# prefect-cloud
a
Hello everyone, I have a yaml file where this deployment is defined:
```yaml
pull:
- prefect.deployments.steps.git_clone:
    repository: https://gitlab.tools.tenacy.io/data/tenacy-prefect.git
    branch: main
    access_token: '{{prefect.blocks.secret.gitlab-personal-token}}'
```
Since our Gitlab instance is not accessible from the open internet, we whitelisted the API's IP address found here.
```
The public IPv4 address for api.prefect.cloud is 34.111.36.90. The IPv6 address is 2600:1901:0:3486::
```
But the problem is that when we look into Gitlab's logs, we get this:
```
2024/08/21 09:56:00 [error] 2128093#2128093: *1967665 access forbidden by rule, client: 34.224.37.104, server: gitlab.tools.tenacy.io, request: "GET /data/tenacy-prefect.git HTTP/1.1", host: "gitlab.tools.tenacy.io"
```
As you can see, the requests are not coming from the IP that is whitelisted. How should we proceed? cc @Marvin
m
It looks like the Prefect documentation does not specify the IP addresses used for the `git_clone` operations. The IP addresses mentioned in the status page are for the Prefect Cloud API, which might be different from those used by the workers performing the `git_clone`. Here's a step-by-step breakdown of what might help:

1. Check with Prefect Support: Since the issue involves specific IPs used by Prefect workers, reaching out to Prefect support for a definitive list of IPs would be the most reliable step. Often, network operations like cloning a Git repository might use different servers.
2. Use VPN or Proxy: If whitelisting IPs is problematic, consider setting up a VPN or proxy that the Prefect workers can connect through. This would ensure that the workers always appear to come from a known IP address that you can whitelist.
3. Local Runner: As a temporary measure or for troubleshooting, you could run your worker locally within the same network where your Gitlab instance resides. This would bypass the IP whitelisting issue and help isolate the problem.
4. Logs & Debugging: Enable debugging logs in your Prefect configuration to get more details about the network operations happening during the deployment steps. This might give you more insight into the specific IP addresses or configurations in use.

For more specialized queries, it might be best to directly refer to Prefect deployment documentation or reach out to Prefect Support. If you need an example or any specific details, do let me know!
a
We found the solution:

1. Run the flow 30 times, and see what IP addresses are trying to clone the repo
2. Add those addresses to the whitelist

Sometimes brute force is the best way 😉
j
Hey! Those IPs that are trying to clone the repo are wherever your code is executing. Just to be clear, the repo is not being cloned onto Prefect servers unless you are using a Prefect managed work pool (dedicated compute on Prefect Cloud). We currently do not publish a range of IPs for Prefect managed, but hope to do so soon.
a
Yes, we are using a Prefect managed work pool 🙂 Maybe I should have started with this!