I operate a service whose endpoint is restricted by a Security Group to a small set of source addresses, and I wanted to use Route 53 health checks for synthetic monitoring of it. To keep the endpoint restricted while still letting the health checkers reach it, the Security Group has to allow the IP ranges that Route 53 health checks originate from. There turn out to be two ways to obtain those ranges, and they return slightly different sets of prefixes, so I am writing up what I found.
When I looked into the IP ranges of Amazon Route 53 health checks, there were the following two ways to retrieve them.
The first, "json", reads the ip-ranges.json file maintained by AWS (https://ip-ranges.amazonaws.com/ip-ranges.json) and filters it to the ROUTE53_HEALTHCHECKS service. The second, "SDK", calls the Route 53 GetCheckerIpRanges API through the SDK. This time I will use Python and boto3.
$ python --version
Python 3.6.8
$ pip list | grep boto3
boto3 1.13.9
>>> import requests
>>> ip_ranges = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json').json()['prefixes']
>>> route53_ips_json = [item['ip_prefix'] for item in ip_ranges if item["service"] == "ROUTE53_HEALTHCHECKS"]
>>> route53_ips_json
['54.252.254.192/26', '177.71.207.128/26', '54.255.254.192/26', '54.244.52.192/26', '54.251.31.128/26', '54.241.32.64/26', '54.245.168.0/26', '54.232.40.64/26', '54.248.220.0/26', '176.34.159.192/26', '54.252.79.128/26', '54.183.255.128/26', '54.250.253.192/26', '15.177.0.0/18', '54.228.16.0/26', '107.23.255.0/26', '54.243.31.192/26']
>>> len(route53_ips_json)
17
>>> import boto3
>>> client = boto3.client('route53')
>>> route53_ips_sdk = client.get_checker_ip_ranges()
>>> route53_ips_sdk['CheckerIpRanges']
['15.177.2.0/23', '15.177.6.0/23', '15.177.10.0/23', '15.177.14.0/23', '15.177.18.0/23', '15.177.22.0/23', '15.177.26.0/23', '15.177.30.0/23', '15.177.34.0/23', '15.177.38.0/23', '15.177.42.0/23', '15.177.46.0/23', '15.177.50.0/23', '15.177.54.0/23', '15.177.58.0/23', '15.177.62.0/23', '54.183.255.128/26', '54.228.16.0/26', '54.232.40.64/26', '54.241.32.64/26', '54.243.31.192/26', '54.244.52.192/26', '54.245.168.0/26', '54.248.220.0/26', '54.250.253.192/26', '54.251.31.128/26', '54.252.79.128/26', '54.252.254.192/26', '54.255.254.192/26', '107.23.255.0/26', '176.34.159.192/26', '177.71.207.128/26']
>>> len(route53_ips_sdk['CheckerIpRanges'])
32
As shown above, the lists have different lengths (17 via json, 32 via the SDK), so they do not match as-is. The actual difference between them is as follows.
>>> set(route53_ips_json) - set(route53_ips_sdk['CheckerIpRanges'])
{'15.177.0.0/18'}
>>> set(route53_ips_sdk['CheckerIpRanges']) - set(route53_ips_json)
{'15.177.18.0/23', '15.177.2.0/23', '15.177.42.0/23', '15.177.50.0/23', '15.177.34.0/23', '15.177.54.0/23', '15.177.10.0/23', '15.177.6.0/23', '15.177.26.0/23', '15.177.14.0/23', '15.177.46.0/23', '15.177.58.0/23', '15.177.38.0/23', '15.177.62.0/23', '15.177.22.0/23', '15.177.30.0/23'}
In other words, the sixteen /26 prefixes are identical in both sources; the only difference is that the json file summarizes the 15.177.x.x checker space as a single 15.177.0.0/18, while the SDK lists sixteen separate /23 prefixes (15.177.2.0/23 through 15.177.62.0/23), all of which fall inside that /18.
So the IP ranges of Route 53 health checks differ depending on how you retrieve them. The json file gives one large aggregate (15.177.0.0/18), while the SDK returns that same space cut into /23 pieces. Neither is wrong: every SDK /23 lies inside the json /18, so the json list is a strict superset. The trade-off is that allowing the whole /18 also admits the other half of that block, which is AWS address space but is not currently listed as health checker space; the SDK list is tighter but costs 32 rules instead of 17 against the Security Group's rule quota. The GetCheckerIpRanges API reference itself says the call still works but recommends downloading ip-ranges.json instead, and AWS announces changes to ip-ranges.json on the AmazonIpSpaceChanged SNS topic, so either list needs periodic refreshing. Honestly, it is hard to say which one is "correct", but I personally want to reduce Security Group maintenance, so I concluded that taking the larger json ranges is fine for my case.
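To make the comparison above repeatable, here is an added example script (not part of the original post) that embeds the two prefix lists exactly as they appear above, checks containment rather than just string equality, quantifies how many extra addresses the json aggregate admits, and builds the IpPermissions payload for ec2.authorize_security_group_ingress. The fetch_json_prefixes and fetch_sdk_prefixes helpers are live equivalents of the REPL snippets above and are not called by default; the embedded lists are a snapshot from this page and should be re-fetched before use. Only the Python standard library is needed for the offline comparison (boto3 is imported lazily inside the SDK helper).

```python
import ipaddress
import json
import urllib.request
from typing import Dict, Iterable, List

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Snapshot of the two prefix lists shown on this page (ip-ranges.json filtered to
# ROUTE53_HEALTHCHECKS, and GetCheckerIpRanges), embedded so the comparison runs
# offline. Re-fetch with the fetch_* helpers before relying on them.
ROUTE53_IPS_JSON = [
    "54.252.254.192/26", "177.71.207.128/26", "54.255.254.192/26",
    "54.244.52.192/26", "54.251.31.128/26", "54.241.32.64/26",
    "54.245.168.0/26", "54.232.40.64/26", "54.248.220.0/26",
    "176.34.159.192/26", "54.252.79.128/26", "54.183.255.128/26",
    "54.250.253.192/26", "15.177.0.0/18", "54.228.16.0/26",
    "107.23.255.0/26", "54.243.31.192/26",
]
# 15.177.2.0/23, 15.177.6.0/23, ... 15.177.62.0/23 (sixteen /23s) plus the same /26s.
ROUTE53_IPS_SDK = ["15.177.%d.0/23" % i for i in range(2, 63, 4)] + [
    "54.183.255.128/26", "54.228.16.0/26", "54.232.40.64/26", "54.241.32.64/26",
    "54.243.31.192/26", "54.244.52.192/26", "54.245.168.0/26", "54.248.220.0/26",
    "54.250.253.192/26", "54.251.31.128/26", "54.252.79.128/26", "54.252.254.192/26",
    "54.255.254.192/26", "107.23.255.0/26", "176.34.159.192/26", "177.71.207.128/26",
]


def fetch_json_prefixes(url: str = IP_RANGES_URL) -> List[str]:
    """Live equivalent of the requests snippet above, using only the stdlib."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        data = json.load(resp)
    return [p["ip_prefix"] for p in data["prefixes"]
            if p["service"] == "ROUTE53_HEALTHCHECKS"]


def fetch_sdk_prefixes() -> List[str]:
    """Live equivalent of the boto3 snippet above (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline comparison does not need it
    return boto3.client("route53").get_checker_ip_ranges()["CheckerIpRanges"]


def networks(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(p) for p in prefixes]


def not_covered(prefixes: Iterable[str], by: Iterable[str]) -> List[str]:
    """Prefixes in `prefixes` that are not contained in any prefix of `by`.
    Containment is checked on first and last address so it also works on
    Python 3.6, which lacks IPv4Network.subnet_of()."""
    cover = networks(by)
    out = []
    for p in prefixes:
        n = ipaddress.ip_network(p)
        if not any(n.network_address in c and n.broadcast_address in c for c in cover):
            out.append(p)
    return out


def address_count(prefixes: Iterable[str]) -> int:
    return sum(n.num_addresses for n in networks(prefixes))


def compare(json_prefixes: Iterable[str], sdk_prefixes: Iterable[str]) -> Dict[str, object]:
    """Summarise how the two sources differ: literal set differences, whether one
    is a superset of the other, and how many extra addresses that costs."""
    json_prefixes, sdk_prefixes = list(json_prefixes), list(sdk_prefixes)
    result = {
        "only_in_json": sorted(set(json_prefixes) - set(sdk_prefixes)),
        "only_in_sdk": sorted(set(sdk_prefixes) - set(json_prefixes)),
        "sdk_not_covered_by_json": not_covered(sdk_prefixes, json_prefixes),
        "json_not_covered_by_sdk": not_covered(json_prefixes, sdk_prefixes),
    }
    # If every SDK prefix sits inside a JSON prefix, rules built from the JSON list
    # reach every checker plus this many AWS addresses that are not checkers.
    if not result["sdk_not_covered_by_json"]:
        result["json_over_permits"] = address_count(json_prefixes) - address_count(sdk_prefixes)
    return result


def ingress_permissions(prefixes: Iterable[str], port: int, proto: str = "tcp") -> List[Dict]:
    """Build the IpPermissions payload for ec2.authorize_security_group_ingress,
    collapsing adjacent prefixes first so no rule slot is wasted (none collapse
    in the snapshot above, but a refreshed list may differ)."""
    collapsed = ipaddress.collapse_addresses(networks(prefixes))
    return [{
        "IpProtocol": proto,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": str(n), "Description": "Route 53 health checkers"}
                     for n in collapsed],
    }]


if __name__ == "__main__":
    print(json.dumps(compare(ROUTE53_IPS_JSON, ROUTE53_IPS_SDK), indent=2))
```

On the snapshot above, compare() reports that no SDK prefix falls outside the json list, that 15.177.0.0/18 is the only json prefix the SDK list does not cover, and that the json rules admit 8192 more addresses (the unused half of the /18) than the SDK rules. Pass the result of ingress_permissions() as IpPermissions to authorize_security_group_ingress on the Security Group guarding the endpoint, and re-run the comparison whenever ip-ranges.json changes.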