How can I add my Code Engine function to an allowlist?
Your Code Engine workload needs to access a protected resource. You need to create an allowlist for your Code Engine workload. How can you find the IP addresses that your Code Engine workload uses?
When you deploy your Code Engine app, job, or function, the workload is deployed to a known list of possible network addresses, depending on the deployment region. You can add these IP addresses to an allowlist in your firewall; however, you must accept the drawbacks and risks that are involved in this action.
- When Code Engine runs an application, job, or function, it selects an arbitrary system from a large pool of systems for running the workload. Load conditions and system health influence the system selection. Systems are also dynamically added and removed from this pool without warning, making the list of potential network addresses large and dynamic. Your allowlist might not be stable and work reliably.
- These network addresses are not exclusive to a single tenant and by granting access to these network addresses, you are also granting access for all other workloads, which might be owned by other tenants that are running on Code Engine.
Consider instead to send requests to a third-party proxy service. Proxy services provide static IP addresses that you can add to your allowlist. When you purchase a proxy service, you receive credentials for the proxy. Configure your workload to send all requests to the proxy by using the proxy credentials. The proxy service uses a unique, static IP address as the sender address when it forwards all requests to the target service. Because these IP addresses are static, they are stable to use in an allowlist.
If this scenario does not work for you and you want to accept the risks previously stated, you can list all egress IP addresses, both public and private that are used by Code Engine workloads in a specific project with the Code Engine API. For more information, see List egress IP addresses.