AWS IP address ranges
AWS publishes its current IP address ranges in JSON format. With this information, you can identify traffic from AWS. You can also allow or deny traffic to or from specific types of AWS resources.
To view the current ranges, download the .json file. To maintain history, save successive versions of the .json file on your system. To determine whether there have been changes since the last time that you saved the file, check the publication time in the current file and compare it to the publication time in the last file that you saved.
The IP address ranges that you bring to AWS through bring your own IP addresses (BYOIP) are not included in the .json file.
Alternatively, some services publish their address ranges using AWS-managed prefix lists. For more information, see Available AWS-managed prefix lists.
Download
Download ip-ranges.json
If you access this file programmatically, it is your responsibility to ensure that the application downloads the file only after successfully verifying the TLS certificate presented by the server.
Syntax
The syntax of ip-ranges.json is as follows.
{
  "syncToken": "0123456789",
  "createDate": "yyyy-mm-dd-hh-mm-ss",
  "prefixes": [
    {
      "ip_prefix": "cidr",
      "region": "region",
      "network_border_group": "network_border_group",
      "service": "subset"
    }
  ],
  "ipv6_prefixes": [
    {
      "ipv6_prefix": "cidr",
      "region": "region",
      "network_border_group": "network_border_group",
      "service": "subset"
    }
  ]
}
- syncToken
-
The publication time, in Unix epoch time format.
Type: String
Example:
"syncToken": "1416435608"
- createDate
-
The publication date and time, in UTC YY-MM-DD-hh-mm-ss format.
Type: String
Example:
"createDate": "2014-11-19-23-29-02"
- prefixes
-
The IP prefixes for the IPv4 address ranges.
Type: Array
- ipv6_prefixes
-
The IP prefixes for the IPv6 address ranges.
Type: Array
- ip_prefix
-
The public IPv4 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges. For example, prefix 96.127.0.0/17 in the file may be advertised as 96.127.0.0/21, 96.127.8.0/21, 96.127.32.0/19, and 96.127.64.0/18.
Type: String
Example:
"ip_prefix": "198.51.100.2/24"
- ipv6_prefix
-
The public IPv6 address range, in CIDR notation. Note that AWS may advertise a prefix in more specific ranges.
Type: String
Example:
"ipv6_prefix": "2001:db8:1234::/64"
- network_border_group
-
The name of the network border group, which is a unique set of Availability Zones or Local Zones from which AWS advertises IP addresses, or GLOBAL. Traffic for GLOBAL services can be attracted to or originate from multiple (up to all) Availability Zones or Local Zones from which AWS advertises IP addresses.
Type: String
Example:
"network_border_group": "us-west-2-lax-1"
- region
-
The AWS Region or GLOBAL. Traffic for GLOBAL services can be attracted to or originate from multiple (up to all) AWS Regions.
Type: String
Valid values: af-south-1 | ap-east-1 | ap-northeast-1 | ap-northeast-2 | ap-northeast-3 | ap-south-1 | ap-south-2 | ap-southeast-1 | ap-southeast-2 | ap-southeast-3 | ap-southeast-4 | ca-central-1 | cn-north-1 | cn-northwest-1 | eu-central-1 | eu-central-2 | eu-north-1 | eu-south-1 | eu-south-2 | eu-west-1 | eu-west-2 | eu-west-3 | me-central-1 | me-south-1 | sa-east-1 | us-east-1 | us-east-2 | us-gov-east-1 | us-gov-west-1 | us-west-1 | us-west-2 | GLOBAL
Example:
"region": "us-east-1"
- service
-
The subset of IP address ranges. The addresses listed for API_GATEWAY are egress only. Specify AMAZON to get all IP address ranges (meaning that every subset is also in the AMAZON subset). However, some IP address ranges are only in the AMAZON subset (meaning that they are not also available in another subset).
Type: String
Valid values: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CLOUDFRONT_ORIGIN_FACING | CODEBUILD | DYNAMODB | EBS | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | MEDIA_PACKAGE_V2 | ROUTE53 | ROUTE53_HEALTHCHECKS | ROUTE53_HEALTHCHECKS_PUBLISHING | ROUTE53_RESOLVER | S3 | WORKSPACES_GATEWAYS
Example:
"service": "AMAZON"
Range overlaps
The IP address ranges returned by any service code are also returned by the AMAZON service code. For example, all IP address ranges that are returned by the S3 service code are also returned by the AMAZON service code.
When service A uses resources from service B, there are IP address ranges that are returned by the service codes for both service A and service B. However, these IP address ranges are used exclusively by service A, and can't be used by service B. For example, Amazon S3 uses resources from Amazon EC2, so there are IP address ranges that are returned by both the S3 and EC2 service codes. However these IP address ranges are used exclusively by Amazon S3. Therefore, the S3 service code returns all IP address ranges that are used exclusively by Amazon S3. To identify the IP address ranges that are used exclusively by Amazon EC2, find the IP address ranges that are returned by the EC2 service code but not the S3 service code.
Filtering the JSON file
You can download a command line tool to help you filter the information to just what you are looking for.
Windows
The AWS Tools for Windows PowerShell includes a cmdlet, Get-AWSPublicIpAddressRange, to parse this JSON file. The following examples demonstrate its use. For more information, see Querying the Public IP Address Ranges for AWS.
Example 1. Get the creation date
PS C:\> Get-AWSPublicIpAddressRange -OutputPublicationDate
Wednesday, August 22, 2018 9:22:35 PM
Example 2. Get the information for a specific Region
PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1
IpPrefix      Region     NetworkBorderGroup  Service
--------      ------     -------             -------
23.20.0.0/14  us-east-1  us-east-1           AMAZON
50.16.0.0/15  us-east-1  us-east-1           AMAZON
50.19.0.0/16  us-east-1  us-east-1           AMAZON
...
Example 3. Get all IP addresses
PS C:\> (Get-AWSPublicIpAddressRange).IpPrefix
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
2406:da00:ff00::/64
2600:1fff:6000::/40
2a01:578:3::/64
2600:9000::/28
Example 4. Get all IPv4 addresses
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix
IpPrefix
--------
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
Example 5. Get all IPv6 addresses
PS C:\> Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv6"} | select IpPrefix
IpPrefix
--------
2a05:d07c:2000::/40
2a05:d000:8000::/40
2406:dafe:2000::/40
...
Example 6. Get all IP addresses for a specific service
PS C:\> Get-AWSPublicIpAddressRange -ServiceKey CODEBUILD | select IpPrefix
IpPrefix
--------
52.47.73.72/29
13.55.255.216/29
52.15.247.208/29
...
Linux
The following example commands use the jq tool.
Example 1. Get the creation date
$ jq .createDate < ip-ranges.json
"2016-02-18-17-22-15"
Example 2. Get the information for a specific Region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ip-ranges.json
{
  "ip_prefix": "23.20.0.0/14",
  "region": "us-east-1",
  "network_border_group": "us-east-1",
  "service": "AMAZON"
},
{
  "ip_prefix": "50.16.0.0/15",
  "region": "us-east-1",
  "network_border_group": "us-east-1",
  "service": "AMAZON"
},
{
  "ip_prefix": "50.19.0.0/16",
  "region": "us-east-1",
  "network_border_group": "us-east-1",
  "service": "AMAZON"
},
...
Example 3. Get all IPv4 addresses
$ jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
Example 4. Get all IPv6 addresses
$ jq -r '.ipv6_prefixes | .[].ipv6_prefix' < ip-ranges.json
2a05:d07c:2000::/40
2a05:d000:8000::/40
2406:dafe:2000::/40
...
Example 5. Get all IPv4 addresses for a specific service
$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json
52.47.73.72/29
13.55.255.216/29
52.15.247.208/29
...
Example 6. Get all IPv4 addresses for a specific service in a specific Region
$ jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json
34.228.4.208/28
Example 7. Get information for a certain network border group
$ jq -r '.prefixes[] | select(.region=="us-west-2") | select(.network_border_group=="us-west-2-lax-1") | .ip_prefix' < ip-ranges.json
70.224.192.0/18
52.95.230.0/24
15.253.0.0/16
...
Implementing egress control
To allow an instance to access only AWS services, ensure that the security group rules allow outbound traffic to the CIDR blocks in the AMAZON list, minus the CIDR blocks that are also in the EC2 list. IP addresses in the EC2 list can be assigned to EC2 instances.
There are quotas for security groups. Depending on the number of IP address ranges in each Region, you might need multiple security groups per Region.
Windows PowerShell
The following PowerShell example shows you how to get the IP addresses that are in the AMAZON list but not the EC2 list. Copy the script and save it in a file named Select_address.ps1.
$amazon_addresses = Get-AWSPublicIpAddressRange -ServiceKey amazon
$ec2_addresses = Get-AWSPublicIpAddressRange -ServiceKey ec2

ForEach ($address in $amazon_addresses)
{
    if( $ec2_addresses.IpPrefix -notcontains $address.IpPrefix)
    {
        ($address).IpPrefix
    }
}
You can run this script as follows:
PS C:\> .\Select_address.ps1
13.32.0.0/15
13.35.0.0/16
13.248.0.0/20
13.248.16.0/21
13.248.24.0/22
13.248.28.0/22
27.0.0.0/22
43.250.192.0/24
43.250.193.0/24
...
jq
The following example shows you how to get the IP addresses that are in the AMAZON list but not the EC2 list, for all Regions:
jq -r '[.prefixes[] | select(.service=="AMAZON").ip_prefix] - [.prefixes[] | select(.service=="EC2").ip_prefix] | .[]' < ip-ranges.json
52.94.22.0/24
52.94.17.0/24
52.95.154.0/23
52.95.212.0/22
54.239.0.240/28
54.239.54.0/23
52.119.224.0/21
...
The following example shows you how to filter the results to one Region:
jq -r '[.prefixes[] | select(.region=="us-east-1" and .service=="AMAZON").ip_prefix] - [.prefixes[] | select(.region=="us-east-1" and .service=="EC2").ip_prefix] | .[]' < ip-ranges.json
Python
The following Python script shows you how to get the IP addresses that are in the AMAZON list but not the EC2 list. Copy the script and save it in a file named get_ips.py.
#!/usr/bin/env python
import requests

# requests verifies the server's TLS certificate by default
ip_ranges = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json').json()['prefixes']

# IPv4 prefixes published under each service code
amazon_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "AMAZON"]
ec2_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "EC2"]

# Keep the AMAZON prefixes that are not also listed under EC2
amazon_ips_less_ec2 = []
for ip in amazon_ips:
    if ip not in ec2_ips:
        amazon_ips_less_ec2.append(ip)

for ip in amazon_ips_less_ec2:
    print(str(ip))
You can run this script as follows:
$ python ./get_ips.py
13.32.0.0/15
13.35.0.0/16
13.248.0.0/20
13.248.16.0/21
13.248.24.0/22
13.248.28.0/22
27.0.0.0/22
43.250.192.0/24
43.250.193.0/24
...
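The scripts in this section compare prefixes as strings, so an AMAZON prefix that contains a narrower EC2 prefix would stay in the result whole. The following added example (not part of the AWS documentation) goes beyond that comparison and subtracts by address coverage with Python's ipaddress module. The sample document is constructed from documentation address space, the function names are hypothetical, and only IPv4 prefixes are handled.

```python
import ipaddress

# Constructed sample in the ip-ranges.json layout (documentation ranges, not real AWS data).
SAMPLE = {"prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.64/26", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
]}

def nets(doc, service):
    """Collapsed IPv4 networks for one service code (strict=False tolerates host bits)."""
    found = (ipaddress.ip_network(p["ip_prefix"], strict=False)
             for p in doc["prefixes"] if p["service"] == service)
    return list(ipaddress.collapse_addresses(found))

def subtract(allow, deny):
    """Return the parts of `allow` that no network in `deny` covers."""
    result = []
    for net in allow:
        pieces = [net]
        for d in deny:
            remaining = []
            for p in pieces:
                if not p.overlaps(d):
                    remaining.append(p)                      # disjoint: keep unchanged
                elif d != p and d.subnet_of(p):
                    remaining.extend(p.address_exclude(d))   # carve d out of p
                # otherwise p equals d or lies inside it: drop p
            pieces = remaining
        result.extend(pieces)
    return sorted(result)

def amazon_minus_ec2(doc):
    """CIDR blocks covered by AMAZON and by no EC2 prefix, as strings."""
    return [str(n) for n in subtract(nets(doc, "AMAZON"), nets(doc, "EC2"))]

def string_difference(doc):
    """The exact-match comparison used by the scripts above, for contrast."""
    ec2 = {p["ip_prefix"] for p in doc["prefixes"] if p["service"] == "EC2"}
    return [p["ip_prefix"] for p in doc["prefixes"]
            if p["service"] == "AMAZON" and p["ip_prefix"] not in ec2]

if __name__ == "__main__":
    print("\n".join(amazon_minus_ec2(SAMPLE)))
```

On the sample, the string comparison keeps 198.51.100.0/24 even though an EC2 /26 sits inside it, while the coverage-based result splits that block around the EC2 range.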
AWS IP address ranges notifications
Whenever there is a change to the AWS IP address ranges, we send notifications to subscribers of the AmazonIpSpaceChanged topic. The payload contains information in the following format:
{
  "create-time":"yyyy-mm-ddThh:mm:ss+00:00",
  "synctoken":"0123456789",
  "md5":"6a45316e8bc9463c9e926d5d37836d33",
  "url":"https://ip-ranges.amazonaws.com/ip-ranges.json"
}
- create-time
-
The creation date and time.
Notifications could be delivered out of order. Therefore, we recommend that you check the timestamps to ensure the correct order.
- synctoken
-
The publication time, in Unix epoch time format.
- md5
-
The cryptographic hash value of the ip-ranges.json file. You can use this value to check whether the downloaded file is corrupted.
- url
-
The location of the ip-ranges.json file.
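Handling one notification as described above, together with the certificate check required for programmatic downloads, as an added example that is not part of the AWS documentation. The function names, status strings and the sample payload are constructed for illustration.

```python
import hashlib
import json
import ssl
import urllib.request
from datetime import datetime

URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

def fetch(url=URL):
    """Download the file; the default context verifies the certificate chain and host name."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()

def process(note, body, last_time=None):
    """Check one notification against the file body fetched for it.

    Returns (status, newest create-time accepted so far, parsed document or None).
    """
    when = datetime.fromisoformat(note["create-time"])
    if last_time is not None and when <= last_time:
        return "stale", last_time, None           # delivered out of order, or a duplicate
    if hashlib.md5(body).hexdigest() != note["md5"].lower():
        return "md5-mismatch", last_time, None    # corrupted, or not the version announced
    doc = json.loads(body)
    if doc["syncToken"] != note["synctoken"]:
        return "token-mismatch", last_time, None  # file and notification disagree
    return "updated", when, doc

# Constructed sample: a tiny file body and the notification that would announce it.
BODY = json.dumps({"syncToken": "1416435608", "createDate": "2014-11-19-23-29-02",
                   "prefixes": [], "ipv6_prefixes": []}).encode()
NOTE = {"create-time": "2014-11-19T23:29:02+00:00", "synctoken": "1416435608",
        "md5": hashlib.md5(BODY).hexdigest(), "url": URL}

if __name__ == "__main__":
    status, seen, _ = process(NOTE, BODY)   # in production: process(note, fetch(note["url"]), seen)
    print(status, seen)
```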
If you want to be notified whenever there is a change to the AWS IP address ranges, you can subscribe as follows to receive notifications using Amazon SNS.
To subscribe to AWS IP address range notifications
- Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.
- In the navigation bar, change the Region to US East (N. Virginia), if necessary. You must select this Region because the SNS notifications that you are subscribing to were created in this Region.
- In the navigation pane, choose Subscriptions.
- Choose Create subscription.
- In the Create subscription dialog box, do the following:
  - For Topic ARN, copy the following Amazon Resource Name (ARN): arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
  - For Protocol, choose the protocol to use (for example, Email).
  - For Endpoint, type the endpoint to receive the notification (for example, your email address).
  - Choose Create subscription.
- You'll be contacted on the endpoint that you specified and asked to confirm your subscription. For example, if you specified an email address, you'll receive an email message with the subject line AWS Notification - Subscription Confirmation. Follow the directions to confirm your subscription.
Notifications are subject to the availability of the endpoint. Therefore, you might want to check the JSON file periodically to ensure that you've got the latest ranges. For more information about Amazon SNS reliability, see https://aws.amazon.com/sns/faqs/#Reliability
If you no longer want to receive these notifications, use the following procedure to unsubscribe.
To unsubscribe from AWS IP address ranges notifications
- Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.
- In the navigation pane, choose Subscriptions.
- Select the check box for the subscription.
- Choose Actions, Delete subscriptions.
- When prompted for confirmation, choose Delete.
For more information about Amazon SNS, see the Amazon Simple Notification Service Developer Guide.
Release notes
The following table describes updates to the syntax of ip-ranges.json. We also add new Region codes with each Region launch.
Description | Release date |
---|---|
Added the MEDIA_PACKAGE_V2 service code. | May 9, 2023 |
Added the CLOUDFRONT_ORIGIN_FACING service code. | October 12, 2021 |
Added the ROUTE53_RESOLVER service code. | June 24, 2021 |
Added the EBS service code. | May 12, 2021 |
Added the KINESIS_VIDEO_STREAMS service code. | November 19, 2020 |
Added the CHIME_MEETINGS and CHIME_VOICECONNECTOR service codes. | June 19, 2020 |
Added the AMAZON_APPFLOW service code. | June 9, 2020 |
Add support for the network border group. | April 7, 2020 |
Added the WORKSPACES_GATEWAYS service code. | March 30, 2020 |
Added the ROUTE53_HEALTHCHECK_PUBLISHING service code. | January 30, 2020 |
Added the API_GATEWAY service code. | September 26, 2019 |
Added the EC2_INSTANCE_CONNECT service code. | June 26, 2019 |
Added the DYNAMODB service code. | April 25, 2019 |
Added the GLOBALACCELERATOR service code. | December 20, 2018 |
Added the AMAZON_CONNECT service code. | June 20, 2018 |
Added the CLOUD9 service code. | June 20, 2018 |
Added the CODEBUILD service code. | April 19, 2018 |
Added the S3 service code. | February 28, 2017 |
Added support for IPv6 address ranges. | August 22, 2016 |
Initial release | November 19, 2014 |
Learn more
- AMAZON_APPFLOW – IP address ranges
- AMAZON_CONNECT – Set up your network
- CHIME_MEETINGS – Configuring for media and signaling
- CLOUDFRONT – Locations and IP address ranges of CloudFront edge servers
- DYNAMODB – IP address ranges
- EC2 – Public IPV4 addresses
- EC2_INSTANCE_CONNECT – EC2 Instance Connect prerequisites
- GLOBALACCELERATOR – Location and IP address ranges of Global Accelerator edge servers
- ROUTE53_HEALTHCHECKS – IP address ranges of Amazon Route 53 servers
- ROUTE53_HEALTHCHECKS_PUBLISHING – IP address ranges of Amazon Route 53 servers
- WORKSPACES_GATEWAYS – PCoIP gateway servers