Google Cloud Platform : ip address range
#!/bin/bash
# https://cloud.google.com/compute/docs/faq#find_ip_range
# nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
# Collect the include: targets of the top-level record and, one level down,
# of each record it references (the data is spread over several TXT records
# because of the SPF/TXT length limit).
myarray=()
for LINE in $(dig txt _cloud-netblocks.googleusercontent.com +short | tr " " "\n" | grep include | cut -f 2 -d :)
do
  myarray+=("$LINE")
  for LINE2 in $(dig txt "$LINE" +short | tr " " "\n" | grep include | cut -f 2 -d :)
  do
    myarray+=("$LINE2")
  done
done
# Print the ip4: entries of every collected record, sorted numerically octet by octet
# (the obsolete "sort +0 +1 ..." key syntax is rejected by current GNU sort).
for LINE in "${myarray[@]}"
do
  dig txt "$LINE" +short | tr " " "\n"
done | grep ip4 | cut -f 2 -d : | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
# Changing the target to _spf.google.com gives a similar range for Google Apps mail servers.
# https://support.google.com/a/answer/60764
# Changing it to _netblocks.google.com returns all the IP ranges Google uses for its services.

Jas0n99 commented Sep 4, 2019

If you want a simple recursive bash script, this one works great... You can edit it if you want to grab ip6 too...

get_dns_spf() {
   # -r keeps backslashes literal; quoting protects entries containing globs or spaces
   dig @8.8.8.8 +short txt "$1" |
   tr ' ' '\n' |
   while read -r entry; do
      case "$entry" in
             ip4:*) echo "${entry#*:}" ;;
         include:*) get_dns_spf "${entry#*:}" ;;
      esac
   done
}
get_dns_spf "_cloud-netblocks.googleusercontent.com"

As steve mentioned above, netblocks6 & netblocks7 are listed when you look up netblocks1, that's why you need a recursive function (due to length limitation on SPF/TXT records).
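A Python version of the recursive walk described above, as an added example (not the gist's or any commenter's code): it follows include: chains to any depth from a constructed in-memory copy of the TXT records so it runs offline, and adds the guards a resolver needs that the shell loops lack (include-cycle detection, the 10-lookup ceiling SPF evaluators apply per RFC 7208 section 4.6.4, concatenation of multi-string TXT answers before splitting, and IPv6 prefixes kept whole, which `cut -f 2 -d :` would truncate). The record names, prefixes and the `lookup_txt` stand-in are constructed sample data; replace `lookup_txt` with a real DNS query to use it live.

```python
"""Resolve an SPF-style include: chain offline and collect ip4:/ip6: prefixes.

Added example; DNS is replaced by a dict of constructed TXT records so the
logic runs and can be tested without network access.
"""
import ipaddress
import re

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms

# Constructed records in the shape `dig txt NAME +short` prints (each TXT string
# quoted, several strings on one line). The second record splits a token across
# two strings and includes the root again, to exercise the join and cycle guards.
FAKE_TXT = {
    "_cloud-netblocks.googleusercontent.com": [
        '"v=spf1 include:_cloud-netblocks1.googleusercontent.com '
        'include:_cloud-netblocks2.googleusercontent.com ?all"',
    ],
    "_cloud-netblocks1.googleusercontent.com": [
        '"v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/2" "5 ip6:2001:db8:1::/48 '
        'include:_cloud-netblocks.googleusercontent.com ?all"',
    ],
    "_cloud-netblocks2.googleusercontent.com": [
        '"v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.128/25 ?all"',
    ],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns the answer lines for name."""
    return FAKE_TXT.get(name, [])


def spf_terms(answer):
    """Concatenate the quoted strings of one TXT answer, then split into terms."""
    parts = re.findall(r'"([^"]*)"', answer)
    return ("".join(parts) if parts else answer).split()


def collect_prefixes(name, _lookups=None, _seen=None):
    """Recursively follow include: terms; return a set of ip_network objects."""
    _lookups = [0] if _lookups is None else _lookups
    _seen = set() if _seen is None else _seen
    if name in _seen:            # include cycle: already resolved, nothing to add
        return set()
    _seen.add(name)
    _lookups[0] += 1
    if _lookups[0] > MAX_LOOKUPS:
        raise RuntimeError(f"more than {MAX_LOOKUPS} lookups while resolving {name}")
    nets = set()
    for answer in lookup_txt(name):
        for term in spf_terms(answer):
            mech = term.lstrip("+-~?")            # qualifiers are irrelevant here
            kind, _, value = mech.partition(":")  # split on the first colon only
            if kind in ("ip4", "ip6"):
                nets.add(ipaddress.ip_network(value, strict=False))
            elif kind == "include":
                nets |= collect_prefixes(value, _lookups, _seen)
    return nets


def sorted_prefixes(nets):
    """IPv4 first, then IPv6, each in address order, as CIDR strings."""
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]
```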


anish commented Dec 13, 2019

using the original script from google (this gave the same results as @SteveEasley's code)

GCP netblocks as of 2019-12-13:


pierrocknroll commented Dec 20, 2019

I've made a GitHub repo with an updated list:
https://github.com/pierrocknroll/googlecloud-iprange

Thanks to all of you


iptvcld commented Feb 17, 2020

Hello; I was wondering if you would know which netblocks this Google range would be in: 108.177.0.0/17. Thanks,


rogueresistor commented Mar 5, 2020

Today's date: Thu Mar  5 15:51:32 PST 2020

GCP IPv4 ranges:

GCP IPv6 ranges:
2600:1900::/35


rogueresistor commented Mar 6, 2020

@iptvcld: You are literally responding to a gist that contains a script at the top...


iptvcld commented Mar 6, 2020

Shoot, sorry! Question: I know that this range belongs to Google, 108.177.0.0/17, but I don't see it in your list.


rogueresistor commented Mar 6, 2020

That may not be part of their Google Cloud Platform IP ranges. Instead it may be one they use for other services.


iptvcld commented Mar 6, 2020

I got that range from Google Assistant, as I use it for Home Assistant and noticed that range being blocked on my nginx. Would you know what I can change the script to in order to get an output that has that range?


bitwisecook commented May 11, 2020

@Jas0n99 I like yours, it's nice and compact, it was just missing ipv6:

get_dns_spf() {
   # -r keeps backslashes literal; quoting protects entries containing globs or spaces
   dig @8.8.8.8 +short txt "$1" |
   tr ' ' '\n' |
   while read -r entry; do
      case "$entry" in
             ip4:*) echo "${entry#*:}" ;;
             ip6:*) echo "${entry#*:}" ;;
         include:*) get_dns_spf "${entry#*:}" ;;
      esac
   done
}
get_dns_spf "_cloud-netblocks.googleusercontent.com"


edvinerikson commented Jun 10, 2020

Google has changed the way to fetch subnet ranges. The DNS records do not contain all ip addresses they use.

Here is an updated script.

#!/bin/bash

# Print every ipv4Prefix/ipv6Prefix listed in cloud.json, sorted as strings
# (print() form so it runs under python3, where the print statement is gone).
curl -s http://www.gstatic.com/ipranges/cloud.json | python3 -c 'import json,sys; obj=json.load(sys.stdin); ranges=sorted(p.get("ipv4Prefix") or p.get("ipv6Prefix") for p in obj["prefixes"] if p.get("ipv4Prefix") or p.get("ipv6Prefix")); print("\n".join(ranges))'
Ranges fetched 2020-06-10


tracertea commented Jun 16, 2020

Same as @edvinerikson, just with jq:

curl -s http://www.gstatic.com/ipranges/cloud.json | jq '.prefixes[] | [.ipv4Prefix, .ipv6Prefix][] | select(. != null)' -r


sbocinec commented Aug 25, 2020

Updated command using HTTPS URL and with sorted output:

curl -s https://www.gstatic.com/ipranges/cloud.json | jq '.prefixes[] | [.ipv4Prefix, .ipv6Prefix][] | select(. != null)' -r | sort -n


doublerr commented Aug 27, 2020

Google has published these in new formats now: https://cloud.google.com/compute/docs/faq#find_ip_range including a JSON file http://www.gstatic.com/ipranges/cloud.json


sbocinec commented Aug 28, 2020

Google has published these in new formats now: https://cloud.google.com/compute/docs/faq#find_ip_range including a JSON file http://www.gstatic.com/ipranges/cloud.json

@doublerr the recent comments in this thread already use the new URL https://www.gstatic.com/ipranges/cloud.json, even with the more secure HTTPS protocol.

Also adding an even shorter version of the jq arguments:

curl https://www.gstatic.com/ipranges/cloud.json | jq '.prefixes[] | .ipv4Prefix // .ipv6Prefix' -r |sort -r


jeffmccune commented Sep 3, 2020

See https://gist.github.com/jeffmccune/e7d635116f25bc7e12b2a19efbafcdf8 for a version which lists out all Google APIs and services (_netblocks.google.com, _netblocks{2,3,4,5,6,7}.google.com, etc.).


Jas0n99 commented Sep 3, 2020

See https://gist.github.com/jeffmccune/e7d635116f25bc7e12b2a19efbafcdf8 for a version which lists out all Google APIs and services (_netblocks.google.com, _netblocks{2,3,4,5,6,7}.google.com, etc.).

As mentioned before, Google has updated their pages instructing people to switch to the JSON method...

https://cloud.google.com/compute/docs/faq?hl=id#networking

Important: In the past, Google Cloud instructed users to inspect the _cloud-netblocks.googleusercontent.com DNS TXT record (and the records it referenced). Please update your scripts or software libraries so that they read from the cloud.json file instead. The JSON file includes additional information, such as the region to which a regional external IP address is attached.


jeffmccune commented Sep 3, 2020

As mentioned before, Google has updated their pages instructing people to switch to the JSON method...

The JSON file lists customer-usable global and regional external IP address ranges

@Jas0n99 if you know of a JSON file for Google APIs and services, please let me know where it is.

The following script returns the netblocks for Google APIs and services, not Compute Engine customer-usable subnets.

#! /bin/bash
#
# Return the subnets used by Google Services
#
# There are a growing number of netblocks, 2,3,4,5,6,7, etc...
# Dig them all until an empty string is returned.
txt="$(dig TXT _netblocks.google.com +short @8.8.8.8)"
idx=2
while [[ -n "${txt}" ]]; do
  echo "$txt" | tr '[:space:]+' "\n" | grep : | cut -d: -f2-
  txt="$(dig TXT _netblocks${idx}.google.com +short @8.8.8.8)"
  ((idx++))
done


jeffmccune commented Sep 3, 2020

if you know of a JSON file for Google APIs and services, please let me know where it is.

Learned about IP addresses for default domains, which enables the JSON method to determine the ranges for Google APIs and services by subtracting Cloud customer-usable ranges:

The IP addresses used by the default domains for Google APIs and services fit within the list of ranges computed by taking away all ranges in cloud.json from those in goog.json.


Passarinho4 commented Sep 4, 2020

Hi,
do you have any idea how I can obtain the range for https://source.cloud.google.com/ ?
I do not need to whitelist all Google services, but only the source code repository.


morrowc commented Oct 8, 2020

There are, actually, 3 versions of the data this GIST is all about, released weekly (at least) by Google. This data is split as:
'google services' - goog.json / goog.txt
'cloud services' - cloud.json / cloud_geofeed (RFC8805)
(I'm a little surprised the json/txt/geo_feed aren't for all versions here, I'll go see why that's not the case)

behind this URL:
https://www.gstatic.com/ipranges/goog.json
https://www.gstatic.com/ipranges/cloud.json

Please do not use the _spf record for this sort of determination, it's only really supposed to contain email sending ip address ranges in the coming near future :)


blorby commented Jan 20, 2021

Hi,
do you have any idea how I can obtain the range for https://source.cloud.google.com/ ?
I do not need to whitelist all Google services, but only the source code repository.

found an answer you can share?


f1-outsourcing commented Feb 4, 2021

http://www.gstatic.com/ipranges/json

Link does not work (anymore)


lord-alfred commented Jul 30, 2021

I've made a GitHub repo with daily updated Google Cloud, Amazon AWS and Microsoft Azure IP ranges:
https://github.com/lord-alfred/ipranges

Thanks to all of you


robertmain commented Sep 2, 2021

@n0531m Apologies if this is a dumb question, am I correct in thinking that goog.json is the IP addresses used by google, while cloud.json is all the IPs used by GCP (including the ones used by google internally)? I'm looking to allow access to only google services, but not the customer usable subnets...i.e: my google home should be able to talk to the GoogleAssistant API, but not random crap I stand up on GCP


morrowc commented Sep 2, 2021

Robertmain, you probably need to remove the content of cloud.json from goog.json to get what you seem to want.
(what you are asking for is a bit nebulous so...)


robertmain commented Sep 2, 2021

@morrowc Sorry, I was probably a little unclear. So, here's where I'm at:

  • I have a VLAN with IoT garbage on it. There's a few different things, but for now I'll just focus on the google home. That VLAN basically denies all internet traffic from any device, except from devices I specifically permit to destinations I specifically permit. That way I don't end up with my smart toaster or whatever connecting to a malicious CNC server. That means that without a specific firewall rule written, any device on that VLAN has NO outbound internet access.
  • Right now, one of the rules I have allows my google home to talk to google. I forget which IP list it was, but basically it (I think) includes every IP range and network that's published by GCP
  • That's fine, but my beef with that is that any random person could stand-up a malicious service, and as long as it was hosted on GCP......my google home would be able to communicate with it
  • What I'd like to do is restrict it even more so that my google home can only communicate with the IP ranges used by google official products, and exclude the IP ranges and networks used by customers. That way, my google home can check-in with google for various reasons, but couldn't talk to malicious services running on GCP

Hopefully that makes more sense.

I might be way off track here, but my understanding of things is this:
[image: Venn diagram]

I think what I currently have is the yellow set. What I'd like to do, is find a way to narrow that down to the red set so that I can exclude the green set.


morrowc commented Sep 2, 2021

@morrowc Sorry, I was probably a little unclear. So, here's where I'm at:

  • I have a VLAN with IoT garbage on it. There's a few different things, but for now I'll just focus on the google home. That VLAN basically denies all internet traffic from any device, except from devices I specifically permit to destinations I specifically permit. That way I don't end up with my smart toaster or whatever connecting to a malicious CNC server. That means that without a specific firewall rule written, any device on that VLAN has NO outbound internet access.

ok, seems sensible, time-intensive, but sensible ;)

  • Right now, one of the rules I have allows my google home to talk to google. I forget which IP list it was, but basically it (I think) includes every IP range and network that's published by GCP

Sorry, 'GCP' does not publish ip ranges nor networks.
Google does, we publish 2 lists (in 3 different forms):
goog.json - All routes (networks) which AS15169 provides reachability to from the Internet
cloud.json - All routes (networks) which belong to the ARIN OrgId "GOOGL-2"

goog.json include, among other things, all of the cloud.json networks.

  • That's fine, but my beef with that is that any random person could stand-up a malicious service, and as long as it was hosted on GCP......my google home would be able to communicate with it

agreed, you should exception the cloud.json content from goog.json.

  • What I'd like to do is restrict it even more so that my google home can only communicate with the IP ranges used by google official products, and exclude the IP ranges and networks used by customers. That way, my google home can check-in with google for various reasons, but couldn't talk to malicious services running on GCP

Sure, you need some simple set math, I expect; if this were Python we're talking about, something like:
goog = <slurp in goog.json, return just a set([]) of ipaddr.IPNetwork() parts>
cloud = <slurp in cloud.json, return just a set([]) of ipaddr.IPNetwork() parts>

what_robert_wants = goog - cloud

I think that'd return you a simple set([]) of just the google service address space.

Hopefully that makes more sense.

I might be way off track here, but my understanding of things is this:
[image: Venn diagram]

that's not really accurate, no.

I think what I currently have is the yellow set. What I'd like to do, is find a way to narrow that down to the red set so that I can exclude the green set.

that's the set math above, yes.
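The set math sketched in the reply above, carried through in Python as an added example (not code from the gist, from any commenter, or from Google). It assumes the two files keep the shape the thread shows ({"prefixes": [{"ipv4Prefix": ...}, {"ipv6Prefix": ...}]}) and uses constructed inline documents so it runs offline; fetch the real goog.json and cloud.json from the gstatic URLs given earlier to use it. It also covers the case plain set subtraction misses: cloud.json entries are usually more-specific sub-ranges of goog.json aggregates, so `goog - cloud` on network objects would remove nothing and the cloud ranges have to be carved out with address_exclude.

```python
"""Google-services-only address space: goog.json minus cloud.json, CIDR-aware.

Added example; both documents below are constructed in the published files'
shape, with RFC 5737 / RFC 3849 documentation prefixes as sample data.
"""
import ipaddress
import json

GOOG_JSON = json.dumps({"syncToken": "0", "creationTime": "constructed", "prefixes": [
    {"ipv4Prefix": "198.51.100.0/24"},
    {"ipv4Prefix": "203.0.113.0/24"},
    {"ipv6Prefix": "2001:db8::/32"},
]})
CLOUD_JSON = json.dumps({"syncToken": "0", "creationTime": "constructed", "prefixes": [
    {"ipv4Prefix": "203.0.113.0/26", "service": "Google Cloud", "scope": "us-central1"},
    {"ipv4Prefix": "203.0.113.128/25", "service": "Google Cloud", "scope": "europe-west1"},
    {"ipv6Prefix": "2001:db8:1::/48", "service": "Google Cloud", "scope": "asia-east1"},
]})


def load_prefixes(text):
    """Return every ipv4Prefix/ipv6Prefix of a goog.json/cloud.json document."""
    nets = []
    for entry in json.loads(text)["prefixes"]:
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr))
    return nets


def subtract(keep, remove):
    """keep minus remove with sub-range holes punched out, collapsed per family."""
    pieces = list(keep)
    for hole in remove:
        survivors = []
        for piece in pieces:
            if piece.version != hole.version or not piece.overlaps(hole):
                survivors.append(piece)               # unrelated to this hole
            elif piece.subnet_of(hole):
                continue                              # entirely inside a cloud range: drop
            else:
                survivors.extend(piece.address_exclude(hole))  # hole is strictly inside
        pieces = survivors
    by_version = {4: [], 6: []}
    for net in pieces:
        by_version[net.version].append(net)
    return (list(ipaddress.collapse_addresses(by_version[4]))
            + list(ipaddress.collapse_addresses(by_version[6])))


def services_only(goog_text, cloud_text):
    """CIDR strings reachable via Google but not in the customer-usable ranges."""
    return [str(n) for n in subtract(load_prefixes(goog_text), load_prefixes(cloud_text))]


def overlaps_any(cidrs, nets):
    """True if any CIDR string overlaps any network in nets (same family only)."""
    return any(
        ipaddress.ip_network(c).overlaps(n)
        for c in cidrs for n in nets if ipaddress.ip_network(c).version == n.version
    )
```

Feeding the result to a firewall allow list gives the "red set" from the diagram; rerun it whenever the two files change, since both are republished regularly.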


robertmain commented Sep 2, 2021

ok, seems sensible, time-intensive, but sensible ;)

When I've wrapped my brain round this - I'm planning to automate it with a cron job :)

Sorry, 'GCP' does not publish ip ranges nor networks.

Gotcha. I guess I just meant that I thought I might've basically added "Everything Google and/or GCP" to my allow list, rather than a narrow subset

that's not really accurate, no.

Ah. I'm not too familiar with how GCP does things 🙃

that's the set math above, yes.

Thank you for clarifying that and for your help! 👍
