How to determine the IP ranges of AWS services for security groups

Amazon on Mobile Device

This post will show you how to determine the IP address ranges of Amazon Web Services (or AWS) services. Knowing the IP address range will enable you to allow/deny access to these AWS services by using (amongst other) security groups. Setting the permitted IP ranges for a security group is an essential part of tightening security.

YouTube player

What are the AWS security groups?

AWS Security groups are virtual firewalls that help to control network traffic. For example, you could have a security group that only allow traffic into the group from a specific IP address. Use Anto’s Public IP tool to determine your current IP. You could also deny traffic to a range of IP addresses.

The problem with using IP addresses

IP addresses change! Imagine a service such as AWS S3. The AWS S3 service is a global service. There are perhaps thousands of S3 servers globally, all waiting for the next request. Today the IP address will be ‘x’ and tomorrow it could be ‘y’. Which one IP or IP range do you add to your security group?

It is for this reason that we want to use the DNS name instead. DNS automatically resolves the latest new IP address. Unfortunately, you cannot use a DNS name with security groups, so you must set an IP address. Thus, we need to look up the IP address and update it when it changes. AWS owns many IP addresses, so you may want to automate the update process. (Anto has a script for that!)

Lookup the current IP address ranges for AWS services

AWS publishes its current IP address ranges for all its services in JSON format. You can reference this JSON file here at Alternatively, use the AWS IP ranges tool from Anto, if the JSON file is confusing. Finally, read this helpful document about the AWS IP ranges.

The IP range list provided by AWS is a very comprehensive list, and it includes all the IP addresses for all the AWS services. The services include, but are not limited too S3, EC2, Route53 Health Checks and more. Furthermore, it contains the IP v4 and IP v6 ranges.

Apply the IP range to your security group

Take the following steps to apply your IP address range to your security group:

  1. Navigate to your EC2 dashboard in the AWS management console.
  2. Then click on the ‘security groups’ menu item in the ‘network security’ section.
  3. Select your security group and click on the inbound or outbound tab.
  4. Click on the edit button and then add your IP address range as well as the rule type and port range.

See an example below of editing an inbound IP range. You may need to add multiple rules and edit the outbound rules. The configuration depends on what you are trying to achieve. Read the following doc for more information: using-network-security.

You may also be interested in

About the Authors

Anto's editorial team loves the cloud as much as you! Each member of Anto's editorial team is a Cloud expert in their own right. Anto Online takes great pride in helping fellow Cloud enthusiasts. Let us know if you have an excellent idea for the next topic! Contact Anto Online if you want to contribute.

Support the Cause

Support Anto Online and buy us a coffee. Anything is possible with coffee and code.

Buy me a coffee

About Anto Online

Having started his career in 1999 as a Desktop Support Engineer, Anto soon changed paths and became a developer. After several years of development experience, he transitioned into a consultant. As an enterprise application consultant for a leading SaaS software provider, Anto specializes in AWS's serverless technologies. By day, Anto focuses on helping customers leverage the power of serverless technologies. By night, he indulges his passion for cloud computing by playing with Python and trying out things that are currently beyond the scope of his work. Sometimes Anto needs help as there are not enough hours at night. So Anto relies on a team of fellow Cloud enthusiasts to help him out. Each one is a Cloud expert in their own right, and Anto takes great pride in helping them learn and grow.

View all posts by Anto Online →

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.