A good security practice is to block connections from unrecognized sources on the network level using a firewall or AWS security groups. This applies especially to the production database whose connections should not be publicly available. For an extra layer of security, setting up an SSH Tunnel is also recommended.
To access external systems (including your database), KBC uses the below IP addresses. Please whitelist these IP addresses in your firewalls to allow KBC to successfully connect to your system. This applies to all KBC components including all extractors and writers.
Important: These IP addresses can change in the future! For your convenience, you can programmatically fetch and process the list of existing IP addresses in JSON format. Below are listed the available Keboola Connection Stack endpoints.
For projects in the default US region (AWS region
us-east-1), the following IP addresses are currently used:
For projects in the EU region (AWS region
eu-central-1), the following IP addresses are currently used:
For projects in the AUS region (AWS region
ap-southeast-2), the following IP addresses are currently used:
We are publishing our current IP addresses in JSON format. To view them, download the kbc-public-ip.json file.
To determine whether there have been changes since the last time you saved the file, check the publication
time in the current file (
syncToken attribute) and compare it to the publication time in the last file you saved.
The JSON file contains an array of ranges (attribute
prefixes), each of which has the following attributes:
ipPrefix— subnet mask (CIDR)
vendor— cloud service provider
region— cloud service region
service— Keboola application service (
syrupfor Keboola Connection components)