Amazon Route 53
Developer Guide (API Version 2013-04-01)

Configuring Router and Firewall Rules for Amazon Route 53 Health Checks

When Route 53 checks the health of an endpoint, it sends an HTTP, HTTPS, or TCP request to the IP address and port that you specified when you created the health check. For a health check to succeed, your router and firewall rules must allow inbound traffic from the IP addresses that the Route 53 health checkers use. (In Amazon EC2, security groups act as firewalls. For more information, see Amazon EC2 Security Groups in the Amazon EC2 User Guide for Linux Instances.)

For the current list of IP addresses for Route 53 health checkers, for Route 53 name servers, and for other AWS services, see IP Address Ranges of Amazon Route 53 Servers.


When you whitelist IP addresses, whitelist all the IP addresses in the CIDR range for each AWS Region that you specified when you created health checks. You might see that health check requests come from just one IP address in a Region. However, that IP address can change at any time to another of the IP addresses for that Region.
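The following sketch shows how to audit firewall rules against the rule above. It is an added example, not code from this guide, and it assumes the layout of the `ip-ranges.json` file that AWS publishes, in which health checker ranges carry the service value `ROUTE53_HEALTHCHECKS`. The prefixes in the sample are constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# The prefixes are RFC 5737 documentation ranges, not real AWS ranges.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "192.0.2.0/26",    "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS"},
  {"ip_prefix": "192.0.2.64/26",   "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS"},
  {"ip_prefix": "198.51.100.0/26", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS"},
  {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"}
]}
""")


def health_checker_cidrs(ip_ranges, regions):
    """Return every health checker CIDR for the Regions the health check uses."""
    wanted = set(regions)
    return sorted(
        ipaddress.ip_network(p["ip_prefix"])
        for p in ip_ranges["prefixes"]
        if p["service"] == "ROUTE53_HEALTHCHECKS" and p["region"] in wanted
    )


def is_allowed(source_ip, allowed_networks):
    """True if source_ip falls inside any allowed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowed_networks)


def uncovered(current_rules, ip_ranges, regions):
    """Published health checker CIDRs that the existing inbound rules do not fully cover."""
    rules = [ipaddress.ip_network(r) for r in current_rules]
    return [
        net for net in health_checker_cidrs(ip_ranges, regions)
        if not any(r.version == net.version and net.subnet_of(r) for r in rules)
    ]


if __name__ == "__main__":
    # A rule for one observed checker address leaves both us-east-1 ranges uncovered.
    for net in uncovered(["192.0.2.10/32"], SAMPLE_IP_RANGES, ["us-east-1"]):
        print("missing inbound rule for", net)
```

Run against the real file and your own rule set, a non-empty result from `uncovered` means health checks can start failing as soon as the checker moves to another address in the same Region.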