How can I identify and resolve unwanted health checks from Route 53?
Last updated: 2020-06-18
My server is receiving unwanted requests from Amazon Route 53 health check servers. How can I identify and resolve this issue?
When you associate health checks with an endpoint, Route 53 sends health check requests to the endpoint IP address to validate that they're operating as intended. An issue can occur if an incorrect IP address is specified, or if a health check isn't updated or deleted when necessary.
Identify the source of unwanted requests
1. Find the source IP address of the unwanted request using the Route 53 IP address ranges. For more information, see "ROUTE53_HEALTHCHECKS" on the IP address ranges of Route 53 servers page.
2. Check the application server logs to determine whether the request was sent by the Route 53 health check servers. Route 53 health checks set the following HTTP header when performing health checks:
"Amazon-Route53-Health-Check-Service (ref <reference ID/ b5996862-d894-4595-88da-7940808e9665>; report http://amzn.to/1vsZADi)"
Example Application Load Balancer access log:
http 2020-05-12T14:14:25.000265Z app/myapplicationloadbalancer 220.127.116.11:49816 10.0.3.64:80 -1 -1 -1 502 - 241 288 "GET http:// <ALB DNS NAME>:80/ HTTP/1.1" "Amazon-Route53-Health-Check-Service (ref b5996862-d894-4595-88da-7940808e9665; report http://amzn.to/1vsZADi)" - - arn:aws:elasticloadbalancing:us-east-1:<account ID>:targetgroup/mytargetgroup
Example Microsoft Internet Information Services (IIS) access log:
Example Apache access log:
18.104.22.168 - - [time] "GET / HTTP/1.1" 403 3839 "-" "Amazon Route 53 Health Check Service; ref:47d9bc51-39d6-4cd9-9a7f-4c981c5db165; report http://amzn.to/1vsZADi"
Example NGINX access log:
NGINX access log entry: 22.214.171.124 - - [time] "GET / HTTP/1.1" 200 3770 "-" "Amazon Route 53 Health Check Service; ref:2e44063d-3b85-47c3-801e-6748cd542386; report http://amzn.to/1vsZADi" "-"
Delete or block the source of unwanted requests
1. Copy the health check ID from the application service logs.
If the health check isn't available from your AWS account, block the IP address of the health check. To block the IP address, use firewall rules, security groups, or network access control lists (NACLs).
Important: To report suspected Route 53 health check abuse, see Stop unwanted Amazon Route 53 health checks.