Configuring router and firewall rules for Amazon Route 53 health checks - Amazon Route 53
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring router and firewall rules for Amazon Route 53 health checks

When Route 53 checks the health of an endpoint, it sends an HTTP, HTTPS, or TCP request to the IP address and port that you specified when you created the health check. For a health check to succeed, your router and firewall rules must allow inbound traffic from the IP addresses that the Route 53 health checkers use. Scope that rule to the protocol and port of the health check rather than opening all ports to the checker ranges; the checkers only ever connect to the port you configured.

For the current list of IP addresses for Route 53 health checkers, for Route 53 name servers, and for other Amazon services, see IP address ranges of Amazon Route 53 servers.

In Amazon EC2, security groups act as firewalls. For more information, see Amazon EC2 security groups in the Amazon EC2 User Guide for Linux Instances. To configure your security groups to allow Route 53 health checks, you can either allow inbound traffic from each IP address range, or you can use an Amazon-managed prefix list.

To use the Amazon-managed prefix list, modify your security group to allow inbound traffic from com.amazonaws.<region>.route53-healthchecks, where the <region> is the Amazon Web Services Region of your Amazon EC2 instance or resource. If you are using Route 53 health checks to check IPv6 endpoints, you should also allow inbound traffic from com.amazonaws.<region>.ipv6.route53-healthchecks.

For more information about Amazon-managed prefix lists, see Work with Amazon-managed prefix lists in the Amazon VPC User Guide.

Important

When you add IP addresses to a list of allowed IP addresses, add all the IP addresses in the CIDR range for each Amazon Region that you specified when you created health checks, as well as the Global CIDR range. You might see that health check requests come from just one IP address in a Region. However, that IP address can change at any time to another of the IP addresses for that Region.

If you want to make sure that you include both the current and older health checker IP addresses, add ALL /26 and /18 IP address ranges to the allow list. For a complete list, see Amazon IP address ranges in the Amazon Web Services General Reference.

When you reference the Amazon-managed prefix list in an inbound security group rule, that single rule covers every range in the list, and Amazon updates the list as health checker addresses change, so you do not maintain the CIDRs yourself. Note that a prefix list counts against the security group's rule quota by its maximum number of entries, not by the one rule you added.
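The two approaches above (allowing each CIDR range from the published address list, or referencing the managed prefix lists) are easy to get subtly wrong: a rule that covers only the one address seen in the logs, or only the Region's ranges without the Global range, will break the moment the checker rotates. The following is an added example, not code from the Route 53 documentation. It assumes the schema of the published ip-ranges.json file (prefixes[].ip_prefix, ipv6_prefixes[].ipv6_prefix, region, service) and the EC2 IpPermissions structure accepted by authorize-security-group-ingress; the CIDRs in the embedded sample are constructed documentation ranges, not real health checker addresses. It builds the full allow list for a Region plus GLOBAL, verifies whether a probe's source address actually belongs to a health checker (useful when triaging "health check" traffic in access logs), and emits both the per-CIDR rule body and the prefix list names to reference instead.

```python
"""Route 53 health-checker allow-list helpers.

Added example, not code from the Route 53 documentation. It assumes the
published schema of https://ip-ranges.amazonaws.com/ip-ranges.json
(prefixes[].ip_prefix, ipv6_prefixes[].ipv6_prefix, region, service) and the
EC2 IpPermissions structure used by authorize-security-group-ingress.
"""
import ipaddress
import json

SERVICE = "ROUTE53_HEALTHCHECKS"

# Constructed sample in the shape of ip-ranges.json. The CIDRs are RFC 5737 /
# RFC 3849 documentation ranges, NOT real Route 53 health-checker addresses;
# download the live file and pass its text to the same functions.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/26", "region": "us-east-1", "service": SERVICE},
        {"ip_prefix": "192.0.2.64/26", "region": "us-east-1", "service": SERVICE},
        {"ip_prefix": "198.51.64.0/18", "region": "GLOBAL", "service": SERVICE},
        {"ip_prefix": "203.0.113.0/26", "region": "eu-west-1", "service": SERVICE},
        {"ip_prefix": "203.0.113.128/26", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": SERVICE},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "GLOBAL", "service": SERVICE},
        {"ipv6_prefix": "2001:db8:3::/48", "region": "eu-west-1", "service": SERVICE},
    ],
})


def healthchecker_networks(ip_ranges_json, regions):
    """Every ROUTE53_HEALTHCHECKS prefix (IPv4 and IPv6) for the given health
    check Regions plus GLOBAL, which the allow list must always include.
    Other services and Regions are dropped and duplicates collapsed."""
    data = json.loads(ip_ranges_json)
    wanted = set(regions) | {"GLOBAL"}
    nets = set()
    for p in data.get("prefixes", []):
        if p["service"] == SERVICE and p["region"] in wanted:
            nets.add(ipaddress.ip_network(p["ip_prefix"]))
    for p in data.get("ipv6_prefixes", []):
        if p["service"] == SERVICE and p["region"] in wanted:
            nets.add(ipaddress.ip_network(p["ipv6_prefix"]))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def is_healthchecker(source_ip, nets):
    """True if a probe's source address falls inside the allow list. Run this
    over access logs: a 'health check' from outside these ranges is not Route 53."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in n for n in nets)  # membership is False across IP versions


def ip_permissions_from_cidrs(nets, port):
    """IpPermissions body for authorize-security-group-ingress when you allow
    the CIDR ranges directly: one TCP rule on the health-check port only."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": str(n), "Description": "Route 53 health checkers"}
                     for n in nets if n.version == 4],
        "Ipv6Ranges": [{"CidrIpv6": str(n), "Description": "Route 53 health checkers"}
                       for n in nets if n.version == 6],
    }]


def prefix_list_names(region, ipv6_endpoints=False):
    """Names of the Amazon-managed prefix lists to reference instead of raw
    CIDRs; resolve them to pl-... IDs with describe-managed-prefix-lists."""
    names = [f"com.amazonaws.{region}.route53-healthchecks"]
    if ipv6_endpoints:
        names.append(f"com.amazonaws.{region}.ipv6.route53-healthchecks")
    return names


if __name__ == "__main__":
    nets = healthchecker_networks(SAMPLE_IP_RANGES, ["us-east-1"])
    for n in nets:
        print("allow", n)
    print("192.0.2.70 is checker:", is_healthchecker("192.0.2.70", nets))
    print("203.0.113.5 is checker:", is_healthchecker("203.0.113.5", nets))
    print(json.dumps(ip_permissions_from_cidrs(nets, 443), indent=2))
    print(prefix_list_names("us-east-1", ipv6_endpoints=True))
```

With the live file, pass the Regions you selected when you created the health checks; GLOBAL is added automatically. The per-CIDR rule body goes to `aws ec2 authorize-security-group-ingress --ip-permissions` (or the equivalent SDK call), and each CIDR consumes one rule in the security group, which is why the prefix list is the better choice for anything beyond a handful of ranges.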