
I have a Python Azure Function that is integrated in a subnet in a virtual network. Additionally, there is a network security group associated with the subnet that controls inbound and outbound traffic to / from the subnet.

The requirement is to restrict traffic as much as possible, which requires me to set rules that restrict the ports and destination addresses (for outbound traffic).

Network Security Groups need IP(s/ranges) - URLs (as discussed here: what url should I authorize to use pip behind a firewall?) can't be specified.

Which ports and IP(s/ranges) are used by pip?

Thanks

quervernetzt
  • I would assume `https` (and maybe `http`). URLs: `pypi.org`, `files.pythonhosted.org` at least. – sinoroc Jul 30 '20 at 13:35
  • Thanks, but as written, URLs are not possible. I need IP(s/ranges). – quervernetzt Jul 30 '20 at 13:41
  • I would recommend asking them directly: https://github.com/pypa/pypi-support/issues – sinoroc Jul 30 '20 at 13:52
  • The IP address assigned to a URL is subject to change at any time. That's why there are domain name resolution servers. – Mark Ransom Jul 30 '20 at 14:08
  • Both `pypi.org` and `files.pythonhosted.org` are at a CDN (content-delivery network) to distribute load. You cannot know IP ranges as they're constantly changing. – phd Jul 30 '20 at 14:52
  • I am not sure if everyone is reading what I wrote - so here again: given the current setup I can't specify URLs. And e.g. in the Azure context there are defined IP ranges for certain services. I will ask them directly. Thanks – quervernetzt Jul 30 '20 at 20:35
  • When you come here to ask questions that don't have a sensible answer, don't be upset when we can't answer them. – Mark Ransom Jul 30 '20 at 21:00
  • @Mark: I am not upset because I don't get an answer, I am just a bit confused why people are coming up with URLs when I explicitly write that I can't use URLs (given the current setup). And I don't fully understand why there is no sensible answer (like "this is not possible" or "there are the following IP ranges"...) – quervernetzt Jul 30 '20 at 22:17
  • I don't know enough about the way pip works to state definitively that "this is not possible", but knowing how the internet works I have a reasonably strong opinion. @phd brings up a good point too, if they've offloaded the hosting of those files it really may be impossible for *anybody* to give you an IP range. – Mark Ransom Jul 30 '20 at 22:41

0 Answers