IP Address Ranges for Safelisting/Do You Have Static IP Addresses Available?

Overview

The machines that execute all jobs on CircleCI’s platform, not just jobs opted into IP ranges feature, are hosted on the following platforms:

• Amazon Web Services (AWS)

• Google Cloud Platform (GCP)

• CircleCI’s macOS cloud

An exhaustive list of IP addresses that CircleCI’s traffic may come can be found by looking up each cloud provider’s IP address ranges. AWS and GCP offer endpoints to find this information which can found here, along with the regions we use:

• AWS: CircleCI uses the us-east-1 and us-east-2 regions.

• GCP: CircleCI uses the us-east1 and us-central1 regions.

Initial Troubleshooting When Seeing Issues

For the CircleCI core services, please see our list here.

For CircleCI Docker Jobs, please see our list here.

For CircleCI MacOS jobs, please see our list here.

IP ranges let you limit inbound connections to your infrastructure to IP address ranges that are verifiably associated with CircleCI.

If the above feature does not meet your needs, below are some alternative methods many of our customers are using:

CircleCI Runner

• • Install CircleCI runners on supported platforms (Machine and Kubernetes).
  • Use your own infrastructure for running specific jobs
  • Get additional control over the environment

Server Product

• • If the above solutions don't work for you, you may consider our Server solution where you can run a CircleCI installation in your own VPC and/or specify your own IP ranges.

Workarounds that are not officially supported but have been used by others for safelisting IP address ranges

Bastion Host

• • Configure SSH tunneling into your private environment via a bastion/jump host. Example Configuration / Orb
  • If you require, you could safelist this bastion host for your environment's firewall.
  • In addition to the SSH key, you can further secure your SSH connection by limiting what commands can be run via the jump host. Example
    
    

VPN

• • Configure a VPN connection to your environment on our machine executor.
  • See the article "How to set up a VPN connection during builds?"
    
    

Dynamic Safelisting

• • Using your cloud provider's CLI tool, dynamically fetch the current builder's IP address and add it to a security group which has access to internal resources. At the end of the build, you'd remove that IP to prevent having leftover IPs.
  • AWS-Specific Example
  • To always run cleanup, use the `when: always` declaration under a run step. Documentation
    
    

• Additional Resources

• IP Address Ranges for Safelisting/Do You Have Static IP Addresses Available?
• How to View the IP Address Used by Your Machine
• IP Ranges Documentation