Solution providing AWS IP prefixes as web feeds for use by firewalls and other applications. Allows IP address lookup.
AWS publishes its IP ranges in JSON format through ip-ranges.json. The IP prefixes are commonly used by network firewalls for inbound and/or outbound network access control.
A common use case is Amazon CloudFront with an on-premises web server as origin; only CloudFront origin facing (and, if in use, Route 53 Health Checks) IP prefixes are allowed inbound access at the perimeter network firewall. Another use case is egress control, where firewall administrators allow-list or deny-list outbound network access to all or specific AWS services or Regions, such as Route 53 name servers or Amazon S3.
Typically, the firewall administrator will extract the required IP prefixes from ip-ranges.json for use in firewall rules. The IP prefixes need to be updated whenever there are changes, and users can subscribe to AWS IP address ranges notifications.
This project makes IP prefixes available as web feeds for automatic updates by firewalls. Users have the option to filter IP prefixes by service, Region and network border group, and in combined IPv4 and IPv6, IPv4 only or IPv6 only format. The entire solution is serverless and can be deployed with a single CloudFormation template.
The solution is mentioned in the blog post How to enhance CloudFront origin security of on-premise web servers using third-party firewalls.
The solution can be implemented using different AWS Services. Click on links below for deployment details:
Firewalls that support external IP prefix web feeds include (but are not limited to):
- CheckPoint: External Network Feeds
- Cisco Secure Firewall: Custom Security Intelligence Feeds (Network)
- FortiGate: Threat Feeds (IP Address)
- Juniper: Custom Feed (Dynamic Address)
- OPNsense: Aliases (URL Tables (IPs))
- Palo Alto Networks: External Dynamic List (IP Address)
- pfSense: Aliases (URL Tables (IPs))
Some firewalls have limited native support for AWS IP prefixes:
- CheckPoint: Updatable Objects
- Palo Alto Networks: EDL Hosting Service
Refer to vendor website documentation for configuration steps.
Use different URLs to return IP prefixes or other values:
- / : returns CloudFront origin facing prefixes, customizable via awsServices in the CloudFormation template and the Lambda function SERVICES environment variable
- /SERVICE : listing of available services
- /REGION : listing of available Regions
- /NETWORK : listing of network border groups, which are a unique set of Availability Zones or Local Zones from where AWS advertises IP addresses
- /SERVICE/<SERVICE> : prefixes for a specific SERVICE, e.g. /SERVICE/CLOUDFRONT_ORIGIN_FACING
- /SERVICE/<SERVICE>/<REGION> : prefixes for a specific SERVICE and REGION, e.g. /SERVICE/S3/us-east-1
- /REGION/<REGION> : prefixes for a specific REGION, e.g. /REGION/ap-southeast-1
- /REGION/<REGION>/<SERVICE> : prefixes for a specific REGION and SERVICE, e.g. /REGION/ap-southeast-1/EC2_INSTANCE_CONNECT
- /NETWORK/<NETWORK> : prefixes for a specific network border group, e.g. /NETWORK/us-east-1-nyc-1
- /SEARCH/<IP ADDRESS> : IPv4 or IPv6 address to query, e.g. /SEARCH/13.34.96.200. This will return any matching entries, e.g.
  ip_prefix,region,service,network_border_group
  13.34.96.224/27,ap-southeast-1,AMAZON,ap-southeast-1
- /createDate : ip-ranges.json publication date and time, in UTC YY-MM-DD-hh-mm-ss format
- /syncToken : ip-ranges.json publication time, in Unix epoch time format
For IP prefixes, append /ipv4.txt or /ipv6.txt to return IPv4 or IPv6 prefixes only, e.g. /SERVICE/ROUTE53_HEALTHCHECKS/ipv4.txt
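As an added illustration (not the project's own Lambda code), the following Python reproduces the filtering behind the /SERVICE, /REGION, /NETWORK and /SEARCH URLs and the /ipv4.txt and /ipv6.txt suffixes against a constructed ip-ranges.json excerpt; the function names and the sample entries are assumptions, not values taken from the live file.

```python
import ipaddress
import json

# Constructed ip-ranges.json excerpt: same shape as the AWS file, sample entries only
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "13.34.96.224/27", "region": "ap-southeast-1",
         "service": "AMAZON", "network_border_group": "ap-southeast-1"},
        {"ip_prefix": "13.34.96.224/27", "region": "ap-southeast-1",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "ap-southeast-1"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
})

def load_prefixes(raw):
    """Merge the IPv4 and IPv6 sections into (network, region, service, border group) rows."""
    data = json.loads(raw)
    entries = [(p["ip_prefix"], p) for p in data.get("prefixes", [])]
    entries += [(p["ipv6_prefix"], p) for p in data.get("ipv6_prefixes", [])]
    return [(ipaddress.ip_network(cidr), p["region"], p["service"], p["network_border_group"])
            for cidr, p in entries]

def feed(rows, service=None, region=None, network=None, version=None):
    """Prefix list a /SERVICE, /REGION or /NETWORK URL would serve: filters are ANDed, a prefix
    listed under several services appears once, version=4/6 mirrors /ipv4.txt and /ipv6.txt."""
    nets = {net for net, reg, svc, nbg in rows
            if (service is None or svc == service)
            and (region is None or reg == region)
            and (network is None or nbg == network)
            and (version is None or net.version == version)}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

def search(rows, address):
    """Mirror /SEARCH/<IP ADDRESS>: CSV header plus one line per entry whose prefix contains it."""
    addr = ipaddress.ip_address(address)
    lines = ["ip_prefix,region,service,network_border_group"]
    for net, reg, svc, nbg in rows:
        if addr.version == net.version and addr in net:
            lines.append(f"{net},{reg},{svc},{nbg}")
    return lines
```

Because feed() de-duplicates, a firewall allow-list built from /SERVICE/CLOUDFRONT_ORIGIN_FACING does not grow when the same prefix is also listed under AMAZON.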
To remove created resources, delete the CloudFormation stack.
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.