[VMC on AWS] IP ranges used by Amazon S3 differ depending on confirmation method.
Article ID: 325155
Products
VMware Cloud on AWS
Issue/Introduction
This article explains why the IP address ranges reported for Amazon S3 differ depending on the method used to confirm them.
Symptoms: The output differs depending on the method used to confirm the IP address ranges used by Amazon S3. Specifically, the S3 IP address ranges returned by the following two methods do not match.

Case using the "curl" command:

  $ curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="region_name") | select(.service=="S3") | .ip_prefix'
  3.x.x.0/22
  3.x.x.0/21
  52.x.x.0/17
  52.x.x.0/17
  35.x.x.x/28
  35.x.x.x/28

Case using the "aws cli" command:

  $ aws ec2 describe-prefix-lists --region region_name
  PREFIXLISTS     pl-68a54001     com.amazonaws.region_name.s3
  CIDRS   3.x.x.0/22
  CIDRS   3.x.x.0/21
  CIDRS   52.x.x.0/17
  CIDRS   52.x.x.0/17

The differences in this example are the following two CIDRs, which appear in ip-ranges.json but not in the describe-prefix-lists output:

  35.x.x.x/28
  35.x.x.x/28
Cause
The ip-ranges.json file is forward looking and also includes all reserved but not yet used CIDR ranges, whereas DescribePrefixLists returns only the prefixes actively in use at a given time.
The CIDR addresses 35.x.x.x/28 and 35.x.x.x/28 are missing from the output of describe-prefix-lists. AWS checked this discrepancy with their VPC team, who confirmed that it occurs because, although they try to keep the online ip-ranges.json file updated at all times, the update is sometimes delayed, so you may see some differences between the prefix list and the ip-ranges file. Also, the ranges published in ip-ranges.json are the maximum allocated to that service at this point, and these CIDR addresses change from time to time. These CIDRs are front-end load balancer virtual IPs, not the actual servers hosting S3 data, so even if you get only one CIDR in the prefix list output, you should still be able to reach your buckets without any issues.
Resolution
If you are trying to whitelist the IP addresses in your firewall or security group, it is recommended to use the ip-ranges.json output, because extra CIDRs may be added to the service at any time, and the API (DescribeManagedPrefixLists) is updated at that time as well.
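The following Python is an added example (not part of this article or of any AWS or VMware tool) that reconciles the two outputs described above: it applies the same region/service filter as the jq command to an ip-ranges.json excerpt, then reports which published CIDRs a firewall allowlist built only from describe-prefix-lists would miss. Both inputs are constructed samples, and "region_name" is the placeholder used in the article.

```python
"""Reconcile S3 CIDRs published in ip-ranges.json with those an AWS-managed
prefix list currently returns, so an allowlist can be checked for gaps."""
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json (not real AWS data).
IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "3.0.0.0/22", "region": "region_name", "service": "S3"},
        {"ip_prefix": "52.0.0.0/17", "region": "region_name", "service": "S3"},
        {"ip_prefix": "35.0.0.0/28", "region": "region_name", "service": "S3"},
        {"ip_prefix": "52.0.64.0/28", "region": "region_name", "service": "S3"},
        {"ip_prefix": "3.0.0.0/22", "region": "region_name", "service": "EC2"},   # other service
        {"ip_prefix": "3.0.4.0/22", "region": "other_region", "service": "S3"},   # other region
    ]
})

# Constructed CIDRs as `aws ec2 describe-prefix-lists` might return for the S3 list.
PREFIX_LIST_CIDRS = ["3.0.0.0/22", "52.0.0.0/17"]


def s3_prefixes_from_ip_ranges(raw_json, region, service="S3"):
    """Same selection as the jq filter in the article: one region, one service."""
    data = json.loads(raw_json)
    return sorted(
        p["ip_prefix"] for p in data["prefixes"]
        if p["region"] == region and p["service"] == service
    )


def reconcile(published, active):
    """Split published CIDRs into those covered by the active prefix list
    (identical to, or contained in, an active CIDR) and those not covered.
    Uncovered CIDRs are the ones an allowlist built from the prefix list alone
    would block, which is why the article recommends ip-ranges.json."""
    active_nets = [ipaddress.ip_network(c) for c in active]
    covered, uncovered = [], []
    for cidr in published:
        net = ipaddress.ip_network(cidr)
        if any(net.subnet_of(a) for a in active_nets if a.version == net.version):
            covered.append(cidr)
        else:
            uncovered.append(cidr)
    return covered, uncovered


if __name__ == "__main__":
    published = s3_prefixes_from_ip_ranges(IP_RANGES_JSON, "region_name")
    covered, uncovered = reconcile(published, PREFIX_LIST_CIDRS)
    print("covered by prefix list:", covered)
    print("published but not in prefix list:", uncovered)
```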