
Clarification on IP Ranges Compatibility Across Different Step Sizes

anusha malledi August 29, 2024

 

We are in the process of configuring our Bitbucket Pipelines to utilize specific IP ranges provided by Atlassian. Security requirements require that we limit the allowed IP ranges via IAM policies. We need some clarification on which IP ranges will function with various step sizes (1x, 2x, 4x, 8x) after September 17th.

  1. IP Ranges for 1x and 2x Step Sizes:

    • Will ip-ranges.atlassian work for 1x and 2x step sizes after September 17th without requiring additional configuration flags?
  2. IP Ranges for 4x and 8x Step Sizes:

    • For 4x and 8x step sizes, the documentation indicates the need to use the atlassian-ip-ranges runtime flag. Without this flag, the IP ranges might not function as expected.
    • Enabling this flag causes issues with the 2x step size, leading to conflicts between different step sizes.

1 answer

0 votes
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 3, 2024

Hi @anusha malledi and welcome to the community!

All steps (regardless of size) that run on Atlassian Cloud infrastructure are hosted on Amazon Web Services. An exhaustive list of the IPs used for all steps can be found here, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions.

This is a large number of IP ranges. If you prefer to use a more limited or narrowed IP range, you can use the runtime option with atlassian-ip-ranges in your bitbucket-pipelines.yml file for a certain step:

This is only possible for steps with size 4x and 8x. Then, these steps will use a more limited set of IPs and the number of IP ranges you will need to allowlist is smaller. You can find this limited set of IP ranges here:

It is not mandatory to use the flag atlassian-ip-ranges with 4x and 8x size steps. It is an option that you have, so that you whitelist a smaller number of IP ranges on your firewall.

However, if you have steps of all sizes (including 1x and 2x) that make requests to the same server, then you will need to allowlist the more exhaustive, longer list of IP ranges I mentioned in the beginning.

Please feel free to reach out if you have any questions.

Kind regards,
Theodora

anusha malledi September 3, 2024

Thank you for your response.

I filtered the IPs from the link below to only the Bitbucket product and used 4x in my step. I get a 403 error, but with the same list, if I add the atlassian-ip-ranges flag, it worked, but not for 2x.

 

Link: https://ip-ranges.atlassian.com/

Error:


failed to pull and unpack image "*******.dkr.ecr.us-east-2.amazonaws.com/dnsutils-awscli:latest": failed to resolve reference "********.dkr.ecr.us-east-2.amazonaws.com/dnsutils-awscli:latest": unexpected status from HEAD request to https://*******.dkr.ecr.us-east-2.amazonaws.com/v2/dnsutils-awscli/manifests/latest: 403 Forbidden

 

Theodora Boudale
Atlassian Team
September 4, 2024

Hi Anusha,

Thank you for the info.

The link you use is not the correct one for Bitbucket Pipelines.

If you use both 2x and 4x steps to connect to your server, you need to whitelist the IP ranges from the following link, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions.


If you use only 4x or 8x steps to connect to your server, you can whitelist only a smaller number of IP ranges, that are listed here:

You will also need to use the atlassian-ip-ranges flag for these steps, if you plan to whitelist only this more limited set of IPs. This flag does not work for steps of size 1x and 2x.


Does this make sense? Or do you have any questions?

Kind regards,
Theodora

anusha malledi September 4, 2024

That makes sense.

Amazonaws IP after filtering to EC2, it gave an exhausted list of 1160 IPs which is over the AWS limit of allowed permissions.

Additionally, I tried using those amazonaws IPs as well, which gave a 403 error for 4x without the flag, but I used them on top of the ip-ranges IPs. Will the ip-ranges Atlassian IPs block the use of the 4x step size if we use both together?

Theodora Boudale
Atlassian Team
September 6, 2024

Hi Anusha,

Whitelisting both sets of IPs is not going to block the use of 4x sizes. If you still get a 403 error, then some IPs are not whitelisted.

 

For the IPs from Amazon AWS, you need to filter for records where service is EC2 and also where the service is S3 (not only the EC2 ones). And then, out of those, filter further for us-east-1 and us-west-2 regions.

These are used by Pipelines steps of all sizes (and 4x steps that don't have the atlassian-ip-ranges flag).

 


If the number of these IPs is over the limit of allowed permissions, you can use 4x size steps with the atlassian-ip-ranges flag in your yml. Then, you only need to whitelist the IPs below (and not the Amazon AWS ones):

Reference: https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/#Atlassian-IP-ranges

Kind regards,
Theodora
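
The filter described in the answer above (service EC2 or S3, then regions us-east-1 and us-west-2), as an added example that is not part of the original thread or Atlassian's own code. It assumes the list has the shape of AWS's published ip-ranges.json (a `prefixes` array with `ip_prefix`, `region` and `service` fields); the sample data and function names are constructed for illustration. It also merges adjacent ranges, which can reduce the entry count when an allowlist has a size limit.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json (documentation
# address blocks, not real published ranges). IPv4 "prefixes" only.
SAMPLE = json.loads("""
{"prefixes": [
  {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24",   "region": "us-east-1", "service": "AMAZON"},
  {"ip_prefix": "203.0.113.0/26",    "region": "us-west-2", "service": "S3"},
  {"ip_prefix": "203.0.113.64/26",   "region": "us-west-2", "service": "EC2"},
  {"ip_prefix": "192.0.2.0/24",      "region": "us-east-2", "service": "EC2"},
  {"ip_prefix": "203.0.113.192/26",  "region": "us-west-2", "service": "CLOUDFRONT"}
]}
""")

SERVICES = {"EC2", "S3"}               # both services, not only EC2
REGIONS = {"us-east-1", "us-west-2"}   # regions named in the answer


def pipelines_ranges(doc, services=SERVICES, regions=REGIONS):
    """Return the filtered IPv4 ranges merged into the fewest equivalent CIDRs."""
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc.get("prefixes", [])
        if p.get("service") in services and p.get("region") in regions
    }
    # collapse_addresses merges overlapping and adjacent networks; the set of
    # covered addresses is unchanged, so the allowlist is not widened.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_allowed(ip, cidrs):
    """True if ip falls inside any allowlisted CIDR (useful when chasing a 403)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    allow = pipelines_ranges(SAMPLE)
    print(len(allow), "ranges:", allow)
    print("203.0.113.200 allowed?", is_allowed("203.0.113.200", allow))
```

Merging only helps where the published ranges happen to be adjacent, so the result can still exceed a limit. The published list changes over time, so the allowlist has to be regenerated from a fresh copy.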

anusha malledi September 6, 2024

Sure, I will give it a try with the Amazon AWS Ips with all the filters and IPs in place.
