AWS IP address ranges - Amazon Virtual Private Cloud

AWS IP address ranges

AWS publishes its current IP address ranges in JSON format. With this information, you can identify traffic from AWS. You can also use this information to allow or deny traffic to or from some AWS services.

Note
  • Only some AWS service IP address ranges are published in ip-ranges.json; we publish the IP address ranges for services that customers commonly want to perform egress filtering on.

  • Services may use the IP address ranges to communicate with other services or services may use the IP ranges to communicate with a customer network.

To view the current ranges, download the .json file. To maintain history, save successive versions of the .json file on your system. To determine whether there have been changes since the last time that you saved the file, check the publication time in the current file and compare it to the publication time in the last file that you saved.

The IP address ranges that you bring to AWS through bring your own IP addresses (BYOIP) are not included in the .json file.

Alternatively, some services publish their address ranges using AWS-managed prefix lists. For more information, see Available AWS-managed prefix lists.

Download

Download ip-ranges.json.

If you access this file programmatically, it is your responsibility to ensure that the application downloads the file only after successfully verifying the TLS certificate presented by the server.

Syntax

The syntax of ip-ranges.json is as follows.

{ "syncToken": "0123456789", "createDate": "yyyy-mm-dd-hh-mm-ss", "prefixes": [ { "ip_prefix": "cidr", "region": "region", "network_border_group": "network_border_group", "service": "subset" } ], "ipv6_prefixes": [ { "ipv6_prefix": "cidr", "region": "region", "network_border_group": "network_border_group", "service": "subset" } ] }
syncToken

The publication time, in Unix epoch time format.

Type: String

Example: "syncToken": "1416435608"

createDate

The publication date and time, in UTC YY-MM-DD-hh-mm-ss format.

Type: String

Example: "createDate": "2014-11-19-23-29-02"

prefixes

The IP prefixes for the IPv4 address ranges.

Type: Array

ipv6_prefixes

The IP prefixes for the IPv6 address ranges.

Type: Array

ip_prefix

The public IPv4 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges. For example, prefix 96.127.0.0/17 in the file may be advertised as 96.127.0.0/21, 96.127.8.0/21, 96.127.32.0/19, and 96.127.64.0/18.

Type: String

Example: "ip_prefix": "198.51.100.2/24"

ipv6_prefix

The public IPv6 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges.

Type: String

Example: "ipv6_prefix": "2001:db8:1234::/64"

network_border_group

The name of the network border group, which is a unique set of Availability Zones or Local Zones from which AWS advertises IP addresses, or GLOBAL. Traffic for GLOBAL services can be attracted to or originate from multiple (up to all) Availability Zones or Local Zones from which AWS advertises IP addresses.

Type: String

Example: "network_border_group": "us-west-2-lax-1"

region

The AWS Region or GLOBAL. Traffic for GLOBAL services can be attracted to or originate from multiple (up to all) AWS Regions.

Type: String

Valid values: af-south-1 | ap-east-1 | ap-northeast-1 | ap-northeast-2 | ap-northeast-3 | ap-south-1 | ap-south-2 | ap-southeast-1 | ap-southeast-2 | ap-southeast-3 | ap-southeast-4 | ca-central-1 | cn-north-1 | cn-northwest-1 | eu-central-1 | eu-central-2 | eu-north-1 | eu-south-1 | eu-south-2 | eu-west-1 | eu-west-2 | eu-west-3 | me-central-1 | me-south-1 | sa-east-1 | us-east-1 | us-east-2 | us-gov-east-1 | us-gov-west-1 | us-west-1 | us-west-2 | GLOBAL

Example: "region": "us-east-1"

service

The subset of IP address ranges. The addresses listed for API_GATEWAY are egress only. Specify AMAZON to get all IP address ranges (meaning that every subset is also in the AMAZON subset). However, some IP address ranges are only in the AMAZON subset (meaning that they are not also available in another subset).

