How to identify the CIDR block of the IP from the Bitbucket pipeline build

Summary

With the release of the new CI/CD runtime for Bitbucket Pipelines, Atlassian also announced the new IPs hosted on Amazon Web Services. For more details, please check the blog post: https://ip-ranges.amazonaws.com/ip-ranges.json.

However, all IPs in this documentation are listed in CIDR blocks, meaning that if you don't allow the entire block range of IPs, you might encounter some failures.

With that being said, there could be a scenario where your Bitbucket pipeline build failed, and you found in your internal logs that it ran under an IP that wasn't allowed.

How can I verify if this IP is included in the provided list of IPs for Bitbucket pipelines to run?

Environment

Bitbucket Pipelines.

Solution

In a hypothetical scenario, you have identified that your Bitbucket Pipeline build ran under the IP address 52.55.119.23. Simply searching https://ip-ranges.amazonaws.com/ip-ranges.json from the browser will not reveal the IP address.

In this case, you can use the AWS site at https://thameera.com/awsip/ to find out to which CIDR block a given IP belongs. By entering 52.55.119.23 into https://thameera.com/awsip/, you can see that this IP address belongs to the CIDR block 52.54.0.0/15.

With this information, you can adjust your firewall configuration to allow traffic to the entire CIDR block.