Integrate Network Access IP Whitelist with GitHub Actions
I'm trying to set up CI for my project using GitHub Actions, while restricting Network Access. The problem is that GitHub's machines have weekly changing IPs: https://help.github.com/en/actions/reference/virtual-environments-for-github-hosted-runners#ip-addresses-of-runners-on-github-hosted-machines
Is there any way to automatically integrate that list of IPs in the Network Access IP Whitelist? This feature would benefit all users of GitHub Actions.

-
Rock commented
According to the GitHub Meta API, there are currently 5,116 IP addresses under the "actions" key. Adding all these IP addresses manually to the Atlas IP Access List would be quite cumbersome (I can do it programmatically), and I am concerned that having this many IPs in the whitelist might cause performance issues or impact the cluster's responsiveness.
Unfortunately, there is a limitation as well that will not allow over 200 IPs, maybe because of my previous concern about the negative impact it might have. The workaround of opening it up to everything (0.0.0.0 allow list) doesn't seem reasonable either.
I've been a contractor for a few companies where GitHub Actions were in use and they were early on with Atlas. I wonder if they don't find a need / want for this later or have at some time. My current job definitely has a need as we are a small team and need to automate as much as we can (small team or not, this is the same practice everywhere - "automate all the things!").
I would not have found this to comment on without the mongo support staff pointing me in the proper direction. I get that large IP lists might be a low priority in an overall product, but maybe looking at these larger companies as services and opening access to the services, especially as things get more automated and agent based.
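An added example, not part of the comment above or of any MongoDB or GitHub code: a Python sketch that collapses the CIDR ranges under the Meta API "actions" key into the smallest exact set (no extra addresses allowed) and checks it against the 200-entry limit quoted in the thread. The sample JSON is constructed from documentation address ranges, and the function name and result fields are assumptions made for this illustration.

```python
import ipaddress
import json

ATLAS_ENTRY_LIMIT = 200  # limit quoted in the thread; taken as given here

# Constructed sample shaped like the GitHub Meta API response ("actions" key).
SAMPLE_META = json.dumps({
    "actions": [
        "192.0.2.0/25", "192.0.2.128/25",        # adjacent halves -> one /24
        "198.51.100.0/24", "198.51.100.16/28",   # second is contained in the first
        "203.0.113.7/32", "203.0.113.7",         # same host written two ways
        "2001:db8::/33", "2001:db8:8000::/33",   # adjacent IPv6 halves -> one /32
        "not-a-cidr",                            # malformed entry, must be reported
    ]
})

def summarize_actions_ranges(meta_json, limit=ATLAS_ENTRY_LIMIT):
    """Collapse the 'actions' ranges exactly and compare against the entry limit."""
    raw = json.loads(meta_json).get("actions", [])
    nets = {4: [], 6: []}
    rejected = []
    for entry in raw:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append(entry)  # never add unparsable input to an allow list
            continue
        nets[net.version].append(net)
    # collapse_addresses merges duplicates, contained ranges and adjacent siblings;
    # it cannot mix IPv4 and IPv6, so each family is collapsed separately.
    collapsed = [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]
    return {
        "raw_count": len(raw),
        "collapsed": [str(n) for n in collapsed],
        "rejected": rejected,
        "fits_limit": len(collapsed) <= limit,
        # Size of the IPv4 exposure the allow list would grant.
        "ipv4_addresses_allowed": sum(n.num_addresses for n in collapsed if n.version == 4),
    }

if __name__ == "__main__":
    print(json.dumps(summarize_actions_ranges(SAMPLE_META), indent=2))
```

Exact collapsing only removes redundancy; whether the real "actions" list falls under the limit after collapsing has to be measured against the live response.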
-
Venkatesh Sankaranarayanan commented
We have found that self-hosted GitHub Actions use ephemeral ports (large port range) towards cloud.mongodb.com (@ tcp-443). I don't see any proper FAQ, blogs, or how-to documentation on: what ports need to be whitelisted at the customer side (at the GitHub Actions side) and what sub-domains under "cloud.mongodb.com" need to be whitelisted. All layer 7 firewalls are not intelligent and some of the mentioned parameters need to be defined explicitly.
-
Hi Dan
This is a great idea. While we do not have near-term plans to do something like this, we're definitely thinking about how to provide better end to end CI/CD experiences, and I expect a product manager will likely want to speak to you in the future.
-Andrew