Enable CircleCI jobs to go through a set of well-defined IP address ranges.
- IP ranges: use cases
- Example configuration file using IP ranges
- List of IP address ranges associated with the IP ranges feature
- AWS and GCP IP Addresses
- Known limitations
IP ranges is a feature for CircleCI customers who need to configure IP-based access to their restricted environments. As part of this feature, CircleCI provides a list of well-defined IP address ranges associated with the CircleCI service. CircleCI jobs that have this feature enabled will have their traffic routed through one of the defined IP address ranges.
The feature is currently available in preview to customers on a Performance, Custom, or Scale plan.
IP ranges: use cases
IP ranges lets you limit inbound connections to your infrastructure to only IP address ranges that are verifiably associated with CircleCI.
Some example use cases where IP-based restricted access might be desired include:
- Accessing private artifact repositories
- Pulling dependencies from a CocoaPods proxy hosted behind a firewall
- Running test cases on an internal environment
- Performing integration testing against private AWS resources
- Deploying an internal app with sensitive data
- Granting access to a production network
Prior to offering IP ranges, the only solution CircleCI offered to configure and control static IP addresses was CircleCI’s Runner. IP ranges now enables you to meet your IP-based security and compliance requirements using your existing workflows and platform.
Example configuration file using IP ranges
version: 2.1 jobs: build: circleci_ip_ranges: true # opts the job into the IP ranges feature docker: - image: curlimages/curl steps: - run: echo “Hello World” workflows: build-workflow: jobs: - build
List of IP address ranges associated with the IP ranges feature
Last updated: 07/21/2021
Jobs that have been opted into the IP ranges feature will have one of the following IP address ranges associated with them:
Note: jobs can use any of the address ranges above. It is also important to note that the address ranges are shared by all CircleCI customers who have opted into using the feature.
IP address ranges for core services (used to trigger jobs, exchange information about users between CircleCI and Github etc):
Upcoming Changes to list of IP address ranges (Last Updated: 07/21/2021): None
Machine-consumable lists can be found below:
IP address ranges for jobs: DNS A record.
IP address ranges for core services: DNS A record.
All IP address ranges: DNS A record.
During the preview phase, this list may change. You should check regularly for updates, at least once a week.
Notifications of a change to this list will be sent out by email to all customers who have at least one job opted into the IP ranges feature. When the feature is generally available, 30 days notice will be given before changes are made to the existing set of IP address ranges. This page and the machine-consumable list will also be updated when there are upcoming changes.
Pricing will be calculated based on network data usage of jobs opted into the IP ranges feature, however, only the traffic of the opted-in jobs will be counted. It is possible to mix jobs with and without the IP ranges feature within the same workflow or pipeline.
Specific rates and details are being finalized and will be published when the feature is generally available.
AWS and GCP IP Addresses
The machines that execute all jobs (except for MacOS) on CircleCI’s platform, not just jobs opted into IP ranges, are hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP). An exhaustive list of IP addresses that CircleCI’s traffic may come from on these cloud providers’ platforms can be found by looking up each cloud providers’ IP address ranges. Each cloud provider offers endpoints to find this information.
- AWS: CircleCI uses the us-east-1 and us-east-2 regions
- GCP: CircleCI uses the us-east1 and us-central1 regions
CircleCI does not recommend configuring an IP-based firewall based on the above IP addresses, as the vast majority are not CircleCI’s machines. Additionally, there is no guarantee that the addresses in the endpoints above persist from day-to-day, as these addresses are reassigned continuously.
IP ranges is the recommended method for configuring an IP-based firewall to allow traffic from CircleCI’s platform.
IP ranges is currently available exclusively for the Docker executor, not including
Help make this document better
This guide, as well as the rest of our docs, are open-source and available on GitHub. We welcome your contributions.
- Suggest an edit to this page (please read the contributing guide first).
- To report a problem in the documentation, or to submit feedback and comments, please open an issue on GitHub.
- CircleCI is always seeking ways to improve your experience with our platform. If you would like to share feedback, please join our research community.
CircleCI Documentation by CircleCI is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.