Type: String

Valid values: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CLOUDFRONT_ORIGIN_FACING | CODEBUILD | DYNAMODB | EBS | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | MEDIA_PACKAGE_V2 | ROUTE53 | ROUTE53_HEALTHCHECKS | ROUTE53_HEALTHCHECKS_PUBLISHING | ROUTE53_RESOLVER | S3 | WORKSPACES_GATEWAYS

Example: "service": "AMAZON"

Range overlaps

The IP address ranges returned by any service code are also returned by the AMAZON service code. For example, all IP address ranges that are returned by the S3 service code are also returned by the AMAZON service code.

When service A uses resources from service B, there are IP address ranges that are returned by the service codes for both service A and service B. However, these IP address ranges are used exclusively by service A, and can't be used by service B. For example, Amazon S3 uses resources from Amazon EC2, so there are IP address ranges that are returned by both the S3 and EC2 service codes. However these IP address ranges are used exclusively by Amazon S3. Therefore, the S3 service code returns all IP address ranges that are used exclusively by Amazon S3. To identify the IP address ranges that are used exclusively by Amazon EC2, find the IP address ranges that are returned by the EC2 service code but not the S3 service code.

Filtering the JSON file

You can download a command line tool to help you filter the information to just what you are looking for.

Windows

The AWS Tools for Windows PowerShell includes a cmdlet, Get-AWSPublicIpAddressRange, to parse this JSON file. The following examples demonstrate its use. For more information, see Querying the Public IP Address Ranges for AWS and Get-AWSPublicIpAddressRange.

Example 1. Get the creation date
PS C:\> Get-AWSPublicIpAddressRange -OutputPublicationDate Wednesday, August 22, 2018 9:22:35 PM
Example 2. Get the information for a specific Region
PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1 IpPrefix Region NetworkBorderGroup Service -------- ------ ------- ------- 23.20.0.0/14 us-east-1 us-east-1 AMAZON 50.16.0.0/15 us-east-1 us-east-1 AMAZON 50.19.0.0/16 us-east-1 us-east-1 AMAZON ...
Example 3. Get all IP addresses
PS C:\> (Get-AWSPublicIpAddressRange).IpPrefix 23.20.0.0/14 27.0.0.0/22 43.250.192.0/24 ... 2406:da00:ff00::/64 2600:1fff:6000::/40 2a01:578:3::/64 2600:9000::/28
Example 4. Get all IPv4 addresses
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix IpPrefix -------- 23.20.0.0/14 27.0.0.0/22 43.250.192.0/24 ...
Example 5. Get all IPv6 addresses
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv6"} | select IpPrefix IpPrefix -------- 2a05:d07c:2000::/40 2a05:d000:8000::/40 2406:dafe:2000::/40 ...
Example 6. Get all IP addresses for a specific service
PS C:\> Get-AWSPublicIpAddressRange -ServiceKey CODEBUILD | select IpPrefix IpPrefix -------- 52.47.73.72/29 13.55.255.216/29 52.15.247.208/29 ...

Linux

The following example commands use the jq tool to parse a local copy of the JSON file.

Example 1. Get the creation date
$ jq .createDate < ip-ranges.json "2016-02-18-17-22-15"
Example 2. Get the information for a specific Region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json { "ip_prefix": "23.20.0.0/14", "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON" }, { "ip_prefix": "50.16.0.0/15", "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON" }, { "ip_prefix": "50.19.0.0/16", "region": "us-east-1", "network_border_group": "us-east-1", "service": "AMAZON" }, ...
Example 3. Get all IPv4 addresses
$ jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json 23.20.0.0/14 27.0.0.0/22 43.250.192.0/24 ...
Example 4. Get all IPv6 addresses
$ jq -r '.ipv6_prefixes | .[].ipv6_prefix' < ip-ranges.json 2a05:d07c:2000::/40 2a05:d000:8000::/40 2406:dafe:2000::/40 ...
Example 5. Get all IPv4 addresses for a specific service
$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json 52.47.73.72/29 13.55.255.216/29 52.15.247.208/29 ...
Example 6. Get all IPv4 addresses for a specific service in a specific Region
$ jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json 34.228.4.208/28
Example 7. Get information for a certain network border group
$ jq -r '.prefixes[] | select(.region=="us-west-2") | select(.network_border_group=="us-west-2-lax-1") | .ip_prefix' < ip-ranges.json 70.224.192.0/18 52.95.230.0/24 15.253.0.0/16 ...

