27

I know that Google App Engine does not support an application having a static IP address, but I'd like to know if there is a list or range of IP addresses that an app could potentially have? I'd like to use that list as a whitelist of IP addresses for another application deployed elsewhere.

ThePiachu
  • I don't know much about it, but this is probably what the "Secure Data Connector" is for: https://developers.google.com/secure-data-connector/ – Thilo Jun 22 '12 at 02:32
  • You're going to need to use some other mechanism. – Dave W. Smith Jun 22 '12 at 04:07
  • 5
    Why are you relying on the remote IP address? Whitelisting your app will whitelist _all_ App Engine apps. Use authentication. – Nick Johnson Jun 22 '12 at 05:28
  • 1
    @NickJohnson I'm using authentication, but since I also have an option of whitelisting IPs, I'd also like to take advantage of that. – ThePiachu Jun 22 '12 at 13:09
  • possible duplicate of [IP Address Block of Appengine Servers?](http://stackoverflow.com/questions/5591384/ip-address-block-of-appengine-servers) – tc. Nov 21 '12 at 15:56

6 Answers

18

In addition to the other answers, GAE premier support directed me to this name, esp as the source IP address for URLFetch calls:

$ dig -t txt _cloud-netblocks.googleusercontent.com

which answers:

include:_cloud-netblocks1.googleusercontent.com
include:_cloud-netblocks2.googleusercontent.com
include:_cloud-netblocks3.googleusercontent.com

if you then query those, you get this list of ranges (as of 2014-06-26):

Attila O.
ckhan
  • You made my day / week / month dude ! Thanks soooo much for this ! I was already losing my shits trying to configure VPC & loadbalancers on Gcloud ... This is soo much better ! – sphax Nov 06 '20 at 10:41
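An added example, not taken from any of the answers on this page: expanding the `include:` chain described above into networks and testing a source address against them, offline. The `example.test` record names and documentation ranges are constructed sample data, and `lookup_txt` is a hypothetical hook where a real DNS TXT query would go; as the comments on the question point out, a match only says the address is in the published ranges, not which application sent the request.

```python
import ipaddress

# Constructed sample TXT records (documentation ranges, not Google's real data),
# shaped like the SPF-style answers shown above.
SAMPLE_TXT = {
    "_cloud-netblocks.example.test":
        "v=spf1 include:_cloud-netblocks1.example.test "
        "include:_cloud-netblocks2.example.test ?all",
    "_cloud-netblocks1.example.test":
        "v=spf1 ip4:192.0.2.0/25 ip4:198.51.100.0/24 ?all",
    # Points back at the root to exercise the loop guard.
    "_cloud-netblocks2.example.test":
        "v=spf1 ip6:2001:db8::/32 include:_cloud-netblocks.example.test ?all",
}


def expand_netblocks(name, lookup_txt, max_lookups=10):
    """Follow include: terms from `name` and return every ip4:/ip6: network."""
    networks, seen, queue = [], set(), [name]
    while queue:
        current = queue.pop(0)
        if current in seen:
            continue  # already visited: avoids include loops
        if len(seen) >= max_lookups:
            raise RuntimeError("too many include: lookups")
        seen.add(current)
        for term in lookup_txt(current).split():
            mech, _, value = term.partition(":")
            if mech == "include":
                queue.append(value)
            elif mech in ("ip4", "ip6"):
                # strict=True rejects entries with host bits set (malformed CIDR)
                networks.append(ipaddress.ip_network(value, strict=True))
    return networks


def is_allowed(addr, networks):
    """True if addr falls inside any published network."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    nets = expand_netblocks("_cloud-netblocks.example.test", SAMPLE_TXT.__getitem__)
    print([str(n) for n in nets])
    print(is_allowed("198.51.100.7", nets), is_allowed("203.0.113.9", nets))
```
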
7

Use command:

 dig -t txt _netblocks.google.com

to get the latest Google IP blocks, and then you can add the result to your whitelist. Be aware that the lists are not static and are updated from time to time.

Yudong Li
  • This is only applicable to Google's mail servers. Other services (like Maps, etc.) have different IP addresses than what is listed in that IP4 netblock. – Josiah Mar 18 '13 at 05:13
  • 1
    As of 29.04.2013 there are also requests coming from the following range: Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1) 8.0.0.0 - 8.255.255.255 Google Apps. LVLT-GOOGL-2-8-35-200 (NET-8-35-200-0-1) 8.35.200.0 - 8.35.207.255 – 0E322070 Apr 29 '13 at 09:49
5

From the GAE documentation, you need to use the dig command because it does not currently provide a way to map static IP addresses to an application, due to its design:

dig -t TXT _netblocks.google.com @ns1.google.com

If the dig command is not available on your system, you can use an online service:

At the time of writing this answer, querying http://www.digwebinterface.com/?hostnames=_netblocks.google.com&type=TXT&useresolver=8.8.4.4&ns=self&nameservers=ns1.google.com returns:

_netblocks.google.com.  3596    IN  TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

Here is the formatted list for the Google API console if you need it:


Please note the IP ranges may change in the future so you will need to run this query from time to time.

Tony Baguette
  • 1
    Here's a one-liner to help you parse it: `dig -t TXT _netblocks.google.com @ns1.google.com | grep '^_netblocks.google.com' | grep -o 'ip4:.* ' | sed -e 's/ip4://g' -e 's/ /\n/g'` – jschnurr Jun 30 '16 at 15:09
5

I threw this together quickly, for use with the gcloud create-firewall command.

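#!/bin/bash
# Print the IPv4 ranges published under _cloud-netblocks.googleusercontent.com
# as a comma-separated list.

# The top-level TXT record only lists "include:" names of further records.
netblocks=$(dig TXT _cloud-netblocks.googleusercontent.com @ns1.google.com +short | sed -e 's/"//g')

for block in $netblocks; do
    if [[ $block == include:* ]]; then
        # Each included record carries the actual ip4:/ip6: entries.
        ipblocks=$(dig TXT "${block#include:}" @ns1.google.com +short)

        for ipblock in $ipblocks; do
            if [[ $ipblock == ip4:* ]]; then
                # Fixed format string, so DNS data is never interpreted by printf.
                printf '%s,' "${ipblock:4}"
            fi
        done
    fi
done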
pestilence669
  • 1
    Thanks, I ended up wrapping the whole thing in a `function source_ranges() {` and then adding `gcloud compute firewall-rules update RULEX --source-ranges=$(source_ranges) ...` Now I just call that in a cron job once a week to keep it up to date – Daniel Worthington-Bodart Sep 23 '18 at 19:14
3

And this is an updated list as of March 20, 2016:

Extracted using instructions in this KB article.

Waleed Abdulla
0

I've created a ruby script for this exact purpose (super simple, easy to update):

https://github.com/stephengroat/whitelist-travisci

require 'resolv'

Resolv::DNS.open do |dns|
  # The top-level TXT record lists the include: names of the per-block records.
  ress = dns.getresource "_cloud-netblocks.googleusercontent.com", Resolv::DNS::Resource::IN::TXT
  ress.data.scan(/(?<=include:)_cloud-netblocks\d+\.googleusercontent\.com/).each do |r|
    subress = dns.getresource r, Resolv::DNS::Resource::IN::TXT
    # Print every ip4:/ip6: range from the included record.
    subress.data.scan(/(?<=ip[46]:)\S+/).each do |sr|
      puts sr
    end
  end
end
StephenG