I'm serving HTTP traffic on port 80 through an ELB. For a short while now, a growing number of clients have been asking me what our IP addresses are (to harvest data). Apparently they can't whitelist the DNS name of the ELB, only IP addresses ("Your IP addresses change all the time, how are we supposed to cope with this!").

One solution I could think of was keeping track of my ELB's IP address pool and listing it in some file on the server for the client? Maybe that's cumbersome, but I'm having a hard time finding info or articles about experiences with this, though I can't imagine it being a rare situation.

Is there any common method to provide people the pool of IP addresses my ELB uses? Or is that ridiculous and they'd just have to use some solution which can whitelist DNS addresses?

Bas Peeters

  • Doomed to failure unfortunately. Unless Amazon provides this solution for you, there is absolutely zero expectation of those IP addresses ever remaining the same. Any addresses that you observe should be considered volatile at best. – Andrew B Feb 05 '15 at 09:15
  • What I expected. But whitelisting a DNS name in a firewall should be possible, right? Should they just replace their firewall software? I don't think it's weird at all that IP addresses can be volatile considering the concept of Load Balancing. – Bas Peeters Feb 05 '15 at 09:18
  • Nope. Skipping the details of why such an implementation would be mad (and terribly insecure), any firewall that accepts a DNS record on input is typically going to convert that to an IP address at runtime. [Perhaps you could elaborate on what these clients are trying to accomplish?](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) – Andrew B Feb 05 '15 at 09:22
  • Every once in a while someone needs the public IP addresses on which our web service runs. The core of the problem is that they're using a firewall solution which doesn't allow them to specify DNS names, only IP addresses. What they're trying to do varies per client and I don't know what new/other clients will think of next. Think of using SharePoint to get RSS feeds, custom scripts that scrape web page contents, etc. What they're actually doing is beyond the scope of my question. – Bas Peeters Feb 05 '15 at 09:30
  • It's actually at the core of your question. This means that they're either behind a firewall that only allows outbound traffic based on destination IP, or that the firewalls aren't stateful (doubtful). That kind of design simply isn't compatible with an ELB-style service and it's not a problem you can solve for them with your current design. – Andrew B Feb 05 '15 at 09:36
  • My question explains that they indeed are behind a firewall that only allows outbound traffic based on destination IP. I don't think that what they are trying to do is at the core of my question, because I'm looking for a solution regardless of that (which also includes educating them on what best practices exist in firewalling). I have no interest in their reasons, other than them being able to reach my servers. If they can't do that then they should ping my DNS name and keep a list of IPs, or change their firewall software. I was hoping to find some articles about people's experiences with this. – Bas Peeters Feb 05 '15 at 09:52
  • Your IP addresses change, and often. The answer to "what is your IP" is found in DNS at any given time. The answer to "what is the list of all IP addresses you will ever use" is undefinable. – Hyppy Feb 05 '15 at 14:46
  • But that is not my question – Bas Peeters Feb 05 '15 at 14:59

1 Answer

Is there any common method to provide people the pool of IP addresses my ELB uses?

Yes, ELB is built upon EC2 and AWS publishes a list of all public IP ranges in use by specific regions. It should be safe to assume that every IP your ELB could use will fall within the published range for its region.

These IP ranges are subject to change without notice, but AWS maintains a current list in a JSON format that can be used to maintain the white-list automatically.

On the other hand, this is kind of redundant as the whole point of DNS is to provide a current list of IPs associated with a hostname.

Or is that ridiculous and they'd just have to use some solution which can whitelist DNS addresses?

It's not entirely ridiculous that they can't white-list a hostname as any firewall solution which supports that would have to either resolve the DNS hostname to an IP at runtime then respect the TTL to keep this list up to date, or else function at layer 7 and inspect the host HTTP header field.

What is somewhat unusual is that they want to white-list outbound connections; it's more common to want to white-list inbound connections (such as when you're trying to access their API), in which case you can assign the instances behind your ELB an EIP so that when your application servers initiate an outbound connection they have a static IP (although doing this can get in the way of auto scaling).

In general ELB isn't intended to be a silver bullet for everyone, it makes compromises that deliver significant benefits (such as transparent scaling) for 90% of use cases at the expense of a minority of would-be users. If you really need a static IP for your load balancer then OpsWorks makes orchestrating HAProxy almost as easy.

thexacre

  • That answer "Yes" is very dangerous. It essentially means every possible IP owned by AWS. By the time you parse it and add it to your firewall, Amazon would have released a few more new public IPs. – so_mv Oct 16 '15 at 13:48
  • The point of whitelisting IP addresses is to prevent access to "bad" addresses. Whitelisting all of AWS is a ridiculous solution, because it would allow access to the OP's target, _and_ all the "bad" stuff hosted within AWS. – Phil Nov 23 '16 at 03:57
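The answer above says the published JSON list "can be used to maintain the white-list automatically", and the comments warn how broad such a list is. The following is an added example, not code from the question, the answer or AWS: it parses a feed with the layout of AWS's `ip-ranges.json` (a top-level `prefixes` list whose entries carry `ip_prefix`, `region` and `service` keys, plus an `ipv6_prefixes` list with `ipv6_prefix`), narrows it to one region and service, reports what changed since the last run, counts how many addresses the allow-list actually opens, and checks whether an address currently returned for the ELB falls inside the selected ranges. The `SAMPLE_FEED` is constructed from documentation address blocks and is not real AWS address space; the region and service names are assumptions for illustration.

```python
"""Maintain a per-region allow-list from an ip-ranges.json-style feed.

Added example for this Server Fault thread; not the poster's or AWS's code.
Field names follow the published AWS feed layout; the SAMPLE_FEED below is
constructed from RFC 5737 documentation blocks and is not real AWS space.
"""
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_FEED = json.dumps({
    "syncToken": "0",
    "createDate": "2015-02-05-09-15-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/26", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "eu-west-1", "service": "EC2"},
    ],
})

# Both address families live in separate lists with differently named keys.
_LISTS = (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix"))


def _sort_key(network_str):
    net = ipaddress.ip_network(network_str)
    # Group by family, then by network address and prefix length.
    return (net.version, int(net.network_address), net.prefixlen)


def prefixes_for(feed_json, region, services=("EC2",), include_ipv6=False):
    """Return the sorted prefixes (as strings) announced for a region/service set.

    ELB sits on EC2, which is why "EC2" is the default service filter (the
    answer's assumption); adding "AMAZON" pulls in the wider catch-all range.
    """
    data = json.loads(feed_json)
    wanted = set(services)
    selected = set()
    for list_key, field in _LISTS:
        if list_key == "ipv6_prefixes" and not include_ipv6:
            continue
        for entry in data.get(list_key, []):
            if entry["region"] == region and entry["service"] in wanted:
                # Normalise through ipaddress so malformed entries fail loudly.
                selected.add(str(ipaddress.ip_network(entry[field])))
    return sorted(selected, key=_sort_key)


def diff_allowlist(previous, current):
    """Compute the rules to add and remove between two runs of prefixes_for()."""
    old, new = set(previous), set(current)
    return {
        "add": sorted(new - old, key=_sort_key),
        "remove": sorted(old - new, key=_sort_key),
    }


def address_count(prefixes):
    """How many individual addresses the allow-list opens; the comments' caveat."""
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


def covered_by(address, prefixes):
    """True if an address (e.g. one resolved from the ELB's DNS name) lies in the list."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in prefixes
               if ipaddress.ip_network(p).version == addr.version)


if __name__ == "__main__":
    # Simulate a previous run that had one range since retired by the feed.
    last_run = ["203.0.113.0/24", "198.51.100.0/25"]
    now = prefixes_for(SAMPLE_FEED, "eu-west-1")
    print("current EC2 prefixes for eu-west-1:", now)
    print("changes since last run:", diff_allowlist(last_run, now))
    print("addresses opened by the allow-list:", address_count(now))
    print("203.0.113.77 covered:", covered_by("203.0.113.77", now))
```

Run against the real feed, the `address_count` figure is the number to show a client before they agree to this approach: it is the size of the hole the allow-list opens, and the feed's `syncToken` changing between runs is the signal to re-run the diff and push the add/remove rules.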