github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: add more specific IP ranges for Relays (#5282)

Browse Source 
Needed for customers with restrictive network environments.
This commit is contained in:
Jamil
2024-06-10 17:22:20 -06:00
committed by GitHub
parent 926e26f578
commit 948f5515d5
3 changed files with 338 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
terraform/environments/production/relays.tf
View File

@@ -4,6 +4,9 @@ module "relays" {
source = "../../modules/google-cloud/apps/relay"
project_id = module.google-cloud-project.project.project_id
# TODO: Remember to update the following published documentation when this changes:
# - /website/src/app/kb/deploy/gateways/readme.mdx
# - /website/src/app/kb/architecture/tech-stack/readme.mdx
instances = {
"asia-east1" = {
cidr_range = "10.129.0.0/24"

328
website/public/relay-ips.json Normal file
View File

@@ -0,0 +1,328 @@
{
"asia-east1": {
"ipv4": [
"34.80.0.0/15",
"34.137.0.0/16",
"35.185.128.0/19",
"35.185.160.0/20",
"35.187.144.0/20",
"35.189.160.0/19",
"35.194.128.0/17",
"35.201.128.0/17",
"35.206.192.0/18",
"35.220.32.0/21",
"35.221.128.0/17",
"35.229.128.0/17",
"35.234.0.0/18",
"35.235.16.0/20",
"35.236.128.0/18",
"35.242.32.0/21",
"104.155.192.0/19",
"104.155.224.0/20",
"104.199.128.0/18",
"104.199.192.0/19",
"104.199.224.0/20",
"104.199.242.0/23",
"104.199.244.0/22",
"104.199.248.0/21",
"107.167.176.0/20",
"130.211.240.0/20"
],
"ipv6": ["2600:1900:4030::/44"]
},
"asia-south1": {
"ipv4": [
"34.0.227.0/24",
"34.47.128.0/17",
"34.93.0.0/16",
"34.100.128.0/17",
"34.104.108.0/23",
"34.124.44.0/23",
"34.152.64.0/22",
"34.157.87.0/24",
"34.157.215.0/24",
"34.177.32.0/22",
"35.200.128.0/17",
"35.201.41.0/24",
"35.207.192.0/18",
"35.220.42.0/24",
"35.234.208.0/20",
"35.242.42.0/24",
"35.244.0.0/18"
],
"ipv6": ["2600:1900:40a0::/44"]
},
"australia-southeast1": {
"ipv4": [
"34.40.128.0/17",
"34.87.192.0/18",
"34.104.104.0/23",
"34.116.64.0/18",
"34.124.40.0/23",
"34.128.36.0/24",
"34.128.48.0/24",
"34.151.64.0/18",
"34.151.128.0/18",
"35.189.0.0/18",
"35.197.160.0/19",
"35.201.0.0/19",
"35.213.192.0/18",
"35.220.41.0/24",
"35.234.224.0/20",
"35.242.41.0/24",
"35.244.64.0/18"
],
"ipv6": ["2600:1900:40b0::/44"]
},
"europe-west1": {
"ipv4": [
"8.34.208.0/23",
"8.34.211.0/24",
"8.34.220.0/22",
"23.251.128.0/20",
"34.22.112.0/20",
"34.22.128.0/17",
"34.34.128.0/18",
"34.38.0.0/16",
"34.76.0.0/14",
"34.118.254.0/23",
"34.140.0.0/16",
"35.187.0.0/17",
"35.187.160.0/19",
"35.189.192.0/18",
"35.190.192.0/19",
"35.195.0.0/16",
"35.205.0.0/16",
"35.206.128.0/18",
"35.210.0.0/16",
"35.220.96.0/19",
"35.233.0.0/17",
"35.240.0.0/17",
"35.241.128.0/17",
"35.242.64.0/19",
"104.155.0.0/17",
"104.199.0.0/18",
"104.199.66.0/23",
"104.199.68.0/22",
"104.199.72.0/21",
"104.199.80.0/20",
"104.199.96.0/20",
"130.211.48.0/20",
"130.211.64.0/19",
"130.211.96.0/20",
"146.148.2.0/23",
"146.148.4.0/22",
"146.148.8.0/21",
"146.148.16.0/20",
"146.148.112.0/20",
"192.158.28.0/22"
],
"ipv6": ["2600:1900:4010::/44"]
},
"southamerica-east1": {
"ipv4": [
"34.39.128.0/17",
"34.95.128.0/17",
"34.104.80.0/21",
"34.124.16.0/21",
"34.151.0.0/18",
"34.151.192.0/18",
"35.198.0.0/18",
"35.199.64.0/18",
"35.215.192.0/18",
"35.220.40.0/24",
"35.235.0.0/20",
"35.242.40.0/24",
"35.247.192.0/18"
