Gitlab CI runners public IP addresses (range)

Is there any official IP range for the Gitlab CI runners? I’d like to white-list an IP range which is allowed to connect to my CloudSQL database on Google Cloud Platform. The CI runner is running some Django admin commands that will need remote access to the SQL database during the setup.

Any ideas?

3 Likes

I have the same problem. I setup a test server and tried to deploy to this server. I ran tcpdump while the deployment was doing its thing and analyzed the dumps with wireshark.
The runners public IPs seem to be all over the place, so it looks like it is impossible to whitelist an IP range.

I would be very interested in a solution though. Let’s hope there is a hidden configuration option somewhere or any way to get more manageable public IPs.
I was thinking that some sort of proxy could be helpful, but I am not very confident with my network skills.

I have the same issue for our development servers, our production servers are updated through the AWS cli but our development servers need to be updated with SFTP. I would like to allow an ip-range to use our ssh ports, any updates on this topic?

You’re not alone on this request. Here is a related feature proposal that could use your support.

We’re using Gitlab.com hosted service, with shared runners, and three out of four runners fall in the following CIDR: 67.205.128.0/18 which is:

And the fourth which is “shared-runners-manager-1.gitlab.com” falls in the CIDR 192.241.128.0/17

White listing these two CIDR works for us currently. Not sure IPs changes dynamically / occasionally or not, but it’s working for now. Hope this helps…

2 Likes

Thanks, I just verified that these are still the same with a dig and a whois.

A minor security concern though:

These appear to be public cloud (Digital Ocean) CIDR blocks. I just recommend that if you do whitelist these CIDRs do it in your CI pipeline and close the firewall rules when done.

1 Like

Are these ips still the valid gitlab ips? Didn’t gitlab switch to google cloud recently? Does anyone know?
I’ve tried whitelisting these for our gitlab-ci ssh connection and it is timing out.

Jade,

You could do a DNS lookup on these endpoints yourself and verify this via a whois on the resulting IPs.

I can confirm that this currently seems unchanged:

 robert > bug/DDPQAI-2189 > … > infrastructure_as_code $ dig +short gitlab-shared-runners-manager-2.gitlab.com
67.205.141.121
 robert > bug/DDPQAI-2189 > … > infrastructure_as_code $ dig +short gitlab-shared-runners-manager-1.gitlab.com
67.205.137.49
 robert > bug/DDPQAI-2189 > … > infrastructure_as_code $ dig +short shared-runners-manager-2.gitlab.com
67.205.166.117
 robert > bug/DDPQAI-2189 > … > infrastructure_as_code $ whois 67.205.137.49 | grep -i ^cidr
CIDR:           67.205.128.0/18
 robert > bug/DDPQAI-2189 > … > infrastructure_as_code $

Hello all,

It looks like this changed, and shared runners are now being hosed in GCP:

https://cloud.google.com/compute/docs/faq#find_ip_range

TL;DR:

$ while read -r CIDR_RECORD; do 
      dig @8.8.8.8 \
          +short TXT "$CIDR_RECORD" | \
              grep -Pow '(\d+\.){3}\d+\/\d+'; 
  done < <(
      dig @8.8.8.8 \
          +short TXT _cloud-netblocks.googleusercontent.com | \
              grep -Pow '\_cloud.[^\ ]*.com'
  )
8.34.208.0/20
8.35.192.0/21
8.35.200.0/23
108.59.80.0/20
108.170.192.0/20
108.170.208.0/21
162.216.148.0/22
162.222.176.0/21
173.255.112.0/20
192.158.28.0/22
199.192.112.0/22
199.223.232.0/22
199.223.236.0/23
23.236.48.0/20
23.251.128.0/19
35.204.0.0/14
35.208.0.0/13
107.167.160.0/19
107.178.192.0/18
146.148.2.0/23
146.148.4.0/22
146.148.8.0/21
146.148.16.0/20
146.148.32.0/19
146.148.64.0/18
35.203.0.0/17
35.203.128.0/18
35.203.192.0/19
35.203.240.0/20
130.211.8.0/21
130.211.16.0/20
130.211.32.0/19
130.211.64.0/18
130.211.128.0/17
104.154.0.0/15
104.196.0.0/14
208.68.108.0/23
35.184.0.0/14
35.188.0.0/15
35.216.0.0/15
35.190.0.0/17
35.190.128.0/18
35.190.192.0/19
35.235.224.0/20
35.192.0.0/14
35.196.0.0/15
35.198.0.0/16
35.199.0.0/17
35.199.128.0/18
35.200.0.0/15
35.235.216.0/21

These CIDRS might change again in the future, so it will probably be worth running that while loop when you read this. Note <() doesn’t work in POSIX (/bin/sh) so you would need to output that first dig (the one that the loop iterates over) to a file for the second dig (the one inside the while read loop).

Or you could simply run a bash docker image and use it as written if you don’t have bash locally.

2 Likes

That was useful! Thanks! :smiley:

Hi Robert,
if we’re creating and using our own runner from GitLab how to know the IP, Successful pipeline should hit the server of type CPanel. TO unblock it in firewall need list of IPs’.

Thanks in Advance
AmbikaSantosh