IP / Egress Filtering

Security

Security is a big concern with many of our customers and has led some to introduce egress filtering at their firewalls. This type of filtering controls outgoing connections from the customer network to ensure that their systems can only talk to approved destinations.

We use Cloudflare for DDoS mitigation, application firewalling and attack detection, so customers connecting to the VictorOps platform are actually connecting to a Cloudflare proxy server. This means that customer egress filters must allow connections to all of Cloudflare’s IP ranges in addition to VictorOps’ ranges. The IP ranges to allow in egress filters are listed at https://www.cloudflare.com/ips

Future platform enhancements on our roadmap will mean that public IP addresses for the VictorOps platform will see additions, deletions and changes over time. Therefore we have some suggestions for working with VictorOps:

Awareness

VictorOps does not represent that our current public IP addressing is immutable or guaranteed not to change. Our public IP addresses may change at any time due to architecture changes, new features and enhancements, and failover events. Customers connecting to VictorOps should therefore always use DNS hostnames rather than hardcoded IP addresses to make connections.
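
For sites that must keep a range-based egress allowlist, the address changes described above mean the installed rules need regular reconciliation against the published ranges. The following is an added example, not VictorOps or Cloudflare code: it assumes the published list is available as text with one CIDR per line, uses constructed documentation-only ranges as sample data, and its function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation-only ranges (RFC 5737 / RFC 3849),
# not real Cloudflare or VictorOps addresses. Assumed format: one CIDR per line.
PUBLISHED = """\
192.0.2.0/24
198.51.100.0/25   # range shrank from /24 to /25
2001:db8::/32
"""
INSTALLED = "192.0.2.0/24\n198.51.100.0/24\n203.0.113.0/24\n"


def parse_ranges(text):
    """Parse one-CIDR-per-line text; reject the whole list on a malformed entry."""
    nets = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (e.g. 192.0.2.1/24)
            nets.add(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return nets


def reconcile(published, installed):
    """Return (to_add, to_remove) CIDR strings for the firewall allowlist."""
    order = lambda net: (net.version, net)  # never compare IPv4 with IPv6
    to_add = sorted(published - installed, key=order)
    to_remove = sorted(installed - published, key=order)
    return [str(n) for n in to_add], [str(n) for n in to_remove]


def uncovered(addresses, allowed):
    """Addresses (e.g. resolved from the service hostname) outside every range."""
    missing = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip.version == net.version and ip in net for net in allowed):
            missing.append(addr)
    return missing


if __name__ == "__main__":
    pub, cur = parse_ranges(PUBLISHED), parse_ranges(INSTALLED)
    add, remove = reconcile(pub, cur)
    print("add:", add, "remove:", remove)
    print("not covered:", uncovered(["192.0.2.10", "198.51.100.200"], pub))
```

Apply the additions before the removals so that a resized range is never briefly blocked.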

Egress Strategy

If egress filtering is a must, consider carving out an exception for servers that must communicate with VictorOps. For most customers, this amounts to one or two monitoring servers. If such servers are allowed to make port 443 connections to any destination, it should alleviate any issues. Strict certificate checking will ensure that your server is not connecting to an unknown entity.

Updated on April 4, 2019
