Outbound services, such as the URL Fetch, Sockets and Mail APIs, make use of a large pool of IP addresses. The IP address ranges in this pool are subject to routine changes. In fact, two sequential API calls from the same application may appear to originate from two different IP addresses.
To find the current ranges of IP addresses that App Engine uses for outbound traffic, do the following:
- In a command shell, enter the following command:
nslookup -q=TXT _cloud-netblocks.googleusercontent.com 18.104.22.168
The response contains all of the current
_cloud-netblocksfor App Engine. For example:
Non-authoritative answer: _cloud-netblocks.googleusercontent.com text = "v=spf1 include:_cloud-netblocks1.googleusercontent.com include:_cloud-netblocks2.googleusercontent.com include:_cloud-netblocks3.googleusercontent.com include:_cloud-netblocks4.googleusercontent.com include:_cloud-netblocks5.googleusercontent.com ?all"
These results are not static. When you enter the command, you may see more or fewer netblocks than the example above.
- For each netblock listed in the response, enter the following query:
nslookup -q=TXT netblock-name 22.214.171.124
For example, if the previous query returned five netblocks, you would make the following five queries:
nslookup -q=TXT _cloud-netblocks1.googleusercontent.com 126.96.36.199 nslookup -q=TXT _cloud-netblocks2.googleusercontent.com 188.8.131.52 nslookup -q=TXT _cloud-netblocks3.googleusercontent.com 184.108.40.206 nslookup -q=TXT _cloud-netblocks4.googleusercontent.com 220.127.116.11 nslookup -q=TXT _cloud-netblocks5.googleusercontent.com 18.104.22.168
Each query of a specific netblock returns an IP range that you can use for App Engine
outgoing traffic. For example, the query of
_cloud-netblocks1 above could return the
Non-authoritative answer: _cloud-netblocks1.googleusercontent.com text = "v=spf1 include:_cloud-netblocks6.googleusercontent.com include:_cloud-netblocks7.googleusercontent.com ip6:2600:1900::/35 ip4:22.214.171.124/20 ip4:126.96.36.199/21 ip4:188.8.131.52/23 ip4:184.108.40.206/20 ip4:220.127.116.11/19 ip4:18.104.22.168/11 ip4:22.214.171.124/14 ?all"
From this example, we see that both the
IP ranges can be used for App Engine traffic. Other queries for any additional netblocks may return
additional IP ranges.
Note that using static IP address filtering is not considered a safe and effective means of protection. For example, an attacker could set up a malicious App Engine app which could share the same IP address range as your application. Instead, we suggest that you take a defense in depth approach using OAuth and Certs.