How can I identify and resolve unwanted health checks from Route 53?

Short description

When you associate health checks with an endpoint, Route 53 sends health check requests to the endpoint IP address to validate that they're operating as intended. An issue can occur if an incorrect IP address is specified, or if a health check isn't updated or deleted when necessary.

Resolution

Identify the source of unwanted requests

1.     Find the source IP address of the unwanted request using the Route 53 IP address ranges. For more information, see "ROUTE53_HEALTHCHECKS" on the IP address ranges of Route 53 servers page.

2.     Check the application server logs to determine whether the request was sent by the Route 53 health check servers. Route 53 health checks set the following HTTP header when performing health checks:

"Amazon-Route53-Health-Check-Service (ref <reference ID/ b5996862-d894-4595-88da-7940808e9665>; report http://amzn.to/1vsZADi)"

Example Application Load Balancer access log:

http 2020-05-12T14:14:25.000265Z app/myapplicationloadbalancer 54.241.32.97:49816 10.0.3.64:80 -1 -1 -1 502 - 241 288 "GET http:// <ALB DNS NAME>:80/ HTTP/1.1" "Amazon-Route53-Health-Check-Service (ref b5996862-d894-4595-88da-7940808e9665; report http://amzn.to/1vsZADi)" - - arn:aws:elasticloadbalancing:us-east-1:<account ID>:targetgroup/mytargetgroup

Example Microsoft Internet Information Services (IIS) access log:

Amazon+Route+53+Health+Check+Service;+ref:b5996862-d894-4595-88da-7940808e9665;+report+http://amzn.to/1vsZADi

Example Apache access log:

54.228.16.1 - - [time] "GET / HTTP/1.1" 403 3839 "-" "Amazon Route 53 Health Check Service; ref:47d9bc51-39d6-4cd9-9a7f-4c981c5db165; report http://amzn.to/1vsZADi"

Example NGINX access log:

NGINX access log entry: 54.232.40.80 - - [time] "GET / HTTP/1.1" 200 3770 "-" "Amazon Route 53 Health Check Service; ref:2e44063d-3b85-47c3-801e-6748cd542386; report http://amzn.to/1vsZADi" "-"

Delete or block the source of unwanted requests

1.    Copy the health check ID from the application service logs.

2.    If the health check is available from your AWS account, update the health check to monitor the intended IP address or domain name. Or, delete the health check if it's no longer required.

If the health check isn't available from your AWS account, block the IP address of the health check. To block the IP address, use firewall rules, security groups, or network access control lists (NACLs).

Important: To report suspected Route 53 health check abuse, see Stop unwanted Amazon Route 53 health checks.

Related information

How can I stop Route 53 health check requests that are sent to my application?