Enable CircleCI jobs to go through a set of well-defined IP address ranges.
- IP ranges: use cases
- Example configuration file using IP ranges
- List of IP address ranges associated with the IP ranges feature
- AWS and GCP IP Addresses
- Known limitations
IP ranges is a feature for CircleCI customers who need to configure IP-based access to their restricted environments. As part of this feature, CircleCI provides a list of well-defined IP address ranges associated with the CircleCI service. CircleCI jobs that have this feature enabled will have their traffic routed through one of the defined IP address ranges.
The feature is currently available in preview to customers on a Performance or Scale plan. Pricing will be calculated based on network data usage of jobs that have opted in to using the IP ranges feature. There is no charge while the feature is in preview and pricing details will be shared once the feature is generally available.
IP ranges: use cases
IP ranges lets you limit inbound connections to your infrastructure to only IP address ranges that are verifiably associated with CircleCI.
Some example use cases where IP-based restricted access might be desired include:
- Accessing private artifact repositories
- Pulling dependencies from a CocoaPods proxy hosted behind a firewall
- Running test cases on an internal environment
- Performing integration testing against private AWS resources
- Deploying an internal app with sensitive data
- Granting access to a production network
Prior to offering IP ranges, the only solution CircleCI offered to configure and control static IP addresses was CircleCI’s Runner. IP ranges now enables you to meet your IP-based security and compliance requirements using your existing workflows and platform.
Example configuration file using IP ranges
version: 2.1 jobs: build: circleci_ip_ranges: true # opts the job into the IP ranges feature docker: - image: curlimages/curl steps: - run: echo “Hello World” workflows: build-workflow: jobs: - build
List of IP address ranges associated with the IP ranges feature
Last updated: 2021-08-23
Jobs that have been opted into the IP ranges feature will have one of the following IP address ranges associated with them:
Note: jobs can use any of the address ranges above. It is also important to note that the address ranges are shared by all CircleCI customers who have opted into using the feature.
IP address ranges for core services (used to trigger jobs, exchange information about users between CircleCI and Github etc):
Upcoming changes to the list of IP address ranges
- Added new items to the list of IP address ranges for core services.
The machine-consumable lists have also been updated to reflect the new IP address ranges.
Machine-consumable lists can be found below:
IP address ranges for jobs: DNS A record.
IP address ranges for core services: DNS A record.
All IP address ranges: DNS A record.
During the preview phase, this list may change. You should check regularly for updates, at least once a week.
Notifications of a change to this list will be sent out by email to all customers who have at least one job opted into the IP ranges feature. When the feature is generally available, 30 days notice will be given before changes are made to the existing set of IP address ranges. This page and the machine-consumable list will also be updated when there are upcoming changes.
Pricing will be calculated based on network data usage of jobs opted into the IP ranges feature, however, only the traffic of the opted-in jobs will be counted. It is possible to mix jobs with and without the IP ranges feature within the same workflow or pipeline.
Specific rates and details are being finalized and will be published when the feature is generally available.
While IP ranges is in preview, CircleCI may contact you if the amount of traffic sent through this feature reaches an excessive threshold.
AWS and GCP IP Addresses
The machines that execute all jobs on CircleCI’s platform, not just jobs opted into IP ranges, are hosted on Amazon Web Services (AWS), Google Cloud Platform (GCP), and CircleCI’s macOS Cloud. An exhaustive list of IP addresses that CircleCI’s traffic may come from on these cloud providers’ platforms can be found by looking up each cloud provider’s IP address ranges. AWS & GCP offer endpoints to find this information.
- AWS: CircleCI uses the us-east-1 and us-east-2 regions
- GCP: CircleCI uses the us-east1 and us-central1 regions
- CircleCI macOS Cloud:
CircleCI does not recommend configuring an IP-based firewall based on the AWS or GCP IP addresses, as the vast majority are not CircleCI’s machines. Additionally, there is no guarantee that the addresses in the AWS or GCP endpoints persist from day-to-day, as these addresses are reassigned continuously.
IP ranges is the recommended method for configuring an IP-based firewall to allow traffic from CircleCI’s platform.
- IP ranges is currently available exclusively for the Docker executor, not including
- When downloading or uploading files larger than ~10 MB during execution of jobs with IP ranges enabled, intermittently, the job may receive TCP reset (RST) packets and drop the connection. This could cause the job to fail if there is no retry logic in place while downloading/uploading the file. CircleCI recommends including robust retry mechanisms in your config when attempting to download/upload large files during execution of jobs with IP ranges enabled. For example, if your job uses curl to download/upload a large file, include the
--retry <num>flag and set
<num>to a large number such as 1,000.
Help make this document better
This guide, as well as the rest of our docs, are open-source and available on GitHub. We welcome your contributions.
- Suggest an edit to this page (please read the contributing guide first).
- To report a problem in the documentation, or to submit feedback and comments, please open an issue on GitHub.
- CircleCI is always seeking ways to improve your experience with our platform. If you would like to share feedback, please join our research community.
CircleCI Documentation by CircleCI is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.