capable Router or Firewall

FortiGate appliances support full BGP with route maps, prefix lists, and communities — combining next-gen firewall, SD-WAN, and BGP router in a single appliance. Alternatively, dedicated routers from Cisco, Juniper, or Arista.

Minimum 2 ISP Connections with Diverse Paths

Two ISP links from different providers, ideally entering your building through different physical paths (separate fibre entries, or one fibre + one wireless). Path diversity is what gives BGP failover its reliability.

LOA (Letter of Authorization)

A signed Letter of Authorization from the IP space holder (you) to each ISP, authorizing them to accept and propagate your BGP prefix announcement. Standard document — Ogma provides templates.

Route Objects in IRR Database

Registered route objects in APNIC's IRR that document the mapping between your IP prefix and your ASN. Required by most transit providers for route acceptance.

RPKI Certificates for Route Security

ROA (Route Origin Authorization) records that cryptographically prove your ASN is authorized to announce your prefix. Prevents BGP hijacking and is increasingly required by major transit providers worldwide.

Frequently Asked Questions

Common questions from Indian enterprises evaluating PI space and BGP deployment.

A /24 (256 IP addresses) is the minimum prefix length accepted by most ISPs and transit providers in the global BGP routing table. Anything smaller — /25 or below — will be filtered out by the majority of networks and will not be globally routable. If you need fewer than 256 IPs, you can still use a /24 and allocate only what you need internally.

APNIC membership fees are tiered by allocation size and paid as a flat annual membership — there is no per-IP recurring charge. The fee covers ASN and IP allocation, WHOIS database maintenance, IRR registration, and RPKI certificates. Share your target prefix size and Ogma will return the current APNIC tier fee plus our consulting estimate within 2 hours.

Yes. FortiGate runs full BGP including eBGP and iBGP, route maps, prefix lists, AS path manipulation, community tagging, BFD (Bidirectional Forwarding Detection) for sub-second failure detection, and graceful restart. FortiGate is particularly well-suited because it combines NGFW, SD-WAN, and BGP routing in a single appliance — eliminating the need for a separate dedicated router in front of or behind the firewall.

Default BGP hold time is 90 seconds (with keepalive at 30 seconds), meaning a peer failure is detected in about 90 seconds. However, with BFD (Bidirectional Forwarding Detection) enabled — which FortiGate supports — failure detection drops to sub-second (typically 150-300 milliseconds). Combined with BGP convergence, total failover time is typically 1-3 seconds with BFD, or 90-180 seconds with default BGP timers.

Not necessarily. Once BGP is properly configured and tested, it is largely stable and self-managing. Route announcements and failover happen automatically. However, you do need someone who understands BGP for initial deployment, policy changes, ISP additions, and troubleshooting. Ogma provides ongoing managed services for organisations that prefer to outsource BGP operations.

PA (Provider Aggregated) space is assigned to you by your ISP from their larger allocation. If you leave that ISP, you lose those IPs. PI (Provider Independent) space is allocated directly to your organisation by the RIR (APNIC for India). You own it, you control it, and you can announce it via any ISP using BGP. PI space is portable and permanent — it stays with your organisation regardless of which ISPs you use.

Ready to Own Your IP Space?

Ogma handles the entire process — APNIC application, ASN allocation, IP space procurement, IRR registration, RPKI setup, and BGP configuration on your firewall. From application to live BGP peering, typically within 4 weeks.