Overview
Blumira leverages a number of Google Cloud Platform services to provide you with a scalable and efficient experience. If you require strict outbound traffic filtering (e.g., for PCI compliance), then you must allow traffic to a specific subset of Google assets on the internet via allowlists. We strongly recommend using URL/FQDN filtering where possible. However, if you cannot allow this for your organization, then you must add all Google Cloud IPs and Google IPs to an allowlist. This article explains how to do both.
Allowlisting by URLs/FQDNs
Blumira uses broad domains that leverage private key authentication within the Google Cloud Platform. This means that if there is an issue in one region, DNS can shift to other available and routed IPs. The following are the URLs/FQDNs to add to your allowlist:
URL/FQDN | How Blumira sensors use the URL/FQDN |
sensor-mqtt.e.p.b5a.io (HTTPS/443) | To send telemetry up to Google and Blumira on its health and status. |
pubsub.googleapis.com (HTTPS/443) | To securely send data up through this protocol using a private key created for your specific sensor. |
storage.googleapis.com (HTTPS/443) | To download Docker images from Google Storage that deploy new module functionality or gather your custom Docker sensor image. |
(HTTPS/443) | To authenticate to the container repository using its private key to gather modules securely. |
oauth2.googleapis.com (HTTPS/443) | To securely authenticate with other Google API endpoints. |
api.snapcraft.io | To successfully install the sensor, specifically in environments that are actively blocking foreign traffic. |
Allowlisting by IP address
If you cannot allowlist by URL/FQDN, then you can allowlist the IP addresses in the lists below or in this TXT file.
IPv4 addresses
IPv6 addresses
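Because DNS can shift the hostnames above to other IPs, an IP-based allowlist is worth checking against what those names currently resolve to. The following is an added example, not Blumira's code: it compares DNS answers with a CIDR list, and the file argument, function names and documentation-range sample data are assumptions constructed for illustration.

```python
import ipaddress
import socket
import sys

# Hostnames from the table on this page that are given in full.
SENSOR_FQDNS = ["sensor-mqtt.e.p.b5a.io", "pubsub.googleapis.com",
                "storage.googleapis.com", "oauth2.googleapis.com",
                "api.snapcraft.io"]

# Constructed sample data (documentation ranges), used when no file is given.
SAMPLE_ALLOWLIST = ["192.0.2.0/24", "", "2001:db8::/32  # constructed"]
SAMPLE_RESOLVED = {"ok.example": ["192.0.2.10", "2001:db8::1"],
                   "gap.example": ["192.0.2.5", "198.51.100.7"]}


def parse_allowlist(lines):
    """Parse one CIDR per line, ignoring blank lines and # comments."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def resolve(fqdn, port=443):
    """Return the A/AAAA answers this host's resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def uncovered(resolved, networks):
    """Map each hostname to its addresses that no allowlisted network contains."""
    gaps = {}
    for fqdn, addrs in resolved.items():
        missing = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in n for n in networks)]
        if missing:
            gaps[fqdn] = missing
    return gaps


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass the path of a CIDR list file
        with open(sys.argv[1]) as fh:
            nets = parse_allowlist(fh)
        resolved = {name: resolve(name) for name in SENSOR_FQDNS}
    else:                  # offline run on the constructed sample
        nets, resolved = parse_allowlist(SAMPLE_ALLOWLIST), SAMPLE_RESOLVED
    for name, ips in uncovered(resolved, nets).items():
        print(f"{name}: outside allowlist: {', '.join(ips)}")
```

Run it from the sensor's network segment with the CIDR list your firewall actually enforces, and repeat it periodically since the DNS answers change over time.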