ip-ranges.json has overlapping IP ranges


Refer: ip-ranges

In the ip-ranges file that AWS shares for its publicly accessible IP sets, with the service and region each belongs to, we have seen that the service "AMAZON" has IP ranges overlapping with other services,

{
  "ip_prefix": "3.5.80.0/21",
  "region": "us-west-2",
  "service": "AMAZON",
  "network_border_group": "us-west-2"
}

However, I observed today that EC2 and S3 are both showing the same ip-range:

{
  "ip_prefix": "3.5.80.0/21",
  "region": "us-west-2",
  "service": "S3",
  "network_border_group": "us-west-2"
}
{
  "ip_prefix": "3.5.80.0/21",
  "region": "us-west-2",
  "service": "EC2",
  "network_border_group": "us-west-2"
}

  • I can see an ip-range overlap between S3 and EC2 (ignoring AMAZON); is this expected?
  • Can there be other overlaps where one is EC2 and the other is a PaaS like DynamoDB? (Guess is that EC2s are used to host DynamoDB.)
  • Can there be an overlap between two PaaS like S3 and DynamoDB?
Gourab
asked a year ago, 393 views
1 Answer

A description is available at AWS IP address ranges which states

service

The subset of IP address ranges. The addresses listed for API_GATEWAY are egress only. Specify AMAZON to get all IP address ranges (meaning that every subset is also in the AMAZON subset). However, some IP address ranges are only in the AMAZON subset (meaning that they are not also available in another subset).

AMAZON will return all IP address ranges. The documentation does not state whether IP ranges for different services may or may not overlap.

Are you able to share your use-case for using ip-ranges.json?

If this is for VPC, the AWS-managed prefix lists may be useful. For access to AWS services within a VPC without internet connectivity, AWS PrivateLink should help.

If you are using it for third-party firewall ingress/egress control from/to AWS resources, CheckPoint has native support via Updatable Objects. For other firewalls such as Fortigate/Palo Alto, the aws-ipranges-api can help keep the ip prefixes up to date.

MikeLim (AWS, Expert), answered a year ago
  • I guess this could be a use case "You can also allow or deny traffic to or from specific types of AWS resources."

  • The use case is similar to what Gary mentioned: for known PaaS services like S3 and DynamoDB that are being used, we will allow traffic; for EC2 and such we would have separate rules individually. But if EC2 and S3 have the same CIDR that becomes difficult, and we are segmenting PaaS individually as well, so if S3 and DynamoDB have the same CIDR that is also an issue.

  • Got it. Assuming this is in a VPC, you can block egress to the internet and use AWS PrivateLink for access to specific AWS services as per https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html I have updated my original post.

  • We are reading flow logs and generating firewall rules based on IP ranges (API). So we just need verification: is the overlapping of CIDR ranges limited to EC2 (IaaS) and S3 (PaaS) only, or do we need to consider S3 and DynamoDB (both PaaS) having overlapping IP ranges?
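An added example (not code from the thread, from AWS, or from the aws-ipranges-api project) that checks an ip-ranges.json document for the cross-service overlaps the question describes, and answers the question behind the flow-log use case above: which services claim a given address, so that a per-service firewall rule can be flagged as ambiguous. The sample document is constructed from the three prefixes quoted in the question plus two made-up entries (an AMAZON-only range and a DynamoDB range, using documentation address space, not real AWS allocations).

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json. The first three entries are
# the ones quoted in the question; the last two are made up (RFC 5737 test
# addresses) to show an AMAZON-only range and a separate DynamoDB range.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.5.80.0/21", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "3.5.80.0/21", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2"},
        {"ip_prefix": "3.5.80.0/21", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "DYNAMODB", "network_border_group": "us-west-2"},
    ],
})

def load_prefixes(ip_ranges_json, ignore=("AMAZON",)):
    """Parse the IPv4 'prefixes' list into (service, ip_network) pairs, skipping ignored services.
    AMAZON is skipped by default because the documentation says it is the superset of every subset."""
    data = json.loads(ip_ranges_json)
    return [(p["service"], ipaddress.ip_network(p["ip_prefix"]))
            for p in data.get("prefixes", []) if p["service"] not in ignore]

def cross_service_overlaps(ip_ranges_json, ignore=("AMAZON",)):
    """Return sorted (service_a, prefix_a, service_b, prefix_b) tuples for every pair of
    prefixes that belong to different services and overlap (identical or nested CIDRs)."""
    entries = load_prefixes(ip_ranges_json, ignore)
    found = set()
    for i, (svc_a, net_a) in enumerate(entries):
        for svc_b, net_b in entries[i + 1:]:
            if svc_a != svc_b and net_a.overlaps(net_b):
                a, b = sorted([(svc_a, str(net_a)), (svc_b, str(net_b))])
                found.add(a + b)
    return sorted(found)

def services_for_ip(ip_ranges_json, ip, ignore=("AMAZON",)):
    """Services whose published prefixes contain `ip` (e.g. an address taken from a flow log).
    More than one result means a per-service firewall rule keyed on this address is ambiguous."""
    addr = ipaddress.ip_address(ip)
    return sorted({svc for svc, net in load_prefixes(ip_ranges_json, ignore) if addr in net})

if __name__ == "__main__":
    for svc_a, pfx_a, svc_b, pfx_b in cross_service_overlaps(SAMPLE_IP_RANGES):
        print(f"overlap: {svc_a} {pfx_a} <-> {svc_b} {pfx_b}")
    print("3.5.80.10 is claimed by:", services_for_ip(SAMPLE_IP_RANGES, "3.5.80.10"))
```

To run it against the live file, replace SAMPLE_IP_RANGES with the contents of the downloaded ip-ranges.json; any overlap pair the script reports is a range where a service-specific allow rule cannot distinguish the two services.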
