Obtaining GCP IP ranges to enable proxy and firewall configuration

Depending on your company's infrastructure configuration, the on-prem components may or may not go through a proxy/firewall to reach your Symphony instance.

When your organization's internal IT team uses a static IP in the proxy/firewall settings to allow traffic directly to your pod, an occasional issue may occur because Amazon Web Services (AWS) performs automatic scaling on their side, which dynamically assigns an IP to, or removes one from, the ELB.

Note: Symphony has no control over AWS regarding their scaling.

Find the IP ranges for your Symphony instance if your company uses a static IP in the proxy/firewall settings

According to this FAQ, Google Cloud Platform (GCP) uses a large range of IP addresses, which change over time. For historical reasons, GCP publishes its list of public IP addresses in an SPF record for _cloud-netblocks.googleusercontent.com.

  1. When you need the literal IP addresses for GCP, use one of the common DNS lookup commands, for example nslookup, dig or host, to retrieve the TXT records for the domain _cloud-netblocks.googleusercontent.com.
$ nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8

This returns a list of the domains included in Google's SPF record:

_cloud-netblocks1.googleusercontent.com, _cloud-netblocks2.googleusercontent.com, 
_cloud-netblocks3.googleusercontent.com, _cloud-netblocks4.googleusercontent.com,
_cloud-netblocks5.googleusercontent.com
  2. Next, look up the DNS records associated with those domains one at a time:
$ nslookup -q=TXT _cloud-netblocks1.googleusercontent.com 8.8.8.8
$ nslookup -q=TXT _cloud-netblocks2.googleusercontent.com 8.8.8.8
$ nslookup -q=TXT _cloud-netblocks3.googleusercontent.com 8.8.8.8
$ nslookup -q=TXT _cloud-netblocks4.googleusercontent.com 8.8.8.8
$ nslookup -q=TXT _cloud-netblocks5.googleusercontent.com 8.8.8.8

Each of these lookups returns a list of IP ranges. Once consolidated, these are the GCP IP ranges in use.
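
The two lookup steps above can be scripted so the consolidated list is reproducible. This is an added example, not code from Symphony or Google: the function names are hypothetical, the sample records are constructed from documentation ranges, and it uses dig (one of the lookup commands named above) instead of nslookup.

```shell
#!/bin/sh
# Added example: consolidate the GCP ranges published as SPF records
# under _cloud-netblocks.googleusercontent.com. Function names are hypothetical.

# Normalise dig TXT output on stdin to one SPF term per line.
# A long TXT record arrives as several quoted chunks ("..." "..."), which
# must be joined with no separator before splitting on spaces.
spf_terms() {
    sed -e 's/" "//g' -e 's/"//g' | tr ' ' '\n'
}

# Domains referenced by include: mechanisms (step 1).
spf_includes() {
    spf_terms | sed -n 's/^include://p'
}

# CIDR ranges from ip4:/ip6: mechanisms, de-duplicated (step 2).
spf_ranges() {
    spf_terms | sed -n -e 's/^ip4://p' -e 's/^ip6://p' | LC_ALL=C sort -u
}

# Live lookup (needs dig and outbound DNS to 8.8.8.8).
fetch_txt() {
    dig +short TXT "$1" @8.8.8.8
}

# Walk the top-level record, then every included domain, and consolidate.
gcp_ranges() {
    fetch_txt _cloud-netblocks.googleusercontent.com | spf_includes |
    while read -r domain; do fetch_txt "$domain"; done | spf_ranges
}

# Constructed sample records (documentation ranges, not real GCP data).
SAMPLE_TOP='"v=spf1 include:_cloud-netblocks1.googleusercontent.com include:_cloud-netblocks2.googleusercontent.com ?all"'
SAMPLE_LEAVES='"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip6:2001:db8::/32 ?all"
"v=spf1 ip4:192.0.2.0/24 ip4:203.0." "113.0/24 ?all"'

# Run with --live to query DNS; otherwise parse the constructed sample.
if [ "${1:-}" = "--live" ]; then
    gcp_ranges
else
    printf '%s\n' "$SAMPLE_LEAVES" | spf_ranges
fi
```

Because the ranges change over time, save each run's output and diff it against the previous one before updating the proxy/firewall allowlist.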

Notes:

  • GCP does not provide any mapping of the IP range to their corresponding zones.
  • Your Symphony instance is behind an HTTPS server, so port 443 should be used on your proxy/firewall when whitelisting the GCP IP ranges.

If you require further assistance on this topic, please contact the Symphony Support team at support@symphony.com.