CircleCi Source IP

networking

#1

Can you please let us know CircleCI's public IP? This is needed for setting up port forwarding to enable CircleCI to trigger automation execution on our private hosted servers.


#2

Hi!

We deploy machines in US-East and US-West on AWS. There is no single IP address and there is no great way to predict where your builds will run. This means that you will need to whitelist the entire ranges for US-East and US-West.


#3

We are running system integration tests against our production service as well. In that context opening up the whole IP range is unacceptable.
We are currently unable to run said tests and have to do so manually from a developer’s machine.
Is there any plan on providing a specific range of IPs or alternatively the security group?


#4

We do not have any immediate plans for this, but if this would be useful for you I would encourage you to add a feature request here on this site.


#5

I’m confused. It used to be security groups, right? What happened to that? Wasn’t it 183081753049/sg-f98a8290?


#6

That only works with EC2-classic, which isn’t available to new customers, and it’s likely that CircleCI has migrated to VPC themselves.


#7

Are the AWS IP ranges used by CircleCI still US-East and US-West? There used to be more info at https://circleci.com/docs/ec2ip-and-security-group, but that page is down.


#8

Is this still the case or are you guys using a fixed range now?


#9

Yes they are. No way to limit down further.


#10

A solution we used was to add a custom script to run in the beginning that gets the public ip address of the current box and calls the AWS CLI to add an inbound security rule on the fly. Then we do the opposite and remove that rule at the end of the script. Here’s the sample code:

To Remove the Old Values
this removes all existing rules - adjust if you need to keep some

```bash
# Fetch the current rules of the security group as JSON
current_security_group=$(aws ec2 describe-security-groups --region us-west-2 --group-ids sg-e747959f)
ip_count=$(echo "${current_security_group}" | jq -r '.SecurityGroups[0].IpPermissions | length')
# -gt compares numerically (a bare > inside [ ] is a redirection to a file named "0")
if [ "${ip_count}" -gt 0 ]; then
    for (( n=0; n < $ip_count; n++ ))
    do
        # Each IpPermissions entry is one port; FromPort is null for all-protocol rules
        this_port=$(echo "${current_security_group}" | jq -r ".SecurityGroups[0].IpPermissions[${n}].FromPort")
        cidr_count=$(echo "${current_security_group}" | jq -r ".SecurityGroups[0].IpPermissions[${n}].IpRanges | length")
        for (( c=0; c < $cidr_count; c++ ))
        do
            # Revoke every IPv4 CIDR attached to this port
            this_cidr=$(echo "${current_security_group}" | jq -r ".SecurityGroups[0].IpPermissions[${n}].IpRanges[${c}].CidrIp")
            aws ec2 revoke-security-group-ingress --region us-west-2 --group-id sg-e747959f --protocol tcp --port "${this_port}" --cidr "${this_cidr}"
        done
    done
fi
```

To Add the Current Public IP Address
ip-permissions is an array so add more ports as needed

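```bash
# Look up this machine's public IP over HTTPS so the value placed in the rule cannot be altered in transit
public_ip_address=$(wget -qO- https://checkip.amazonaws.com)
echo "this computers public ip address is $public_ip_address"
# Replace the <...> placeholders before running; the rule admits only this single address (/32)
aws ec2 authorize-security-group-ingress --region <YOUR_REGION> --group-id <YOUR_SECURITY_GROUP_ID> --ip-permissions "[{\"IpProtocol\": \"tcp\", \"FromPort\": <YOUR_PORT_YOU_NEED_OPEN>, \"ToPort\": <YOUR_PORT_YOU_NEED_OPEN>, \"IpRanges\": [{\"CidrIp\": \"${public_ip_address}/32\"}]}]"
```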
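
A variant of the approach in post #10, as an added example that is not part of the original post: it validates the looked-up address, revokes only the rule it added instead of clearing the group, and closes the rule even when the wrapped command fails. The function names and the `<region> <security-group-id> <port> <command...>` calling convention are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread; function names are hypothetical.
# Usage: ./runner-access.sh <region> <security-group-id> <port> <command...>

runner_public_ip() {
    # HTTPS, so the address that ends up in the rule cannot be altered in transit.
    wget -qO- --timeout=10 https://checkip.amazonaws.com
}

valid_ipv4() {
    # Accept only a dotted quad with octets 0-255; an error page or an empty
    # reply must never reach the --ip-permissions argument.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

ingress_json() {  # $1 = IP address, $2 = TCP port
    printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s/32"}]}]' "$2" "$2" "$1"
}

revoke_rule() {  # removes exactly the rule described by $perms, nothing else
    aws ec2 revoke-security-group-ingress --region "$region" --group-id "$group" \
        --ip-permissions "$perms" || echo "WARNING: ingress rule for $ip left open" >&2
}

with_runner_access() {
    region=$1 group=$2 port=$3; shift 3
    ip=$(runner_public_ip) || return 1
    valid_ipv4 "$ip" || { echo "unexpected IP lookup reply, not opening access" >&2; return 1; }
    perms=$(ingress_json "$ip" "$port")
    aws ec2 authorize-security-group-ingress --region "$region" --group-id "$group" --ip-permissions "$perms" || return 1
    trap 'revoke_rule; exit 130' INT TERM   # cancelled job: still close the rule
    cmd_rc=0
    "$@" || cmd_rc=$?                       # run the tests or deploy step
    trap - INT TERM
    revoke_rule
    return "$cmd_rc"
}

if [ "$#" -gt 0 ]; then with_runner_access "$@"; fi
```

The credentials used by the job need only `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` on the one security group.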

#11

I currently have whitelisted an enormous list of IPs from the regions us-east-1, us-west-1, us-west-2. Which isn’t optimal at all. Still deployments failed. Seems my CI box uses an IP not listed in these regions.

What could be up? Are there other regions added recently?


#12

We did expand to us-east-2 recently to keep up with capacity requirements.


#13

Is there anywhere we can read about such changes?


#14

Thank you for the excellent solution. :slight_smile:

