0

I have AWS infrastructure running over AWS ELB (Classic Load Balancer) and EC2.

I need to know the IP range for the AWS ELB in EU (Ireland), Knexusplatform-Live-SaaS-IR-1436765642.eu-west-1.elb.amazonaws.com. What will the ELB IP range be for whitelisting?

I learned from a blog that the nslookup and dig commands can find the IPs associated with an ELB, using the script below:

# IP addresses assigned to the ELB
nslookup Knexusplatform-Live-SaaS-IR-1436765642.eu-west-1.elb.amazonaws.com \
| grep Address | grep 'Address: ' | awk '{ print $2}'
# Output:
176.34.119.175
54.247.161.83

Now I am confused by the questions below:

  1. Will the IPs assigned to the ELB (176.34.119.175, 54.247.161.83) change?
  2. If the IPs change, will the new IPs be in the same CIDR range?
  3. If yes to the 2nd question, is there any Linux tool which can find the CIDR for an IP?

As per this URL, https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html, I found a total of 81 IP ranges with the bash script below:

# Download the published AWS IP address ranges
wget https://ip-ranges.amazonaws.com/ip-ranges.json -O /tmp/ip-ranges.json

# eu-west-1 IP ranges for the AMAZON service
jq -r '.prefixes[] | select(.region=="eu-west-1" and .service=="AMAZON").ip_prefix' \
< /tmp/ip-ranges.json

Ron Maupin
Ramratan Gupta

1 Answer

3

The answer depends on the kind of ELB you are using. If you use an Application Load Balancer, then it can change the underlying IPs at any time. If you use a Network Load Balancer, then you can use static IPs. And apparently it is now possible to chain the two to get the best of both worlds.

So with an ALB, the answer to your first question is "yes, possibly", and the second one "not necessarily", and the third is "yes, with ipcalc for example".

If at all possible, I would really suggest you move from IP white-listing to domain-name filtering on your firewall (or go through an HTTP proxy).

Jeremy Gibbons
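Added example, not part of the original question or answer: a Python sketch of the third question (which published CIDR covers an ELB address) plus a drift check that reports resolved addresses an existing allowlist no longer covers. The function names, the embedded JSON excerpt and the address 176.34.200.10 are constructed for illustration; the prefixes and the two resolved IPs are the ones quoted in the question.

```python
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json; the three prefixes
# appear in the eu-west-1 output quoted in the question.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "176.34.64.0/18",  "region": "eu-west-1", "service": "AMAZON"},
  {"ip_prefix": "176.34.128.0/17", "region": "eu-west-1", "service": "AMAZON"},
  {"ip_prefix": "54.247.0.0/16",   "region": "eu-west-1", "service": "AMAZON"}
]}
""")


def covering_prefixes(ip, ranges, region="eu-west-1", service="AMAZON"):
    """Return the published prefixes that contain ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = set()
    for entry in ranges["prefixes"]:
        if entry["region"] != region or entry["service"] != service:
            continue
        net = ipaddress.ip_network(entry["ip_prefix"])
        if addr in net:
            hits.add(net)
    return sorted(hits, key=lambda n: n.prefixlen, reverse=True)


def audit_allowlist(resolved_ips, allowlist):
    """Return resolved ELB addresses that no allowlisted CIDR covers."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowlist]
    return [ip for ip in resolved_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    resolved = ["176.34.119.175", "54.247.161.83"]  # nslookup output above
    for ip in resolved:
        print(ip, "->", [str(n) for n in covering_prefixes(ip, SAMPLE_IP_RANGES)])

    # Hypothetical allowlist built from the prefixes found above, checked
    # against a constructed later resolution where one node has moved.
    allow = ["176.34.64.0/18", "54.247.0.0/16"]
    later = ["176.34.200.10", "54.247.161.83"]
    print("not covered:", audit_allowlist(later, allow))
```

Run on a schedule against fresh DNS answers, a non-empty `audit_allowlist` result is the signal that the firewall rule has gone stale.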