I am not a fan of the 4x/8x as we are one of the shops which needs to whitelist IP addresses. In all builds failing today, they are coming from different IPs.
We are verifying this with the curl ifconfig.me to report the pipeline IP address.
After finding 3 new ones, we decided to test out with the 4x IP since it should be part of the list: https://ip-ranges.amazonaws.com/ip-ranges.json
It wasn't part of the list
52.23.194.202
If Atlassian isn't going to publish these enhanced and supposed whitelisted IPs, how are the customers supposed to utilize them?
It also is not here either
Hello @Michael Klassen
We have recently updated our 1x/2x size option builds to operate from a new, broader IP range.
For teams who need their builds to run from a more restricted set of IP addresses, we recommend using the atlassian-ip-ranges configuration available with our 4x/8x steps. These size options are only available for builds running under a paid Bitbucket Cloud plan (Standard or Premium). This option provides enhanced security by limiting the IP addresses to a smaller, more manageable list. You can find more details about this configuration here. This configuration does not need to apply to all steps in a pipeline, just the steps that access secure resources.
Please Note: Opting for larger step sizes (4x/8x) may impact billing. We encourage you to review the relevant documentation on step sizes here to understand these implications fully.
You can view the complete list of IP addresses used by the 1x/2x steps in this JSON format. This list can be explicitly filtered for EC2 or S3 resources located in us-east-1 and us-west-2. We do not recommend or support adding these IP addresses into your firewall configuration.
The AWS JSON file is divided into CIDR blocks. To help you identify if a given IP address belongs to an Amazon CIDR IP range, you can check the article How to identify the CIDR block of the IP from the Bitbucket pipeline.
Important Note: Relying solely on IP-based firewalls for securing your infrastructure is not recommended. Instead, consider implementing secure authentication methods for any services exposed to Bitbucket Pipelines, such as using OpenID Connect (OIDC).
Alternatively, you may consider utilizing Bitbucket's pipeline runners. Runners enable you to execute builds in Pipelines on your own infrastructure. Additionally, as your runner is hosted on your own infrastructure, you will have greater flexibility regarding the list of IP addresses to permit.
Please feel free to reach out if you have any questions.
Thank you, @Michael Klassen !
Patrik S
The IP addresses listed are wrong, none include 52.23.194.202
It has broken ALL of our builds.
Hello @Michael Klassen ,
I understand the frustration with your builds being affected due to IP address issues. Let me clarify the situation regarding Bitbucket Cloud IP addresses.
The documentation of Bitbucket Pipelines Cloud IP addresses is divided into two sections:
Section 1: Valid IP addresses for Bitbucket Pipelines build environments
This section applies to 1x/2x step sizes (or 4x/8x steps that have not been explicitly flagged to use atlassian-ip-ranges). An exhaustive list of IP addresses from which the traffic may originate on AWS can be obtained by using the following endpoint. You should filter records where the service equals EC2 or S3, and focus on the us-east-1 and us-west-2 regions. However, we do not recommend using these IP ranges as a security control due to their broad nature.
Section 2: Atlassian IP Ranges
This section pertains to steps specifically configured to use Atlassian IP ranges. These are applicable only to 4x and 8x size steps that have the atlassian-ip-ranges: true flag enabled. The step sizes 4x and 8x are only available for builds running under a paid Bitbucket Cloud plan (Standard or Premium).
To mitigate your issue and use the more restricted set of IPs, I suggest adjusting your pipeline configuration to include the following:
    pipelines:
      default:
        - step:
            size: 4x
            runtime:
              cloud:
                atlassian-ip-ranges: true
            script:
              - echo "This step will use atlassian-ip-ranges"
I have highlighted in bold the options you need to add to ensure that your step uses the more targeted Atlassian IP ranges. You can find more details in the documentation here: Runtime Step Options.
Regarding the specific IP address you mentioned, 52.23.194.202, it falls under the first section (AWS broader IP range). This is likely because you are using either a size 1x/2x step, or a 4x/8x step without the atlassian-ip-ranges attribute.
For confirmation, you can verify this IP address using an external tool. It belongs to the following AWS CIDR block:
Region: US East (N. Virginia)
Region code: us-east-1
Service: EC2
Subnet: 52.20.0.0/14
This information is consistent with the AWS IP JSON file shared in our documentation.
The AWS IP JSON file is a list of CIDR blocks. Each block is a collection of IP addresses. To help you identify if a given IP address belongs to an AWS CIDR IP range, you can follow the instructions of the article How to identify the CIDR block of the IP from the Bitbucket Pipelines.
I hope this helps resolve the issue you're facing. Please let us know if you need further assistance.
Thank you @Michael Klassen !
Patrik S
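The CIDR membership check described in the reply above, as an added example that is not part of the original thread or of Atlassian's documentation. It runs against a constructed sample in the ip-ranges.json layout (only the 52.20.0.0/14 entry comes from the thread), filtered to EC2/S3 in us-east-1 and us-west-2; the function name find_blocks is hypothetical.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout. Only 52.20.0.0/14 is taken
# from the thread; the other prefixes are documentation-reserved ranges.
SAMPLE_JSON = """
{
  "syncToken": "0",
  "createDate": "constructed-sample",
  "prefixes": [
    {"ip_prefix": "52.20.0.0/14", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "52.20.0.0/14", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "S3"},
    {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "us-west-2", "service": "EC2"}
  ]
}
"""
RANGES = json.loads(SAMPLE_JSON)

# Filter named in the replies: EC2 or S3, us-east-1 or us-west-2.
SERVICES = frozenset({"EC2", "S3"})
REGIONS = frozenset({"us-east-1", "us-west-2"})


def find_blocks(ip, ranges, services=SERVICES, regions=REGIONS):
    """Return (cidr, region, service) for every filtered block containing ip."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version == 4:
        key, field = "prefixes", "ip_prefix"
    else:
        key, field = "ipv6_prefixes", "ipv6_prefix"
    hits = []
    for entry in ranges.get(key, []):
        if entry["service"] not in services or entry["region"] not in regions:
            continue
        net = ipaddress.ip_network(entry[field])
        if addr in net:  # containment test, not a string match on the address
            hits.append((net, entry["region"], entry["service"]))
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)  # most specific first
    return [(str(net), region, service) for net, region, service in hits]


if __name__ == "__main__":
    for ip in ("52.23.194.202", "203.0.113.7"):
        print(ip, find_blocks(ip, RANGES) or "not in the filtered ranges")
```

A literal address such as 52.23.194.202 never appears in the file, so a text search finds nothing even though the address is covered by a listed block.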
Thank you for your reply. The flag you mentioned (atlassian-ip-ranges:true) worked perfectly for us.
@Patrik S we are facing the same issues that @Michael Klassen mentioned.
We use the default 1x size and for the past few days all our deployments have been failing. I have added "curl ifconfig.me" to show the public IP; here are some of them: 3.239.227.205, 107.20.98.94, 3.219.33.11, 34.205.69.158, 54.167.148.39.
But none of them are present in https://ip-ranges.amazonaws.com/ip-ranges.json.
How are we supposed to use https://ip-ranges.amazonaws.com/ip-ranges.json? Or maybe we are missing something?
same problem here
It's an annoyance to have the increased cost to have a list of IP addresses.
It's a major error to have an incorrect list of IP addresses.
Now this breaks all pipeline builds for us unless we get lucky and it uses one of the original IP addresses that Atlassian has listed in their own IP listings.
Hi @Michael Klassen - I'm the Product Manager for Bitbucket Pipelines. Wanted to quickly reach out re: your comments around the increased cost for static IP's.
If you haven't already seen it, I posted this update a few months ago going into the details of exactly why this change was necessary in order to be able to continue offering Pipelines with a pricing structure that was fair to all customers.
In particular, I explained the reasoning behind restricting static IP's to 4/8x steps instead of creating a separate "static-IP" add-on concept that would work with 1/2x steps. A few customers have had feedback regarding this reasoning which has been very helpful for us in terms of understanding some of the edge-cases people are encountering in regards to the pricing/value changes. Likewise, if you have any specific feedback you would like to share, I'd be keen to hear it.