This post will show you how to determine the IP address ranges of Amazon Web Services (AWS) services. Knowing the IP address ranges lets you allow or restrict access to these AWS services by using (amongst other mechanisms) security groups. Setting the permitted IP ranges for a security group is an essential part of tightening security.
What are the AWS security groups?
AWS security groups are virtual firewalls that control network traffic to and from EC2 instances and other resources. For example, you could have a security group that only allows inbound traffic from a specific IP address. Use Anto’s Public IP tool to determine your current IP. Note that security group rules are allow rules only: anything that is not explicitly allowed is dropped, and there is no way to write a deny rule. If you need to explicitly block a range of IP addresses, that is a job for a network ACL, not a security group.
The problem with using IP addresses
IP addresses change! Imagine a service such as Amazon S3. S3 has endpoints in every region, served by a large and changing pool of servers, all waiting for the next request. Today the IP address will be ‘x’ and tomorrow it could be ‘y’. Which IP or IP range do you add to your security group?
It is for this reason that we would rather use the DNS name: DNS resolves to the current IP address automatically. Unfortunately, you cannot use a DNS name in a security group rule, so you must set an IP address or CIDR range. Thus, we need to look up the published ranges and update the rules when they change. AWS owns a great many ranges and changes them regularly, so you may want to automate the update process. (Anto has a script for that!) Two caveats: a single service in one region can publish more prefixes than the default quota of 60 rules per security group allows, and for S3 and DynamoDB AWS provides managed prefix lists that a security group rule can reference directly, which avoids the problem entirely for those two services.
Lookup the current IP address ranges for AWS services
AWS publishes the current IP address ranges for all its services in JSON format at https://ip-ranges.amazonaws.com/ip-ranges.json. Each entry in the file carries the prefix, the region, the service name (such as S3, EC2 or AMAZON) and a network border group; the file also carries a syncToken that changes on every publish, which is a convenient way to detect updates. Alternatively, use the AWS IP ranges tool from Anto if the JSON file is confusing. Finally, read the helpful AWS document about the AWS IP ranges.
The list provided by AWS is comprehensive: it includes the ranges for all AWS services, including, but not limited to, S3, EC2, Route 53 health checks and more. Furthermore, it contains both IPv4 and IPv6 ranges. Note that the AMAZON entries are a superset that includes the ranges of the other services, so filter on the specific service you need rather than on AMAZON.
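The lookup described above, as an added example (this is not Anto’s tool or script): a small Python script that reads ip-ranges.json, keeps only the entries for one service and optionally one region, validates every prefix, and merges adjacent blocks so fewer rules are needed. The sample data embedded in the script is constructed in the shape of the real file using documentation prefixes, not real AWS ranges, so that it runs offline; the live download is a separate function you call when you want the real data.

```python
"""Select AWS prefixes for one service/region from ip-ranges.json.

Added example, not Anto's tool: the file format is AWS's, the sample data
below is made up, and the network fetch is only used when you call it.
"""
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the real file's shape (documentation prefixes, not
# real AWS ranges) so the example runs offline.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25",    "region": "eu-west-1", "service": "S3",     "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.128/25",  "region": "eu-west-1", "service": "S3",     "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2",    "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "S3",     "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    ],
})


def fetch_ip_ranges(url=IP_RANGES_URL, timeout=10):
    """Download the live file (HTTPS, so the publisher is authenticated by TLS)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def sync_token(ip_ranges_text):
    """AWS changes syncToken on every publish; store it and re-run only when it differs."""
    return json.loads(ip_ranges_text)["syncToken"]


def select_prefixes(ip_ranges_text, service, region=None):
    """Return (ipv4_cidrs, ipv6_cidrs) for a service, optionally limited to a region.

    Each prefix is parsed with ipaddress, so a malformed entry raises instead
    of being copied into a firewall rule. Adjacent blocks are merged, which
    reduces the number of security-group rules needed for the same coverage.
    """
    data = json.loads(ip_ranges_text)

    def wanted(entry):
        return entry["service"] == service and (region is None or entry["region"] == region)

    v4 = [ipaddress.IPv4Network(e["ip_prefix"]) for e in data.get("prefixes", []) if wanted(e)]
    v6 = [ipaddress.IPv6Network(e["ipv6_prefix"]) for e in data.get("ipv6_prefixes", []) if wanted(e)]
    return ([str(n) for n in ipaddress.collapse_addresses(v4)],
            [str(n) for n in ipaddress.collapse_addresses(v6)])


if __name__ == "__main__":
    # Live use: text = fetch_ip_ranges(); the offline demo uses the sample.
    text = SAMPLE_IP_RANGES
    print("syncToken", sync_token(text))
    for cidr in sum(select_prefixes(text, "S3", "eu-west-1"), []):
        print(cidr)
```

With the sample data, selecting S3 in eu-west-1 returns the two /25 blocks merged into 192.0.2.0/24 plus the one IPv6 /48; selecting EC2 in eu-west-1 returns only 198.51.100.0/24, even though the same prefix also appears under AMAZON.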
Apply the IP range to your security group
Take the following steps to apply your IP address range to your security group:
- Navigate to your EC2 dashboard in the AWS management console.
- Then click on the ‘Security Groups’ menu item in the ‘Network & Security’ section.
- Select your security group and click on the inbound rules or outbound rules tab.
- Click on the edit button, then add a rule with the type, protocol and port range, and enter your IP address range (in CIDR notation) as the source or destination.
See an example below of editing an inbound IP range. You may need to add multiple rules and edit the outbound rules. Which tab you edit depends on the direction of the traffic: allowing your instances to reach S3 is an outbound rule, while accepting Route 53 health checks is an inbound rule. The configuration depends on what you are trying to achieve. Read the following doc for more information: using-network-security.
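The same change done from code rather than the console, as an added example (not Anto’s script): given the CIDRs you want allowed on one protocol and port and the group’s current rules in the shape that boto3’s describe_security_groups returns under SecurityGroups[n]["IpPermissions"], it works out which CIDRs to authorize and which to revoke, checks the result against the rule quota, and only revokes rules carrying the description it wrote itself, so a hand-made rule on the same port survives. The sample rule set is constructed; the group ID and the MANAGED_TAG description are assumptions for illustration.

```python
"""Reconcile one security-group rule set with a list of AWS prefixes.

Added example, not Anto's script: the rule list has the shape boto3's
describe_security_groups returns under SecurityGroups[n]["IpPermissions"],
and the change is applied with authorize_/revoke_security_group_ingress.
"""
import ipaddress

MANAGED_TAG = "AWS S3 eu-west-1 (managed)"   # assumed description marking rules this script owns

# Constructed sample of a group's inbound rules; not a real group.
CURRENT_RULES = [
    {
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [
            {"CidrIp": "192.0.2.0/24", "Description": MANAGED_TAG},
            {"CidrIp": "198.51.100.0/24", "Description": MANAGED_TAG},    # no longer published
            {"CidrIp": "203.0.113.0/24", "Description": "partner office"},  # hand-made, must stay
        ],
        "Ipv6Ranges": [{"CidrIpv6": "2001:db8:9::/48", "Description": MANAGED_TAG}],
        "PrefixListIds": [], "UserIdGroupPairs": [],
    },
    {   # unrelated port; must be left untouched
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "admin"}],
        "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
    },
]

# CIDRs we want allowed on tcp/443, e.g. the result of filtering ip-ranges.json.
DESIRED = ["192.0.2.0/24", "2001:db8:1::/48"]


def _rule_count(rules):
    """Every CIDR, prefix list or group reference counts as one rule toward the quota."""
    return sum(len(r.get("IpRanges", [])) + len(r.get("Ipv6Ranges", []))
               + len(r.get("PrefixListIds", [])) + len(r.get("UserIdGroupPairs", []))
               for r in rules)


def _present(rules, protocol, from_port, to_port):
    """Map cidr -> description for rules matching exactly this protocol/port range."""
    found = {}
    for r in rules:
        if (r.get("IpProtocol"), r.get("FromPort"), r.get("ToPort")) != (protocol, from_port, to_port):
            continue
        for e in r.get("IpRanges", []):
            found[e["CidrIp"]] = e.get("Description", "")
        for e in r.get("Ipv6Ranges", []):
            found[e["CidrIpv6"]] = e.get("Description", "")
    return found


def plan_changes(rules, desired_cidrs, protocol="tcp", from_port=443, to_port=443, tag=MANAGED_TAG):
    """Return what to add, what to remove, and the rule count after the change."""
    desired = {str(ipaddress.ip_network(c)) for c in desired_cidrs}   # normalise and validate
    present = _present(rules, protocol, from_port, to_port)
    add = sorted(desired - set(present))
    # Only revoke CIDRs this script created; leave hand-made rules alone.
    remove = sorted(c for c, d in present.items() if c not in desired and d == tag)
    return {"add": add, "remove": remove,
            "rules_after": _rule_count(rules) - len(remove) + len(add)}


def within_quota(plan, max_rules=60):
    """Default quota is 60 inbound rules per group; check before calling the API."""
    return plan["rules_after"] <= max_rules


def _permission(cidrs, protocol, from_port, to_port, tag=None):
    """Build one IpPermissions element; Description is only set on rules we create."""
    def entry(key, cidr):
        e = {key: cidr}
        if tag:
            e["Description"] = tag
        return e
    perm = {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port}
    v4 = [entry("CidrIp", c) for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [entry("CidrIpv6", c) for c in cidrs if ipaddress.ip_network(c).version == 6]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return perm


def apply_changes(ec2, group_id, plan, protocol="tcp", from_port=443, to_port=443, tag=MANAGED_TAG):
    """ec2 is boto3.client("ec2"); needs ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress."""
    if not within_quota(plan):
        raise ValueError("change would exceed the security-group rule quota")
    if plan["remove"]:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=[_permission(plan["remove"], protocol, from_port, to_port)])
    if plan["add"]:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=[_permission(plan["add"], protocol, from_port, to_port, tag)])


if __name__ == "__main__":
    plan = plan_changes(CURRENT_RULES, DESIRED)
    print(plan)   # then: apply_changes(boto3.client("ec2"), "sg-0123456789abcdef0", plan)
```

Running the plan against the sample adds 2001:db8:1::/48, removes the two stale managed entries, and leaves both the partner’s 203.0.113.0/24 and the SSH rule alone. For outbound rules (for example instances reaching S3) swap the ingress calls for authorize_security_group_egress and revoke_security_group_egress; the permission structure is the same.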
About the Authors
Anto's editorial team loves the cloud as much as you! Each member of Anto's editorial team is a Cloud expert in their own right. Anto Online takes great pride in helping fellow Cloud enthusiasts. Let us know if you have an excellent idea for the next topic! Contact Anto Online if you want to contribute.