Cloud address allow-listing

Author: rickkas7

config/dnsTable.json

@@ -0,0 +1,74 @@
+{
+  "udp": {
+    "addresses": [
+      "3.85.71.8",
+      "3.210.194.186",
+      "3.221.51.74",
+      "3.222.253.60",
+      "3.223.76.106",
+      "3.224.151.208",
+      "3.225.113.205",
+      "3.227.163.177",
+      "3.228.117.244",
+      "3.229.224.193",
+      "34.194.48.89",
+      "34.233.0.183",
+      "52.22.68.60",
+      "52.70.88.102",
+      "52.70.247.238",
+      "54.82.141.176",
+      "54.86.198.203",
+      "54.89.110.189",
+      "54.226.52.22",
+      "100.25.253.74"
+    ]
+  },
+  "tcp": {
+    "addresses": [
+      "3.85.71.8",
+      "3.210.194.186",
+      "3.222.253.60",
+      "3.225.113.205",
+      "3.227.163.177",
+      "3.228.117.244",
+      "34.194.48.89",
+      "54.82.141.176",
+      "54.86.198.203",
+      "54.226.52.22",
+      "54.89.85.128",
+      "18.215.131.110",
+      "3.230.94.67",
+      "3.216.239.14",
+      "34.195.89.106",
+      "3.225.178.96",
+      "3.230.53.201",
+      "52.1.233.8",
+      "3.229.48.190",
+      "54.86.95.155"
+    ]
+  },
+  "api": {
+    "addresses": [
+      "18.210.55.77",
+      "23.20.15.229",
+      "34.234.252.187"
+    ]
+  },
+  "tools": {
+    "addresses": [
+      "18.232.44.59",
+      "23.22.157.146",
+      "35.153.87.190",
+      "52.84.52.41",
+      "52.84.52.45",
+      "52.84.52.61",
+      "52.84.52.129",
+      "52.84.129.24",
+      "52.84.129.37",
+      "52.84.129.55",
+      "52.84.129.93",
+      "104.16.51.111",
+      "104.16.53.111"
+    ]
+  }
+}

scripts/generateDnsTable.js

@@ -0,0 +1,125 @@
+const fs = require('fs');
+const path = require('path');
+const dns = require('dns');
+
+
+const dnsJsonPath = path.join(__dirname, '../config', 'dnsTable.json');
+    
+const lookupArray = [
+    {
+        "key":"udp",
+        "hosts":[
+            "eks-udp-device-service-blue-static.us-east-1.eks-production-gotham.particle.io",
+            "eks-udp-device-service-green-static.us-east-1.eks-production-gotham.particle.io"       
+        ]
+    },
+    {
+        "key":"tcp",
+        "hosts":[
+            "eks-tcp-device-service-green-static.us-east-1.eks-production-gotham.particle.io",
+            "eks-udp-device-service-green-static.us-east-1.eks-production-gotham.particle.io"       
+        ]
+    },
+    {
+        "key":"api",
+        "hosts":[
+            "api.particle.io"
+        ]
+    },
+    {
+        "key":"tools",
+        "hosts":[
+            "build.particle.io",
+            "console.particle.io",
+            "docs.particle.io",            
+            "support.particle.io"
+        ]
+    }
+];
+
+// console.log('generating...');
+let results = {};
+
+processLookupArray(function() {
+    fs.writeFileSync(dnsJsonPath, JSON.stringify(results, null, 2));
+});
+
+function processLookupArray(completion) {
+
+    lookupArray.forEach(function(lookupObj, outerIndex) {
+        // Create empty keys for the results
+        if (!results[lookupObj.key]) {
+            results[lookupObj.key] = {};
+        }
+        if (!results[lookupObj.key].addresses) {
+            results[lookupObj.key].addresses = [];
+        }
+
+        const outerLast = (outerIndex + 1) >= lookupArray.length;
+
+        lookupObj.hosts.forEach(function(hostName, innerIndex) {
+            dns.lookup(hostName, {family:4, all:true}, function(err, addresses) {
+                const innerLast = (innerIndex + 1) >= lookupObj.hosts.length;
+
+                if (err) {
+                    throw err;
+                }
+                
+                addresses.forEach(function(obj) {
+                    results[lookupObj.key].addresses.push(obj.address);    
+                });
+
+
+                if (innerLast) {
+                    //console.log('innerLast');
+                    results[lookupObj.key].addresses.sort(ipAddrSort);
+                    // console.log('addresses', results[lookupObj.key].addresses);
+
+                    // results[lookupObj.key].md = arrayToMd(results[lookupObj.key].addresses);
+                }
+
+                if (outerLast && innerLast) {
+                    //console.log('outerLast && innerLast');
+                    completion();
+                }
+            });
+        });
+    });
+}
+
+function ipAddrSort(a, b) {
+    const aArray = a.split('.');
+    const bArray = b.split('.');
+
+    if (aArray.length != 4 || bArray.length != 4) {
+        return a.localeCompare(b);
+    }
+
+    for(let ii = 0; ii < aArray.length; ii++) {
+        const aInt = parseInt(aArray[ii]);
+        const bInt = parseInt(bArray[ii]);
+
+        if (aInt < bInt) {
+            return -1;
+        }
+        else if (aInt > bInt) {
+            return +1;
+        }
+    }
+    return 0;
+}
+
+/*
+function arrayToMd(array) {
+    var md = '';
+
+    md += '| IP address      |\n';
+    md += '| :-------------: |\n';
+
+    array.forEach(function(addr) {
+        md += '| ' + addr + '                '.substr(0, 15 - addr.length) + ' |\n';
+    });
+
+    return md;
+}
+*/

scripts/metalsmith.js

@@ -40,6 +40,7 @@ var insertFragment = require('./insert_fragment');
 var javascriptDocsPreprocess = require('./javascript_docs_preprocess');
 var git = require('git-rev');
 var path = require('path');
+var fs = require('fs');
 var sitemap = require('./sitemap.js');
 
 var handlebars = require('handlebars');
@@ -60,6 +61,8 @@ var generateSearch = process.env.SEARCH_INDEX !== '0';
 
 var noScripts = false; 
 
