Outbound IP firewalling of the Go SDK TTN client to the Data API

Hi all,

I’m trying to figure out which IPs the Go SDK TTN client connects to. Our production environment doesn’t allow outbound connections by default and we whitelist outbounds in the firewall. I have read the documentation and see the network has discovery server(s) and the data API nodes. In our development environment all outbound connections are allowed and we see it connects to the Azure IP netblock.

These IPs were used:

52.178.215.58:1900
52.169.76.255:1883
52.169.76.255:1904

How is it possible to constrain the firewall to the TTN network because it can be dynamically scaled?

Kind regards,
Jerry Jacobs

Unfortunately we can’t give a definitive list of IPs or IP ranges for deployments of the public community network. The Things Network Foundation uses different cloud providers and different cloud regions, so IP ranges may change. If you allow ranges for Microsoft Azure, Amazon AWS and Google Cloud you should be able to connect to regions hosted by The Things Network Foundation. However, if you’re connecting to other public regions (Meshed in Australia, DigitalCatapult in the UK, Switch in Switzerland), then you may need to whitelist other IP address ranges as well.

Thanks for the confirmation, I already made it up myself but now I know for sure.
We will find a way then.

Thanks!

There are a few ports used, the connected 1904 is not even in the list below:

So what do we need to add to the firewall then when using the Go SDK for the TTN client?

The only fixed ports are:

1900/tcp (for the discovery server)
1700/udp (for UDP gateways)

All other ports can be picked by the operator that deploys a cluster/region, although we usually (but not always!) use the default ports:

1900-1910/tcp (for gRPC)
1880-1885/tcp and 8880-8885/tcp (for MQTT and MQTT+TLS)
8080-8090/tcp (for experimental HTTP APIs, no TLS available)
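
Added example, not code from the thread participants or the TTN project: a small Go check that parses the port list given in the last reply and classifies the outbound flows reported in the first post, so an egress rule set built from that list can be sanity-checked against what the client actually dials. The names `threadSpecs`, `parseSpec` and `classify` are hypothetical; only ports are matched, since the reply states the destination IPs cannot be pinned.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// threadSpecs is the port list quoted in the thread, fixed ports first.
var threadSpecs = [][2]string{
	{"1900/tcp", "fixed: discovery server"}, {"1700/udp", "fixed: UDP gateways"},
	{"1900-1910/tcp", "default: gRPC"}, {"1880-1885/tcp", "default: MQTT or MQTT+TLS"},
	{"8880-8885/tcp", "default: MQTT or MQTT+TLS"}, {"8080-8090/tcp", "default: HTTP, no TLS"},
}
// parseSpec turns "PORT/proto" or "LO-HI/proto" into its bounds, rejecting malformed specs.
func parseSpec(spec string) (int, int, string, error) {
	ports, proto, ok := strings.Cut(spec, "/")
	if !ok || (proto != "tcp" && proto != "udp") {
		return 0, 0, "", fmt.Errorf("bad protocol in %q", spec)
	}
	loStr, hiStr, isRange := strings.Cut(ports, "-")
	if !isRange {
		hiStr = loStr // a single port is a range of one
	}
	lo, errLo := strconv.Atoi(loStr)
	hi, errHi := strconv.Atoi(hiStr)
	if errLo != nil || errHi != nil || lo < 1 || hi > 65535 || lo > hi {
		return 0, 0, "", fmt.Errorf("bad port range in %q", spec)
	}
	return lo, hi, proto, nil
}
// classify reports which thread entry covers an observed "ip:port" flow, if any.
func classify(endpoint, proto string) string {
	_, portStr, err := net.SplitHostPort(endpoint)
	port, convErr := strconv.Atoi(portStr)
	if err != nil || convErr != nil {
		return "invalid endpoint"
	}
	for _, s := range threadSpecs {
		lo, hi, p, err := parseSpec(s[0])
		if err == nil && p == proto && port >= lo && port <= hi {
			return s[1]
		}
	}
	return "not covered"
}
// main classifies the flow on port 1904 that the thread asks about.
func main() { fmt.Println(classify("52.169.76.255:1904", "tcp")) }
```

Because every port other than 1900/tcp and 1700/udp is an operator default, a "not covered" result for a real flow means that region's operator picked a different port, not that the flow is necessarily unexpected.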