Cloud Platform IP Addresses
Wherever possible, we treat the network as a bearer, rather than a means to confer trust.
For this reason, explicitly allowing traffic from/to specific IP numbers is discouraged in general.
Inbound IP Filtering
Allowed client IP source ranges can be specified using the nginx.ingress.kubernetes.io/whitelist-source-range annotation. The value is a comma separated list of CIDRs, e.g. 126.96.36.199/24,10.0.0.0/24.
An example configuration using
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: <ingress-name> namespace: <namespace-name> annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/whitelist-source-range: 188.8.131.52/24,10.0.0.0/24 external-dns.alpha.kubernetes.io/set-identifier: <ingress-name>-<namespace-name>-<colour> external-dns.alpha.kubernetes.io/aws-weight: "100" creationTimestamp: 2019-03-21T14:26:31Z generation: 1 name: <my-ingress> namespace: <my-namespace> spec: rules: - host: my-app.apps.live.cloud-platform.service.justice.gov.uk http: paths: - path: / pathType: ImplementationSpecific backend: service: name: <my-svc> port: number: 80 tls: - hosts: - my-app.apps.live.cloud-platform.service.justice.gov.uk status: loadBalancer: ingress: - hostname: <hostname>
(Note - Please change the
namespace-name values in the above example. The
colour should be
green for ingress in EKS
Testing with the annotation set:
curl -v -H "Host: my-app.apps.live.cloud-platform.service.justice.gov.uk" <HOST-IP>
Will return a “403 forbidden” status
IP6 / IPv6
Currently, IPv6 is not supported for inbound IP filtering.
It should be possible to add IPv6 support to the platform, but nobody has asked for this, so we haven’t done it.
If this is something you need, please raise a support ticket explaining your need.
Outbound IP filtering
Please note that these numbers may change, and should not be relied upon for authentication/authorisation.
IP traffic from the Cloud Platform will originate from the IP numbers of one our NAT Gateways. We have one NAT Gateway in each of the three availability zones in which we host the Cloud Platform, and outbound traffic may originate from any of them.
Currently, these are the IPs from which traffic will appear to come:
184.108.40.206 220.127.116.11 18.104.22.168
There is no guarantee that the origin IPs of traffic from the cloud platform will remain the same.
If we plan to change them (e.g. if we migrate to another kubernetes cluster), we will provide as much notice as possible, via posts in the
#cloud-platform-update slack channel.
However, in the event of a catastrophic failure where we have to rebuild the platform from scratch (easier than it sounds, since everything is defined in source code), we will not be able to give any warning.