Allowlisting outbound traffic for Blumira sensors

Overview

Blumira leverages a number of Google Cloud Platform services to provide you with a scalable and efficient experience. If you require strict outbound traffic filtering (e.g., for PCI compliance), then you must allow traffic from your sensors to a specific subset of Google assets on the internet via allowlists. We strongly recommend allowlisting by URL/FQDN where possible. If your organization cannot filter by URL/FQDN, then you must instead add all Google Cloud IPs and Google IPs to an allowlist. This article explains how to do both.

Allowlisting by URLs/FQDNs

Blumira uses broad domains backed by private-key authentication within Google Cloud Platform. Because the allowlist matches the domain rather than fixed addresses, DNS can shift to other available, routed IPs if there is an issue in one region. The following are the URLs/FQDNs to add to your allowlist:

URL/FQDN (port)                                     How Blumira sensors use the URL/FQDN
sensor-mqtt.e.p.b5a.io (HTTPS/443)                  To send telemetry on the sensor's health and status up to Google and Blumira.
pubsub.googleapis.com (HTTPS/443)                   To securely send data up through Google Pub/Sub using a private key created for your specific sensor.
storage.googleapis.com (HTTPS/443)                  To download Docker images from Google Storage that deploy new module functionality, or to gather your custom Docker sensor image.
gcr.io and us-central1-docker.pkg.dev (HTTPS/443)   To authenticate to the container repository using the sensor's private key and gather modules securely.
oauth2.googleapis.com (HTTPS/443)                   To securely authenticate with other Google API endpoints.
api.snapcraft.io                                    To successfully install the sensor, specifically in environments that actively block foreign traffic.


Allowlisting by IP address

If you cannot allowlist by URL/FQDN, then you can allowlist the IP addresses in the lists below or in this TXT file.

IPv4 addresses


IPv6 addresses

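Because the article notes that DNS can shift the FQDNs above to other IPs, an IP-based allowlist needs to be checked against what those names actually resolve to. The following script is an added example, not Blumira's or Google's code: it reads an allowlist in the one-prefix-per-line format of the IP lists above (file path assumed to be given on the command line), validates each prefix, resolves the FQDNs from the table (port 443 is assumed for api.snapcraft.io, for which the article lists no port), and reports any resolved address the allowlist does not cover.

```python
import ipaddress
import socket

# FQDNs from the article's table. All are HTTPS/443 except api.snapcraft.io,
# for which the article lists no port (443 is assumed here).
REQUIRED_FQDNS = ["sensor-mqtt.e.p.b5a.io", "pubsub.googleapis.com",
                  "storage.googleapis.com", "gcr.io", "us-central1-docker.pkg.dev",
                  "oauth2.googleapis.com", "api.snapcraft.io"]


def parse_allowlist(text):
    """Parse one CIDR prefix per line (the format of the article's IP lists).
    Blank lines and '#' comments are skipped. Malformed entries are returned as
    (line number, text) rather than silently dropped: a typo in an allowlist is
    exactly the kind of gap that breaks a sensor later."""
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            bad.append((lineno, raw))
    return networks, bad


def uncovered(ips, networks):
    """Return the IPs (v4 or v6 strings) that no allowlisted prefix contains.
    ipaddress never matches an address against a prefix of the other family."""
    return [ip for ip in ips
            if not any(ipaddress.ip_address(ip) in n for n in networks)]


def resolve_fqdns(fqdns=REQUIRED_FQDNS):
    """Current A/AAAA answers for the required FQDNs (needs DNS; run it on the
    sensor host so the resolver view matches what the sensor will use)."""
    ips = set()
    for host in fqdns:
        for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP):
            ips.add(info[4][0])
    return sorted(ips)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:  # argv[1]: path to the allowlist TXT file
        nets, bad = parse_allowlist(f.read())
    for lineno, line in bad:
        print(f"allowlist line {lineno}: invalid prefix {line!r}")
    for ip in uncovered(resolve_fqdns(), nets):
        print(f"{ip} (current DNS answer) is not covered by the allowlist")
```

Rerun it after DNS changes or allowlist updates; an empty report means every address the sensor would currently connect to is inside the allowlist.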