AWS IP Address Ranges
Amazon Web Services (AWS) publishes its current IP address ranges in JSON format. To view the
current ranges, download the .json file. To maintain history, save
successive versions of the .json file on your system. To determine
whether there have been changes since the last time that you saved the file, check the
publication time in the current file and compare it to the publication time in the last file
that you saved.
Download
Download ip-ranges.json
If you access this file programmatically, it is your responsibility to ensure that the application downloads the file only after successfully verifying the TLS certificate presented by the server.
Syntax
The syntax of ip-ranges.json is as follows.
    {
      "syncToken": "0123456789",
      "createDate": "yyyy-mm-dd-hh-mm-ss",
      "prefixes": [
        {
          "ip_prefix": "cidr",
          "region": "region",
          "service": "subset"
        }
      ],
      "ipv6_prefixes": [
        {
          "ipv6_prefix": "cidr",
          "region": "region",
          "service": "subset"
        }
      ]
    }
- syncToken
  The publication time, in Unix epoch time format.
  Type: String
  Example: "syncToken": "1416435608"
- createDate
  The publication date and time.
  Type: String
  Example: "createDate": "2014-11-19-23-29-02"
- prefixes
  The IP prefixes for the IPv4 address ranges.
  Type: Array
- ipv6_prefixes
  The IP prefixes for the IPv6 address ranges.
  Type: Array
- ip_prefix
  The public IPv4 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges. For example, prefix 96.127.0.0/17 in the file may be advertised as 96.127.0.0/21, 96.127.8.0/21, 96.127.32.0/19, and 96.127.64.0/18.
  Type: String
  Example: "ip_prefix": "198.51.100.2/24"
- ipv6_prefix
  The public IPv6 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges.
  Type: String
  Example: "ipv6_prefix": "2001:db8:1234::/64"
- region
  The AWS region or GLOBAL for edge locations. Note that the CLOUDFRONT and ROUTE53 ranges are GLOBAL. You should ignore any values other than the values listed here.
  Type: String
  Valid values: ap-northeast-1 | ap-northeast-2 | ap-south-1 | ap-southeast-1 | ap-southeast-2 | cn-north-1 | eu-central-1 | eu-west-1 | sa-east-1 | us-east-1 | us-gov-west-1 | us-west-1 | us-west-2 | GLOBAL
  Example: "region": "us-east-1"
- service
  The subset of IP address ranges. Specify AMAZON to get all IP address ranges (for example, the ranges in the EC2 subset are also in the AMAZON subset). Note that some IP address ranges are only in the AMAZON subset. You should ignore any values other than the values listed here.
  Type: String
  Valid values: AMAZON | EC2 | CLOUDFRONT | ROUTE53 | ROUTE53_HEALTHCHECKS | S3
  Example: "service": "AMAZON"
Filtering the JSON File
You can download a command line tool to help you filter the information to just what you are looking for.
Windows
The AWS Tools for Windows PowerShell includes a cmdlet, Get-AWSPublicIpAddressRange, to parse this JSON file.
The following examples demonstrate its use. For more information, see
Querying the Public IP Address Ranges for AWS.
Example 1. Get the creation date
    PS C:\> Get-AWSPublicIpAddressRange -OutputPublicationDate

    Thursday, February 18, 2016 5:22:15 PM
Example 2. Get the information for a specific region
    PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1

    IpPrefix        Region      Service
    --------        ------      -------
    23.20.0.0/14    us-east-1   AMAZON
    50.16.0.0/15    us-east-1   AMAZON
    50.19.0.0/16    us-east-1   AMAZON
    ...
Example 3. Get all IP addresses
    PS C:\> (Get-AWSPublicIpAddressRange).IpPrefix

    23.20.0.0/14
    27.0.0.0/22
    43.250.192.0/24
    ...
Linux
The following example commands use the jq tool to parse a local copy of the JSON file.
Example 1. Get the creation date
    $ jq .createDate < ipranges.json

    "2016-02-18-17-22-15"
Example 2. Get the information for a specific region
    $ jq '.prefixes[] | select(.region=="us-east-1")' < ipranges.json

    {
      "ip_prefix": "23.20.0.0/14",
      "region": "us-east-1",
      "service": "AMAZON"
    },
    {
      "ip_prefix": "50.16.0.0/15",
      "region": "us-east-1",
      "service": "AMAZON"
    },
    {
      "ip_prefix": "50.19.0.0/16",
      "region": "us-east-1",
      "service": "AMAZON"
    },
    ...
Example 3. Get all IP addresses
    $ jq -r '.prefixes | .[].ip_prefix' < ipranges.json

    23.20.0.0/14
    27.0.0.0/22
    43.250.192.0/24
    ...
Implementing Egress Control
To allow an instance to access only AWS services, create a security group with rules that allow
outbound traffic to the CIDR blocks in the AMAZON list, minus the CIDR blocks that are
also in the EC2 list.
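The egress rule above, computed as an added example (not AWS code): it builds the outbound allow list from a document in the ip-ranges.json syntax. It goes beyond exact matching by also carving out EC2 blocks that are nested inside a larger AMAZON block. The sample data is constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json syntax (documentation ranges, not AWS data).
SAMPLE = json.loads("""{
  "syncToken": "1416435608", "createDate": "2014-11-19-23-29-02",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-west-2", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/24",    "region": "GLOBAL",    "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24",    "region": "GLOBAL",    "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": []
}""")


def service_networks(doc, service):
    """Return the IPv4 networks listed for one service subset."""
    # strict=False accepts a prefix with host bits set, such as the
    # "198.51.100.2/24" example in the syntax section, and normalizes it.
    return [
        ipaddress.ip_network(p["ip_prefix"], strict=False)
        for p in doc["prefixes"]
        if p["service"] == service
    ]


def egress_allow_list(doc):
    """AMAZON ranges minus every address covered by an EC2 range."""
    ec2 = service_networks(doc, "EC2")
    allowed = []
    for net in service_networks(doc, "AMAZON"):
        remaining = [net]
        for cut in ec2:
            kept = []
            for piece in remaining:
                if piece.subnet_of(cut):
                    continue                      # whole piece is EC2 space
                if cut.subnet_of(piece):
                    kept.extend(piece.address_exclude(cut))
                else:
                    kept.append(piece)            # CIDR blocks do not overlap
            remaining = kept
        allowed.extend(remaining)
    return [str(n) for n in ipaddress.collapse_addresses(allowed)]
```

The returned CIDR strings are what would go into the security group's outbound rules; rerun the computation whenever the file's publication time changes.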
AWS IP Address Ranges Notifications
Whenever there is a change to the AWS IP address ranges, we send notifications to
subscribers of the AmazonIpSpaceChanged topic. The payload
contains information in the following format:
    {
      "create-time": "yyyy-mm-ddThh:mm:ss+00:00",
      "synctoken": "0123456789",
      "md5": "6a45316e8bc9463c9e926d5d37836d33",
      "url": "https://ip-ranges.amazonaws.com/ip-ranges.json"
    }
- create-time
  The creation date and time.
  Notifications could be delivered out of order. Therefore, we recommend that you check the timestamps to ensure the correct order.
- synctoken
  The publication time, in Unix epoch time format.
- md5
  The cryptographic hash value of the ip-ranges.json file. You can use this value to check whether the downloaded file is corrupted.
- url
  The location of the ip-ranges.json file.
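A consumer of these notifications, as an added example (not AWS code): it drops notifications that arrive out of order by comparing create-time values, fetches only from the documented URL, and checks the download against the md5 field before accepting it. The RangeTracker class, the fetch callable and all payload values are hypothetical and constructed so the example runs offline.

```python
import hashlib
import json
from datetime import datetime

URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"


class RangeTracker:
    """Keeps the newest verified copy of ip-ranges.json."""

    def __init__(self, fetch):
        # fetch: hypothetical callable url -> bytes; in real use an HTTPS GET
        # that verifies the server's TLS certificate.
        self.fetch = fetch
        self.latest, self.document = None, None

    def handle(self, message):
        note = json.loads(message)
        if note["url"] != URL:
            return "unexpected-url"       # only fetch from the documented location
        created = datetime.fromisoformat(note["create-time"])
        # Notifications can be delivered out of order: never move backwards.
        if self.latest is not None and created <= self.latest:
            return "stale"
        body = self.fetch(note["url"])
        # md5 detects a corrupted download; it is not an authenticity check.
        if hashlib.md5(body).hexdigest() != note["md5"]:
            return "md5-mismatch"
        self.latest, self.document = created, json.loads(body)
        return "applied"


def notification(body, create_time):
    """Build a constructed payload in the documented format for `body`."""
    return json.dumps({"create-time": create_time, "url": URL,
                       "synctoken": json.loads(body)["syncToken"],
                       "md5": hashlib.md5(body).hexdigest()})


def demo():
    # Constructed file versions; token and date values are samples.
    v1 = b'{"syncToken": "1416435608", "createDate": "2014-11-19-23-29-02", "prefixes": []}'
    v2 = b'{"syncToken": "1455816135", "createDate": "2016-02-18-17-22-15", "prefixes": []}'
    served = {"body": v2}
    tracker = RangeTracker(lambda url: served["body"])
    results = [tracker.handle(notification(v2, "2016-02-18T17:22:15+00:00"))]
    results.append(tracker.handle(notification(v1, "2014-11-19T23:29:02+00:00")))
    served["body"] = v2[:-20]             # simulate a truncated download
    results.append(tracker.handle(notification(v2, "2016-02-19T00:00:00+00:00")))
    return results, tracker.document["syncToken"]
```

After a stale or mismatched notification the tracker keeps the last verified document, so downstream firewall rules are never rebuilt from an older or damaged file.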
If you want to be notified whenever there is a change to the AWS IP address ranges, you can subscribe as follows to receive notifications using Amazon SNS.
To subscribe to AWS IP address range notifications
- Open the Amazon SNS console at https://console.aws.amazon.com/sns/v2/home.
- In the navigation bar, change the region to US East (N. Virginia), if necessary. You must select this region because the SNS notifications that you are subscribing to were created in this region.
- In the navigation pane, choose Subscriptions.
- Choose Create subscription.
- In the Create subscription dialog box, do the following:
  - For Topic ARN, copy the following Amazon Resource Name (ARN):
        arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
  - For Protocol, choose the protocol to use (for example, Email).
  - For Endpoint, type the endpoint to receive the notification (for example, your email address).
  - Choose Create subscription.
- You'll be contacted on the endpoint that you specified and asked to confirm your subscription. For example, if you specified an email address, you'll receive an email message with the subject line AWS Notification - Subscription Confirmation. Follow the directions to confirm your subscription.
Notifications are subject to the availability of the endpoint. Therefore, you might want to check the JSON file periodically to ensure that you've got the latest ranges. For more information about Amazon SNS reliability, see https://aws.amazon.com/sns/faqs/#Reliability.
If you no longer want to receive these notifications, use the following procedure to unsubscribe.
To unsubscribe from AWS IP address ranges notifications
- Open the Amazon SNS console at https://console.aws.amazon.com/sns/v2/home.
- In the navigation pane, choose Subscriptions.
- Select the check box for the subscription.
- Choose Actions, Delete subscriptions.
- When prompted for confirmation, choose Delete.
For more information about Amazon SNS, see the Amazon Simple Notification Service Developer Guide.