+var dnsTable = JSON.parse(fs.readFileSync(path.join(__dirname, '../config', 'dnsTable.json')));
+
 exports.metalsmith = function () {
   function removeEmptyTokens(token) {
     if (token.length > 0) {
@@ -121,6 +124,10 @@ exports.metalsmith = function () {
     .use(fileMetadata([
       { pattern: 'content/**/*.md', metadata: { assets: '/assets', branch: gitBranch, noScripts: noScripts } }
     ]))
+    // Inject the dnsTable into introduction.md so it can be used by the dnsTable helper
+    .use(fileMetadata([
+      { pattern: 'content/tutorials/device-cloud/introduction.md', metadata: { dnsTable: dnsTable } }
+    ]))
     .use(msIf(
       environment === 'development',
       fileMetadata([

src/content/tutorials/device-cloud/introduction.md

@@ -79,3 +79,41 @@ There is no ability for devices to send function calls to other devices; publish
 Updating your device firmware and Device OS can be done securely over the Particle cloud connection that's used for the other device cloud features.
 
 
+## Cloud Services and Firewalls
+
+The IP addresses used by the Particle cloud are subject to change without notice. Use the information here as a last resort if you have a network that restricts traffic and are unable to allow-list traffic by using techniques such as MAC address allow-lists.
+
+### Gen 3 and Gen 2 Cellular
+
+Gen 3 devices (Argon, Boron, B Series, Tracker SoM) and Gen 2 cellular devices (Electron, E Series) all use UDP port 5684, outbound. 
+
+While you rarely need to worry about this for cellular devices, for the Argon (Wi-Fi), if you are connecting from a network with a restrictive network firewall, the devices will connect to one of these IP addresses, port 5684, outbound. Like most UDP-based protocols (like DNS), your firewall generally creates a temporary port to allow packets back to the device without creating a permanent firewall port forwarding rule. The amount of time this port will remain active ranges from seconds to hours, and you may need to use [`Particle.keepAlive()`](/reference/device-os/firmware/argon/#particle-keepalive-) to keep the cloud connection active.
+
+{{dnsTable key="udp"}}
+
+### Gen 2 and Gen 1 Wi-Fi
+
+The Photon, P1, and Spark Core connect to TCP Port 5683 (CoAP), outbound.
+
+If you are connecting from a restrictive network that does not allow outbound TCP access on Port 5683, you may need to allow-list these IP addresses or allow access based on the device's MAC address.
+
+{{dnsTable key="tcp"}}
+
+### Cloud API
+
+The devices themselves do not access the Particle Cloud using the API port, but if you are using the Tinker mobile app over Wi-Fi, curl commands, node.js scripts, etc. from a computer on the Wi-Fi or LAN, and you have a restrictive outbound network connection policy, you may need to allow-list **api.particle.io** port 443 (TLS/SSL), outbound, or as a last resort, these IP addresses (subject to change without notice):
+
+{{dnsTable key="api"}}
+
+### Other Services
+
+Other common services includes:
+
+- **console.particle.io** (device management)
+- **docs.particle.io** (documentation)
+- **build.particle.io** (Web IDE)
+- **support.particle.io** (support and knowledge base)
+
+If you are using network with restrictive outbound access policies, you may need to allow-list those DNS names for port 443 (TLS/SSL) outbound, or as a last resort, these IP addresses (subject to change without notice):
+
+{{dnsTable key="tools"}}

templates/helpers/dnsTable.js

@@ -0,0 +1,57 @@
+// Inserts a table of DNS addresses
+// {{dns-table key="udp"}}
+// The data is stored in config/dnsTable.json
+// The dnsTable.json file is generated or updated by scripts/generateDnsTable.js
+var Handlebars = require('handlebars');
+
+var lastCssClass;
+
+module.exports = function(context) {
+    const key = context.hash.key;
+    if (!key) {
+        return '';
+    }
+    const columns = context.hash.columns || 5;
+
+    // console.log('context', context);
+    // console.log('context.data.root.dns_table', context.data.root.dns_table);
+    
+    return generateTable(context.data.root.dnsTable[key].addresses, columns);
+};
+
+function generateTable(addresses, columns) {
+    if (!addresses || addresses.length == 0) {
+        return '';
+    }
+
+    if (columns > addresses.length) {
+        columns = addresses.length;
+    }
+    let md = '';
+    let col;
+
+    for(col = 0; col < columns; col++) {
+        md += '| IP Address ';
+    }
+    md += '|\n';
+
+    for(col = 0; col < columns; col++) {
+        md += '| :--- ';
+    }
+    md += '|\n';
+
+    col = 0;
+    addresses.forEach(function(address) {
+        md += '| ' + address;
+        if (++col >= columns) {
+            col = 0;
+            md += '|\n';
+        }
+    });
+    if (col != 0) {
+        md += '|\n';
+    }
+
+    return md;
+}
+