0
votes

We have an application that runs on different client systems and sends data to Amazon Kinesis Data Firehose. But the client has a firewall which restricts outbound traffic to whitelisted IP addresses only and does not allow domain names in their firewall rules. I am not that familiar with AWS but read that the Amazon IP addresses keep changing. Because of this we are having problems whitelisting the IP addresses in the client firewall.

I came across the following pages that mention that the AWS public IP address ranges are available in JSON format.

https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/

https://ip-ranges.amazonaws.com/ip-ranges.json

It's a huge list with multiple entries for the same region. Can you suggest a way to extract the IP ranges that our service will use so that we can whitelist them in the client's firewall? Any other alternative is also welcome.

Thanks in advance for any help and/or suggestions.

You could filter by region; that reduces the number of IP address ranges. Also, it is important whether your application uses CloudFront or not, in which case you might need different IP ranges. - gaborsch
The (very) long way: Global Accelerator (provides static IPs) → Application Load Balancer → Lambda → Kinesis. Good for payloads up to 1 MB due to the limits on the ALB/Lambda integration. - Michael - sqlbot
Thanks for the suggestions. We decided to use domain names in the firewall rule. - G_S

1 Answer

0
votes

Firehose has regional endpoints that are listed on this page:
https://docs.aws.amazon.com/general/latest/gr/rande.html

Using the us-east-2 endpoint as an example...
Right now, firehose.us-east-2.amazonaws.com resolves, for me, to 52.95.17.2, which currently appears in the ip-ranges.json document as:

service: AMAZON
region: us-east-2
ip_prefix: 52.95.16.0/21

If you wanted to know which ranges to whitelist on the firewall, you'd need to get all of the ranges for AMAZON in us-east-2 (currently 34 if you include IPv6 addresses). Note: that assumes all of the endpoints fall under the AMAZON service marker, and you'll be whitelisting far more services than just Firehose if you whitelist that.

Previous contact with AWS support suggests that ranges can be added without warning, so you'd need to frequently check the published ranges and update the firewall to avoid a situation where the endpoint resolved to a new IP address that wasn't whitelisted.

If you did want to go the route of frequent checks and whitelisting, then a Python script like this could be used to retrieve the relevant IP ranges:

#!/usr/bin/env python3
import requests

# Fetch the published ranges; fail loudly on HTTP errors rather than parsing an error page
aws_response = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json', timeout=30)
aws_response.raise_for_status()
response_json = aws_response.json()

# IPv4 ranges live under "prefixes", IPv6 ranges under "ipv6_prefixes"
for prefix in response_json.get('prefixes', []):
    if prefix.get('service') == 'AMAZON' and prefix.get('region') == 'us-east-2':
        print(prefix.get('ip_prefix'))
for prefix in response_json.get('ipv6_prefixes', []):
    if prefix.get('service') == 'AMAZON' and prefix.get('region') == 'us-east-2':
        print(prefix.get('ipv6_prefix'))
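The answer above downloads the document and prints matching ranges; the parts a firewall maintainer still has to do by hand are checking which published prefix an endpoint's resolved address actually falls in, collapsing the selected ranges into the fewest rules, and comparing a fresh download against what the firewall was last loaded with so that silently added ranges are noticed. The script below is an added example, not the answerer's code or anything from AWS: it works offline on a constructed excerpt in the shape of ip-ranges.json (only the 52.95.16.0/21 entry mirrors the one quoted in the answer; the other prefixes are placeholders, and the overlapping /22 is there to exercise the collapsing). Swap SAMPLE_DOC for the real document fetched by the answer's script to use it for real.

```python
#!/usr/bin/env python3
"""Work with AWS ip-ranges.json offline: select ranges for a service/region,
find which published prefix covers an endpoint's address, collapse the result
into the fewest firewall rules, and diff two snapshots of the document.
Added example; not code from the original answer."""
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json (not the real document).
# 52.95.16.0/21 mirrors the entry quoted in the answer; the rest are placeholders.
# The same CIDR appearing under AMAZON and EC2 is deliberate: AWS documents the
# AMAZON service as the superset of every other service's ranges, which is why
# the real file has "multiple entries for the same region".
SAMPLE_DOC = json.loads("""
{
  "syncToken": "1600000000",
  "createDate": "2020-09-13-12-00-00",
  "prefixes": [
    {"ip_prefix": "52.95.16.0/21",  "region": "us-east-2", "service": "AMAZON"},
    {"ip_prefix": "52.95.16.0/21",  "region": "us-east-2", "service": "EC2"},
    {"ip_prefix": "52.95.16.0/22",  "region": "us-east-2", "service": "AMAZON"},
    {"ip_prefix": "3.5.128.0/22",   "region": "us-east-2", "service": "AMAZON"},
    {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "AMAZON"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2600:1f16::/36", "region": "us-east-2", "service": "AMAZON"}
  ]
}
""")


def select_prefixes(doc, service, region):
    """Set of IPv4 and IPv6 CIDRs tagged with the given service and region."""
    chosen = set()
    for entry in doc.get("prefixes", []):
        if entry["service"] == service and entry["region"] == region:
            chosen.add(entry["ip_prefix"])
    for entry in doc.get("ipv6_prefixes", []):
        if entry["service"] == service and entry["region"] == region:
            chosen.add(entry["ipv6_prefix"])
    return chosen


def prefixes_containing(doc, ip):
    """(service, region, cidr) tuples, in document order, whose CIDR covers ip.
    Run this on the address an endpoint resolves to in order to see which
    service markers it falls under before deciding what to whitelist."""
    addr = ipaddress.ip_address(ip)
    table, key = (("prefixes", "ip_prefix") if addr.version == 4
                  else ("ipv6_prefixes", "ipv6_prefix"))
    return [(e["service"], e["region"], e[key])
            for e in doc.get(table, [])
            if addr in ipaddress.ip_network(e[key])]


def collapse_cidrs(cidrs):
    """Merge overlapping and adjacent CIDRs so the firewall gets the fewest rules.
    collapse_addresses only accepts one address family at a time, so split first."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def diff_snapshots(previous, current):
    """(added, removed) CIDRs between the allowlist the firewall was loaded with
    and one built from a fresh download; a non-empty 'added' means the firewall
    is stale and the endpoint may already resolve into an unlisted range."""
    return sorted(current - previous), sorted(previous - current)


def is_allowed(allowlist, ip):
    """True if ip falls inside any CIDR of the allowlist (either address family)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in allowlist)


if __name__ == "__main__":
    current = select_prefixes(SAMPLE_DOC, "AMAZON", "us-east-2")
    print("AMAZON/us-east-2 firewall rules:", collapse_cidrs(current))
    print("52.95.17.2 is covered by:", prefixes_containing(SAMPLE_DOC, "52.95.17.2"))
    loaded_last_time = {"52.95.16.0/21"}  # constructed: what the firewall holds now
    added, removed = diff_snapshots(loaded_last_time, current)
    print("ranges to add:", added, "ranges to drop:", removed)
    print("endpoint still allowed by stale list?", is_allowed(loaded_last_time, "52.95.17.2"))
```

In practice you would persist the set returned by select_prefixes (or the document's syncToken) alongside the firewall change, and have the scheduled check call diff_snapshots against it; the added list is exactly the set of rules the client has to push before the next endpoint resolution lands outside the allowlist.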