Cloud Platform IP Addresses
Wherever possible, we treat the network as a bearer, rather than a means to confer trust.
For this reason, explicitly allowing traffic from/to specific IP numbers is discouraged in general.
Inbound IP Filtering
Allowed client IP source ranges can be specified using the nginx.ingress.kubernetes.io/whitelist-source-range annotation. The value is a comma separated list of CIDRs, e.g. 1.1.1.1/24,10.0.0.0/24.
Kubernetes official documentation on allowing source ranges.
An example configuration using nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1/24,10.0.0.0/24
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: <ingress-name>
namespace: <namespace-name>
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1/24,10.0.0.0/24
external-dns.alpha.kubernetes.io/set-identifier: <ingress-name>-<namespace-name>-<colour>
external-dns.alpha.kubernetes.io/aws-weight: "100"
creationTimestamp: 2019-03-21T14:26:31Z
generation: 1
spec:
ingressClassName: default
rules:
- host: my-app.apps.live.cloud-platform.service.justice.gov.uk
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: <my-svc>
port:
number: 80
tls:
- hosts:
- my-app.apps.live.cloud-platform.service.justice.gov.uk
status:
loadBalancer:
ingress:
- hostname: <hostname>
(Note - Please change the ingress-name and namespace-name values in the above example. The colour should be green for ingress in EKS live cluster)
Testing with the annotation set:
curl -v -H "Host: my-app.apps.live.cloud-platform.service.justice.gov.uk" <HOST-IP>
Will return a “403 forbidden” status
IP6 / IPv6
Currently, IPv6 is not supported for inbound IP filtering.
It should be possible to add IPv6 support to the platform, but nobody has asked for this, so we haven’t done it.
If this is something you need, please raise a support ticket explaining your need.
Outbound IP filtering
Please note that these numbers may change, and should not be relied upon for authentication/authorisation.
NAT Gateways
IP traffic from the Cloud Platform will originate from the IP numbers of one our NAT Gateways. We have one NAT Gateway in each of the three availability zones in which we host the Cloud Platform, and outbound traffic may originate from any of them.
Currently, these are the IPs from which traffic will appear to come:
Live Cluster
35.178.209.113
3.8.51.207
35.177.252.54
Changes
There is no guarantee that the origin IPs of traffic from the cloud platform will remain the same.
If we plan to change them (e.g. if we migrate to another kubernetes cluster), we will provide as much notice as possible, via posts in the #cloud-platform-update slack channel.
However, in the event of a catastrophic failure where we have to rebuild the platform from scratch (easier than it sounds, since everything is defined in source code), we will not be able to give any warning.