From e3fadbad8648c4f3b16fb295855ef159416a2d74 Mon Sep 17 00:00:00 2001 From: Adrian Parker Date: Tue, 16 Sep 2025 14:20:05 +1200 Subject: [PATCH 1/8] Add docs for IP address allow list --- .../octopus-cloud/ip-address-allow-list.md | 84 +++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 src/pages/docs/octopus-cloud/ip-address-allow-list.md diff --git a/src/pages/docs/octopus-cloud/ip-address-allow-list.md b/src/pages/docs/octopus-cloud/ip-address-allow-list.md new file mode 100644 index 0000000000..53bd925227 --- /dev/null +++ b/src/pages/docs/octopus-cloud/ip-address-allow-list.md 
@@ -0,0 +1,84 @@ +--- +layout: src/layouts/Default.astro +pubDate: 2025-09-22 +modDate: 2025-09-22 +title: IP address allow list +navOrder: 68 +description: How to configure and enjoy the security benefits of IP address allow lists in Octopus Cloud +--- + +Customers may restrict the IP addresses that can initiate traffic with their Octopus Cloud. + +IP address allow listing provides you with an effective tool to enforce internal access policies and add another layer of protection against some forms of cyber attack. +When activated, only traffic from the IPv4 address ranges you configure, or from sources required by Octopus Deploy, will be allowed to connect to your Octopus Cloud instance. + +## Configuration + +IP address allow list is configured in [Control Center](https://billing.octopus.com/). Users with ```Cloud Subscription Owner``` role can administer the feature from the **Configuration** menu. + +:::div{.hint} +Changes to IP address allow list content or activation status can take up to 60 seconds to apply. +::: + +### Activation + +To enforce traffic restrictions, your allow list must be activated. You can activate your IP address allow list by clicking the **Activate** link. IP address allow listing can only be activated when at least one IP address or range is listed. + +### Deactivation + +You can deactivate IP address allow listing by clicking the **Deactivate** link. Deactivating the feature will not modify your IP address allow list content. + +### Adding an IP address or range + +You can add an IPv4 address or range by clicking **Add a new IP address or range**. This will show a modal dialog which accepts a mandatory IP address or range in CIDR format, and an optional description. If the IP address or range provided already appears on your allow list, the description will be updated to this latest value, or removed if no description is provided. 
+ +### Updating or deleting IP addresses or ranges + +When an IP address or range has been added to the allow list, it can be updated or deleted by clicking the **Edit** or **Delete** links on the relevant row. + +### CSV import + +You can import a CSV file of IP addresses or ranges, with optional descriptions, by selecting **Import a CSV file**. The CSV file must have a header row with two fields in this order, named: **ip_address** and **description**. If any IP address or range provided in the CSV file already appears on your allow list, the description will be updated to the value specified in the file, or removed if no description is provided. + +## Dynamic workers + +Dynamic workers leased by your Octopus Cloud are not protected by your IP address allow list. + +If you require a dynamic worker to have access to your Octopus Cloud instance when IP address allow list is activated, you need to include the IP address used for egress from the dynamic worker in your allow list. + +You can determine the egress IP address of a dynamic worker by running a script on it like ```curl -s https://api.ipify.org```. + +Please note: + +- Dynamic workers do not have static IP addresses +- You may need to adjust your allow list if a dynamic worker's IP address changes +- Dynamic workers in your Octopus Cloud Azure region can be leased by any customer in that region + +## Azure Private Links + +Customers with Azure Private Link access to their Octopus Cloud can have IP address allow list enabled with zero public IP addresses allowed by contacting [our support team](mailto:support@octopus.com). The combination of Azure Private Links and IP address allow list allows customers to achieve the highest standard of privacy available for Octopus Cloud. + +## Exclusions + +When activated, the IP addresses or ranges specified on your allow list retain access to your Octopus Cloud. 
+ +In addition, access is retained for the IPs and services that: + +- Octopus Cloud requires for successful function +- Octopus Deploy requires to perform our maintenance +- Our Support staff use for access to your instance when needed + +These API endpoints retain public access in order to correctly function: + +- ```/.well-known``` +- ```/api/serverstatus/health``` +- ```/api/serverstatus/hosted/external``` +- ```/token/v1``` + +Polling tentacle access is not restricted by an activated IP address allow list. + +## Troubleshooting + +If you suspect an activated IP address allow list is causing access issues, consider deactivating the feature, waiting 60 seconds, then testing if the access issue is now resolved. If the issue persists beyond 60 seconds, it is likely unrelated to IP address allow list. If the issue is resolved when your allow list is deactivated, consider if additional IP addresses are required on your allow list. + +If this approach has not resolved the issue, please contact [our support team](mailto:support@octopus.com) for further assistance. From 6114dbf58113ddee4ca3841a1cb1c06e6247794c Mon Sep 17 00:00:00 2001 From: Adrian Parker Date: Wed, 17 Sep 2025 09:34:07 +1200 Subject: [PATCH 2/8] Update src/pages/docs/octopus-cloud/ip-address-allow-list.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/octopus-cloud/ip-address-allow-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/octopus-cloud/ip-address-allow-list.md b/src/pages/docs/octopus-cloud/ip-address-allow-list.md index 53bd925227..1e04b599ae 100644 --- a/src/pages/docs/octopus-cloud/ip-address-allow-list.md +++ b/src/pages/docs/octopus-cloud/ip-address-allow-list.md 
@@ -14,7 +14,7 @@ When activated, only traffic from the IPv4 address ranges you configure, or from ## Configuration -IP address allow list is configured in [Control Center](https://billing.octopus.com/). Users with ```Cloud Subscription Owner``` role can administer the feature from the **Configuration** menu. +IP address allow list is configured in [Control Center](https://billing.octopus.com/). Users with `Cloud Subscription Owner` role can administer the feature from the **Configuration** menu. :::div{.hint} Changes to IP address allow list content or activation status can take up to 60 seconds to apply. From e9eb2153975aebeb2ae45630fc503bacdeb51987 Mon Sep 17 00:00:00 2001 From: Adrian Parker Date: Wed, 17 Sep 2025 09:34:22 +1200 Subject: [PATCH 3/8] Update src/pages/docs/octopus-cloud/ip-address-allow-list.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/octopus-cloud/ip-address-allow-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/octopus-cloud/ip-address-allow-list.md b/src/pages/docs/octopus-cloud/ip-address-allow-list.md index 1e04b599ae..73095ce477 100644 --- a/src/pages/docs/octopus-cloud/ip-address-allow-list.md +++ b/src/pages/docs/octopus-cloud/ip-address-allow-list.md @@ -46,7 +46,7 @@ Dynamic workers leased by your Octopus Cloud are not protected by your IP addres If you require a dynamic worker to have access to your Octopus Cloud instance when IP address allow list is activated, you need to include the IP address used for egress from the dynamic worker in your allow list. -You can determine the egress IP address of a dynamic worker by running a script on it like ```curl -s https://api.ipify.org```. +You can determine the egress IP address of a dynamic worker by running a script on it like `curl -s https://api.ipify.org`. Please note: From c9705f5b93cce5128981e011aafb3360374292e5 Mon Sep 17 00:00:00 2001 
From: Adrian Parker Date: Wed, 17 Sep 2025 09:34:31 +1200 Subject: [PATCH 4/8] Update src/pages/docs/octopus-cloud/ip-address-allow-list.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/octopus-cloud/ip-address-allow-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/octopus-cloud/ip-address-allow-list.md b/src/pages/docs/octopus-cloud/ip-address-allow-list.md index 73095ce477..2cff35080d 100644 --- a/src/pages/docs/octopus-cloud/ip-address-allow-list.md +++ b/src/pages/docs/octopus-cloud/ip-address-allow-list.md @@ -70,7 +70,7 @@ In addition, access is retained for the IPs and services that: These API endpoints retain public access in order to correctly function: -- ```/.well-known``` +- `/.well-known` - ```/api/serverstatus/health``` - ```/api/serverstatus/hosted/external``` - ```/token/v1``` From f7600cb3c250d9419746d2a6ea659bd583aad103 Mon Sep 17 00:00:00 2001 From: Adrian Parker Date: Wed, 17 Sep 2025 09:34:46 +1200 Subject: [PATCH 5/8] Update src/pages/docs/octopus-cloud/ip-address-allow-list.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/octopus-cloud/ip-address-allow-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/octopus-cloud/ip-address-allow-list.md b/src/pages/docs/octopus-cloud/ip-address-allow-list.md index 2cff35080d..295627d928 100644 --- a/src/pages/docs/octopus-cloud/ip-address-allow-list.md +++ b/src/pages/docs/octopus-cloud/ip-address-allow-list.md @@ -71,7 +71,7 @@ In addition, access is retained for the IPs and services that: These API endpoints retain public access in order to correctly function: - `/.well-known` -- ```/api/serverstatus/health``` +- `/api/serverstatus/health` - ```/api/serverstatus/hosted/external``` - ```/token/v1``` From e82bfeec806cac7cef54dff6299d958562e28f17 Mon Sep 17 00:00:00 2001 
From: Adrian Parker Date: Wed, 17 Sep 2025 09:34:56 +1200 Subject: [PATCH 6/8] Update src/pages/docs/octopus-cloud/ip-address-allow-list.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/octopus-cloud/ip-address-allow-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/octopus-cloud/ip-address-allow-list.md b/src/pages/docs/octopus-cloud/ip-address-allow-list.md index 295627d928..3d33c22057 100644 --- a/src/pages/docs/octopus-cloud/ip-address-allow-list.md +++ b/src/pages/docs/octopus-cloud/ip-address-allow-list.md @@ -72,7 +72,7 @@ These API endpoints retain public access in order to correctly function: - `/.well-known` - `/api/serverstatus/health` -- ```/api/serverstatus/hosted/external``` +- `/api/serverstatus/hosted/external` - ```/token/v1``` Polling tentacle access is not restricted by an activated IP address allow list. From 45ba665c782e8cb7da45db341b488931a3aea688 Mon Sep 17 00:00:00 2001 From: Adrian Parker Date: Wed, 17 Sep 2025 09:35:05 +1200 Subject: [PATCH 7/8] Update src/pages/docs/octopus-cloud/ip-address-allow-list.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/octopus-cloud/ip-address-allow-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/octopus-cloud/ip-address-allow-list.md b/src/pages/docs/octopus-cloud/ip-address-allow-list.md index 3d33c22057..ca69387d85 100644 --- a/src/pages/docs/octopus-cloud/ip-address-allow-list.md +++ b/src/pages/docs/octopus-cloud/ip-address-allow-list.md @@ -73,7 +73,7 @@ These API endpoints retain public access in order to correctly function: - `/.well-known` - `/api/serverstatus/health` - `/api/serverstatus/hosted/external` -- ```/token/v1``` +- `/token/v1` Polling tentacle access is not restricted by an activated IP address allow list. From d77167750c1353ce8fd041da1dfd540f18003d32 Mon Sep 17 00:00:00 2001 
From: Adrian Parker Date: Wed, 17 Sep 2025 09:35:30 +1200 Subject: [PATCH 8/8] Update src/pages/docs/octopus-cloud/ip-address-allow-list.md Co-authored-by: Steve Fenton <99181436+steve-fenton-octopus@users.noreply.github.com> --- src/pages/docs/octopus-cloud/ip-address-allow-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/octopus-cloud/ip-address-allow-list.md b/src/pages/docs/octopus-cloud/ip-address-allow-list.md index ca69387d85..36bd28f660 100644 --- a/src/pages/docs/octopus-cloud/ip-address-allow-list.md +++ b/src/pages/docs/octopus-cloud/ip-address-allow-list.md @@ -81,4 +81,4 @@ Polling tentacle access is not restricted by an activated IP address allow list. If you suspect an activated IP address allow list is causing access issues, consider deactivating the feature, waiting 60 seconds, then testing if the access issue is now resolved. If the issue persists beyond 60 seconds, it is likely unrelated to IP address allow list. If the issue is resolved when your allow list is deactivated, consider if additional IP addresses are required on your allow list. -If this approach has not resolved the issue, please contact [our support team](mailto:support@octopus.com) for further assistance. +If this approach has not resolved the issue, please contact [our support team](https://octopus.com/support) for further assistance.
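Review bot: In PATCH 1/8, the "Dynamic workers" section tells readers to add a dynamic worker's egress IP address to the allow list but leaves the consequence of its own bullets unstated. Because dynamic workers "do not have static IP addresses" and "can be leased by any customer in that region", an allow-listed worker address can later carry traffic that is not yours. Suggest stating that next to the instruction and advising readers to remove worker addresses that are no longer in use. The opening sentence "Dynamic workers leased by your Octopus Cloud are not protected by your IP address allow list" is also ambiguous; judging by the following paragraph it means the workers are not automatically allowed, and wording it that way would avoid the other reading.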
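Review bot: PATCH 4/8 to 7/8 each change a single bullet of the same four-item endpoint list under "Exclusions", so the list mixes single and triple backticks at every intermediate commit (after 4/8 only `/.well-known` is converted). Suggest squashing these four, together with the identical formatting changes in 2/8 and 3/8, into one commit before merge so the history carries one consistent state.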
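Review bot: The support link is updated only in the "Troubleshooting" paragraph touched by PATCH 8/8; the "Azure Private Links" section added in PATCH 1/8 still reads [our support team](mailto:support@octopus.com), and no later patch in the series changes it. Suggest switching that link to https://octopus.com/support in the same commit so the page uses one support target.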