
Too many pipeline ip addresses for ec2 security groups

Mike Moore November 26, 2024

Our bitbucket-pipeline rsync has stopped working. I have been following several articles on updating the whitelist ip addresses to run rsync in bitbucket-pipeline. 

https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/#AtlassiancloudIPrangesanddomains-OutgoingConnections

https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/

https://community.atlassian.com/t5/Bitbucket-questions/Bitbucket-Cloud-Pipeline-IP-Whitelisting/qaq-p/2775923

I have added all of the outbound IP addresses, but nothing works. I have looked at https://ip-ranges.atlassian.com and that list is huge; also, an EC2 security group is only allowed 60 rules. Can someone please explain how we are supposed to use the pipeline rsync without opening up port 22 to the world? I am hoping I am just not understanding or do not know of a better method.

Thank You

mike

1 answer

1 vote
Theodora Boudale
Atlassian Team
November 27, 2024

Hi Mike,

We have recently updated our 1x/2x size option builds to operate from a new, broader IP range.

The documentation of Bitbucket Pipelines Cloud IP addresses is divided into two sections:

  • Section 1: Valid IP addresses for Bitbucket Pipelines build environments

    This section applies to 1x/2x step sizes (or 4x/8x steps that have not been explicitly flagged to use atlassian-ip-ranges). An exhaustive list of IP addresses from which the traffic may originate on AWS can be obtained by using the following endpoint. You should filter records where the service equals EC2 or S3, and focus on the us-east-1 and us-west-2 regions. However, we do not recommend using these IP ranges as a security control due to their broad nature.

  • Section 2: Atlassian IP Ranges

    This section pertains to steps specifically configured to use Atlassian IP ranges. These are applicable only to 4x and 8x size steps that have the atlassian-ip-ranges: true flag enabled. The step sizes 4x and 8x are only available for builds running under a paid Bitbucket Cloud plan (Standard or Premium).

To mitigate your issue and use the more restricted set of IPs, I suggest adjusting your pipeline configuration to include the following:

pipelines:
  default:
    - step:
        size: 4x
        runtime:
          cloud:
            atlassian-ip-ranges: true
        script:
          - echo "This step will use atlassian-ip-ranges"

You can find more details in the documentation here: Runtime Step Options.

This configuration improves security by restricting the IP addresses utilized by Pipelines builds to the Atlassian IP ranges.

Please Note: Opting for larger step sizes (4x/8x) may impact billing. We encourage you to review the relevant documentation on step sizes here to understand these implications fully.

Please feel free to let me know if you have any questions.

Kind regards,
Theodora

Mike Moore November 27, 2024

Edited: This is working if I add

size: 4x
runtime:
  cloud:
    atlassian-ip-ranges: true

Thank you, I have added the IP addresses found in Atlassian IP Ranges and adjusted the size to 4x. The security group is still blocking IPs; to me, BB is using additional IPs. I can open the SG up to 0.0.0.0/0 and everything works as expected. Is there a way to see what the IP address is of the Bitbucket server that is running the pipeline?

Theodora Boudale
Atlassian Team
November 27, 2024

Hi Mike,

You need to add the runtime property also, exactly as I shared in my previous reply.

I am copy-pasting it again and I am highlighting in bold below the options that need to be added:

pipelines:
  default:
    - step:
        size: 4x
        runtime:
          cloud:
            atlassian-ip-ranges: true
        script:
          - echo "I use atlassian-ip-ranges"

Seeing the last edit in your post, I assume this is working now?

Please keep in mind that you may not need to add this to every single step, just to the steps that need to access your own servers (which have IP allowlisting configured).

Kind regards,
Theodora
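
The thread turns on fitting the Atlassian IP ranges into a security group capped at 60 rules; the sketch below is an added example (not code from either poster or from Atlassian) that filters a range list to Bitbucket egress networks, merges overlapping and adjacent CIDRs, and builds a port 22 ingress entry only if the result fits. The JSON field names (`items`, `cidr`, `direction`, `product`) are an assumed shape for the published list, the function names are hypothetical, and the sample networks are constructed documentation ranges.

```python
import ipaddress
import json

SG_RULE_LIMIT = 60  # per-security-group rule limit quoted in the question

# Constructed sample in the assumed shape of the published range list.
# Networks are documentation ranges (RFC 5737 / RFC 3849), not real Atlassian IPs.
SAMPLE = json.dumps({"items": [
    {"cidr": "192.0.2.0/25",    "direction": ["egress"],  "product": ["bitbucket"]},
    {"cidr": "192.0.2.128/25",  "direction": ["egress"],  "product": ["bitbucket"]},
    {"cidr": "192.0.2.64/26",   "direction": ["egress"],  "product": ["bitbucket", "jira"]},
    {"cidr": "198.51.100.0/24", "direction": ["ingress"], "product": ["bitbucket"]},
    {"cidr": "203.0.113.16/28", "direction": ["egress"],  "product": ["jira"]},
    {"cidr": "203.0.113.32/28", "direction": ["egress"],  "product": ["bitbucket"]},
    {"cidr": "2001:db8::/32",   "direction": ["egress"],  "product": ["bitbucket"]},
]})


def egress_cidrs(doc, product="bitbucket"):
    """IPv4 networks the product connects *from*, merged where they overlap or adjoin."""
    nets = []
    for item in json.loads(doc)["items"]:
        if "egress" not in item.get("direction", []):
            continue  # ingress ranges are Atlassian's own listeners, not build sources
        if product not in item.get("product", []):
            continue
        net = ipaddress.ip_network(item["cidr"], strict=True)
        if net.version == 4:  # IPv6 would need Ipv6Ranges entries; out of scope here
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def ssh_ingress_permission(nets, limit=SG_RULE_LIMIT):
    """Build one EC2 IpPermissions entry for port 22; refuse lists that cannot fit."""
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("refusing 0.0.0.0/0 for SSH")
    if len(nets) > limit:
        raise ValueError(f"{len(nets)} CIDRs exceed the {limit}-rule limit")
    return {
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": str(n), "Description": "bitbucket-pipelines"}
                     for n in nets],
    }


if __name__ == "__main__":
    merged = egress_cidrs(SAMPLE)
    print(len(merged), "rules:", [str(n) for n in merged])
    print(json.dumps(ssh_ingress_permission(merged), indent=2))
```

The returned dictionary has the shape EC2 expects for an ingress permission, so the rule count can be checked before any change is made to the security group.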
