Does Canonical host third-party services on their public IP ranges ?

Colin Watson cjwatson at ubuntu.com
Thu Jul 22 19:23:44 UTC 2021


On Thu, Jul 22, 2021 at 01:19:50PM +0000, Julian CLEAUD wrote:
> I am willing to secure some servers' outgoing traffic. With this in mind, I reviewed 2 solutions:
> - Level 7 proxy (squid or equivalent) - for HTTP/HTTPS traffic
> - Level 4 firewall (netfilter or equivalent) - for port 443
> 
> With my current setup, I found out that setting up a level 4 firewall would be a first step faster
> to set up than setting up a proxy.
> I am seriously willing to investigate setting up a proxy on all my servers, but configuring
> the firewall would be an intermediate step in the goal of securing outbound traffic.
> 
> With that in mind, I was looking for Ubuntu/Canonical IP ranges and found out thanks to the RIPE
> database that every service I need to access (except Ubuntu mirrors) is hosted on the CANONICAL-AS:
> https://apps.db.ripe.net/db-web-ui/query?bflag=true&dflag=false&inverse=mnt-by&rflag=false&searchtext=CANONICAL-MNT&source=RIPE&types=route
> 
> Some examples of such services are:
> - Ubuntu keyserver
> - Ubuntu repositories (except mirrors)
> - Launchpad PPAs
> - Snapcraft/Snapstore
> 
> Hence, my question is rather simple:
> - Is it safe to allow outbound traffic to Canonical IP ranges?
> or in other words:
> - Does Canonical only host Canonical (or Ubuntu community) services on those ranges, or
>   do they also host third-party non-Canonical services? (just like Amazon would host third-party services/files/... on their AWS infrastructure).

[Disclaimer: I'm not a sysadmin at Canonical.  I do a lot of work on
Canonical-operated services, though.]

My understanding is that nearly everything on the networks you mention
consists of Canonical services or Ubuntu community services.  (There are
a few exceptions: for instance, gopkg.in doesn't really come under that
heading.  However, it's still operated by Canonical's sysadmins even
though it's not a Canonical service in the sense you're probably
thinking of.)

As far as I know, we don't operate a public cloud in any of those
networks where third parties can sign up to run their own stuff.

-- 
Colin Watson (he/him)                              [cjwatson at ubuntu.com]
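
An added illustration of the layer 4 approach described in the question (not part of either message and not Canonical's code): this Python script filters RPSL `route`/`route6` objects by maintainer, collapses adjacent prefixes, and renders an nftables ruleset that drops outbound traffic by default and allows TCP 443 only to those prefixes. The sample objects, the `EXAMPLE-MNT`/`OTHER-MNT` maintainers, and the table and set names are constructed assumptions; real input would be the `route` objects returned by the RIPE query linked above.

```python
import ipaddress

# Constructed RPSL sample, trimmed to the attributes used here.
# Documentation prefixes and made-up maintainers, not real Canonical data.
SAMPLE_RPSL = """\
route:   192.0.2.0/25
mnt-by:  EXAMPLE-MNT

route:   192.0.2.128/25
mnt-by:  EXAMPLE-MNT

route:   198.51.100.0/24
mnt-by:  OTHER-MNT

route6:  2001:db8:100::/48
mnt-by:  EXAMPLE-MNT
"""

def parse_routes(rpsl, maintainer):
    """Collapsed (v4, v6) prefixes from route/route6 objects held by maintainer."""
    v4, v6 = [], []
    for block in rpsl.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if maintainer in attrs.get("mnt-by", []):
            v4 += [ipaddress.ip_network(p) for p in attrs.get("route", [])]
            v6 += [ipaddress.ip_network(p) for p in attrs.get("route6", [])]
    return list(ipaddress.collapse_addresses(v4)), list(ipaddress.collapse_addresses(v6))

def render_nft(v4, v6, port=443):
    """nftables ruleset: drop outbound by default, allow TCP `port` to the prefixes."""
    out, rules = ["table inet egress {"], []
    for name, typ, fam, nets in (("allow4", "ipv4_addr", "ip", v4),
                                 ("allow6", "ipv6_addr", "ip6", v6)):
        if nets:  # skip an address family that has no prefixes
            elems = ", ".join(map(str, nets))
            out += [f"  set {name} {{", f"    type {typ}", "    flags interval",
                    f"    elements = {{ {elems} }}", "  }"]
            rules.append(f"    {fam} daddr @{name} tcp dport {port} accept")
    out += ["  chain output {",
            "    type filter hook output priority 0; policy drop;",
            '    oifname "lo" accept',
            "    ct state established,related accept",
            # Anything else the host needs (DNS, NTP, ...) must be allowed separately.
            *rules, "  }", "}"]
    return "\n".join(out)
```

Calling `print(render_nft(*parse_routes(SAMPLE_RPSL, "EXAMPLE-MNT")))` prints a ruleset that can be checked with `nft -c -f` before loading. The Ubuntu mirrors, which the question notes are outside these ranges, need their own rules.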