],
"ipv6": ["2600:1900:40f0::/44"]
},
"us-central1": {
"ipv4": [
"8.34.210.0/24",
"8.34.212.0/22",
"8.34.216.0/22",
"8.35.192.0/21",
"23.236.48.0/20",
"23.251.144.0/20",
"34.0.225.0/24",
"34.16.0.0/17",
"34.27.0.0/16",
"34.28.0.0/14",
"34.33.0.0/16",
"34.41.0.0/16",
"34.42.0.0/16",
"34.44.0.0/15",
"34.46.0.0/16",
"34.66.0.0/15",
"34.68.0.0/14",
"34.72.0.0/16",
"34.118.200.0/21",
"34.121.0.0/16",
"34.122.0.0/15",
"34.128.32.0/22",
"34.132.0.0/14",
"34.136.0.0/16",
"34.157.84.0/23",
"34.157.96.0/20",
"34.157.212.0/23",
"34.157.224.0/20",
"34.170.0.0/15",
"34.172.0.0/15",
"34.177.52.0/22",
"35.184.0.0/16",
"35.188.0.0/17",
"35.188.128.0/18",
"35.188.192.0/19",
"35.192.0.0/15",
"35.194.0.0/18",
"35.202.0.0/16",
"35.206.64.0/18",
"35.208.0.0/15",
"35.220.64.0/19",
"35.222.0.0/15",
"35.224.0.0/15",
"35.226.0.0/16",
"35.232.0.0/16",
"35.238.0.0/15",
"35.242.96.0/19",
"104.154.16.0/20",
"104.154.32.0/19",
"104.154.64.0/19",
"104.154.96.0/20",
"104.154.113.0/24",
"104.154.114.0/23",
"104.154.116.0/22",
"104.154.120.0/23",
"104.154.128.0/17",
"104.155.128.0/18",
"104.197.0.0/16",
"104.198.16.0/20",
"104.198.32.0/19",
"104.198.64.0/20",
"104.198.128.0/17",
"107.178.208.0/20",
"108.59.80.0/21",
"130.211.112.0/20",
"130.211.128.0/18",
"130.211.192.0/19",
"130.211.224.0/20",
"146.148.32.0/19",
"146.148.64.0/19",
"146.148.96.0/20",
"162.222.176.0/21",
"173.255.112.0/21",
"199.192.115.0/24",
"199.223.232.0/22",
"199.223.236.0/24"
],
"ipv6": ["2600:1900:4000::/44"]
},
"us-east1": {
"ipv4": [
"34.23.0.0/16",
"34.24.0.0/15",
"34.26.0.0/16",
"34.73.0.0/16",
"34.74.0.0/15",
"34.98.128.0/21",
"34.118.250.0/23",
"34.138.0.0/15",
"34.148.0.0/16",
"34.152.72.0/21",
"34.177.40.0/21",
"35.185.0.0/17",
"35.190.128.0/18",
"35.196.0.0/16",
"35.207.0.0/18",
"35.211.0.0/16",
"35.220.0.0/20",
"35.227.0.0/17",
"35.229.16.0/20",
"35.229.32.0/19",
"35.229.64.0/18",
"35.231.0.0/16",
"35.237.0.0/16",
"35.242.0.0/20",
"35.243.128.0/17",
"104.196.0.0/18",
"104.196.65.0/24",
"104.196.66.0/23",
"104.196.68.0/22",
"104.196.96.0/19",
"104.196.128.0/18",
"104.196.192.0/19",
"162.216.148.0/22"
],
"ipv6": ["2600:1900:4020::/44"]
},
"us-west2": {
"ipv4": [
"34.20.128.0/17",
"34.94.0.0/16",
"34.102.0.0/17",
"34.104.64.0/21",
"34.108.0.0/16",
"34.118.248.0/23",
"34.124.0.0/21",
"35.215.64.0/18",
"35.220.47.0/24",
"35.235.64.0/18",
"35.236.0.0/17",
"35.242.47.0/24",
"35.243.0.0/21"
],
"ipv6": ["2600:1900:4120::/44"]
},
"europe-central2": {
"ipv4": [
"34.0.240.0/20",
"34.104.116.0/22",
"34.116.128.0/17",
"34.118.0.0/17",
"34.124.52.0/22"
],
"ipv6": ["2600:1900:4140::/44"]
},
"europe-north1": {
"ipv4": [
"34.88.0.0/16",
"34.104.96.0/21",
"34.124.32.0/21",
"35.203.232.0/21",
"35.217.0.0/18",
"35.220.26.0/24",
"35.228.0.0/16",
"35.242.26.0/24"
],
"ipv6": ["2600:1900:4150::/44"]
},
"europe-west2": {
"ipv4": [
"34.39.0.0/17",
"34.89.0.0/17",
"34.105.128.0/17",
"34.127.186.0/23",
"34.128.52.0/22",
"34.142.0.0/17",
"34.147.128.0/17",
"34.157.36.0/22",
"34.157.40.0/22",
"34.157.168.0/22",
"35.189.64.0/18",
"35.197.192.0/18",
"35.203.210.0/23",
"35.203.212.0/22",
"35.203.216.0/22",
"35.214.0.0/17",
"35.220.20.0/22",
"35.230.128.0/19",
"35.234.128.0/19",
"35.235.48.0/20",
"35.242.20.0/22",
"35.242.128.0/18",
"35.246.0.0/17"
],
"ipv6": ["2600:1900:40c0::/44"]
}
}

