Egress | Fluid Attacks Help

Egress

This section describes the high-level architecture of the Egress connection used by Fluid Attacks to access your resources to be tested, as well as its minimum requirements and limitations. This connection relies on dedicated Cloudflare egress IPs.

High-level architecture

In this connection option, Fluid Attacks utilizes public egress IP addresses to access your resources. These IP addresses are static, i.e., they do not change, ensuring consistent and reliable access.

To allow Fluid Attacks to access the necessary resources within your network, you need to whitelist the egress IP addresses on your firewall. This enables secure communication between Fluid Attacks and your designated resources over the Internet.

Below is a diagram that shows at a high level how the Egress scheme works.


Understand Egress connection with Fluid AttacksEgress connection architecture diagram

Minimum requirements

To enable the Egress connection, ensure the following:
  1. Public IP requirement: Your resources must have a public IP address or be accessible via an externally routed network to allow Fluid Attacks to establish a connection. If they are behind a NAT or private network, additional configuration may be required. One possible solution is using Port Address Translation (PAT) or NAT overload, which allows multiple devices in a private network to share a single public IP address by translating not only IP addresses but also port numbers.
  2. Firewall configuration: Whitelist the specified Fluid Attacks egress IP addresses in your firewall rules to permit incoming connections. Ensure that only the required ports and protocols are opened to maintain security.
  3. Connection form: Complete and submit the required connection form with accurate configuration details. Once submitted, the connection is established within eight business hours.

Egress IP addresses

IPv4:
  1. Main IP: 104.30.132.78
  2. Backup IP: 104.30.134.27

IPv6:
  1. Main IP: 2a09:bac0:1000:252::/64
  2. Backup IP: 2a09:bac0:1001:1cb::/64

Note on whitelisting

The main IP addresses (104.30.132.78 for IPv4 and 2a09:bac0:1000:252::/64 for IPv6) are the primary points of egress and will be used for the majority of outbound requests. If only one IP needs to be whitelisted due to restrictions, prioritize the main IPs for optimal reliability.

Limiting access

While Fluid Attacks requires access to your resources via the provided egress IP addresses, it is crucial to maintain a secure environment. Implement the principle of least privilege by configuring your firewall rules to expose only the essential resources required for security testing. This minimizes potential security risks by limiting access to sensitive information and systems.
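The following is an added example, not code from Fluid Attacks' documentation or platform, showing how the two points above fit together in practice: the published egress addresses (note that the IPv6 entries are /64 prefixes, so a firewall rule must match the prefix, not a single host) are turned into allow rules restricted to only the ports the test actually needs, and the same allow list is then used to audit firewall log lines for accepted connections that fall outside it. The nftables rule syntax is assumed, the `inet filter` table and `input` chain are placeholder names, and the log lines are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Egress addresses as published on this page (main first, then backup).
FLUID_ATTACKS_EGRESS = [
    "104.30.132.78",            # IPv4 main
    "104.30.134.27",            # IPv4 backup
    "2a09:bac0:1000:252::/64",  # IPv6 main: a /64 prefix, not one host
    "2a09:bac0:1001:1cb::/64",  # IPv6 backup
]

# Single addresses become /32 networks; prefixes stay as given.
ALLOWED_NETWORKS = [ipaddress.ip_network(e, strict=True) for e in FLUID_ATTACKS_EGRESS]


def is_from_egress(source_ip: str) -> bool:
    """True if source_ip lies inside any published egress address or prefix.

    ipaddress never matches an IPv4 address against an IPv6 network (or vice
    versa), so mixed-family entries are safe to keep in one list.
    """
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def nft_allow_rules(ports: List[int], table: str = "inet filter",
                    chain: str = "input") -> List[str]:
    """Emit nftables commands admitting only the egress sources on only `ports`.

    Least privilege: one rule per (source, TCP port) pair and nothing broader.
    Table and chain names are placeholders (assumption) for a real ruleset.
    """
    rules = []
    for net in ALLOWED_NETWORKS:
        family = "ip" if net.version == 4 else "ip6"
        # A /32 (or /128) is written as a bare address; prefixes keep their length.
        src = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        for port in ports:
            rules.append(
                f"nft add rule {table} {chain} {family} saddr {src} tcp dport {port} accept"
            )
    return rules


# Constructed sample firewall log lines (not real traffic) in a key=value layout.
SAMPLE_LOG_LINES = [
    "2024-05-02T09:14:03Z action=ACCEPT src=104.30.132.78 dst=203.0.113.10 proto=tcp dport=443",
    "2024-05-02T09:14:07Z action=ACCEPT src=2a09:bac0:1000:252::4f1 dst=2001:db8::10 proto=tcp dport=22",
    "2024-05-02T09:15:12Z action=ACCEPT src=198.51.100.77 dst=203.0.113.10 proto=tcp dport=443",
    "2024-05-02T09:16:40Z action=ACCEPT src=104.30.134.27 dst=203.0.113.10 proto=tcp dport=3306",
    "2024-05-02T09:17:01Z action=DROP src=198.51.100.77 dst=203.0.113.10 proto=tcp dport=22",
]

LOG_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>\S+) .*?dport=(?P<dport>\d+)")


def audit_accepted(lines: List[str], required_ports: Set[int]) -> List[Tuple[str, str, int]]:
    """Flag accepted connections the whitelist should not have admitted.

    Returns (finding, source, port) tuples:
      unexpected-source: accepted traffic from outside the egress list
      unexpected-port:   egress traffic accepted on a port the test does not need
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "ACCEPT":
            continue  # drops and unparseable lines are not whitelist failures
        src, port = m["src"], int(m["dport"])
        if not is_from_egress(src):
            findings.append(("unexpected-source", src, port))
        elif port not in required_ports:
            findings.append(("unexpected-port", src, port))
    return findings


if __name__ == "__main__":
    for rule in nft_allow_rules([443, 22]):
        print(rule)
    for finding in audit_accepted(SAMPLE_LOG_LINES, {443, 22}):
        print(*finding)
```

Running the block prints eight nftables commands (four sources times two ports) and two findings: the accept from 198.51.100.77 on 443 shows a rule wider than the egress list, and the accept from the IPv4 backup address on 3306 shows a port opened beyond what the test needs. Both are worth reviewing before the connection goes live.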

Service limitations

When using self-signed SSL certificates for your sites, HTTPS traffic going through them is not inspected, reducing the log detail that can be collected. This is because the Cloudflare network, on which the connection relies, requires certificates issued by trusted Certificate Authorities (CAs) for full validation and logging. Therefore, it is recommended to use SSL certificates signed by a valid CA so navigation logs are fully detailed.

Authentication

The authentication mechanisms available for this connection are as follows:

  1. OAuth
  2. SSH
  3. HTTPS

Frequently asked questions

What is the purpose of the Egress connection?

The Egress connection enables Fluid Attacks to securely access your resources for security testing using dedicated Cloudflare egress IPs.

Do my resources need a public IP?

Yes, your resources must have a public IP or be accessible via an externally routed network. If they are behind a NAT or private network, one possible solution is using Port Address Translation (PAT) or NAT overload, which allows multiple devices in a private network to share a single public IP address by translating IP addresses and port numbers.

Why are a form and a waiting period needed for Egress if it is just a public IP?

The connection form and processing time are required to configure Fluid Attacks' automated cloning service to use the Egress connection when accessing your resources.

What IP addresses should I whitelist?

You need to whitelist the following egress IP addresses:
  1. IPv4: 104.30.132.78 (main); 104.30.134.27 (backup)
  2. IPv6: 2a09:bac0:1000:252::/64 (main); 2a09:bac0:1001:1cb::/64 (backup)

Do I need to configure a public DNS for my resources?

While configuring a public DNS is recommended for ease of access, it is not strictly required. Alternative methods can be used to resolve hostnames internally.