amazon-web-services - 设置 AWS 安全组入站规则以允许 Gilabci 管道在 RDS 中进行更改

Question

我可以使用 0.0.0.0/0 CidrIp 从 gitlabci 管道访问 AWS RDS，但它已广泛开放。

这是我在 cloudformation 文件中的 SecurityGroupIngress 定义:

SecurityGroupIngress:
                -   CidrIp: 0.0.0.0/0
                    FromPort: 5432
                    ToPort: 5432
                    IpProtocol: TCP
                    Description: Allows traffic from gitlb ci

效果很好。

我不知道如何设置 gitlabci 的 IP 地址范围以使 AWS RDS 更安全。

我找到了这个文档:gitlab ip range

有指向谷歌云上所有可能的IP地址的链接cloude.josn

这里有类似的主题 stackoverflow

我需要 IP 和掩码。

Answer 1

For outgoing connections from CI/CD runners, we are not providing static IP addresses. All GitLab.com shared runners are deployed into Google Cloud Platform (GCP) in us-east1

这里是 us-east1 中所有 GCP CIDR block 的列表(假设您使用的是 Gitlab 运行程序)。

"34.23.0.0/16"
"34.24.0.0/15"
"34.26.0.0/16"
"34.73.0.0/16"
"34.74.0.0/15"
"34.98.128.0/21"
"34.118.250.0/23"
"34.138.0.0/15"
"34.148.0.0/16"
"35.185.0.0/17"
"35.190.128.0/18"
"35.196.0.0/16"
"35.207.0.0/18"
"35.211.0.0/16"
"35.220.0.0/20"
"35.227.0.0/17"
"35.229.16.0/20"
"35.229.32.0/19"
"35.229.64.0/18"
"35.231.0.0/16"
"35.237.0.0/16"
"35.242.0.0/20"
"35.243.128.0/17"
"104.196.0.0/18"
"104.196.65.0/24"
"104.196.66.0/23"
"104.196.68.0/22"
"104.196.96.0/19"
"104.196.128.0/18"
"104.196.192.0/19"
"162.216.148.0/22"
"2600:1900:4020::/44"

方法论:

curl https://www.gstatic.com/ipranges/cloud.json | jq '.prefixes[] | select(.scope=="us-east1") | .ipv4Prefix // .ipv6Prefix'