14
website/src/app/kb/deploy/gateways/readme.mdx
View File

@@ -34,13 +34,13 @@ function**.
If the network in which your Gateway is deployed applies egress filtering,
you'll need to make sure the following outbound traffic is allowed:
| Host | (IP Address) | Port(s) | Protocol(s) | Purpose |
| ---------------------------- | -------------------- | ------------- | --------------- | -------------------------- |
| api.firezone.dev | `34.102.202.25` | `443` | HTTPS/WebSocket | Control Plane API (IPv4) |
| api.firezone.dev | `2600:1901:0:620b::` | `443` | HTTPS/WebSocket | Control Plane API (IPv6) |
| N/A | Varies | `3478` | STUN | STUN protocol signaling |
| N/A | Varies | `49152-65535` | TURN | TURN protocol channel data |
| github.com, www.firezone.dev | Varies | `443` | HTTPS | Gateway upgrades |
| Host | IP Address | Port(s) | Protocol(s) | Purpose |
| ---------------------------- | ------------------------------------- | ------------- | --------------- | --------------------------------------------------------------- |
| api.firezone.dev | `34.102.202.25` | `443` | HTTPS/WebSocket | Control Plane API (IPv4) |
| api.firezone.dev | `2600:1901:0:620b::` | `443` | HTTPS/WebSocket | Control Plane API (IPv6) |
| N/A | See [relay-ips.json](/relay-ips.json) | `3478` | STUN | STUN protocol signaling |
| N/A | See [relay-ips.json](/relay-ips.json) | `49152-65535` | TURN | TURN protocol channel data |
| github.com, www.firezone.dev | Varies | `443` | HTTPS | Only required for [Gateway upgrades](/kb/administer/upgrading). |
## Where to deploy Gateways