
Does anyone have a complete list of all IP addresses used by the Apple Push Notification Service?

I know that Apple uses a content delivery network to spread out these requests, and DNS lookups will return servers close to the requestor's location - the problem I have is in locating all of these servers that handle content for the United States.

For example:

$ nslookup gateway.push.apple.com

Non-authoritative answer:
canonical name = gateway.push-apple.com.akadns.net.

Address: 17.172.238.216
Address: 17.172.238.224
Address: 17.172.238.226

etc.

This list changes every time I query DNS, but all of the addresses seem to be in the same 17.172.238.x range. Still, there's no guarantee that I won't see a different range tomorrow or next week.

For the test push server, however, I already get results in different subnets. Sometimes I get one set of addresses:

$ nslookup gateway.sandbox.push.apple.com

Non-authoritative answer:
canonical name = gateway.sandbox.push-apple.com.akadns.net.

Address: 17.149.34.66
Address: 17.149.34.65

and other times, I'll get these addresses:

Address: 17.172.233.65
Address: 17.172.233.66

My server that will use the Apple Push Notification Service will be behind a corporate firewall, and I'll need to open up ports 2195 and 2196 for the production and test gateways -- however, my firewall team requires specific IP Addresses instead of host names.

I'm worried that if I just ask the firewall team to allow the IP Addresses I've seen so far, then my server will simply stop working a day or a week from now when the DNS server decides to serve up a different range.

If anyone has a comprehensive list for both the production and test environments, I'd appreciate it.

Update: I've tried asking the firewall team to open Apple's entire IP block (17.0.0.0/8), but they won't do that for me -- I need to narrow down the addresses a little bit.

Final update - 10/16/2016

Even though this question is closed, I thought I'd add a note explaining my final solution - and it is not what anyone looking for an answer wants to hear. I could never get ahead of the constantly changing addresses used by the CDN, so I finally gave up and leased an external server from Rackspace. I got the smallest server possible, and the only thing running on it is a port-forwarder that listens on 2195 and 2196 and sends the connections to Apple.

I used a simple iptables configuration on the Rackspace server to only allow connections on 2195/2196 from my corporate gateway, and then had my firewall team open a path to the static IP address on the external server. The firewall team is happy with implementing a single path, and the external server can connect to the entire 17.0.0.0/8 range used by Apple.

fuzzy
  • Apple is using a third party DNS service - Akamai DNS - as a low cost mechanism of load balancing. You and I suffer as a result. For push notification requests from behind a firewall, suggesting a 17.0.0.0/8 configuration will be correctly considered by many network ops as a security issue. I phoned Apple and got even poorer information than provided by their technical note. – Nostradamus Oct 12 '16 at 17:37
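The poster's final design is a small external host that listens on 2195 and 2196, accepts connections only from the corporate gateway, and forwards the bytes to Apple. The following is an added example of that relay, not the poster's own forwarder or iptables rules: it enforces the source allowlist in-process (the poster used iptables; running both is reasonable), resolves the Apple hostname per connection so it follows the rotating CDN answers, and never terminates TLS, so the provider certificate stays on the corporate server and the relay never sees plaintext. The corporate gateway address (203.0.113.10, an RFC 5737 test address) and the 2196 upstream hostname (feedback.push.apple.com) are assumptions that do not appear on the page.

```python
"""TCP relay with a source-address allowlist (added example, not the poster's code)."""
import ipaddress
import socket
import threading

# Assumed corporate firewall egress address (constructed, RFC 5737 test range).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]

# Local listen port -> upstream (hostname, port). Upstreams are resolved per
# connection, so the relay follows Apple's changing CDN answers automatically.
FORWARDS = {
    2195: ("gateway.push.apple.com", 2195),
    2196: ("feedback.push.apple.com", 2196),  # assumed feedback-service host
}


def is_allowed_source(addr: str) -> bool:
    """True if the connecting peer falls inside one of ALLOWED_SOURCES."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCES)


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so the far end sees EOF."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle(client: socket.socket, peer, upstream) -> None:
    """Relay one accepted connection, or drop it if the source is not allowlisted."""
    if not is_allowed_source(peer[0]):
        client.close()  # unauthorised source: drop without a reply
        return
    try:
        remote = socket.create_connection(upstream, timeout=10)
    except OSError:
        client.close()  # Apple unreachable from the relay host
        return
    remote.settimeout(None)
    back = threading.Thread(target=pump, args=(remote, client), daemon=True)
    back.start()
    pump(client, remote)  # client -> Apple in this thread
    back.join()
    client.close()
    remote.close()


def serve(port: int, upstream) -> None:
    """Accept loop for one listening port; each connection gets its own thread."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            client, peer = srv.accept()
            threading.Thread(target=handle, args=(client, peer, upstream), daemon=True).start()


if __name__ == "__main__":
    workers = [threading.Thread(target=serve, args=(p, u), daemon=True) for p, u in FORWARDS.items()]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
```

The relay host itself still needs outbound access to 17.0.0.0/8, exactly as the poster describes; the point is that the corporate firewall only has to know the relay's single static address. Keeping an iptables rule in front of this process means a bug in the relay does not by itself expose the listener to the internet.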

2 Answers


From Apple's documentation (emphasis on the interesting bit added):

Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to have TCP port 2195 open. To reach the feedback service, you will need to have TCP port 2196 open. Devices and computers connecting to the push service over Wi-Fi will need to have TCP port 5223 open.

The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 17.0.0.0/8 address block is assigned to Apple, so you can specify that range in your firewall rules.

17.0.0.0/8 is CIDR notation for 17.0.0.1 to 17.255.255.254.

Community
vcsjones
    Yeah, I tried that :). The firewall team will NOT let me open a /8 on the firewall. I should have mentioned that in my original question. – fuzzy May 21 '12 at 16:56
  • @fuzzy I don't think you have a choice if you want to go by IP address. You probably want to take your issue up with Apple at this point to see if you can get them to be more specific, but I don't think that's likely to happen. – vcsjones May 21 '12 at 16:59
  • I've taken this up with Apple, and all they can say is "open the 17.0.0.0/8 block". :( Not the answer I wanted to hear... – fuzzy May 30 '12 at 22:23
  • If they won't open 17.0.0.0/8, see if they will open 17.0.0.0/9 and 17.128.0.0/9. If that doesn't work, break it out into /16s. ;) – Aaron C. de Bruyn Mar 10 '15 at 16:38

The official answer is, unfortunately, that there is no official answer :) -- unless you consider Apple's rather sloppy approach of simply allowing all traffic to 17.0.0.0/8. Apple developer support provided the same link to the documentation as vcsjones in the first answer.

For my particular situation, I have narrowed the IP addresses down to these ranges after checking DNS regularly for the last couple of weeks. Keep in mind that these are only valid for the midwest portion of the United States, since Apple's CDN will return a set of addresses closest to the server making the query.

For gateway.push.apple.com, I'm opening ports 2195 and 2196 on my firewall for:

17.149.35.0/24
17.172.238.0/24

For gateway.sandbox.push.apple.com, I'm opening ports 2195 and 2196 on my firewall for:

17.149.34.66
17.149.34.65
17.172.233.65
17.172.233.66

Since these addresses are obviously subject to change, I've built in some monitoring for my application to detect when the APNS servers are no longer reachable (and fall back to these address ranges instead of using DNS). It's not the ideal solution, but it will have to work for now until I can work out a solution with my corporate network / firewall teams...

fuzzy
  • Does this IP range still work for you? I have the same problem now. My provider will NOT open a /8 on the firewall. I also have to specify a smaller IP range for that. – mixable Dec 30 '13 at 13:39
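The answer above does two things by hand: it watches DNS for a couple of weeks and reduces what it saw to a handful of prefixes for the firewall team, and it falls back to those pinned ranges when the resolver stops returning addresses the firewall permits. The following is an added example of both steps, not code from the answer or from Apple. `summarize` collapses observed addresses into prefixes and separately reports anything outside 17.0.0.0/8, which should never happen and is a resolver problem to investigate rather than something to allow; `choose_targets` prefers freshly resolved addresses inside the permitted set and falls back to pinned ones only when DNS returns nothing usable. The permitted ranges and pinned addresses are those listed in the answer; `OBSERVED` is constructed from the lookups quoted in the question, not a live survey, and `connect` shows that connecting by IP still verifies TLS against the hostname.

```python
"""Survey APNS gateway addresses and pick firewall-compatible targets (added example)."""
import ipaddress
import socket
import ssl
from collections import Counter

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")

# Constructed from the nslookup output quoted in the question, not a live survey.
OBSERVED = [
    "17.172.238.216", "17.172.238.224", "17.172.238.226",              # gateway.push.apple.com
    "17.149.34.66", "17.149.34.65", "17.172.233.65", "17.172.233.66",  # gateway.sandbox.push.apple.com
]

# Ranges the answer says were opened on the corporate firewall.
PRODUCTION_ALLOWED = ["17.149.35.0/24", "17.172.238.0/24"]
SANDBOX_ALLOWED = ["17.149.34.66", "17.149.34.65", "17.172.233.65", "17.172.233.66"]


def resolve(hostname: str) -> list[str]:
    """IPv4 addresses the local resolver returns for hostname right now."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def summarize(observations, prefixlen: int = 24):
    """Collapse addresses seen across many lookups into merged /prefixlen networks.

    Returns (networks, outsiders). `outsiders` lists observed addresses that are
    not inside Apple's 17.0.0.0/8; it should be empty, and a non-empty result
    means the resolver returned a non-Apple address that needs investigating.
    """
    nets, outsiders = set(), []
    for addr in observations:
        ip = ipaddress.ip_address(addr)
        if ip not in APPLE_BLOCK:
            outsiders.append(addr)
            continue
        nets.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return list(ipaddress.collapse_addresses(nets)), outsiders


def prefix_counts(observations, prefixlen: int = 24) -> Counter:
    """How often each /prefixlen appeared, to see which ranges dominate over time."""
    return Counter(str(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)) for a in observations)


def choose_targets(resolved, allowed, pinned) -> list[str]:
    """Order connection candidates for a host behind a narrow firewall rule.

    Freshly resolved addresses inside `allowed` come first. If DNS returned only
    addresses the firewall would block, fall back to `pinned` (addresses known
    to work). Nothing outside 17.0.0.0/8 is ever returned.
    """
    allowed_nets = [ipaddress.ip_network(n) for n in allowed]

    def permitted(addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return ip in APPLE_BLOCK and any(ip in n for n in allowed_nets)

    fresh = [a for a in resolved if permitted(a)]
    return fresh if fresh else [a for a in pinned if permitted(a)]


def connect(hostname: str, port: int, allowed, pinned, timeout: float = 10.0) -> ssl.SSLSocket:
    """TLS-connect to the first usable target; raise OSError if none works.

    The TCP socket is opened by IP, but server_hostname keeps certificate
    validation bound to the real hostname, so pinning does not weaken TLS.
    A provider client certificate would be added with context.load_cert_chain().
    """
    try:
        resolved = resolve(hostname)
    except socket.gaierror:
        resolved = []  # resolver down: rely on pinned addresses
    context = ssl.create_default_context()
    last_err: OSError = OSError(f"no permitted address for {hostname}")
    for addr in choose_targets(resolved, allowed, pinned):
        try:
            raw = socket.create_connection((addr, port), timeout=timeout)
            return context.wrap_socket(raw, server_hostname=hostname)
        except OSError as err:  # ssl.SSLError is a subclass of OSError
            last_err = err
    raise last_err


if __name__ == "__main__":
    nets, bad = summarize(OBSERVED)
    print("ask the firewall team for:", [str(n) for n in nets], "| outside Apple:", bad)
    print(prefix_counts(OBSERVED))
```

Run the survey from the machine that will actually connect, since Akamai answers depend on the resolver's location, and feed every lookup's addresses into `summarize` over days rather than minutes. Adjacent /24s are merged automatically (two neighbouring /24s become one /23), which is the "break it out into /16s" compromise from the comments above, computed from what was really seen instead of guessed.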