Overview
Blumira leverages a number of Google Cloud Platform services to provide you with a scalable and efficient experience. If you require strict outbound traffic filtering (e.g., for PCI compliance), then you must allowlist traffic to a specific subset of Google assets on the internet. We strongly recommend using URL/FQDN filtering where possible. However, if your organization cannot allow that, then you must add all Google Cloud IPs and Google IPs to an allowlist. This article explains how to do both.
Allowlisting by URLs/FQDNs
Blumira uses broad Google domains combined with private-key authentication within the Google Cloud Platform. This means that if there is an issue in one region, DNS can shift those domains to other available, routed IPs without any change on your side, which is why filtering by FQDN is preferred over a fixed IP list. The following are the URLs/FQDNs to allowlist:
| URL/FQDN | How Blumira sensors use the URL/FQDN |
|---|---|
| mqtt.googleapis.com (HTTPS/443) | To send telemetry up to Google and Blumira on the sensor's health and status. |
| pubsub.googleapis.com (HTTPS/443) | To securely send data up through this protocol using a private key created for your specific sensor. |
| storage.googleapis.com (HTTPS/443) | To download Docker images from Google Storage that deploy new module functionality or gather your custom Docker sensor image. |
| gcr.io (HTTPS/443) | To authenticate to the Google Container Repository using its private key to gather modules securely from storage.googleapis.com. |
| oauth2.googleapis.com | To securely authenticate with other Google API endpoints. |
Allowlisting by IP address
If you cannot allowlist by URL/FQDN, then you must allowlist the IP addresses contained in the files linked below:
- IPv4 addresses (100 KB download)
- IPv6 addresses (200 KB download)
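The following script is an added example for validating both allowlisting approaches from a sensor host; it is not Blumira's own tooling. The FQDN half resolves each host from the table above and completes a TLS handshake on 443 (the port is assumed for oauth2.googleapis.com, whose port the table does not state), so a blocked destination shows up as a failed row rather than an opaque sensor outage. The IP half collapses an IP-range file into the minimal CIDR set per address family; the `{"prefixes": [{"ipv4Prefix": ...}, {"ipv6Prefix": ...}]}` layout it parses is an assumption, and the embedded ranges are constructed documentation addresses, not real Google ranges.

```python
"""Constructed helper for checking a sensor host's outbound allowlist.

Part 1 (FQDN mode): resolve each host from the article's table and attempt a
TLS handshake on 443, the same path the sensor takes through an egress filter.
Part 2 (IP mode): collapse an IP-range JSON file (layout assumed) into the
minimal CIDR list a firewall needs, split by address family.
"""
import ipaddress
import json
import socket
import ssl

# Endpoints from the article's table. Port 443 is assumed for oauth2.googleapis.com.
FQDN_ALLOWLIST = [
    ("mqtt.googleapis.com", 443),
    ("pubsub.googleapis.com", 443),
    ("storage.googleapis.com", 443),
    ("gcr.io", 443),
    ("oauth2.googleapis.com", 443),
]


def probe_endpoint(host, port=443, timeout=5.0):
    """Resolve host, open a TCP connection and complete a TLS handshake.

    Returns a dict describing the outcome and never raises, so a blocked
    host becomes a row in the report instead of aborting the whole run.
    """
    result = {"host": host, "port": port, "addresses": [], "ok": False, "error": None}
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        result["addresses"] = sorted({info[4][0] for info in infos})
        ctx = ssl.create_default_context()  # verifies the server certificate
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["ok"] = True
                result["tls_version"] = tls.version()
    except (OSError, ssl.SSLError) as exc:
        # DNS failure, egress block (timeout/refused) or TLS interception all land here.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def collapse_prefixes(ranges_json):
    """Parse a JSON document with a "prefixes" list (assumed layout:
    {"prefixes": [{"ipv4Prefix": "..."}, {"ipv6Prefix": "..."}]}) and return
    (ipv4_cidrs, ipv6_cidrs) with duplicates, contained and adjacent networks merged.
    Families are collapsed separately because ipaddress refuses to mix them."""
    doc = json.loads(ranges_json)
    v4, v6 = [], []
    for entry in doc.get("prefixes", []):
        if "ipv4Prefix" in entry:
            v4.append(ipaddress.ip_network(entry["ipv4Prefix"], strict=False))
        elif "ipv6Prefix" in entry:
            v6.append(ipaddress.ip_network(entry["ipv6Prefix"], strict=False))
    return (
        [str(n) for n in ipaddress.collapse_addresses(v4)],
        [str(n) for n in ipaddress.collapse_addresses(v6)],
    )


def covered_by(address, cidrs):
    """True if the address falls inside one of the CIDR strings (useful for
    checking that an address a sensor actually connected to is on the list)."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


# Constructed sample in the assumed layout; these are documentation ranges, not Google's.
SAMPLE_RANGES = json.dumps({
    "prefixes": [
        {"ipv4Prefix": "203.0.113.0/25"},
        {"ipv4Prefix": "203.0.113.128/25"},   # adjacent: merges with the one above
        {"ipv4Prefix": "198.51.100.0/24"},
        {"ipv4Prefix": "198.51.100.64/26"},   # contained: dropped by the collapse
        {"ipv6Prefix": "2001:db8:1::/48"},
        {"ipv6Prefix": "2001:db8:1::/48"},    # duplicate: dropped
        {"ipv6Prefix": "2001:db8:2::/48"},
    ]
})


if __name__ == "__main__":
    v4, v6 = collapse_prefixes(SAMPLE_RANGES)
    print("IPv4 allowlist:", v4)
    print("IPv6 allowlist:", v6)
    # The probes below need outbound network access from the host being checked.
    for host, port in FQDN_ALLOWLIST:
        r = probe_endpoint(host, port)
        status = "ok " + r.get("tls_version", "") if r["ok"] else "BLOCKED " + (r["error"] or "")
        print(f"{host}:{port} -> {status}")
```

Run it on the sensor host itself (or from the same network segment) so the probes traverse the same egress filter the sensor does; a `timeout` error usually means a silent drop, while a certificate error on a domain that resolves normally points at TLS inspection in the path, which would also break the sensor's private-key authentication.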