AWS IP address ranges
AWS publishes its current IP address ranges in JSON format. With this information, you can identify traffic from AWS. You can also use this information to allow or deny traffic to or from some AWS services.
Considerations
We publish the IP address ranges for services that customers commonly use to perform egress filtering. We don't publish the IP address ranges for all services.
Services use their IP address ranges to communicate with other services or to communicate with a customer network.
The IP address ranges that you bring to AWS through bring your own IP addresses (BYOIP) are not included in the
.json
file. For more information, see Advertise your address range through AWS in the Amazon EC2 User Guide.
Some services publish their address ranges using AWS-managed prefix lists. For more information, see Available AWS-managed prefix lists.
Download the JSON file
To view the current address ranges, download ip-ranges.json
The following is an example curl command that saves the JSON file to the current directory.
curl -O https://ip-ranges.amazonaws.com/ip-ranges.json
If you access this file programmatically, it is your responsibility to ensure that the application downloads the file only after successfully verifying the TLS certificate presented by the server.
To receive notifications of updates to the JSON file, see AWS IP address ranges notifications.
Egress control
To allow resources you've created with one AWS service to only access other AWS services, you can use the IP address range information in the ip-ranges.json file to perform egress filtering. Ensure that the security group rules allow outbound traffic to the CIDR blocks in the AMAZON list. There are quotas for security groups. Depending on the number of IP address ranges in each Region, you might need multiple security groups per Region.
Note
Some AWS services are built on EC2 and use EC2 IP address space. If you block traffic to EC2 IP address space, you block traffic to these non-EC2 services as well.
Geolocation feed
The IP address ranges in ip-ranges.json
are by AWS Region. However,
a Local Zone is not in the same physical location as its parent Region. The geolocation
data published in geo-ip-feed.csv