Configuring Your Firewall to Accept Cloudsmith and AWS CDN IP Ranges

If you're using a firewall to secure your network and need to ensure uninterrupted access to Cloudsmith services or AWS CloudFront content, follow this guide to properly whitelist the necessary IP addresses.

Understanding Traffic Types

When working with Cloudsmith, your network will handle two main types of traffic: outbound and inbound. Below is a breakdown of what each means for your environment.

1. Configuring Inbound Traffic for Cloudsmith

Inbound traffic refers to connections initiated by Cloudsmith to your infrastructure. To ensure seamless access and functionality when using Cloudsmith, it is essential to configure inbound traffic correctly. This includes allowing traffic from specific IP ranges for caching, proxying, and internal upstream requests.

Examples of Inbound Traffic:

  • Webhooks from Cloudsmith to notify your systems about events such as package uploads, syncs, or deletions.
  • API callbacks or integrations where Cloudsmith sends data to your environment.

Inbound Traffic IPs

For inbound traffic, you should allow traffic from the following sources:

  1. Cloudsmith’s NAT Gateway IPs.
  2. CloudFront’s node IP ranges (Cloudsmith fetches from the CloudFront edge as well as from its own IP ranges).
  3. Internal IPs (if you are proxying/caching packages to an internal upstream).

Not allowing these IPs may lead to failures in package retrieval, proxying, or upstream requests.

Cloudsmith NAT Gateway IPs (Inbound)

Allow inbound traffic from the following Cloudsmith NAT Gateway IPs:

13.55.231.43
52.62.115.207
3.104.99.235
34.252.163.216
52.208.86.0
108.129.59.129
52.30.175.5
52.209.24.43
18.200.166.58
3.135.162.154
18.224.75.239
18.216.17.80
52.24.213.62
54.203.138.156
35.163.82.210

Cloudsmith Webhook IPs (Inbound)

To ensure secure delivery of webhook notifications, whitelist the following Cloudsmith origin IP addresses:

3.10.225.171
34.250.171.206
52.16.183.139
52.19.118.176

CloudFront CDN Traffic (Inbound)

Since Cloudsmith’s package distribution happens via AWS CloudFront, requests may originate from CloudFront node IPs. Additionally, when proxying/caching upstream requests, CloudFront may contact your internal upstream from its node IPs.

To fetch all CloudFront IPs globally, use:

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service == "CLOUDFRONT") | .ip_prefix' | sort -n

To fetch CloudFront IPs for a specific AWS region, use:

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service == "CLOUDFRONT" and .region == "REGION") | .ip_prefix' | sort -n

(Replace "REGION" with your AWS region, e.g., "us-east-1" or "eu-west-1".)

Note that these are AWS CloudFront IP ranges and are subject to change. Monitor the ranges periodically and update your allowlist, for example by running the curl command above from a cron job, or subscribe to AWS's notifications for changes to its published IP ranges (the AmazonIpSpaceChanged SNS topic) so that you are told whenever the list changes.

2. Outbound Traffic Requirements

Examples of Outbound Traffic:

  • Downloading packages from Cloudsmith or publishing packages to Cloudsmith.
  • API requests from your systems to Cloudsmith’s platform.

Required IP Ranges for Outbound Traffic:

    • AWS CloudFront (CDN) IP ranges. These ranges are dynamic and updated by AWS. To fetch the latest ranges, use the following command:
curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service == "CLOUDFRONT") | .ip_prefix' | sort -n

Ensure that the IP prefixes tagged CLOUDFRONT are allowed through your firewall over HTTPS (TCP port 443).
As with the inbound ranges, these CloudFront IPs are subject to change: refresh them periodically (for example from a cron job running the command above) or subscribe to AWS's notifications for changes to its published IP ranges.
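The fetch-filter-allowlist procedure in both the inbound and outbound sections, carried through as an added example (this is not Cloudsmith's or AWS's own tooling). The script parses a document in the shape of ip-ranges.json, applies the same CLOUDFRONT/region selection as the jq filters above, merges the result with the Cloudsmith NAT and webhook IPs listed in this article, collapses adjacent prefixes, checks whether a given source address is covered, diffs two snapshots so a cron job can flag changes, and renders the result as an nftables set. The JSON excerpt embedded in it is constructed for the example: its CloudFront prefixes are documentation ranges, not AWS's published ones, so fetch the real file with the curl command when using it.

```python
"""Build, check and monitor a Cloudsmith/CloudFront firewall allowlist (added example)."""
import ipaddress
import json
from typing import Optional

# Cloudsmith NAT Gateway IPs and webhook origin IPs as listed in the article.
CLOUDSMITH_NAT_IPS = [
    "13.55.231.43", "52.62.115.207", "3.104.99.235", "34.252.163.216",
    "52.208.86.0", "108.129.59.129", "52.30.175.5", "52.209.24.43",
    "18.200.166.58", "3.135.162.154", "18.224.75.239", "18.216.17.80",
    "52.24.213.62", "54.203.138.156", "35.163.82.210",
]
CLOUDSMITH_WEBHOOK_IPS = [
    "3.10.225.171", "34.250.171.206", "52.16.183.139", "52.19.118.176",
]

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are RFC 5737 documentation ranges, NOT real CloudFront ranges.
SAMPLE_IP_RANGES_JSON = """
{
  "syncToken": "1700000000",
  "createDate": "2023-11-14-22-13-20",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "CLOUDFRONT", "network_border_group": "eu-west-1"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "CLOUDFRONT", "network_border_group": "us-east-1"},
    {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"}
  ]
}
"""


def cloudfront_prefixes(doc: str, region: Optional[str] = None) -> list:
    """Same selection as the jq filter: CLOUDFRONT prefixes, optionally for one region."""
    data = json.loads(doc)
    nets = set()
    for entry in data["prefixes"]:
        if entry["service"] != "CLOUDFRONT":
            continue
        if region is not None and entry["region"] != region:
            continue
        nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    return sorted(nets)


def build_allowlist(doc: str, region: Optional[str] = None) -> list:
    """Inbound allowlist: Cloudsmith NAT + webhook IPs plus CloudFront ranges, collapsed.

    collapse_addresses merges adjacent prefixes (e.g. two /25s into one /24) and
    drops prefixes already covered by a larger one, keeping the rule set minimal."""
    nets = [ipaddress.ip_network(ip) for ip in CLOUDSMITH_NAT_IPS + CLOUDSMITH_WEBHOOK_IPS]
    nets += cloudfront_prefixes(doc, region)
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(ip: str, allowlist: list) -> bool:
    """True if the source address falls inside any prefix of the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def is_cloudsmith_webhook_source(ip: str) -> bool:
    """Narrower check for webhook receivers: only the published webhook origin IPs."""
    return ipaddress.ip_address(ip) in {ipaddress.ip_address(x) for x in CLOUDSMITH_WEBHOOK_IPS}


def diff_ranges(old_doc: str, new_doc: str, region: Optional[str] = None) -> dict:
    """Compare two snapshots of ip-ranges.json so a cron job can report changes."""
    old = set(cloudfront_prefixes(old_doc, region))
    new = set(cloudfront_prefixes(new_doc, region))
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "sync_token_changed": json.loads(old_doc)["syncToken"] != json.loads(new_doc)["syncToken"],
    }


def nft_set(name: str, nets: list) -> str:
    """Render the allowlist as an nftables interval set for use in an accept rule."""
    elements = ", ".join(str(n) for n in nets)
    return (
        f"set {name} {{\n"
        f"    type ipv4_addr\n"
        f"    flags interval\n"
        f"    elements = {{ {elements} }}\n"
        f"}}"
    )


if __name__ == "__main__":
    allowlist = build_allowlist(SAMPLE_IP_RANGES_JSON)
    print(nft_set("cloudsmith_inbound", allowlist))
    print("198.51.100.200 allowed:", is_allowed("198.51.100.200", allowlist))
    print("192.0.2.5 allowed:", is_allowed("192.0.2.5", allowlist))
```

The source-IP check is a network-layer filter only: it tells you a request arrived from an address Cloudsmith or CloudFront publishes, not that the payload is genuine, so treat it as one layer alongside whatever payload verification your webhook receiver performs. In a cron job, keep the previous snapshot on disk and feed both to diff_ranges; a non-empty added or removed list is the signal to regenerate and reload the firewall set.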

Why Are These Rules Necessary?

  • Inbound:
    • Cloudsmith fetches packages via CloudFront, meaning requests originate from multiple CloudFront node IPs.
    • If you use internal upstream proxying, Cloudsmith may request packages from your upstream servers.
  • Outbound:
    • Publishing and retrieving packages requires connectivity to Cloudsmith services.
    • Proxying/mirroring requires access to upstream repositories.

Firewall & Network Security Considerations

If your security policy does not allow whitelisting the full CloudFront range, or if you have strict outbound rules, please contact Cloudsmith Support for guidance.
