I am struggling to understand the correct format for whitelisting IP address ranges to a database and webapp hosted on an AWS EC2 instance.
For example, if this is a user's given IP address: 23.283.149.136
How would I whitelist the user's IP address range? I know IP addresses change subtle amounts.
Would it be 23.283.149.0/24? Or 23.283.149.0/32?
I ultimately ask the users for their work or home IP address to whitelist for the EC2 instance and have been having issues with their IP addresses changing.
You have to get more information on which subnet they are on, and whitelist that entire subnet. In your example, whitelisting the CIDR 23.283.149.0/24 would allow the last octet of the IP address to change and they would still be able to connect. Here are a couple of use cases I have run into in the past:
- Whitelisting a home router IP address. This usually comes in the form of a Wide Area Network (WAN) IP address that is assigned to the home router and doesn’t change. In this case, whitelisting a /32 of that address should be fine. If they decide to move homes or internet providers, you will have to manually change the whitelist.
- Corporate IP subnets. These can be wider, for example a /24, to allow for wider ranges of subnets.
Where this gets untenable is if you have to accommodate remote users, for example someone who is a digital nomad and connects from a coffee shop. In that case their IP address would change every day, sometimes multiple times a day, and would be impossible to manage.
As a result, many just allow 0.0.0.0/0, which is all IP addresses, on ports 443 or 80, and place filters in front that block out known bad IP addresses. AWS WAF is one product that could be used to help with this.
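As an added example (not part of the answer above), here is how the /32 versus /24 choice plays out in code using Python's standard `ipaddress` module. The addresses are constructed sample values from the RFC 5737 documentation ranges, and `rule_for` shows why a /24 rule is written with a `.0` last octet.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values only (RFC 5737 documentation ranges), not real users.
HOME_USER_IP = "203.0.113.136"   # home router WAN address: whitelist as /32
CORP_USER_IP = "198.51.100.27"   # office address: whitelist the /24 it sits in


def rule_for(ip, prefixlen):
    """Turn a user's address into the CIDR rule to put in a security group.

    strict=False masks off the host bits, so ("203.0.113.136", 24) becomes
    "203.0.113.0/24" instead of raising because host bits are set.
    """
    return str(ip_network(f"{ip}/{prefixlen}", strict=False))


def parse_allowlist(cidrs):
    """Parse rules; a malformed entry (octet > 255, bad prefix) raises ValueError."""
    return [ip_network(c, strict=False) for c in cidrs]


def is_allowed(client_ip, networks):
    """True if the connecting address falls inside any allowlisted network."""
    addr = ip_address(client_ip)
    return any(addr in net for net in networks)


def rule_width(cidr):
    """How many addresses a rule admits: 1 for a /32, 256 for a /24, 2**32 for /0."""
    return ip_network(cidr, strict=False).num_addresses


def audit_rule(cidr):
    """Label rules that are effectively 'everyone' so a filter (e.g. a WAF) goes in front."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "open-to-world"
    if net.prefixlen < 16:
        return "very-broad"
    return "ok"


def valid_ip(s):
    """Reject strings that are not real addresses before they reach the allowlist."""
    try:
        ip_address(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    allowlist = parse_allowlist([rule_for(HOME_USER_IP, 32), rule_for(CORP_USER_IP, 24)])
    for ip in ["203.0.113.136", "203.0.113.137", "198.51.100.250", "198.51.101.1"]:
        print(ip, "allowed" if is_allowed(ip, allowlist) else "blocked")
```

Running it shows the /32 admits only the exact home address, while the /24 admits any last octet in the office range and nothing outside it.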