GitLab CI runners' public IP addresses (range)


#1

Is there any official IP range for the GitLab CI runners? I’d like to white-list an IP range which is allowed to connect to my CloudSQL database on Google Cloud Platform. The CI runner is running some Django admin commands that will need remote access to the SQL database during the setup.

Any ideas?


#2

I have the same problem. I set up a test server and tried to deploy to this server. I ran tcpdump while the deployment was doing its thing and analyzed the dumps with Wireshark.
The runners' public IPs seem to be all over the place, so it looks like it is impossible to whitelist an IP range.

I would be very interested in a solution though. Let’s hope there is a hidden configuration option somewhere or any way to get more manageable public IPs.
I was thinking that some sort of proxy could be helpful, but I am not very confident with my network skills.


#3

I have the same issue for our development servers. Our production servers are updated through the AWS CLI, but our development servers need to be updated with SFTP. I would like to allow an IP range to use our SSH ports. Any updates on this topic?


#4

You’re not alone on this request. Here is a related feature proposal that could use your support.


#5

We’re using the GitLab.com hosted service, with shared runners, and three out of four runners fall in the following CIDR: 67.205.128.0/18 which is:

And the fourth which is “shared-runners-manager-1.gitlab.com” falls in the CIDR 192.241.128.0/17

Whitelisting these two CIDRs works for us currently. Not sure whether the IPs change dynamically / occasionally or not, but it’s working for now. Hope this helps…


#6

Thanks, I just verified that these are still the same with a dig and a whois.

A minor security concern though:

These appear to be public cloud (DigitalOcean) CIDR blocks. I just recommend that, if you do whitelist these CIDRs, you do it in your CI pipeline and close the firewall rules when done.
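
The open-then-close pattern recommended in the last post, as an added example that is not part of the thread: a POSIX shell helper that adds the two CIDRs from post #5 to a Cloud SQL instance's authorized networks for the duration of one command and restores the previous list afterwards. The instance name, the baseline list and the `GCLOUD` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Temporarily allow the runner CIDRs on a
# Cloud SQL instance for one command, then restore the previous allowlist.

# CIDRs reported in post #5 for GitLab.com shared runners; re-verify before use.
RUNNER_CIDRS="67.205.128.0/18,192.241.128.0/17"

# Cloud SDK command; overridable (assumption of this example) for dry runs.
GCLOUD="${GCLOUD:-gcloud}"

# set_networks INSTANCE CSV
# --authorized-networks replaces the whole list, so the full set is passed.
set_networks() {
  if [ -n "$2" ]; then
    "$GCLOUD" sql instances patch "$1" --quiet --authorized-networks="$2"
  else
    "$GCLOUD" sql instances patch "$1" --quiet --clear-authorized-networks
  fi
}

# with_temp_allowlist INSTANCE BASELINE_CSV CMD [ARGS...]
# The body is a subshell, so the EXIT trap fires when CMD finishes,
# whether it succeeded or failed, and CMD's exit status is returned.
with_temp_allowlist() (
  instance="$1"
  baseline="$2"
  shift 2
  if [ -n "$baseline" ]; then
    opened="$baseline,$RUNNER_CIDRS"
  else
    opened="$RUNNER_CIDRS"
  fi
  trap 'set_networks "$instance" "$baseline"' EXIT
  set_networks "$instance" "$opened" || exit 1
  "$@"
)

# Usage in a CI job (instance name and baseline are placeholders):
#   with_temp_allowlist my-sql-instance "203.0.113.10/32" python manage.py migrate
```

Because the restore runs from the trap, a failing migration still closes the rule; a job that is killed outright by the runner may not, so a scheduled check of the instance's authorized networks is a sensible backstop.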