Identifying the Correct AWS IP Range for a Firewall Whitelist
Question
I currently have an AWS Lambda function I’m configuring to connect with our sFTP server. I have an account created, but I need a list or range of IP addresses to get whitelisted in our firewall. AWS posts its outbound IP address ranges here…
https://ip-ranges.amazonaws.com/ip-ranges.json
That’s great, but the only IP address I can seem to pull from my Lambda function does not fall into any of these ranges. I presume it’s an internal IP address. Does anyone have experience mapping internal AWS cloud IPs to external ones listed in the ranges? Thank you.
Answer 1
Score: 2
Your Lambda should be attached to a VPC. Then the IP address(es) of your VPC's NAT Gateway(s) will be the ones your Lambda is coming from.
If your sFTP server is also in AWS, you may want to also set it up with a Private Route, so you don't have to cross the internet. But this would require the IP addresses in your VPC to be in a separate range from the sFTP server's.
Answer 2
Score: 0
You need to find the public IP for your VPC. This could be your NAT Gateway or an Elastic IP.
Once you find this IP address you can look up the IP on https://www.queryaws.net and it'll give you the subnet, region and service.
You can use that single host in your FW allow list, but it's better to use the subnet, or even better you can take the region and service and look up all the prefixes that match them using the Attribute search on https://www.queryaws.net too.
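The lookup this answer describes, done offline against ip-ranges.json, as an added example that is not part of the thread: the sample document below is constructed (documentation address blocks), the function names are mine, and the real file at https://ip-ranges.amazonaws.com/ip-ranges.json uses the same keys.

```python
import ipaddress
import json

# Constructed stand-in for ip-ranges.json. The real file has the same shape:
# "prefixes" entries carry ip_prefix, region, service and network_border_group.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [],
})


def load_prefixes(doc: str) -> list[dict]:
    """Parse ip-ranges.json text into (network, region, service) entries."""
    data = json.loads(doc)
    return [
        {"network": ipaddress.ip_network(p["ip_prefix"]), "region": p["region"], "service": p["service"]}
        for p in data["prefixes"]
    ]


def classify_ip(ip: str, prefixes: list[dict]) -> list[dict]:
    """Return every entry whose prefix contains `ip`. The same block is often listed under
    several services (e.g. AMAZON and EC2), so one NAT Gateway EIP can yield several hits;
    a private address, like the one the question saw inside Lambda, yields none."""
    addr = ipaddress.ip_address(ip)
    return [p for p in prefixes if addr in p["network"]]


def allow_list_for(region: str, service: str, prefixes: list[dict]) -> list[str]:
    """All prefixes for a region/service pair, collapsed to the minimal CIDR set for the firewall."""
    nets = [p["network"] for p in prefixes if p["region"] == region and p["service"] == service]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_IP_RANGES)
    nat_eip = "203.0.113.45"  # constructed: the egress address the sFTP server would see
    for hit in classify_ip(nat_eip, prefixes):
        print(nat_eip, "is in", hit["network"], hit["region"], hit["service"])
    print("allow list:", allow_list_for("us-east-1", "EC2", prefixes))
```

A NAT Gateway's Elastic IP is a single address you control, whereas every prefix in ip-ranges.json is shared with all other AWS customers in that region and service, so the collapsed prefix list is the broader grant and the single EIP the tighter one.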