Remote IP address for "Send HTTP Request" action

Talfo
Shopify Partner

I am evaluating Shopify Flow to send the order information to our private inventory server.

Sending JSON data via the "Send HTTP Request" action is good; it works fine.

However, I found that the remote IP address was not fixed and changed from time to time.

I want to allow API access only from limited IP addresses.

Is there any list of fixed IP addresses for the "Send HTTP Request" action?


jazz-jay
Shopify Partner

Hi,

A simple solution will be to add a secret key and a value into the Flow HTTP Request header, and then your private inventory server app needs to validate that secret key and value before it processes the request.

Talfo
Shopify Partner

Thank you Jazz-Jay for your advice.

I understand that the API access should be protected by some kind of secret access key. And actually it is already implemented.

Using an API key is an application-layer protection.

In addition to it, we want to add network-layer protection on the server.

By filtering IP addresses and ports, our server will be protected at a lower level.

paul_n
Shopify Staff

Check this page for a list of IPs. It doesn't change frequently, but you might need to monitor it: 
https://egress-ips.shopify.com/

Paul_N | Flow Product Manager @ Shopify
- Finding Flow useful? Leave us a review
- Need Flow help? Check out our help docs.
- Building for Flow? Check out Flow's dev docs.
Talfo
Shopify Partner

Thank you very much, Paul.

This is the one I was looking for.

👍

Talfo
Shopify Partner

Hi Paul,
I checked the list at https://egress-ips.shopify.com/ and the current list was:

{
  "last_update": "2021-08-30",
  "egress_ips": [
    "35.232.224.180/32",
    "35.232.224.180/32",
    "35.238.98.119/32",
    "130.211.193.14/32",
    "35.223.215.165/32",
    "34.73.222.25/32",
    "35.243.163.187/32",
    "35.237.72.31/32",
    "23.227.62.0/23"
  ]
}

However, I've received HTTP requests from other IPs that are not in the list:

  • 35.223.115.56 
  • 34.122.221.228

Is the list well maintained and up-to-date?  I doubt that it's not updated recently.
Could you please check it and update if necessary.

Thanks for your support!!
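An added example, not part of any post in this thread and not Shopify code: it checks a caller's address against the list quoted in the post above and validates the shared-secret header suggested earlier in the thread. The header name and secret value are hypothetical; the secret decides the outcome and list membership is only reported alongside it, since the post above saw requests from unlisted addresses.

```python
import hmac
import ipaddress
import json

# The list exactly as quoted in the post above (first entry appears twice).
EGRESS_JSON = """{
  "last_update": "2021-08-30",
  "egress_ips": ["35.232.224.180/32", "35.232.224.180/32", "35.238.98.119/32",
    "130.211.193.14/32", "35.223.215.165/32", "34.73.222.25/32",
    "35.243.163.187/32", "35.237.72.31/32", "23.227.62.0/23"]
}"""

SECRET_HEADER = "x-inventory-secret"           # hypothetical header name
EXPECTED_SECRET = "constructed-sample-secret"  # constructed; load from a secret store


def load_networks(doc):
    """Parse the published JSON into a de-duplicated, sorted list of networks."""
    cidrs = json.loads(doc)["egress_ips"]
    return sorted({ipaddress.ip_network(c) for c in cidrs})


def ip_in_list(remote_ip, networks):
    """True if the TCP peer address falls inside any published CIDR."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in networks)


def authorize(remote_ip, headers, networks):
    """Return (allowed, ip_listed); the secret decides, the list is a signal."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SECRET_HEADER, "")
    # Constant-time comparison avoids leaking the secret through timing.
    allowed = hmac.compare_digest(presented.encode(), EXPECTED_SECRET.encode())
    return allowed, ip_in_list(remote_ip, networks)


if __name__ == "__main__":
    nets = load_networks(EGRESS_JSON)
    # The two source addresses reported in the post as missing from the list.
    for ip in ("35.223.115.56", "34.122.221.228"):
        print(ip, authorize(ip, {"X-Inventory-Secret": EXPECTED_SECRET}, nets))
```

Logging the second element of the result for each request gives a record of how often traffic arrives from addresses outside the published list.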

paul_n
Shopify Staff

Hi, it looks like the info provided is not correct. I think those IPs are actually not used. Unfortunately, there isn't a consistent set of IPs used as they are determined dynamically, so what you are trying to do doesn't look possible. 

Talfo
Shopify Partner

> Unfortunately, there isn't a consistent set of IPs used as they are determined dynamically, so what you are trying to do doesn't look possible.

Hi Paul,


Thank you for your update.

Is it possible to provide the IP ranges for the "dynamically" determined ones?
It could be helpful for making a whitelist.

paul_n
Shopify Staff

Unfortunately no.
