IP Address Ranges for Safelisting/Do You Have Static IP Addresses Available?

Initial Troubleshooting

Please see the IP ranges documentation page to enable CircleCI jobs to go through a set of well-defined IP address ranges.

If the above feature does not meet your needs, below are some alternative methods many of our customers are using:

CircleCI Runner

• • Install CircleCI runners on supported platforms (https://circleci.com/docs/2.0/runner-overview)
  • Use your own infrastructure for running specific jobs
  • Get additional control over the environment

Bastion Host

• • Configure SSH tunneling into your private environment via a bastion/jump host. Example Configuration / Orb
  • If you require, you could safelist this bastion host for your environment's firewall.
  • In addition to the SSH key, you can further secure your SSH connection by limiting what commands can be run via the jump host. Example
    
    

VPN

• • Configure a VPN connection to your environment on our machine executor.
  • See the article "How to set up a VPN connection during builds?"
    
    

Dynamic Safelisting

• • Using your cloud provider's CLI tool, dynamically fetch the current builder's IP address and add it to a security group which has access to internal resources. At the end of the build, you'd remove that IP to prevent having leftover IPs.
  • AWS-Specific Example
  • To always run cleanup, use the `when: always` declaration under a run step. Documentation
    
    

Server Product

• • If the above solutions don't work for you, you may consider our Server solution where you can run a CircleCI installation in your own VPC and/or specify your own IP ranges.