
IP / Egress Filtering

Security:

Security is a big concern with many of our customers and has led some to introduce egress filtering at their firewalls. This type of filtering controls outgoing connections from the customer network, to ensure that their systems can only talk to approved destinations.

This type of filtering can be a challenge when working with VictorOps. Since we use Cloudflare for DDoS mitigation, application firewalling and attack detection, customers connecting to the VictorOps platform are actually connecting to a Cloudflare proxy server. This means that customer egress filters must allow connections to all of Cloudflare’s IP ranges in addition to VictorOps’ ranges. The current list of Cloudflare IP ranges can always be downloaded at https://www.cloudflare.com/ips
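One way to keep an egress allowlist in step with a published range list, shown as an added example (not VictorOps or Cloudflare code). It assumes the published list and the deployed allowlist are both saved as text with one CIDR per line; the function names, the `MIN_PREFIX` thresholds and the sample ranges (RFC documentation ranges) are constructed for illustration.

```python
import ipaddress

# Refuse prefixes broader than these: a garbled or tampered list containing
# e.g. 0.0.0.0/0 would otherwise silently disable the egress filter.
MIN_PREFIX = {4: 8, 6: 16}  # assumed sanity thresholds, tune to your policy

def parse_ranges(text):
    """Parse one-CIDR-per-line text into a set of ip_network objects."""
    nets = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (192.0.2.1/24)
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"line {lineno}: {net} is too broad for an allowlist")
        nets.add(net)
    return nets

def diff_allowlist(published_text, deployed_text):
    """Return (to_add, to_remove) as sorted lists of CIDR strings."""
    published = parse_ranges(published_text)
    deployed = parse_ranges(deployed_text)
    key = lambda n: (n.version, n.network_address, n.prefixlen)
    to_add = [str(n) for n in sorted(published - deployed, key=key)]
    to_remove = [str(n) for n in sorted(deployed - published, key=key)]
    return to_add, to_remove

# Constructed sample data using documentation ranges, not real provider ranges.
PUBLISHED = """\
192.0.2.0/24
198.51.100.0/24
2001:db8:1000::/36
"""
DEPLOYED = """\
192.0.2.0/24
203.0.113.0/24   # stale entry, no longer published
"""

if __name__ == "__main__":
    add, remove = diff_allowlist(PUBLISHED, DEPLOYED)
    print("allow tcp/443 to:", add)
    print("revoke tcp/443 to:", remove)
```

Stale ranges are reported for removal as well as new ones for addition, so the allowlist does not accumulate destinations the provider no longer uses.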

Future platform enhancements on our roadmap will mean that public IP addresses for the VictorOps platform will see additions, deletions and changes over time. Therefore we have some suggestions for working with VictorOps:

Awareness:

VictorOps does not represent that our current public IP addressing is immutable or guaranteed not to change. Our public IP addresses may change at any time due to architecture changes, new features and enhancements, and failover events. Customers connecting to VictorOps should therefore always use DNS hostnames rather than hardcoded IP addresses to make connections.

Egress Strategy:

If egress filtering is a must, consider carving out an exception for servers that must communicate with VictorOps. For most customers, this amounts to one or two monitoring servers. If such servers are allowed to make port 443 connections to any destination, it should alleviate any issues. Strict certificate checking will ensure that your server is not connecting to an unknown entity.
Updated on August 24, 2017
