<@ULVA73B9P> do you have a list of IPs that I shou...
# ask-marvin
m
@Marvin do you have a list of IPs that I should whitelist to provide access to prefect cloud to my cloud resources behind firewalls?
m
To allow access to Prefect Cloud from behind a firewall, you need to whitelist certain URLs. Regardless of whether you're using Prefect 2.x or 3.x, the essential domains to whitelist for Prefect Cloud communication include:
- app.prefect.cloud
- api.prefect.cloud
- auth.workos.com
- api.github.com
- github.com
- ocsp.pki.goog/s/gts1d4/OxYEb8XcYmo

With Prefect 3.x, secure access by IP allowlisting is an available feature for certain Enterprise plans. This allows administrators to restrict API and UI access at the network level. You can manage your IP allowlist using the Prefect CLI, and the allowlist can include individual IPs or IP ranges using CIDR notation. Note that the allowlist feature may require being enabled in your Enterprise account, and it can contain up to 25 entries.

For detailed steps on setting up your network to securely access Prefect Cloud, these resources may be helpful:
- Prefect 2.x Connection Guidelines: Prefect 2.x documentation
- Prefect 3.x Secure Access by IP: Prefect 3.x documentation

If you find yourself behaving like a paranoid firewall, don't worry—it's all about keeping your resources safe! If you have more specific questions or need further help, feel free to ask.
m
@Marvin I mean the opposite. I have some services protected by a firewall. Prefect cloud will need to connect to these services. What is the list of IPs from Prefect Cloud that I should allow?
m
Ah, I see! If you need to allow Prefect Cloud to access your services, you should consider the specific IP addresses that Prefect Cloud uses. However, it seems the documentation I searched doesn't provide a direct list of those IP addresses. For setting up your firewall rules, it's typically necessary to contact Prefect support or your account manager, especially if you are using Prefect Cloud on an Enterprise plan. They can provide a detailed list of IP addresses or ranges that Prefect Cloud uses for outgoing connections. This kind of configuration might involve specific IP addresses that aren't publicly documented due to security concerns. It might seem a tad paranoid, but in the world of cloud security, it's always better safe than sorry! If you need further assistance, reaching out directly to Prefect or through your Enterprise support channels can clarify any IP-specific requirements.
n
hi @Matthieu Dujany - is this helpful?
```
» prefect cloud ip-allowlist

 Usage: prefect cloud ip-allowlist [OPTIONS] COMMAND [ARGS]...

 Manage Prefect Cloud IP Allowlists

╭─ Options ───────────────────────────────────────────────────────────────────────────────────╮
│ --help          Show this message and exit.                                                 │
╰─────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ──────────────────────────────────────────────────────────────────────────────────╮
│ enable    Enable the IP allowlist for your account. When enabled, if the allowlist is       │
│           non-empty, then access to your Prefect Cloud account will be restricted to only   │
│           those IP addresses on the allowlist.                                              │
│ disable   Disable the IP allowlist for your account. When disabled, all IP addresses will   │
│           be allowed to access your Prefect Cloud account.                                  │
│ ls        Fetch and list all IP allowlist entries in your account.                          │
│ add       Add a new IP entry to your account IP allowlist.                                  │
│ remove    Remove an IP entry from your account IP allowlist.                                │
│ toggle    Toggle the enabled status of an individual IP entry in your account IP allowlist. │
╰─────────────────────────────────────────────────────────────────────────────────────────────╯
```
oh wait, you're asking about which ips are "official prefect things" that you should allow? sorry skimmed at first
m
yes @Nate my question was which ips are "official prefect things" that you should allow? Are there any? Thanks for jumping in, I appreciate the help
k
is this because you're using a managed work pool? or are you setting up outbound webhooks in Cloud?
m
We are considering two options:
- Prefect Cloud. It's attractive: it would give us in a few clicks the infra necessary to run our prefect workflows. The issue is these workflows need to target some of our own cloud services which are behind firewalls. Whitelisting the Prefect infra would be a more acceptable solution.
- Prefect "Hybrid". In that case we would set up a work pool in our GCP cloud. We would not have the firewall issues anymore. It's just more work to get everything running.

So to answer your question @Kevin Grismore we would prefer to use the prefect cloud work pool and would like to know if there exists a restricted list of IPs that we should whitelist to let prefect cloud workers reach our services.