
How do I specify an address range? I get a cryptic error every time I try to do so.

According to whois, my ISP's address range is 98.0.0.0 - 98.15.255.255. The error given is: "The source needs to be a CIDR block or a Security Group ID."

Their example is in this form: 203.0.113.0/24, but I confess I don't fully understand that, unless it simply implies to allow the first 24 values of the last octet. If so, then I would need to supply hundreds or thousands of such rules.

MLu
S M
  • You'd be better off permitting your individual IP address. If it changes regularly then you can have a script on a raspberry pi / PC run every minute / hour / day to update your security groups to update / create new rules. Something like [this](http://www.edwiget.name/2013/11/automatically-changing-dynamic-ips-in-aws-security-group/). – Tim Sep 10 '19 at 23:16
  • You need to study subnets a little bit. 203.0.113.0/24 means 203.0.113.0 to 203.0.113.255. In your case you have a 98.0.0.0/12 subnet (which means exactly 98.0.0.0 - 98.15.255.255). So use that in your configuration. – Overmind Sep 11 '19 at 06:19

1 Answer


As the message says, Amazon requires a CIDR address in the security group, not an address range. CIDR is a way to describe network blocks by slicing the 32 bits of an IPv4 address into a network part and a host part.

The CIDR format is IP.AD.DR.ES/PREFIX, where the PREFIX is the length of the network part of the address in bits. For example, the network range 10.0.0.0 - 10.0.0.255 has the first 3 bytes assigned to the network and the last byte used by the hosts in the network. Hence the prefix is 3*8=24, and the network range 10.0.0.0 - 10.0.0.255 is equivalent to the CIDR range 10.0.0.0/24.

If your ISP address range is 98.0.0.0 - 98.15.255.255, it means that the first 12 bits of the address are their network block and the last 20 bits they can assign to hosts or internal networks. Hence the answer to your question is 98.0.0.0/12 - use this in the Security Group.

To calculate CIDRs from address ranges you can use for example https://ip2cidr.com/ or many other online tools.

I won't go into more details about CIDR here; read up on it on Wikipedia or google for something like "CIDR explanation".

Hope that helps :)

BTW Although your original question was on-topic it was asked in the answers, that's why it was deleted.

MLu
  • Ahh...got it, thank you. Makes perfect sense. Overwhelmed with things I'm learning, and not a network guru, but I'm working on it. – S M Sep 11 '19 at 18:24
  • I get downvoted for commenting on a valid answer that I found helpful?? Seriously? So now you'll downvote me for this too, I suppose? – S M Apr 17 '20 at 23:36
  • @SM take it easy mate, I didn’t downvote you ;) – MLu Apr 17 '20 at 23:44
  • No I figured it wasn't you, but probably Stack Overflow. I have no idea, but I think it's pretty lame. Thanks again for your help - much appreciated! – S M Apr 19 '20 at 15:58
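As an added worked example (not part of the original question or answer, and not AWS's own code), the following Python does by hand what the answer describes: it turns an inclusive address range into the smallest set of aligned CIDR blocks by finding, from the current start address, the largest block whose host bits are all zero and which still fits inside the range. It cross-checks the result against the standard library's `ipaddress.summarize_address_range`, and includes an illustrative approximation of the property the "must be a CIDR block" error enforces (a `/prefix` form with no host bits set, or a security group ID). All function names here are my own, and the sample ranges are constructed for the example; the check is not the actual AWS validation code.

```python
import ipaddress
from typing import List, Tuple


def prefix_to_mask(prefix: int) -> int:
    """32-bit netmask for a prefix length, e.g. 24 -> 0xFFFFFF00, 12 -> 0xFFF00000."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Convert an inclusive IPv4 range into the minimal list of CIDR blocks.

    Greedy algorithm: starting at `first`, shrink the prefix (grow the block)
    while the start address is still aligned to the block (host bits zero)
    and the block does not run past `last`; emit it and continue after it.
    A range that is exactly one aligned block, such as 98.0.0.0 - 98.15.255.255,
    collapses to a single CIDR (98.0.0.0/12).
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address is after last address")
    blocks = []
    while start <= end:
        prefix = 32
        while prefix > 0:
            candidate = prefix - 1
            size = 1 << (32 - candidate)
            aligned = (start & prefix_to_mask(candidate)) == start
            if not aligned or start + size - 1 > end:
                break
            prefix = candidate
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += 1 << (32 - prefix)
    return blocks


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check the manual conversion against ipaddress.summarize_address_range."""
    expected = [
        str(n)
        for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        )
    ]
    return range_to_cidrs(first, last) == expected


def check_security_group_source(source: str) -> Tuple[bool, str]:
    """Illustrative approximation (assumption, not the AWS API's own logic) of
    the rule behind "The source needs to be a CIDR block or a Security Group ID":
    accept an sg- identifier, or an IPv4 CIDR whose host bits are all zero.
    Returns (accepted, detail); detail is the covered range when accepted."""
    if source.startswith("sg-"):
        return True, "security group id"
    try:
        # strict=True rejects e.g. 98.0.0.1/12 because host bits are set.
        net = ipaddress.IPv4Network(source, strict=True)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{net.network_address}-{net.broadcast_address}"


def addresses_admitted(cidr: str) -> int:
    """How many source addresses a rule with this CIDR lets through."""
    return ipaddress.IPv4Network(cidr).num_addresses


if __name__ == "__main__":
    # Constructed sample ranges: the asker's ISP block, the answer's /24 example,
    # and a range that is NOT a single aligned block and so needs several rules.
    for first, last in [
        ("98.0.0.0", "98.15.255.255"),
        ("10.0.0.0", "10.0.0.255"),
        ("98.0.0.0", "98.20.255.255"),
    ]:
        print(f"{first} - {last} -> {range_to_cidrs(first, last)}")
    for src in ["98.0.0.0 - 98.15.255.255", "98.0.0.1/12", "98.0.0.0/12", "sg-0123"]:
        print(f"{src!r}: {check_security_group_source(src)}")
    print("addresses admitted by 98.0.0.0/12:", addresses_admitted("98.0.0.0/12"))
```

Two practical points the conversion makes visible: the range in the question happens to be exactly one aligned block, but many whois ranges are not, and then the correct answer is several CIDR rules (the third sample range above needs three), not one rule with a "close enough" prefix that quietly admits extra addresses. Second, a /12 admits 2^20 addresses, i.e. every customer of that ISP; the comment suggesting a /32 for your own current address (updated by a script when it changes) is the tighter choice for an administrative port.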