AWS IP Range CIDR

Nov 22nd, 2019 - written by Kimserey.

AWS EC2 security group rules let us grant access to EC2 instances on specific ports from specific IP addresses. While ports and single addresses are easy to set up, the rules also accept CIDR notation, which lets one rule cover a whole range of addresses. Today we will see how CIDR notation works and how we can use it to define IP ranges.

IP CIDR Notation

An IP in CIDR notation is written as x.x.x.x/y, where x.x.x.x is the IP address and y is the prefix length, the number of leading 1 bits in the subnet mask.

An IPv4 address is made of four 8-bit numbers (octets), so its binary representation looks like 1111 1111 . 1111 1111 . 1111 1111 . 1111 1111, which is 255.255.255.255 in decimal. Each of the four numbers can be anything from 0 to 255, so an address could be 192.168.10.15, which in binary is 1100 0000 . 1010 1000 . 0000 1010 . 0000 1111.

Similarly, a subnet mask is a run of 1 bits followed by 0 bits. For example, 255.255.0.0 is 1111 1111 . 1111 1111 . 0000 0000 . 0000 0000.

Therefore 192.168.10.15 with a subnet mask of 255.255.0.0 gives the subnet address 192.168.0.0 (the result of IP AND subnet mask). The number after the slash in CIDR notation is simply the count of 1 bits from left to right, here 16, hence the CIDR notation would be 192.168.10.15/16.

Now that we understand CIDR notation, let's see how we can use it to define an IP range in an AWS EC2 security group.

AWS Security Group

Taking back the previous example, we can define an inbound rule of 192.168.10.15/17.

Example

We saw above that the binary representation of 192.168.10.15 is 1100 0000 . 1010 1000 . 0000 1010 . 0000 1111. 17 being the number of 1 bits, we can conclude that the subnet mask is 1111 1111 . 1111 1111 . 1000 0000 . 0000 0000. Now if we AND both, we find that the subnet is:

IP      1100 0000 . 1010 1000 . 0000 1010 . 0000 1111   (192.168.10.15)
MASK    1111 1111 . 1111 1111 . 1000 0000 . 0000 0000   (255.255.128.0, /17)
SUBNET  1100 0000 . 1010 1000 . 0xxx xxxx . xxxx xxxx   (192 . 168 . 0-127 . 0-255)

Because the prefix is 17, the first (most significant) bit of the third octet is covered by the mask and must equal the corresponding bit of the IP, which is 0; the remaining seven bits are free, which constrains the third octet to 0-127. This allows subnets to be divided even further, and in our case it lets us constrain the IP address range in a granular fashion.

Therefore this rule will match IP addresses from 192.168.0.0 to 192.168.127.255, which is a range of 32768 addresses: 128 (0-127) for the third octet times 256 (0-255) for the fourth.
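The AND-with-mask computation above, carried out bit by bit in code. This is an added example and not code from the original post; the function names (to_int, mask_for, cidr_range, in_range) are my own, and the standard library's ipaddress module is only used at the end to cross-check the hand-rolled result.

```python
# Added example: CIDR arithmetic done by hand, the way the post walks
# through 192.168.10.15/17. Function names are this example's own.
import ipaddress  # used only to cross-check the manual computation


def to_int(ip: str) -> int:
    """Pack a dotted quad such as 192.168.10.15 into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for(prefix: int) -> int:
    """Subnet mask with `prefix` leading 1 bits, e.g. /17 -> 255.255.128.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def to_bin_groups(value: int) -> str:
    """Render like the post: 1100 0000 . 1010 1000 . 0000 1010 . 0000 1111"""
    bits = format(value, "032b")
    octets = [bits[i:i + 8] for i in range(0, 32, 8)]
    return " . ".join(f"{o[:4]} {o[4:]}" for o in octets)


def cidr_range(cidr: str):
    """Return (network, last address, count) for x.x.x.x/y.

    network = IP AND mask; last = network OR NOT mask; count = 2^(32 - y).
    """
    ip_str, prefix_str = cidr.split("/")
    ip, prefix = to_int(ip_str), int(prefix_str)
    mask = mask_for(prefix)
    network = ip & mask
    last = network | (~mask & 0xFFFFFFFF)
    return to_dotted(network), to_dotted(last), 2 ** (32 - prefix)


def in_range(ip: str, cidr: str) -> bool:
    """True when `ip` lands in the same subnet as `cidr` after masking."""
    net_str, prefix_str = cidr.split("/")
    mask = mask_for(int(prefix_str))
    return to_int(ip) & mask == to_int(net_str) & mask


if __name__ == "__main__":
    cidr = "192.168.10.15/17"
    ip_str, prefix_str = cidr.split("/")
    mask = mask_for(int(prefix_str))
    print("IP     ", to_bin_groups(to_int(ip_str)))
    print("MASK   ", to_bin_groups(mask), f"({to_dotted(mask)})")
    print("SUBNET ", to_bin_groups(to_int(ip_str) & mask))
    network, last, count = cidr_range(cidr)
    print(f"{cidr} covers {network} - {last} ({count} addresses)")
    # Cross-check against the standard library (strict=False accepts host bits set).
    net = ipaddress.ip_network(cidr, strict=False)
    assert (str(net.network_address), str(net.broadcast_address), net.num_addresses) == (network, last, count)
```

Running the script prints the three rows of the table above and the range 192.168.0.0 - 192.168.127.255 with 32768 addresses; in_range gives a quick way to check whether a given source address would be matched by the rule before it is deployed.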

ISP Restriction

An Internet service provider's address allocation can be a useful way to restrict IP addresses, since it roughly corresponds to a range of IPs in the same geographic area. For example, we can restrict our website to viewers in Ireland using Vodafone by finding Vodafone's IP ranges. We can get those from websites like db-ip.

We can then restrict our website to 109.76.0.0/16, 109.77.0.0/16, 109.79.0.0/16, that would cover about 240,000 users which according to db-ip is about half of the known IP addresses for Vodafone in Ireland under VODAFONE-IRELAND-ASN.
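The three ranges above turned into a security group inbound rule, with each CIDR validated first and a client address checked against the result. This is an added example, not code from the post or from AWS; the function names are my own, the IpPermissions dictionary is the shape boto3's ec2.authorize_security_group_ingress call takes (boto3 itself is not imported so the script runs offline), and the port 443 and rule description are assumed values.

```python
# Added example: build an EC2 ingress rule from ISP ranges. Function names
# are this example's own; the dict layout follows boto3's IpPermissions.
import ipaddress

# The three Vodafone Ireland /16 ranges quoted in the post.
VODAFONE_IE = ["109.76.0.0/16", "109.77.0.0/16", "109.79.0.0/16"]


def normalise(cidr: str) -> str:
    """Reject malformed input and rewrite host-style entries such as
    192.168.10.15/17 to the network address the mask selects (192.168.0.0/17)."""
    return str(ipaddress.ip_network(cidr, strict=False))


def collapse_cidrs(cidrs):
    """Merge adjacent or overlapping ranges so the rule list stays short:
    109.76.0.0/16 and 109.77.0.0/16 fold into 109.76.0.0/15, 109.79.0.0/16 stays."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ingress_rule(cidrs, port=443, protocol="tcp", description="ISP range"):
    """One IpPermissions entry, as passed to
    ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[rule])."""
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": normalise(c), "Description": description} for c in cidrs],
    }


def is_allowed(client_ip: str, rule) -> bool:
    """Would this source address pass the rule? Same IP AND mask comparison
    the post describes, done here by the ipaddress module."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


if __name__ == "__main__":
    rule = ingress_rule(VODAFONE_IE)
    for r in rule["IpRanges"]:
        print(r["CidrIp"], ipaddress.ip_network(r["CidrIp"]).num_addresses, "addresses")
    print("collapsed:", collapse_cidrs(VODAFONE_IE))
    for ip in ("109.77.12.34", "109.78.1.1"):
        print(ip, "allowed" if is_allowed(ip, rule) else "blocked")
```

Each /16 holds 65,536 addresses, and 109.78.0.0/16 is deliberately absent from the list, so 109.78.1.1 is reported as blocked. Keeping a Description on every range matters in practice: ISP allocations change over time, and the description is what lets you find and re-check the entries that came from a db-ip lookup rather than from your own network.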

Conclusion

Today we saw how IP CIDR notation can be used to provide access to a subset of IP addresses. We started by looking at what IP CIDR notation is and what the bit representation of an IP address is. We then moved on to a concrete example of building a CIDR expression to allow an IP range in an EC2 inbound rule, and lastly we looked at how to allow a subset of users from a particular ISP. Hope you liked this post, see you on the next one!
