From 948f5515d5e13b84dc1da3592999ca418dfde23e Mon Sep 17 00:00:00 2001
From: Jamil
Date: Mon, 10 Jun 2024 17:22:20 -0600
Subject: [PATCH] docs: add more specific IP ranges for Relays (#5282)
Needed for customers with restrictive network environments.
---
terraform/environments/production/relays.tf | 3 +
website/public/relay-ips.json | 328 ++++++++++++++++++
website/src/app/kb/deploy/gateways/readme.mdx | 14 +-
3 files changed, 338 insertions(+), 7 deletions(-)
create mode 100644 website/public/relay-ips.json
diff --git a/terraform/environments/production/relays.tf b/terraform/environments/production/relays.tf
index 9f9f5b56a..17715bb5e 100644
--- a/terraform/environments/production/relays.tf
+++ b/terraform/environments/production/relays.tf
@@ -4,6 +4,9 @@ module "relays" {
source = "../../modules/google-cloud/apps/relay"
project_id = module.google-cloud-project.project.project_id
+ # TODO: Remember to update the following published documentation when this changes:
+ # - /website/src/app/kb/deploy/gateways/readme.mdx
+ # - /website/src/app/kb/architecture/tech-stack/readme.mdx
instances = {
"asia-east1" = {
cidr_range = "10.129.0.0/24"
diff --git a/website/public/relay-ips.json b/website/public/relay-ips.json
new file mode 100644
index 000000000..feb795058
--- /dev/null
+++ b/website/public/relay-ips.json
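Review bot: The new TODO names the two readme pages but not `website/public/relay-ips.json`, which this same patch turns into the published allow-list the gateway readme sends customers to; when the `instances` map changes, that JSON is the artifact that silently goes stale and either breaks customer egress or leaves it wider than needed. Add it as the first entry: `# - /website/public/relay-ips.json`. A comment only helps if someone reads it at the right moment, so consider pairing it with a CI check that compares the region keys in the JSON against the keys of `instances` (they appear to be the same GCP region names) and fails on drift. The `instances` map continues past the end of this hunk.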
@@ -0,0 +1,328 @@ +{ + "asia-east1": { + "ipv4": [ + "34.80.0.0/15", + "34.137.0.0/16", + "35.185.128.0/19", + "35.185.160.0/20", + "35.187.144.0/20", + "35.189.160.0/19", + "35.194.128.0/17", + "35.201.128.0/17", + "35.206.192.0/18", + "35.220.32.0/21", + "35.221.128.0/17", + "35.229.128.0/17", + "35.234.0.0/18", + "35.235.16.0/20", + "35.236.128.0/18", + "35.242.32.0/21", + "104.155.192.0/19", + "104.155.224.0/20", + "104.199.128.0/18", + "104.199.192.0/19", + "104.199.224.0/20", + "104.199.242.0/23", + "104.199.244.0/22", + "104.199.248.0/21", + "107.167.176.0/20", + "130.211.240.0/20" + ], + "ipv6": ["2600:1900:4030::/44"] + }, + "asia-south1": { + "ipv4": [ + "34.0.227.0/24", + "34.47.128.0/17", + "34.93.0.0/16", + "34.100.128.0/17", + "34.104.108.0/23", + "34.124.44.0/23", + "34.152.64.0/22", + "34.157.87.0/24", + "34.157.215.0/24", + "34.177.32.0/22", + "35.200.128.0/17", + "35.201.41.0/24", + "35.207.192.0/18", + "35.220.42.0/24", + "35.234.208.0/20", + "35.242.42.0/24", + "35.244.0.0/18" + ], + "ipv6": ["2600:1900:40a0::/44"] + }, + "australia-southeast1": { + "ipv4": [ + "34.40.128.0/17", + "34.87.192.0/18", + "34.104.104.0/23", + "34.116.64.0/18", + "34.124.40.0/23", + "34.128.36.0/24", + "34.128.48.0/24", + "34.151.64.0/18", + "34.151.128.0/18", + "35.189.0.0/18", + "35.197.160.0/19", + "35.201.0.0/19", + "35.213.192.0/18", + "35.220.41.0/24", + "35.234.224.0/20", + "35.242.41.0/24", + "35.244.64.0/18" + ], + "ipv6": ["2600:1900:40b0::/44"] + }, + "europe-west1": { + "ipv4": [ + "8.34.208.0/23", + "8.34.211.0/24", + "8.34.220.0/22", + "23.251.128.0/20", + "34.22.112.0/20", + "34.22.128.0/17", + "34.34.128.0/18", + "34.38.0.0/16", + "34.76.0.0/14", + "34.118.254.0/23", + "34.140.0.0/16", + "35.187.0.0/17", + "35.187.160.0/19", + "35.189.192.0/18", + "35.190.192.0/19", + "35.195.0.0/16", + "35.205.0.0/16", + "35.206.128.0/18", + "35.210.0.0/16", + "35.220.96.0/19", + "35.233.0.0/17", + "35.240.0.0/17", + "35.241.128.0/17", + "35.242.64.0/19", + 
"104.155.0.0/17", + "104.199.0.0/18", + "104.199.66.0/23", + "104.199.68.0/22", + "104.199.72.0/21", + "104.199.80.0/20", + "104.199.96.0/20", + "130.211.48.0/20", + "130.211.64.0/19", + "130.211.96.0/20", + "146.148.2.0/23", + "146.148.4.0/22", + "146.148.8.0/21", + "146.148.16.0/20", + "146.148.112.0/20", + "192.158.28.0/22" + ], + "ipv6": ["2600:1900:4010::/44"] + }, + "southamerica-east1": { + "ipv4": [ + "34.39.128.0/17", + "34.95.128.0/17", + "34.104.80.0/21", + "34.124.16.0/21", + "34.151.0.0/18", + "34.151.192.0/18", + "35.198.0.0/18", + "35.199.64.0/18", + "35.215.192.0/18", + "35.220.40.0/24", + "35.235.0.0/20", + "35.242.40.0/24", + "35.247.192.0/18" + ], + "ipv6": ["2600:1900:40f0::/44"] + }, + "us-central1": { + "ipv4": [ + "8.34.210.0/24", + "8.34.212.0/22", + "8.34.216.0/22", + "8.35.192.0/21", + "23.236.48.0/20", + "23.251.144.0/20", + "34.0.225.0/24", + "34.16.0.0/17", + "34.27.0.0/16", + "34.28.0.0/14", + "34.33.0.0/16", + "34.41.0.0/16", + "34.42.0.0/16", + "34.44.0.0/15", + "34.46.0.0/16", + "34.66.0.0/15", + "34.68.0.0/14", + "34.72.0.0/16", + "34.118.200.0/21", + "34.121.0.0/16", + "34.122.0.0/15", + "34.128.32.0/22", + "34.132.0.0/14", + "34.136.0.0/16", + "34.157.84.0/23", + "34.157.96.0/20", + "34.157.212.0/23", + "34.157.224.0/20", + "34.170.0.0/15", + "34.172.0.0/15", + "34.177.52.0/22", + "35.184.0.0/16", + "35.188.0.0/17", + "35.188.128.0/18", + "35.188.192.0/19", + "35.192.0.0/15", + "35.194.0.0/18", + "35.202.0.0/16", + "35.206.64.0/18", + "35.208.0.0/15", + "35.220.64.0/19", + "35.222.0.0/15", + "35.224.0.0/15", + "35.226.0.0/16", + "35.232.0.0/16", + "35.238.0.0/15", + "35.242.96.0/19", + "104.154.16.0/20", + "104.154.32.0/19", + "104.154.64.0/19", + "104.154.96.0/20", + "104.154.113.0/24", + "104.154.114.0/23", + "104.154.116.0/22", + "104.154.120.0/23", + "104.154.128.0/17", + "104.155.128.0/18", + "104.197.0.0/16", + "104.198.16.0/20", + "104.198.32.0/19", + "104.198.64.0/20", + "104.198.128.0/17", + "107.178.208.0/20", + 
"108.59.80.0/21", + "130.211.112.0/20", + "130.211.128.0/18", + "130.211.192.0/19", + "130.211.224.0/20", + "146.148.32.0/19", + "146.148.64.0/19", + "146.148.96.0/20", + "162.222.176.0/21", + "173.255.112.0/21", + "199.192.115.0/24", + "199.223.232.0/22", + "199.223.236.0/24" + ], + "ipv6": ["2600:1900:4000::/44"] + }, + "us-east1": { + "ipv4": [ + "34.23.0.0/16", + "34.24.0.0/15", + "34.26.0.0/16", + "34.73.0.0/16", + "34.74.0.0/15", + "34.98.128.0/21", + "34.118.250.0/23", + "34.138.0.0/15", + "34.148.0.0/16", + "34.152.72.0/21", + "34.177.40.0/21", + "35.185.0.0/17", + "35.190.128.0/18", + "35.196.0.0/16", + "35.207.0.0/18", + "35.211.0.0/16", + "35.220.0.0/20", + "35.227.0.0/17", + "35.229.16.0/20", + "35.229.32.0/19", + "35.229.64.0/18", + "35.231.0.0/16", + "35.237.0.0/16", + "35.242.0.0/20", + "35.243.128.0/17", + "104.196.0.0/18", + "104.196.65.0/24", + "104.196.66.0/23", + "104.196.68.0/22", + "104.196.96.0/19", + "104.196.128.0/18", + "104.196.192.0/19", + "162.216.148.0/22" + ], + "ipv6": ["2600:1900:4020::/44"] + }, + "us-west2": { + "ipv4": [ + "34.20.128.0/17", + "34.94.0.0/16", + "34.102.0.0/17", + "34.104.64.0/21", + "34.108.0.0/16", + "34.118.248.0/23", + "34.124.0.0/21", + "35.215.64.0/18", + "35.220.47.0/24", + "35.235.64.0/18", + "35.236.0.0/17", + "35.242.47.0/24", + "35.243.0.0/21" + ], + "ipv6": ["2600:1900:4120::/44"] + }, + "europe-central2": { + "ipv4": [ + "34.0.240.0/20", + "34.104.116.0/22", + "34.116.128.0/17", + "34.118.0.0/17", + "34.124.52.0/22" + ], + "ipv6": ["2600:1900:4140::/44"] + }, + "europe-north1": { + "ipv4": [ + "34.88.0.0/16", + "34.104.96.0/21", + "34.124.32.0/21", + "35.203.232.0/21", + "35.217.0.0/18", + "35.220.26.0/24", + "35.228.0.0/16", + "35.242.26.0/24" + ], + "ipv6": ["2600:1900:4150::/44"] + }, + "europe-west2": { + "ipv4": [ + "34.39.0.0/17", + "34.89.0.0/17", + "34.105.128.0/17", + "34.127.186.0/23", + "34.128.52.0/22", + "34.142.0.0/17", + "34.147.128.0/17", + "34.157.36.0/22", + "34.157.40.0/22", + 
"34.157.168.0/22", + "35.189.64.0/18", + "35.197.192.0/18", + "35.203.210.0/23", + "35.203.212.0/22", + "35.203.216.0/22", + "35.214.0.0/17", + "35.220.20.0/22", + "35.230.128.0/19", + "35.234.128.0/19", + "35.235.48.0/20", + "35.242.20.0/22", + "35.242.128.0/18", + "35.246.0.0/17" + ], + "ipv6": ["2600:1900:40c0::/44"] + } +} diff --git a/website/src/app/kb/deploy/gateways/readme.mdx b/website/src/app/kb/deploy/gateways/readme.mdx index ca72b5891..5de802176 100644 --- a/website/src/app/kb/deploy/gateways/readme.mdx +++ b/website/src/app/kb/deploy/gateways/readme.mdx 
@@ -34,13 +34,13 @@ function**.
If the network in which your Gateway is deployed applies egress filtering, you'll need to make sure the following outbound traffic is allowed:
-| Host | (IP Address) | Port(s) | Protocol(s) | Purpose |
-| ---------------------------- | -------------------- | ------------- | --------------- | -------------------------- |
-| api.firezone.dev | `34.102.202.25` | `443` | HTTPS/WebSocket | Control Plane API (IPv4) |
-| api.firezone.dev | `2600:1901:0:620b::` | `443` | HTTPS/WebSocket | Control Plane API (IPv6) |
-| N/A | Varies | `3478` | STUN | STUN protocol signaling |
-| N/A | Varies | `49152-65535` | TURN | TURN protocol channel data |
-| github.com, www.firezone.dev | Varies | `443` | HTTPS | Gateway upgrades |
+| Host | IP Address | Port(s) | Protocol(s) | Purpose |
+| ---------------------------- | ------------------------------------- | ------------- | --------------- | --------------------------------------------------------------- |
+| api.firezone.dev | `34.102.202.25` | `443` | HTTPS/WebSocket | Control Plane API (IPv4) |
+| api.firezone.dev | `2600:1901:0:620b::` | `443` | HTTPS/WebSocket | Control Plane API (IPv6) |
+| N/A | See [relay-ips.json](/relay-ips.json) | `3478` | STUN | STUN protocol signaling |
+| N/A | See [relay-ips.json](/relay-ips.json) | `49152-65535` | TURN | TURN protocol channel data |
+| github.com, www.firezone.dev | Varies | `443` | HTTPS | Only required for [Gateway upgrades](/kb/administer/upgrading). |
## Where to deploy Gateways