Sometimes it’s handy to know which IP address ranges are used in different AWS Regions. You may want to whitelist access to the AWS endpoints in your region or from the global CloudFront locations, set up some special routing rules, or look up which region a certain IP belongs to.

ip-ranges.json & filter-ip-ranges

AWS publishes an ip-ranges.json file with all that info. But it’s a huge JSON file and not really meant for human consumption, so I wrote a small parser: filter-ip-ranges

It’s a standalone Python program – just download it (or git clone the aws-utils GitHub repository), make it executable (chmod +x filter-ip-ranges) and run it.

If you just run it, it will print all the ranges from all regions and services.

~/aws-utils $ ./filter-ip-ranges
# SERIAL=1545170057
3.0.0.0/15
3.8.0.0/14
3.16.0.0/14
[... 860 more ...]
216.182.232.0/22
216.182.236.0/23
216.182.238.0/23

It’s a good start: the script apparently works and can download and parse the ip-ranges.json file.

How about printing only the prefixes from the Sydney region (ap-southeast-2) with some extra info (-v)?

~/aws-utils $ filter-ip-ranges -v ap-southeast-2
# SERIAL=1545170057
# 1323 prefixes found / 865 prefixes consolidated / 38 prefixes matching
3.104.0.0/14 ap-southeast-2 AMAZON EC2
13.54.63.128/26 ap-southeast-2 CLOUDFRONT
13.55.255.216/29 ap-southeast-2 CODEBUILD
13.210.2.192/26 ap-southeast-2 AMAZON_CONNECT
52.92.52.0/22 ap-southeast-2 AMAZON S3
[...]
54.252.0.0/16 ap-southeast-2 AMAZON EC2
54.252.79.128/26 ap-southeast-2 ROUTE53_HEALTHCHECKS
54.252.254.192/26 ap-southeast-2 ROUTE53_HEALTHCHECKS
54.253.0.0/16 ap-southeast-2 AMAZON EC2
103.8.172.0/22 ap-southeast-2 AMAZON

As we can see, each prefix has some tags – is it used for EC2? S3? CloudFront? Route53 Health Checks?

Let’s see what prefixes are used for S3 in the Sydney region:

~/aws-utils $ ./filter-ip-ranges -v ap-southeast-2 S3
52.92.52.0/22 ap-southeast-2 AMAZON S3
52.95.128.0/21 ap-southeast-2 AMAZON S3
54.231.248.0/22 ap-southeast-2 AMAZON S3
54.231.252.0/24 ap-southeast-2 AMAZON S3

Or maybe you’re after all the CloudFront prefixes around the world to create a whitelist for your firewall?

~/aws-utils $ ./filter-ip-ranges -v CLOUDFRONT
13.32.0.0/15 GLOBAL AMAZON CLOUDFRONT
13.35.0.0/16 GLOBAL AMAZON CLOUDFRONT
13.54.63.128/26 ap-southeast-2 CLOUDFRONT
13.59.250.0/26 us-east-2 CLOUDFRONT
13.113.203.0/24 ap-northeast-1 CLOUDFRONT
[...]

The GLOBAL ones are edge locations; the ones with a region name are, well, in that region.

Looking up IP addresses

Finally, we can check which region a given IP address belongs to, let’s say this blog’s address:

~/aws-utils $ ./filter-ip-ranges -v 13.211.106.115
# SERIAL=1545170057
# 1323 prefixes found / 865 prefixes consolidated / 1 prefixes matching
13.210.0.0/15 ap-southeast-2 AMAZON EC2

Not surprisingly, it’s in the Sydney region, as we can see from the ap-southeast-2 label.

One little issue we see here is that in ip-ranges.json quite a lot is hidden under the EC2 label – even though this blog’s IP is actually an Elastic Load Balancer, the prefix tag is EC2 and not ELB. We can’t do much about it until Amazon labels the prefixes in the JSON file in a more granular way.
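The filtering and lookup shown above can be reproduced in a few lines of Python. This is an added example, not the filter-ip-ranges source: the function names, the rule that all terms must match, and the merging of entries that share a prefix (one way to get rows like "AMAZON EC2") are assumptions, and the sample data is constructed from the output above.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the ip-ranges.json layout; prefixes and tags are taken
# from the output shown above. Real use would json.load() the downloaded file.
SAMPLE = json.loads("""{"prefixes": [
 {"ip_prefix": "13.210.0.0/15", "region": "ap-southeast-2", "service": "AMAZON"},
 {"ip_prefix": "13.210.0.0/15", "region": "ap-southeast-2", "service": "EC2"},
 {"ip_prefix": "52.92.52.0/22", "region": "ap-southeast-2", "service": "AMAZON"},
 {"ip_prefix": "52.92.52.0/22", "region": "ap-southeast-2", "service": "S3"},
 {"ip_prefix": "13.54.63.128/26", "region": "ap-southeast-2", "service": "CLOUDFRONT"},
 {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
 {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
 {"ip_prefix": "13.59.250.0/26", "region": "us-east-2", "service": "CLOUDFRONT"}
]}""")


def consolidate(doc):
    """Merge entries that share (prefix, region) into one row of service tags."""
    merged = defaultdict(set)
    for entry in doc["prefixes"]:
        net = ipaddress.ip_network(entry["ip_prefix"])
        merged[(net, entry["region"])].add(entry["service"])
    return merged


def match_rows(merged, *terms):
    """Rows matching every term; a term is a region, a service tag or an IP."""
    rows = []
    for (net, region), services in merged.items():
        for term in terms:
            try:
                hit = ipaddress.ip_address(term) in net
            except ValueError:  # not an IP address: treat as region or service
                hit = term == region or term.upper() in services
            if not hit:
                break
        else:
            rows.append((str(net), region, " ".join(sorted(services))))
    return sorted(rows, key=lambda r: ipaddress.ip_network(r[0]))


if __name__ == "__main__":
    table = consolidate(SAMPLE)
    for query in (["ap-southeast-2", "S3"], ["CLOUDFRONT"], ["13.211.106.115"]):
        print("#", *query)
        for row in match_rows(table, *query):
            print(*row)
```

A match on an EC2-tagged prefix only says the address sits in AWS address space in that region; those ranges are shared by all AWS customers, so a firewall rule built from them admits every tenant in the range.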

I hope you find this little script handy!