Companies that set up servers with popular cloud providers might assume that their IP addresses will be associated with the countries those providers' data centers are located in, but that isn't always the case.
David O'Neill, founder and CEO of APImetrics, an API monitoring provider, discovered this when running API tests on behalf of a client in the European Union that must block access to requests from non-EU users due to online gambling regulatory requirements.
APImetrics' tests were run using machines located in European data centers of Amazon AWS, Google Cloud Platform and Microsoft Azure. O'Neill was able to verify that the servers in each were relatively co-located by running API calls between servers hosted at each of the three providers. But when running tests with Google Cloud Platform and Microsoft Azure, requests were blocked as being out of region.
O'Neill's suspicion: "It looks like Google and Microsoft use IP address ranges that are all US regardless of where the servers are located."
Although O'Neill noted that "reverse IP look-up is more of an art than a science," the problems he ran into with Google Cloud Platform and Azure appeared to be widespread. That suggested to him that "a small number of random IP addresses were correctly located but not enough to give a consistent experience."
According to O'Neill, this is probably an issue that hasn't been top of mind for the affected providers. "Google does have a huge ‘block’ of IP addresses that their Cloud Platform uses and we’ve seen other problems when some of that range is blacklisted temporarily by another service too," he explained. "Which makes us think that this hasn’t been something that a lot of thought has been put into."
I reached out to Google and Microsoft for comment and a Microsoft employee pointed me to the Azure datacenter IP ranges, which Microsoft provides in XML format. In testing a random sample of IP addresses associated with the company's European and Southeast Asian data centers through IP Location, I found that some geolocation data providers were able to identify the IP addresses as being within the expected region, while others were not.
For example, IP2Location correctly identified an IP address associated with the Microsoft Azure Southeast Asian data center as being located in Singapore while four other geolocation data providers identified the same IP address as being located in Washington state, where Microsoft is headquartered.
This highlights the aforementioned challenges associated with reverse IP look-up and confirms that the issue is a real one that certain companies might have to grapple with. So what can affected companies do? Unfortunately, there don't appear to be many options.
"Technically speaking, it is not the responsibility of Google nor Microsoft to accurately report the location of specific IP addresses — and if they’ve bought their IP ranges centrally and manage them centrally, it might be impossible for them to do so on a local basis," O'Neill told me. "We do see a lot more variability in Amazon IP addresses suggesting to us that they’ve bought ranges locally when they’ve set up their server farms."
Based on his experience, "For people building web solutions that have a requirement to be very regionally specific, then we would say that at the moment that AWS would be a better choice for developers." He also added, "What is unclear to us at the moment is how easy this will be for Google and Microsoft to fix, but it probably should be fixed for the benefit of people using IP blocking to determine access for content, specialist services like gambling, or confirming the location of servers for PII (Personal Identifying Information) purposes."
In the meantime, companies that use geolocation should be aware of this issue and might want to consider using multiple geolocation data providers, as well as the official IP address range information where it is offered by cloud providers.
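The following sketch is an added example, not code from APImetrics or any provider, showing one way to combine the two recommendations above: trust a cloud provider's published ranges first, and fall back to agreement among several geolocation databases only when no published range matches. The XML element and attribute names, the subnets (RFC 5737 documentation ranges), the database names and the `quorum` parameter are all assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: element/attribute names are assumed for illustration and
# the subnets are RFC 5737 documentation ranges, not real cloud addresses.
SAMPLE_RANGES_XML = """<PublicIpAddresses>
  <Region Name="europewest" Country="NL"><IpRange Subnet="192.0.2.0/24"/></Region>
  <Region Name="asiasoutheast" Country="SG"><IpRange Subnet="198.51.100.0/24"/></Region>
</PublicIpAddresses>"""

def load_official_ranges(xml_text):
    """Parse the published range file into (network, country) pairs."""
    root = ET.fromstring(xml_text)
    return [(ipaddress.ip_network(rng.get("Subnet")), region.get("Country"))
            for region in root.iter("Region")
            for rng in region.iter("IpRange")]

def resolve_country(ip, official_ranges, provider_answers, quorum=2):
    """Return (country, source). Official ranges win over geolocation databases;
    otherwise a country needs `quorum` providers and a strict lead over the runner-up."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, cc) for net, cc in official_ranges if addr in net]
    if hits:
        # The most specific (longest-prefix) published range decides.
        return max(hits, key=lambda h: h[0].prefixlen)[1], "official-range"
    votes = Counter(cc for cc in provider_answers.values() if cc).most_common(2)
    if not votes or votes[0][1] < quorum:
        return None, "insufficient-agreement"
    if len(votes) == 2 and votes[0][1] == votes[1][1]:
        return None, "providers-disagree"
    return votes[0][0], "provider-consensus"

if __name__ == "__main__":
    ranges = load_official_ranges(SAMPLE_RANGES_XML)
    # Constructed answers mirroring the article: one database says SG, four say US.
    answers = {"db_a": "SG", "db_b": "US", "db_c": "US", "db_d": "US", "db_e": "US"}
    print(resolve_country("198.51.100.7", ranges, answers))  # published range decides
    print(resolve_country("198.51.100.7", [], answers))      # majority vote alone
```

With the constructed answers, the second call shows that a simple majority of databases can agree on the wrong country, which is why the published range is consulted first.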