Archived - ThousandEyes Infrastructure Changes
Starting on November 15th, 2020, ThousandEyes will transition its infrastructure from the current data center to Amazon Web Services. The new infrastructure will use new IP address spaces. ThousandEyes customers who have IP address-based access control lists (ACLs) or firewall rules to permit Enterprise Agents, Endpoint Agents or other resources to communicate specifically with the ThousandEyes infrastructure will need to update those ACLs or rules. New ACLs or rules for the new addresses must be added to the existing ACLs and rules no later than November 15th, 2020. Any ACLs or rules with the old IP addresses must remain in place and active until at least January 31st, 2021.
This article provides a list of the new IP addresses for ThousandEyes infrastructure. The ThousandEyes article Firewall Configuration for Enterprise Agents contains the current list of addresses, and will be updated with the new addresses when the transition is complete.
The tables below contain the domain names, current and new IP addresses of all publicly facing services in the ThousandEyes infrastructure. Customers may have ACLs, firewall or web application firewall (WAF) rules for all of the listed services or for only a subset of the full list.
The first table contains information for services requiring connections to the ThousandEyes infrastructure. These services include the ThousandEyes app, API and services used by ThousandEyes Agents to upload data. IP addresses or domain names in this table will appear as destinations in ACLs or rules.
The second table contains information for services requiring connections from the ThousandEyes infrastructure to customer services. These services implement the notifications and integrations features (specifically Webhooks, AppDynamics, Slack, ServiceNow, and PagerDuty) of the ThousandEyes app's alert rules. IP addresses or domain names in this table will appear as sources in ACLs or rules.
To make the change to the new ThousandEyes infrastructure, review the possible configuration methods for ACLs or rules below to determine which method your organization uses, and the corresponding steps.
- Customers with ACLs, firewall or web application firewall (WAF) rules that use the IP addresses listed in the Current Address(es) column of the following tables will use the addresses listed in the New Addresses column to add the new ACLs or rules.
- Customers whose ACLs or rules use the ThousandEyes CIDR netblock 220.127.116.11/24 rather than the individual IP addresses listed in the Current Address(es) column must use the individual addresses listed in the New Addresses column to add the new ACLs or rules. The addresses in the new infrastructure do not fall within a single netblock or contiguous range.
- Customers with ACLs, firewall or web application firewall (WAF) rules which use DNS domain names rather than IP addresses will not need to make changes to domain names in those lists or rules. Depending on the implementation of your domain name-based controls, customers may need to take action to reload the rulesets with the new name-to-address mappings. Consult your security administrators or the documentation for your security devices to determine any steps required to reload domain name-based controls.
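The three cases above can be checked mechanically against an exported rule list. The following Python code is an added example, not ThousandEyes code: the service rows, the addresses (RFC 5737 documentation ranges) and the `example.com` names are constructed stand-ins for the rows of the tables, and `plan_additions` is a hypothetical helper.

```python
import ipaddress

# Constructed sample rows standing in for the article's tables.
# "direction" is where the address appears in a rule (Table 1: destination,
# Table 2: source).
SERVICES = [
    {"name": "app.example.com", "direction": "destination",
     "current": ["192.0.2.10"], "new": ["198.51.100.7", "203.0.113.21"]},
    {"name": "agent-upload.example.com", "direction": "destination",
     "current": ["192.0.2.11"], "new": ["198.51.100.44"]},
    {"name": "notify.example.com", "direction": "source",
     "current": ["192.0.2.12"], "new": ["203.0.113.90"]},
]

# Constructed existing rules: (direction, match); match is an IP address,
# a CIDR netblock or a DNS domain name.
EXISTING_RULES = [
    ("destination", "192.0.2.10"),                # individual current address
    ("source", "192.0.2.0/24"),                   # netblock covering current addresses
    ("destination", "agent-upload.example.com"),  # domain-name rule
]

def plan_additions(services, rules):
    """Return (rules_to_add, names_to_reload). Old rules are never removed,
    because they must stay active during the transition."""
    to_add, to_reload = set(), set()
    for direction, match in rules:
        try:
            net = ipaddress.ip_network(match, strict=False)
        except ValueError:
            net = None  # not an address or netblock: treat as a domain name
        for svc in services:
            if svc["direction"] != direction:
                continue
            if net is None:
                if svc["name"] == match:
                    to_reload.add(match)  # name unchanged, mapping must be refreshed
            elif any(ipaddress.ip_address(a) in net for a in svc["current"]):
                # New addresses are not contiguous: one host rule per address.
                to_add.update((direction, f"{a}/32") for a in svc["new"])
    return sorted(to_add - set(rules)), sorted(to_reload)

if __name__ == "__main__":
    additions, reloads = plan_additions(SERVICES, EXISTING_RULES)
    for direction, addr in additions:
        print(f"ADD permit {direction} {addr}")
    for name in reloads:
        print(f"RELOAD name-based rule for {name}")
```

The output lists only rules to add and names to reload; removing rules for the old addresses is deliberately out of scope.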
The tables below provide the information required to add new ACLs or rules. Customers can identify which domain names or IP addresses are needed based on the ThousandEyes product or service used. For example, customers who have Enterprise Agents but no Endpoint Agents can add ACLs or rules for all names or addresses except those in the Endpoint Agents section of the first table.
For customers unsure of which products or services their organization uses, we recommend adding ACLs or rules for all of the entries in both tables.
If an organization's security policies require greater review, and thus more effort, to add rules for the second table, customers can attempt to determine whether the second table's ACLs or rules are needed. To do so, consult the ThousandEyes documentation on the notifications and integrations of the alert rules feature (specifically Webhooks, AppDynamics, Slack, ServiceNow, and PagerDuty), then review the notifications and integrations configured in your ThousandEyes account.
NOTE: Notifications and integrations are configured on a per-account group basis, so customers should review all account groups within an organization to locate any configured notifications or integrations. For organizations with large numbers of account groups, the ThousandEyes API can be used to query for a list of account group IDs and then the list of notifications and integrations per account group.
Table 1: Connections from customer networks to ThousandEyes infrastructure
Add ACLs or rules with destination IP addresses from the New addresses column (similar to any existing ACLs or rules with destination IP addresses in the Current address(es) column).
Table 2: Connections to customer networks from ThousandEyes infrastructure
Add ACLs or rules with source IP addresses from the New addresses column (similar to any existing ACLs or rules with source IP addresses in the Current address(es) column).
Customers should add the new IP addresses or DNS domain names by November 15th, 2020. Customers should allow sufficient time to submit these changes to any configuration or change control processes used in their organization. ACLs or rules with the old IP addresses must remain in place and active until at least January 31st, 2021 or until further notice.