How Cloud Providers Publish Their IP Ranges (and Why You Should Monitor Them)
AWS, Google Cloud, and Azure all publish their IP ranges as machine-readable JSON feeds. Security teams use these to allowlist traffic, detect exfiltration, and stay ahead of IP space changes.
Every major cloud provider maintains a machine-readable list of the IP prefixes they operate. These feeds are updated whenever a provider adds a new region, expands an existing one, or retires old address space. For network engineers, these feeds are essential: they are the authoritative answer to "is this IP address from AWS?" and the basis for allowlisting, alerting, and traffic analysis.
AWS IP Ranges
Amazon Web Services publishes its IP ranges at https://ip-ranges.amazonaws.com/ip-ranges.json. The feed includes a sync token (a Unix timestamp that changes with each update) and a creation date. Each entry lists an IP prefix, the AWS region (e.g. us-east-1), and a service label (e.g. EC2, CLOUDFRONT, S3, AMAZON). The AMAZON service tag covers the entire AWS IP space and is a superset of all other service tags. Browse the current dataset on our AWS IP ranges page.
Google Cloud IP Ranges
Google Cloud publishes its ranges at https://www.gstatic.com/ipranges/cloud.json. The format is similar to AWS: each entry has an IPv4 prefix, a service name, and a scope (region or global). Google also publishes a separate feed for its broader Google infrastructure (including Googlebot, Google APIs, etc.) at a different endpoint. Our Google Cloud IP ranges page covers the cloud-specific prefixes.
Azure IP Ranges
Microsoft Azure takes a different approach: rather than a single JSON endpoint, Azure uses Service Tags — named groups of IP prefixes associated with specific Azure services. The downloadable JSON file (updated weekly) contains thousands of prefixes grouped by service tag, region, and platform. The Azure IP ranges page explains the service tag system in detail.
Why Monitor These Feeds
Cloud IP space changes constantly. AWS adds new regions, expands existing ones, and occasionally retires blocks. If your firewall allows specific AWS CIDR blocks and AWS adds new prefixes, your allowlist immediately becomes incomplete. Organisations that need tight egress control — preventing data exfiltration through cloud services, for example — must track these feeds to keep their rules current.
Practical Monitoring Approaches
- Sync token check: Compare the AWS sync token on each poll. If it changes, pull the full feed and diff against your known set.
- Webhook notifications: AWS SNS publishes an event whenever ip-ranges.json changes. Subscribe to the topic arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged.
- Scheduled diffs: A daily cron that downloads the feed and diffs against yesterday's version gives you a change log for audit purposes.
- SIEM integration: Feed current cloud IP ranges into your SIEM so analysts can quickly determine whether an IP in an alert belongs to a cloud provider.
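As an added example (not code from this page or from AWS), here is the sync-token check and diff from the list above applied to two constructed ip-ranges.json snapshots, plus the "is this IP address from AWS?" lookup described earlier. The field names follow the public feed's schema; the prefixes are documentation ranges, not real AWS address space.

```python
import ipaddress

# Two constructed snapshots in the shape of ip-ranges.json (documentation ranges,
# not real AWS space): the newer one adds a region's block and retires another.
# In production, build each dict with json.loads() of the downloaded feed body.
OLD_FEED = {"syncToken": "1700000000", "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"}],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"}]}
NEW_FEED = {"syncToken": "1700086400", "createDate": "2023-11-15-22-13-20",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/25", "region": "ap-southeast-4", "service": "AMAZON"}],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"}]}

def entries(feed):
    """Flatten the IPv4 and IPv6 sections into (network, region, service) tuples."""
    out = set()
    for e in feed["prefixes"]:
        out.add((ipaddress.ip_network(e["ip_prefix"]), e["region"], e["service"]))
    for e in feed["ipv6_prefixes"]:
        out.add((ipaddress.ip_network(e["ipv6_prefix"]), e["region"], e["service"]))
    return out

def changed(known_token, feed):
    """Sync-token check: True only when the provider has republished the feed."""
    return feed["syncToken"] != known_token

def diff(old, new):
    """Entries added and removed between two snapshots, as 'prefix region service'."""
    a, b = entries(old), entries(new)
    fmt = lambda s: sorted(f"{n} {r} {svc}" for n, r, svc in s)
    return fmt(b - a), fmt(a - b)

def lookup(feed, ip):
    """Answer 'is this IP from AWS?': the most specific covering prefix, its region
    and every service tag on it (AMAZON plus any narrower tag), or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(n, r, s) for n, r, s in entries(feed) if addr in n]
    if not hits:
        return None
    best = max(hits, key=lambda h: h[0].prefixlen)[0]
    region = next(r for n, r, _ in hits if n == best)
    return str(best), region, sorted(s for n, _, s in hits if n == best)

if __name__ == "__main__":
    if changed(OLD_FEED["syncToken"], NEW_FEED):
        print("added/removed:", diff(OLD_FEED, NEW_FEED))
    print(lookup(NEW_FEED, "198.51.100.77"))
```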