Skip to main content

Configuring network access with IP allowlists

Abstract

You can access Bitrise virtual machines from behind a private network or a firewall. To do so, allowlist our build machine IP addresses in your network.

Our datacenters are behind a set of public static IP addresses, with the virtual machines having their own internal subnets behind these addresses. Depending on your company security policy, you may need to allowlist the public IP addresses to be able to access the build machine: IP address ranges for the Bitrise build machines.

Similarly, the Bitrise background workers powering app.bitrise.io UI and related control plane, configuration management, signaling to your services are accessible at a set of static IP addresses. Allowlisting these addresses can ensure you can still receive build status updates or that Bitrise can access the bitrise.yml file: IP address ranges for Bitrise backend workers of your app.

IP address ranges for the Bitrise build machines

For most users, who host their repositories on cloud-based service providers, there is no need for any network configuration to be able to use Bitrise. All we need is permission to access the repository and for that, an SSH key or an access token is enough.

However, your company security policy might not allow unknown and unauthorized IP addresses to communicate with the servers where your code is being stored - either on your own datacenter or in a private cloud. In that case, Bitrise won’t work unless the relevant IP addresses are added to your allow list.

You will see IP addresses from the following ranges as source when your Bitrise build machines reach out to your services like Git to download your source code, or call into your test backend services, or any other services you run outside Bitrise that are required to be reached as part of your CI workflow.

Allowlist the entire subnet

If the provided public IP address is a subnet, you need to allow the entire subnet on your network! For example, 208.52.166.128/28 means all IP addresses between 208.52.166.128 and 208.52.166.143 (208.52.166.128, 208.52.166.129, 208.52.166.130, and so on, all the way to and including 208.52.166.143) have to be allowlisted.

Multi-tenant vs Single-tenant

The build machine IP ranges listed below are for the Bitrise multi-tenant environment. Depending on your organization's security requirements, it may not be advisable to allow access to your network from the Bitrise multi-tenant IP range. For organizations with enhanced security requirements, you can: 

Feel free to contact us if you have questions.

Table 1. External and internal IP address ranges for the build machines

Stack type

Public IP

Xcode stacks

74.122.200.224/27 (All IPs from 74.122.200.224 to 74.122.200.255)

74.122.201.224/27 (All IPs from 74.122.201.224 to 74.122.201.255)

74.122.202.224/27 (All IPs from 74.122.202.224 to 74.122.202.255)

74.122.203.224/27 (All IPs from 74.122.203.224 to 74.122.203.255)

208.52.166.154/32 and

208.52.166.128/28

207.254.0.248/29 and

207.254.0.208/28

207.254.34.148/32 and

207.254.33.176/28

Linux/Docker stacks

74.122.200.224/27 (All IPs from 74.122.200.224 to 74.122.200.255)

74.122.201.224/27 (All IPs from 74.122.201.224 to 74.122.201.255)

74.122.202.224/27 (All IPs from 74.122.202.224 to 74.122.202.255)

74.122.203.224/27 (All IPs from 74.122.203.224 to 74.122.203.255)

104.197.15.74/32

34.123.172.192/32

34.125.50.224/32

34.125.82.130/32

34.134.193.138/32

34.138.187.10/32

34.150.152.190/32

34.162.185.129/32

34.162.202.37/32

34.162.229.32/32

34.162.29.153/32

34.162.88.79/32

34.23.207.105/32

34.85.139.176/32

34.85.240.93/32

34.86.56.118/32

35.202.121.43/32

35.225.44.167/32

35.231.56.118/32

35.237.165.17/32

35.243.148.182/32

35.245.56.67/32

IP address ranges for Bitrise backend workers

Bitrise backend workers are operating behind firewalls and NAT gateways. There are some use cases when our backend workers need to reach your services.

These addresses may be relevant if you use self-hosted Git services or store your bitrise.yml file in the repository. In this way Bitrise can, for example, access the bitrise.yml file, or send build status updates on commits and pull requests in a self-hosted repository.

Table 1. Static IP addresses for the Bitrise website and its background workers

IP address ranges

74.122.200.64/28 (All IPs from 74.122.200.64 to 74.122.200.78)

74.122.201.64/28 (All IPs from 74.122.201.64 to 74.122.201.78)

74.122.202.64/28 (All IPs from 74.122.202.64 to 74.122.202.78)

74.122.203.64/28 (All IPs from 74.122.203.64 to 74.122.203.78)

35.232.76.43

34.68.119.18

34.135.186.58

Document changelog

May 2025

Narrowed the Bitrise build machines IP range from 74.122.200.0/22 to:

  • 74.122.200.224/27

  • 74.122.201.224/27

  • 74.122.202.224/27

  • 74.122.203.224/27

Narrowed the Bitrise backend workers IP range: from 74.122.200.0/22 to:

  • 74.122.200.64/28

  • 74.122.201.64/28

  • 74.122.202.64/28

  • 74.122.203.64/28

April 2024

Added the 74.122.200.0/22 range to the IP ranges of both the build machines and the backend workers, which will utilize the new IP range after the 20th of May, 2024.

October 2022

Significantly increased the Linux/Docker stacks IP range.

In this section:

The bitrise.yml file stores your entire build configuration for an app. It specifies your stack and the build triggers, and defines the Workflows of the app. When you make changes on the graphical UI of our Workflow Editor, you actually modify the bitrise.yml file.

app