Amazon EC2 instances primarily use two types of IP addresses when launched: private IPs within your VPC and public IPs when assigned. For your specific MySQL access scenario, you'll need to whitelist both the region-specific public IP ranges for instances with public IPs and the VPC-specific private IP ranges for internal communication.
AWS publishes its IP address ranges in machine-readable JSON format at:
https://ip-ranges.amazonaws.com/ip-ranges.json
This file gets updated regularly and contains:
- All AWS public IP ranges
- Region-specific allocations
- Service-specific ranges (EC2, S3, etc.)
- IPv4 and IPv6 addresses
Here's a Python script to extract EC2 IPs for a specific region:
```python
import requests

IP_RANGES_URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json'

def get_ec2_ips(region):
    """Return the IPv4 EC2 prefixes AWS currently publishes for one region."""
    response = requests.get(IP_RANGES_URL, timeout=10)
    response.raise_for_status()  # don't parse an error page as if it were the JSON
    data = response.json()
    ec2_ips = [
        prefix['ip_prefix']
        for prefix in data['prefixes']  # IPv6 entries live in data['ipv6_prefixes']
        if prefix['service'] == 'EC2' and prefix['region'] == region
    ]
    return ec2_ips

# Example: Get all EC2 IPs for us-east-1
print(get_ec2_ips('us-east-1'))
```
To automatically update your firewall when AWS changes its IP ranges:
- Set up a Lambda function triggered by CloudWatch Events (schedule it to run daily)
- Compare the current JSON with your last stored version
- Update firewall rules via API if changes are detected
Example AWS CLI command to update security groups:
```bash
aws ec2 authorize-security-group-ingress \
    --group-id sg-12345678 \
    --protocol tcp \
    --port 3306 \
    --cidr 203.0.113.0/24
```
- Remember that Auto Scaling groups can span multiple Availability Zones
- For maximum security, consider using VPC peering or PrivateLink instead of public IP whitelisting
- The IP ranges file includes a createDate field you can use for change detection
- Always test new ranges in a staging environment first
Amazon Web Services publishes its current IP address ranges in JSON format through an official endpoint. For EC2 instances, these IP ranges are organized by region and service. The authoritative source is regularly updated and available at:
https://ip-ranges.amazonaws.com/ip-ranges.json
Here's a Python script using boto3 to fetch and parse EC2 IP ranges for a specific region:
```python
import requests

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

def get_ec2_ip_ranges(region='us-east-1'):
    """Return the IPv4 EC2 prefixes AWS currently publishes for one region."""
    response = requests.get(IP_RANGES_URL, timeout=10)
    response.raise_for_status()  # fail loudly instead of parsing an error page
    data = response.json()
    ec2_prefixes = [
        prefix['ip_prefix']
        for prefix in data['prefixes']  # IPv6 entries are under data['ipv6_prefixes']
        if prefix['service'] == 'EC2' and prefix['region'] == region
    ]
    return ec2_prefixes

# Example usage
print(get_ec2_ip_ranges('eu-west-1'))
```
For MySQL database access from auto-scaled EC2 instances, you can create a Lambda function that updates security groups when IP ranges change:
```python
import boto3
import requests
from datetime import datetime, timezone

SECURITY_GROUP_ID = 'sg-12345678'  # placeholder; replace with your group's ID
IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

def get_ec2_ip_ranges(region='us-east-1'):
    response = requests.get(IP_RANGES_URL, timeout=10)
    response.raise_for_status()
    return [p['ip_prefix'] for p in response.json()['prefixes']
            if p['service'] == 'EC2' and p['region'] == region]

def update_security_group(event, context):
    ec2 = boto3.client('ec2')
    wanted = set(get_ec2_ip_ranges())
    response = ec2.describe_security_groups(GroupIds=[SECURITY_GROUP_ID])
    # Only the tcp/3306 rules are managed here; other rules in the group are left alone.
    current = set()
    for perm in response['SecurityGroups'][0]['IpPermissions']:
        if perm['IpProtocol'] == 'tcp' and perm.get('FromPort') == 3306 and perm.get('ToPort') == 3306:
            current.update(r['CidrIp'] for r in perm.get('IpRanges', []))

    def permissions(cidrs):
        return [{'IpProtocol': 'tcp', 'FromPort': 3306, 'ToPort': 3306,
                 'IpRanges': [{'CidrIp': ip} for ip in sorted(cidrs)]}]

    # Authorize new ranges before revoking stale ones, so there is never a window
    # in which the group is empty and live connections are dropped. Revoking with an
    # empty IpPermissions list is an API error, hence the guards. Note that the call
    # fails once the group's rule quota (60 inbound rules by default) is exceeded.
    if wanted - current:
        ec2.authorize_security_group_ingress(GroupId=SECURITY_GROUP_ID,
                                             IpPermissions=permissions(wanted - current))
    if current - wanted:
        ec2.revoke_security_group_ingress(GroupId=SECURITY_GROUP_ID,
                                          IpPermissions=permissions(current - wanted))
    return {'status': 'success',
            'added': len(wanted - current), 'removed': len(current - wanted),
            'timestamp': datetime.now(timezone.utc).isoformat()}
```
AWS provides an SNS topic for IP range changes. Subscribe to it using:
```bash
# The topic lives in us-east-1, so the subscribe call must target that region.
aws sns subscribe \
    --region us-east-1 \
    --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged \
    --protocol email \
    --notification-endpoint your.email@example.com
```
Instead of managing public IP ranges, consider using VPC peering or AWS PrivateLink for more secure database access:
```bash
# Create a VPC peering connection
aws ec2 create-vpc-peering-connection \
    --vpc-id vpc-12345678 \
    --peer-vpc-id vpc-87654321 \
    --peer-region eu-west-1
```
- Cache the IP ranges locally with TTL validation
- Implement gradual security group updates to avoid connection drops
- Monitor AWS Health Dashboard for IP range change announcements
- Consider using NAT Gateway with static IPs for more predictable outbound traffic
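Both answers describe the same procedure (fetch ip-ranges.json, detect a change, then adjust the security group) but neither shows the change detection or the rule diff actually being computed. The following is an added example, not code from either answer, that runs offline against two constructed snapshots of the ip-ranges.json schema (the CIDRs are documentation ranges, not real AWS allocations). It checks syncToken first, then the real per-region set difference, collapses nested prefixes so they do not cost extra rules, and produces only the authorize/revoke calls that are needed, in the IpPermissions shape boto3 uses, instead of revoking everything and re-adding it. The 60-rule figure is the default per-group inbound quota and is an assumption about your account; region and port values are assumptions too. Keep in mind that a region's EC2 prefix list is far longer than that quota, and that whitelisting it admits any AWS customer's instance in that region, which is why the peering, PrivateLink and NAT-gateway-with-a-fixed-IP options mentioned above are the better fix.

```python
"""Offline change detection and security-group delta for AWS EC2 IP ranges.

Added example. Works on the ip-ranges.json schema (syncToken/createDate,
prefixes[] with ip_prefix/region/service, ipv6_prefixes[] with ipv6_prefix).
"""
import ipaddress
import json

# Constructed snapshots that mimic the real file; CIDRs are RFC 5737/3849
# documentation ranges, not AWS allocations.
OLD_SNAPSHOT = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2"},
    ],
})
NEW_SNAPSHOT = json.dumps({
    "syncToken": "1700086400",
    "createDate": "2023-11-15-22-13-20",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2"},
    ],
})


def load_snapshot(text: str) -> dict:
    return json.loads(text)


def ec2_prefixes(doc: dict, region: str, include_ipv6: bool = False) -> set:
    """EC2 prefixes for `region` as CIDR strings, collapsed so a /25 nested in a
    listed /24 does not consume a separate security-group rule."""
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
          if p["service"] == "EC2" and p["region"] == region]
    nets = list(ipaddress.collapse_addresses(v4))  # v4 and v6 collapsed separately
    if include_ipv6:
        v6 = [ipaddress.ip_network(p["ipv6_prefix"]) for p in doc.get("ipv6_prefixes", [])
              if p["service"] == "EC2" and p["region"] == region]
        nets += list(ipaddress.collapse_addresses(v6))
    return {str(n) for n in nets}


def detect_change(old_json: str, new_json: str, region: str) -> dict:
    """Cheap syncToken check first, then the real per-region set difference.
    A new syncToken alone is not a reason to touch the group: the edit may
    concern another region or service."""
    old, new = load_snapshot(old_json), load_snapshot(new_json)
    if old["syncToken"] == new["syncToken"]:
        return {"changed": False, "added": set(), "removed": set()}
    before, after = ec2_prefixes(old, region), ec2_prefixes(new, region)
    return {"changed": before != after, "added": after - before, "removed": before - after}


def sg_delta(existing_permissions: list, wanted_cidrs: set, port: int = 3306,
             max_rules: int = 60) -> dict:
    """boto3-shaped IpPermissions for authorize and revoke that touch only the
    CIDRs that changed. `existing_permissions` is the IpPermissions list from
    describe_security_groups; `max_rules` is the assumed per-group inbound quota."""
    current = set()
    for perm in existing_permissions:
        if (perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port
                and perm.get("ToPort") == port):
            current.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    to_add, to_remove = sorted(wanted_cidrs - current), sorted(current - wanted_cidrs)
    # The quota counts every rule in the group, not just the ones managed here.
    other_rules = sum(len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", []))
                      for p in existing_permissions
                      if not (p.get("IpProtocol") == "tcp" and p.get("FromPort") == port))
    fits = other_rules + len(wanted_cidrs) <= max_rules

    def as_permission(cidrs):
        return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": c} for c in cidrs]}] if cidrs else []

    return {"authorize": as_permission(to_add), "revoke": as_permission(to_remove),
            "fits_quota": fits}


if __name__ == "__main__":
    print(detect_change(OLD_SNAPSHOT, NEW_SNAPSHOT, "us-east-1"))
    existing = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.0/24"}]}]
    print(sg_delta(existing, ec2_prefixes(load_snapshot(NEW_SNAPSHOT), "us-east-1")))
```

Running it reports one added and one removed prefix for us-east-1, while the same two snapshots report no change for eu-west-1 despite the new syncToken. Feed `authorize` and `revoke` to `authorize_security_group_ingress` and `revoke_security_group_ingress` in that order, and refuse to proceed when `fits_quota` is false rather than letting the API call fail halfway through.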