
 

Cisco Meraki Documentation

Determining IP address ranges needed for *.amazon.com (s3.amazon.com)

Systems Manager networks require communication with *.amazon.com through the upstream firewall. Features such as mobile configurations, deployment profiles, and temporary copies of software installation files are stored securely on Amazon servers for each Systems Manager network. Without this access, these settings and files will not be pushed to the device. If an upstream filter or security policy does not allow firewall rules by domain name, the IP address of the Amazon Cloud instance can be found from on-site using the following instructions. Because these IP addresses differ with geographical location, the lookup cannot be run from a remote machine.

Note: Each mobile device needs to be able to individually access Amazon. If the device connects through a network that does not allow access to Amazon, updates requiring that storage will be postponed until connectivity is established.


1. Find the IP address of s3.amazonaws.com

2. Run a whois on that IP address

3. The IP range Amazon uses will display


1. Find the IP address of s3.amazonaws.com


Using a tool such as dig or nslookup from a command prompt, find the IP address of s3.amazonaws.com. Both Windows 7 and Mac OS X include nslookup by default.




2. Run a whois


Using the whois command, or an external page such as ARIN, look up the IP address from step 1 to determine the IP address range that is used. The NetRange field indicates the range of addresses, and the CIDR field provides a CIDR notation for this range, which may be needed in some firewalls.



3. Add the IP range to an upstream firewall


This displayed range contains the public-facing IP addresses Amazon uses for the S3 cloud in your area. Again, these vary based on geography, so ensure this test is run on-site. With this IP range determined, simply add a rule in any upstream firewall device. If that device is an MX Security Appliance, then information on creating rules of this type can be found here. For third-party devices, please refer to the product documentation.
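The whois parsing from step 2 as a script, with a re-check that tells you whether the ranges you allowed still cover what DNS returns on a later lookup. This is an added example, not Meraki's code: the whois text is constructed from documentation address space, the function names are hypothetical, and `ip_in_cidr` handles IPv4 only.

```shell
#!/bin/sh
# Added example, not Meraki code. SAMPLE_WHOIS is constructed from
# documentation address space; these are NOT real Amazon ranges.
SAMPLE_WHOIS='NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-PARENT

NetRange:       203.0.113.0 - 203.0.113.191
CIDR:           203.0.113.0/25, 203.0.113.128/26
NetName:        EXAMPLE-CHILD'

# parse_whois_cidrs: whois text on stdin -> one CIDR per line, de-duplicated.
# Handles several records and comma-separated CIDR fields.
parse_whois_cidrs() {
  awk '/^CIDR:/ {
         sub(/^CIDR:[ \t]*/, ""); gsub(/[ \t\r]+$/, "")
         n = split($0, c, /,[ \t]*/)
         for (i = 1; i <= n; i++) print c[i]
       }' | sort -u
}

# ip_to_int: dotted-quad IPv4 address -> integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_cidr IP CIDR: succeeds when the IPv4 address lies inside the block.
ip_in_cidr() {
  mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# uncovered_ips "CIDR list": IPv4 addresses on stdin -> those no block covers.
uncovered_ips() {
  while read -r ip; do
    hit=no
    for cidr in $1; do
      if ip_in_cidr "$ip" "$cidr"; then hit=yes; break; fi
    done
    if [ "$hit" = no ]; then echo "$ip"; fi
  done
}

# Offline demo on the constructed sample. On-site, with dig and whois installed:
#   ip=$(dig +short A s3.amazonaws.com | grep -E '^[0-9.]+$' | head -n 1)
#   rules=$(whois "$ip" | parse_whois_cidrs)
#   dig +short A s3.amazonaws.com | grep -E '^[0-9.]+$' | uncovered_ips "$rules"
printf '%s\n' "$SAMPLE_WHOIS" | parse_whois_cidrs
```

An empty result from `uncovered_ips` means every address in the current DNS answer falls inside the ranges already allowed; any address it prints needs its own whois lookup before the firewall rule is complete.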


Utilizing Amazon's cloud technology allows us to adapt faster and better to storage needs, making for a better experience using the Systems Manager product. With a firewall rule created, and traffic uninhibited, software installations, configuration storage, and deployment profiles can be used with ease.