Enterprise Cloud Consultancy in The UK and Europe

AWS Address Range Updates

AWS updates its IP address ranges periodically and you can subscribe to these updates. Whenever there is a change to the AWS IP address ranges, Amazon sends a notification to subscribers of the AmazonIpSpaceChanged topic.

This is important if you have implemented egress control in your VPC that limits access to the AWS service address range.

The ranges are published at https://ip-ranges.amazonaws.com/ip-ranges.json.

For each entry, the JSON file gives the region, the IP range (prefix), the network border group and the service name; this applies to both IPv4 and IPv6 prefixes.

AWS Prefixes

ip_prefix
The public IPv4 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges. For example, prefix 96.127.0.0/17 in the file may be advertised as 96.127.0.0/21, 96.127.8.0/21, 96.127.32.0/19, and 96.127.64.0/18.

Example: "ip_prefix": "198.51.100.2/24"

ipv6_prefix
The public IPv6 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges.

Example: "ipv6_prefix": "2001:db8:1234::/64"

network_border_group
The name of the network border group, which is a unique set of Availability Zones or Local Zones from where AWS advertises IP addresses.

Example: "network_border_group": "us-west-2-lax-1"

region
The AWS Region or GLOBAL for edge locations. The CLOUDFRONT and ROUTE53 ranges are GLOBAL.

Valid values: ap-east-1 | ap-northeast-1 | ap-northeast-2 | ap-northeast-3 | ap-south-1 | ap-southeast-1 | ap-southeast-2 | ca-central-1 | cn-north-1 | cn-northwest-1 | eu-central-1 | eu-north-1 | eu-west-1 | eu-west-2 | eu-west-3 | sa-east-1 | us-east-1 | us-east-2 | us-gov-east-1 | us-gov-west-1 | us-west-1 | us-west-2 | GLOBAL

Example: "region": "us-east-1"

service
The subset of IP address ranges. The addresses listed for API_GATEWAY are egress only. Specify AMAZON to get all IP address ranges (meaning that every subset is also in the AMAZON subset). However, some IP address ranges are only in the AMAZON subset (meaning that they are not also available in another subset).

Type: String

Valid values: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | ROUTE53 | ROUTE53_HEALTHCHECKS | S3 | WORKSPACES_GATEWAYS

Example: "service": "AMAZON"

Parsing the File

On Linux, use the jq tool to parse the file.

# get IPs for a specific region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json

# get IPs for a specific service
$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json

Python

The following Python script shows you how to get the IP addresses that are in the AMAZON list but not the EC2 list. Copy the script and save it in a file named get_ips.py.


#!/usr/bin/env python
import requests

# Download the current published ranges and keep the IPv4 entries ("prefixes").
ip_ranges = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json').json()['prefixes']
amazon_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "AMAZON"]
ec2_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "EC2"]

# Prefixes published under AMAZON that are not also published under EC2.
amazon_ips_less_ec2 = []

for ip in amazon_ips:
    if ip not in ec2_ips:
        amazon_ips_less_ec2.append(ip)

for ip in amazon_ips_less_ec2:
    print(ip)
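The script above prints a one-off list; an egress allow-list built from this file also has to be updated when the AmazonIpSpaceChanged notification fires, and it has to cope with AWS advertising a prefix as more specific routes. The following is an added example, not the page's own script, that diffs two snapshots of the file, checks whether an address falls inside the published prefixes (so a more specific route like 96.127.8.0/21 still matches the file's 96.127.0.0/17), and reproduces the AMAZON-minus-EC2 list with sets. The snapshots are constructed sample data in the file's layout, not real published ranges.

```python
import ipaddress

# Constructed sample snapshots in the layout of ip-ranges.json (IPv4 entries under
# "prefixes", IPv6 entries under "ipv6_prefixes"); not real published data.
def _entry(prefix, service, region="us-east-1"):
    field = "ipv6_prefix" if ":" in prefix else "ip_prefix"
    return {field: prefix, "region": region, "service": service, "network_border_group": region}

OLD_SNAPSHOT = {
    "prefixes": [_entry("96.127.0.0/17", "AMAZON"), _entry("198.51.100.0/24", "AMAZON"),
                 _entry("198.51.100.0/24", "EC2")],
    "ipv6_prefixes": [_entry("2001:db8:1234::/64", "AMAZON")],
}
NEW_SNAPSHOT = {
    "prefixes": OLD_SNAPSHOT["prefixes"] + [_entry("203.0.113.0/24", "AMAZON"), _entry("203.0.113.0/24", "EC2")],
    "ipv6_prefixes": [],  # the IPv6 range was withdrawn in this constructed update
}

def load_prefixes(doc, service, region=None):
    """Networks published for `service`, optionally restricted to one region."""
    nets = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for item in doc.get(key, []):
            if item["service"] == service and (region is None or item["region"] == region):
                nets.append(ipaddress.ip_network(item[field]))
    return nets

def diff_prefixes(old_doc, new_doc, service, region=None):
    """(added, removed) prefixes between two snapshots: the rules an egress allow-list
    must gain and lose when an AmazonIpSpaceChanged notification arrives."""
    old = {str(n) for n in load_prefixes(old_doc, service, region)}
    new = {str(n) for n in load_prefixes(new_doc, service, region)}
    return sorted(new - old), sorted(old - new)

def is_covered(address, nets):
    """True if a host or CIDR lies inside a published prefix. AWS may advertise
    96.127.0.0/17 as more specific routes such as 96.127.8.0/21; those are still
    covered by the /17 in the file, so matching on the file's prefixes is enough."""
    target = ipaddress.ip_network(address, strict=False)
    return any(target.version == n.version and target.subnet_of(n) for n in nets)

def amazon_not_ec2(doc):
    """Prefixes in the AMAZON subset that are not also in EC2 (set-based)."""
    return sorted({str(n) for n in load_prefixes(doc, "AMAZON")} - {str(n) for n in load_prefixes(doc, "EC2")})

if __name__ == "__main__":
    added, removed = diff_prefixes(OLD_SNAPSHOT, NEW_SNAPSHOT, "AMAZON")
    print("added:", added, "removed:", removed)
    print("96.127.8.0/21 covered:", is_covered("96.127.8.0/21", load_prefixes(NEW_SNAPSHOT, "AMAZON")))
```

To run this against the real file, replace the constructed snapshots with the JSON fetched from the URL above, keeping the previous copy on disk so the diff has something to compare against.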