We often get this question from IT teams who want to secure their Internet connection with a firewall or filtering proxy but still want to allow access to the Leading2Lean service. What servers will users at my company access when using the Leading2Lean solution?
asked Feb 28 '12 at 15:40
Tyler Whitaker ♦♦
We use several leading2lean.com subdomains in conjunction with Leading2Lean Solutions. Hopefully you can whitelist all traffic to both *.leading2lean.com and *.amazonaws.com to bypass your proxies and be allowed through your firewall. Doing this filtering by DNS address is the preferred method since many of our servers are load balanced and span multiple IP addresses and address ranges. We do this for load balancing, high availability, redundancy, etc.
We have found that, generally speaking, proxies are not designed to work well with dynamic websites. If at all possible, it's better to avoid using them for web traffic destined for Leading2Lean.com domains. Users with corporate proxies may sometimes get random HTTP 502 Proxy / Bad Gateway errors unless the proper whitelisting is set up. See below for more details.
IP Address Ranges
If your firewall or proxy does not allow for filtering via DNS name, then the following list will be updated from time to time with the current IP address configuration, and you will need to update your filtering rules periodically.
Static IP Address Leading2Lean Domains
*customername*.leading2lean.com - Generally set at a static IP address, where customername is replaced with your actual customer name. Using ping at the command line will give you the IP address of this server.
Load Balanced Dynamic IP Address Leading2Lean Domains
These servers utilize the Amazon S3 infrastructure and you will need the following procedure to obtain the current IP address ranges in use.
How to find the IP address ranges for Amazon's S3 infrastructure
There are a couple of ways you can figure this out. I find this the easiest when you are at a corporate location behind a firewall and need an IP range.
There is also a CIDR address which the firewall guys might want instead:
S3 IP Ranges
s3.amazonaws.com is a CNAME for s3-1.amazonaws.com and I think s3-2.amazonaws.com. Nothing above s3-2 resolves for me. I've also seen s3-1-w.amazonaws.com, s3-2-w.amazonaws.com, and s3-3-w.amazonaws.com.
The ranges of IPs I see assigned for these are:
You'll want to whitelist those ranges above.
You might get completely different IP ranges based on where you are in the world, but I am fairly certain that you won't ever stray out of the ranges you find if you follow these steps in the areas you are. For more information see: https://forums.aws.amazon.com/thread.jspa?messageID=87807#87807
I've found a more comprehensive list of IP addresses for Amazon's US East Region for those using IP addresses to whitelist.
Source: Complete IP Address list = https://forums.aws.amazon.com/ann.jspa?annID=1408
US East (Northern Virginia):
This came from Amazon's EC2 forum: https://forums.aws.amazon.com/forum.jspa?forumID=30
answered Apr 24 '12 at 16:18
Tyler Whitaker ♦♦
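An added example, not part of the original answer or Leading2Lean's own tooling: a Python sketch of the periodic re-check the answer calls for when a firewall can only filter by IP. It resolves the service hostnames, reports addresses not covered by the current allowlist, and proposes merged CIDR ranges. The function names, the /24 widening, and all addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import socket

def resolve_ipv4(hostname):
    """Return the IPv4 addresses DNS currently hands out for hostname."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def audit_allowlist(hostnames, allowlist_cidrs, resolver=resolve_ipv4):
    """Compare resolved addresses against the firewall allowlist.

    Returns (missing, unmatched): missing maps hostname -> addresses no rule
    covers; unmatched lists rules that no resolved address fell into.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in allowlist_cidrs]
    used, missing = set(), {}
    for host in hostnames:
        for addr in sorted(resolver(host)):
            hits = [n for n in networks if addr in n]
            used.update(hits)
            if not hits:
                missing.setdefault(host, []).append(str(addr))
    # Load-balanced names rotate answers, so an unmatched rule is only a
    # candidate for review, not proof that the range is no longer in use.
    unmatched = [str(n) for n in networks if n not in used]
    return missing, unmatched

def proposed_ranges(addresses, prefix=24):
    """Widen each address to a /prefix network and merge adjacent networks."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed sample data so the example runs offline.
SAMPLE_DNS = {
    "customername.leading2lean.com": ["192.0.2.10"],
    "s3.amazonaws.com": ["198.51.100.7", "198.51.101.20", "203.0.113.5"],
}
SAMPLE_ALLOWLIST = ["192.0.2.10/32", "198.51.100.0/24", "203.0.112.0/24"]

def sample_resolver(hostname):
    """Stand-in for resolve_ipv4 that answers from SAMPLE_DNS."""
    return {ipaddress.ip_address(a) for a in SAMPLE_DNS[hostname]}

if __name__ == "__main__":
    missing, unmatched = audit_allowlist(list(SAMPLE_DNS), SAMPLE_ALLOWLIST,
                                         sample_resolver)
    for host, addrs in missing.items():
        print(f"{host}: not covered {addrs}; propose {proposed_ranges(addrs)}")
    print("rules with no current match:", unmatched)
```

Run it with the default resolver from inside the corporate network on a schedule, since the answers for load-balanced names differ by location and change over time.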