[Feature]: Publish NuGet Public IP addresses/CIDRs for whitelisting #10085

Open
skirk-mpr opened this issue Jul 29, 2024 · 1 comment
Labels
feature-request Customer feature request Triaged

Comments

@skirk-mpr

Related Problem

I am using AWS CodeBuild to build a .NET 8 project which relies on some public NuGet packages. I'd like to lock down the Security Group on my CodeBuild project to ONLY allow outbound HTTPS/443 traffic to NuGet, since that is the only necessary internet-bound communication that is needed.

Security Groups require whitelisting by CIDR blocks, so I am looking for a place where I can find NuGet's public CIDR blocks for whitelisting.

The Elevator Pitch

Make publicly available the CIDR blocks that would be hit when restoring public packages from NuGet, so clients can implement least privilege on network infrastructure.

Additional Context and Details

Originally posted here: https://stackoverflow.com/questions/78804804/nuget-public-ip-addresses-for-whitelisting

@skirk-mpr skirk-mpr added the feature-request Customer feature request label Jul 29, 2024
@joelverhagen
Member

joelverhagen commented Aug 6, 2024

Hey @skirk-mpr, apologies for the delay.

The set of IPs used for NuGet.org is not fixed. In fact, there is not a published list of IP ranges that we maintain. This is because NuGet.org has a variety of cloud infrastructure dependencies and these internally have many different IP ranges.

To give a sample of why this is a hard problem for us, I'll list some dependencies of ours (easily discoverable via some simple DNS queries):

  • api.nuget.org - this points to a CDN. Not only are there multiple IP addresses associated with a single CDN URL (this is part of a traditional CDN implementation), but there are also multiple CDNs we use, for high availability and performance reasons. So, there are two distinct problems causing the set of IP ranges to be hard to document as fixed.
  • www.nuget.org - this points to Azure API Management. This may have a fixed set of IPs, but it is owned by another team, not the NuGet.org team, and may be dynamic or pooled with other customers (I am not sure).
  • Our search services, such as azuresearch-usnc.nuget.org - this is again cloud infrastructure, but running on Azure App Service. These IPs are not managed by us but instead by an Azure team. We do not require a fixed IP and only rely on a stable DNS name.

I'm sorry that I do not have a good answer for you. If possible, could you allow-list *.nuget.org DNS names? That is the only feasible option I can provide you given our current infrastructure.

Here is a Visual Studio document aligned with my suggestion:
https://learn.microsoft.com/en-us/visualstudio/install/install-and-use-visual-studio-behind-a-firewall-or-proxy-server?view=vs-2022#urls-to-add-to-an-allowlist-and-ports-and-protocols-to-open

See the row for NuGet and NuGet package discovery.
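
The following is an added example, not code from either commenter or from the NuGet project: a sketch of the hostname check an egress proxy or DNS-filtering firewall would apply to enforce the `*.nuget.org` allow-list suggested above, matching on DNS label boundaries so look-alike names are refused. The function names, the inclusion of the bare `nuget.org` apex, and the decoy hostnames are assumptions of this example.

```python
"""Hostname allow-list check for an egress filter (added example, hypothetical names)."""
from typing import Optional

# "*.nuget.org" comes from the thread; the bare apex entry is this example's assumption.
ALLOWED_PATTERNS = ("*.nuget.org", "nuget.org")


def normalize(host: str) -> Optional[str]:
    """Lower-case, drop one trailing root dot, and reject anything that is not a plain DNS name."""
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    if not host or len(host) > 253:
        return None
    for label in host.split("."):
        if not label or len(label) > 63:
            return None  # empty label ("a..b") or over-long label
        if label.startswith("-") or label.endswith("-"):
            return None
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return None  # ports, paths, userinfo, non-ASCII look-alikes
    return host


def is_allowed(host: str, patterns=ALLOWED_PATTERNS) -> bool:
    """Return True only if the host matches a pattern on a label boundary."""
    name = normalize(host)
    if name is None:
        return False
    for pattern in patterns:
        if pattern.startswith("*."):
            # Keep the leading dot in the suffix so "evilnuget.org" cannot match.
            if name.endswith(pattern[1:]):
                return True
        elif name == pattern:
            return True
    return False


# Constructed sample: the three hostnames named in the thread plus constructed decoys.
SAMPLE_HOSTS = [
    "api.nuget.org", "www.nuget.org", "azuresearch-usnc.nuget.org",
    "evilnuget.org", "nuget.org.example.com", "api.nuget.org:443",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:32} {'ALLOW' if is_allowed(h) else 'DENY'}")
```

The caller is expected to pass only the hostname (for example, the host part of a CONNECT request or the TLS SNI value); anything carrying a port or path is denied rather than parsed.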
