for example, I want to allow these IPs, but the IPs can/will change https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html

1I dont think you can attack the problem this way.(this is one of the hard issues of networking - particularly in the cloud). I believe that Amazon use software defined networks that require IP ranges - which is reasonable as reverse DNS kills network performance. My guess is you will hsve to allow all traffic on the relevant ports into your EC2 instance and run your own firewall - presumably using a script which runs periodically as you will run into the same issues - You will.most likely find domain names resolve only once when the script runs – davidgo – 2019-06-03T19:42:12.550

Ok so maybe create our own server that does the reverse DNS? and then whitelist our server with AWS? Since we know our server's IP, that won't change. – Alexander Mills – 2019-06-03T19:51:26.023

That doesnt make sense to me. The problem is not the nameserver IP changing, its the content of the DNS to IP mapping changing and the load and latency that this lookup causes on checking for each packet. – davidgo – 2019-06-03T20:06:50.667

Yeah I don't know enough about networking to follow. All I can say is that we might know the traffic is coming from bitbucket.org, but we don't which IPs as those could change. If we had some reverse dns we could look at an incoming request, get the IP and make sure it resolves to bitbucket.org? – Alexander Mills – 2019-06-03T20:11:57.460

Correct, but the big question is how do you do the reverse DNS in real time. – davidgo – 2019-06-03T20:18:33.830

Well that's where my networking knowledge falls short, but I thought you could do reverse dns in a few seconds? Not hard real time but soft real time? These are for devops tools, so a few seconds delay is no big deal. – Alexander Mills – 2019-06-03T20:20:07.933

Node.js has a utility is dns.reverse() - https://nodejs.org/api/dns.html#dns_dns_reverse_ip_callback

1Yes, if you kick the problem back to the application level it becomes trivial to do reverse DNS. Unfortunately this does.not work well at a firewall (ie packet) level. There are also some minor security concerns if someone can intercept and modify the reverse DNS queries or if Bitbucket forget to update reverse DNS - which may not be a problem here. – davidgo – 2019-06-03T20:29:42.677

alright so if I do thing with a middleman server, I can do the reverse dns - is security still an issue with https? – Alexander Mills – 2019-06-03T20:32:07.247

Im not sure how a middleman server would help, nor what you are trying to achieve. After googling Bitbucket it seems that it is a versioning service (ie git repo + bits) If your vms are clients of bitbucket why do you need to bother with thus, rather then allowing all outbound port 443 requests (and related return traffic)? Forgive me for saying this but based on your questions I dont think you can get more then a modicum of security in your system without engaging an expert. – davidgo – 2019-06-03T20:43:44.057

Let us continue this discussion in chat.

Bitbucket HTTP POSTs to our server, we need to accept incoming traffic from Bitbucket – Alexander Mills – 2019-06-03T21:14:05.993

1Looking at the bitbucket URL you presented I think the expected solution is for you to whitelist their given IP ranges and additionally set up some kind of monitoring for that page - as if it changes they state they will update that page. Its likely that this is a "cover themselves thing" as static IP addresses don't change very often - but might in an emergency or migrating to other providers. – davidgo – 2019-06-04T00:04:41.057