Here's what I came up with - PLEASE help me verify!
1) IPv4 inbound for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org
104.192.136.0/21
185.166.140.0/22
13.200.41.128/25
2) IPv6 inbound for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org
3) Valid IP addresses for Bitbucket Pipelines build environments:
NOTE: Service: EC2, region: eu-central-1
Hi @Budggy Inc_ and welcome to the community!
The IPs Bitbucket Cloud uses are listed on this page:
I assume you copy-pasted in your post the IPs from the page I shared?
The Valid IP addresses for Bitbucket Pipelines build environments are needed only if you run Pipelines builds on Atlassian's infrastructure and you want to connect to your own server during the Pipelines build. Is this what you are trying to do? If so, please keep in mind that the documentation of Bitbucket Pipelines Cloud IP addresses is divided into two sections:
Section 1: Valid IP addresses for Bitbucket Pipelines build environments
This section applies to 1x/2x step sizes (or 4x/8x steps that have not been explicitly flagged to use atlassian-ip-ranges). An exhaustive list of IP addresses from which the traffic may originate on AWS can be obtained by using the following endpoint. You should filter records where the service equals EC2 or S3, and focus on the us-east-1 and us-west-2 regions. However, we do not recommend using these IP ranges as a security control due to their broad nature.
Section 2: Atlassian IP Ranges
This section pertains to steps specifically configured to use Atlassian IP ranges. These are applicable only to 4x and 8x size steps that have the atlassian-ip-ranges: true flag enabled. The step sizes 4x and 8x are only available for builds running under a paid Bitbucket Cloud plan (Standard or Premium).
The documentation for the configuration needed in order for a Pipelines step to use this more limited set of IPs is documented here:
https://support.atlassian.com/bitbucket-cloud/docs/step-options/#Runtime
This configuration improves security by restricting the IP addresses utilized by Pipelines builds to the Atlassian IP ranges.
I hope this helps. If you have any questions, please feel free to let me know and also share some more details on what you are trying to do (e.g. if you want to connect to your server from Bitbucket Pipelines or if you want to do something different).
Kind regards,
Theodora
Hi @Theodora Boudale,
Thank you so much for your elaborate response, wishing you a happy new year.
What we are trying to do is this: Use OpenID Connect to run BB Pipelines on our AWS EC2 instance. The setup followed the recommended procedure, but I can't seem to get the Fetch Fingerprint to work; it is always stuck at the SSH connection stage. We tried to manually embed it using the private IP of the instance - same issue. I just needed to know which IP BB tried to access the instance from, so I can verify if my setup was correct for the SSH inbound rules.
Yes @ "you run Pipelines builds on Atlassian's infrastructure and you want to connect to your own server during the Pipelines build. Is this what you are trying to do?" - and no, will not use the Atlassian IP Ranges.
Please let me know if this is clear enough, thank you so much!
Happy new year to you too, @Budggy Inc_!
Thank you for the additional information!
The IP addresses for bitbucket.org, api.bitbucket.org, and altssh.bitbucket.org in your post seem to be the ones from our documentation.
However, the IP ranges for Pipelines environments in your post have Service: EC2, region: eu-central-1.
If you are not planning to use Atlassian IP ranges, then from the following endpoint you need to get the IP ranges where service equals EC2 or S3, and out of these, filter further on the us-east-1 and us-west-2 regions (not the eu-central-1 region).
Please also keep in mind that when you try to fetch the fingerprint, you need to provide the public IP address or domain name of your server. Bitbucket will try to connect to your server over the internet in order to fetch the fingerprint (and also during the build), and private IP addresses can only be used in a local network.
Please feel free to let me know how it goes.
Kind regards,
Theodora
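The filtering described in the reply above, as an added example that is not part of the original thread: it keeps only the records where service is EC2 or S3 and region is us-east-1 or us-west-2, then audits a set of inbound-rule CIDRs against that result. It assumes the endpoint returns JSON in the layout of AWS's ip-ranges.json; the sample document, its CIDRs and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's public ip-ranges.json (assumed:
# a "prefixes" list with ip_prefix / region / service keys). The CIDRs are
# RFC 5737 documentation ranges, not real AWS or Bitbucket addresses.
SAMPLE = json.loads("""
{"prefixes": [
  {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1",    "service": "EC2"},
  {"ip_prefix": "192.0.2.128/25",  "region": "us-east-1",    "service": "S3"},
  {"ip_prefix": "198.51.100.0/24", "region": "us-west-2",    "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24", "region": "us-west-2",    "service": "AMAZON"},
  {"ip_prefix": "203.0.113.0/24",  "region": "eu-central-1", "service": "EC2"}
]}
""")

SERVICES = {"EC2", "S3"}
REGIONS = {"us-east-1", "us-west-2"}


def pipelines_ranges(doc):
    """IPv4 networks where service is EC2 or S3 and region is us-east-1 or us-west-2."""
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc.get("prefixes", [])
        if p.get("service") in SERVICES and p.get("region") in REGIONS
    }
    # Merge adjacent and duplicate prefixes so the rule set stays small.
    return list(ipaddress.collapse_addresses(nets))


def source_allowed(ip, ranges):
    """True if a connecting source address falls inside one of the ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def audit_rules(rule_cidrs, doc):
    """Map each rule CIDR outside the wanted ranges to the regions that publish it."""
    wanted = pipelines_ranges(doc)
    stray = {}
    for cidr in rule_cidrs:
        net = ipaddress.ip_network(cidr)
        if any(net.version == w.version and net.subnet_of(w) for w in wanted):
            continue
        stray[cidr] = sorted({p["region"] for p in doc["prefixes"]
                              if ipaddress.ip_network(p["ip_prefix"]).overlaps(net)})
    return stray
```

Running `audit_rules` over the CIDRs already in a security group shows which entries came from a different region than the two named in the reply.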
I am having a similar issue.
We have added the Atlassian IP addresses to our security group because we plan to use the 4x build. But when I try to get the Known Host, it says there is an SSH error. Does the Known Host fetch not run through one of those IP addresses?
Thanks