The AWS IP range is different depending on the acquisition method.

Background

I was operating a service and using a Security Group to limit who could reach it. I then wanted to use Route 53 health checks for synthetic monitoring, but to keep the service restricted while it is being monitored, you need the IP range that Route 53 health checks come from. When I looked it up, there are two ways to get that range, and each returns a slightly different set of IPs, so I am sharing what I found.

Acquisition method

When I looked into the IP range of Amazon Route 53 health checks, I found the following two ways to get it:

  1. json
  2. SDK

The first, json, checks the ip-ranges.json file that AWS maintains. The second, SDK, gets the range from the Route 53 SDK. This time I use Python.

Environment

$ python --version
Python 3.6.8
$ pip list | grep boto3
boto3                               1.13.9

Verification

Check the json

>>> import requests
>>> ip_ranges = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json').json()['prefixes']
>>> route53_ips_json = [item['ip_prefix'] for item in ip_ranges if item["service"] == "ROUTE53_HEALTHCHECKS"]
>>> route53_ips_json
['54.252.254.192/26', '177.71.207.128/26', '54.255.254.192/26', '54.244.52.192/26', '54.251.31.128/26', '54.241.32.64/26', '54.245.168.0/26', '54.232.40.64/26', '54.248.220.0/26', '176.34.159.192/26', '54.252.79.128/26', '54.183.255.128/26', '54.250.253.192/26', '15.177.0.0/18', '54.228.16.0/26', '107.23.255.0/26', '54.243.31.192/26']
>>> len(route53_ips_json)
17

Check the SDK

>>> import boto3
>>> client = boto3.client('route53')
>>> route53_ips_sdk = client.get_checker_ip_ranges()
>>> route53_ips_sdk['CheckerIpRanges']
['15.177.2.0/23', '15.177.6.0/23', '15.177.10.0/23', '15.177.14.0/23', '15.177.18.0/23', '15.177.22.0/23', '15.177.26.0/23', '15.177.30.0/23', '15.177.34.0/23', '15.177.38.0/23', '15.177.42.0/23', '15.177.46.0/23', '15.177.50.0/23', '15.177.54.0/23', '15.177.58.0/23', '15.177.62.0/23', '54.183.255.128/26', '54.228.16.0/26', '54.232.40.64/26', '54.241.32.64/26', '54.243.31.192/26', '54.244.52.192/26', '54.245.168.0/26', '54.248.220.0/26', '54.250.253.192/26', '54.251.31.128/26', '54.252.79.128/26', '54.252.254.192/26', '54.255.254.192/26', '107.23.255.0/26', '176.34.159.192/26', '177.71.207.128/26']
>>> len(route53_ips_sdk['CheckerIpRanges'])
32

The difference

As shown above, the lengths of the two lists differ, so the results do not match. The differences are as follows:

>>> set(route53_ips_json) - set(route53_ips_sdk['CheckerIpRanges'])
{'15.177.0.0/18'}
>>> set(route53_ips_sdk['CheckerIpRanges']) - set(route53_ips_json)
{'15.177.18.0/23', '15.177.2.0/23', '15.177.42.0/23', '15.177.50.0/23', '15.177.34.0/23', '15.177.54.0/23', '15.177.10.0/23', '15.177.6.0/23', '15.177.26.0/23', '15.177.14.0/23', '15.177.46.0/23', '15.177.58.0/23', '15.177.38.0/23', '15.177.62.0/23', '15.177.22.0/23', '15.177.30.0/23'}

In other words, the only difference is whether the range is aggregated as 15.177.0.0/18 or listed as the individual /23 blocks inside it.
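The set difference above only shows that the strings differ, not how the two ranges relate as address space. The following is an added example (not part of the original post) that takes the two prefix lists exactly as shown above, checks whether every prefix in one list is covered by the other, and counts how many addresses a Security Group rule would permit beyond what the other list needs. It uses only the standard-library ipaddress module; containment is checked by address membership rather than subnet_of so it also runs on the Python 3.6 shown in the environment section.

```python
import ipaddress

# Prefix lists copied from the json and SDK output on this page.
ROUTE53_IPS_JSON = [
    '54.252.254.192/26', '177.71.207.128/26', '54.255.254.192/26', '54.244.52.192/26',
    '54.251.31.128/26', '54.241.32.64/26', '54.245.168.0/26', '54.232.40.64/26',
    '54.248.220.0/26', '176.34.159.192/26', '54.252.79.128/26', '54.183.255.128/26',
    '54.250.253.192/26', '15.177.0.0/18', '54.228.16.0/26', '107.23.255.0/26',
    '54.243.31.192/26',
]
ROUTE53_IPS_SDK = [
    '15.177.2.0/23', '15.177.6.0/23', '15.177.10.0/23', '15.177.14.0/23',
    '15.177.18.0/23', '15.177.22.0/23', '15.177.26.0/23', '15.177.30.0/23',
    '15.177.34.0/23', '15.177.38.0/23', '15.177.42.0/23', '15.177.46.0/23',
    '15.177.50.0/23', '15.177.54.0/23', '15.177.58.0/23', '15.177.62.0/23',
    '54.183.255.128/26', '54.228.16.0/26', '54.232.40.64/26', '54.241.32.64/26',
    '54.243.31.192/26', '54.244.52.192/26', '54.245.168.0/26', '54.248.220.0/26',
    '54.250.253.192/26', '54.251.31.128/26', '54.252.79.128/26', '54.252.254.192/26',
    '54.255.254.192/26', '107.23.255.0/26', '176.34.159.192/26', '177.71.207.128/26',
]


def to_networks(prefixes):
    """Parse CIDR strings into ip_network objects (strict: host bits must be zero)."""
    return [ipaddress.ip_network(p) for p in prefixes]


def contains(outer, inner):
    """True if `inner` lies entirely inside `outer` (equal networks count as contained)."""
    return (outer.version == inner.version
            and inner.network_address in outer
            and inner.broadcast_address in outer)


def uncovered(prefixes, by):
    """Prefixes from `prefixes` that no single network in `by` fully contains."""
    by_nets = to_networks(by)
    return sorted(str(n) for n in to_networks(prefixes)
                  if not any(contains(b, n) for b in by_nets))


def extra_addresses(allowed, needed):
    """Count addresses that `allowed` permits but `needed` does not require.

    Works because CIDR blocks either nest or are disjoint, so each allowed block
    can be carved down by address_exclude for every needed block inside it.
    """
    needed_nets = list(ipaddress.collapse_addresses(to_networks(needed)))
    total = 0
    for a in to_networks(allowed):
        remaining = [a]
        for n in needed_nets:
            carved = []
            for r in remaining:
                if contains(n, r):
                    continue                      # fully needed: drop it
                if contains(r, n):
                    carved.extend(r.address_exclude(n))  # punch the hole out
                else:
                    carved.append(r)              # disjoint: keep as is
            remaining = carved
        total += sum(r.num_addresses for r in remaining)
    return total


if __name__ == '__main__':
    print('SDK prefixes not covered by json:', uncovered(ROUTE53_IPS_SDK, ROUTE53_IPS_JSON))
    print('json prefixes not covered by SDK:', uncovered(ROUTE53_IPS_JSON, ROUTE53_IPS_SDK))
    print('addresses json allows beyond SDK:', extra_addresses(ROUTE53_IPS_JSON, ROUTE53_IPS_SDK))
    print('addresses SDK allows beyond json:', extra_addresses(ROUTE53_IPS_SDK, ROUTE53_IPS_JSON))
```

Run as a script, it shows that every SDK prefix sits inside the json list (the 16 /23 blocks are all inside 15.177.0.0/18), while the json /18 admits 8192 addresses that the SDK list does not. That is the trade-off behind choosing the aggregated range: fewer Security Group rules to maintain, but a broader source range than the checkers currently use.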

Summary

The IP range of Route 53 health checks differs depending on the acquisition method. The json method gives a large aggregated range, while the SDK returns it split into small blocks. Honestly, I am not sure which one is correct, but since I personally want to reduce Security Group maintenance, I think taking the larger range from json is fine.
