We are in the process of configuring our Bitbucket Pipelines to utilize specific IP ranges provided by Atlassian. Security requirements require that we limit the allowed IP ranges via IAM policies. We need some clarification on which IP ranges will function with various step sizes (1x, 2x, 4x, 8x) after September 17th.
IP Ranges for 1x and 2x Step Sizes:
IP Ranges for 4x and 8x Step Sizes:
atlassian-ip-ranges runtime flag. Without this flag, the IP ranges might not function as expected.
Hi @anusha malledi and welcome to the community!
All steps (regardless of size) that run on Atlassian Cloud infrastructure are hosted on Amazon Web Services. An exhaustive list of the IPs used for all steps can be found here, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions.
This is a large number of IP ranges. If you prefer to use a more limited or narrowed IP range, you can use the runtime option with atlassian-ip-ranges in your bitbucket-pipelines.yml file for a certain step:
This is only possible for steps with size 4x and 8x. Then, these steps will use a more limited set of IPs and the number of IP ranges you will need to allowlist is smaller. You can find this limited set of IP ranges here:
It is not mandatory to use the flag atlassian-ip-ranges with 4x and 8x size steps. It is an option that you have, so that you whitelist a smaller number of IP ranges on your firewall.
However, if you have steps of all sizes (including 1x and 2x) that make requests to the same server, then you will need to allowlist the more exhaustive, longer list of IP ranges I mentioned in the beginning.
Please feel free to reach out if you have any questions.
Kind regards,
Theodora
Thank you for your response.
I filtered IPs from the below link to only the Bitbucket product and used 4x in my step. I get a 403 error, but with the same list, if I add an atlassian-ip-ranges flag, it worked, but not for 2x.
Link: https://ip-ranges.atlassian.com/
Error:
failed to pull and unpack image "*******.dkr.ecr.us-east-2.amazonaws.com/dnsutils-awscli:latest": failed to resolve reference "********.dkr.ecr.us-east-2.amazonaws.com/dnsutils-awscli:latest": unexpected status from HEAD request to https://*******.dkr.ecr.us-east-2.amazonaws.com/v2/dnsutils-awscli/manifests/latest: 403 Forbidden
Hi Anusha,
Thank you for the info.
The link you use is not the correct one for Bitbucket Pipelines.
If you use both 2x and 4x steps to connect to your server, you need to whitelist the IP ranges from the following link, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions.
If you use only 4x or 8x steps to connect to your server, you can whitelist only a smaller number of IP ranges, that are listed here:
You will also need to use the atlassian-ip-ranges flag for these steps, if you plan to whitelist only this more limited set of IPs. This flag does not work for steps of size 1x and 2x.
Does this make sense? Or do you have any questions?
Kind regards,
Theodora
That makes sense.
After filtering the Amazon AWS IPs to EC2, it gave an exhaustive list of 1160 IPs, which is over the AWS limit of allowed permissions.
In addition, I tried using those Amazon AWS IPs as well, which gave a 403 error for 4x without the flag, but I used them on top of the ip-ranges IPs. Will the ip-ranges Atlassian IPs block the use of the 4x step size if we use both together?
Hi Anusha,
Whitelisting both sets of IPs is not going to block the use of 4x sizes. If you still get a 403 error, then some IPs are not whitelisted.
For the IPs from Amazon AWS, you need to filter for records where service is EC2 and also where the service is S3 (not only the EC2 ones). And then, out of those, filter further for us-east-1 and us-west-2 regions.
These are used by Pipelines steps of all sizes (and 4x steps that don't have the atlassian-ip-ranges flag).
If the number of these IPs is over the limit of allowed permissions, you can use 4x size steps with the atlassian-ip-ranges flag in your yml. Then, you only need to whitelist the IPs below (and not the Amazon AWS ones):
Kind regards,
Theodora
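The filtering described in the reply above (service EC2 or S3, regions us-east-1 and us-west-2), as an added example that is not part of any post in this thread: it filters a document shaped like AWS's ip-ranges.json, merges adjacent ranges, and checks whether the resulting `aws:SourceIp` condition fits a policy size limit. The sample prefixes are constructed, and the Deny statement shape, the two ECR actions and the 6,144-character default limit are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json
# (documentation-range prefixes, not real AWS ranges).
SAMPLE = {"prefixes": [
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "CLOUDFRONT"},
]}
SERVICES = {"EC2", "S3"}
REGIONS = {"us-east-1", "us-west-2"}

def pipelines_cidrs(doc):
    """Keep EC2/S3 prefixes in the two regions, de-duplicate, merge adjacent ranges."""
    nets = {ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
            if p["service"] in SERVICES and p["region"] in REGIONS}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def deny_outside(cidrs, actions=("ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer")):
    """Identity-policy sketch (assumed shape): deny the actions from any other source IP."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsidePipelinesRanges",
        "Effect": "Deny",
        "Action": list(actions),
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
    }]}

def policy_chars(policy):
    """Length of the compact JSON, i.e. the policy size with whitespace excluded."""
    return len(json.dumps(policy, separators=(",", ":")))

def fits(policy, limit=6144):
    # 6144 is the IAM managed-policy character quota; assumed to be the
    # limit that applies here, pass your own for another policy type.
    return policy_chars(policy) <= limit

if __name__ == "__main__":
    cidrs = pipelines_cidrs(SAMPLE)
    policy = deny_outside(cidrs)
    print(cidrs, policy_chars(policy), fits(policy))
```

Run against the real ip-ranges.json, the merged list shows how many CIDRs remain after collapsing and whether the policy still exceeds the limit, which is the case where the 4x/8x steps with the atlassian-ip-ranges flag become the practical option.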
Sure, I will give it a try with the Amazon AWS IPs with all the filters and IPs in place.