Known hosts outbound ip

Samantha Adrichem July 15, 2025

This Bitbucket feature [image.png] used to use the Atlassian outbound IPs as listed here: https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/

However, it doesn't seem to be doing that anymore, so the fetch button is now failing, for we of course block unknown IPs in the firewall for security reasons.

We can't go whitelisting the entirety of Amazon Web Services. So what are the outbound IPs for this lovely feature?

 

2 answers

0 votes
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 16, 2025

Hi Samantha,

It's not clear which IPs you have whitelisted.

I believe the SSH keyscans are running from the exhaustive list of IP addresses mentioned in the second paragraph of this section:

and not only from the Atlassian IP ranges listed below this section. I will reach out to the development team to double-check, and I will let you know as soon as I have an update.

If you don't want to whitelist all AWS IP ranges, you can work around this the following way:

Prerequisites

  • The pipelines step has a size of 4x or larger (please keep in mind that larger size steps consume more build minutes than 1x steps)
  • The pipelines step has the flag atlassian-ip-ranges
  • The Docker image used as a build container for the step needs to have an SSH client installed, or you'll need to install one during the step
  • You whitelist on your server the IP ranges and addresses mentioned in this section, Atlassian IP ranges

Then, in your bitbucket-pipelines.yml file, in the step where you connect to your server, add the following command:

- ssh-keyscan ip_or_domain_name_of_server >> ~/.ssh/known_hosts

Replace ip_or_domain_name_of_server with the public IP address or domain name of your server.

If the step has a size of 4x or larger and the atlassian-ip-ranges flag, then it will run from one of the IPs listed in Atlassian IP ranges and you will only need to whitelist the IPs mentioned in that section. The command will then be able to connect to your server to fetch its fingerprint in known_hosts, and then you can add the ssh command that connects to your server. So, the step would look like this (in bold are the necessary step options for this to work):

image: atlassian/default-image:4

pipelines:
  default:
    - step:
        size: 4x
        runtime:
          cloud:
            atlassian-ip-ranges: true
        script:
          - echo "I use atlassian-ip-ranges"
          - ssh-keyscan ip_or_domain_name_of_server >> ~/.ssh/known_hosts
          - <ssh command to your server>

If your server is listening on a port other than the default one for SSH (which is port 22), you'll need to specify it in the ssh-keyscan command, as follows:

- ssh-keyscan -p port_number ip_or_domain_name_of_server >> ~/.ssh/known_hosts

where port_number is replaced with the number of the port where your server accepts SSH connections.

Please feel free to reach out if you have any questions!

Kind regards,
Theodora

Samantha Adrichem July 17, 2025

I believe the SSH keyscans are running from the exhaustive list of IP addresses mentioned in the second paragraph of this section:

That's the list we whitelisted

 

If you don't want to whitelist all AWS IP ranges, you can work around this the following way:

It's not the pipelines itself, we already use 4x in the pipelines and that works fine. It's the web interface's repository settings -> ssh keys -> known hosts -> fetch button for remote hosts.

 

- ssh-keyscan ip_or_domain_name_of_server >> ~/.ssh/known_hosts

That could work, but the interface button is preferred. Will test this as a work-around though 

 

[edit]: work-around works, still would love to have the IPs whitelisted correctly to do it in the interface though, since the entire thought about loading it once and remembering it, instead of determining it each run, is that you're sure it's your server.

Theodora Boudale
Atlassian Team
July 18, 2025

Hi Samantha,

Thank you for the update. It's good to hear that the workaround works. I'm still waiting for feedback from my team regarding which IP ranges the UI SSH keyscans run from.

In the meantime, I'm a bit confused regarding the IPs you have whitelisted. The exhaustive list of Pipelines IPs includes all IPs used by Pipelines, so the keyscan from the UI should succeed.

Can you please clarify which of the following two you have whitelisted?

  1. An exhaustive list of IP addresses that the traffic may come from on AWS can be found by using the following endpoint, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions.
  2. Only the Atlassian IP ranges listed here: https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/#Atlassian-IP-ranges?

Kind regards,
Theodora
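
Editor's added example (not part of the thread and not Atlassian's code): the workaround above runs ssh-keyscan on every build and trusts whichever key answers, which is the concern raised in the [edit] comment. The sketch below accepts a scan result only when it matches a key pinned in advance; the function names, the pinned-file format ("keytype base64blob" per line) and the sample values are assumptions made for this example.

```shell
# Added example: trust an ssh-keyscan result only if it matches a pinned key.
# Assumption: the pinned file holds "keytype base64blob" lines collected once
# over a trusted channel (e.g. read from the server's own host key .pub files).

# filter_pinned PINNED_FILE < keyscan-output
# Prints scanned lines whose (keytype, blob) pair is pinned. Exit status:
#   0  at least one key matched and no pinned type returned a different blob
#   1  a pinned key type returned a different blob (rekeyed host or MITM)
#   2  nothing matched (empty scan, unreachable host, unpinned types only)
filter_pinned() {
  awk -v pinned="$1" '
    BEGIN {
      while ((getline line < pinned) > 0) {
        n = split(line, f, " ")
        if (n >= 2 && f[1] !~ /^#/) blob[f[1]] = f[2]
      }
    }
    /^#/ || NF < 3 { next }              # comments, banners, malformed lines
    ($2 in blob) { if (blob[$2] == $3) { print; ok++ } else bad++ }
    END { if (bad) exit 1; if (!ok) exit 2 }
  '
}

# add_verified_host HOST PINNED_FILE KNOWN_HOSTS [PORT]
# Scans into a temp file and appends to known_hosts only on status 0, so a
# mismatching key never reaches the file the later ssh command trusts.
add_verified_host() {
  tmp=$(mktemp) || return 3
  rc=0
  ssh-keyscan -p "${4:-22}" "$1" 2>/dev/null | filter_pinned "$2" > "$tmp" || rc=$?
  if [ "$rc" -eq 0 ]; then cat "$tmp" >> "$3"; fi
  rm -f "$tmp"
  return "$rc"
}

# selftest: offline check on constructed data (not real host keys).
# Prints "0 1": status for a matching scan, then for a changed ed25519 blob.
selftest() {
  p=$(mktemp) || return 3; a=0; b=0
  echo 'ssh-ed25519 AAAAC3constructedPinnedBlob' > "$p"
  echo 'host.example.test ssh-ed25519 AAAAC3constructedPinnedBlob' |
    filter_pinned "$p" >/dev/null || a=$?
  echo 'host.example.test ssh-ed25519 AAAAC3constructedOtherBlob' |
    filter_pinned "$p" >/dev/null || b=$?
  rm -f "$p"; echo "$a $b"
}
```

In the step, write the pinned lines from a secured repository variable to a file and call add_verified_host ip_or_domain_name_of_server that_file ~/.ssh/known_hosts in place of the bare ssh-keyscan line; a non-zero status should fail the build before the ssh command runs.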

0 votes
Shawn Doyle - ReleaseTEAM
Community Champion
July 15, 2025

Hi @Samantha Adrichem 

 

If you haven't tried yet, this list was updated on Jun 16th 2025: ip-ranges.atlassian.com

I'm not sure if the support page reflects the changes yet. 

Samantha Adrichem July 17, 2025

I've asked our server admin to double check this list as well. Will have to wait for it now :) 

Deployment type: Cloud
Product plan: Premium
Permissions level: Product Admin, Site Admin