Reputation: 221
We whitelist client IPs on our server. We have a new client, and the client is telling us they use AWS servers, and they said "you'll need to whitelist their (AWS) IPs list from the us-east-1 region". They provided us a spreadsheet of these IPs (164 IPs).
Does this seem reasonable, that a customer would use all IPs from an AWS region?
Thanks
Upvotes: 1
Views: 3452
Reputation: 1
Yeah, it doesn't sound reasonable, just lazy really. You should be able to narrow this down to specific services. You can ask them to provide you with the AWS service endpoints they use or specific public IPs and do a lookup for the associated prefixes at http://www.queryaws.net.
You can also use this site to find all public IP prefixes for a specific region and service.
Upvotes: 0
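To make the "narrow it down to specific services" suggestion concrete, here is an added example (not code from any answer on this page). It uses a constructed sample in the layout of AWS's published ip-ranges.json file (https://ip-ranges.amazonaws.com/ip-ranges.json), filters the prefixes by region and service, and reports which entries of a customer-supplied IP list fall inside those prefixes, so the allowlist can be limited to the services the customer actually uses.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json; the
# prefixes below are documentation ranges, not real AWS allocations.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
})


def prefixes_for(ip_ranges_json, region, service=None):
    """Return the deduplicated IPv4 prefixes for a region, optionally one service.

    The same prefix appears once per service in the AWS file (and once more
    under the umbrella "AMAZON" service), so a set removes the duplicates.
    """
    data = json.loads(ip_ranges_json)
    nets = set()
    for entry in data["prefixes"]:
        if entry["region"] != region:
            continue
        if service is not None and entry["service"] != service:
            continue
        nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    return sorted(nets)


def classify_client_ips(client_ips, allowed_nets):
    """Split the customer's IP list into entries inside and outside allowed_nets."""
    inside, outside = [], []
    for raw in client_ips:
        ip = ipaddress.ip_address(raw.strip())
        (inside if any(ip in n for n in allowed_nets) else outside).append(str(ip))
    return inside, outside


if __name__ == "__main__":
    ec2_nets = prefixes_for(SAMPLE_IP_RANGES, "us-east-1", "EC2")
    spreadsheet = ["203.0.113.10", "203.0.113.200", "192.0.2.7"]  # constructed
    ok, stray = classify_client_ips(spreadsheet, ec2_nets)
    print("inside us-east-1 EC2 prefixes:", ok)
    print("outside (ask the customer about these):", stray)
```

Entries that land in the "outside" list are the ones worth querying: they are either in another service's range or not AWS at all.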
Reputation: 769
A NAT gateway is NOT REALLY MANDATORY for meeting this requirement.
There are 2 possibilities:
In the first case, you can simply whitelist the client's Elastic IP.
In the second case, all their traffic will be routed via an AWS internet gateway, which definitely will have an IP address associated with it. You will just need to whitelist that internet gateway IP instead of whitelisting all the IPs.
Upvotes: 2
Reputation: 200436
It doesn't make sense that they would use ALL the IPs. It does make sense that they don't know the IP they will be using ahead of time, and can only tell you that it will be from that list of IPs. If that's a problem, then you could ask your customer to create a NAT Gateway with a static IP address (AWS Elastic IP), which you could then whitelist. However, that will require added monthly costs and added complication for your user.
Upvotes: 3