Undocumented outgoing IPs of bitbucket cloud

Hi @Finererp,

The community question Matthias shared has more info on this issue. I just wanted to address this:

Docker machine ip`s are different from the document to allow in server firewall.

The documentation of Bitbucket Pipelines Cloud IP addresses is divided into two sections:

• Section 1: Valid IP addresses for Bitbucket Pipelines build environments
  
  This section applies to 1x/2x step sizes (or 4x/8x steps that have not been explicitly flagged to use atlassian-ip-ranges). An exhaustive list of IP addresses from which the traffic may originate on AWS can be obtained by using the following endpoint. You should filter records where the service equals EC2 or S3, and focus on the us-east-1 and us-west-2 regions. However, we do not recommend using these IP ranges as a security control due to their broad nature.

• Section 2: Atlassian IP Ranges
  
  This section pertains to steps specifically configured to use Atlassian IP ranges. These are applicable only to 4x and 8x size steps that have the atlassian-ip-ranges: true flag enabled. The step sizes 4x and 8x are only available for builds running under a paid Bitbucket Cloud plan (Standard or Premium)

The endpoint https://ip-ranges.amazonaws.com/ip-ranges.json applicable to 1x/2x step sizes (or 4x/8x steps that have not been explicitly flagged to use atlassian-ip-ranges) lists CIDR blocks, so you may not find the exact IP address such a step uses in that list.

You can use this tool https://thameera.com/awsip/ to check if a certain IP address is from AWS and which CIDR block it belongs to. When you get the CIDR block, you can search https://ip-ranges.amazonaws.com/ip-ranges.json for that CIDR block to confirm it's listed there.

Checking the IP you provided, 34.201.21.164, it belongs to 34.192.0.0/12 which is listed in https://ip-ranges.amazonaws.com/ip-ranges.json. The service is EC2 and the region us-east-1, which is consistent with our documentation.

Kind regards,
Theodora