Identifying EC2 Machine IP Ranges
Nowadays, network-edge security is a well-established practice, with firewalls providing IP-based protection in every organization (and in almost every home).
So it doesn't surprise me that I receive the following question quite often from customers and peers: "What is the IP range of my EC2 machines?"
First, the origin of the question
In an on-premises scenario, we usually know beforehand the IP range of the network we are attaching our machine to, and from there we assign it an IP address, either via DHCP or manually. (In a future post, I'll explain why DHCP is so much better, even for servers.)
In EC2, AWS assigns us an IP address via DHCP. This mechanism works just fine, but it doesn't tell us the IP range our machines come from (which would come in handy if we want to group them under a single firewall rule).
Also, in the AWS console, a Security Group rule can use another Security Group as its source, but there is no way to reference EC2 as a whole.
The answer: AWS is multi-tenant, so you don't get a private IP range of your own. The next best thing is to use the entire EC2 IP range.
AWS really managed to hide this information in their discussion board, but here it is (subject to future change), ordered by Region:
US East (N. Virginia):
  216.182.224.0/20 (216.182.224.0 - 216.182.239.255)
  72.44.32.0/19 (72.44.32.0 - 72.44.63.255)
  67.202.0.0/18 (67.202.0.0 - 67.202.63.255)
  75.101.128.0/17 (75.101.128.0 - 75.101.255.255)
  174.129.0.0/16 (174.129.0.0 - 174.129.255.255)
  204.236.192.0/18 (204.236.192.0 - 204.236.255.255)
  184.73.0.0/16 (184.73.0.0 - 184.73.255.255)
  184.72.128.0/17 (184.72.128.0 - 184.72.255.255)
US West (N. California):
  204.236.128.0/18 (204.236.128.0 - 204.236.191.255)
  184.72.0.0/18 (184.72.0.0 - 184.72.63.255)
EU (Ireland):
  79.125.0.0/17 (79.125.0.0 - 79.125.127.255)
Asia Pacific (Singapore):
  175.41.128.0/18 (175.41.128.0 - 175.41.191.255)
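Here is an added example (my own code, not from the original post) that turns the list above into something you can check and use: it recomputes each block's bounds from its CIDR (which is how the dotted ranges can be verified), tells you which region an address falls in, confirms that no two listed blocks overlap, counts how many addresses a rule built from the list would admit, and emits iptables rules for a chosen set of regions. The CIDRs are the post's figures; the region labels, the INPUT chain and port 443 are assumptions for illustration. Since the list is subject to change, treat it as a snapshot (AWS has since published its current ranges as JSON at https://ip-ranges.amazonaws.com/ip-ranges.json).

```python
import ipaddress

# The EC2 public blocks as listed in the post, keyed by region.
# Snapshot only: these are the post's figures, not a live AWS list.
EC2_RANGES = {
    "US East (N. Virginia)": [
        "216.182.224.0/20", "72.44.32.0/19", "67.202.0.0/18", "75.101.128.0/17",
        "174.129.0.0/16", "204.236.192.0/18", "184.73.0.0/16", "184.72.128.0/17",
    ],
    "US West (N. California)": ["204.236.128.0/18", "184.72.0.0/18"],
    "EU (Ireland)": ["79.125.0.0/17"],
    "Asia Pacific (Singapore)": ["175.41.128.0/18"],
}


def cidr_bounds(cidr):
    """Return (first, last) address of a CIDR block as dotted strings.

    strict=True rejects blocks with host bits set, so a mistyped prefix
    raises instead of silently widening the rule.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def ec2_region_for(ip):
    """Return the region whose listed block contains ip, or None if outside EC2."""
    addr = ipaddress.ip_address(ip)
    for region, cidrs in EC2_RANGES.items():
        for cidr in cidrs:
            if addr in ipaddress.ip_network(cidr, strict=True):
                return region
    return None


def overlapping_blocks():
    """Return pairs of listed blocks that overlap (sanity check on the table)."""
    nets = [ipaddress.ip_network(c, strict=True)
            for cidrs in EC2_RANGES.values() for c in cidrs]
    return [(a.with_prefixlen, b.with_prefixlen)
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def total_addresses(regions=None):
    """Number of addresses a firewall rule built from the listed blocks admits."""
    return sum(ipaddress.ip_network(c, strict=True).num_addresses
               for region, cidrs in EC2_RANGES.items()
               if regions is None or region in regions
               for c in cidrs)


def iptables_rules(regions=None, port=443, chain="INPUT"):
    """Emit one iptables ACCEPT rule per listed block, optionally for a subset of regions.

    The chain and port are illustrative defaults (assumed, not from the post).
    """
    rules = []
    for region, cidrs in EC2_RANGES.items():
        if regions is not None and region not in regions:
            continue
        for cidr in cidrs:
            rules.append(
                f"iptables -A {chain} -s {cidr} -p tcp --dport {port} -j ACCEPT  # {region}"
            )
    return rules


if __name__ == "__main__":
    for region, cidrs in EC2_RANGES.items():
        print(region)
        for cidr in cidrs:
            first, last = cidr_bounds(cidr)
            print(f"  {cidr} ({first} - {last})")
    print("overlaps:", overlapping_blocks())
    print("addresses admitted by a rule for all regions:", total_addresses())
    print("\n".join(iptables_rules(regions={"EU (Ireland)"})))
```

The address count is the point of the post's caveat in numbers: a rule that allows "EC2" allows every address any other tenant can launch an instance on, so narrow the rule to the regions you actually use and pair it with authentication at a higher layer.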
A final word of caution
Filtering network traffic by IP is a great first line of defense, but by no means should it be your only one!
Not only could an attack originate from within the EC2 range above (every other EC2 tenant shares it) and thus be falsely "validated" by your firewall rule; IP-based filtering, even when properly configured, has been circumvented in the past, and the knowledge of how to do it again is already out there.
To further control who may initiate network traffic, I strongly advise using SSL coupled with PKI (that is, certificate-based authentication of the client, not just the server), or consider limiting yourself to VPN traffic.