CircleCI builds are currently run mainly from AWS East and West as well as Google Cloud Platform East. For this reason, we can not give a definitive list of IP addresses that our cloud system will use.
We're currently discussing implementing static IPs for our system. If you're interested in this feature, please vote for it in our ideas portal: https://ideas.circleci.com/ideas/CCI-I-35
We have alternative methods many of our customers today are using:
- Bastion Host
- You can configure SSH tunneling into your private environment via a bastion/jump host. Example Configuration / Orb
- If you require, you could safelist this bastion host for your environment's firewall.
- In addition to the SSH key, you can further secure your SSH connection by limiting what commands can be run via the jump host. Example
- Dynamic Safelisting
- You can, using your cloud provider's CLI tool, dynamically fetch the current builder's IP address and add it to a security group which has access to internal resources. At the end of the build, you'd remove that IP to prevent having leftover IPs.
- AWS-Specific Example
- To always run cleanup, use the `when: always` declaration under a run step. Documentation
- Server Product
- If the above solutions don't work for you, you may consider our Server solution (https://circleci.com/enterprise/) where you can simply run a CircleCI installation in your own VPC and/or specify your own IP ranges.