What Servers / IP addresses need to be Whitelisted in my firewall and proxy server?

Comments

4 comments

  • Tyler Whitaker

    We use several leading2lean.com sub-domains in conjunction with Leading2Lean Solutions. Hopefully you can whitelist all traffic to both *.leading2lean.com and *.amazonaws.com to bypass your proxies and be allowed through your firewall. Doing this filtering by DNS address is the preferred method, since many of our servers are load balanced and span multiple IP addresses and address ranges. We do this for load balancing, high availability, redundancy, etc.

    Proxies

    We have found that, generally speaking, proxies are not designed to work well with dynamic websites. If at all possible it's better to avoid using them for web traffic destined for Leading2Lean.com domains. Users with corporate proxies may sometimes get random HTTP 502 Proxy / Bad Gateway errors unless the proper whitelisting is set up. See below for more details.

    IP Address Ranges

    If your firewall or proxy does not allow for filtering via DNS name, then the following list will be updated from time to time with the current IP address configuration, and you will need to update your filtering rules periodically.

    Static IP Address Leading2Lean Domains

    *customername*.leading2lean.com - Generally set at a static IP address, where customername is replaced with your actual customer name. Using ping at the command line will give you the IP address of this server.

    Other sub-domains/domains we use:

    support.leading2lean.com
    sales.leading2lean.com
    www.leading2lean.com
    beta.leading2lean.com
    static.leading2lean.com
    files.leading2lean.com
    www.errorstack.com
    www.google-analytics.com
    etc...

    Load Balanced Dynamic IP Address Leading2Lean Domains

    files.leading2lean.com 
    static.leading2lean.com
    

    These servers utilize the Amazon S3 infrastructure, and you will need the following procedure to obtain the current IP address ranges in use.

    How to find the IP address ranges for Amazon's S3 infrastructure

    There are a couple of ways you can figure this out. I find this the easiest when you are at a corporate location behind a firewall and need an IP range.

    1. From a command prompt, use dig or nslookup to look up an IP for s3.amazonaws.com
    2. Take the IP you get (I get 72.21.202.112) and run a whois query on it. If you aren't on a system that has whois installed, there are several websites that provide it (I like the ARIN page: http://www.arin.net/whois/)
    3. There you will see a field like "NetRange:" followed by the range of IP addresses Amazon owns around the IP that you found. So for me, when I whois the above IP I get back:

      "NetRange: 72.21.192.0 - 72.21.223.255"

    There is also a CIDR address which the firewall guys might want instead:

    "CIDR:       72.21.192.0/19"
    

    S3 IP Ranges

    s3.amazonaws.com is a CNAME for s3-1.amazonaws.com and, I think, s3-2.amazonaws.com. Nothing above s3-2 resolves for me. I've also seen s3-1-w.amazonaws.com, s3-2-w.amazonaws.com, and s3-3-w.amazonaws.com.

    The ranges of IPs I see assigned for these are:

    72.21.192.0 - 72.21.223.255       CIDR: 72.21.192.0/19
    207.171.160.0 - 207.171.191.255   CIDR: 207.171.160.0/19
    178.236.0.0 -  178.236.7.255      CIDR: 178.236.0.0/21
    87.238.80.0 - 87.238.81.255       CIDR: 87.238.80.0/21
    

    You'll want to whitelist those ranges above.

    You might get completely different IP ranges based on where you are in the world, but I am fairly certain that you won't ever stray out of the ranges you find if you follow these steps in the areas you are in. For more information see: https://forums.aws.amazon.com/thread.jspa?messageID=87807#87807

    Originally answered Feb 28, 2012 at 4:21 pm

  • Tyler Whitaker

    I've found a more comprehensive list of IP addresses for Amazon's US East Region for those using IP addresses to whitelist.

    Source: Complete IP Address list = https://forums.aws.amazon.com/ann.jspa?annID=1408

    US East (Northern Virginia):

    • 72.44.32.0/19 (72.44.32.0 - 72.44.63.255)
    • 67.202.0.0/18 (67.202.0.0 - 67.202.63.255)
    • 75.101.128.0/17 (75.101.128.0 - 75.101.255.255)
    • 174.129.0.0/16 (174.129.0.0 - 174.129.255.255)
    • 204.236.192.0/18 (204.236.192.0 - 204.236.255.255)
    • 184.73.0.0/16 (184.73.0.0 - 184.73.255.255)
    • 184.72.128.0/17 (184.72.128.0 - 184.72.255.255)
    • 184.72.64.0/18 (184.72.64.0 - 184.72.127.255)
    • 50.16.0.0/15 (50.16.0.0 - 50.17.255.255)
    • 50.19.0.0/16 (50.19.0.0 - 50.19.255.255)
    • 107.20.0.0/14 (107.20.0.0 - 107.23.255.255)
    • 23.20.0.0/14 (23.20.0.0 - 23.23.255.255)

    This came from Amazon's EC2 forum: https://forums.aws.amazon.com/forum.jspa?forumID=30

    Originally answered Apr 24, 2012 at 4:18 pm

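The two lists above (the NetRange/CIDR pairs from the Feb 2012 comment and the US East CIDR list from the Apr 2012 comment) are the kind of thing that gets retyped into a firewall by hand, and a range and the CIDR written beside it can disagree. The script below is an added example, not code from this thread or from Leading2Lean; it uses only Python's standard ipaddress module, so it runs offline. It converts a whois NetRange into CIDR notation the way step 3 of the procedure does by eye, flags any posted pair whose range and CIDR do not describe the same block, and checks whether a destination IP falls inside the resulting allow-list. The address lists are copied from the comments as constructed input; the dig and whois lookups themselves are not performed.

```python
"""Check posted NetRange/CIDR pairs before they become firewall rules.

Added example, not part of the original thread or of Leading2Lean's own
tooling. Standard library only (ipaddress), so it runs offline; the inputs
below are the ranges quoted in the two comments, not live whois data.
"""
import ipaddress

# NetRange first/last and the CIDR quoted next to it, as posted in the
# first comment (constructed input copied from the thread).
S3_RANGES = [
    ("72.21.192.0", "72.21.223.255", "72.21.192.0/19"),
    ("207.171.160.0", "207.171.191.255", "207.171.160.0/19"),
    ("178.236.0.0", "178.236.7.255", "178.236.0.0/21"),
    ("87.238.80.0", "87.238.81.255", "87.238.80.0/21"),
]

# US East (Northern Virginia) CIDR list as posted in the second comment
# (constructed input copied from the thread).
US_EAST_CIDRS = [
    "72.44.32.0/19", "67.202.0.0/18", "75.101.128.0/17", "174.129.0.0/16",
    "204.236.192.0/18", "184.73.0.0/16", "184.72.128.0/17", "184.72.64.0/18",
    "50.16.0.0/15", "50.19.0.0/16", "107.20.0.0/14", "23.20.0.0/14",
]


def range_to_cidrs(first, last):
    """Convert a whois NetRange (first - last) into the minimal CIDR list.

    A NetRange is not guaranteed to be one aligned block, so a list is
    returned; a well-formed allocation yields exactly one entry.
    """
    return [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    ]


def check_range_pair(first, last, cidr):
    """Return (matches, computed_cidrs) for one 'NetRange ... CIDR' pair."""
    computed = range_to_cidrs(first, last)
    return computed == [str(ipaddress.ip_network(cidr, strict=True))], computed


def mismatched_pairs(pairs):
    """Return (posted_cidr, cidrs_actually_covered) for every pair that disagrees."""
    bad = []
    for first, last, cidr in pairs:
        ok, computed = check_range_pair(first, last, cidr)
        if not ok:
            bad.append((cidr, computed))
    return bad


def build_allow_list(cidrs):
    """Parse CIDR strings into a collapsed, de-duplicated list of networks.

    strict=True rejects entries such as 10.0.0.1/24 whose host bits are set,
    which in a firewall rule usually means a typo rather than an intent.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(ip, allow_list):
    """True if ip falls inside any network of the allow-list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow_list)


if __name__ == "__main__":
    for posted, computed in mismatched_pairs(S3_RANGES):
        print(f"posted {posted}, but the range beside it is {', '.join(computed)}")
    allow = build_allow_list([c for *_, c in S3_RANGES] + US_EAST_CIDRS)
    # 72.21.202.112 is the s3.amazonaws.com answer quoted in the first comment;
    # the other two are constructed test addresses.
    for ip in ("72.21.202.112", "87.238.85.1", "8.8.8.8"):
        print(ip, "allowed" if is_allowed(ip, allow) else "blocked")
```

Run as-is, the checker reports one disagreement: 87.238.80.0 - 87.238.81.255 is 87.238.80.0/23, while the CIDR quoted beside it, 87.238.80.0/21, extends to 87.238.87.255, four times as many addresses. Whichever of the two was intended, the rule that goes into the firewall should be generated from the whois output rather than from a retyped list, and the membership check is a cheap way to confirm the IP you resolved in step 1 really is covered by the block you are about to allow.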
  • Justin Skaggs

    Just wanted to confirm if the whitelist rules, DNS, and IPs above are still accurate? We're seeing traffic to cloudfront.net being blocked but don't see that listed. Thanks!

  • Cara Winther

    Good morning Justin!

    Yes, the rules and guidelines above are still accurate.
