Static IP for Inbound requests


#1

We are working with a major tech client and preparing an installation for their campus of our device, which uses the Electric Imp platform.

Their network administrators need to whitelist the IP address of any inbound traffic, and require a static IP for agent.electricimp.com. Is this something you are able to provide?

Many thanks,
Dan


#2

No, this is a load balancer and can move about.

However, this is not an address within your network. This is an address on the internet. The imps tunnel outbound to the imp server, and keep a channel open. There is no need to open any inbound firewall ports for imps.


#3

Thanks Hugo. So there is no need to ‘white list’ a particular domain or port to allow IMPs to get inbound requests whatsoever, regardless of the network environment?


#4

The imp itself only ever connects outbound to our servers, and all incoming messages to the imp come down that (persistent) connection.

The agent code runs in our cloud servers, so inbound HTTP requests to the agent don’t go via your network at all. The agent can, if needed, then communicate with the imp down the imp’s existing connection to our servers.

There’s a sort of picture of it all here: https://electricimp.com/product/ where the only communication on your own wifi is the imp’s connection to our cloud – which is connected in the outbound direction.

Peter


#5

Thanks @peter - this is a really helpful way to think about it.

Will let you know how it goes!

Thanks,
Dan


#6

Hi, I’m trying to set this up for our lecturers too and they believe after the IMPs connect to the outbound servers they then make an inbound connection to a web server via PHP script. This is the part that will require an inbound whitelist. How do other users get around this?


#7

That’s not true; the physical imp only ever makes an outbound connection. As Peter says, any inbound traffic to the agent goes to the electric imp servers in Amazon AWS, and from there is routed to the imp’s existing connection.

There are no listening ports on an imp (aside from DHCP and DNS, so it can hear that traffic).

If they don’t believe this, just try it :slight_smile:


#8

The occasional stubborn client refuses to believe this is true, since we still send and receive communication with our devices over their networks. What is the technical term for how this outbound-only connection works? Is it SSH tunneling? Anything we can direct them to so they can understand the structure better is helpful.

Thanks,
Tom


#9

I mean, it’s a connection initiated from the client network. Once the connection is up, then data can flow bidirectionally, as with any other TCP connection.

The connection is TLS secured, so you could say it’s a “Bidirectional TLS tunnel initiated by the device” if that helps?
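
The outbound-initiated, bidirectional channel described in this thread, as an added example (not Electric Imp's code): a hypothetical "device" opens the only connection, never listens, and the "cloud" pushes a command back down that same socket. Plain TCP on localhost stands in for the TLS-secured link; the names `cloud_server`, `device_loop` and `run_demo` are assumptions.

```python
# Constructed demo: device connects outbound only; cloud pushes commands back
# over that established connection. Real deployments wrap this stream in TLS
# (ssl.SSLContext on both ends); the direction of flow is unchanged.
import socket
import threading


def cloud_server(ready: threading.Event, result: dict) -> None:
    """Cloud side: the only listening socket in the whole exchange."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, so the demo is self-contained
    srv.listen(1)
    result["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()              # accept the device's outbound connection
    result["hello"] = conn.recv(64)     # device -> cloud
    conn.sendall(b"cmd:blink")          # cloud -> device: "inbound" data on the same socket
    result["reply"] = conn.recv(64)     # device -> cloud again
    conn.close()
    srv.close()


def device_loop(port: int) -> bytes:
    """Device side: one outbound connect(); no bind()/listen() anywhere."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"hello")
    cmd = s.recv(64)                    # command arrives on the connection the device opened
    s.sendall(b"ack:" + cmd)
    s.close()
    return cmd


def run_demo() -> dict:
    """Runs cloud and device in one process; returns what each side saw."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=cloud_server, args=(ready, result))
    t.start()
    ready.wait()
    result["device_got"] = device_loop(result["port"])
    t.join()
    return result


if __name__ == "__main__":
    print(run_demo())
```

A firewall that permits only outbound TCP from the device network (no inbound allow rule) is sufficient for this exchange, which is the point made above.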


#10

Perfect. Thanks Hugo!