Update static outbound IPs and remove stale entries #226

Merged: Komsomol merged 2 commits into master from update-urls-and-ip-addresses, Mar 18, 2026
@Komsomol
Contributor

Summary

The /32 IPs listed under "IP-based whitelisting" were stale — they no longer resolve to any Fliplet infrastructure. All Fliplet API/CDN domains are now CloudFront-fronted with dynamic IPs.

Verified current NAT Gateway Elastic IPs across all three regions by querying AWS directly (describe-nat-gateways + describe-vpcs + ECS service network configs + route tables).

Changes

  • New "Static outbound IPs" section — verified NAT Gateway EIPs for EU, US, CA. These are the IPs Fliplet servers use for outbound calls (OAuth2 token exchange, App Actions webhooks, server-to-server API calls)
  • Removed 7 stale /32 IPs: 52.19.68.87, 63.32.114.158, 63.32.146.94 (EU), 54.193.126.209, 54.67.74.6 (US), 3.98.17.196, 3.98.43.103 (CA) are no longer allocated as Elastic IPs
  • Removed redundant App Actions section — folded into the new static outbound IPs section (same IPs)
  • Stronger CloudFront caveat — explicit warning that IP-based whitelisting for inbound access is unreliable
  • Kept S3/CDN CIDR ranges and email (SES) section unchanged

Verified IPs

| Region | Production API/Worker/Studio | Browser/App Actions |
|---|---|---|
| EU (eu-west-1) | 34.253.89.200 | 52.212.7.119 |
| US (us-west-1) | 54.215.18.140 | 54.151.38.62 |
| CA (ca-central-1) | 52.60.161.244 | 3.98.9.146 |

Context

Triggered by a client request (Orrick) — they use Fliplet.OAuth2 with Azure AD behind a VNet firewall and couldn't create firewall rules because the documented IPs were stale. The OAuth2 proxy (/v1/communicate/proxy/*) runs on the API service, so outbound calls use the production-vpc NAT Gateway EIP.

🤖 Generated with Claude Code

The /32 IPs listed under IP-based whitelisting were stale CloudFront
snapshots from when api.fliplet.com was not CloudFront-fronted. Since
all Fliplet API/CDN domains now resolve through CloudFront (dynamic
IPs), those specific IPs no longer point to Fliplet infrastructure.

Changes:
- Add new "Static outbound IPs" section with verified NAT Gateway EIPs
  for all three regions (EU, US, CA) — these are the IPs that Fliplet
  servers use when making outbound calls (OAuth2, App Actions, webhooks)
- Remove stale /32 IPs from the general IP whitelisting section
- Keep S3 CIDR ranges (still valid for CDN asset access)
- Strengthen recommendation for URL-based whitelisting
- Keep App Actions and Email sections unchanged (already correct)
@Komsomol Komsomol merged commit 2681dfa into master Mar 18, 2026
0 of 2 checks passed
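
Added example, not part of the PR or the Fliplet repository: one way to repeat the verification described above as a recurring check, by comparing a documented allowlist with the addresses held by in-service NAT gateways in `aws ec2 describe-nat-gateways` JSON. The sample JSON, gateway IDs and function names are constructed for illustration; the documented IPs are the EU values quoted in the PR.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-nat-gateways --region eu-west-1`
# output. Gateway IDs and the 203.0.113.10 address are made up; the two
# "available" addresses are the EU values from the PR's "Verified IPs" table.
SAMPLE_EU = json.dumps({"NatGateways": [
    {"NatGatewayId": "nat-EXAMPLE1", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "34.253.89.200"}]},
    {"NatGatewayId": "nat-EXAMPLE2", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "52.212.7.119"}]},
    {"NatGatewayId": "nat-EXAMPLE3", "State": "deleted",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
]})

# EU entries the PR removed from the docs, and the ones it added.
OLD_EU_DOCS = ["52.19.68.87/32", "63.32.114.158/32", "63.32.146.94/32"]
NEW_EU_DOCS = ["34.253.89.200", "52.212.7.119"]


def live_nat_ips(describe_json):
    """Public IPs of NAT gateways that are currently in service."""
    ips = set()
    for gw in json.loads(describe_json).get("NatGateways", []):
        if gw.get("State") != "available":
            continue  # skip pending/failed/deleting/deleted gateways
        for addr in gw.get("NatGatewayAddresses", []):
            if addr.get("PublicIp"):
                ips.add(addr["PublicIp"])
    return ips


def audit(documented, describe_json):
    """Split a documented allowlist into stale, undocumented and matching IPs."""
    # ip_interface accepts both "a.b.c.d" and "a.b.c.d/32" spellings.
    doc = {str(ipaddress.ip_interface(entry).ip) for entry in documented}
    live = live_nat_ips(describe_json)
    return {
        "stale": sorted(doc - live),         # documented, not held by a live gateway
        "undocumented": sorted(live - doc),  # live egress IP missing from the docs
        "ok": sorted(doc & live),
    }


if __name__ == "__main__":
    print("old docs:", audit(OLD_EU_DOCS, SAMPLE_EU))
    print("new docs:", audit(NEW_EU_DOCS, SAMPLE_EU))
```

Run it per region against real CLI output; a non-empty `stale` or `undocumented` list means customer firewall rules built from the docs will not match actual egress.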