Archived - ThousandEyes Infrastructure Changes

ThousandEyes Infrastructure Changes

Starting on November 15th, 2020, ThousandEyes will transition its infrastructure from the current data center to Amazon Web Services. The new infrastructure will use new IP address spaces. ThousandEyes customers who have IP address-based access control lists (ACLs) or firewall rules to permit Enterprise Agents, Endpoint Agents or other resources to communicate specifically with the ThousandEyes infrastructure will need to update those ACLs or rules. New ACLs or rules for the new addresses must be added to the existing ACLs and rules no later than November 15th, 2020. Any ACLs or rules with the old IP addresses must remain in place and active until at least January 31st, 2021.

Customers who do not use ACLs or firewall rules to allow communications with ThousandEyes infrastructure do not need to take any action.

Customers who use ACLs or firewalls to allow communications with ThousandEyes Cloud Agents do not need to take any action. Cloud Agent IP addresses will not be modified in this transition.

This article provides a list of the new IP addresses for ThousandEyes infrastructure. The ThousandEyes article Firewall Configuration for Enterprise Agents contains the current list of addresses, and will be updated with the new addresses when the transition is complete.

Change Configuration Details

The tables below contain the domain names, current and new IP addresses of all publicly facing services in the ThousandEyes infrastructure. Customers may have ACLs, firewall or web application firewall (WAF) rules for all of the listed services or for only a subset of the full list.

The first table contains information for services requiring connections to the ThousandEyes infrastructure. These services include the ThousandEyes app, API and services used by ThousandEyes Agents to upload data. IP addresses or domain names in this table will appear as destinations in ACLs or rules.

The second table contains information for services requiring connections from the ThousandEyes infrastructure to customer services. These services implement the notifications and integrations features (specifically Webhooks, AppDynamics, Slack, ServiceNow, and PagerDuty) of the ThousandEyes app's alerts rules. IP addresses or domain names in this table will appear as sources in ACLs or rules.

To make the change to the new ThousandEyes infrastructure, review the possible configuration methods for ACLs or rules below to determine which method your organization uses, and the corresponding steps.

  • Customers with ACLs, firewall or web application firewall (WAF) rules that use the IP addresses listed in the Current Address(es) column of the following tables will use the addresses listed in the New Addresses column to add the new ACLs or rules.

  • Customers whose ACLs or rules use the ThousandEyes CIDR netblock 192.150.160.0/24 rather than the individual IP addresses listed in the Current Address(es) column must use the individual addresses listed in the New Addresses column to add the new ACLs or rules. The addresses in the new infrastructure do not fall within a single netblock or contiguous range.

  • Customers with ACLs, firewall or web application firewall (WAF) rules which use DNS domain names rather than IP addresses will not need to make changes to domain names in those lists or rules. Depending on the implementation of your domain name-based controls, customers may need to take action to reload the rulesets with the new name-to-address mappings. Consult your security administrators or the documentation for your security devices to determine any steps required to reload domain name-based controls.

The tables below provide the information required to add new ACLs or rules. Customers can identify which domain names or IP addresses are needed based on the ThousandEyes product or service used. For example, customers who have Enterprise Agents but no Endpoint Agents can add ACLs or rules for all names or addresses except those in the Endpoint Agents section of the first table.

For customers unsure of which products or services their organization uses, we recommend adding ACLs or rules for all of the entries in both tables.

If adding rules for the second table requires greater review due to an organization's security policies and thus more effort to implement, customers can attempt to determine whether the second table's ACLs or rules are needed by consulting the ThousandEyes documentation on the alert rules feature's notifications and integrations features (specifically Webhooks, AppDynamics, Slack, ServiceNow, and PagerDuty) and then reviewing their configuration of notifications and integrations in their ThousandEyes account.

NOTE: Notifications and integrations are configured on a per-account group basis, so customers should review all account groups within an organization to locate any configured notifications or integrations. For organizations with large numbers of account groups, the ThousandEyes API can be used to query for a list of account group IDs and then the list of notifications and integrations per account group.

Table 1: Connections from customer networks to ThousandEyes infrastructure

Add ACLs or rules with destination IP addresses from the New addresses column (similar to any existing ACLs or rules with destination IP addresses in the Current address(es) column).

Product/ServiceDNS Domain NameCurrent Address(es)New Addresses

ThousandEyes App

app.thousandeyes.com

192.150.160.193

50.18.71.33

54.241.92.230

13.248.203.51

76.223.82.139

*.share.thousandeyes.com

192.150.160.195

50.18.147.222

54.177.244.79

13.248.217.17

76.223.69.131

embed.thousandeyes.com

192.150.160.202

52.9.5.97

54.177.66.87

75.2.122.52

99.83.143.133

ThousandEyes API

api.thousandeyes.com

192.150.160.194

54.177.34.231

54.193.142.147

13.248.200.34

76.223.86.189

Enterprise Agents

c1.agt.thousandeyes.com

192.150.160.17

13.52.142.100

54.215.23.174

75.2.66.34

99.83.133.153

sc1.thousandeyes.com

192.150.160.18

54.153.76.24

54.215.2.49

75.2.105.19

99.83.165.166

data1.agt.thousandeyes.com

192.150.160.203

18.144.149.12

54.219.22.100

13.248.204.16

76.223.76.176

ntrav.thousandeyes.com

192.150.160.20

54.176.41.14

54.241.50.7

75.2.27.3

99.83.136.191

crashreports.thousandeyes.com

192.150.160.50

204.236.190.123

54.241.250.221

75.2.49.1

99.83.242.129

Endpoint Agents

c1.eb.thousandeyes.com

192.150.160.199

204.236.184.131

52.9.192.109

75.2.45.13

99.83.250.143

data.eb.thousandeyes.com

192.150.160.200

50.18.29.173

54.176.79.58

13.248.210.21

76.223.72.156

Table 2: Connections to customer networks from ThousandEyes infrastructure

Add ACLs or rules with source IP addresses from the New addresses column (similar to any existing ACLs or rules with source IP addresses in the Current address(es) column).

Product/ServiceDNS Domain NameCurrent AddressesNew Addresses

Alert Rule Notifications and Integrations

Not applicable

192.150.160.12

192.150.160.13

52.52.142.26

52.52.36.83

For customers considering switching their IP address-based ACLs or rules to use domain names, be aware that the domain names are not currently protected by DNSSEC.

Change Window Dates

Customers should add the new IP addresses or DNS domain names by November 15th, 2020. Customers should allow sufficient time to submit these changes to any configuration or change control processes used in their organization. ACLs or rules with the old IP addresses must remain in place and active until at least January 31st, 2021 or until further notice.

As the date for the cutover approaches, consult this article or the ThousandEyes Changelog for updates. Customers may also contact ThousandEyes Customer Engineering with questions or concerns, or contact us via in-app chat.

Last updated