Implementing egress control

To allow resources you've created with one AWS service to only access other AWS services, you can use the IP address range information in the ip-ranges.json file to perform egress filtering. Ensure that the security group rules allow outbound traffic to the CIDR blocks in the AMAZON list. There are quotas for security groups. Depending on the number of IP address ranges in each Region, you might need multiple security groups per Region.

Note

Some AWS services built on EC2 and use EC2 IP address space. If you block traffic to EC2 IP address space, you block traffic to these non-EC2 services as well.

AWS IP address ranges notifications

Whenever there is a change to the AWS IP address ranges, we send notifications to subscribers of the AmazonIpSpaceChanged topic. The payload contains information in the following format:

{ "create-time":"yyyy-mm-ddThh:mm:ss+00:00", "synctoken":"0123456789", "md5":"6a45316e8bc9463c9e926d5d37836d33", "url":"https://ip-ranges.amazonaws.com/ip-ranges.json" }
create-time

The creation date and time.

Notifications could be delivered out of order. Therefore, we recommend that you check the timestamps to ensure the correct order.

synctoken

The publication time, in Unix epoch time format.

md5

The cryptographic hash value of the ip-ranges.json file. You can use this value to check whether the downloaded file is corrupted.

url

The location of the ip-ranges.json file.

If you want to be notified whenever there is a change to the AWS IP address ranges, you can subscribe as follows to receive notifications using Amazon SNS.

To subscribe to AWS IP address range notifications
  1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  2. In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must select this Region because the SNS notifications that you are subscribing to were created in this Region.

  3. In the navigation pane, choose Subscriptions.

  4. Choose Create subscription.

  5. In the Create subscription dialog box, do the following:

    1. For Topic ARN, copy the following Amazon Resource Name (ARN):

      arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
    2. For Protocol, choose the protocol to use (for example, Email).

    3. For Endpoint, type the endpoint to receive the notification (for example, your email address).

    4. Choose Create subscription.

  6. You'll be contacted on the endpoint that you specified and asked to confirm your subscription. For example, if you specified an email address, you'll receive an email message with the subject line AWS Notification - Subscription Confirmation. Follow the directions to confirm your subscription.

Notifications are subject to the availability of the endpoint. Therefore, you might want to check the JSON file periodically to ensure that you've got the latest ranges. For more information about Amazon SNS reliability, see https://aws.amazon.com/sns/faqs/#Reliability.

If you no longer want to receive these notifications, use the following procedure to unsubscribe.

To unsubscribe from AWS IP address ranges notifications
  1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  2. In the navigation pane, choose Subscriptions.

  3. Select the check box for the subscription.

  4. Choose Actions, Delete subscriptions.

  5. When prompted for confirmation, choose Delete.

For more information about Amazon SNS, see the Amazon Simple Notification Service Developer Guide.

Release notes

The following table describes updates to the syntax of ip-ranges.json. We also add new Region codes with each Region launch.

Description Release date
Added the MEDIA_PACKAGE_V2 service code. May 9, 2023
Added the CLOUDFRONT_ORIGIN_FACING service code. October 12, 2021
Added the ROUTE53_RESOLVER service code. June 24, 2021
Added the EBS service code. May 12, 2021
Added the KINESIS_VIDEO_STREAMS service code. November 19, 2020
Added the CHIME_MEETINGS and CHIME_VOICECONNECTOR service codes. June 19, 2020
Added the AMAZON_APPFLOW service code. June 9, 2020
Add support for the network border group. April 7, 2020
Added the WORKSPACES_GATEWAYS service code. March 30, 2020
Added the ROUTE53_HEALTHCHECK_PUBLISHING service code. January 30, 2020
Added the API_GATEWAY service code. September 26, 2019
Added the EC2_INSTANCE_CONNECT service code. June 26, 2019
Added the DYNAMODB service code. April 25, 2019
Added the GLOBALACCELERATOR service code. December 20, 2018
Added the AMAZON_CONNECT service code. June 20, 2018
Added the CLOUD9 service code. June 20, 2018
Added the CODEBUILD service code. April 19, 2018
Added the S3 service code. February 28, 2017
Added support for IPv6 address ranges. August 22, 2016
Initial release November 19, 2014

Learn more