
Cloud Platform IP Addresses

Wherever possible, we treat the network as a bearer, rather than a means to confer trust.

For this reason, explicitly allowing traffic to or from specific IP addresses is discouraged in general.

Inbound IP Filtering

Allowed client IP source ranges can be specified using the nginx.ingress.kubernetes.io/whitelist-source-range annotation. The value is a comma-separated list of CIDRs, e.g. 1.1.1.1/24,10.0.0.0/24.

See the official Kubernetes documentation on allowing source ranges.

An example configuration using nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1/24,10.0.0.0/24

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: <ingress-name>
  namespace: <namespace-name>
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1/24,10.0.0.0/24
    external-dns.alpha.kubernetes.io/set-identifier: <ingress-name>-<namespace-name>-<colour>
    external-dns.alpha.kubernetes.io/aws-weight: "100"
spec:
  rules:
  - host: my-app.apps.live-1.cloud-platform.service.justice.gov.uk
    http:
      paths:
      - path: /
        backend:
          serviceName: <my-svc>
          servicePort: 3000
  tls:
  - hosts:
    - my-app.apps.live-1.cloud-platform.service.justice.gov.uk

(Note: please change the ingress-name and namespace-name values in the above example. The colour should be blue for an ingress in live-1 and green for an ingress in the EKS live cluster.)

Testing with the annotation set:

curl -v -H "Host: my-app.apps.live-1.cloud-platform.service.justice.gov.uk" <HOST-IP>

This returns a 403 Forbidden status when the request comes from an address outside the allowed ranges.
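To make the annotation's semantics concrete, here is an added example (not code from the Cloud Platform documentation or the ingress controller) that reads the whitelist-source-range value out of a constructed, trimmed copy of the manifest above, parses the comma-separated CIDR list, and reports whether a given client address would be admitted or receive the 403 described above. It models the check with Python's ipaddress module rather than calling nginx; the manifest text, the client addresses and the function names are assumptions made for the example.

```python
"""Added example: decide whether a client IP is admitted by an Ingress
whose nginx.ingress.kubernetes.io/whitelist-source-range annotation is
set. Not part of the Cloud Platform docs; the manifest and addresses
below are constructed for illustration."""
import ipaddress
import re

ANNOTATION = "nginx.ingress.kubernetes.io/whitelist-source-range"

# Constructed sample manifest, trimmed to the fields the check needs.
SAMPLE_MANIFEST = """\
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app
  namespace: my-namespace
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/whitelist-source-range: 1.1.1.1/24,10.0.0.0/24
"""


def extract_annotation(manifest: str, key: str = ANNOTATION) -> str:
    """Return the raw value of `key` from the manifest text, or '' if absent.
    A line regex is sufficient for the flat annotation block used here."""
    pattern = rf"^\s*{re.escape(key)}:\s*(\S+)\s*$"
    m = re.search(pattern, manifest, re.MULTILINE)
    return m.group(1).strip("'\"") if m else ""


def parse_source_ranges(value: str):
    """Turn the comma-separated CIDR list into IPv4Network objects.

    IPv6 entries are rejected because the platform does not support them
    for inbound filtering. strict=False accepts '1.1.1.1/24' as written on
    the page: the host bits are dropped, so that entry means 1.1.1.0/24."""
    networks = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)
        if net.version != 4:
            raise ValueError(f"IPv6 range not supported for inbound filtering: {item}")
        networks.append(net)
    return networks


def client_allowed(client_ip: str, networks) -> bool:
    """True if client_ip falls within any allowed range.
    An empty list means no annotation was set, so nothing is filtered."""
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def expected_status(client_ip: str, manifest: str = SAMPLE_MANIFEST) -> int:
    """HTTP status the ingress would give a request from client_ip:
    403 for a filtered-out source, 200 otherwise (assuming the backend is up)."""
    ranges = parse_source_ranges(extract_annotation(manifest))
    return 200 if client_allowed(client_ip, ranges) else 403


if __name__ == "__main__":
    # Constructed test addresses: two inside the allowed ranges, one outside.
    for ip in ("1.1.1.200", "10.0.0.7", "203.0.113.9"):
        print(ip, expected_status(ip))
```

Running the script prints 200 for the two addresses inside the ranges and 403 for 203.0.113.9, which is the same outcome the curl test above produces from an address outside the list. Note that 1.1.1.1/24 is normalised to 1.1.1.0/24: write the network address in the annotation to avoid any ambiguity about which hosts are meant.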

IPv6

Currently, IPv6 is not supported for inbound IP filtering.

It should be possible to add IPv6 support to the platform, but nobody has asked for this, so we haven’t done it.

If this is something you need, please raise a support ticket explaining your need.

Outbound IP filtering

Please note that these addresses may change, and should not be relied upon for authentication or authorisation.

NAT Gateways

IP traffic from the Cloud Platform will originate from the IP addresses of one of our NAT Gateways. We have one NAT Gateway in each of the three availability zones in which we host the Cloud Platform, and outbound traffic may originate from any of them.

Currently, these are the IPs from which traffic will appear to come:

Live-1 Cluster

35.178.209.113
3.8.51.207
35.177.252.54

Changes

There is no guarantee that the origin IPs of traffic from the cloud platform will remain the same.

If we plan to change them (e.g. if we migrate to another Kubernetes cluster), we will provide as much notice as possible, via posts in the #cloud-platform-update Slack channel.

However, in the event of a catastrophic failure where we have to rebuild the platform from scratch (easier than it sounds, since everything is defined in source code), we will not be able to give any warning.

This page was last reviewed on 27 July 2021. It needs to be reviewed again on 27 October 2021.