Hi!
We are running a suite of Playwright tests from a Bitbucket pipeline, and for our test environments we use IP whitelisting to block unauthorised access. Thus we have implemented the provided list of static Bitbucket IPs which are listed in the documentation here: https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/
Yet we still saw the pipeline was timing out all its requests to our environment, so upon investigation we were able to see the public IPs from some of the steps were:
Which, if I read the documentation correctly, are all IPs which are not listed as expected IP addresses for pipelines, thus they are not whitelisted on our load balancer.
Some extra info for debugging this:
The current workaround was to put an allow all in place on our load balancer which is OK for a short while, but in the long run we need this security measure back in place.
Thanks in advance for (sanity) checking this!
UPDATE:
Turns out I was too quick and in the list provided at https://ip-ranges.amazonaws.com/ip-ranges.json I was able to find the matching CIDRs. Yet then another problem arises: there are 8086 IPv4 ranges provided in this document and we would ideally limit the amount of IPs to whitelist. Is there a way to either:
Hello Matteus and welcome to the community!
The documentation of Bitbucket Pipelines Cloud IP addresses is divided into two sections:
Section 1: Valid IP addresses for Bitbucket Pipelines build environments
This section applies to 1x/2x step sizes (or 4x/8x steps that have not been explicitly flagged to use atlassian-ip-ranges). An exhaustive list of IP addresses from which the traffic may originate on AWS can be obtained by using the following endpoint. You should filter records where the service equals EC2 or S3, and focus on the us-east-1 and us-west-2 regions. However, we do not recommend using these IP ranges as a security control due to their broad nature.
Section 2: Atlassian IP Ranges
This section pertains to steps specifically configured to use Atlassian IP ranges. These are applicable only to 4x and 8x size steps that have the atlassian-ip-ranges: true flag enabled. The step sizes 4x and 8x are only available for builds running under a paid Bitbucket Cloud plan (Standard or Premium).
To use the more restricted set of IPs, you can adjust your pipeline configuration to include the following:
pipelines:
  default:
    - step:
        size: 4x
        runtime:
          cloud:
            atlassian-ip-ranges: true
        script:
          - echo "This step will use atlassian-ip-ranges"
You can find more details in the documentation here: Runtime Step Options.
This configuration improves security by restricting the IP addresses utilized by Pipelines builds to the Atlassian IP ranges.
Please Note: Opting for larger step sizes (4x/8x) may impact billing. We encourage you to review the relevant documentation on step sizes here to understand these implications fully.
Setting the region for a Pipelines build is not supported.
Please feel free to reach out if you have any questions.
Kind regards,
Theodora
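The filter described in the answer above (service EC2 or S3, regions us-east-1 and us-west-2), as an added example that is not part of the original thread or of Atlassian's documentation. It assumes the published layout of ip-ranges.json; the sample document is constructed from documentation-only prefixes and the function names are hypothetical. It also collapses adjacent and nested prefixes to shorten the resulting allowlist; the answer's caution that these ranges are broad still applies.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json. The prefixes are
# RFC 5737 documentation ranges, not real AWS ranges.
SAMPLE = json.loads("""
{
  "syncToken": "0",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25",     "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.128/25",   "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/24",     "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/24",  "region": "us-west-2", "service": "S3"},
    {"ip_prefix": "198.51.100.64/26", "region": "us-west-2", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24",   "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/25",   "region": "us-east-1", "service": "CLOUDFRONT"}
  ]
}
""")

# Filter values taken from the answer above.
SERVICES = {"EC2", "S3"}
REGIONS = {"us-east-1", "us-west-2"}


def pipelines_candidate_ranges(doc, services=SERVICES, regions=REGIONS):
    """Return the IPv4 CIDRs matching the service/region filter, collapsed."""
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc.get("prefixes", [])
        if p.get("service") in services and p.get("region") in regions
    ]
    # collapse_addresses merges adjacent blocks and drops nested ones,
    # which reduces the number of load balancer rules.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_allowed(ip, ranges):
    """Check whether an observed source IP falls inside the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


if __name__ == "__main__":
    allowlist = pipelines_candidate_ranges(SAMPLE)
    for cidr in allowlist:
        print(cidr)
```

To run it against live data, load the downloaded ip-ranges.json with `json.load` and pass the result to `pipelines_candidate_ranges` in place of `SAMPLE`.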